Vigil@nce - FreeBSD: information disclosure via getlogin
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can call getloing to read a memory fragment of
the FreeBSD kernel, in order to obtain perhaps sensitive
information.
Impacted products: FreeBSD
Severity: 1/4
Creation date: 05/11/2014
DESCRIPTION OF THE VULNERABILITY
In FreeBSD, the setlogin and getlogin system calls allow to define
and retrieve the user name bound to the current session.
However, the setlogin function does not clean the whole buffer
where the user name is stored and getlogin copies the whole buffer
from the kernel structure to the user process buffer. So the user
process gets, after the user name, a few bytes from the kernel
memory that may contain data the user process does have the right
to access to.
A local attacker can therefore call getlogin to read a memory
fragment of the FreeBSD kernel, in order to obtain perhaps
sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-information-disclosure-via-getlogin-15588