Exploit vulnerability FreeBSD-SA-18:13.nfs: out-of-bounds access
This mission depends on the pure-capability CheriBSD FETT kernel included in FETT CHERI-RISC-V Release 2 (kernel spatial memory safety).
The objective of this mission is to demonstrate arbitrary code execution in a pure-capability kernel. This must be achieved via a reintroduced past FreeBSD security vulnerability, FreeBSD-SA-18:13.nfs. We have reintroduced this via change 015fdfd5a71c299c6288e1d789735ef6d3b46329 in the pure-capability kernel branch of the CheriBSD repository. In this vulnerability, an out-of-bounds access is performed during received NFS packet processing, which is exploitable on a vanilla non-CHERI system to gain kernel privilege. More information on the NFSv4 packet format may be found in RFC7530.
Successful completion of this mission requires demonstrating that the kernel function flag_captured(9)
has executed with the integer argument 0xfe77c0de
using the use of an NFS packet exploiting this vulnerability.
Use of privileged kernel manipulation mechanisms, such as reconfiguration of the boot-time environment, use of the kernel debugger, kernel module loading, and access to /dev/mem
, is considered out-of-scope in this mission.
If flag_captured(9)
is called, the sysctl security.flags_captured
counter will be incremented.
This corresponds to a partially successful exploit.
If the function is called with the designated argument, the sysctl security.flags_captured_key
counter will be incremented.
This corresponds to a fully successful exploit.