TUCoPS :: BSD :: bt1256.txt

TUCoPS :: BSD :: bt1256.txt
FreeBSD Integer Overflow in FreeBSD Kernel


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------------
Pine Digital Security Advisory
- -------------------------------------------------------------------------------
Advisory ID       : PINE-CERT-20030902
Authors           : Joost Pol
Vendor Informed   : 2003-23-09
Issue date        : 2003-01-10
Application       : kernel / uio
Version(s)        : All Versions
Platforms         : FreeBSD
Availability      : http://www.pine.nl/press/pine-cert-20030902.txt
- -------------------------------------------------------------------------------

Synopsis

        While performing an audit for a customer, Pine Digital Security
        encountered an integer overflow/underflow condition which
        could lead to the disclosure of kernel memory.

Versions

        All known FreeBSD versions are vulnerable.

Impact

        Serious.

        Local users on a machine with procfs enabled could exploit this
        vulnerability to cause a system panic (denial of service) or
        potentially elevate their privileges.

Description

        The process file system, or procfs, implements a view of the system
        process table inside the file system.  It is normally mounted on
        /proc, and is required for the complete operation of programs
        such as ps(1) and w(1).

        On several places in the procfs implementation the "uio" offset
        parameter is used without proper validation, the following
        code fragment illustrates this:

        /usr/src/sys/miscfs/procfs/procfs_regs.c (edited, line 59-84):

                struct reg r; char *kv; int kl;
                ..

                kl = sizeof(r);
                kv = (char *) &r;
                ...

                kv += uio->uio_offset;
                kl -= uio->uio_offset;

                if (kl > uio->uio_resid) kl = uio->uio_resid;

                ...

                if (kl < 0) error = EINVAL;

                ...

                if (error == 0) error = uiomove(kv, kl, uio);

        As the above code fragment illustrates and since the uio->uio_offset
        parameter is under (indirect) control of the user it is possible
        to disclose large amounts of kernel memory by specifying an
        extremely large or negative value.

Exploitability

        Local users can cause an effective denial of service by attempting
        to read from non resident kernel memory and thus generating
        a system panic.

        Local users could also potentially elevate their privileges by
        reading from terminal input buffers and thus stealing other
        users passwords.

Appendum

        The FreeBSD security officer team spotted a similiar vulnerability
        in the pseudofs implementation. Pine Digital Security recommends
        upgrading even if you do not use procfs.

Disclaimer

        Pine Digital Security does not release exploits.

Patches

        The FreeBSD Project has updated their CVS repositories.

References

        FreeBSD-SA-03:17.procfs.asc

        http://www.pine.nl/press/pine-cert-20030902.txt

        file://usr/include/sys/file.h
        file://usr/src/sys/miscfs/procfs/procfs_dbregs.c
        file://usr/src/sys/miscfs/procfs/procfs_fpregs.c
        file://usr/src/sys/miscfs/procfs/procfs_regs.c
        file://usr/src/sys/miscfs/procfs/procfs_rlimit.c
        file://usr/src/sys/miscfs/procfs/procfs_status.c
        file://usr/src/sys/kern/vfs_syscalls.c

- -- 
Service Provider :: Pine Digital Security :| www.pine.nl || +31 (0)70 311 10 10
 :: PGP id 0xF360BB93 fpr ABED 303C 0120 E057 633A 1CB1 D236 C82A F360 BB93 ::  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iEYEARECAAYFAj98VaEACgkQ0jbIKvNgu5NkQgCfUlXJfIedVg776CvE/xmqjzsz
6B0AnRxpZkZghoSF+Gpgeme86sTaN/W0
=95pa
-----END PGP SIGNATURE-----