FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability iDefense Security Advisory 10.10.06 http://www.idefense.com/intelligence/vulnerabilities/ Oct 10, 2006 I. BACKGROUND FreeBSD is a modern operating system for x86, amd64, Alpha, IA-64, PC-98 and SPARC architectures. It's based on the UNIX operating system, BSD, which was created at the University of California, Berkeley. More information can be obtained from the FreeBSD Project web site at http://www.FreeBSD.org/ The PT_LWPINFO ptrace command allows a tracer to get information on a running thread. II. DESCRIPTION Local exploitation of a design error in version 6 of The FreeBSD Project's FreeBSD operating system allows attackers to create a denial of service (DoS) condition. The problem specifically exists due to the kern_ptrace function returning without properly releasing locks. Consider the following code excerpt: 953 case PT_LWPINFO: 954 if (data == 0 || data > sizeof(*pl)) 955 return (EINVAL); If the "data" variable is out of range, the function will return without releasing locks. When the next signal or process operation dealing with this process occurs, the machine will lock up. Additionally, the "addr" variable is not properly checked for validity. When an unmapped user-space address is supplied, the kernel will panic. This is due to the invalid memory address being passed to "copyout" as seen below. 450 case PT_LWPINFO: 451 error = copyout(&r.pl, uap->addr, uap->data); 452 break; 453 } III. ANALYSIS Exploitation of this vulnerability would result in a DoS condition on the affected host. In the case of an invalid length value, exploitation will result in a hard lock up. In the case of a valid length with an invalid user-space memory address, exploitation will result in a kernel panic leading to reboot. IV. DETECTION iDefense has confirmed the existence of this problem in FreeBSD version 6.0-RELEASE. FreeBSD 6.1-RELEASE is not affected. It is suspected that other versions are also affected. V. WORKAROUND iDefense is not aware of any workaround for this issue. VI. VENDOR RESPONSE "The policy of the FreeBSD Security Team is that local denial of service bugs not be treated as security issues; it is possible that this problem will be corrected in a future Erratum." The locking issue was addressed with revision 1.131.2.3 of sys_process.c from the FreeBSD kernel source. The kernel panic issue was addressed with revision 1.136 of sys_process.c. These revisions are available via CVS. VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-4516 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/18/2006 Initial vendor notification 10/06/2006 Initial vendor response 10/10/2006 Public disclosure 10/12/2005 Revised public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Thanks go to Ilja van Sprundel for helping to with the analysis of this vulnerability. Get paid for vulnerability research http://www.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2006 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@private for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
This archive was generated by hypermail 2.1.3 : Fri Oct 13 2006 - 04:13:38 PDT