Vulnerable Application
This module exploits CVE-2025-14558, a command injection vulnerability in FreeBSD's rtsol(8) and rtsold(8) programs. The DNSSL option in IPv6 Router Advertisement messages is passed to resolvconf(8) without sanitization, allowing command injection.
All FreeBSD versions are affected unless the system has received the security fixes released on 2025-12-16.
The first non-vulnerable releases are:
15.0-RELEASE-p1
14.3-RELEASE-p7
13.5-RELEASE-p8
All earlier and legacy FreeBSD versions remain vulnerable.
Vulnerable versions can be downloaded from the FreeBSD archive.
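As an added defensive example (not code from the module or from FreeBSD's fix), the following Python check decodes the DNSSL option (RFC 8106, type 31) from a raw ICMPv6 Router Advertisement and flags search domains that contain bytes outside a hostname allowlist. The allowlist, the function names and the sample packet are assumptions constructed for illustration.

```python
import re
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement
ND_OPT_DNSSL = 31       # DNSSL option type (RFC 8106)
# Assumed allowlist for one label: letters, digits, "_" and interior "-" only.
SAFE_LABEL = re.compile(rb"[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")

def read_names(data):
    """Decode RFC 1035 length-prefixed names from a DNSSL option body."""
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:  # root label ends a name; further zeros are padding
            if labels:
                yield labels
            labels = []
        elif n > 63 or i + n > len(data):  # also rejects compression pointers
            raise ValueError("bad label length")
        else:
            labels.append(data[i:i + n])
            i += n
    if labels:
        raise ValueError("unterminated name")

def dnssl_domains(ra):
    """Yield every DNSSL search domain in a raw ICMPv6 RA as a label list."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    off = 16  # options follow the fixed 16-byte RA header
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(ra):
            raise ValueError("malformed option length")
        if opt_type == ND_OPT_DNSSL:
            yield from read_names(ra[off + 8:off + opt_len])  # skip 8-byte option header
        off += opt_len

def suspicious_domains(ra):
    """Return the search domains that contain a byte outside the allowlist."""
    return [b".".join(d).decode("latin-1") for d in dnssl_domains(ra)
            if not all(SAFE_LABEL.fullmatch(label) for label in d)]

# Constructed sample: RA header plus one DNSSL option carrying two names.
SAMPLE_RA = (struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
             + struct.pack("!BBHI", ND_OPT_DNSSL, 5, 0, 1800)
             + b"\x07example\x03com\x00" + b"\x06lab;el\x04test\x00" + b"\x00" * 6)

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_RA))
```

The same allowlist can be applied to captured RA traffic on segments with unpatched hosts; a non-empty result means a search domain contains bytes that no legitimate DNS search list needs.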
To configure a vulnerable target:
Install FreeBSD (unpatched version)
Enable IPv6 Router Advertisement (Replace Interface Name with your interface):
Reboot or start services manually
Verify with
ifconfig em0 | grep ACCEPT_RTADV
Verification Steps
Install FreeBSD (unpatched) and configure rtsold as above
Start msfconsole on attacker (same network segment)
Do: use exploit/freebsd/misc/rtsold_dnssl_cmdinject
Do: set CMD touch /tmp/pwned
Do: set INTERFACE eth0
Do: exploit
On target, verify file exists: ls -la /tmp/pwned
Options
INTERFACE
Network interface for sending RA packets. Must be on same Layer 2 segment as target. Defaults to first available interface if not set.
COUNT
Number of RA packets to send. Default: 3. Increase for unreliable networks.
DELAY
Delay between packets in milliseconds. Default: 1000.
Scenarios
FreeBSD 14.3-RELEASE Command Execution
Verify on target:
Troubleshooting:
If the exploit doesn't work:
Verify target has ACCEPT_RTADV: ifconfig | grep ACCEPT_RTADV
Verify rtsold running with -s: ps aux | grep rtsold
Verify Layer 2 adjacency (RA messages are not routed)
Run msfconsole as root for pcap access