UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824,
MOKB-03-11-2006, CVE-2006-5679
Josh Paetzel
josh at tcbug.org
Thu Nov 23 23:42:25 UTC 2006
On Thursday 23 November 2006 15:36, David Malone wrote:
> On Thu, Nov 23, 2006 at 10:30:35AM +0100, O. Hartmann wrote:
> > Is for these UFS bugs in FreeBSD since 6.1 a fix underway?
> >
> > See:
> >
> > http://projects.info-pull.com/mokb/
> >
> > MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679
>
> These two bugs both seem to involve mounting deliberately corrupted
> UFS file systems. I'm not sure that many people allow this. To be
> honest, I'm surprised that they only list two bugs of this sort -
> UFS wasn't designed to be robust to working with accidentally
> corrupted filesystems, let alone ones corrupted maliciously!
>
> The usual response of UFS to a corrupted filesystem is to panic.
> I'm guessing it would have been easier to do:
>
> grep panic /usr/src/sys/ufs/*/*.c
>
> to find a load of these bugs, rather than writing a fuzzing tool
> ;-)
>
> (That's not to say that it isn't worth improving things, it's just
> likely to be a large amount of work to fix this in a way that
> actually makes things better.)
>
> David.
Out of the box you need to be root to mount things. Once you have
root access to a box you don't need silly things like this to crash
it.
If you've gone out of your way to configure your box in such a way
that a non-root user can mount arbitrary UFS filesystems then they
certainly don't need to waste their time with buffer-overflows and
the like. They can simply mount a filesystem with any number of SUID
root binaries on it and have their way with the box.
Either way, while it's senseless to argue that the buffer overflows
don't exist, anyone in a position to actually exploit them doesn't
need them to be malicious.
--
Thanks,
Josh Paetzel