CVE-2009-4147
FreeBSD 8.0 Run-Time Link-Editor (RTLD) - Local Privilege Escalation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1 and 8.0 does not clear the (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH environment variables, which allows local users to gain privileges by executing a setuid or setguid program with a modified variable containing an untrusted search path that points to a Trojan horse library, different vectors than CVE-2009-4146.
La función _rtld en Run-Time Link-Editor (rtld) en libexec/rtld-elf/rtld.c en FreeBSD v7.1 y v8.0 no limpia las variables de entorno de (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH lo que permite a usuarios locales conseguir privilegios mediante la ejecución de un programa setuid o setguid con una variable modificada que contiene una ruta de búsqueda sin confianza que apunta a una libreria de un troyano con vectores diferentes que CVE-2009-4146.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2009-11-30 First Exploit
- 2009-12-01 CVE Reserved
- 2009-12-02 CVE Published
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (14)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/152997 | 2019-05-22 | |
| https://www.exploit-db.com/exploits/10255 | 2009-11-30 | |
| http://www.securityfocus.com/bid/37154 | 2024-08-07 |
| URL | Date | SRC |
|---|---|---|
| http://people.freebsd.org/~cperciva/rtld.patch | 2019-05-22 | |
| http://www.securitytracker.com/id?1023250 | 2019-05-22 |
| URL | Date | SRC |
|---|---|---|
| http://secunia.com/advisories/37517 | 2019-05-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 7.1 Search vendor "Freebsd" for product "Freebsd" and version "7.1" | - |
Affected
| ||||||
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | 8.0 Search vendor "Freebsd" for product "Freebsd" and version "8.0" | - |
Affected
| ||||||