FreeBSD libcasper Privilege Escalation Vulnerability via File Descriptor Overflow

Vulnerability

A vulnerability has been identified in libcasper, a FreeBSD library that allows Capsicum-sandboxed applications to access restricted system interfaces. libcasper does not properly validate socket descriptors before using the select system call to monitor data availability. This oversight can lead to stack corruption when descriptor numbers are large, which can happen if a process leaves many descriptors open and then executes a program that fails to close them. The vulnerability is especially concerning if the affected application has setuid root privileges, as it could be exploited to escalate local privileges.

Impact

Exploitation of this vulnerability can cause stack corruption, with the potential to escalate local privileges, especially if the target application is running with setuid root rights.

Remediation

Users can upgrade to a supported FreeBSD version that has addressed this vulnerability. Instructions for updating via the pkg utility, freebsd-update utility, or by applying a source code patch are available in the FreeBSD Security Advisory.

Added: May 21, 2026, 10:25 AM
Updated: May 21, 2026, 10:25 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 2.3
remediation: 7.7
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.