<date>
04/2001

<title>
kernel ldt sysarch()

<os>
NetBSD 1.4-1.5, OpenBSD 2.6-2.8, x86

<info>
the code installs a trap call gate descriptor with DPL=3, targeting the kernel
code segment selector KCSSEL (DPL=0), in the task's local descriptor table (LDT)
through the sysarch(I386_SET_LDT, struct i386_set_ldt_args*) system call.

as a result, a command shell is spawned with effective root user privileges.

<link>
BSD/bsdx86_ldt.c

<file>
BSD/bsdx86_ldt.c

