CVE-2012-0217

FreeBSD Intel SYSRET Privilege Escalation

Severity Score

7.2

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.

El modo de usuario Scheduler en el núcleo en Microsoft Windows Server v2008 R2 y R2 SP1 y Windows v7 Gold y SP1 sobre la plataforma x64 no maneja adecuadamente solicitudes del sistema, lo que permite a usuarios locales obtener privilegios a través de una aplicación modificada, también conocida como "vulnerabilidad de corrupción de memoria de modo de usuario Scheduler".

It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Adjacent

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2011-12-14 CVE Reserved
2012-06-12 CVE Published
2012-06-12 First Exploit
2024-03-11 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (31)

URL	Tag	Source
http://blog.illumos.org/2012/06/14/illumos-vulnerability-patched	X_refsource_confirm
http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation	X_refsource_confirm
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html	Mailing List
http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html	Mailing List
http://secunia.com/advisories/55082	Third Party Advisory
http://smartos.org/2012/06/15/smartos-news-3	X_refsource_confirm
http://support.citrix.com/article/CTX133161	X_refsource_confirm
http://wiki.smartos.org/display/DOC/SmartOS+Change+Log#SmartOSChangeLog-June14%2C2012	X_refsource_confirm
http://www.kb.cert.org/vuls/id/649219	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html	X_refsource_confirm
http://www.us-cert.gov/cas/techalerts/TA12-164A.html	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15596	Signature
https://www.illumos.org/issues/2873	X_refsource_confirm
https://www.freebsd.org/security/patches/SA-12:04/sysret.patch
https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation
https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c
https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd
https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation

URL	Date	SRC
https://www.exploit-db.com/exploits/46508	2024-08-06
https://www.exploit-db.com/exploits/28718	2024-08-06
https://www.exploit-db.com/exploits/20861	2012-08-27
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb	2012-06-12

URL	Date	SRC

URL	Date	SRC
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc	2020-09-28
http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc	2012-06-12
http://security.gentoo.org/glsa/glsa-201309-24.xml	2020-09-28
http://www.debian.org/security/2012/dsa-2501	2020-09-28
http://www.debian.org/security/2012/dsa-2508	2020-09-28
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150	2020-09-28
https://bugzilla.redhat.com/show_bug.cgi?id=813428	2012-06-12
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-042	2020-09-28
https://access.redhat.com/security/cve/CVE-2012-0217	2012-06-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				<= 9.0 Search vendor "Freebsd" for product "Freebsd" and version " <= 9.0"		-		Affected
Illumos Search vendor "Illumos"		Illumos Search vendor "Illumos" for product "Illumos"				<= r13723 Search vendor "Illumos" for product "Illumos" and version " <= r13723"		-		Affected
Joyent Search vendor "Joyent"		Smartos Search vendor "Joyent" for product "Smartos"				<= 20120614 Search vendor "Joyent" for product "Smartos" and version " <= 20120614"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				<= 4.1.2 Search vendor "Xen" for product "Xen" and version " <= 4.1.2"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.0.0 Search vendor "Xen" for product "Xen" and version "4.0.0"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.0.1 Search vendor "Xen" for product "Xen" and version "4.0.1"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.0.2 Search vendor "Xen" for product "Xen" and version "4.0.2"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.0.3 Search vendor "Xen" for product "Xen" and version "4.0.3"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.0.4 Search vendor "Xen" for product "Xen" and version "4.0.4"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.1.0 Search vendor "Xen" for product "Xen" and version "4.1.0"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				4.1.1 Search vendor "Xen" for product "Xen" and version "4.1.1"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 7 Search vendor "Microsoft" for product "Windows 7"				*		x64		Affected
Microsoft Search vendor "Microsoft"		Windows 7 Search vendor "Microsoft" for product "Windows 7"				*		sp1, x64		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2003 Search vendor "Microsoft" for product "Windows Server 2003"				*		sp2		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2008 Search vendor "Microsoft" for product "Windows Server 2008"				r2 Search vendor "Microsoft" for product "Windows Server 2008" and version "r2"		x64		Affected
Microsoft Search vendor "Microsoft"		Windows Xp Search vendor "Microsoft" for product "Windows Xp"				*		sp3		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				<= 6.0.2 Search vendor "Citrix" for product "Xenserver" and version " <= 6.0.2"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				6.0 Search vendor "Citrix" for product "Xenserver" and version "6.0"		-		Affected
Netbsd Search vendor "Netbsd"		Netbsd Search vendor "Netbsd" for product "Netbsd"				<= 6.0 Search vendor "Netbsd" for product "Netbsd" and version " <= 6.0"		beta		Affected
Sun Search vendor "Sun"		Sunos Search vendor "Sun" for product "Sunos"				<= 5.11 Search vendor "Sun" for product "Sunos" and version " <= 5.11"		-		Affected