CVE-2005-1126
CVSS2.1
发布时间 :2005-04-15 00:00:00
修订时间 :2011-03-07 21:21:08
NMCOP    

[原文]The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 and 5.x through 5.4 does not properly clear a buffer before using it, which allows local users to obtain portions of sensitive kernel memory.


[CNNVD]开源软件 FreeBSD ifconf 函数信息泄漏漏洞(CNNVD-200504-066)

        FreeBSD是一种类UNIX操作系统,但不是真正意义上的UNIX操作系统,它是由经过BSD、386BSD和4.4BSD发展而来的Unix的一个重要分支,它支持 x86 兼容(包括 Pentium® 和 Athlon?)、amd64 兼容(包括 Opteron?、Athlon 64 和 EM64T)、 Alpha/AXP、IA-64、PC-98以及 UltraSPARC® 架构的计算机。它运行在Intel x86 family兼容处理器、DEC Alpha、Sun微系统的UltraSPARC、Itanium (IA-64)和AMD64处理器上。针对PowerPC的支持正在开发中。它被普遍认为是相当可靠和稳定的。苹果电脑的Mac OS X即以 Mach 为内核, 配合 FreeBSD 的驱动程序和实用工具为基础。FreeBSD 源于 BSD ──美国加州大学伯克利分校开发 UNIX® 版本它由来自世界各地的志愿者开发和维护.FreeBSD 为不同架构的计算机系统提供了不同程度的支持.
        FreeBSD 4.x到4.11版本及5.x到5.4版本中,SIOCGIFCONF ioctl(ifconf函数)在使用缓冲区前没有正确的清除原有数据,这就可能使本地用户获得敏感的内核内存数据块。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-399 [资源管理错误]

- CPE (受影响的平台与产品)

cpe:/o:freebsd:freebsd:5.1FreeBSD 5.1
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:freebsd:freebsd:4.6.2FreeBSD 4.6.2
cpe:/o:freebsd:freebsd:5.0FreeBSD 5.0
cpe:/o:freebsd:freebsd:4.9:pre-release
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/o:freebsd:freebsd:4.7:release_p17
cpe:/o:freebsd:freebsd:4.7:releng
cpe:/o:freebsd:freebsd:4.3:release_p38
cpe:/o:freebsd:freebsd:4.7FreeBSD 4.7
cpe:/o:freebsd:freebsd:5.3:releng
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:freebsd:freebsd:4.4:release_p42
cpe:/o:freebsd:freebsd:4.10:release
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.2FreeBSD 4.2
cpe:/o:freebsd:freebsd:4.11:stable
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:freebsd:freebsd:5.3FreeBSD 5.3
cpe:/o:freebsd:freebsd:5.2FreeBSD 5.2
cpe:/o:freebsd:freebsd:4.6:releng
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:freebsd:freebsd:4.5FreeBSD 4.5
cpe:/o:freebsd:freebsd:4.9FreeBSD 4.9
cpe:/o:freebsd:freebsd:4.0:releng
cpe:/o:freebsd:freebsd:4.7:release
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.5:release_p32
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.0FreeBSD 4.0
cpe:/o:freebsd:freebsd:4.3:release
cpe:/o:freebsd:freebsd:4.10:releng
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/o:freebsd:freebsd:4.6FreeBSD 4.6
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/o:freebsd:freebsd:4.6:release_p20
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:5.3:release
cpe:/o:freebsd:freebsd:4.4FreeBSD 4.4
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/o:freebsd:freebsd:4.5:releng
cpe:/o:freebsd:freebsd:4.9:releng
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.8FreeBSD 4.8
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:freebsd:freebsd:4.10FreeBSD 4.10
cpe:/o:freebsd:freebsd:4.1FreeBSD 4.1
cpe:/o:freebsd:freebsd:4.3FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.1.1FreeBSD 4.1.1
cpe:/o:freebsd:freebsd:4.8:releng
cpe:/o:freebsd:freebsd:4.8:release_p6
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/o:freebsd:freebsd:4.0:alpha

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1126
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1126
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200504-066
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/20114
(VENDOR_ADVISORY)  XF  freebsd-ifconf-information-disclosure(20114)
http://www.osvdb.org/15514
(VENDOR_ADVISORY)  OSVDB  15514
http://secunia.com/advisories/14959
(VENDOR_ADVISORY)  SECUNIA  14959
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:04.ifconf.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-05:04
http://www.vupen.com/english/advisories/2005/2256
(UNKNOWN)  VUPEN  ADV-2005-2256
http://www.securityfocus.com/bid/15252
(UNKNOWN)  BID  15252
http://secunia.com/advisories/17368
(UNKNOWN)  SECUNIA  17368
http://lists.apple.com/archives/security-announce/2005/Oct/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-10-31

- 漏洞信息

开源软件 FreeBSD ifconf 函数信息泄漏漏洞
低危 资源管理错误
2005-04-15 00:00:00 2007-09-17 00:00:00
本地  
        FreeBSD是一种类UNIX操作系统,但不是真正意义上的UNIX操作系统,它是由经过BSD、386BSD和4.4BSD发展而来的Unix的一个重要分支,它支持 x86 兼容(包括 Pentium® 和 Athlon?)、amd64 兼容(包括 Opteron?、Athlon 64 和 EM64T)、 Alpha/AXP、IA-64、PC-98以及 UltraSPARC® 架构的计算机。它运行在Intel x86 family兼容处理器、DEC Alpha、Sun微系统的UltraSPARC、Itanium (IA-64)和AMD64处理器上。针对PowerPC的支持正在开发中。它被普遍认为是相当可靠和稳定的。苹果电脑的Mac OS X即以 Mach 为内核, 配合 FreeBSD 的驱动程序和实用工具为基础。FreeBSD 源于 BSD ──美国加州大学伯克利分校开发 UNIX® 版本它由来自世界各地的志愿者开发和维护.FreeBSD 为不同架构的计算机系统提供了不同程度的支持.
        FreeBSD 4.x到4.11版本及5.x到5.4版本中,SIOCGIFCONF ioctl(ifconf函数)在使用缓冲区前没有正确的清除原有数据,这就可能使本地用户获得敏感的内核内存数据块。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:04.ifconf.asc

- 漏洞信息 (F41098)

Apple Security Advisory 2005-10-31 (PacketStormID:F41098)
2005-11-01 00:00:00
Apple  docs.info.apple.com
advisory,kernel
apple
CVE-2005-2749,CVE-2005-2750,CVE-2005-2751,CVE-2005-2739,CVE-2005-1126,CVE-2005-1406,CVE-2005-2752
[点击下载]

Flaws for Finder, Software Update, memberd, Keychain, and the kernel have all been addressed in this latest Apple update.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-10-31 Mac OS X v10.4.3

Mac OS X v10.4.3 and Mac OS X Server v10.4.3 are now available and
deliver the following security enhancements:

Finder
CVE-ID:  CVE-2005-2749
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  File ownership information may be misleading
Description:  Under certain situations, the file and group ownership
information displayed in the Finder Get Info window may not be
correct. This update addresses the issue by synchronizing the
displayed ownership with the actual ownership in all situations.
This issue does not affect systems prior to Mac OS X v10.4.

Software Update
CVE-ID:  CVE-2005-2750
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  Important Software Updates may not install
Description:  Software Update can be instructed by the user to
ignore specific updates. If all applicable updates have been marked
in this way, Software Update will exit without providing an an
opportunity to reset the status of these updates so that they may
be installed. This update addresses the issue by asking whether the
ignored updates list should be reset when this situation is
encountered. This issue does not affect systems prior to Mac OS X
v10.4.

memberd
CVE-ID:  CVE-2005-2751
Available for:  Mac OS X Server v10.4.2
Impact:  Changes to group membership are delayed for hours
Description:  In certain situations, changes to a group's membership
may not be immediately reflected in access control checks. This may
result in an authenticated user being able to access files or other
resources even after they have been removed from a group. This
update addresses the issue by invalidating the group membership
cache at appropriate times. This issue does not affect systems
prior to Mac OS X v10.4.

Keychain
CVE-ID:  CVE-2005-2739
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  Keychain Access will continue displaying plaintext
passwords after lock timeout
Description:  Keychain Access is a utility distributed with Mac OS X
that is used to view keychain items and change keychain settings.
If a keychain automatically locks due to a timeout while viewing a
password stored inside it, that password will remain visible. This
update patches Keychain Access so that passwords are hidden when
keychains lock. This issue does not affect systems prior to Mac OS
X v10.4. Credit to Eric Hall of DarkArt Consulting Services for
reporting this issue.

Kernel
CVE-ID:  CVE-2005-1126, CVE-2005-1406, CVE-2005-2752
Available for:  Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact:  Kernel memory may be disclosed to local users
Description:  Certain kernel interfaces may return data that
includes sensitive information in uninitialized memory. These
issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van
Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of
the FreeBSD team for reporting these issues.

Mac OS X v10.4.3 may be obtained from the Software Update pane in
System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.4.2
The download file is named:  "MacOSXUpdate10.4.3.dmg"
Its SHA-1 digest is:  d5f641c111621705dd0da4ecdd733a1f47c576a3

For Mac OS X v10.4 and Mac OS X v10.4.1
The download file is named:  "MacOSXUpdateCombo10.4.3.dmg"
Its SHA-1 digest is:  1264c6c4583aa163a6e8465fbad7d0ff58b32086

For Mac OS X Server v10.4.2
The download file is named:  "MacOSXServerUpdate10.4.3.dmg"
Its SHA-1 digest is:  a2cea3387079e92618b02196e7683c85377d512f

For Mac OS X Server v10.4 and Mac OS X Server v10.4.1
The download file is named:  "MacOSXSrvrUpdCombo10.4.3.dmg"
Its SHA-1 digest is:  6dbc793d6613861d7e1954c477f11215db1bb569

Information will also be posted to the Apple Product Security
web site:  http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2425)

iQEVAwUBQ2aaL4HaV5ucd/HdAQJ+Hgf/efHQVD9Kbi3pAwoZQna3jk5tp7kqFSfS
6/MgxTz8b8AhYQAReuKQpK4uQEc2Zy3lgWOLwaaPFcfX2wunKR3we27DSUK0Nmyz
KhHf0Rr7bAnDd8kcU6DnRQEQgKb2PNZ0D6Va5Q3/19e/wFE6hI2Tm3aW7vyKPiQo
KnstC0s6KT3J2bPeaXWEJH3RTqEa5ki1sO6gDejsO9Ym4niAvSNNYooa3f/afUYU
MQqgOuXSQqKiBWQiijMrJz5ytix1jTGplkr4pEppYnfqHxTtKGY5MjXmjfX8luM9
Dj3D+bRqVQHZ6YfY9f7fKx/5rRZDXxTViHCISPh6466QJzxf26GPvg==
=EDGT
-----END PGP SIGNATURE-----

    

- 漏洞信息

15514
FreeBSD ifconf() Function Kernel Memory Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

FreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a local user generates a list of network interfaces and the "SIOCGICONF" ioctl fails to zero out the buffer, which may cause up to 12 bytes of potentially sensitive information from previously cached kernel memory to be disclosed to the user process, resulting in a loss of confidentiality.

- 时间线

2005-04-15 Unknow
2005-04-15 Unknow

- 解决方案

Upgrade to version 5.4 or higher, as it has been reported to fix this vulnerability. In addition, the following patches have been released for some older versions. 2005-04-15 01:52:25 UTC (RELENG_5_3, 5.3-RELEASE-p9) 2005-04-15 01:52:40 UTC (RELENG_4, 4.11-STABLE) 2005-04-15 01:52:57 UTC (RELENG_4_11, 4.11-RELEASE-p3) 2005-04-15 01:53:14 UTC (RELENG_4_10, 4.10-RELEASE-p8)

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站