rtsold passes unvalidated domain search list options from router advertisement messages directly to the resolvconf shell script, which fails to properly quote its input. This allows an attacker on the local network to inject arbitrary shell commands that are executed with root privileges when the vulnerable system processes a malicious router advertisement.

The deployed network agent will run with root privileges.

The exploit performs the following steps:

- Builds the Ethernet envelope to ensure the data travels without OS restrictions.
- Generates a fake Router Advertisement message to trick the victim into thinking the attacker is a legitimate gateway.
- Calculates a checksum so the target's kernel accepts the packet as valid.
- Hides malicious commands inside DNS configuration options using a specific format that triggers execution on FreeBSD.
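On the defensive side, the missing step is validating each search-list name before it reaches any shell script. The following is an added example, not FreeBSD's patch or code from this page: it assumes the RFC 8106 DNSSL option layout (type 31, 8-byte header, DNS-encoded labels), and the function name `dnssl_validate`, the character allowlist and both sample options are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_OPT_DNSSL 31 /* RFC 8106 DNS Search List option type */

/* Constructed samples: "example.com", and a name with ';' inside a label. */
static const uint8_t sample_ok[24] = { 31, 3, 0, 0, 0, 0, 0x0e, 0x10,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0 };
static const uint8_t sample_bad[16] = { 31, 2, 0, 0, 0, 0, 0x0e, 0x10,
    3, 'a', ';', 'b', 0 };

/* Allowlist (an assumption): ASCII letters, digits, '-' and '_' only. */
static int label_char_ok(uint8_t c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Returns the number of names in one DNSSL option if every label is well
 * formed and allowlisted, or -1 if the whole option should be dropped. */
int dnssl_validate(const uint8_t *opt, size_t len)
{
    size_t i = 8; /* names start after type, length, reserved, lifetime */
    int names = 0, in_name = 0;

    if (len < 8 || opt[0] != ND_OPT_DNSSL || (size_t)opt[1] * 8 != len)
        return -1;
    while (i < len) {
        uint8_t l = opt[i++];
        if (l == 0) { /* root label ends a name; extra zeros are padding */
            if (in_name) { names++; in_name = 0; }
            continue;
        }
        if (l > 63 || l > len - i) /* compression pointer or overrun */
            return -1;
        for (size_t k = 0; k < l; k++)
            if (!label_char_ok(opt[i + k]))
                return -1;
        i += l;
        in_name = 1;
    }
    return in_name ? -1 : names; /* a name without a terminator is malformed */
}

int main(void)
{
    printf("ok=%d\n", dnssl_validate(sample_ok, sizeof sample_ok));
    printf("bad=%d\n", dnssl_validate(sample_bad, sizeof sample_bad));
    return 0;
}
```

Validation of this kind complements, and does not replace, correct quoting in the script that consumes the names.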