CVE-2013-2171

FreeBSD 9 Address Space Manipulation Privilege Escalation

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2013-2171. PoCs published by Metasploit, Hunger, 0xGabe, including Metasploit module exploits/freebsd/local/mmap.

AI-analyzed exploit summary This Metasploit module exploits CVE-2013-2171, a FreeBSD 9.0/9.1 privilege escalation vulnerability via address space manipulation. It uploads and executes a binary payload to achieve local privilege escalation.

Description

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEASE-p4 does not properly determine whether a task should have write access to a memory location, which allows local users to bypass filesystem write permissions and consequently gain privileges via a crafted application that leverages read permissions, and makes mmap and ptrace system calls.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalfreebsd
https://www.exploit-db.com/exploits/26454

This Metasploit module exploits CVE-2013-2171, a FreeBSD 9.0/9.1 privilege escalation vulnerability via address space manipulation. It uploads and executes a binary payload to achieve local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: FreeBSD 9.0, 9.1
Auth required
Prerequisites: Local shell access on FreeBSD 9.0/9.1 · Writable directory (e.g., /tmp)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Hunger · clocalfreebsd
https://www.exploit-db.com/exploits/26368

This exploit leverages a mmap/ptrace vulnerability in FreeBSD 9.0/9.1 to achieve local privilege escalation by copying a malicious binary over a setuid binary (/usr/sbin/timedc) and executing it to spawn a root shell.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: FreeBSD 9.0, 9.1
No auth needed
Prerequisites: Local access to the target system · Compiled binary of the exploit · Presence of the vulnerable mmap/ptrace implementation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 0xGabe · poc
https://github.com/0xGabe/FreeBSD-9.0-9.1-Privilege-Escalation

This exploit leverages a mmap/ptrace vulnerability in FreeBSD 9.0-9.1 to achieve local privilege escalation by manipulating memory mappings and process tracing. It replaces the memory of a privileged binary (/usr/sbin/timedc) with a shell payload to gain root access.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: FreeBSD 9.0-9.1
No auth needed
Prerequisites: Local access to a vulnerable FreeBSD 9.0-9.1 system · Compilation of the exploit code
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by Konstantin Belousov, Alan Cox, Hunger, sinn3r · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/local/mmap.rb

This Metasploit module exploits CVE-2013-2171, a FreeBSD 9.0/9.1 privilege escalation vulnerability via address space manipulation. It uploads a payload and exploit binary to a writable directory, then executes them to achieve local privilege escalation.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: FreeBSD 9.0, 9.1
No auth needed
Prerequisites: Access to a writable directory on the target system · Local shell access on FreeBSD 9.0/9.1
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Vendor Advisory vendor-advisory x_refsource_freebsd
http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2714

Scores

EPSS 0.0694
EPSS Percentile 93.3%

Details

CWE
CWE-264
Status published
Products (2)
freebsd/freebsd 9.0
freebsd/freebsd 9.1 (2 CPE variants)
Published Jul 02, 2013
Tracked Since Feb 18, 2026