This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.
f1711c3320d7c4e9f80661d007057fb1b0b673f47fb51ec2968a821bc6aa8991Gentoo Linux Security Advisory 201309-24 - Multiple vulnerabilities have been found in Xen, allowing attackers on a Xen Virtual Machine to execute arbitrary code, cause Denial of Service, or gain access to data on the host. Versions less than 4.2.2-r1 are affected.
42fbd346dc4e79100c814835fd5068ef0a6bd2ccc23977307e7f191f8be1cc22This is proof of concept code that demonstrates the Microsoft Windows kernel (Intel/x64) SYSRET vulnerability as described in MS12-042. The shellcode disables code signing and will grant NT SYSTEM privileges to a specified application or already running process.
55e5a8e72dbb887b38dad0ce6c7bebe03b8466705cf04ce1a1a8c9406a8c4db3Debian Linux Security Advisory 2508-1 - Rafal Wojtczuk from Bromium discovered that FreeBSD wasn't handling correctly uncanonical return addresses on Intel amd64 CPUs, allowing privilege escalation to kernel for local users.
7aebd5ce5840f094d51d7679c7d9ff0704d0af681bb872fa59cd27000b552673Debian Linux Security Advisory 2501-1 - Several vulnerabilities were discovered in Xen, a hypervisor.
aedc2dcb40c8f0ac3825bb16ea9ed2fab49038c45013687c7f01466444984580FreeBSD Security Advisory - The FreeBSD operating system implements a rings model of security, where privileged operations are done in the kernel, and most applications request access to these operations by making a system call, which puts the CPU into the required privilege level and passes control to the kernel. FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash.
50ab73e18c85232ccd993cef89e2d46586aa4f827d36aa88ad33256fe4a53d2dRed Hat Security Advisory 2012-0720-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.
4f93a8d3609af7b9395a9788c9a833f81f3cf75349cf85a1cb8f625a117d6395Red Hat Security Advisory 2012-0721-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.
a5b7f699084429bb0df03f79e3c77c3fe4d64db427a8e5ac1c2e51801bd8f6fe
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed