There are a set of kernel interfaces called "call gates" which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "calls gates" may be able to be manipulated on some operating systems which use improper privilege checking when accessing local descriptor tables (LDTs)
Of specific concern is the syscall "i386_set_ldt" , which accesses a call gate without first validating whether a ring transition to a more privileged segment in the LDT is appropriate.
Of special note is an observation shared in the NetBSD security advisory on this issue:
A user with access to a local account may gain privileges reserved for the kernel.
Apply kernel patches provided by your vendor.
The fix to NetBSD [for example]:
This was initially reported by Bill Sommerfeld.
This document was written by Jeff S Havrilla
|Date First Published:||2001-02-16|
|Date Last Updated:||2001-03-02 22:12 UTC|