Vigil@nce: FreeBSD, privilege elevation via devfs and VFS
October 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use devfs and VFS to obtain kernel
privileges.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 05/10/2009
Revision date: 09/10/2009
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
The devfs (/dev) filesystem is used to access system devices.
The VFS (Virtual File System) creates a virtual layer.
When devfs and VFS are used simultaneously, the fp->f_vnode
pointer in the sys/fs/devfs/devfs_vnops.c file can become NULL. A
local attacker can thus use VIGILANCE-VUL-9069
(https://vigilance.fr/tree/1/9069) to force the kernel to
execute a malicious function.
A local attacker can therefore use devfs and VFS to obtain
kernel privileges.
CHARACTERISTICS
Identifiers: BID-36587, FreeBSD-SA-09:14.devfs, VIGILANCE-VUL-9071
http://vigilance.fr/vulnerability/FreeBSD-privilege-elevation-via-devfs-and-VFS-9071