Vigil@nce: OpenBSD, denial of service via fts
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a long path in order to stop applications
using the fts_* functions of the libc.
Gravity: 1/4
Consequences: denial of service of service
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 06/03/2009
IMPACTED PRODUCTS
– OpenBSD
DESCRIPTION OF THE VULNERABILITY
Functions in the fts (fts_open, fts_read, etc.) family are used to
go through a directory hierarchy.
They use the _ftsent structure to store information on a file.
This structure has a field named fts_level, which contains the
depth level where the file was found (number of went through
directories). The fts_level field is of short type (16 bit,
maximum 64k).
However, the OpenBSD implementation of fts does not check if the
depth is over 64k. A negative value is then used, which creates an
error.
A local attacker can therefore use a long path in order to stop
applications using the fts_* functions of the libc.
CHARACTERISTICS
Identifiers: BID-34008, CVE-2009-0537, VIGILANCE-VUL-8517
http://vigilance.fr/vulnerability/OpenBSD-denial-of-service-via-fts-8517