Vigil@nce: FreeBSD, NULL pointer dereference
October 2009 by Vigil@nce
A local attacker can force the kernel to dereference a NULL
pointer, in order to elevate his privileges.
– Severity: 2/4
– Consequences: user access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 05/10/2009
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
An application can mmap the page at memory address 0, for example to
emulate the MS-DOS interrupt handler.
In some cases an error occurs in the kernel that makes it call through
a NULL function pointer, and an attacker can, for example, deliberately
trigger such an error.
If the attacker has mmapped page zero beforehand, he can place a
malicious function there. That function is then called when the NULL
pointer is dereferenced, so the attacker's function runs with kernel
privileges.
A local attacker can therefore force the kernel to dereference a
NULL pointer, in order to elevate his privileges.
CHARACTERISTICS
– Identifiers: FreeBSD-EN-09:05.null, VIGILANCE-VUL-9069
– Pointed by: VIGILANCE-VUL-8970, VIGILANCE-VUL-9070, VIGILANCE-VUL-9071
– Url: http://vigilance.fr/vulnerability/FreeBSD-NULL-pointer-dereference-9069