Bugtraq mailing list archives
Re: FreeBSD Security Advisory: FreeBSD-SA-00:62.top [REISSUED]
From: vort-fu <vort () WIRETAPPED NET>
Date: Tue, 7 Nov 2000 13:12:56 +1100
II. Problem Description A "format string vulnerability" was discovered in the top(1) utility which allows unprivileged local users to cause the top process to execute arbitrary code. The top utility runs with increased privileges as a member of the kmem group, which allows it to read from kernel memory (but not write to it). A process with the ability to read from kernel memory can monitor privileged data such as network traffic, disk buffers and terminal activity, and may be able to leverage this to obtain further privileges on the local system or on other systems, including root privileges.
From my initial findings, this was not exploitable (not easily if at all),
as the command input is restricted in length, 50 bytes from memory. No supplied addresses can be accessed nor any that could be used to easily modify the ret of a call.
NOTE: The original version of this advisory contained an incomplete patch which does not fully eliminate the security vulnerability. The additional vulnerability was pointed out by Przemyslaw Frasunek <venglin () freebsd lublin pl>.
It seems that somebody from the freebsd team didnt copy and paste well enough from my openbsd patch, but the missing segment in the original fbsd patch was only added for 'completeness' on my behalf. The error lied in the kill command alone, the renice command was unaffected, thus the updated patch is not necessarily needed. Personally I would put this down to a programming error, and not an (exploitable) vulnerability. Though I admit that I am not an overly superkraduberleet(tm) exploit coder, and dont pretend to be, but if anyone can exploit this bug, please forward to the list. ps. This was sent to the openbsd team, and patched, a month or so ago. How can the freebsd team justify the lateness in applying their patch (especially considering that they felt it was exploitable)? vort-fu vort () wiretapped net
Current thread:
- FreeBSD Security Advisory: FreeBSD-SA-00:62.top [REISSUED] FreeBSD Security Advisories (Nov 07)
- <Possible follow-ups>
- Re: FreeBSD Security Advisory: FreeBSD-SA-00:62.top [REISSUED] vort-fu (Nov 08)
- Re: FreeBSD Security Advisory: FreeBSD-SA-00:62.top [REISSUED] Kris Kennaway (Nov 08)
- Re: FreeBSD Security Advisory: FreeBSD-SA-00:62.top [REISSUED] Warner Losh (Nov 09)