Vulnerability
top
Affected
OpenBSD, FreeBSD
Description
Following is based on a FreeBSD-SA-00:62 Security Advisory and it
was originally found by vort via OpenBSD. top is a utility for
displaying current system resource statistics such as process CPU
and memory use. It is externally-maintained, contributed software
which is included in *BSD by default.
A "format string vulnerability" was discovered in the top(1)
utility which allows unprivileged local users to cause the top
process to execute arbitrary code. The top utility runs with
increased privileges as a member of the kmem group, which allows
it to read from kernel memory (but not write to it). A process
with the ability to read from kernel memory can monitor privileged
data such as network traffic, disk buffers and terminal activity,
and may be able to leverage this to obtain further privileges on
the local system or on other systems, including root privileges.
All released versions of FreeBSD prior to the correction date
including 4.0, 4.1, 4.1.1 and 3.5.1 are vulnerable to this
problem, but it was fixed in the 4.1.1-STABLE branch prior to the
release of FreeBSD 4.2-RELEASE. This has been fixed in OpenBSD
2.7 is some patch.
Local users can read privileged data from kernel memory which may
provide information allowing them to further increase their local
or remote system access privileges.
Solution
Remove the setgid bit on the top utilities. This has the
side-effect that users who are not a member of the kmem group or
who are not the superuser cannot use the top utility.
For FreeBSD:
1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or
3.5.1-STABLE after the respective correction dates
2000/10/04 (FreeBSD 4.1.1-STABLE) and 2000/10/04 (FreeBSD
3.5.1-STABLE)
2) Apply the patch below and recompile the relevant files:
# cd /usr/src/contrib/top
# patch -p < /path/to/patch_or_advisory
# cd /usr/src/usr.bin/top
# make depend && make all install
Index: display.c
===================================================================
RCS file: /mnt/ncvs/src/contrib/top/display.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- display.c 1999/01/09 20:20:33 1.4
+++ display.c 2000/10/04 23:34:16 1.5
@@ -829,7 +831,7 @@
register int i;
/* first, format the message */
- (void) sprintf(next_msg, msgfmt, a1, a2, a3);
+ (void) snprintf(next_msg, sizeof(next_msg), msgfmt, a1, a2, a3);
if (msglen > 0)
{
Index: top.c
===================================================================
RCS file: /mnt/ncvs/src/contrib/top/top.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- top.c 1999/01/09 20:20:34 1.4
+++ top.c 2000/10/04 23:34:16 1.5
@@ -807,7 +809,7 @@
{
if ((errmsg = kill_procs(tempbuf2)) != NULL)
{
- new_message(MT_standout, errmsg);
+ new_message(MT_standout, "%s", errmsg);
putchar('\r');
no_command = Yes;
}
Index: top.c
===================================================================
RCS file: /mnt/ncvs/src/contrib/top/top.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- top.c 2000/10/04 23:34:16 1.5
+++ top.c 2000/11/03 22:00:10 1.6
@@ -826,7 +826,7 @@
{
if ((errmsg = renice_procs(tempbuf2)) != NULL)
{
- new_message(MT_standout, errmsg);
+ new_message(MT_standout, "%s", errmsg);
putchar('\r');
no_command = Yes;
}
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
