Vigil@nce - FreeBSD: denial of service via execve
June 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use execve() from a multi-threaded process on
FreeBSD, in order to trigger a denial of service.
Impacted products: Debian, FreeBSD
Severity: 1/4
Creation date: 04/06/2014
DESCRIPTION OF THE VULNERABILITY
The execve() and fexecve() system calls replace the current
process by a new image.
The FreeBSD kernel optimizes this change by replacing the Virtual
Memory Address Space. However, if the process had threads not yet
terminated, they can use the old addresses, which triggers a
Triple-Fault.
A local attacker can therefore use execve() from a multi-threaded
process on FreeBSD, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-denial-of-service-via-execve-14840