[UNIX] OpenBSD Procfs Memory Disclosure Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/20/04

    To: list@securiteam.com
    Date: 20 May 2004 17:55:43 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      OpenBSD Procfs Memory Disclosure Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Integer-related bugs in the way the OpenBSD kernel (<http://www.openbsd.org/>)
    handles reads from the proc file system may disclose kernel data that
    is otherwise unreachable from user space.

    DETAILS

    Vulnerable Systems:
     * OpenBSD version 3.5, possibly prior

    Immune Systems:
     * OpenBSD version 3.5 with errata patch

    Several integer-handling bugs let a user read more kernel memory through
    the proc file system than it is meant to expose. For example, procfs can
    be made to return large chunks of kernel memory when the cmdline file of
    a system process is read. The relevant code is in procfs_cmdline.c:

    if (P_ZOMBIE(p) || (p->p_flag & P_SYSTEM) != 0) {
            /* Zombie or system process: report "(comm)" from the
             * PAGE_SIZE temporary buffer arg */
            len = snprintf(arg, PAGE_SIZE, "(%s)", p->p_comm);
            /* The remaining length is derived from the caller-supplied
             * file offset with no range check; this arithmetic is the
             * integer bug the advisory describes, so xlen is not
             * guaranteed to fit the buffer handed to uiomove() */
            xlen = len - uio->uio_offset;
            if (xlen <= 0)
                    error = 0;
            else
                    error = uiomove(arg, xlen, uio);
            free(arg, M_TEMP);
            return (error);
    }
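    To make the integer issue concrete, here is an added user-space model of that length computation beside a checked version. It is not OpenBSD's code; it assumes that len and xlen are int, that uio_offset is a 64-bit signed off_t and that the temporary buffer is PAGE_SIZE bytes, none of which is shown on the page.

```c
#include <stdint.h>

/* Constructed model of the procfs_cmdline.c length computation.
 * Assumptions (not from the advisory): len/xlen are int, uio_offset
 * is a 64-bit signed off_t, and the temp buffer is PAGE_SIZE bytes. */
#define PROC_BUF_SIZE 4096          /* PAGE_SIZE in the kernel */
typedef int64_t model_off_t;        /* stands in for off_t */

/* Unchecked form, as in the vulnerable code: the 64-bit difference is
 * narrowed to int (two's-complement wrap on mainstream compilers) and
 * only the sign of the narrowed value is tested, so a large offset can
 * yield a positive xlen that exceeds the buffer. */
int xlen_unchecked(int len, model_off_t uio_offset)
{
    int xlen = (int)(len - uio_offset);   /* narrowing happens here */
    if (xlen <= 0)
        return 0;                          /* nothing to copy */
    return xlen;                           /* may exceed PROC_BUF_SIZE */
}

/* Checked form: compare in the wide type before subtracting, reject
 * negative offsets, and never return more than the buffer holds.
 * snprintf() reports the length it would have written, so len itself
 * is capped at the buffer size before the offset is applied. */
int xlen_checked(int len, model_off_t uio_offset)
{
    model_off_t avail = len < PROC_BUF_SIZE ? len : PROC_BUF_SIZE;
    if (uio_offset < 0 || uio_offset >= avail)
        return 0;
    return (int)(avail - uio_offset);     /* 1..PROC_BUF_SIZE */
}

/* 1 if a computed length would copy past the temporary buffer. */
int overreads_buffer(int xlen)
{
    return xlen > PROC_BUF_SIZE;
}
```

    A review of such code should ask where the offset comes from and in what width the subtraction is performed; the checked form makes both answers explicit.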

    Patch Availability:
    The vendor has been notified and a patch is available at
    <http://www.openbsd.org/errata.html>.

    Disclosure Timeline
    03/05/2004: Initial email to vendor
    13/05/2004: Patch made available

    ADDITIONAL INFORMATION

    The information has been provided by Deprotect Advisories
    (advisories@deprotect.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

