Vigil@nce: FreeBSD, privilege elevation via kevent
August 2009 by Vigil@nce
On a multi-processor computer, a local attacker can use kevent(),
in order to obtain kernel privileges.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 24/08/2009
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
The kqueue() system call asks the kernel to inform the process
when some events occur. The kevent() function is used to alter the
list of events to track.
On a multi-processor computer, when a thread opens a file, and
when another thread asks to track this file descriptor, there is a
time slice when the kernel can use an invalid file descriptor. In
this case, it uses a function located at address zero, that the
attacker can have mmapped. The malicious attacker function is then
executed with kernel privileges.
On a multi-processor computer, a local attacker can therefore use
kevent(), in order to obtain kernel privileges.
CHARACTERISTICS
Identifiers: BID-36101, VIGILANCE-VUL-8970
http://vigilance.fr/vulnerability/FreeBSD-privilege-elevation-via-kevent-8970