CVE-2007-4305

NetBSD/OpenBSD - Local Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-4305. PoCs published by Robert N. M. Watson.

AI-analyzed exploit summary This exploit targets a race condition in Systrace's system call wrappers, allowing privilege escalation or auditing bypass by manipulating system call arguments. The PoC demonstrates a fork-based overwrite of a socket address structure during a bind operation.

Description

Multiple race conditions in the (1) Sudo monitor mode and (2) Sysjail policies in Systrace on NetBSD and OpenBSD allow local users to defeat system call interposition, and consequently bypass access control policy and auditing.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Robert N. M. Watson · textlocalbsd
https://www.exploit-db.com/exploits/30484

This exploit targets a race condition in Systrace's system call wrappers, allowing privilege escalation or auditing bypass by manipulating system call arguments. The PoC demonstrates a fork-based overwrite of a socket address structure during a bind operation.

Classification
Working Poc 80%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Systrace (version not specified)
No auth needed
Prerequisites: Access to a vulnerable Systrace installation · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26479
Various Sources x_refsource_misc
http://www.watson.org/~robert/2007woot/
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25258

Scores

EPSS 0.0012
EPSS Percentile 31.0%

Details

Status published
Products (45)
sysjail/sysjail
systrace/systrace
todd_miller/sudo 1.5.6
todd_miller/sudo 1.5.7
todd_miller/sudo 1.5.8
todd_miller/sudo 1.5.9
todd_miller/sudo 1.6
todd_miller/sudo 1.6.1
todd_miller/sudo 1.6.2
todd_miller/sudo 1.6.3
... and 35 more
Published Aug 13, 2007
Tracked Since Feb 18, 2026