CVE-2009-4147

FreeBSD 7.1-8.0 - Privilege Escalation


Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4147. PoCs published by kingcope, Kingcope, stealth, bcoles, including Metasploit module exploits/freebsd/local/rtld_execl_priv_esc.

AI-analyzed exploit summary

This exploit leverages a vulnerability in FreeBSD's Run-Time Link-Editor (rtld) to bypass restrictions on environment variables like LD_PRELOAD for setugid binaries, achieving local privilege escalation to root. The exploit manipulates the environment to load a malicious shared library via LD_PRELOAD, which then executes a shell with elevated privileges.

Description

The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1 and 8.0 does not clear the (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH environment variables, which allows local users to gain privileges by executing a setuid or setgid program with a modified variable containing an untrusted search path that points to a Trojan horse library. These are different vectors than CVE-2009-4146.

Exploits (2)

exploitdb WORKING POC VERIFIED
by kingcope · text · local · bsd
https://www.exploit-db.com/exploits/10255

This exploit leverages a vulnerability in FreeBSD's Run-Time Link-Editor (rtld) to bypass restrictions on environment variables like LD_PRELOAD for setugid binaries, achieving local privilege escalation to root. The exploit manipulates the environment to load a malicious shared library via LD_PRELOAD, which then executes a shell with elevated privileges.

Classification
Working Poc 100%
Attack Type
LPE
Complexity
Trivial
Reliability
Reliable
Target: FreeBSD 8.0-RELEASE, FreeBSD 7.1-RELEASE
No auth needed
Prerequisites: Local access to a vulnerable FreeBSD system · Ability to compile and execute binaries
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by Kingcope, stealth, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/local/rtld_execl_priv_esc.rb

This Metasploit module exploits a vulnerability in FreeBSD's run-time link-editor (rtld) where the `unsetenv()` function fails to remove `LD_*` environment variables, allowing arbitrary shared object loading via `LD_PRELOAD` for privilege escalation.

Classification
Working Poc 100%
Attack Type
LPE
Complexity
Moderate
Reliability
Reliable
Target: FreeBSD 7.2-RELEASE, 8.0-RELEASE (amd64)
No auth needed
Prerequisites: cc compiler installed · writable directory (e.g., /tmp) · SUID executable (e.g., /sbin/ping)
devstral-2 · analyzed Apr 23, 2026

References (7)

Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37154
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508146/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37517
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508142/100/0/threaded
Patch vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1023250

Scores

EPSS 0.1258
EPSS Percentile 94.1%

Details

CWE
CWE-264
Status published
Products (2)
freebsd/freebsd 7.1
freebsd/freebsd 8.0
Published Dec 02, 2009
Tracked Since Feb 18, 2026