# Title: Windows NT User Mode to Ring 0 Escalation Vulnerability
# EDB-ID: 11199
# CVE-ID: ( 2010-0232 )
# OSVDB-ID: ()
# Author: Tavis Ormandy
# Published: 2010-01-19
# Verified: yes
# Download Exploit Code
# Download N/A
There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time ago *sigh*. Now it pays off.
This summer may have caused a few burdens for Linux administrators. With all the patching necessary to keep their systems out of the hands of those who would choose to exploit them, unless you're using something like Ksplice, you've more than likely rebooted many times already. Well, here is one more reason to wake up this early this morning...
There are a number of privilege escalation attacks known for Oracle. These exist mainly because, by default, PL/SQL procedures and functions run with the privileges of the definer (AUTHID DEFINER) and not those of the invoker (AUTHID CURRENT_USER). Think of it like SUID files: whatever the procedure does, it does with the owner's rights, so any flaw inside it is reachable by whoever may execute it.
The vulnerability is caused by the IOCTL handler of the "tmactmon.sys"
driver improperly validating user-space parameters. The exploit executes
arbitrary code in kernel space via a specially crafted IOCTL.
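The bug class named above (an IOCTL handler trusting a caller-supplied pointer and length), as an added example that is not code from tmactmon.sys or from this advisory: a constructed user-space simulation in C of the check a kernel IOCTL handler must perform before it touches caller-supplied memory. The 0x7FFF0000 user-mode limit, the request structure, the access record and every function name here are assumptions made for illustration; a real Windows driver does this with ProbeForRead/ProbeForWrite inside a __try block rather than with these stand-ins.

```c
/* Constructed simulation of user-pointer validation in an IOCTL handler.
 * Not driver code: addresses are plain integers and nothing is dereferenced. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: the user/kernel split of 32-bit Windows, where MmUserProbeAddress
 * is 0x7FFF0000 and anything at or above it belongs to the kernel. */
#define USER_LIMIT 0x7FFF0000u

enum status { STATUS_OK = 0, STATUS_ACCESS_VIOLATION = 1 };

/* The two values an IOCTL caller controls: where the buffer is and how long it is. */
typedef struct {
    uint32_t buf;
    uint32_t length;
} ioctl_request;

/* Records the range a handler would have accessed so the outcome can be inspected. */
typedef struct {
    uint32_t lo, hi;
    bool touched_kernel;
} access_record;

/* Stand-in for ProbeForRead/ProbeForWrite: a range is acceptable only if it
 * starts below USER_LIMIT and ends at or below it without wrapping past
 * 0xFFFFFFFF. The subtraction form avoids the integer overflow that a naive
 * `buf + length <= USER_LIMIT` check would suffer. */
bool probe_user_range(uint32_t buf, uint32_t length)
{
    if (length == 0)
        return true;                 /* nothing will be touched */
    if (buf >= USER_LIMIT)
        return false;                /* starts in kernel space */
    if (length > USER_LIMIT - buf)
        return false;                /* ends past the limit, or wraps around */
    return true;
}

/* Vulnerable shape: the caller's pointer and length are used as given. A
 * request naming a kernel address makes the driver read or write kernel
 * memory on the caller's behalf. */
enum status handler_unchecked(const ioctl_request *req, access_record *rec)
{
    rec->lo = req->buf;
    rec->hi = req->buf + req->length;      /* may wrap, exactly as a real overflow would */
    rec->touched_kernel = req->buf >= USER_LIMIT
                       || rec->hi < rec->lo
                       || rec->hi > USER_LIMIT;
    return STATUS_OK;
}

/* Hardened shape: probe the range first and fail the request if it is not
 * entirely user-mode memory. */
enum status handler_checked(const ioctl_request *req, access_record *rec)
{
    rec->lo = rec->hi = 0;
    rec->touched_kernel = false;
    if (!probe_user_range(req->buf, req->length))
        return STATUS_ACCESS_VIOLATION;
    return handler_unchecked(req, rec);
}

/* Drives both handlers with the same request (constructed input) and reports
 * whether the hardened one blocked a request the unchecked one let through. */
bool hostile_request_is_blocked(uint32_t buf, uint32_t length)
{
    ioctl_request req = { buf, length };
    access_record unchecked, checked;
    handler_unchecked(&req, &unchecked);
    enum status s = handler_checked(&req, &checked);
    return unchecked.touched_kernel
        && s == STATUS_ACCESS_VIOLATION
        && !checked.touched_kernel;
}

int main(void)
{
    /* Three shapes of hostile request: a kernel address, a range that crosses
     * the boundary, and a length that wraps the address space; then a benign one. */
    printf("kernel address blocked:    %d\n", hostile_request_is_blocked(0x80000000u, 16));
    printf("boundary crossing blocked: %d\n", hostile_request_is_blocked(USER_LIMIT - 8, 16));
    printf("wraparound blocked:        %d\n", hostile_request_is_blocked(0xFFFFFFF0u, 0x20));
    printf("benign request blocked:    %d\n", hostile_request_is_blocked(0x00400000u, 16));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. Two caveats a practitioner would add: probing is what matters for METHOD_NEITHER and any handler that follows pointers embedded inside the input buffer, and probing alone does not close a time-of-check/time-of-use window, since user mode can remap or free the page after the probe; the handler should copy the caller's data into a kernel-owned buffer once, and work only on that copy.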
This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other versions of FreeBSD may also be affected;
OpenBSD and NetBSD were not tested but MAY contain the same bug for
historic reasons.
Multiple Kaspersky Products 'klim5.sys' Local Privilege Escalation Vulnerability