CVE-2011-4122

OpenPAM <r478 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-4122. PoCs published by IKCE.

AI-analyzed exploit summary This exploit leverages a local privilege escalation vulnerability in OpenPAM by abusing the `kcheckpass` binary's handling of user-provided service arguments. It creates a malicious PAM module and service file to execute arbitrary code with superuser privileges.

Description

Directory traversal vulnerability in openpam_configure.c in OpenPAM before r478 on FreeBSD 8.1 allows local users to load arbitrary DSOs and gain privileges via a .. (dot dot) in the service_name argument to the pam_start function, as demonstrated by a .. in the -c option to kcheckpass.

Exploits (1)

exploitdb WORKING POC VERIFIED

by IKCE · perllocalbsd

https://www.exploit-db.com/exploits/36296

View Code ZIP pw:eip

This exploit leverages a local privilege escalation vulnerability in OpenPAM by abusing the `kcheckpass` binary's handling of user-provided service arguments. It creates a malicious PAM module and service file to execute arbitrary code with superuser privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: OpenPAM (FreeBSD 8.1)

No auth needed

Prerequisites: Local access to the target system · Presence of vulnerable `kcheckpass` binary · Write permissions in `/tmp`

MITRE ATT&CK