Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
In response to Colin Percival <[EMAIL PROTECTED]>: > Bill Moran wrote: > > Colin Percival <[EMAIL PROTECTED]> wrote: > >> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD > ^^^ > > That was what I expected. Section III seems to hint that it could be > > used by an unprivileged user to crash or lock a system. > > Yes. An unprivileged user who is able to execute code on an affected system > can cause a kernel panic. There are a variety of reasons for not treating > bugs like this as security issues; the strongest reason imho is that if one > of your users is making a system crash, you can disable his account and call > the police. Thanks for the clarification. >From my standpoint, this qualifies as a "privilege escalation" and warrants action. I see that it's already fixed in RELENG_6_1. Am I correct that there is no intention to MFC this back to RELENG_6_0? And, yes, I can't spell "unprivileged" to save my life, and the spell checker was turned off on my other computer ... -- Bill Moran Collaborative Fusion Inc. IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
Bill Moran wrote: > Colin Percival <[EMAIL PROTECTED]> wrote: >> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD ^^^ > That was what I expected. Section III seems to hint that it could be > used by an unprivilidged user to crash or lock a system. Yes. An unprivileged user who is able to execute code on an affected system can cause a kernel panic. There are a variety of reasons for not treating bugs like this as security issues; the strongest reason imho is that if one of your users is making a system crash, you can disable his account and call the police. > BTW, are you going to be at NYCBSDCon? No -- I only go to conferences if I have a paper to present. Colin Percival ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
Colin Percival <[EMAIL PROTECTED]> wrote: > Bill Moran wrote: > > This report seems pretty vague. I'm unsure as to whether the alleged > > "bug" gives the user any more permissions than he'd already have? Anyone > > know any details? > > This is a local denial of service bug, which was fixed 6 weeks ago in HEAD > and RELENG_6. There is no opportunity for either remote denial of service > or any privilege escalation. > > > VI. VENDOR RESPONSE > > > > "The policy of the FreeBSD Security Team is that local denial of service > > bugs not be treated as security issues; it is possible that this problem > > will be corrected in a future Erratum." > > If there was any potential for > (a) privilege escalation, > (b) disclosure of potentially sensitive information, or > (c) denial of service by a non-authenticated attacker, > we would have issued a security advisory. That was what I expected. Section III seems to hint that it could be used by an unprivilidged user to crash or lock a system. I suspect they used it as root to crash/lock the OS. But I don't need any bugs to do that as root, so it doesn't really count as a security issue. BTW, are you going to be at NYCBSDCon? If so, seek me out -- I owe you a beer at the least. As always, thanks for the quick response. -- Bill Moran That seem right to you? Jubal Early ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
Bill Moran wrote: > This report seems pretty vague. I'm unsure as to whether the alleged > "bug" gives the user any more permissions than he'd already have? Anyone > know any details? This is a local denial of service bug, which was fixed 6 weeks ago in HEAD and RELENG_6. There is no opportunity for either remote denial of service or any privilege escalation. > VI. VENDOR RESPONSE > > "The policy of the FreeBSD Security Team is that local denial of service > bugs not be treated as security issues; it is possible that this problem > will be corrected in a future Erratum." If there was any potential for (a) privilege escalation, (b) disclosure of potentially sensitive information, or (c) denial of service by a non-authenticated attacker, we would have issued a security advisory. Colin Percival ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability
This report seems pretty vague. I'm unsure as to whether the alleged "bug" gives the user any more permissions than he'd already have? Anyone know any details? FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability iDefense Security Advisory 10.10.06 http://www.idefense.com/intelligence/vulnerabilities/ Oct 10, 2006 I. BACKGROUND FreeBSD is a modern operating system for x86, amd64, Alpha, IA-64, PC-98 and SPARC architectures. It's based on the UNIX operating system, BSD, which was created at the University of California, Berkeley. More information can be obtained from the FreeBSD Project web site at http://www.FreeBSD.org/ II. DESCRIPTION The PT_LWPINFO ptrace command allows a tracer to get information on a running thread. Due to the use of signed integers and a lack of proper input validation, a situation can occur in the kernel where a panic will cause DoS. The affected code follows. 953 case PT_LWPINFO: 954 if (data == 0 || data > sizeof(*pl)) 955 return (EINVAL); Since the "data" variable is a signed integer, the check on line 954 can easily be bypassed. Eventually, the negative value is passed to copyout(), which will result in a kernel panic or corruption of the user space memory. III. ANALYSIS Exploitation of this vulnerability would result in a denial of service condition on the affected host. In some cases exploitation resulted in a hard lock up of the machine, where as other times a kernel panic was caused leading to reboot. iDefense considers this a LOW severity vulnerability due to the local access requirement. IV. DETECTION iDefense has confirmed the existence of this problem in FreeBSD version 6.0-RELEASE. FreeBSD 6.1-RELEASE is not affected. It is suspected that other versions are also affected. V. WORKAROUND iDefense is not aware of any workaround for this issue. VI. VENDOR RESPONSE "The policy of the FreeBSD Security Team is that local denial of service bugs not be treated as security issues; it is possible that this problem will be corrected in a future Erratum." VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-4516 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/18/2006 Initial vendor notification 10/06/2006 Initial vendor response 10/10/2006 Public disclosure -- Bill Moran Sometimes I think I'm stupid. The rest of the time I'm sure of it. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"