FreeBSD kernel buffer overflow
Julian Elischer
julian at elischer.org
Thu Sep 16 15:17:40 PDT 2004
As you point out,
gerarra at tin.it wrote:
>Topic: Buffer Overflow in FreeBSD
>Versions: All the versions of FreeBSD are broken (4.x, 5.x, 6.0)
>Arch: x86
>Date: 16/09/2004
>
>
>A buffer overflow has been found in the i386/i386/trap.c syscall() function of the FreeBSD official source tree.
>
>
[...]
As you say below, this is not exploitable except for root. The number of arguments for a syscall is defined within the kernel and is not supplied from an untrusted source. This means that this is not a security problem.
To load a kernel module you must be root (and not in a jail), meaning that if you wanted to, the quicker and easier exploit would be
/bin/sh
:-)
The arg mask is not there for security, but rather to allow other values to be stored in the same longword.
>It's exploitable, but the only way I discovered is to link a new syscall to the sysent array, and to do this you need to be root; I've no time to work on this vulnerability, but I think another way could be found. However, it could give serious problems (e.g. kernel crashes).
>
>
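The following is an added, constructed user-space model of the argument copy the thread is about; it is not from the original message and not FreeBSD's source. It shows the two points made in the reply: the count of words copied into the on-stack args[] array comes only from the kernel's sysent table (the user controls the syscall code and the argument words, not the count), and the "arg mask" simply separates that count from other flag bits packed into the same word. The names sysent, sy_narg, SYF_ARGMASK and SYF_MPSAFE follow FreeBSD's, but their values, the MAXARGS size, the error numbers and all helper functions are assumptions for this example. The one extra line, rejecting an entry whose count exceeds the array, is the check a table entry installed by a root-loaded module would need to trip; with the stock table it never fires.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed user-space model of the argument copy in the FreeBSD i386
 * syscall() handler discussed in the thread. Illustrative only, not the
 * kernel's code; the field/flag names follow FreeBSD's, but the values,
 * MAXARGS and the error numbers used here are assumptions.
 */
typedef long kreg_t;            /* stands in for the kernel's register_t */

#define SYF_ARGMASK 0x0ff       /* low bits of sy_narg: argument count */
#define SYF_MPSAFE  0x100       /* another value stored in the same word */
#define MAXARGS     8           /* size of the on-stack args[] array */

struct sysent {
    int sy_narg;                        /* argument count, plus flags */
    int (*sy_call)(const kreg_t *args); /* handler */
};

static int sys_nosys(const kreg_t *a) { (void)a; return -1; }
static int sys_add2(const kreg_t *a) { return (int)(a[0] + a[1]); }

/* Kernel data: only root (outside a jail) can change it, by loading a module. */
static struct sysent sysent[] = {
    { 0 | SYF_MPSAFE, sys_nosys },
    { 2 | SYF_MPSAFE, sys_add2 },
};
#define NSYSENT (sizeof(sysent) / sizeof(sysent[0]))

enum { E_OK = 0, E_INVAL = 22, E_NOSYS = 78 };   /* assumed values */

/* The "arg mask": pull the count out of the packed word. */
int narg_of(int sy_narg) { return sy_narg & SYF_ARGMASK; }
int is_mpsafe(int sy_narg) { return (sy_narg & SYF_MPSAFE) != 0; }

/* Stand-in for copyin(): copy nwords words from "user" memory into kernel memory. */
static void model_copyin(const kreg_t *uaddr, kreg_t *kaddr, size_t nwords)
{
    memcpy(kaddr, uaddr, nwords * sizeof(kreg_t));
}

/*
 * Dispatch. The user controls 'code' and the words behind 'uparams'; the
 * number of words copied comes only from the table. The narg > MAXARGS
 * check is the defensive line an oversized table entry would need.
 */
int dispatch(int code, const kreg_t *uparams, int *result)
{
    kreg_t args[MAXARGS];
    if (code < 0 || (size_t)code >= NSYSENT)
        return E_NOSYS;
    const struct sysent *callp = &sysent[code];
    int narg = narg_of(callp->sy_narg);
    if (narg > MAXARGS)
        return E_INVAL;                  /* would overflow args[] without this */
    if (narg != 0)
        model_copyin(uparams, args, (size_t)narg);
    *result = callp->sy_call(args);
    return E_OK;
}

/* Simulate what a root-loaded module could do: install an entry with any count. */
void install_entry(int code, int narg, int (*fn)(const kreg_t *))
{
    if (code >= 0 && (size_t)code < NSYSENT) {
        sysent[code].sy_narg = narg | SYF_MPSAFE;
        sysent[code].sy_call = fn;
    }
}

/* Demo helpers; each returns a value that can be checked. */
int demo_good_call(void)
{
    kreg_t params[2] = { 3, 4 };         /* constructed "user" arguments */
    int r = 0;
    return dispatch(1, params, &r) == E_OK ? r : -1;   /* 7 */
}

int demo_unknown_code(void)
{
    kreg_t params[1] = { 0 };
    int r = 0;
    return dispatch(99, params, &r);     /* E_NOSYS: code is bounds-checked */
}

int demo_oversized_entry(void)
{
    kreg_t params[MAXARGS] = { 0 };
    int r = 0;
    install_entry(0, 200, sys_nosys);    /* only root could do this */
    return dispatch(0, params, &r);      /* E_INVAL: refused before the copy */
}

int main(void)
{
    printf("add2(3,4) = %d\n", demo_good_call());
    printf("unknown code -> %d\n", demo_unknown_code());
    printf("oversized table entry -> %d\n", demo_oversized_entry());
    return 0;
}
```

Nothing a non-root user passes to dispatch() can change how many words are copied; the only way to make the copy overrun args[] is to change the table itself, which is the root-only step the thread describes.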