SEBUG
Affected Versions:
FreeBSD 6.x
Vulnerability description:
FreeBSD is an open-source operating system.
FreeBSD has multiple security issues:
- The pipe close() implementation related to kqueues has a use-after-free error, which can lead to an exploitable NULL pointer vulnerability, kernel memory corruption, and other unpredictable results. Successful exploitation of the vulnerability can lead to elevation of privilege, kernel data corruption or a crash.
- On most architectures, FreeBSD divides the virtual memory address space of a process into two parts: user and kernel. This improves system call performance by avoiding a full address space switch when a process enters the kernel, and it improves the performance of kernel access to user memory.
However, in this design, address 0 is part of the user-controllable portion of the virtual address space. If the kernel dereferences a NULL pointer because of a kernel bug, code or data that a malicious process has mapped at address 0 can influence kernel behavior. If a malicious user process maps code or data at address 0 and a kernel bug then causes a call through a NULL pointer, the kernel can execute arbitrary code with kernel privilege instead of crashing.
References:
http://security.freebsd.org/advisories/FreeBSD-EN-09:05.null.asc
http://security.freebsd.org/advisories/FreeBSD-SA-09:13.pipe.asc
http://secunia.com/advisories/36955
Security suggestions:
FreeBSD:
For the pipe close() issue, use one of the following methods:
1) Upgrade the vulnerable system to 6-STABLE, or to the RELENG_6_4 or RELENG_6_3 security branch dated after the correction date.
2) Patch the current system:
The following patch has been verified to apply to FreeBSD 6.3 and 6.4 systems.
A) Download the patch from the following location and use a PGP tool to verify the detached PGP signature.
# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
B) Run the following commands as root:
# cd /usr/src
# patch < /path/to/patch
C) Recompile the kernel and restart the system as described in
For the NULL pointer dereference issue, use one of the following methods:
1) Upgrade the vulnerable system to 6-STABLE, 7-STABLE or 8-RC, or to the RELENG_7_2, RELENG_7_1, RELENG_6_4 or RELENG_6_3 security branch dated after the correction date.
2) Patch the current system:
The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1, and 7.2 systems.
A) Download the relevant patch from the following locations and use a PGP tool to verify the detached PGP signature.
[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/EN-09:05/null.patch
# fetch http://security.FreeBSD.org/patches/EN-09:05/null.patch.asc
[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/EN-09:05/null6.patch
# fetch http://security.FreeBSD.org/patches/EN-09:05/null6.patch.asc
Note: the FreeBSD 7.x patch can be used on FreeBSD 8, but this function is disabled by default.
B) Run the following commands as root:
# cd /usr/src
# patch < /path/to/patch
C) Recompile the kernel and restart the system as described in <URL: http://www.FreeBSD.org/handbook/kernelconfig.html>.
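Steps A and B of either procedure above can be gated so that an unverified or non-applying patch never touches the source tree. The following is an added example, not part of the advisory; the function name, VERIFY_CMD and SRC_DIR are assumptions introduced here, and it assumes gpg with the signing key already imported and a patch(1) that accepts --dry-run.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumptions: gpg is installed and
# the signing key is already in the keyring; VERIFY_CMD and SRC_DIR are
# hypothetical knobs introduced here.
: "${VERIFY_CMD:=gpg --verify}"   # invoked as: $VERIFY_CMD <sig> <patch>
: "${SRC_DIR:=/usr/src}"

# apply_signed_patch PATCH [SIG]
# Returns 0 applied, 2 file missing, 3 signature rejected, 4 does not apply.
apply_signed_patch() {
    asp_patch=$1
    asp_sig=${2:-$1.asc}
    [ -r "$asp_patch" ] && [ -r "$asp_sig" ] || return 2
    # The patch is read after cd, so make its path absolute first.
    case $asp_patch in /*) ;; *) asp_patch=$PWD/$asp_patch ;; esac

    # Step A: stop unless the detached signature verifies over the patch.
    $VERIFY_CMD "$asp_sig" "$asp_patch" >/dev/null 2>&1 || return 3

    # Step B: dry run first, so a failing hunk never leaves the tree half-patched.
    ( cd "$SRC_DIR" && patch --dry-run < "$asp_patch" ) >/dev/null 2>&1 || return 4
    ( cd "$SRC_DIR" && patch < "$asp_patch" ) >/dev/null 2>&1 || return 4
    # Step C (kernel rebuild and reboot) stays a manual, reviewed step.
    return 0
}

# Run as a script: sh apply_signed_patch.sh /path/to/pipe.patch
if [ "$#" -gt 0 ]; then
    apply_signed_patch "$@"
fi
```

gpg --verify exits 0 for a good signature from any key present in the keyring, so check the key's fingerprint against the one FreeBSD publishes before importing it.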