NovumOS Privilege Escalation Vulnerability via Arbitrary Memory Mapping in Syscall 15
Vulnerability
A privilege escalation vulnerability has been identified in NovumOS, a custom 32-bit operating system, in versions prior to 0.24. The issue is in Syscall 15 (MemoryMapRange), which lets Ring 3 (user-mode) processes map arbitrary virtual address ranges into their own address space. Because the requested range is not checked against kernel-reserved regions, the mapping can cover critical kernel structures such as the Interrupt Descriptor Table (IDT), Global Descriptor Table (GDT), Task State Segment (TSS), and the page tables themselves. A local attacker can use this to overwrite kernel interrupt handlers and run arbitrary code in kernel mode.
Impact
Exploitation of this vulnerability allows for unauthorized modification of kernel interrupt handlers, enabling privilege escalation from user mode to kernel context.
Reproduction
To reproduce, a user-mode process invokes Syscall 15 (MemoryMapRange) with a range that covers a critical kernel structure, such as the IDT. Once the structure is mapped into the process's address space, the attacker can read and write IDT entries directly, replacing an interrupt handler with attacker-controlled code that then runs in Ring 0 the next time that interrupt is raised.
Remediation
Users can upgrade to NovumOS version 0.24, which addresses this vulnerability by adding forbidden memory range blocking to Syscall 15, preventing the mapping of critical kernel structures into user space.
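The following is an added example, not NovumOS code, that models the syscall handler described in the Vulnerability and Remediation sections: the pre-0.24 handler accepts any range, and the hardened handler rejects ranges that wrap the 32-bit address space, are not page-aligned, or overlap a reserved region. The names `sys_memory_map_range_vulnerable`, `sys_memory_map_range_fixed`, the status codes, and every address and size in `kernel_reserved` are assumptions for illustration; the page gives no actual NovumOS layout or calling convention.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the modelled syscall (hypothetical, not NovumOS's real values). */
#define MAP_OK           0
#define MAP_EINVAL      -1   /* zero length, unaligned, or wraps the address space */
#define MAP_EFORBIDDEN  -2   /* range overlaps a kernel-reserved structure */

#define PAGE_SIZE 0x1000u

/* Kernel-reserved regions on a 32-bit system. Addresses and sizes are
 * ASSUMED for illustration; NovumOS's real layout is not given on this page. */
struct reserved_region {
    const char *name;
    uint32_t base;
    uint32_t size;
};

static const struct reserved_region kernel_reserved[] = {
    { "IDT",         0xC0001000u, 0x800u    },  /* 256 gates * 8 bytes */
    { "GDT",         0xC0002000u, 0x100u    },
    { "TSS",         0xC0003000u, 0x68u     },
    { "page tables", 0xC0100000u, 0x400000u },
};

/* Overflow-safe test for [start, start+len) intersecting [base, base+size).
 * 64-bit arithmetic so that base + size cannot wrap to a small value. */
static bool ranges_overlap(uint32_t start, uint32_t len, uint32_t base, uint32_t size)
{
    uint64_t req_end = (uint64_t)start + len;
    uint64_t res_end = (uint64_t)base + size;
    return start < res_end && base < req_end;
}

/* Pre-0.24 behaviour as the advisory describes it: any range is accepted,
 * so a Ring 3 caller can map the IDT and rewrite interrupt gates. */
int sys_memory_map_range_vulnerable(uint32_t start, uint32_t len)
{
    if (len == 0)
        return MAP_EINVAL;
    /* page-table update would happen here; there is no reserved-range check */
    return MAP_OK;
}

/* Hardened form: validates the request and rejects anything that touches a
 * reserved structure. This is the shape of the "forbidden memory range
 * blocking" the advisory attributes to 0.24, not the project's own code. */
int sys_memory_map_range_fixed(uint32_t start, uint32_t len)
{
    if (len == 0 || (start % PAGE_SIZE) != 0 || (len % PAGE_SIZE) != 0)
        return MAP_EINVAL;
    /* A range that wraps past 4 GiB would defeat a naive "end < base" test. */
    if ((uint64_t)start + len > 0x100000000ull)
        return MAP_EINVAL;
    for (size_t i = 0; i < sizeof kernel_reserved / sizeof kernel_reserved[0]; i++) {
        const struct reserved_region *r = &kernel_reserved[i];
        if (ranges_overlap(start, len, r->base, r->size))
            return MAP_EFORBIDDEN;
    }
    return MAP_OK;
}

int main(void)
{
    /* Constructed request: one page covering the (assumed) IDT address. */
    uint32_t idt_page = 0xC0001000u;
    printf("vulnerable handler, IDT page: %d\n",
           sys_memory_map_range_vulnerable(idt_page, PAGE_SIZE));
    printf("fixed handler, IDT page:      %d\n",
           sys_memory_map_range_fixed(idt_page, PAGE_SIZE));
    printf("fixed handler, user page:     %d\n",
           sys_memory_map_range_fixed(0x10000000u, PAGE_SIZE));
    return 0;
}
```

The overlap test deliberately works in 64-bit arithmetic and rejects wrapping requests before the loop: a check that only compares `start` against each region's base, or that computes `start + len` in 32 bits, can be bypassed with a length that wraps the sum back below the reserved region.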
