ASA-2019-00405 – FreeBSD: Privilege escalation in cd driver


Allele Security Alert

ASA-2019-00405

Identifier(s)

ASA-2019-00405, CVE-2019-5602, FreeBSD-SA-19:11.cd_ioctl

Title

Privilege escalation in cd driver

Vendor(s)

The FreeBSD Project

Product(s)

FreeBSD

Affected version(s)

All supported versions of FreeBSD

Fixed version(s)

2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)

Proof of concept

Yes

Description

The cd(4) driver implements a number of ioctls to permit low-level access to the media in the CD-ROM device. The Linux emulation layer provides a corresponding set of ioctls, some of which are implemented as wrappers of native cd(4) ioctls.

These ioctls are available to users in the operator group, which gets read-only access to cd(4) devices by default.

To implement one particular ioctl, the Linux emulation code used a special interface in the cd(4) driver that copies subchannel information directly to a kernel address. This interface was erroneously made reachable from userland, so a user with read access to a cd(4) device could overwrite arbitrary kernel memory whenever media is present in the device.

A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.
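An added example, not part of this alert or of FreeBSD's own tooling: a POSIX sh check that maps a kernel version string in the format printed by `freebsd-version -k` onto the fixed patch levels listed above. It knows only the releng branches from this alert; stable/12 and stable/11 builds carry no -pN suffix and are reported as unknown.

```shell
#!/bin/sh
# Added example: compare a FreeBSD kernel version string (e.g. "12.0-RELEASE-p6")
# against the patch levels that ship the fix for FreeBSD-SA-19:11.cd_ioctl.

# patch_level VERSION -> numeric patch level, 0 when there is no -pN suffix
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *) echo 0 ;;
    esac
}

# branch VERSION -> the version with any -pN suffix removed, e.g. 12.0-RELEASE
branch() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *) echo "$1" ;;
    esac
}

# fixed_patch_level BRANCH -> minimum fixed patch level from the advisory, or empty
fixed_patch_level() {
    case "$1" in
        12.0-RELEASE) echo 7 ;;
        11.3-RC3)     echo 1 ;;
        11.2-RELEASE) echo 11 ;;
        *) echo "" ;;
    esac
}

# cd_ioctl_status VERSION -> prints fixed | vulnerable | unknown
cd_ioctl_status() {
    b=$(branch "$1")
    need=$(fixed_patch_level "$b")
    if [ -z "$need" ]; then
        echo unknown   # branch not covered by the advisory's fixed-version table
        return
    fi
    have=$(patch_level "$1")
    if [ "$have" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# On a FreeBSD host check the running kernel; elsewhere use a constructed sample.
if command -v freebsd-version >/dev/null 2>&1; then
    v=$(freebsd-version -k)
else
    v="12.0-RELEASE-p6"   # constructed sample input
fi
echo "$v: $(cd_ioctl_status "$v")"
```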

Technical details

Unknown

Workaround

Unknown

Credits

Alex Fortune

Reference(s)

Privilege escalation in cd(4) driver
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc

[base] Revision 349628
https://svnweb.freebsd.org/base?view=revision&revision=r349628

[base] Revision 349625
https://svnweb.freebsd.org/base?view=revision&revision=r349625

[base] Revision 349629
https://svnweb.freebsd.org/base?view=revision&revision=r349629

Exploiting a No-Name FreeBSD Kernel Vulnerability
https://www.synacktiv.com/posts/exploit/exploiting-a-no-name-freebsd-kernel-vulnerability.html

CVE-2019-5602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5602

CVE-2019-5602
https://nvd.nist.gov/vuln/detail/CVE-2019-5602

If there is any error in this alert, or you would like a comprehensive analysis, let us know.

Last modified: July 26, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.