FreeBSD 6.4 and below are vulnerable to a race condition between pipeclose() and knlist_cleardel(), resulting in a NULL pointer dereference. The following code exploits the vulnerability to run code in kernel mode, giving a root shell and escaping from jail.

http://www.frasunek.com/pipe.txt

The bug was fixed a week ago and an official security advisory was issued:
http://security.freebsd.org/advisories/FreeBSD-SA-09:13.pipe.asc

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: [email protected] ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
