NovumOS Privilege Escalation Vulnerability via Unvalidated Syscall 12

A privilege escalation vulnerability has been identified in NovumOS, a custom 32-bit operating system developed in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) allows Ring 3 user-mode processes to jump to arbitrary kernel addresses and execute code in Ring 0 context. This vulnerability arises because the syscall accepts entry point addresses from user-space registers without proper validation, enabling local privilege escalation. The issue has been fixed in NovumOS version 0.24.

Impact

Exploitation of this vulnerability allows for arbitrary code execution in Ring 0, the kernel context, effectively escalating privileges from user mode to kernel mode. This could lead to unauthorized access to system resources and critical kernel functions.

Reproduction

To reproduce this vulnerability, a user-mode process in Ring 3 can invoke Syscall 12 by using the 'int $0x80' assembly instruction. The process must provide a kernel address, such as the Interrupt Descriptor Table (IDT) address, through the EBX register. This unvalidated entry point will then be executed in Ring 0, allowing the process to execute arbitrary code with kernel privileges.

Remediation

Users are advised to update to NovumOS version 0.24, which addresses this vulnerability by implementing validation for Syscall 12 to ensure that entry points are within the appropriate user-space range. If an immediate update is not possible, users can restrict syscall access by running the system in single-user mode without Ring 3, and by disabling user-mode processes, allowing only the kernel shell to run.