Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

FreeBSD Security Advisory FreeBSD-SA-04:15.syscons
From: FreeBSD Security Advisories <security-advisories () freebsd org>
Date: Mon, 4 Oct 2004 20:54:12 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:15.syscons                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Boundary checking errors in syscons

Category:       core
Module:         sys_dev_syscons
Announced:      2004-10-04
Credits:        Christer Oberg
Affects:        FreeBSD 5.x releases
Corrected:      2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6)
                2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11)
CVE Name:       CAN-2004-0919
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

syscons(4) is the default console driver for FreeBSD.  Using the
physical keyboard and screen, it provides multiple virtual terminals
which appear as if they were separate terminals.  One virtual terminal
is considered current and exclusively occupies the screen and the
keyboard; the other virtual terminals are placed in the background.

II.  Problem Description

The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of
its input arguments.  In particular, negative coordinates or large
coordinates may cause unexpected behavior.

III. Impact

It may be possible to cause the CONS_SCRSHOT ioctl to return portions of
kernel memory.  Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers.  This information might
be directly useful, or it might be leveraged to obtain elevated
privileges in some way.  For example, a terminal buffer might include a
user-entered password.

IV.  Workaround

There is no known workaround.  However, this bug is only exploitable
by users who have access to the physical console or can otherwise open
a /dev/ttyv* device node.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to the RELENG_5_2 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.2
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5_2
  src/UPDATING                                                 1.282.2.19
  src/sys/conf/newvers.sh                                       1.56.2.18
  src/sys/dev/syscons/syscons.c                                 1.409.2.1
- -------------------------------------------------------------------------

VII. References

<URL:http://cvsweb.freebsd.org/src/sys/dev/syscons/syscons.c.diff?r1=1.428&r2=1.429>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBYYMTFdaIBMps37IRAuNbAJ4jbPnqo3vvEeD33ItW09r3zAuh5QCghq5v
SN4Y+OCpzJ7Szy3s++slzeQ=
=FlYi
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications () freebsd org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe () freebsd org"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • FreeBSD Security Advisory FreeBSD-SA-04:15.syscons FreeBSD Security Advisories (Oct 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault