Allele Security Alert
Identifiers: ASA-2019-00405, CVE-2019-5602, FreeBSD-SA-19:11.cd_ioctl
Title: Privilege escalation in cd driver
Vendor: The FreeBSD Project
Affected versions: All supported versions of FreeBSD
Fixed versions:
2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)
Proof of concept
The cd(4) driver implements a number of ioctls to permit low-level access to the media in the CD-ROM device. The Linux emulation layer provides a corresponding set of ioctls, some of which are implemented as wrappers of native cd(4) ioctls.
These ioctls are available to users in the operator group, which gets read-only access to cd(4) devices by default.
To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read access to a cd(4) device to arbitrarily overwrite kernel memory when some media is present in the device.
A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.
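The defect class described above, a copy path whose destination is a kernel address but which is selectable by a field the userland caller controls, and the shape of its fix, as an added model written for this page; it is not FreeBSD's cd(4) or Linux emulation code. The names (`subchan_ioctl_vulnerable`, `subchan_ioctl_fixed`, `struct subchan_req`, the `caller` enum), the flat byte arrays standing in for kernel and user memory, and the sample subchannel bytes are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not FreeBSD code: two flat byte arrays stand in for
 * kernel and user memory, and an ioctl-style request carries the destination
 * offset plus a flag meaning "destination is a kernel address". That flag is
 * meant for in-kernel wrapper callers only. */

#define KMEM_SIZE   64
#define UMEM_SIZE   64
#define SUBCHAN_LEN 8

static unsigned char kmem[KMEM_SIZE]; /* simulated kernel memory */
static unsigned char umem[UMEM_SIZE]; /* simulated user memory */

/* Constructed sample subchannel bytes, as if read from inserted media. */
static const unsigned char subchan_data[SUBCHAN_LEN] =
    { 0x01, 0x10, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00 };

enum caller { CALLER_USER, CALLER_KERNEL };
enum { RES_OK = 0, RES_EPERM = -1, RES_EFAULT = -2 };

struct subchan_req {
    size_t dest_off;       /* offset of the buffer within the chosen region */
    bool   dest_is_kernel; /* caller asks for a direct kernel-address copy */
};

/* Shared bounds-checked copy of the subchannel data into one region. */
static int do_copy(unsigned char *region, size_t region_size, size_t off)
{
    if (off > region_size || region_size - off < SUBCHAN_LEN)
        return RES_EFAULT;
    memcpy(region + off, subchan_data, SUBCHAN_LEN);
    return RES_OK;
}

/* Vulnerable pattern: the kernel-destination path is chosen purely by a
 * request field, so a userland request can steer the copy into kernel memory. */
int subchan_ioctl_vulnerable(enum caller who, const struct subchan_req *req)
{
    (void)who; /* the caller's context is never consulted */
    if (req->dest_is_kernel)
        return do_copy(kmem, KMEM_SIZE, req->dest_off);
    return do_copy(umem, UMEM_SIZE, req->dest_off);
}

/* Hardened pattern: the kernel-destination path is reachable only when the
 * request originates inside the kernel; userland always gets the user path. */
int subchan_ioctl_fixed(enum caller who, const struct subchan_req *req)
{
    if (req->dest_is_kernel) {
        if (who != CALLER_KERNEL)
            return RES_EPERM;
        return do_copy(kmem, KMEM_SIZE, req->dest_off);
    }
    return do_copy(umem, UMEM_SIZE, req->dest_off);
}

void reset_memory(void)
{
    memset(kmem, 0, sizeof kmem);
    memset(umem, 0, sizeof umem);
}

/* True if anything has been written into the simulated kernel memory. */
bool kernel_memory_touched(void)
{
    static const unsigned char zero[KMEM_SIZE]; /* static: zero-initialised */
    return memcmp(kmem, zero, KMEM_SIZE) != 0;
}

/* Runs a userland request with the kernel flag set through the given handler
 * and reports whether simulated kernel memory was modified. */
bool userland_can_write_kernel(int (*handler)(enum caller,
                                              const struct subchan_req *))
{
    struct subchan_req req = { .dest_off = 16, .dest_is_kernel = true };
    reset_memory();
    handler(CALLER_USER, &req);
    return kernel_memory_touched();
}

int main(void)
{
    printf("vulnerable handler: userland wrote kernel memory = %d\n",
           userland_can_write_kernel(subchan_ioctl_vulnerable));
    printf("fixed handler:      userland wrote kernel memory = %d\n",
           userland_can_write_kernel(subchan_ioctl_fixed));
    return 0;
}
```

The check to take from this: whether a copy lands in kernel memory must be decided by where the request comes from, not by a value carried in the request itself. In review, any ioctl handler that accepts a caller-supplied "this pointer is a kernel address" selector deserves the same question the advisory answers.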
References:
Privilege escalation in cd(4) driver
[base] Revision 349628
[base] Revision 349625
[base] Revision 349629
Exploiting a No-Name FreeBSD Kernel Vulnerability
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: July 26, 2019