FreeBSD <= 6.1 Local Root Vulnerability
Page 1 of 1
FreeBSD <= 6.1 Local Root Vulnerability
FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
systems in kevent() syscall, leading to kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add possibly invalid filedescriptor.
The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
was not recognized as security vulnerability.
The following code exploits this vulnerability to run root shell:
http://www.frasunek.com/kqueue.txt
systems in kevent() syscall, leading to kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add possibly invalid filedescriptor.
The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
was not recognized as security vulnerability.
The following code exploits this vulnerability to run root shell:
http://www.frasunek.com/kqueue.txt
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics
» FreeBSD 7.2 local root vulnerability (0day) demo
» FreeBSD 8.0 local root exploit
» Linux 2.6.x fs/pipe.c local root exploit
» Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
» Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
» FreeBSD 8.0 local root exploit
» Linux 2.6.x fs/pipe.c local root exploit
» Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
» Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum
|
|