CVE-2016-6253

HIGH

NetBSD <7.0 - Local Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-6253. PoCs were published by Metasploit, akat1, and h00die <[email protected]>, including the Metasploit module exploits/unix/local/netbsd_mail_local.

AI-analyzed exploit summary: This exploit leverages a race condition in NetBSD's mail.local to escalate privileges by overwriting the atrun binary with a malicious script. It requires a root-owned crontab job to trigger execution.

Description

mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user mailbox.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · netbsd_x86
https://www.exploit-db.com/exploits/40385

This exploit leverages a race condition in NetBSD's mail.local to escalate privileges by overwriting the atrun binary with a malicious script. It requires a root-owned crontab job to trigger execution.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: NetBSD mail.local (7.0 - 7.0.1, 6.1 - 6.1.5, 6.0 - 6.0.6)
No auth needed
Prerequisites: SUID bit set on mail.local · Root-owned crontab job · Write access to /tmp
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by akat1 · c · local · bsd
https://www.exploit-db.com/exploits/40141

This exploit leverages a race condition in the `atrun` utility to overwrite the binary with a malicious script, granting a root shell via a setuid `ksh` binary. It requires local access and precise timing to win the race condition.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: FreeBSD atrun (versions before the fix for CVE-2016-6253)
No auth needed
Prerequisites: Local access to the target system · Presence of vulnerable `atrun` binary · Write permissions to `/var/mail` or ability to create symlinks
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GREAT
by h00die <[email protected]>, akat1 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/local/netbsd_mail_local.rb

This exploit leverages a race condition in NetBSD's mail.local to escalate privileges by overwriting the atrun binary with a malicious script. It requires a root-owned crontab job to execute and can take up to 10 minutes to trigger.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: NetBSD mail.local (versions 6.0-6.0.6, 6.1-6.1.5, 7.0-7.0.1)
No auth needed
Prerequisites: SUID bit set on mail.local · root-owned crontab job · write access to /tmp
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Vendor Advisory vendor-advisory x_refsource_netbsd
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/138021/NetBSD-mail.local-8-Local-Root.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40141/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40385/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92101
Exploit, Third Party Advisory x_refsource_misc
http://akat1.pl/?id=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036429
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://www.rapid7.com/db/modules/exploit/unix/local/netbsd_mail_local

Scores

CVSS v3: 7.8
EPSS: 0.0727
EPSS Percentile: 91.9%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-59
Status: published
Products (14)
netbsd/netbsd 6.0
netbsd/netbsd 6.0.1
netbsd/netbsd 6.0.2
netbsd/netbsd 6.0.3
netbsd/netbsd 6.0.4
netbsd/netbsd 6.0.5
netbsd/netbsd 6.0.6
netbsd/netbsd 6.1
netbsd/netbsd 6.1.1
netbsd/netbsd 6.1.2
... and 4 more
Published: Jan 20, 2017
Tracked Since: Feb 18, 2026