Vigil@nce: FreeBSD, denial of service via kenv
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use kenv() in order to stop the system.
Gravity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: 1 proof of concept and 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/03/2009
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
The kenv() system call manipulates kernel environment variables:
kenv(action, name, value, len);
The "action" can be:
– KENV_GET: store the value of "name" in the "value" array of
size "len"
– KENV_DUMP : dump all variables in "value" of size "len"
– etc.
When KENV_DUMP is used, the kernel allocates a memory area of size
"len" to store the concatenated variables. However, it does not
check if the "len" variable is very big. In this case, the kernel
tries to allocate a large memory area, which stops it.
A local attacker can therefore use kenv() in order to stop the
system.
CHARACTERISTICS
Identifiers: FreeBSD-EN-09:01.kenv, VIGILANCE-VUL-8551
http://vigilance.fr/vulnerability/FreeBSD-denial-of-service-via-kenv-8551