[UNIX] FreeBSD sendfile Kernel Information Disclosure

From: SecuriTeam (support_at_securiteam.com)
Date: 11/10/05

  • Next message: SecuriTeam: "[EXPL] sudo Local Privilege Escalation" 
    To: list@securiteam.com
Date: 10 Nov 2005 14:32:00 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      FreeBSD sendfile Kernel Information Disclosure
    ------------------------------------------------------------------------

    SUMMARY

    The FreeBSD sendfile system call allows a server application (such as an
    HTTP or FTP server) to transmit the contents of a file over a network
    connection without first copying it to application memory.

    The FreeBSD kernel does not clean memory parts before being used with
    sendfile, allowing users to retrieve random information about the system.

    DETAILS

    Vulnerable Systems:
     * FreeBSD 4 series
     * FreeBSD 5 series prior to 5.4-RELEASE

    Immune Systems:
     * FreeBSD RELENG_5, 5.4-STABLE
     * FreeBSD RELENG_5_4, 5.4-RELEASE
     * FreeBSD RELENG_5_3, 5.3-RELEASE-p7
     * FreeBSD RELENG_4, 4.11-STABLE
     * FreeBSD RELENG_4_11, 4.11-RELEASE-p2
     * FreeBSD RELENG_4_10, 4.10-RELEASE-p7
     * FreeBSD RELENG_4_8, 4.8-RELEASE-p29

    If the file being transmitted is truncated after the transfer has started
    but before it completes, sendfile will transfer the contents of more or
    less random portions of kernel memory in lieu of the missing part of the
    file.

    A local user could create a large file and truncate it while transferring
    it to himself, thus obtaining a copy of portions of system memory to which
    he would normally not have access. Such memory might contain sensitive
    information, such as portions of the file cache or terminal buffers. This
    information might be directly useful, or it might be leveraged to obtain
    elevated privileges in some way. For example, a terminal buffer might
    include a user-entered password.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0708>
    CAN-2005-0708

    ADDITIONAL INFORMATION

    The information has been provided by FreeBSD Security.
    The original article can be found at:
    <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] sudo Local Privilege Escalation"

    Relevant Pages