Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

De la Théorie à la pratique





















Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce: FreeBSD, buffer overflow of nmount

September 2008 by Vigil@nce

A local attacker can elevate his privileges via an overflow in nmount().

- Gravity: 1/4
- Consequences: administrator access/rights
- Provenance: user shell
- Means of attack: no proof of concept, no attack
- Ability of attacker: expert (4/4)
- Confidence: confirmed by the editor (5/5)
- Diffusion of the vulnerable configuration: medium (2/3)
- Creation date: 04/09/2008
- Identifier: VIGILANCE-VUL-8088

IMPACTED PRODUCTS

- FreeBSD [confidential versions]

DESCRIPTION

The administrator can allow users to use the mount command, but this is not the default configuration.

The mount command and similar commands call mount() and nmount(). However, the nmount() system call stores its parameters in a fixed size array, which leads to a buffer overflow.

A local attacker, allowed via vfs.usermount, can therefore use long parameters in order to execute code in the kernel.

CHARACTERISTICS

- Identifiers: BID-31002, CVE-2008-3531, FreeBSD-SA-08:08.nmount, VIGILANCE-VUL-8088
- Url: https://vigilance.aql.fr/tree/1/8088




See previous articles

    

See next articles