Hi Shawn,
Nice PoC, but it doesn't work with security.bsd.unprivileged_proc_debug=0,
which was initially enabled in the menu with hardening options.
Pawel.
On 20 June 2017 at 14:15, Shawn Webb <shawn.webb at hardenedbsd.org>
wrote:
> On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> > Hi,
> >
> > I assume the FreeBSD security team is already aware of the Stack Clash
> > vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.
> >
> > Just in case, here is the analysis document from Qualys:
> >
> > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> FreeBSD is indeed affected. I've written a PoC, which works even with
> the stack guard enabled:
>
> https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder and Security Engineer
> HardenedBSD
>
> GPG Key ID: 0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
>
--
One of God's own prototypes. A high-powered mutant of some kind never
even considered for mass production. Too weird to live, and too rare to die.