[Full-disclosure] FreeBSD 7.0 - 7.2 pseudofs null pointer dereference
- From: Przemyslaw Frasunek <venglin@xxxxxxxxxxxxxxxxx>
- Date: Wed, 08 Sep 2010 16:08:10 +0200
FreeBSD 7.0 - 7.2 pseudofs null pointer dereference
Disclosed by: Przemyslaw Frasunek
Starting from FreeBSD 5.0, the system supports POSIX extended attributes,
which allow metadata to be stored with a file. These attributes are
manipulated with the extattr_* syscalls.
One of the filesystems supporting extended attributes is pseudofs, on which
procfs and linprocfs are based.
2. Attack vector
Due to a spurious call to pfs_unlock() in pfs_getattr() (defined in
sys/fs/pseudofs/pseudofs_vnops.c), a null pointer is dereferenced after
extattr_get_attribute() is called on a pseudofs vnode.
By mapping a page at address 0x0, an attacker controls the memory the kernel
reads through that null pointer and can overwrite an arbitrarily chosen portion
of kernel memory, leading to a crash or local root escalation.
Procfs and linprocfs are not mounted in a default FreeBSD install.
With the sysctl security.bsd.map_at_zero set to 0 (the default in the 8.x
branch), the vulnerability can only be exploited to cause a system crash, not privilege
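The following is an added example, not code from the advisory or from FreeBSD: a user-space model of why a kernel null pointer dereference of this kind becomes a privilege escalation only when an unprivileged process is allowed to map the page at address 0, and why security.bsd.map_at_zero=0 (or vm.mmap_min_addr on Linux) downgrades it to a plain crash. struct fake_node, attacker_handler and the return values are illustrative assumptions and do not describe pseudofs internals; the program probes the running kernel's policy and only dereferences the null pointer if the zero page could actually be mapped.

```c
/* Added example (not from the advisory or FreeBSD): user-space model of the
 * "map a page at 0x0" precondition for exploiting a kernel NULL dereference.
 * struct fake_node, attacker_handler and the constants are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Hypothetical kernel-style object. The bug path dereferences a pointer that
 * is NULL, so whatever lives at virtual address 0 is used as this struct. */
struct fake_node {
	int (*handler)(int);
};

/* Stands in for attacker-chosen code; in the kernel this would be ring-0. */
static int attacker_handler(int x)
{
	return x + 1000;
}

/* Map one page at address 0 (via /dev/zero, so no non-POSIX mmap flags are
 * needed). Returns the mapping or MAP_FAILED if the kernel refuses. */
static void *map_zero_page(size_t pg)
{
	int fd = open("/dev/zero", O_RDWR);
	void *p;

	if (fd < 0)
		return MAP_FAILED;
	p = mmap((void *)0, pg, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_FIXED, fd, 0);
	close(fd);
	return p;
}

/* 1 if an unprivileged mapping at address 0 is permitted, 0 otherwise
 * (FreeBSD with security.bsd.map_at_zero=0 and Linux with a non-zero
 * vm.mmap_min_addr both refuse it). */
int zero_page_mappable(void)
{
	size_t pg = (size_t)sysconf(_SC_PAGESIZE);
	void *p = map_zero_page(pg);

	if (p == MAP_FAILED)
		return 0;
	munmap(p, pg);
	return 1;
}

/* Model of the bug path: code reaches n->handler() with n == NULL.
 * Returns -1 when the zero page cannot be mapped (the crash-only case, so we
 * do not actually touch address 0); otherwise the planted handler runs and
 * its return value, 1001, shows the attacker controlled the call. */
int simulate_null_deref(void)
{
	size_t pg = (size_t)sysconf(_SC_PAGESIZE);
	void *p = map_zero_page(pg);
	struct fake_node *planted;
	struct fake_node *volatile n = NULL;	/* volatile: force a real load */
	int r;

	if (p == MAP_FAILED)
		return -1;
	planted = (struct fake_node *)p;	/* p == 0 here */
	planted->handler = attacker_handler;
	r = n->handler(1);			/* dereference through NULL */
	munmap(p, pg);
	return r;
}

/* The kernel knob that decides the outcome: security.bsd.map_at_zero on
 * FreeBSD (0 = forbid), vm.mmap_min_addr on Linux (0 = allow), -1 if unknown. */
long map_at_zero_setting(void)
{
#ifdef __FreeBSD__
	int v = 0;
	size_t len = sizeof v;

	if (sysctlbyname("security.bsd.map_at_zero", &v, &len, NULL, 0) == 0)
		return v;
	return -1;
#else
	long v = -1;
	FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");

	if (f != NULL) {
		if (fscanf(f, "%ld", &v) != 1)
			v = -1;
		fclose(f);
	}
	return v;
#endif
}

int main(void)
{
	printf("map-at-zero policy value: %ld\n", map_at_zero_setting());
	printf("zero page mappable: %d\n", zero_page_mappable());
	printf("null deref outcome: %d (-1 = would only crash, 1001 = attacker code ran)\n",
	    simulate_null_deref());
	return 0;
}
```

Run it once as an unprivileged user with the sysctl at its default and once with it changed; the last line flips between -1 and 1001, which is exactly the crash-only versus root-escalation distinction the advisory draws. Note that the policy values have opposite senses on the two systems: security.bsd.map_at_zero=0 forbids the mapping, while vm.mmap_min_addr=0 permits it.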
The bug was fixed in the following commit:
Nevertheless, it was not recognized as a security vulnerability. The following
versions are vulnerable:
8.0-RELEASE (system crash only)
Not vulnerable versions:
7-STABLE and 8-STABLE after 05/09/2009
5. Exploit code
There is a working exploit that gains local root privileges. It will be
released 14 days after this advisory.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/