Vigil@nce: FreeBSD, buffer overflow via Unix Socket
October 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a Unix socket, in order to create an
overflow in the FreeBSD kernel.
– Severity: 2/4
– Creation date: 28/09/2011
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
Unix sockets are used to exchange data between two applications,
using a file of type socket.
The sockaddr_un structure (which is compatible with sockaddr)
contains the following fields:
– sun_len: size of the data in the structure (sun_family + size of
the file name + 1)
– sun_family: type of socket (AF_UNIX)
– sun_path: path of the file, stored in a 104-byte array
The bind() and connect() system calls set up and connect a socket.
However, their implementations in the uipc_bind() and unp_connect()
functions in the file sys/kern/uipc_usrreq.c do not check whether the
size indicated in sun_len is larger than the size of the sockaddr_un
structure.
A local attacker can therefore use a Unix socket, in order to
create an overflow in the FreeBSD kernel.
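The missing bound the bulletin describes is a comparison of the length field against the size of the structure. The following validator is an added example, not FreeBSD's code and not part of the Vigil@nce bulletin: it mirrors the FreeBSD sockaddr_un layout (sun_len, sun_family, 104-byte sun_path) in a constructed struct so it compiles anywhere, rejects any address whose sun_len exceeds sizeof(struct sockaddr_un) before the path is copied, and also catches a length shorter than the fixed header and a path with no room for a terminating NUL. The AF_UNIX value of 1 and the helper that builds a well-formed address are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed mirror of FreeBSD's struct sockaddr_un layout (sun_len,
 * sun_family, 104-byte sun_path) so the check compiles on any platform. */
#define SUN_PATH_MAX  104
#define AF_UNIX_VALUE 1   /* AF_UNIX is 1 on FreeBSD; assumed constant here */

struct bsd_sockaddr_un {
    uint8_t sun_len;
    uint8_t sun_family;
    char    sun_path[SUN_PATH_MAX];
};

enum sun_status {
    SUN_OK = 0,
    SUN_BAD_FAMILY,
    SUN_LEN_TOO_SMALL,   /* shorter than the fixed header plus one path byte */
    SUN_LEN_TOO_LARGE,   /* the unchecked case the bulletin describes */
    SUN_PATH_TOO_LONG    /* path leaves no room for a terminating NUL */
};

/*
 * Validate a caller-supplied sockaddr_un and, if it is sound, copy its path
 * into out as a NUL-terminated string. The comparison against sizeof(*sa)
 * is the bound the bulletin says uipc_bind()/unp_connect() lacked: without
 * it, a sun_len larger than the structure makes the path copy read past
 * the end of sun_path.
 */
enum sun_status
check_sockaddr_un(const struct bsd_sockaddr_un *sa, char *out, size_t outlen)
{
    const size_t hdr = offsetof(struct bsd_sockaddr_un, sun_path);
    size_t pathlen, i;

    if (sa->sun_family != AF_UNIX_VALUE)
        return SUN_BAD_FAMILY;
    if (sa->sun_len < hdr + 1)          /* need at least one path byte */
        return SUN_LEN_TOO_SMALL;
    if (sa->sun_len > sizeof(*sa))      /* the missing bound */
        return SUN_LEN_TOO_LARGE;

    /* sun_len is now bounded, so the path is at most SUN_PATH_MAX bytes. */
    pathlen = sa->sun_len - hdr;
    /* Stop at an embedded NUL, if the caller supplied one early. */
    for (i = 0; i < pathlen; i++)
        if (sa->sun_path[i] == '\0')
            break;
    pathlen = i;
    if (pathlen >= outlen)
        return SUN_PATH_TOO_LONG;

    memcpy(out, sa->sun_path, pathlen);
    out[pathlen] = '\0';
    return SUN_OK;
}

/* Assumed helper: build an address the way a correct caller would, with
 * sun_len = header + strlen(path) + 1, the formula the bulletin gives. */
int
make_sockaddr_un(struct bsd_sockaddr_un *sa, const char *path)
{
    size_t n = strlen(path);
    if (n + 1 > SUN_PATH_MAX)
        return -1;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX_VALUE;
    memcpy(sa->sun_path, path, n + 1);
    sa->sun_len = (uint8_t)(offsetof(struct bsd_sockaddr_un, sun_path) + n + 1);
    return 0;
}
```

A well-formed address for "/tmp/example.sock" carries sun_len = 2 + 17 + 1 = 20 and passes; the same structure with sun_len raised to 255 (the field is a single byte, so values well above the 106-byte structure are representable) is rejected as SUN_LEN_TOO_LARGE before any copy happens, which is the behaviour a patched kernel should show.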
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-buffer-overflow-via-Unix-Socket-11020