module
FreeBSD Intel SYSRET Privilege Escalation
| Disclosed | Created |
|---|---|
| 06/12/2012 | 03/19/2019 |
Disclosed
06/12/2012
Created
03/19/2019
Description
This module exploits a vulnerability in the FreeBSD kernel,
when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET
instruction with a non-canonical address in the RCX register.
However, Intel processors check for a non-canonical address prior to
dropping privileges, causing a GPF in privileged mode. As a result,
the current userland RSP stack pointer is restored and executed,
resulting in privileged code execution.
This module has been tested successfully on:
FreeBSD 8.3-RELEASE (amd64); and
FreeBSD 9.0-RELEASE (amd64).
when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET
instruction with a non-canonical address in the RCX register.
However, Intel processors check for a non-canonical address prior to
dropping privileges, causing a GPF in privileged mode. As a result,
the current userland RSP stack pointer is restored and executed,
resulting in privileged code execution.
This module has been tested successfully on:
FreeBSD 8.3-RELEASE (amd64); and
FreeBSD 9.0-RELEASE (amd64).
Authors
Rafal WojtczukJohn BaldwiniZshbcoles
Platform
BSD
Architectures
x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/freebsd/local/intel_sysret_priv_esc
msf /(c) > show actions
...actions...
msf /(c) > set ACTION < action-name >
msf /(c) > show options
...show and set options...
msf /(c) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.