module
FreeBSD Intel SYSRET Privilege Escalation
| Disclosed |
|---|
| 2012-06-12 |
Disclosed
2012-06-12
Description
This module exploits a vulnerability in the FreeBSD kernel,
when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET
instruction with a non-canonical address in the RCX register.
However, Intel processors check for a non-canonical address prior to
dropping privileges, causing a GPF in privileged mode. As a result,
the current userland RSP stack pointer is restored and executed,
resulting in privileged code execution.
This module has been tested successfully on:
FreeBSD 8.3-RELEASE (amd64); and
FreeBSD 9.0-RELEASE (amd64).
when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET
instruction with a non-canonical address in the RCX register.
However, Intel processors check for a non-canonical address prior to
dropping privileges, causing a GPF in privileged mode. As a result,
the current userland RSP stack pointer is restored and executed,
resulting in privileged code execution.
This module has been tested successfully on:
FreeBSD 8.3-RELEASE (amd64); and
FreeBSD 9.0-RELEASE (amd64).
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.