Multiple BSD Vendor FireWire IOCTL Local Integer Overflow Vulnerability
BID:21089
Info
| Bugtraq ID: | 21089 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2006-6013 |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 15 2006 12:00AM |
| Updated: | Dec 15 2006 08:13PM |
| Credit: | Filipe Balestra and Rodrigo Rubira Branco (BSDaemon) discovered this issue. |
| Vulnerable: |
TrustedBSD TrustedBSD 0
NetBSD NetBSD Current
NetBSD NetBSD 4.0
NetBSD NetBSD 4,0_Beta
MidnightBSD MidnightBSD 0.1
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.5 -STABLE
FreeBSD FreeBSD 5.5 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.11 -RELEASE-p20
FreeBSD FreeBSD 4.11 -RELEASE
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
FreeBSD FreeBSD 3.5.1 -STABLE
FreeBSD FreeBSD 3.5.1 -RELEASE
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 3.5 x
FreeBSD FreeBSD 3.5 -STABLEpre122300
FreeBSD FreeBSD 3.5 -STABLEpre050201
FreeBSD FreeBSD 3.5 -STABLE
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4 x
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3 x
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2 x
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1 x
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0 -RELENG
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2 x
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.1.7 .1
FreeBSD FreeBSD 2.1.6 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1 x
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5 .1
FreeBSD FreeBSD 6.1 -STABLE
FreeBSD FreeBSD 6.1 -RELEASE-p10
FreeBSD FreeBSD 6.1 -RELEASE
FreeBSD FreeBSD 6.0 -RELEASE-p5
FreeBSD FreeBSD 5.4-STABLE
FreeBSD FreeBSD 4.10-PRERELEASE
FreeBSD FreeBSD 3.x
FreeBSD FreeBSD 2.x
FreeBSD FreeBSD -current
DragonFlyBSD DragonFlyBSD 1.2
DragonFlyBSD DragonFlyBSD 1.1
DragonFlyBSD DragonFlyBSD 1.0 |
| Not Vulnerable: | NetBSD NetBSD 4.0 BETA2 |
Discussion
Multiple BSD operating systems are prone to a local integer-overflow vulnerability. This issue affects the FireWire subsystem.
An attacker can exploit this vulnerability to gain access to potentially sensitive kernel memory. Information harvested by exploiting this issue will aid in further attacks.
TrustedBSD, FreeBSD, NetBSD, and DragonFly BSD are all vulnerable to this issue. Specific version information is not currently available.
Update: FreeBSD and possibly other operating systems reportedly allow only members of the 'operators' group and the superuser to issue IOCTL commands against FireWire devices.
Exploit / POC
Currently we are not aware of any exploits for this issue.
Solution / Fix
Solution:
Fixes are available from multiple vendors. Please see the references for information on obtaining and applying fixes.
FreeBSD FreeBSD 4.11 -STABLE
- FreeBSD kmem.patch: http://security.FreeBSD.org/patches/SA-06:25/kmem.patch
- FreeBSD kmem.patch.asc: http://security.FreeBSD.org/patches/SA-06:25/kmem.patch.asc

FreeBSD FreeBSD 6.0 -STABLE
- FreeBSD kmem.patch: http://security.FreeBSD.org/patches/SA-06:25/kmem.patch
- FreeBSD kmem.patch.asc: http://security.FreeBSD.org/patches/SA-06:25/kmem.patch.asc
References
References:
- DragonFly BSD Home Page (DragonFly BSD)
- FreeBSD Homepage (FreeBSD)
- MidnightBSD Home Page (MidnightBSD)
- NetBSD Homepage (NetBSD)
- TrustedBSD Home Page (TrustedBSD)
- DragonFlyBSD all versions FireWire IOCTL kernel integer overflow information di ("Rodrigo Rubira Branco (BSDaemon)")
- FreeBSD all versions FireWire IOCTL kernel integer overflow information disclou ("Rodrigo Rubira Branco (BSDaemon)")
- NetBSD all versions FireWire IOCTL kernel integer overflow information disclous ("Rodrigo Rubira Branco (BSDaemon)")
- Re: FreeBSD all versions FireWire IOCTL kernel integer overflow information dis (Lucas Holt)
- RE: FreeBSD all versions FireWire IOCTL kernel integer overflow information dis ("Rogier Mulhuijzen")
- TrustedBSD* all versions FireWire IOCTL kernel integer overflow information dis ("Rodrigo Rubira Branco (BSDaemon)")