A vulnerability exists in the vax version of NetBSD, up to and including 1.4.1, and in -current branches prior to 1991212. The ptrace() system call is used to trace and debug processes, and the debugging process can alter the register values of the traced process, including the PSL (processor status longword). On the VAX architecture the PSL also holds information about privilege levels (the current and previous access modes) and about which stack is in use. Those fields are changed only via the REI (return from interrupt) or LDPCTX (load process context) instructions and cannot be modified from user mode. When the PSL is altered through ptrace(), however, the write is performed by the kernel while it runs in kernel mode, so the hardware restriction does not apply, and the debugging process can effectively alter the PSL to increase the privilege of the traced process.
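The mitigation the advisory implies is that a ptrace() register-write path must never copy a debugger-supplied PSL verbatim into the traced process's saved context: the access-mode, interrupt-stack and IPL fields have to be forced to user-mode values or the write rejected. The following is an added illustration, not NetBSD's code; the PSL bit positions follow the VAX architecture, but the constant names, PSL_USERCHANGE set and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* VAX PSL field layout (illustrative constants, not taken from NetBSD headers). */
#define PSL_CC       0x0000000fu  /* condition codes N, Z, V, C */
#define PSL_T        0x00000010u  /* trace trap enable */
#define PSL_IV       0x00000020u  /* integer overflow trap enable */
#define PSL_FU       0x00000040u  /* floating underflow trap enable */
#define PSL_DV       0x00000080u  /* decimal overflow trap enable */
#define PSL_IPL      0x001f0000u  /* interrupt priority level, bits 16-20 */
#define PSL_PREVMOD  0x00c00000u  /* previous access mode, bits 22-23 */
#define PSL_CURMOD   0x03000000u  /* current access mode, bits 24-25 */
#define PSL_IS       0x04000000u  /* running on the interrupt stack */
#define PSL_MODE_USER 3u          /* access mode encoding: 0 kernel ... 3 user */

/* Bits a debugger may legitimately change (assumed set for this example). */
#define PSL_USERCHANGE (PSL_CC | PSL_T | PSL_IV | PSL_FU | PSL_DV)
/* Every user-mode process runs with both mode fields = user, IS clear, IPL 0. */
#define PSL_USER_REQUIRED ((PSL_MODE_USER << 24) | (PSL_MODE_USER << 22))

/* Vulnerable pattern: the saved PSL becomes whatever the debugger supplied. */
uint32_t psl_setregs_unchecked(uint32_t supplied) {
    return supplied;
}

/* Hardened pattern: keep only unprivileged bits, pin the privileged fields. */
uint32_t psl_setregs_sanitized(uint32_t supplied) {
    return (supplied & PSL_USERCHANGE) | PSL_USER_REQUIRED;
}

/* Check a PSL before it is restored into a user process: reject rather than repair. */
bool psl_is_valid_user(uint32_t psl) {
    if (((psl & PSL_CURMOD) >> 24) != PSL_MODE_USER) return false;
    if (((psl & PSL_PREVMOD) >> 22) != PSL_MODE_USER) return false;
    if (psl & PSL_IS) return false;   /* user code never runs on the interrupt stack */
    if (psl & PSL_IPL) return false;  /* user code always runs at IPL 0 */
    return true;
}

int main(void) {
    /* Constructed input: mode fields cleared (kernel), only condition codes set. */
    uint32_t supplied = PSL_CC;
    printf("unchecked  %08x valid=%d\n", psl_setregs_unchecked(supplied),
           psl_is_valid_user(psl_setregs_unchecked(supplied)));
    printf("sanitized  %08x valid=%d\n", psl_setregs_sanitized(supplied),
           psl_is_valid_user(psl_setregs_sanitized(supplied)));
    return 0;
}
```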