FreeBSD security Advisories: FreeBSD-SA-03:09.sign

← Back to Stories (view on slashdot.org)

FreeBSD security Advisories: FreeBSD-SA-03:09.sign

Posted by Hemos on Sunday August 10, 2003 @11:39PM from the alert-alert-alert dept.

Dan writes "FreeBSD security team has released two new advisories. The first advisory entitled "Insufficient range checking of signal numbers" could allow a malicious local user to use this vulnerability as a local denial-of-service attack. The second advisory "Kernel memory disclosure via ibcs2" could allow a malicious user to call the iBCS2 version of statfs(2) with an arbitrarily large length parameter, causing the kernel to return a large portion of kernel memory containing sensitive information."

16 of 78 comments (clear)

Here's the text in case it gets /.'ed by DrSkwid · 2003-08-10 23:59 · Score: 4, Informative

nah, who am I kidding

the signal thing is more than a D.O.S. though

However, in FreeBSD 5.x, the assertion code is not present if the
`INVARIANTS' kernel option is not used. In FreeBSD 5.0-RELEASE and
5.1-RELEASE, `INVARIANTS' is not enabled by default. In this
configuration, a malicious local user could use this vulnerability
to modify kernel memory, potentially leading to complete system
compromise. (FreeBSD 4.x is not vulnerable in this way.)

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
sensitive information by patch-rustem · 2003-08-11 00:33 · Score: 5, Funny

... to return a large portion of kernel memory containing sensitive information.
What, like the sys admins porn collection.

--
Karma: Bad due to google bombing - Robert Watkins woz 'ere.
Bias in topic titles?? Never!! by Anonymous Coward · 2003-08-11 01:03 · Score: 5, Funny

It's sort of interesting that this FreeBSD vulnerability is headlined with such a cryptic title. Now, if it were a vulnerability in Windows, it would probably have been titled 'New Windows Exploit crushes small furry animals mercilessly.'
Re:Bias in topic titles?? Never!! by beefdart · 2003-08-11 01:21 · Score: 2, Informative

Its not like someone could throw up an ActiveX enabled webpage, and root your box.

The last few windows vulnerabilities have been a huge deal. Microsoft wouldnt bother to fix a hole this small unless someone made a worm for it.
"Malicious Local User" by Farley+Mullet · 2003-08-11 01:25 · Score: 4, Insightful

If someone malicious has access to your computer, bad things can happen. It's good to see that the FreeBSD team is tightening things up, but the bottom line is that if someone has an account on a system and they're determined, they'll find a way to do some damage.
freebsd-security mailing list by dodell · 2003-08-11 02:50 · Score: 4, Insightful

Subscribe to this list, and you had this story about 12 hours ago. You also downloaded and updated your src tree and fixed the bug in a matter of a few minutes. Why is it that a FreeBSD SA makes it to this site and Linux SAs don't?

--
www.sitetronics.com/wordpress
1. Re:freebsd-security mailing list by zenyu · 2003-08-11 03:23 · Score: 3, Insightful
  
  Subscribe to this list, and you had this story about 12 hours ago. You also downloaded and updated your src tree and fixed the bug in a matter of a few minutes. Why is it that a FreeBSD SA makes it to this site and Linux SAs don't?
  
  Prolly cuz the editor and poster were thinking of "only one remote security breach in the default configuration in seven years" OpenBSD. There are local user exploits found all the time in the Linux distros and in the BSDs, when remote vulnerabilities are found in any of them it usually does make it to /.
  
  But yeah, I usually read about and check my system based on security advisories before it ever makes it to slashdot.. prolly everyone else does as well which explains the 12 hour lag.
2. Re:freebsd-security mailing list by kernelistic · 2003-08-11 03:46 · Score: 2, Informative
  
  It's interesting to note that you need to have shell access to do anything to the FreeBSD systems affected.
3. Re:freebsd-security mailing list by Anonymous Coward · 2003-08-11 16:13 · Score: 3, Funny
  
  Why is it that a FreeBSD SA makes it to this site and Linux SAs don't?
  
  Because if they reported the Linux SAs, even the SCO stories would be lost the the tidal wave.
Malloc(sizeof(ram.total) - sizeof(ram.used)); by mnmn · 2003-08-11 03:03 · Score: 2, Interesting

I wouldnt worry about ibcs, always compile a kernel without it(and other binary compatibilities) for real usage. The statfs problem looks real and worrisome though. We've seen too many of similar problems where a user grabs large memory and reads the sensitive data.

I wonder if a C-reading script could read all the source code and mark all the big mallocs/reallocs that users get access to.

--
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
1. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by phoenix_rizzen · 2003-08-11 04:38 · Score: 2, Informative
  
  One thing to note about FreeBSD: just because it isn't compiled into the kernel doesn't mean you don't have access to it. Almost everything that is not directly compiled into the kernel is compiled as a module. If you fire up an app that requires ibcs2 support, then the kernel will load the ibcs2.ko kernel module. Any problems with the ibcs2 subsystem will then be in your kernel.
  
  IOW, you do need to worry about this, and you do need to patch your system.
2. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by phoenix_rizzen · 2003-08-11 09:54 · Score: 2, Interesting
  
  How does one disable the building of kernel modules? I've only ever seen the NO_MODULES_WITH_WORLD knob, but nothing to completely disable the building of modules.
3. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by kernelistic · 2003-08-11 12:52 · Score: 2, Informative
  
  Read the tunefs(8) and tuning(7) manpages.
  
  Here's a list of things that you might want to try out:
  
  - Rethink your slicing, see tuning(7) for more on this.
  - Enable softupdates on the data filesystems of choice.
  - Compile a custom kernel with only the drivers that you *really* need.
  - Tune the VFS sysctls. This item cannot be stressed enough. The values selected depend upon the role of the server.
  - Tune your IP stack. There's a number of sysctls that will quadruple your network throughput. Google has a number of guides which provide good insight.
  
  Remember: Copying a file from a directory to another is by no means a scientific test, as it depends upon the layout of the disk, sector size, disk cache, and a laundry list of other variables. The output of bonnie++ is what you should use to benchmark your IO subsystem.
4. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by ffsnjb · 2003-08-11 18:46 · Score: 4, Informative
  
  uncomment the
  NO_MODULES= true # do not build modules with the kernel
  
  line in /etc/make.conf
  
  I don't build modules on my production machines, there is no need. This prevents that.
  
  --
  "Why do you consent to live in ignorance and fear?" - Bad Religion
Binary patches... by cperciva · 2003-08-11 05:25 · Score: 3, Informative

Binary patches aren't available for these advisories yet, but they will be soon (ETA 12 hours?)

See my sig for details.

--
Tarsnap: Online backups for the truly paranoid
hot mail security flaw I knew it! by ratfynk · 2003-08-11 07:02 · Score: 2, Funny

Hmmm so let me get this straight, security flaw 2 send lots of requests to the hot mail server and get lots of core info back. So thats why Hot Mail works the way it does and all we get is spam!

--
OH THE SHAME I fell off the wagon and use sigs again!