Vigil@nce - FreeBSD: buffer overflow via .login_conf.db
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use a malformed .login_conf.db file to elevate
his privileges.
Severity: 2/4
Creation date: 10/08/2010
DESCRIPTION OF THE VULNERABILITY
The /etc/login.conf file contains configuration directives for
user accounts, using key/value pairs. For example:
    me:\
        :coredumpsize=1024:\
        :maxproc=infinity:
Each user can have a .login_conf file located in his home
directory to define customized values. The ~/.login_conf file is
converted to a Berkeley database named ~/.login_conf.db.
These files are read by /usr/bin/login when the user authenticates
to a service. However, if a key/value in the ~/.login_conf.db
file is too large, a buffer overflow occurs.
An attacker can therefore use a malformed .login_conf.db file to
elevate his privileges.
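An inventory of the per-user databases described above can show which accounts carry a ~/.login_conf.db at all. The script below is an added example, not part of the bulletin or of FreeBSD. The function names and the flags are assumptions chosen here as review heuristics, and the script does not inspect key/value sizes inside the database.

```shell
#!/bin/sh
# Inventory per-user .login_conf.db files below a directory that holds
# home directories. One output line per database: "<home> <bytes> <flags>".
# Flags (heuristics defined for this example, not by FreeBSD):
#   no-source  no .login_conf text file beside the database, so there is
#              no readable source to compare its contents against
#   symlink    the database path is a symbolic link
#   owner      the database owner differs from the home directory owner
#   ok         none of the above

owner_uid() {
    # Field 3 of `ls -ldn` is the numeric owner on both BSD and Linux.
    ls -ldn "$1" | awk '{print $3}'
}

audit_login_conf_db() {
    root=$1
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        db="$home/.login_conf.db"
        # -e follows links, so test -L as well to catch dangling symlinks.
        if [ ! -e "$db" ] && [ ! -L "$db" ]; then continue; fi
        flags=""
        if [ -L "$db" ]; then flags="$flags,symlink"; fi
        if [ ! -f "$home/.login_conf" ]; then flags="$flags,no-source"; fi
        if [ -e "$db" ] && [ "$(owner_uid "$db")" != "$(owner_uid "$home")" ]; then
            flags="$flags,owner"
        fi
        if [ -z "$flags" ]; then flags=",ok"; fi
        if [ -f "$db" ]; then
            bytes=$(wc -c < "$db" | tr -d ' ')
        else
            bytes="-"
        fi
        printf '%s %s %s\n' "$home" "$bytes" "${flags#,}"
    done
}

# Stand-alone use: pass the directory that contains the home directories.
if [ "$#" -gt 0 ]; then
    audit_login_conf_db "$1"
fi
```

Lines flagged no-source or symlink are the ones to review first, since the database there cannot be matched to a text file the user wrote.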
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-buffer-overflow-via-login-conf-db-9821