Date: 20 May 2004 17:55:43 +0200
From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Subject: [UNIX] OpenBSD Procfs Memory Disclosure Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
OpenBSD Procfs Memory Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
Integer related bugs in the way <http://www.openbsd.org/>; OpenBSD's
kernel handles reading from the proc file system may lead to disclosure of
kernel data otherwise unattainable.
DETAILS
Vulnerable Systems:
* OpenBSD version 3.5, possibly prior
Immune Systems:
* OpenBSD version 3.5 with errata patch
Several bugs related to integers open the way for a user to read more
information from the kernel than allowed by the use of the proc file
system. For example it is possible to trick procfs to return large chunks
of kernel memory when reading the cmdline file of system processes. The
relevant piece of code is located at procfs_cmdline.c:
if (P_ZOMBIE(p) || (p->p_flag & P_SYSTEM) != 0) {
len = snprintf(arg, PAGE_SIZE, "(%s)", p->p_comm);
xlen = len - uio->uio_offset;
if (xlen <= 0)
error = 0;
else
error = uiomove(arg, xlen, uio);
free(arg, M_TEMP);
return (error);
}
Patch Availability:
The vendor has been notified and a patch is available at
<http://www.openbsd.org/errata.html>; http://www.openbsd.org/errata.html.
Disclosure Timeline
03/05/2004: Initial email to vendor
13/05/2004: Patch made available
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisories@deprotect.com.>
Deprotect Advisories.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
