Full Disclosure mailing list archives
FreeBSD <= 6.1 kqueue() NULL pointer dereference
From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Sat, 22 Aug 2009 19:19:40 +0200
FreeBSD <= 6.1 suffers from classical check/use race condition on SMP systems in kevent() syscall, leading to kernel mode NULL pointer dereference. It can be triggered by spawning two threads: 1st thread looping on open() and close() syscalls, and the 2nd thread looping on kevent(), trying to add possibly invalid filedescriptor. The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but was not recognized as security vulnerability. The following code exploits this vulnerability to run root shell: http://www.frasunek.com/kqueue.txt -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE * * JID: venglin () jabber atman pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV * _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- FreeBSD <= 6.1 kqueue() NULL pointer dereference Przemyslaw Frasunek (Aug 22)
- Re: FreeBSD <= 6.1 kqueue() NULL pointer dereference Przemyslaw Frasunek (Aug 24)