[UNIX] FreeBSD Local Integer Overflow (i386_set_ldt)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



FreeBSD Local Integer Overflow (i386_set_ldt)
------------------------------------------------------------------------


SUMMARY

<http://www.FreeBSD.org/> FreeBSD is a modern operating system for x86,
amd64, Alpha, IA-64, PC-98 and SPARC architectures. It's based on the UNIX
operating system, BSD, which was created at the University of California,
Berkeley.

A vulnerability in FreeBSD could allow denial of service and potentially
arbitrary code execution.

DETAILS

Vulnerable Systems:
* FreeBSD version 5.5 (earlier versions suspected)

Local exploitation of a input validation error in the FreeBSD Project's
i386_set_ldt() kernel implementation could allow attackers to create a
kernel panic, leading to a denial of service condition on the affected
computer.
Exploitation of this vulnerability would result in a denial of service
condition on the affected host. There is a potential for arbitrary code
execution in kernel context due to the way this function manipulates
kernel heap memory.

Vendor responce:
"It appears that the problem you have discovered was fixed in revision
1.96 of src/sys/i386/i386/sys_machdep.c on March 23, 2005, after being
found by the Coverity Prevent analysis tool; the commit message at the
time documented this as a local denial of service bug.

The policy of the FreeBSD Security Team is that local denial of service
bugs not be treated as security issues; it is possible that this problem
will be corrected in a future Erratum."

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4172>
CVE-2006-4172

Disclosure Timeline:
* 08/16/2006 - Initial vendor notification
* 08/16/2006 - Initial vendor response
* 09/23/2006 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=414>
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=414



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages