CVE-2019-19726
HIGH
OpenBSD Dynamic Loader chpass Privilege Escalation
Title source: metasploit
Description
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · ruby · local · openbsd
https://www.exploit-db.com/exploits/47803
exploitdb
WORKING POC
VERIFIED
by Qualys Corporation · text · local · openbsd
https://www.exploit-db.com/exploits/47780
metasploit
WORKING POC
EXCELLENT
by Qualys, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb
References (9)
Scores
CVSS v3: 7.8
EPSS: 0.0938
EPSS Percentile: 92.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-269
Status: published
Products (1)
openbsd/openbsd < 6.6
Published: Dec 12, 2019
Tracked Since: Feb 18, 2026