FreeBSD 7.0 - 7.2 pseudofs null pointer dereference
Disclosed by: Przemyslaw Frasunek
18/08/2010

1. Synopsis

Starting from FreeBSD 5.0, the system supports POSIX extended attributes,
allowing to store metadata associated with file. Those attributes can be
manipulated using extattr_* syscalls.

One of the filesystems supporting extended attributes is pseudofs, on which
procfs and linprocfs are based.

2. Attack vector

Due to spurious call to pfs_unlock() in pfs_getattr() (as defined in
sys/fs/pseudofs/pseudofs_vnops.c), null pointer is dereferenced after calling
extattr_get_attribute() on pseudofs vnode.

By allocating page at address 0x0, attacker can overwrite arbitrarly chosen
portion of kernel memory, leading to crash or local root escalation.

3. Workaround

Procfs and linprocfs are not mounted in default FreeBSD install.

By setting sysctl security.bsd.map_at_zero to 0 (which is default in 8.x
branch), the vulnerability can be exploited to cause system crash, not privilege
escalation.

4. Patch

The bug was fixed in following commit:

http://svn.freebsd.org/viewvc/base?view=revision&revision=196689

Nevertheless it was not recognized as security vulnerability. The following
versions are vulnerable:

7.0-RELEASE
7.1-RELEASE
7.2-RELEASE
8.0-RELEASE (system crash only)

Not vulnerable versions:

6.x-RELEASE
7.3-RELEASE
8.1-RELEASE
7-STABLE and 8-STABLE after 05/09/2009

5. Exploit code

There is a working exploit, allowing to gain local root privileges. It will be
released after 14 days from this advisory.