CVE-2005-3346
osh 1.7-14 - Buffer Overflow via Environment Variable Substitution
Exploitation Summary
EIP tracks 1 public exploit for CVE-2005-3346. PoCs published by Charles Stevenson.
AI-analyzed exploit summary: This exploit leverages a buffer overflow in OSH 1.7-14 via environment variable manipulation to overwrite stack data, allowing arbitrary code execution via LD_PRELOAD injection. It compiles a shared library to spawn a root shell when executed.
Description
Buffer overflow in the environment variable substitution code in main.c in OSH 1.7-14 allows local users to inject arbitrary environment variables, such as LD_PRELOAD, via pathname arguments of the form "$VAR/EVAR=arg", which cause the EVAR portion to be appended to a buffer returned by a getenv function call.
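A hardened form of the substitution described above, as an added example that is not taken from osh's main.c: the value returned by getenv is only read, and the expanded pathname is built in a bounded caller-supplied buffer. The helper name `expand_arg` and the variable `OSH_DEMO` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() in the demo */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* expand_arg() is a hypothetical helper, not osh's code.
 * The unsafe pattern in the description appends the text after "$VAR"
 * directly to the pointer getenv() returned, which writes into the
 * process environment block itself. Here that pointer is read-only and
 * the result goes into out[outsz].
 * Returns 0 on success, -1 if the variable is unset, the name is
 * malformed, or the result does not fit. */
int expand_arg(const char *arg, char *out, size_t outsz)
{
    if (arg[0] != '$') {                      /* nothing to substitute */
        int n = snprintf(out, outsz, "%s", arg);
        return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
    }
    const char *rest = strchr(arg, '/');      /* "/EVAR=arg" part, if any */
    size_t namelen = rest ? (size_t)(rest - arg - 1) : strlen(arg + 1);
    char name[64];
    if (namelen == 0 || namelen >= sizeof name)
        return -1;
    memcpy(name, arg + 1, namelen);
    name[namelen] = '\0';

    const char *val = getenv(name);           /* never modified in place */
    if (val == NULL)
        return -1;
    int n = snprintf(out, outsz, "%s%s", val, rest ? rest : "");
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;   /* reject truncation */
}

int main(void)
{
    char buf[32];
    setenv("OSH_DEMO", "/srv", 1);            /* constructed sample variable */
    int rc = expand_arg("$OSH_DEMO/EVAR=arg", buf, sizeof buf);
    printf("rc=%d expanded=%s\n", rc, rc == 0 ? buf : "(rejected)");
    printf("OSH_DEMO is still %s\n", getenv("OSH_DEMO"));
    return 0;
}
```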
Exploits (1)