NetBSD KernFS LSEEK Kernel内存泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1196415 漏洞类型 输入验证
发布时间 2006-01-09 更新时间 2006-05-09
CVE编号 CVE-2006-0145 CNNVD-ID CNNVD-200601-057
漏洞平台 N/A CVSS评分 4.6
|漏洞来源
https://cxsecurity.com/issue/WLB-2006020015
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-057
|漏洞详情
NetBSD是一款免费开放源代码的UNIX性质的操作系统。NetBSD对kernfs文件系统的lseek(2)系统调用没有正确的验证文件偏移,这样用户级非特权进程可以读取任意kernel内存位置,导致泄漏敏感信息。
|漏洞EXP
--- SecurityLab Technologies, Inc.
--- Security Advisory
--- http://www.securitylab.net

Advisory Name: NetBSD / OpenBSD kernfs_xread patch evasion
Release Date: February 02, 2006
Application: kernfs
Platform: NetBSD / OpenBSD
Severity: Severe
Author: SLAB Research
Vendor Status: Patched
Reference: http://www.securitylab.net/research/
<http://www.securitylab.net/research/>

Overview:

Due to a flaw in the original patch implemented by the NetBSD team in
release 2.0.3 the kernfs_xread function was still vulnerable to
exploitation. The original patch failed to manage the truncation of
64bit integers. Prior to the 2.0.3 patch kernfs_read neglected to test
for a negative file offset value. The 2.0.3 patch enforced the testing
of negative offsets but failed to test for negative 32bit values. Since
the kernfs_xread function truncates the 64bit offset to a 32bit value it
was possible to have a negative 32bit offset bypass the security
employed. This negative offset flaw made continued disclosure of kernel
memory possibly.

OpenBSD's 3.8 kernel release contained the same vulnerability and the
same type of patch as NetBSD 2.0.3. It checked for the negative value in
a 64bit read offset. However, kernfs is no longer included in the
current OpenBSD generic kernel.

Vendor response:

OpenBSD:
OpenBSD believes this issue is not a vulnerability, because kernfs was
not linked into the GENERIC kernel by default. The OpenBSD team has
chosen to remove the kernfs tree from the current kernel code, rather
than implementing a patch.

NetBSD:
In response to this advisory the NetBSD team patched kernfs_vnops.c
version 1.114. The fix is available in the current source tree. NetBSD
3.0 recently released is not affected by this flaw. The NetBSD team has
issued an advisory:

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-001.tx
t.asc

Site of the day:
FON http://www.fon.com
A wireless movement

Copyright 2006 SecurityLab Technologies, Inc. You may distribute freely
without modification.
|参考资料

来源:BID
名称:16173
链接:http://www.securityfocus.com/bid/16173
来源:MISC
链接:http://www.securitylab.net/research/2006/02/advisory_netbsd_openbsd_kernfs.html
来源:BUGTRAQ
名称:20060202[SLAB]NetBSD/OpenBSDkernfs_xreadpatchevasion
链接:http://www.securityfocus.com/archive/1/archive/1/423827/100/0/threaded
来源:OSVDB
名称:22293
链接:http://www.osvdb.org/22293
来源:SECUNIA
名称:18712
链接:http://secunia.com/advisories/18712
来源:SECUNIA
名称:18388
链接:http://secunia.com/advisories/18388
来源:NETBSD
名称:NetBSD-SA2006-001
链接:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-001.txt.asc
来源:XF
名称:netbsd-kernfs-memory-disclosure(24035)
链接:http://xforce.iss.net/xforce/xfdb/24035
来源:SREASON
名称:405
链接:http://securityreason.com/securityalert/405