CVE-2012-0217 Intel’s sysret Kernel Privilege Escalation on FreeBSD Demo

Timeline :

Vulnerability discovered by Rafal Wojtczuk
Coordinate public release of the vulnerability the 2012-06-12
FreeBSD PoC provided by fail0verflow the 2012-07-05

PoC provided by :

Rafal Wojtczuk
John Baldwin
fail0verflow

Reference(s) :

CVE-2012-0217
OSVDB-82949
FreeBSD-SA-12:04.sysret

Affected version(s) :

All supported versions of FreeBSD previous

Tested on FreeBSD 9.0-RELEASE

Description :

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.

Commands :

uname -a
id
gcc -o CVE-2012-0217-sysret_FreeBSD CVE-2012-0217-sysret_FreeBSD.c
./CVE-2012-0217-sysret_FreeBSD
id