The SIOCGIFCONF ioctl, used to request the kernel to produce a list of interfaces, can be exploited to reveal 12 bytes of memory. It is not at all guaranteed that this memory will contain anything interesting.
046e16080325dae021493dffedc9e3fe620cdd65df9f6250a4fd4ff3ce4aaef7-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-05:04.ifconf Security Advisory
The FreeBSD Project
Topic: Kernel memory disclosure in ifconf()
Category: core
Module: sys_net
Announced: 2005-04-15
Credits: Ilja van Sprundel
Affects: All FreeBSD 4.x releases
All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected: 2005-04-15 01:51:44 UTC (RELENG_5, 5.4-STABLE)
2005-04-15 01:52:03 UTC (RELENG_5_4, 5.4-RELEASE)
2005-04-15 01:52:25 UTC (RELENG_5_3, 5.3-RELEASE-p9)
2005-04-15 01:52:40 UTC (RELENG_4, 4.11-STABLE)
2005-04-15 01:52:57 UTC (RELENG_4_11, 4.11-RELEASE-p3)
2005-04-15 01:53:14 UTC (RELENG_4_10, 4.10-RELEASE-p8)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
The SIOCGIFCONF ioctl allows a user process to ask the kernel to produce
a list of the existing network interfaces and copy it into a buffer
provided by the user process.
II. Problem Description
In generating the list of network interfaces, the kernel writes into a
portion of a buffer without first zeroing it. As a result, the prior
contents of the buffer will be disclosed to the calling process.
III. Impact
Up to 12 bytes of kernel memory may be disclosed to the user process.
Such memory might contain sensitive information, such as portions of
the file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password.
IV. Workaround
No known workaround.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch.asc
[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/sys/net/if.c 1.85.2.29
RELENG_4_11
src/UPDATING 1.73.2.91.2.4
src/sys/conf/newvers.sh 1.44.2.39.2.7
src/sys/net/if.c 1.85.2.28.2.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.9
src/sys/conf/newvers.sh 1.44.2.34.2.10
src/sys/net/if.c 1.85.2.25.2.1
RELENG_5
src/sys/net/if.c 1.199.2.15
RELENG_5_4
src/UPDATING 1.342.2.24.2.3
src/sys/net/if.c 1.199.2.14.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.12
src/sys/conf/newvers.sh 1.62.2.15.2.14
src/sys/net/if.c 1.199.2.7.2.3
- -------------------------------------------------------------------------
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:04.ifconf.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQFCXx8LFdaIBMps37IRAgEiAKCYfnAMPrVe72OPJMWtzMNrYmlPNgCfXRNe
RYDaRrNgFPGsFWTuVujelco=
=xLuH
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed