Date: Thu, 16 Sep 2004 15:17:39 -0700
From: Julian Elischer <julian@elischer.org>
To: gerarra@tin.it
Cc: freebsd-hackers@freebsd.org
Subject: Re: FreeBSD kernel buffer overflow
Message-ID: <414A1103.2030809@elischer.org>
In-Reply-To: <4146316C00007764@ims3a.cp.tin.it>
References: <4146316C00007764@ims3a.cp.tin.it>
gerarra@tin.it wrote:

> Topic: Buffer Overflow in FreeBSD
> Versions: All the versions of FreeBSD are broken (4.x, 5.x, 6.0)
> Arch: x86
> Date: 16/09/2004
>
>
> A buffer overflow has been found in i386/i386/trap.c syscall() function
> of FreeBSD official source tree.
>
> [...]

As you say below, this is not exploitable except for root. The number of
arguments for a syscall is defined within the kernel and is not supplied
from an untrusted source. This means that this is not a security problem:
to load a kernel module you must be root (and not in a jail), meaning that
if you wanted to, the quicker and easier exploit would be /bin/sh :-)

The arg mask is not there for security, but rather to allow other values
to be stored in the same longword.

> It's exploitable, but the only way I discovered is to link a new syscall
> to the sysent array, and to do this you need to be root; I've no time to
> work on this vulnerability, but I think another way could be found.
> However it could give serious problems (e.g. kernel crashes).
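The trust boundary Julian is describing is easier to see with the dispatch path written out. What follows is an added example, not FreeBSD's trap.c and not code posted by either correspondent: a user-space model of a sysent-style table in which the per-call argument count shares its word with a flag bit, is masked off before use, and is the only thing that sizes the copy into the fixed on-stack argument buffer. The struct layout, the constants (SYF_ARGMASK, SYF_MPSAFE, MAXARGS), the table contents and the oversize third entry (standing in for what a root-loaded module could install) are all constructed for illustration; memcpy stands in for copyin() because this runs entirely in user space.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a sysent-style table, not FreeBSD's code.
 * The low byte of sy_narg is the argument count; the high bits hold
 * flags that share the word (the "arg mask" the reply refers to). */
#define SYF_ARGMASK 0x0ffu
#define SYF_MPSAFE  0x100u   /* hypothetical flag bit sharing the word */
#define MAXARGS     8        /* size of the on-stack argument buffer */

typedef long (*sy_call_t)(const long *args);

struct sysent {
    unsigned  sy_narg;   /* argument count | flags */
    sy_call_t sy_call;
};

static long sys_nosys(const long *a) { (void)a; return -1; }
static long sys_add2(const long *a)  { return a[0] + a[1]; }

/* Kernel-defined table. Only the index into it (the syscall number) is
 * chosen by userland; sy_narg never is. Slot 2 is constructed with an
 * oversize count to model an entry that only code already running in
 * the kernel (a module loaded by root) could have installed. */
static const struct sysent sysent[] = {
    { 0 | SYF_MPSAFE, sys_nosys },
    { 2 | SYF_MPSAFE, sys_add2  },
    { 9 | SYF_MPSAFE, sys_nosys },
};
#define NSYSENT (sizeof(sysent) / sizeof(sysent[0]))

enum { DISPATCH_OK = 0, DISPATCH_BADCODE = -1, DISPATCH_TOOMANY = -2 };

/* Modelled dispatcher. `uparams` stands in for the user stack that a
 * real kernel would read with copyin(). */
int dispatch(unsigned code, const long *uparams, long *result)
{
    long args[MAXARGS];

    if (code >= NSYSENT)                 /* untrusted index: bounded */
        return DISPATCH_BADCODE;

    const struct sysent *callp = &sysent[code];
    unsigned narg = callp->sy_narg & SYF_ARGMASK;   /* strip flag bits */

    /* Without this check a table entry whose count exceeds MAXARGS
     * would write past args[]. The count comes from the table, not from
     * userland, so only whoever can edit the table can reach it. */
    if (narg > MAXARGS)
        return DISPATCH_TOOMANY;

    memcpy(args, uparams, narg * sizeof(args[0]));
    *result = callp->sy_call(args);
    return DISPATCH_OK;
}

/* Three cases packaged for a caller: a normal call, an out-of-range
 * syscall number, and the constructed oversize entry. */
long demo_add2(void)
{
    long p[MAXARGS] = { 2, 3 };          /* constructed user arguments */
    long r = 0;
    return dispatch(1, p, &r) == DISPATCH_OK ? r : -999;
}

int demo_badcode(void)
{
    long p[MAXARGS] = { 0 };
    long r = 0;
    return dispatch(7, p, &r);
}

int demo_oversize(void)
{
    long p[MAXARGS] = { 0 };
    long r = 0;
    return dispatch(2, p, &r);
}

int main(void)
{
    printf("code 1 (narg 2): result %ld\n", demo_add2());
    printf("code 7: %d (syscall number out of range)\n", demo_badcode());
    printf("code 2 (narg 9 > MAXARGS): %d (rejected)\n", demo_oversize());
    return 0;
}
```

The two inputs userland controls are the syscall number and the pointer to the argument words; the first is bounded by the table size and the second is only read for narg words. The count that sizes the copy lives in the table, which is why an out-of-range value there implies kernel-level write access already, exactly the "you need to be root" condition in the thread. The explicit `narg > MAXARGS` check turns that case into a refused call instead of a stack overrun.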
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?414A1103.2030809>