FatGid: FreeBSD 14.x kernel local privilege escalation

FatGid: FreeBSD 14.x kernel local privilege escalation(fatgid.io)

100 分 | 作者 WhyNotHugo 1天前

6 条评论

CodeCompost 20小时前
I'm curious to see how many issues an LLM can find for OpenBSD. Not knocking OpenBSD at all, genuinely curious to see if all the careful development can stand up to LLMs.
[-]
- keyle 18小时前
  Someone posted vague screenshots overnight of a bug in exit I think. Waiting on the write up.
  Edit: ref: https://xcancel.com/ortegaalfredo/status/2057109561702580311
turkeyboi 1天前
Why does this need to be a whole ass website
[-]
- cryo32 1天前
  You're not going to get anywhere in the security sector unless you gain notoriety i.e. are noticed.
  This appears to come from dressing up like Elton John in a feather suit and hiring a marketing team.
  [-]
  - tptacek 1天前
    It's a wall of text about a kernel stack overflow. I'm not sure where the "Elton John" part is. Is it... that they used an accent color?
    [-]
    - 866-RON-0-FEZ 23小时前
      Maybe the researcher was wearing windshield-wiper spectacles when he discovered the vulnerability.
      I don't understand why you're being so defensive about this.
      [-]
      - tptacek 23小时前
        Because it's a tiresome, tropey, and ultimately invalid complaint. Look downthread at the person who said the FreeBSD commit log was better than this page, despite being inscrutable to security practitioners who don't work in the kernel and not saying a word about proven exploit vectors.
        These complaints aren't about what's better or worse for the user community; they're about people trying to put vulnerability researchers in their place.
        [-]
        866-RON-0-FEZ 22小时前
        While I believe whimsical names will always be silly, I do concede that commit log is effectively useless to 99% of eyeballs.
        [-]
        tptacek 22小时前
        It's not even a complete description of the vulnerability. It's what the kernel maintainers need to know to understand and fix the bug in the code. The claim that it's superior to the branded vulnerability page gives away the whole game.
        cryo32 17小时前
        As a member of the user community, I only care when it appears on the security list and then that it's patched. And I want to see that on the changelog. And that's about it.
        I don't want or need fanfare, marketing or any of that stuff.
        It's a bug for fucks sake. There will be people having web pages for Gnome user interface bugs next.
    - GoblinSlayer 22小时前
      Buffer overflow.
- tptacek 1天前
  Why not? This weird complaint has been happening since ~2010 and it has never made any sense. You are strictly better off with the website than without it. When it was vulnerability researchers getting all peevish about the status competition they were running, I at least understood where the complaint was coming from, but even among practitioners, branded vulnerabilities are so much the norm at this point that there's no status implication anymore.
  [-]
  - themafia 23小时前
    > You are strictly better off with the website than without it.
    Why? This is a better resource in every way: https://cgit.freebsd.org/src/commit/?id=000d5b52c19ff3858a6f...
    It details the actual problem instead of showing off tired stack exploit tricks.
    [-]
    - tptacek 23小时前
      No, that commit log is obviously not better than the page explaining the vulnerability and the exploit vectors.
      Case in point: what's "tired" about the stack exploitation techniques they're using here?
      And, while you're not right, even stipulating that you were, what would that matter? How is anyone better off with less explanation of a vulnerability?
      [-]
      - themafia 21小时前
        The website explains an exploit. I've seen exploits before. The commit explains the unique issue.
        I'm more interested in the why than the how.
        I suppose people with different overall goals will see that differently.
        [-]
        tptacek 21小时前
        You didn't answer my question. What's "tired" about the exploit technique here?
    - tom_ 22小时前
      Is that even the fix though? The problem sizeof*groups expression has already been removed by that point. This fixes something but it's not obviously related to the vulnerability description.
      git log -S suggests 4cd93df95e697942adf0ff038fc8f357cbb07cf9, which looks more likely: https://cgit.freebsd.org/src/commit/?id=4cd93df95e697942adf0... - though not to say you don't want the later commit too. I'm sure you do.
- 866-RON-0-FEZ 23小时前
  It gives legitimacy to whatever whimsical name was given to a vulnerability by registering the domain.
  CVE numbers are for boring professionals.
  [-]
  - elkrapo 23小时前
    The cool kiddies wait and time their disclosures on the cool numbers.
- dragontamer 1天前
  What?
  Is there something in this website that feels unnecessary? It seems like a good format of sharing high quality information.
  This looks like a full bug into a complete root escalation of a kernel. That's hard to do and deserving of praise. The fact that we have a writeup organized like this is awesome.
  -------
  This is sort of the expert level stuff that I thought HackerNews would most enjoy.
- rs_rs_rs_rs_rs 23小时前
  Have you not done anything remotely interesting for you that you want to build a website so the whole world can see it?
- throwaway613746 22小时前
  [dead]
socphoenix 1天前
Not sure why this is saying it isn’t patched, they released the notice including fix for 14.4 yesterday?
[-]
- irishcoffee 1天前
  Maybe they're not up to snuff on yesterday? They published this yesterday.
  > The bug was silently fixed in the main branch on 2025-11-27 (commit 000d5b52c19ff3858a6f0cbb405d47713c4267a4) as a side effect of a broader function refactoring. The fix has not been backported to stable/14 or releng/14.4. FreeBSD 14.4-RELEASE remains vulnerable.
  > FreeBSD 15.0 still carries the sizeof(*groups) typo and is therefore vulnerable, but the surrounding code differs enough from 14.4 that the chain primitives developed here do not lift the overflow into a working LPE on that branch. On 15.0 the bug remains a kernel panic triggered by any unprivileged user.
djha-skin 1天前
TrueNAS is on FreeBSD, as well as lots of network equipment. This does affect us more than we think as operators.
[-]
- yjftsjthsd-h 1天前
  I would think that pure-storage NAS or network equipment was effectively completely immune to local privilege escalation. I'll give you the NAS where it might be running untrusted containers or such, but that's it.
  [-]
- ksec 4小时前
  > This does affect us more than we think as operators.
  I hope this is true but as other comments have suggested, Juniper and TrueNAS are moving or no longer on FreeBSD.
  I am now wondering if Netflix may one day give up FreeBSD for their cache server as well.
- 1over137 1天前
  Alas, TrueNAS actually switched to Linux a couple of years ago.
  [-]
  - sbankowi 1天前
    FreeBSD was the reason I chose TrueNAS Core. Unfortunately, you are right, TrueNAS Scale (Linux) is where they are focusing all their attention. At this point I will not purchase additional TrueNAS equipment as I feel I was "rug pulled." I get that they are going after more of the Docker container/app market, but I just want a solid ZFS w/excellent networking NAS device. Linux is close to this ideal, but it isn't as "Set and Forget" as FreeBSD (IMO).
    [-]
    - NexRebular 20小时前
      > solid ZFS w/excellent networking NAS device.
      illumos distros might be a good alternative. I have OmniOS[0] as a filer and SmartOS[1] running hypervisor duties on zones and bhyve.
      [0] https://omnios.org [1] https://docs.smartos.org
    - BadBadJellyBean 23小时前
      You usually don't really interact with the OS underneath at all so I don't think it makes much of a difference unless you are very fond of Jails.
      I mean that is the whole point of a NAS OS. It gives you a GUI and you don't have to worry about the rest.
- 866-RON-0-FEZ 23小时前
  Juniper JunOS is based on FreeBSD IIRC.
  [-]
  - sophacles 20小时前
    They've been moving their NOSes to a linux based platform.
    [-]
    - NexRebular 20小时前
      It really is a tragedy how everything is being monoculturized to linux.
- ActionHank 1天前
  Possibly Playstation as well.
  [-]
  - loeg 21小时前
    PlayStation 4 was a fork of FreeBSD 9, and is immune to this bug introduced in 14. Sony also changes a LOT, I'm not sure anything dealing with unix credentials even exists in this fork. It's not clear how much FreeBSD is even used in PlayStation 5 (2020), but it would be based off 12 or earlier (also immune to this bug from 14) (13 was released in 2021).
    [-]
    - HDBaseT 14小时前
      What about PlayStation 3?
      Whilst all are "soft-moddable" via HEN, a large number of the Slim and Superslims are not compatible with full custom firmware. Recently a hardware based exploit 'badWDSD' released which allow CFW, although even still a small number of Superslims are not compatible.
      [-]
      - loeg 14小时前
        I thought it went without saying that PS3 (2006) firmware isn't based on FreeBSD 14 (2023).
  - sbankowi 1天前
    Also Netgate's devices running PFSense.
    [-]
    - anygivnthursday 23小时前
      And OPNSense boxes
- doublerabbit 22小时前
  TrueNAS was, but they now use Linux as the main distribution.
badgersnake 20小时前
LPEs are really not impressive enough to warrant names and websites.