[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] FreeBSD 6.4 pipeclose()/knlist_cleardel() race condition exploit

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] FreeBSD 6.4 pipeclose()/knlist_cleardel() race condition exploit
From: Przemyslaw Frasunek <venglin@xxxxxxxxxxxxxxxxx>
Date: Thu, 08 Oct 2009 16:29:05 +0200

FreeBSD 6.4 and below are vulnerable to race condition between pipeclose() and
knlist_cleardel() resulting in NULL pointer dereference. The following code
exploits vulnerability to run code in kernel mode, giving root shell and
escaping from jail.

http://www.frasunek.com/pipe.txt

The bug was fixed a week ago and official security advisory was issued:

http://security.freebsd.org/advisories/FreeBSD-SA-09:13.pipe.asc

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@xxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ MDVSA-2009:217-1 ] mozilla-thunderbird
Next by Date: [Full-disclosure] [ MDVSA-2009:217-2 ] mozilla-thunderbird
Previous by thread: [Full-disclosure] [ MDVSA-2009:217-1 ] mozilla-thunderbird
Next by thread: [Full-disclosure] [ MDVSA-2009:217-2 ] mozilla-thunderbird
Index(es):
- Date
- Thread