CVE-2010-4210 - Improper Locking vulnerability in FreeBSD
- Attack vector: LOCAL
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH
Summary
The pfs_getextattr function in FreeBSD 7.x before 7.3-RELEASE and 8.x before 8.0-RC1 unlocks a mutex that was not previously locked, which allows local users to cause a denial of service (kernel panic), overwrite arbitrary memory locations, and possibly execute arbitrary code via vectors related to opening a file on a file system that uses pseudofs.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 49 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
- Leveraging Race Conditions via Symbolic Links: This attack leverages the use of symbolic links (symlinks) in order to write to sensitive files. An attacker can create a symlink to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the symlink, it will actually write to the target file pointed to by the attacker's symlink. If the attacker can insert malicious content into the temporary file, she will be writing to the sensitive file by way of the symlink. The race occurs because the system first checks whether the temporary file exists and then creates the file. The attacker would typically create the symlink during the interval between the check and the creation of the temporary file.
Exploit-Db
description | FreeBSD - 'pseudofs' NULL Pointer Dereference Local Privilege Escalation Vulnerability. CVE-2010-4210. Local exploit for bsd platform |
file | exploits/bsd/local/15206.c |
id | EDB-ID:15206 |
last seen | 2016-02-01 |
modified | 2010-10-04 |
platform | bsd |
port | |
published | 2010-10-04 |
reporter | Babcia Padlina |
source | https://www.exploit-db.com/download/15206/ |
title | FreeBSD - 'pseudofs' NULL Pointer Dereference Local Privilege Escalation Vulnerability |
type | local |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 44782 CVE ID: CVE-2010-4210 FreeBSD is a freely usable, open-source Unix-like operating system that runs on the Intel platform. The pfs_getextattr(9) function in FreeBSD's pseudofs module, which handles extended attributes, attempts to unlock a mutex that has not previously been locked. On systems where a file system using pseudofs is loaded and null page mappings are permitted, an attacker can overwrite arbitrary memory locations in the kernel with zero and, in some cases, execute arbitrary code in kernel context. On systems that do not permit null page mappings, an attacker can tie up the FreeBSD kernel. Affected: FreeBSD 8.x, FreeBSD 7.x. Workaround: * Unmount procfs(5) and linprocfs(5). Vendor patch: FreeBSD ------- FreeBSD has released a security advisory (FreeBSD-SA-10:09) together with the corresponding patch: FreeBSD-SA-10:09: Spurious mutex unlock Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-10:09.pseudofs.asc Patch download: Perform one of the following steps: 1) Upgrade the vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_7_1 security branch dated after the correction date. 2) To update the vulnerable system via the source code patch: the following patch has been verified to apply to FreeBSD 7.1 systems. a) Download the relevant patch from the location below and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-10:09/pseudofs.patch # fetch http://security.FreeBSD.org/patches/SA-10:09/pseudofs.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. |
id | SSV:20254 |
last seen | 2017-11-19 |
modified | 2010-11-17 |
published | 2010-11-17 |
reporter | Root |
title | FreeBSD kernel pseudofs module local memory overwrite vulnerability |