CVE-2005-0708
CVSS10.0
发布时间 :2005-05-02 00:00:00
修订时间 :2008-09-10 15:36:48
NMCOPS    

[原文]The sendfile system call in FreeBSD 4.8 through 4.11 and 5 through 5.4 can transfer portions of kernel memory if a file is truncated while it is being sent, which could allow remote attackers to obtain sensitive information.


[CNNVD]FreeBSD Kernel SendFile系统调用本地信息泄露漏洞(CNNVD-200505-173)

        FreeBSD kernel中存在本地信息泄漏。如果在传输开始后结束前对传输的文件进行了截尾操作,则sendfile(2)就会在缺失的文件部分传输一些随机的Kernel内存内容。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:freebsd:freebsd:5.1FreeBSD 5.1
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:freebsd:freebsd:4.6.2FreeBSD 4.6.2
cpe:/o:freebsd:freebsd:5.0FreeBSD 5.0
cpe:/o:freebsd:freebsd:4.9:pre-release
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/o:freebsd:freebsd:4.7:release_p17
cpe:/o:freebsd:freebsd:4.7:releng
cpe:/o:freebsd:freebsd:4.3:release_p38
cpe:/o:freebsd:freebsd:4.7FreeBSD 4.7
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:freebsd:freebsd:4.4:release_p42
cpe:/o:freebsd:freebsd:4.10:release
cpe:/o:freebsd:freebsd:4.2FreeBSD 4.2
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.11:stable
cpe:/o:freebsd:freebsd:5.4:pre-release
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:freebsd:freebsd:5.3FreeBSD 5.3
cpe:/o:freebsd:freebsd:5.2FreeBSD 5.2
cpe:/o:freebsd:freebsd:4.6:releng
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:freebsd:freebsd:4.5FreeBSD 4.5
cpe:/o:freebsd:freebsd:4.9FreeBSD 4.9
cpe:/o:dragonflybsd:dragonflybsd:1.0
cpe:/o:freebsd:freebsd:4.0:releng
cpe:/o:freebsd:freebsd:4.7:release
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.5:release_p32
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.0FreeBSD 4.0
cpe:/o:freebsd:freebsd:4.3:release
cpe:/o:freebsd:freebsd:4.10:releng
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/o:freebsd:freebsd:4.6FreeBSD 4.6
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/o:freebsd:freebsd:4.6:release_p20
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:5.3:release
cpe:/o:freebsd:freebsd:4.4FreeBSD 4.4
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/o:freebsd:freebsd:4.5:releng
cpe:/o:freebsd:freebsd:4.9:releng
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.8FreeBSD 4.8
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:freebsd:freebsd:4.10FreeBSD 4.10
cpe:/o:freebsd:freebsd:4.1FreeBSD 4.1
cpe:/o:freebsd:freebsd:4.3FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.1.1FreeBSD 4.1.1
cpe:/o:freebsd:freebsd:4.8:releng
cpe:/o:dragonflybsd:dragonflybsd:1.1
cpe:/o:freebsd:freebsd:4.8:release_p6
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/o:freebsd:freebsd:4.0:alpha

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0708
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0708
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-173
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

FreeBSD Kernel SendFile系统调用本地信息泄露漏洞
危急 访问验证错误
2005-05-02 00:00:00 2007-05-11 00:00:00
本地  
        FreeBSD kernel中存在本地信息泄漏。如果在传输开始后结束前对传输的文件进行了截尾操作,则sendfile(2)就会在缺失的文件部分传输一些随机的Kernel内存内容。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc" target="_blank"

- 漏洞信息 (F100015)

FreeBSD-SA-05:02.sendfile Exploit (PacketStormID:F100015)
2011-04-01 00:00:00
Solar Designer  
exploit
freebsd
CVE-2005-0708
[点击下载]

FreeBSD sendfile exploit that dumps password hashes to stdout.

- 漏洞信息 (F37022)

FreeBSD-SA-05-02.sendfile.txt (PacketStormID:F37022)
2005-04-17 00:00:00
Sven Berkvens,Marc Olzheim  freebsd.org
advisory,web,kernel
freebsd
CVE-2005-0708
[点击下载]

FreeBSD Security Advisory FreeBSD-SA-05:02 - The sendfile(2) system call allows a server application (such as an HTTP or FTP server) to transmit the contents of a file over a network connection without first copying it to application memory. High performance servers such as Apache and ftpd use sendfile. If the file being transmitted is truncated after the transfer has started but before it completes, sendfile(2) will transfer the contents of more or less random portions of kernel memory in lieu of the missing part of the file.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:02.sendfile                                   Security Advisory
                                                          The FreeBSD Project

Topic:          sendfile kernel memory disclosure

Category:       core
Module:         sys_kern
Announced:      2005-04-04
Credits:        Sven Berkvens <sven@berkvens.net>
                Marc Olzheim <zlo@zlo.nu>
Affects:        All FreeBSD 4.x releases
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-04-04 23:52:02 UTC (RELENG_5, 5.4-STABLE)
                2005-04-04 23:52:35 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-04-04 23:53:24 UTC (RELENG_5_3, 5.3-RELEASE-p7)
                2005-04-04 23:53:36 UTC (RELENG_4, 4.11-STABLE)
                2005-04-04 23:53:56 UTC (RELENG_4_11, 4.11-RELEASE-p2)
                2005-04-04 23:54:13 UTC (RELENG_4_10, 4.10-RELEASE-p7)
                2005-04-04 23:54:33 UTC (RELENG_4_8, 4.8-RELEASE-p29)
CVE Name:       CAN-2005-0708

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The sendfile(2) system call allows a server application (such as an HTTP
or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory.  High
performance servers such as Apache and ftpd use sendfile.

II.  Problem Description

If the file being transmitted is truncated after the transfer has
started but before it completes, sendfile(2) will transfer the contents
of more or less random portions of kernel memory in lieu of the
missing part of the file.

III. Impact

A local user could create a large file and truncate it while
transferring it to himself, thus obtaining a copy of portions of system
memory to which he would normally not have access.  Such memory might
contain sensitive information, such as portions of the file cache or
terminal buffers.  This information might be directly useful, or it 
might be leveraged to obtain elevated privileges in some way.  For 
example, a terminal buffer might include a user-entered password.

IV.  Workaround

No known workaround.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, RELENG_4_10, or RELENG_4_8 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch.asc

[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/ufs/ffs/ffs_inode.c                                    1.56.2.6
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.3
  src/sys/conf/newvers.sh                                   1.44.2.39.2.6
  src/sys/ufs/ffs/ffs_inode.c                               1.56.2.5.12.1
RELENG_4_10
  src/UPDATING                                              1.73.2.90.2.8
  src/sys/conf/newvers.sh                                   1.44.2.34.2.8
  src/sys/ufs/ffs/ffs_inode.c                               1.56.2.5.10.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.33
  src/sys/conf/newvers.sh                                  1.44.2.29.2.29
  src/sys/ufs/ffs/ffs_inode.c                                1.56.2.5.6.1
RELENG_5
  src/sys/ufs/ffs/ffs_inode.c                                    1.93.2.2
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.1
  src/sys/ufs/ffs/ffs_inode.c                                1.93.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.10
  src/sys/conf/newvers.sh                                  1.62.2.15.2.12
  src/sys/ufs/ffs/ffs_inode.c                                    1.93.4.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCUdSBFdaIBMps37IRAkJQAJ9jiw22zHygE8ui8ksl3T5jo12L6gCgkq5i
CYhVGcVxiWOU9Yu1Muwi1Xw=
=83NE
-----END PGP SIGNATURE-----
    

- 漏洞信息

15289
FreeBSD sendfile Aborted File Copy Arbitrary Kernel Memory Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

FreeBSD sendfile contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user creates a large file and truncates it while receiving it through a sendfile based application, such as apache or ftpd, which will disclose portions of system memory resulting in a loss of confidentiality.

- 时间线

2005-04-04 Unknow
2005-04-04 Unknow

- 解决方案

Upgrade to version 4-STABLE or 5-STABLE, or to the RELENG_5_3, RELENG_4_11, RELENG_4_10, or RELENG_4_8 security branch dated after the correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions.

- 相关参考

- 漏洞作者

- 漏洞信息

FreeBSD Kernel SendFile System Call Local Information Disclosure Vulnerability
Access Validation Error 12993
No Yes
2005-04-05 12:00:00 2011-04-01 07:05:00
Sven Berkvens and Marc Olzheim are responsible for the discovery of this issue.

- 受影响的程序版本

FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
DragonFlyBSD DragonFlyBSD 1.1
DragonFlyBSD DragonFlyBSD 1.0

- 漏洞讨论

A local information disclosure vulnerability affects the FreeBSD kernel. This issue arises due to a failure of the affected system call to validate the current size of a file being sent over a network.

A local attacker may leverage this issue to disclose arbitrary and potentially sensitive kernel memory. Exploitation of this issue may facilitate further attacks against the affected computer.

- 漏洞利用

The following exploit codes are available:

- 解决方案

FreeBSD has released advisory FreeBSD-SA-05:02 along with patches dealing with this issue.


FreeBSD FreeBSD 4.10 -RELENG

FreeBSD FreeBSD 4.11 -STABLE

FreeBSD FreeBSD 4.8 -RELENG

FreeBSD FreeBSD 5.3

FreeBSD FreeBSD 5.3 -STABLE

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站