Vigil@nce: FreeBSD, buffer overflow of nmount
September 2008 by Vigil@nce
A local attacker can elevate his privileges via an overflow in nmount().
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 04/09/2008
FreeBSD [confidential versions]
The administrator can allow users to use the mount command, but this is not the default configuration.
The mount command and similar commands call mount() and nmount(). However, the nmount() system call stores its parameters in a fixed size array, which leads to a buffer overflow.
A local attacker, allowed via vfs.usermount, can therefore use long parameters in order to execute code in the kernel.
Identifiers: BID-31002, CVE-2008-3531, FreeBSD-SA-08:08.nmount,