module
FreeBSD Intel SYSRET Privilege Escalation
| Disclosed | Created |
|---|---|
| 2012-06-12 | 2019-03-19 |
Disclosed
2012-06-12
Created
2019-03-19
Description
This module exploits a vulnerability in the FreeBSD kernel,
when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET
instruction with a non-canonical address in the RCX register.
However, Intel processors check for a non-canonical address prior to
dropping privileges, causing a GPF in privileged mode. As a result,
the current userland RSP stack pointer is restored and executed,
resulting in privileged code execution.
This module has been tested successfully on:
FreeBSD 8.3-RELEASE (amd64); and
FreeBSD 9.0-RELEASE (amd64).
when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET
instruction with a non-canonical address in the RCX register.
However, Intel processors check for a non-canonical address prior to
dropping privileges, causing a GPF in privileged mode. As a result,
the current userland RSP stack pointer is restored and executed,
resulting in privileged code execution.
This module has been tested successfully on:
FreeBSD 8.3-RELEASE (amd64); and
FreeBSD 9.0-RELEASE (amd64).
Authors
Rafal Wojtczuk
John Baldwin
iZsh
bcoles bcoles@gmail.com
John Baldwin
iZsh
bcoles bcoles@gmail.com
Platform
BSD
Architectures
x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.