
FreeBSD 6.4 pipeclose()/knlist_cleardel() race condition exploit

FreeBSD 6.4 and below are vulnerable to a race condition between pipeclose() and
knlist_cleardel() resulting in a NULL pointer dereference. The following code
exploits the vulnerability to run code in kernel mode, giving a root shell and
escaping from a jail.


The bug was fixed a week ago and an official security advisory was issued:


* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@xxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *