CVE-2009-4146

FreeBSD 7.1-8.0 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4146. PoCs published by Kingcope, stealth, bcoles, including Metasploit module exploits/freebsd/local/rtld_execl_priv_esc.

AI-analyzed exploit summary: The exploit leverages a vulnerability in FreeBSD's Run-Time Link-Editor (rtld) to bypass restrictions on environment variables like LD_PRELOAD for setugid binaries, achieving local privilege escalation to root. It uses a crafted environment setup and a shared library to execute arbitrary commands with elevated privileges.

Description

The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1, 7.2, and 8.0 does not clear the LD_PRELOAD environment variable, which allows local users to gain privileges by executing a setuid or setgid program with a modified LD_PRELOAD variable containing an untrusted search path that points to a Trojan horse library, a different vector than CVE-2009-4147.

Exploits (2)

exploitdb WORKING POC
localbsd
https://www.exploit-db.com/exploits/10255

Classification
Working PoC 100%
Attack Type
LPE
Complexity
Moderate
Reliability
Reliable
Target: FreeBSD 8.0-RELEASE, FreeBSD 7.1-RELEASE
No auth needed
Prerequisites: Local access to a vulnerable FreeBSD system · Ability to compile and execute binaries
devstral-2 · analyzed Feb 19, 2026
metasploit WORKING POC EXCELLENT
by Kingcope, stealth, bcoles · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/local/rtld_execl_priv_esc.rb

This Metasploit module exploits a vulnerability in FreeBSD's run-time link-editor (rtld) where `unsetenv()` fails to remove `LD_*` environment variables, allowing arbitrary shared object loading via `LD_PRELOAD` for privilege escalation.

Classification
Working PoC 100%
Attack Type
LPE
Complexity
Moderate
Reliability
Reliable
Target: FreeBSD 7.2-RELEASE, 8.0-RELEASE (amd64)
No auth needed
Prerequisites: Access to a vulnerable FreeBSD system · Presence of a SUID executable (e.g., /sbin/ping) · Compiler (cc) installed · Write permissions in a directory (e.g., /tmp)
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37154
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508146/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37517
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508142/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1023250
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508168/100/0/threaded

Scores

EPSS 0.0390
EPSS Percentile 88.9%

Details

CWE
CWE-264
Status published
Products (3)
freebsd/freebsd 7.1
freebsd/freebsd 7.2
freebsd/freebsd 8.0
Published Dec 02, 2009
Tracked Since Feb 18, 2026