NetBSD Coredump Kernel Refcount LPE
Fairly straightforward refcount leak bug in the coredump function of the kernel. It takes a reference on the process credentials to ensure they don't get destroyed while in use, but it doesn't release that reference on the error exit path. Here, it was easy to trigger a failure case via the vn_open() call that opens a vnode for the output file: simply providing a path that your process doesn't have permission to write to makes the call error out and leak the reference. Since the reference count is 32-bit and is bumped with a plain atomic_inc, it is also feasible to exploit.

Exploitation was somewhat interesting because it ultimately gives you a UAF in the kauth_cred_t zone rather than the general-purpose zone. However, you could overlap your cred with a more privileged cred for an easy and reliable privilege escalation.
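The take-a-reference-then-fail-to-release pattern and its fix, as an added C model that is not NetBSD's coredump code: cred_hold, cred_free, vn_open_model and the leaked_refs audit helper are hypothetical stand-ins for the kernel's credential and vnode calls, and the "/tmp/" writability rule is a constructed substitute for real permission checks.

```c
/* Constructed model of the refcount-leak pattern described above.
 * Not NetBSD's coredump code; all names here are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct cred_model {
    uint32_t refcnt;   /* models the 32-bit reference count on the cred */
};

static void cred_hold(struct cred_model *c) { c->refcnt++; }
static void cred_free(struct cred_model *c) { c->refcnt--; }

/* Stand-in for vn_open(): only paths under /tmp/ are "writable" here. */
static int vn_open_model(const char *path)
{
    return (strncmp(path, "/tmp/", 5) == 0) ? 0 : EACCES;
}

/* Buggy variant: the error path returns without dropping the reference. */
int coredump_leaky(struct cred_model *cred, const char *path)
{
    cred_hold(cred);
    int error = vn_open_model(path);
    if (error != 0)
        return error;      /* BUG: reference taken above is never released */
    /* ... dump would be written here ... */
    cred_free(cred);
    return 0;
}

/* Fixed variant: every exit path releases the reference it took. */
int coredump_fixed(struct cred_model *cred, const char *path)
{
    cred_hold(cred);
    int error = vn_open_model(path);
    if (error != 0)
        goto out;
    /* ... dump would be written here ... */
out:
    cred_free(cred);       /* balanced on both success and error */
    return error;
}

/* Audit helper: run a dump attempt n times and report how many references
 * are left over (refcnt delta). A non-zero result means a leak. */
uint32_t leaked_refs(int (*dump)(struct cred_model *, const char *),
                     const char *path, unsigned n)
{
    struct cred_model c = { .refcnt = 1 };
    for (unsigned i = 0; i < n; i++)
        dump(&c, path);
    return c.refcnt - 1;
}
```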