Vigil@nce: FreeBSD, buffer overflow of nmount
September 2008 by Vigil@nce
A local attacker can elevate his privileges via an overflow in
nmount().
– Gravity: 1/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 04/09/2008
– Identifier: VIGILANCE-VUL-8088
IMPACTED PRODUCTS
– FreeBSD [confidential versions]
DESCRIPTION
The administrator can allow users to use the mount command, but
this is not the default configuration.
The mount command and similar commands call mount() and nmount().
However, the nmount() system call stores its parameters in a fixed
size array, which leads to a buffer overflow.
A local attacker, allowed via vfs.usermount, can therefore use
long parameters in order to execute code in the kernel.
CHARACTERISTICS
– Identifiers: BID-31002, CVE-2008-3531, FreeBSD-SA-08:08.nmount,
VIGILANCE-VUL-8088
– Url: https://vigilance.aql.fr/tree/1/8088