Vigil@nce: NetBSD, privilege elevation via IRET
September 2009 by Vigil@nce
On an Intel processor, a local attacker can generate an error
during the IRET instruction, in order to create a denial of
service and eventually to execute code.
– Severity: 2/4
– Consequences: administrator access/rights, denial of service of
computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: multiples sources (3/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 17/09/2009
IMPACTED PRODUCTS
– NetBSD
DESCRIPTION OF THE VULNERABILITY
On an Intel processor, when an interruption/exception occurs (for
example a system call via int 0x80), the current context
(registers CS and EIP/RIP, and flags) is saved. At the end of the
interruption/exception, the IRET instruction restores saved
values, so the interrupted program can continue its execution
where it was interrupted:
– restore the EIP/RIP instruction pointer
– restore the CS register (privilege switch)
– restore flags
However, if the EIP/RIP register does not belong to the code
segment, a general protection error occurs, before the privilege
switch.
In order to exploit this vulnerability, the attacker can for
example place an "int 0x80" instruction at the end of the code
segment (defined in the LDT) (or use the non executable stack
emulation on x86). As the address after this "int 0x80" is not in
the code segment, and as IRET tries to restore this value, the
privilege switch is not done, and the kernel stack gets
desynchronised.
On an Intel processor, a local attacker can thus generate an error
during the IRET instruction, in order to create a denial of
service and eventually to execute code.
CHARACTERISTICS
– Identifiers: CVE-2009-2793, VIGILANCE-VUL-9030
– Url: http://vigilance.fr/vulnerability/NetBSD-privilege-elevation-via-IRET-9030