Vigil@nce - FreeBSD: privilege escalation via IRET
October 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can trigger an interruption with an exception on
FreeBSD, in order to escalate his privileges or to trigger a
denial of service.
Impacted products: FreeBSD.
Severity: 2/4.
Creation date: 26/08/2015.
DESCRIPTION OF THE VULNERABILITY
The GS segment contains data of the current thread (user mode) or
the current processor (kernel mode).
The IRET instruction leaves the interruption handler, and returns
to the interrupted context.
However, on an x64 environment, if an IRET occurs with an #SS
(Stack-Segment Fault) or #PF (Page Fault) exception, the kernel
uses the GS segment of the user mode (instead of using the kernel
mode one).
A local attacker can therefore trigger an interruption with an
exception on FreeBSD, in order to escalate his privileges or to
trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-privilege-escalation-via-IRET-17749