NetBSD Coredump Kernel Refcount LPE

We discussed this vulnerability during Episode 164 on 01 November 2022

Fairly straightforward refcount leak bug in the coredump function of the kernel. It takes a reference on the process credentials to ensure they don't get destroyed while in use, but it doesn't release that reference on the error exit path. Here, it was easy to trigger a fail case via the vn_open() call that opens a vnode for the file being written. By simply providing a path that your process doesn't have permission to write to, the call errors out and the reference is leaked. Since the reference count is 32-bit and just uses an atomic_inc, it's also feasible to exploit.
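The leak pattern described above, modelled in a few lines of C as an added example (not NetBSD's code): a hypothetical cred_t with a 32-bit count, a stubbed vn_open that fails for a non-writable path, and the leaky routine beside the corrected one that drops the reference on every exit path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for a kauth_cred_t: a 32-bit refcount and a freed flag. */
typedef struct cred {
    uint32_t refcnt;
    bool freed;
} cred_t;

static void cred_hold(cred_t *c) { c->refcnt++; }  /* the kernel uses an atomic_inc */
static void cred_free(cred_t *c) {
    if (--c->refcnt == 0) c->freed = true;          /* object destroyed at zero */
}

/* Hypothetical stand-in for vn_open(): fails when the target path is not writable. */
static int vn_open_stub(bool path_writable) { return path_writable ? 0 : EACCES; }

/* Leaky version: the hold is taken, but the error exit returns without a release. */
static int coredump_leaky(cred_t *c, bool path_writable) {
    cred_hold(c);
    int error = vn_open_stub(path_writable);
    if (error != 0)
        return error;          /* BUG: reference still held, count drifts upward */
    cred_free(c);
    return 0;
}

/* Fixed version: every exit path drops the reference it took. */
static int coredump_fixed(cred_t *c, bool path_writable) {
    cred_hold(c);
    int error = vn_open_stub(path_writable);
    if (error != 0) {
        cred_free(c);          /* release on the error path too */
        return error;
    }
    cred_free(c);
    return 0;
}

/* Run n failing coredump attempts against one cred and report the refcount left behind. */
static uint32_t refcnt_after_failures(int (*fn)(cred_t *, bool), unsigned n) {
    cred_t c = { .refcnt = 1, .freed = false };   /* one reference owned by the process */
    for (unsigned i = 0; i < n; i++)
        fn(&c, false);                            /* non-writable path: vn_open fails */
    return c.refcnt;
}
```

With the leaky routine the count grows by one per failed attempt; with the fixed routine it returns to the process's single reference every time.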

Exploitation was somewhat interesting as it ultimately gives you a UAF in the kauth_cred_t zone and not the general purpose zone. However, you could overlap your cred with a more privileged cred for an easy and reliable privilege escalation.