FreeBSD mbufs sendfile Cache Poisoning Privilege Escalation Exploit

The read-only flag is not correctly copied when an mbuf buffer reference is duplicated. When the sendfile system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption. A local attacker can exploit this data corruption to escalate their privileges by carefully controlling the corruption of system files. Note that the attacker can corrupt any file they have read access to.
Exploit type: 
Vulnerability ID: 
Released Date: Thursday, January 27, 2011 - 18:00