|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------------- Pine Digital Security Advisory - ------------------------------------------------------------------------------- Advisory ID : PINE-CERT-20030902 Authors : Joost Pol Vendor Informed : 2003-23-09 Issue date : 2003-01-10 Application : kernel / uio Version(s) : All Versions Platforms : FreeBSD Availability : http://www.pine.nl/press/pine-cert-20030902.txt - ------------------------------------------------------------------------------- Synopsis While performing an audit for a customer, Pine Digital Security encountered an integer overflow/underflow condition which could lead to the disclosure of kernel memory. Versions All known FreeBSD versions are vulnerable. Impact Serious. Local users on a machine with procfs enabled could exploit this vulnerability to cause a system panic (denial of service) or potentially elevate their privileges. Description The process file system, or procfs, implements a view of the system process table inside the file system. It is normally mounted on /proc, and is required for the complete operation of programs such as ps(1) and w(1). On several places in the procfs implementation the "uio" offset parameter is used without proper validation, the following code fragment illustrates this: /usr/src/sys/miscfs/procfs/procfs_regs.c (edited, line 59-84): struct reg r; char *kv; int kl; .. kl = sizeof(r); kv = (char *) &r; ... kv += uio->uio_offset; kl -= uio->uio_offset; if (kl > uio->uio_resid) kl = uio->uio_resid; ... if (kl < 0) error = EINVAL; ... if (error == 0) error = uiomove(kv, kl, uio); As the above code fragment illustrates and since the uio->uio_offset parameter is under (indirect) control of the user it is possible to disclose large amounts of kernel memory by specifying an extremely large or negative value. Exploitability Local users can cause an effective denial of service by attempting to read from non resident kernel memory and thus generating a system panic. Local users could also potentially elevate their privileges by reading from terminal input buffers and thus stealing other users passwords. Appendum The FreeBSD security officer team spotted a similiar vulnerability in the pseudofs implementation. Pine Digital Security recommends upgrading even if you do not use procfs. Disclaimer Pine Digital Security does not release exploits. Patches The FreeBSD Project has updated their CVS repositories. References FreeBSD-SA-03:17.procfs.asc http://www.pine.nl/press/pine-cert-20030902.txt file://usr/include/sys/file.h file://usr/src/sys/miscfs/procfs/procfs_dbregs.c file://usr/src/sys/miscfs/procfs/procfs_fpregs.c file://usr/src/sys/miscfs/procfs/procfs_regs.c file://usr/src/sys/miscfs/procfs/procfs_rlimit.c file://usr/src/sys/miscfs/procfs/procfs_status.c file://usr/src/sys/kern/vfs_syscalls.c - -- Service Provider :: Pine Digital Security :| www.pine.nl || +31 (0)70 311 10 10 :: PGP id 0xF360BB93 fpr ABED 303C 0120 E057 633A 1CB1 D236 C82A F360 BB93 :: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iEYEARECAAYFAj98VaEACgkQ0jbIKvNgu5NkQgCfUlXJfIedVg776CvE/xmqjzsz 6B0AnRxpZkZghoSF+Gpgeme86sTaN/W0 =95pa -----END PGP SIGNATURE-----