Computer Security

Security Advisory: FreeBSD <= 6.1 kqueue() NULL pointer dereference
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  BSD systems kevent race conditions

  Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer dereference

  FreeBSD <= 6.1 kqueue() NULL pointer dereference

From:Przemyslaw Frasunek <venglin_(at)_FREEBSD.LUBLIN.PL>
Date:24.08.2009
Subject:FreeBSD <= 6.1 kqueue() NULL pointer dereference

FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
systems in kevent() syscall, leading to kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add possibly invalid filedescriptor.

The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
was not recognized as security vulnerability.

The following code exploits this vulnerability to run root shell:
http://www.frasunek.com/kqueue.txt

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru
test server