[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer dereference

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer dereference
From: Przemyslaw Frasunek <venglin@xxxxxxxxxxxxxxxxx>
Date: Sat, 22 Aug 2009 19:19:40 +0200

FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
systems in kevent() syscall, leading to kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add possibly invalid filedescriptor.

The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
was not recognized as security vulnerability.

The following code exploits this vulnerability to run root shell:
http://www.frasunek.com/kqueue.txt

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@xxxxxxxxxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer dereference
  - From: Przemyslaw Frasunek

Prev by Date: Re: [Full-disclosure] Questions for the iProphet
Next by Date: [Full-disclosure] Twitter Pro: Best Buy's @twelpforce is full of [security] fail
Previous by thread: Re: [Full-disclosure] Free wlan sniffer for vista
Next by thread: Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer dereference
Index(es):
- Date
- Thread