The ioctl handler in the atkbd keyboard driver in FreeBSD is prone to a signedness error, which can lead to a buffer overflow in the kernel when processing a SETFKEY ioctl message with specially crafted values. This vulnerability can be exploited by a local unprivileged attacker to gain root privileges.

In order to reach the vulnerable code in the keyboard driver, the exploit needs a virtual terminal (/dev/ttyv*) allocated for the user under which the initial agent is running. Virtual terminals are allocated when a user logs into the physical machine, as opposed to the pseudo-terminals (/dev/pts/*), which are allocated when accessing a system via an SSH shell, for example. This module can be configured to keep waiting for an accessible virtual terminal by setting the Advanced/TIME LIMIT parameter to the desired maximum number of minutes to wait.
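The following added example (not FreeBSD source and not part of the original description) models one common form of signedness error in a length check, next to a hardened check that rejects the value before any copy. The struct layouts, the MAXFK value and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXFK 16                 /* assumed capacity of one key-string slot */

/* Hypothetical user-supplied request: the length field is signed. */
struct fkey_req {
    unsigned short keynum;
    char           keydef[MAXFK];
    signed char    flen;
};

struct fkey_slot {
    unsigned char str[MAXFK];
    size_t        len;
};

/* A signed minimum bounds the value from above only. */
static int signed_min(int a, int b) { return a < b ? a : b; }

/* Byte count a flawed handler would pass on to its copy routine. */
size_t flawed_copy_len(const struct fkey_req *req)
{
    int n = signed_min(req->flen, MAXFK);   /* a negative flen stays negative */
    return (size_t)n;                       /* and converts to a huge size_t */
}

/* Hardened: validate both bounds while the value is still signed. */
int set_fkey_checked(struct fkey_slot *slot, const struct fkey_req *req)
{
    if (req->flen < 0 || req->flen > MAXFK)
        return -1;                          /* a driver would return EINVAL */
    slot->len = (size_t)req->flen;
    memcpy(slot->str, req->keydef, slot->len);
    return 0;
}

int main(void)
{
    struct fkey_req bad = { 0, "AAAA", -1 };    /* constructed input */
    struct fkey_slot slot = { {0}, 0 };
    printf("flawed length: %zu\n", flawed_copy_len(&bad));
    printf("checked handler: %d\n", set_fkey_checked(&slot, &bad));
    return 0;
}
```

The upper-bound-only check passes for a negative length, and the later conversion to an unsigned size is what turns it into an oversized copy; the fix is to test the lower bound before that conversion.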