// For flags

CVE-2012-0217

FreeBSD - Intel SYSRET Privilege Escalation

Severity Score

7.2
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.

El modo de usuario Scheduler en el núcleo en Microsoft Windows Server v2008 R2 y R2 SP1 y Windows v7 Gold y SP1 sobre la plataforma x64 no maneja adecuadamente solicitudes del sistema, lo que permite a usuarios locales obtener privilegios a través de una aplicación modificada, también conocida como "vulnerabilidad de corrupción de memoria de modo de usuario Scheduler".

It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Adjacent
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2011-12-14 CVE Reserved
  • 2012-06-12 CVE Published
  • 2012-08-27 First Exploit
  • 2024-03-11 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (30)
URL Tag Source
http://blog.illumos.org/2012/06/14/illumos-vulnerability-patched X_refsource_confirm
http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation X_refsource_confirm
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html Mailing List
http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html Mailing List
http://secunia.com/advisories/55082 Third Party Advisory
http://smartos.org/2012/06/15/smartos-news-3 X_refsource_confirm
http://support.citrix.com/article/CTX133161 X_refsource_confirm
http://wiki.smartos.org/display/DOC/SmartOS+Change+Log#SmartOSChangeLog-June14%2C2012 X_refsource_confirm
http://www.kb.cert.org/vuls/id/649219 Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html X_refsource_confirm
http://www.us-cert.gov/cas/techalerts/TA12-164A.html Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15596 Signature
https://www.illumos.org/issues/2873 X_refsource_confirm
https://www.freebsd.org/security/patches/SA-12:04/sysret.patch
https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation
https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c
https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd
https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation
URL Date SRC
https://www.exploit-db.com/exploits/46508 2024-08-06
https://www.exploit-db.com/exploits/28718 2024-08-06
https://www.exploit-db.com/exploits/20861 2012-08-27
URL Date SRC
URL Date SRC
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc 2020-09-28
http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc 2012-06-12
http://security.gentoo.org/glsa/glsa-201309-24.xml 2020-09-28
http://www.debian.org/security/2012/dsa-2501 2020-09-28
http://www.debian.org/security/2012/dsa-2508 2020-09-28
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 2020-09-28
https://bugzilla.redhat.com/show_bug.cgi?id=813428 2012-06-12
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-042 2020-09-28
https://access.redhat.com/security/cve/CVE-2012-0217 2012-06-12
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Freebsd
Search vendor "Freebsd"
 Freebsd
Search vendor "Freebsd" for product "Freebsd"
 <= 9.0
Search vendor "Freebsd" for product "Freebsd" and version " <= 9.0"
-
Affected
Illumos
Search vendor "Illumos"
 Illumos
Search vendor "Illumos" for product "Illumos"
 <= r13723
Search vendor "Illumos" for product "Illumos" and version " <= r13723"
-
Affected
Joyent
Search vendor "Joyent"
 Smartos
Search vendor "Joyent" for product "Smartos"
 <= 20120614
Search vendor "Joyent" for product "Smartos" and version " <= 20120614"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 <= 4.1.2
Search vendor "Xen" for product "Xen" and version " <= 4.1.2"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 4.0.0
Search vendor "Xen" for product "Xen" and version "4.0.0"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 4.0.1
Search vendor "Xen" for product "Xen" and version "4.0.1"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 4.0.2
Search vendor "Xen" for product "Xen" and version "4.0.2"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 4.0.3
Search vendor "Xen" for product "Xen" and version "4.0.3"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 4.0.4
Search vendor "Xen" for product "Xen" and version "4.0.4"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 4.1.0
Search vendor "Xen" for product "Xen" and version "4.1.0"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
 4.1.1
Search vendor "Xen" for product "Xen" and version "4.1.1"
-
Affected
Microsoft
Search vendor "Microsoft"
 Windows 7
Search vendor "Microsoft" for product "Windows 7"
*x64
Affected
Microsoft
Search vendor "Microsoft"
 Windows 7
Search vendor "Microsoft" for product "Windows 7"
*sp1, x64
Affected
Microsoft
Search vendor "Microsoft"
 Windows Server 2003
Search vendor "Microsoft" for product "Windows Server 2003"
*sp2
Affected
Microsoft
Search vendor "Microsoft"
 Windows Server 2008
Search vendor "Microsoft" for product "Windows Server 2008"
 r2
Search vendor "Microsoft" for product "Windows Server 2008" and version "r2"
x64
Affected
Microsoft
Search vendor "Microsoft"
 Windows Xp
Search vendor "Microsoft" for product "Windows Xp"
*sp3
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 <= 6.0.2
Search vendor "Citrix" for product "Xenserver" and version " <= 6.0.2"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 6.0
Search vendor "Citrix" for product "Xenserver" and version "6.0"
-
Affected
Netbsd
Search vendor "Netbsd"
 Netbsd
Search vendor "Netbsd" for product "Netbsd"
 <= 6.0
Search vendor "Netbsd" for product "Netbsd" and version " <= 6.0"
beta
Affected
Sun
Search vendor "Sun"
 Sunos
Search vendor "Sun" for product "Sunos"
 <= 5.11
Search vendor "Sun" for product "Sunos" and version " <= 5.11"
-
Affected