FreeBSD procfs cmdline Process Argument Vector Local DoS

2004-12-01T00:00:00
ID OSVDB:12175
Type osvdb
Reporter Ted Unangst(), Bryan Fulton()
Modified 2004-12-01T00:00:00

Description

Vulnerability Description

The implementation of the /proc/curproc/cmdline pseudofile in the process file system (procfs) on FreeBSD contains a flaw that may allow a local denial of service and/or unauthorized information disclosure. The issue is triggered when a malicious user causes a pointer to be dereferenced directly while a process' argument vector is read from the process address space. This will result in loss of confidentiality and/or availability.

Solution Description

Upgrade to version 4-STABLE or 5-STABLE, or to the RELENG_5_3, RELENG_5_2, RELENG_4_10, or RELENG_4_8 security branch dated after the correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released patches for some older versions.

It is also possible to correct the flaw by unmounting the procfs and linprocfs file systems if they are mounted. Execute the following command as root:

umount -A -t procfs,linprocfs

Also, remove or comment out any lines in fstab(5) that reference procfs' orlinprocfs', so that they will not be re-mounted at next reboot.

Short Description

The implementation of the /proc/curproc/cmdline pseudofile in the process file system (procfs) on FreeBSD contains a flaw that may allow a local denial of service and/or unauthorized information disclosure. The issue is triggered when a malicious user causes a pointer to be dereferenced directly while a process' argument vector is read from the process address space. This will result in loss of confidentiality and/or availability.

References:

Vendor URL: http://www.freebsd.org/ Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch.asc Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch.asc Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch Security Tracker: 1012374 Secunia Advisory ID:13352 Related OSVDB ID: 20288 Other Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04%3A17.procfs.asc ISS X-Force ID: 18321 CVE-2004-1066 Bugtraq ID: 11789