Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Vigil@nce: FreeBSD, buffer overflow of nmount

September 2008 by Vigil@nce

A local attacker can elevate his privileges via an overflow in nmount().

- Gravity: 1/4
- Consequences: administrator access/rights
- Provenance: user shell
- Means of attack: no proof of concept, no attack
- Ability of attacker: expert (4/4)
- Confidence: confirmed by the editor (5/5)
- Diffusion of the vulnerable configuration: medium (2/3)
- Creation date: 04/09/2008
- Identifier: VIGILANCE-VUL-8088


- FreeBSD [confidential versions]


The administrator can allow users to use the mount command, but this is not the default configuration.

The mount command and similar commands call mount() and nmount(). However, the nmount() system call stores its parameters in a fixed size array, which leads to a buffer overflow.

A local attacker, allowed via vfs.usermount, can therefore use long parameters in order to execute code in the kernel.


- Identifiers: BID-31002, CVE-2008-3531, FreeBSD-SA-08:08.nmount, VIGILANCE-VUL-8088
- Url:

See previous articles


See next articles