FreeBSD Kernel SendFile System Call Local Information Disclosure Vulnerability

Bugtraq ID:	12993
Class:	Access Validation Error
CVE:	CVE-2005-0708
Remote:	No
Local:	Yes
Published:	Apr 05 2005 12:00AM
Updated:	Apr 01 2011 07:05PM
Credit:	Sven Berkvens and Marc Olzheim are responsible for the discovery of this issue.
Vulnerable:	FreeBSD FreeBSD 5.4 -PRERELEASE FreeBSD FreeBSD 5.3 -STABLE FreeBSD FreeBSD 5.3 -RELEASE FreeBSD FreeBSD 5.3 FreeBSD FreeBSD 5.2.1 -RELEASE FreeBSD FreeBSD 5.2 -RELENG FreeBSD FreeBSD 5.2 -RELEASE FreeBSD FreeBSD 5.2 FreeBSD FreeBSD 5.1 -RELENG FreeBSD FreeBSD 5.1 -RELEASE/Alpha FreeBSD FreeBSD 5.1 -RELEASE-p5 FreeBSD FreeBSD 5.1 -RELEASE FreeBSD FreeBSD 5.1 FreeBSD FreeBSD 5.0 -RELENG FreeBSD FreeBSD 5.0 -RELEASE-p14 FreeBSD FreeBSD 5.0 alpha FreeBSD FreeBSD 5.0 FreeBSD FreeBSD 4.11 -STABLE FreeBSD FreeBSD 4.10 -RELENG FreeBSD FreeBSD 4.10 -RELEASE FreeBSD FreeBSD 4.10 FreeBSD FreeBSD 4.9 -RELENG FreeBSD FreeBSD 4.9 -PRERELEASE FreeBSD FreeBSD 4.9 FreeBSD FreeBSD 4.8 -RELENG FreeBSD FreeBSD 4.8 -RELEASE-p7 FreeBSD FreeBSD 4.8 -PRERELEASE FreeBSD FreeBSD 4.8 FreeBSD FreeBSD 4.7 -STABLE FreeBSD FreeBSD 4.7 -RELENG FreeBSD FreeBSD 4.7 -RELEASE-p17 FreeBSD FreeBSD 4.7 -RELEASE FreeBSD FreeBSD 4.7 FreeBSD FreeBSD 4.6.2 FreeBSD FreeBSD 4.6 -STABLE FreeBSD FreeBSD 4.6 -RELENG FreeBSD FreeBSD 4.6 -RELEASE-p20 FreeBSD FreeBSD 4.6 -RELEASE FreeBSD FreeBSD 4.6 FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07 FreeBSD FreeBSD 4.5 -STABLE FreeBSD FreeBSD 4.5 -RELENG FreeBSD FreeBSD 4.5 -RELEASE-p32 FreeBSD FreeBSD 4.5 -RELEASE FreeBSD FreeBSD 4.5 FreeBSD FreeBSD 4.4 -STABLE FreeBSD FreeBSD 4.4 -RELENG FreeBSD FreeBSD 4.4 -RELEASE-p42 FreeBSD FreeBSD 4.4 FreeBSD FreeBSD 4.3 -STABLE FreeBSD FreeBSD 4.3 -RELENG FreeBSD FreeBSD 4.3 -RELEASE-p38 FreeBSD FreeBSD 4.3 -RELEASE FreeBSD FreeBSD 4.3 FreeBSD FreeBSD 4.2 -STABLEpre122300 FreeBSD FreeBSD 4.2 -STABLEpre050201 FreeBSD FreeBSD 4.2 -STABLE FreeBSD FreeBSD 4.2 -RELEASE FreeBSD FreeBSD 4.2 FreeBSD FreeBSD 4.1.1 -STABLE FreeBSD FreeBSD 4.1.1 -RELEASE FreeBSD FreeBSD 4.1.1 FreeBSD FreeBSD 4.1 FreeBSD FreeBSD 4.0 .x FreeBSD FreeBSD 4.0 -RELENG FreeBSD FreeBSD 4.0 alpha FreeBSD FreeBSD 4.0 DragonFlyBSD DragonFlyBSD 1.1 DragonFlyBSD DragonFlyBSD 1.0
Not Vulnerable:

FreeBSD Kernel SendFile System Call Local Information Disclosure Vulnerability

A local information disclosure vulnerability affects the FreeBSD kernel. This issue arises due to a failure of the affected system call to validate the current size of a file being sent over a network.

A local attacker may leverage this issue to disclose arbitrary and potentially sensitive kernel memory. Exploitation of this issue may facilitate further attacks against the affected computer.

FreeBSD Kernel SendFile System Call Local Information Disclosure Vulnerability

The following exploit codes are available:

• /data/vulnerabilities/exploits/freebsd_sendfile.c
• /data/vulnerabilities/exploits/12993.c
• /data/vulnerabilities/exploits/12993-1.c

FreeBSD Kernel SendFile System Call Local Information Disclosure Vulnerability

Solution:
FreeBSD has released advisory FreeBSD-SA-05:02 along with patches dealing with this issue.


FreeBSD FreeBSD 4.10 -RELENG

• FreeBSD sendfile_4.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.pat ch

FreeBSD FreeBSD 4.11 -STABLE

• FreeBSD sendfile_4.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.pat ch

FreeBSD FreeBSD 4.8 -RELENG

• FreeBSD sendfile_4.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.pat ch

FreeBSD FreeBSD 5.3

• FreeBSD sendfile_5.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.pat ch

FreeBSD FreeBSD 5.3 -STABLE

• FreeBSD sendfile_5.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.pat ch

FreeBSD Kernel SendFile System Call Local Information Disclosure Vulnerability

References:

• FreeBSD Homepage (FreeBSD)