Vigil@nce: FreeBSD, privilege elevation via netgraph/bluetooth
December 2008 by Vigil@nce
SYNTHESIS
A local attacker can use netgraph or bluetooth sockets in order to
execute code with kernel privileges.
Gravity: 2/4
Consequences: user access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/12/2008
Revision date: 30/12/2008
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION
The FreeBSD kernel supports various socket types:
– IP
– netgraph (ng_socket kernel module, which is generic)
– bluetooth (ng_bluetooth kernel module, which is based on netgraph)
– etc.
Some socket operations are not implemented by the netgraph/bluetooth
protocols: bind(), disconnect(), peeraddr(), shutdown() and sockaddr().
However, the function pointers for these operations in the protocol
switch table are left uninitialized rather than pointing to a "not
supported" handler.
A local attacker can therefore arrange the memory so that such an
uninitialized slot holds a pointer of his choosing, create a
netgraph/bluetooth socket, and then invoke one of these operations on
it. The kernel then calls the function at that pointer.
A local attacker can thus use netgraph or bluetooth sockets in
order to execute code with kernel privileges.
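As an added illustration (not code from the advisory or from FreeBSD), the defensive pattern behind this class of bug: a table of socket operations is audited for empty slots, every missing entry is filled with a "not supported" stub, and the dispatcher refuses to call through a NULL slot. The struct, field and function names are hypothetical, and this userland model only stands in for the kernel's protocol switch table.

```c
#include <errno.h>
#include <stddef.h>
/* Userland model of a protocol's user-request table (hypothetical names,
 * not FreeBSD's own). Operations the author forgot stay NULL. */
struct socket_ops {
    int (*attach)(void);
    int (*bind)(void);
    int (*connect)(void);
    int (*disconnect)(void);
    int (*peeraddr)(void);
    int (*shutdown)(void);
    int (*sockaddr)(void);
};
static int ops_ok(void) { return 0; }
/* Safe default for operations the protocol does not implement. */
static int ops_notsupp(void) { return EOPNOTSUPP; }
/* Constructed example table: only attach and connect were provided. */
static struct socket_ops example_ops = {
    .attach = ops_ok,
    .connect = ops_ok,
    /* bind, disconnect, peeraddr, shutdown, sockaddr are left NULL */
};
/* Audit pass: replace every NULL slot with the notsupp stub so that a
 * caller can never be routed through an uninitialized pointer.
 * Returns the number of slots that had to be filled. */
int fill_missing_ops(struct socket_ops *ops)
{
    int (**slots[])(void) = { &ops->attach, &ops->bind, &ops->connect,
                              &ops->disconnect, &ops->peeraddr,
                              &ops->shutdown, &ops->sockaddr };
    int filled = 0;
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++) {
        if (*slots[i] == NULL) {
            *slots[i] = ops_notsupp;
            filled++;
        }
    }
    return filled;
}
/* Dispatcher with a second line of defence: even if a table was never
 * audited, an empty slot yields an error instead of an indirect call. */
int call_shutdown(const struct socket_ops *ops)
{
    if (ops->shutdown == NULL)
        return EOPNOTSUPP;
    return ops->shutdown();
}
```

Running the audit at registration time (and checking the slot at call time) is what turns a forgotten table entry into a harmless EOPNOTSUPP instead of a kernel-mode call through attacker-influenced memory.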
CHARACTERISTICS
Identifiers: BID-32976, FreeBSD-SA-08:13.protosw,
VIGILANCE-VUL-8352