CVE-2002-0973
CVSS 4.6
Published: 2002-09-24 00:00:00
Revised: 2016-10-17 22:23:08

[Original] Integer signedness error in several system calls for FreeBSD 4.6.1 RELEASE-p10 and earlier may allow attackers to access sensitive kernel memory via large negative values to the (1) accept, (2) getsockname, and (3) getpeername system calls, and the (4) vesa FBIO_GETPALETTE ioctl.


[CNNVD] FreeBSD system call signed integer boundary check vulnerability (CNNVD-200209-035)

        
Several system calls in the kernel of FreeBSD 4.6.1-RELEASE-p10 and earlier do not perform correct boundary checks on their arguments, which may lead to the disclosure of sensitive information held in kernel memory.
The FreeBSD kernel provides the following system calls: accept(2), getsockname(2), getpeername(2) and the vesa(4) FBIO_GETPALETTE ioctl(2). They incorrectly assume that a certain argument must be a positive integer, whereas the argument is actually handled as a signed integer. As a result, the boundary check fails when the system call receives a negative argument.
If an attacker calls an affected system call with a large negative argument, the kernel returns a large portion of kernel memory. This memory may contain confidential information, such as parts of the file cache or terminal buffers. An attacker could use this information directly or indirectly to escalate privileges; for example, terminal buffers may contain passwords entered by users.
        

- CVSS (base score)

CVSS score: 4.6 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:4.1.1  (FreeBSD 4.1.1)
cpe:/o:freebsd:freebsd:4.2  (FreeBSD 4.2)
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:freebsd:freebsd:4.3  (FreeBSD 4.3)
cpe:/o:freebsd:freebsd:4.6  (FreeBSD 4.6)
cpe:/o:freebsd:freebsd:4.3:release
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.0  (FreeBSD 4.0)
cpe:/o:freebsd:freebsd:4.1  (FreeBSD 4.1)
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.4  (FreeBSD 4.4)
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:4.5  (FreeBSD 4.5)
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6.1:release_p10

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0973
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0973
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200209-035
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=102976839728706&w=2
(UNKNOWN)  FREEBSD  FreeBSD-SA-02:38
http://www.iss.net/security_center/static/9903.php
(UNKNOWN)  XF  freebsd-negative-system-call-bo(9903)
http://www.securityfocus.com/bid/5493
(UNKNOWN)  BID  5493

- Vulnerability information

FreeBSD system call signed integer boundary check vulnerability
Medium severity  Boundary condition error
2002-09-24 00:00:00  2005-10-20 00:00:00
Local
        
        

- Advisory and patch

Temporary workaround:
There is no suitable temporary workaround for this issue; the risk can only be reduced by restricting untrusted users' access to the system.
Vendor patch:
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-02:38) and a corresponding patch for this issue:
FreeBSD-SA-02:38: Boundary checking errors involving signed integers
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:38.signed-error.asc
Patch download:
1) Upgrade the affected FreeBSD system to 4.6.2-RELEASE or 4.6-STABLE, or to the RELENG_4_6 (4.6.1-RELEASE-p11), RELENG_4_5 (4.5-RELEASE-p19) or RELENG_4_4 (4.4-RELEASE-p26) security branch dated after the respective correction date.
2) Patch the existing system:
The following patch applies to FreeBSD 4.x systems.
a) Download the patch from the location below and verify the detached PGP signature with your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:38/signed-error.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:38/signed-error.patch.asc
b) Apply the patch:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the kernel and reboot the system as described at:
URL:
http://www.freebsd.org/handbook/kernelconfig.html

- Vulnerability information

6045
FreeBSD Multiple System Call Integer Signedness Memory Access
Local Access Required Input Manipulation
Loss of Confidentiality

- Vulnerability description

FreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user calls the accept(2), getsockname(2), or getpeername(2) system calls, or vesa(4) FBIO_GETPALETTE ioctl(2) with a large negative argument, which will cause a buffer overflow and disclose kernel memory information resulting in a loss of confidentiality.

- Timeline

2002-08-19 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.6.2-RELEASE or 4.6-STABLE; or to any of the RELENG_4_6 (4.6.1-RELEASE-p11), RELENG_4_5 (4.5-RELEASE-p19), or RELENG_4_4 (4.4-RELEASE-p26) security branches dated after the respective correction dates, as it has been reported to fix this vulnerability. Also, FreeBSD has released a patch.

- References

- Vulnerability author

- Vulnerability information

FreeBSD System Call Signed Integer Buffer Overflow Vulnerability
Boundary Condition Error 5493
No Yes
2002-08-19 12:00:00 2009-07-11 03:56:00
Discovery credited to Silvio Cesare <silvio@qualys.com>.

- Affected program versions

FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0

- Unaffected program versions

FreeBSD FreeBSD 4.6 -STABLE

- Vulnerability discussion

A vulnerability has been reported for the FreeBSD system. Reportedly, a few system calls are vulnerable to signed integer buffer overflow conditions.

The vulnerability is the result of system calls assuming that some arguments were given as positive integers while, in actuality, the arguments were handled as signed integers. If a negative value was supplied for the argument, the boundary checking code would fail.
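The signed-length mistake described above (and in the CNNVD description earlier on the page), modelled in C as an added example: this is not FreeBSD's kernel code, and SOCKADDR_MAX and the buffers are constructed stand-ins for the kernel-side address record and user buffer.

```c
/* Added example (not FreeBSD's own code): models the signedness mistake
 * behind FreeBSD-SA-02:38 in the length check of a getsockname()/
 * getpeername()-style call, beside the corrected check. Nothing here
 * copies beyond the constructed buffers. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SOCKADDR_MAX 16   /* constructed size of the kernel-side address record */

/* Vulnerable pattern: 'len' is the caller's signed *namelen value.
 * Only the upper bound is checked, and with a signed comparison:
 * -1 is not greater than 16, so it passes, and once the copy routine
 * converts it to size_t it becomes a huge byte count.
 * Returns the number of bytes the kernel would attempt to copy out. */
size_t vulnerable_copy_len(int len)
{
    if (len > SOCKADDR_MAX)
        len = SOCKADDR_MAX;
    return (size_t)len;          /* (size_t)-1 == SIZE_MAX */
}

/* Fixed pattern: reject negative lengths before they reach the copy.
 * Returns 0 and stores the clamped length in *out, or -1 on error. */
int fixed_copy_len(int len, size_t *out)
{
    if (len < 0)
        return -1;               /* EINVAL-style rejection */
    if (len > SOCKADDR_MAX)
        len = SOCKADDR_MAX;
    *out = (size_t)len;
    return 0;
}

/* The copy itself, guarded by the fixed check. 'user_buf' must hold at
 * least SOCKADDR_MAX bytes. Returns bytes copied, or -1 if rejected. */
int fixed_copyout(unsigned char *user_buf, int len, const unsigned char *kernel_addr)
{
    size_t n;
    if (fixed_copy_len(len, &n) != 0)
        return -1;
    memcpy(user_buf, kernel_addr, n);
    return (int)n;
}
```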

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

FreeBSD users are advised to apply the following patch or to upgrade to 4.6.2-RELEASE or 4.6-STABLE; or to any of the RELENG_4_6 (4.6.1-RELEASE-p11), RELENG_4_5 (4.5-RELEASE-p19), or RELENG_4_4 (4.4-RELEASE-p26) security branches dated after the respective correction dates:

2002-08-13 02:42:32 UTC (RELENG_4)
2002-08-13 12:12:36 UTC (RELENG_4_6)
2002-08-13 12:13:05 UTC (RELENG_4_5)
2002-08-13 12:13:49 UTC (RELENG_4_4)

The following patch is available:

FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.6 -RELEASE

- References

     

     
