[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4C8798CA.60602@freebsd.lublin.pl>
Date: Wed, 08 Sep 2010 16:08:10 +0200
From: Przemyslaw Frasunek <venglin@...ebsd.lublin.pl>
To: full-disclosure@...ts.grok.org.uk
Subject: FreeBSD 7.0 - 7.2 pseudofs null pointer
dereference
FreeBSD 7.0 - 7.2 pseudofs null pointer dereference
Disclosed by: Przemyslaw Frasunek
18/08/2010
1. Synopsis
Starting from FreeBSD 5.0, the system supports POSIX extended attributes,
allowing to store metadata associated with file. Those attributes can be
manipulated using extattr_* syscalls.
One of the filesystems supporting extended attributes is pseudofs, on which
procfs and linprocfs are based.
2. Attack vector
Due to spurious call to pfs_unlock() in pfs_getattr() (as defined in
sys/fs/pseudofs/pseudofs_vnops.c), null pointer is dereferenced after calling
extattr_get_attribute() on pseudofs vnode.
By allocating page at address 0x0, attacker can overwrite arbitrarly chosen
portion of kernel memory, leading to crash or local root escalation.
3. Workaround
Procfs and linprocfs are not mounted in default FreeBSD install.
By setting sysctl security.bsd.map_at_zero to 0 (which is default in 8.x
branch), the vulnerability can be exploited to cause system crash, not privilege
escalation.
4. Patch
The bug was fixed in following commit:
http://svn.freebsd.org/viewvc/base?view=revision&revision=196689
Nevertheless it was not recognized as security vulnerability. The following
versions are vulnerable:
7.0-RELEASE
7.1-RELEASE
7.2-RELEASE
8.0-RELEASE (system crash only)
Not vulnerable versions:
6.x-RELEASE
7.3-RELEASE
8.1-RELEASE
7-STABLE and 8-STABLE after 05/09/2009
5. Exploit code
There is a working exploit, allowing to gain local root privileges. It will be
released after 14 days from this advisory.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists