FreeBSD -- Privilege escalation in cd(4) driver
To implement one particular ioctl, the Linux emulation
code used a special interface present in the cd(4) driver
which allows it to copy subchannel information directly to
a kernel address. This interface was erroneously made
accessible to userland, allowing users with read access to
a cd(4) device to arbitrarily overwrite kernel memory when
some media is present in the device.
A user in the operator group can make use of this interface
to gain root privileges on a system with a cd(4) device
when some media is present in the device.
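
The flaw described above, modelled in userspace C as an added example; this is not FreeBSD's driver code or its patch. Every name and command number here is hypothetical, and the two byte arrays stand in for kernel and process memory. Setting `hardened` shows one way to close the hole: refuse the kernel-address variant unless the request originated inside the kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model. All names and numbers are hypothetical, not cd(4)'s. */
enum { CMD_SUBCH = 1, CMD_SUBCH_KADDR = 2, MEM = 64 };
enum origin { FROM_USER, FROM_KERNEL };        /* who issued the ioctl */

static unsigned char kmem[MEM];                /* simulated kernel memory */
static unsigned char umem[MEM];                /* simulated memory of the calling process */
static const unsigned char subch[4] = { 0xAA, 0xBB, 0xCC, 0xDD }; /* constructed data */
struct subch_req { size_t addr, len; };        /* destination supplied by the caller */

/* Bounds-checked copy of the subchannel data into one simulated address space. */
static int copy_to(unsigned char *space, size_t addr, size_t len)
{
    if (len > sizeof subch)
        len = sizeof subch;
    if (addr > MEM || len > MEM - addr)
        return EFAULT;
    memcpy(space + addr, subch, len);
    return 0;
}

/* hardened == 0 reproduces the flaw: the kernel-address command is served
 * regardless of who asked. hardened == 1 rejects it for userland callers. */
static int cd_ioctl_model(int cmd, const struct subch_req *r, enum origin who, int hardened)
{
    switch (cmd) {
    case CMD_SUBCH:                            /* copyout-style: user space only */
        return copy_to(umem, r->addr, r->len);
    case CMD_SUBCH_KADDR:                      /* direct write at a kernel address */
        if (hardened && who != FROM_KERNEL)
            return ENOTTY;
        return copy_to(kmem, r->addr, r->len);
    default:
        return ENOTTY;
    }
}

int main(void)
{
    struct subch_req r = { 8, 4 };
    int rc = cd_ioctl_model(CMD_SUBCH_KADDR, &r, FROM_USER, 0);
    printf("exposed:  rc=%d kmem[8]=%02x\n", rc, kmem[8]);
    memset(kmem, 0, sizeof kmem);
    rc = cd_ioctl_model(CMD_SUBCH_KADDR, &r, FROM_USER, 1);
    printf("hardened: rc=%d kmem[8]=%02x\n", rc, kmem[8]);
    return 0;
}
```
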
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright