Contributed by jose on from the class-of-bugs dept.
Pine Digital Security Advisory

Advisory ID     : PINE-CERT-20040201 (CAN-2004-0114)
Authors         : Joost Pol
Vendor Informed : 2004-02-01
Issue date      : 2004-02-05
Application     : kernel / sysv shared memory
Platforms       : FreeBSD, NetBSD and OpenBSD
Availability    : http://www.pine.nl/press/pine-cert-20040201.txt

Synopsis

While gathering material for a security training Pine Digital Security encountered a reference count overflow condition which could lead to privilege escalation.

Versions

Vulnerable versions include: FreeBSD >= 2.2.0, NetBSD >= 1.3 and OpenBSD >= 2.6

Impact

Serious. Local users can elevate their privileges.

Description

The shmat(2) function maps a shared memory segment, previously created with the shmget(2) function, into the address space of the calling process.
Here is the mail from security-announce:
Date: Thu, 05 Feb 2004 16:35:48 -0700
From: Todd C. Miller
To: firstname.lastname@example.org
Subject: Reference counting bug in shmat(2)

A reference counting bug exists in the shmat(2) system call that could be used by an attacker to write to kernel memory under certain circumstances. The bug, found by Joost Pol, could be used to gain elevated privileges and has been successfully exploited under FreeBSD.

Patches for OpenBSD 3.4 and 3.3 respectively are also available:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch

The patch is already present in OpenBSD-current as well as in the 3.3 and 3.4 -stable branches.

For more information on the bug, see Joost Pol's description at:

    http://www.pine.nl/press/pine-cert-20040201.txt