CVE-2012-3485

Tunnelblick < 3.3beta20 - Privilege Escalation via argv[0] Pathname Manipulation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-3485. PoCs published by Metasploit, zx2c4, Jason A. Donenfeld, juan vazquez, including Metasploit module exploits/osx/local/setuid_tunnelblick.

AI-analyzed exploit summary: This Metasploit module exploits a privilege escalation vulnerability in Tunnelblick 3.2.8 by leveraging insufficient path validation in the setuid openvpnstart binary to execute arbitrary shell scripts as root.

Description

Tunnelblick 3.3beta20 and earlier relies on argv[0] to determine the name of an appropriate (1) kernel module pathname or (2) executable file pathname, which allows local users to gain privileges via an execl system call.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · osx
https://www.exploit-db.com/exploits/24578

This Metasploit module exploits a privilege escalation vulnerability in Tunnelblick 3.2.8 by leveraging insufficient path validation in the setuid openvpnstart binary to execute arbitrary shell scripts as root.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Tunnelblick 3.2.8 on Mac OS X
No auth needed
Prerequisites: Write access to a directory (default /tmp) · Presence of vulnerable Tunnelblick installation
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by zx2c4 · bash · local · osx
https://www.exploit-db.com/exploits/20443

This exploit leverages a directory traversal vulnerability in Tunnelblick to execute arbitrary code with elevated privileges. It creates a malicious directory structure and symlink to trick the application into executing a payload.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Tunnelblick (OpenVPN GUI for macOS)
No auth needed
Prerequisites: Local access to the target system · Tunnelblick installed
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Jason A. Donenfeld, juan vazquez · ruby · poc · osx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/setuid_tunnelblick.rb

This Metasploit module exploits a privilege escalation vulnerability in Tunnelblick 3.2.8 on macOS. It leverages insufficient path validation in the setuid `openvpnstart` binary to execute arbitrary shell scripts as root.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Tunnelblick 3.2.8
No auth needed
Prerequisites: Tunnelblick 3.2.8 installed · Writable directory (e.g., /tmp) · Non-root session
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/08/14/1
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2012-08/0122.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/24578

Scores

EPSS 0.0378
EPSS Percentile 88.5%

Details

CWE: CWE-20
Status: published
Products (1)
google/tunnelblick < 3.3beta20
Published Aug 26, 2012
Tracked Since Feb 18, 2026