The FreeBSD execve() problem this time around...
#advisory #bug #escalation #execve #freebsd #local #lpe #privilege #root #security
Local privilege escalation via execve()
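A local privilege escalation vulnerability (CVE-2026-7270) has been discovered in FreeBSD: an operator precedence bug in the execve() system call causes a buffer overflow, through which an unprivileged user can gain superuser privileges. The vulnerability affects several release and stable branches of FreeBSD 13, 14, and 15. Patches are now available, so updating and rebooting systems immediately is advised. There is no workaround, and the kernel may need to be recompiled after the patch is applied.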
https://www.freebsd.org/security/advisories/FreeBSD-SA-26:13.exec.asc
#freebsd #security #localprivilegeescalation #execve #cve20267270
FreeBSD: Local Privilege Escalation via Execve()
https://www.freebsd.org/security/advisories/FreeBSD-SA-26:13.exec.asc
#HackerNews #FreeBSD #Privilege #Escalation #Execve #Security #Vulnerability
Upcoming features for #tracexec
#Exec backtrace and jump to parent
In the next release, the #TUI will support gathering the exec #backtrace of any exec event, which will greatly simplify the debugging experience.
The exec backtrace shows the history of a specific event and indicates whether any ancestor spawns or directly tears itself down and becomes the new process.
Jump to parent is a lighter alternative to backtrace, where you just press `U` to jump to the parent exec event.
Yes, you might find versions of getopt.c around the place that have an `if (argc < 1)` check. Not this one in the current source code for GCC, though:
Psst!
The buggy test program that blocked the EINVAL fix in Linux still has the bug today, two years later.
https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/src/vfs/vfstest.c#n503
Amusingly, the subordinate program is a copy of the same program, and it starts by calling getopt_long_only(), one of whose earliest actions is:
`optind = 1; /* Don't scan ARGV[0], the program name. */`
followed closely by:
`if (optind != argc && !strcmp (argv[optind], "--"))`
argc is 0 at this point.
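The argc == 0 case from the posts above, as an added example that is not part of the original posts and is not code from getopt.c, GCC or xfstests. The function names and the sample argument vectors are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not getopt.c, GCC or xfstests code. */

/* The condition quoted above, evaluated without touching argv:
 * returns 1 when `optind != argc` would let argv[optind] be read. */
int quoted_condition_reads_argv(int argc)
{
    int optind = 1;          /* "Don't scan ARGV[0], the program name." */
    return optind != argc;   /* true for argc == 0, so argv[1] is read */
}

/* Guarded variant: returns the index where option scanning starts,
 * or -1 when the process was started with an empty argument vector. */
int first_scan_index(int argc, char *const argv[])
{
    int optind = 1;
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;           /* argv[1] lies past the NULL terminator */
    if (optind < argc && strcmp(argv[optind], "--") == 0)
        optind++;            /* skip a leading "--" */
    return optind;
}

int main(void)
{
    /* Constructed argument vectors, shaped as execve() delivers them. */
    char *empty[]  = { NULL };                      /* argc == 0 */
    char *plain[]  = { "prog", "-v", NULL };        /* argc == 2 */
    char *dashes[] = { "prog", "--", "f", NULL };   /* argc == 3 */

    printf("argc=0: quoted condition would read argv[1]: %d\n",
           quoted_condition_reads_argv(0));
    printf("argc=0: guarded start index: %d\n", first_scan_index(0, empty));
    printf("argc=2: guarded start index: %d\n", first_scan_index(2, plain));
    printf("argc=3: guarded start index: %d\n", first_scan_index(3, dashes));
    return 0;
}
```

The difference is `optind < argc` instead of `optind != argc`, plus an explicit rejection of an empty argument vector before anything indexes past `argv[0]`.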