Freely subscribe to our NEWSLETTER

– Severity: 2/4
– Consequences: administrator access/rights, denial of service of
computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: multiples sources (3/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 17/09/2009

IMPACTED PRODUCTS

– NetBSD

DESCRIPTION OF THE VULNERABILITY

On an Intel processor, when an interruption/exception occurs (for
example a system call via int 0x80), the current context
(registers CS and EIP/RIP, and flags) is saved. At the end of the
interruption/exception, the IRET instruction restores saved
values, so the interrupted program can continue its execution
where it was interrupted:
– restore the EIP/RIP instruction pointer
– restore the CS register (privilege switch)
– restore flags

However, if the EIP/RIP register does not belong to the code
segment, a general protection error occurs, before the privilege
switch.

In order to exploit this vulnerability, the attacker can for
example place an "int 0x80" instruction at the end of the code
segment (defined in the LDT) (or use the non executable stack
emulation on x86). As the address after this "int 0x80" is not in
the code segment, and as IRET tries to restore this value, the
privilege switch is not done, and the kernel stack gets
desynchronised.

On an Intel processor, a local attacker can thus generate an error
during the IRET instruction, in order to create a denial of
service and eventually to execute code.

CHARACTERISTICS

– Identifiers: CVE-2009-2793, VIGILANCE-VUL-9030
– Url: http://vigilance.fr/vulnerability/NetBSD-privilege-elevation-via-IRET-9030