Vigil@nce: FreeBSD, file corruption via mbuf
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the sendfile() system call, which passes file
data through mbufs, in order to corrupt the contents of files to which he
only has read access.
– Severity: 2/4
– Creation date: 13/07/2010
DESCRIPTION OF THE VULNERABILITY
An "mbuf" (memory buffer) either holds its data inline or points to
external data. The M_RDONLY flag on an mbuf indicates that the memory
area it points to is read-only and must not be modified in place.
However, when an mbuf pointing to external data is duplicated, the
M_RDONLY flag is not copied to the new mbuf. The copy therefore appears
writable although it still references the same read-only memory.
The sendfile() system call sends a file to a socket. To avoid copying,
it builds mbufs pointing to external data: the cached pages of the file,
marked M_RDONLY. Sending a file the attacker can read over the loopback
interface causes these mbufs to be duplicated; the copies lack M_RDONLY,
so the memory backing the file becomes writable and its contents can be
modified. sendfile() can thus be used as an attack vector.
A local attacker can therefore use the sendfile() function, which
uses mbufs, in order to corrupt readable files.
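As an added illustration (not part of the Vigil@nce bulletin and not
FreeBSD source code), the toy C model below reproduces the defect
described in the two preceding paragraphs: a duplicate routine that drops
M_RDONLY beside one that preserves it, and a consumer that checks the flag
before writing in place. All names (toy_mbuf, the M_EXT/M_RDONLY values,
mbuf_dup_vuln, mbuf_dup_fixed, file_page_corrupted) are invented for the
example, and the "file page" is a constructed in-memory buffer standing
in for a page-cache page attached to an mbuf by a sendfile()-style
producer.

```c
/*
 * Toy model of the mbuf M_RDONLY propagation defect described above.
 * Written for this page as an illustration; it is NOT FreeBSD's mbuf
 * implementation. All names (toy_mbuf, the M_EXT/M_RDONLY values,
 * mbuf_dup_vuln, mbuf_dup_fixed, file_page_corrupted) are invented.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define M_EXT    0x1u   /* data lives in external storage shared with others */
#define M_RDONLY 0x2u   /* that external storage must not be written in place */

struct toy_mbuf {
    unsigned flags;
    unsigned char *data;   /* with M_EXT: pointer into shared external storage */
    size_t len;
};

/* Constructed stand-in for a page-cache page backing a file the attacker
 * may read but not write. A sendfile()-style producer attaches such pages
 * to mbufs instead of copying them. */
static const char file_contents[] = "hello, readable file";
static unsigned char file_page[64];

static void reset_file_page(void) {
    memset(file_page, 0, sizeof file_page);
    memcpy(file_page, file_contents, sizeof file_contents);
}

/* Producer: wrap external storage, correctly marked read-only. */
static struct toy_mbuf mbuf_wrap_ext(unsigned char *ext, size_t len) {
    struct toy_mbuf m = { M_EXT | M_RDONLY, ext, len };
    return m;
}

/* Vulnerable duplicate: shares the external pointer but drops M_RDONLY,
 * so the copy looks writable although it aliases read-only memory. */
struct toy_mbuf mbuf_dup_vuln(const struct toy_mbuf *src) {
    struct toy_mbuf m = { src->flags & M_EXT, src->data, src->len };
    return m;
}

/* Fixed duplicate: carries M_RDONLY along with M_EXT. */
struct toy_mbuf mbuf_dup_fixed(const struct toy_mbuf *src) {
    struct toy_mbuf m = { src->flags & (M_EXT | M_RDONLY), src->data, src->len };
    return m;
}

/* Consumer that wants to rewrite payload bytes in place (here: upper-case
 * them). It honours M_RDONLY and refuses when the flag is set; a real
 * stack would take a private copy first. Returns 1 if it wrote into the
 * shared storage, 0 if it refused. */
static int transform_in_place(struct toy_mbuf *m) {
    if (m->flags & M_RDONLY)
        return 0;
    for (size_t i = 0; i < m->len; i++)
        m->data[i] = (unsigned char)toupper(m->data[i]);
    return 1;
}

/* Run the full path once: wrap the page, duplicate the mbuf with the
 * vulnerable or the fixed routine, let the consumer act on the copy.
 * Returns 1 if the file's cached page was altered, i.e. the "file" was
 * corrupted through the duplicated mbuf. */
int file_page_corrupted(int use_fixed_dup) {
    reset_file_page();
    struct toy_mbuf orig = mbuf_wrap_ext(file_page, strlen(file_contents));
    struct toy_mbuf copy = use_fixed_dup ? mbuf_dup_fixed(&orig)
                                         : mbuf_dup_vuln(&orig);
    transform_in_place(&copy);
    return memcmp(file_page, file_contents, strlen(file_contents)) != 0;
}

int main(void) {
    printf("vulnerable dup: file page corrupted = %d\n", file_page_corrupted(0));
    printf("fixed dup:      file page corrupted = %d\n", file_page_corrupted(1));
    return 0;
}
```

The consumer is the same in both runs; only the duplicate routine
differs. With the vulnerable duplicate the read-only page is rewritten
through the copy, which is the class of corruption the bulletin describes.
Propagating M_RDONLY when copying an mbuf that references external
storage is the fix: every path that aliases shared memory must carry the
read-only marking with it.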
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-file-corruption-via-mbuf-9753