@JohannesLks JohannesLks commented Dec 21, 2025

New Module: FreeBSD rtsold/rtsol DNSSL Command Injection (CVE-2025-14558)

Fixes #20789

This PR adds a new exploit module for CVE-2025-14558, a command injection vulnerability in FreeBSD's rtsol(8) and rtsold(8) daemons. The vulnerability arises from improper validation of the Domain Name Search List (DNSSL) option in IPv6 Router Advertisement (RA) messages, which are passed to the resolvconf(8) script without sanitization. An attacker on the local network can execute arbitrary commands as root by injecting shell metacharacters into the DNSSL domain field.

Verification

  • Start msfconsole
  • use exploit/freebsd/misc/rtsold_dnssl_cmdinject
  • set INTERFACE <your_interface> (e.g., eth0)
  • set CMD touch /tmp/pwned
  • exploit
  • Verify that the message "Router Advertisement(s) sent successfully" is displayed.
  • Verify on the target machine (if available) that /tmp/pwned exists.

Demo / Proof of Concept

This module requires a FreeBSD target system (versions 13.x, 14.x, or 15.0 prior to 2025-12-16 patches) running rtsold with the -s flag.

@JohannesLks JohannesLks marked this pull request as draft December 21, 2025 22:13
@JohannesLks JohannesLks changed the title Draft: Add Module and Documentation for CVE-2025-14558 Add Module and Documentation for CVE-2025-14558 Dec 21, 2025
@JohannesLks JohannesLks marked this pull request as ready for review December 21, 2025 22:28
@JohannesLks JohannesLks requested a review from bcoles December 23, 2025 14:29
To configure a vulnerable target:

1. Install FreeBSD (unpatched version)
2. Enable IPv6 Router Advertisement (Replace Interface Name with your interface):

This isn't enabled by default?

@JohannesLks JohannesLks Dec 26, 2025


@jvoisin Not on FreeBSD.

def check
  check_pcaprub_loaded

  lhost = datastore['LHOST'] || Rex::Socket.source_address('1.1.1.1')

Why 1.1.1.1 and not a random address?

@JohannesLks JohannesLks Dec 26, 2025


@jvoisin The call only exists to let the kernel select the default outbound interface and determine a suitable local source address. Using a random address could result in non-deterministic routing, which would make the check and callback behavior unreliable. An unspecified address keeps the behavior deterministic.

'DefaultTarget' => 0,
'DisclosureDate' => '2025-12-16',
'DefaultOptions' => {
  'PAYLOAD' => 'cmd/unix/generic'

I was wondering if there is a limit on payload size and if you have tried any other payload we have, for example payload/cmd/unix/bind_netcat. That would be nice as a default option.

@JohannesLks JohannesLks Dec 29, 2025


@dledda-r7 Yes, there is a payload size limit of approximately 52 bytes (63 minus $() wrapper and domain prefix) due to DNS label length restrictions (63 bytes max per RFC 1035).

I tested cmd/unix/bind_netcat before and it fails. The payload is about 97 bytes, which gets split across multiple DNS labels. When processed by resolvconf, labels are joined with dots, corrupting the shell command.
cmd/unix/generic with short commands works fine. bind_netcat is unfortunately not suitable as a default option due to its size.
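As an added example (not code from this PR or from the Metasploit module), the following Ruby parses an RA DNSSL option (RFC 8106, type 31) the way a receiver does, enforces the 63-octet label limit from RFC 1035 that the size discussion above turns on, and applies the hostname-character check a consumer should run before handing search domains to resolvconf(8). Function names and the sample option are assumptions constructed for the example.

```ruby
# Added example: parse an IPv6 RA DNSSL option (RFC 8106, type 31) and vet the
# search domains before a resolver script sees them. Function names are
# hypothetical; the sample option below is constructed, not captured traffic.
DNSSL_TYPE     = 31
MAX_LABEL      = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME       = 253  # textual domain-name limit
HOSTNAME_LABEL = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/

# Encode names as length-prefixed labels behind the 8-byte option header,
# zero-padded to an 8-octet boundary (used here only to build test input).
def build_dnssl_option(domains, lifetime: 1800)
  body = domains.map { |d| d.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00" }.join
  body += "\x00" * ((8 - body.bytesize % 8) % 8)
  [DNSSL_TYPE, (8 + body.bytesize) / 8, 0, lifetime].pack('CCnN') + body
end

# Decode the option the way a receiver does: labels joined with dots, each
# name ended by a zero-length label, zero padding after the last name.
def parse_dnssl_option(bytes)
  raise 'not a DNSSL option' unless bytes.getbyte(0) == DNSSL_TYPE
  total = bytes.getbyte(1).to_i * 8
  raise 'bad option length' if total < 16 || bytes.bytesize < total
  names, labels, pos = [], [], 8
  while pos < total
    len = bytes.getbyte(pos)
    pos += 1
    if len.zero?
      break if labels.empty?          # reached the padding
      names << labels.join('.')
      labels = []
      next
    end
    raise 'bad label length' if len > MAX_LABEL || pos + len > total
    labels << bytes.byteslice(pos, len)
    pos += len
  end
  names
end

# The check a consumer should apply before handing a name to resolvconf(8):
# every label must be a plain hostname label, so shell metacharacters such as
# $ ( ) ; | & cannot be present in what the script receives.
def valid_search_domain?(name)
  name.bytesize <= MAX_NAME && name.split('.', -1).all? { |l| HOSTNAME_LABEL.match?(l) }
end

def safe_search_domains(bytes)
  parse_dnssl_option(bytes).select { |n| valid_search_domain?(n) }
end
SAMPLE_OPTION = build_dnssl_option(['corp.example', 'x;id.example']) # constructed
```

Running `safe_search_domains(SAMPLE_OPTION)` keeps only corp.example; the second name is dropped at the label check rather than reaching any script.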

Successfully merging this pull request may close these issues.

Remote command injection in FreeBSD via IPv6 processing

4 participants