Multiple Vendor top Format String Vulnerability
BID:1895
Info
Multiple Vendor top Format String Vulnerability
| Bugtraq ID: | 1895 |
| Class: | Input Validation Error |
| CVE: |
CVE-2000-0998 |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 01 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | First published in FreeBSD advisory FreeBSD-SA-00:62 on Nov 1, 2000. |
| Vulnerable: |
William LeFebvre top 3.5 William LeFebvre top 2.1 William LeFebvre top 2.0.11 William LeFebvre top 2.0 pre William LeFebvre top 2.0 William LeFebvre top 1.8 William LeFebvre top 1.7 William LeFebvre top 1.6 William LeFebvre top 1.5 William LeFebvre top 1.4 William LeFebvre top 1.3 William LeFebvre top 1.2 William LeFebvre top 1.0 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 7.0_x86 Sun Solaris 7.0 Sun Solaris 2.6_x86 Sun Solaris 2.6 FreeBSD FreeBSD 4.1.1 FreeBSD FreeBSD 4.1 FreeBSD FreeBSD 4.0 alpha FreeBSD FreeBSD 4.0 FreeBSD FreeBSD 3.5 x |
| Not Vulnerable: |
William LeFebvre top 3.5.1 FreeBSD FreeBSD 4.2 |
Discussion
Multiple Vendor top Format String Vulnerability
top is a program used to display system usage statistics in real time written by GoupSys Consulting but shipped by default as a core component with many operating systems. On BSD systems, top is installed setgid kmem so that it may read process information from kernel memory if executed by a user who does not have that privilege.
top contains a format-string vulnerability that may lead to a compromise of effective groupid kmem on BSD systems (or similar privileges on other systems). The problem occurs in the printing of error messages to a users terminal. A string partially composed of user input (the error message) is passed to a printf() function as the format string argument, allowing malicious format specifiers in user input to corrupt stack variables and execute arbitrary code.
If a malicious user gains egid kmem, vital information can be read from the kernel memory that may lead to a further elevation of privileges (most certainly root eventually).
The versions of top that ships with FreeBSD prior to 4.2 are known to be vulnerable. It is likely that other systems are vulnerable (though none are confirmed yet).
top is a program used to display system usage statistics in real time written by GoupSys Consulting but shipped by default as a core component with many operating systems. On BSD systems, top is installed setgid kmem so that it may read process information from kernel memory if executed by a user who does not have that privilege.
top contains a format-string vulnerability that may lead to a compromise of effective groupid kmem on BSD systems (or similar privileges on other systems). The problem occurs in the printing of error messages to a users terminal. A string partially composed of user input (the error message) is passed to a printf() function as the format string argument, allowing malicious format specifiers in user input to corrupt stack variables and execute arbitrary code.
If a malicious user gains egid kmem, vital information can be read from the kernel memory that may lead to a further elevation of privileges (most certainly root eventually).
The versions of top that ships with FreeBSD prior to 4.2 are known to be vulnerable. It is likely that other systems are vulnerable (though none are confirmed yet).
Exploit / POC
Multiple Vendor top Format String Vulnerability
The 'top-format-ex.c' exploit was contributed by SeungHyun Seo <[email protected]> on 25 July, 2001.
The 'top_ex.pl' exploit was contributed by Kevin Finisterre on 12 Dec, 2004.
The 'top-format-ex.c' exploit was contributed by SeungHyun Seo <[email protected]> on 25 July, 2001.
The 'top_ex.pl' exploit was contributed by Kevin Finisterre on 12 Dec, 2004.