BSD Kernel SHMAT System Call Privilege Escalation Vulnerability
Info
| Bugtraq ID: | 9586 |
| Class: | Design Error |
| CVE: | CVE-2004-0114 |
| Remote: | No |
| Local: | Yes |
| Published: | Feb 05 2004 12:00AM |
| Updated: | Oct 05 2006 06:40PM |
| Credit: | The disclosure of this issue has been credited to Joost Pol of Pine Digital Security. |
| Vulnerable: | OpenBSD 2.9, 2.8, 2.7, 2.6, 3.4, 3.3, 3.2, 3.1, 3.0 |
| | NetBSD current pre20010805, 1.6.1, 1.6 beta, 1.6, 1.5.3, 1.5.2, 1.5.1, 1.5 x86, 1.5 sh3, 1.5, 1.4.3, 1.4.2 x86, 1.4.2 SPARC, 1.4.2 arm32, 1.4.2 Alpha, 1.4.2, 1.4.1 x86, 1.4.1 SPARC, 1.4.1 sh3, 1.4.1 arm32, 1.4.1 Alpha, 1.4.1, 1.4 x86, 1.4 SPARC, 1.4 arm32, 1.4 Alpha, 1.4, 1.3.3, 1.3.2, 1.3.1, 1.3, current pre20010701, Current |
| | FreeBSD 5.2, 5.1 -RELENG, 5.1 -RELEASE-p5, 5.1, 5.0 -RELENG, 5.0 -RELEASE-p14, 5.0 alpha, 5.0, 4.9 -PRERELEASE, 4.9, 4.8 -RELENG, 4.8 -RELEASE-p7, 4.8 -PRERELEASE, 4.8, 4.7 -STABLE, 4.7 -RELENG, 4.7 -RELEASE-p17, 4.7 -RELEASE, 4.7, 4.6.2, 4.6 -STABLE, 4.6 -RELENG, 4.6 -RELEASE-p20, 4.6 -RELEASE, 4.6, 4.5 -STABLEpre2002-03-07, 4.5 -STABLE, 4.5 -RELENG, 4.5 -RELEASE-p32, 4.5 -RELEASE, 4.5, 4.4 -STABLE, 4.4 -RELENG, 4.4 -RELEASE-p42, 4.4, 4.3 -STABLE, 4.3 -RELENG, 4.3 -RELEASE-p38, 4.3 -RELEASE, 4.3, 4.2 -STABLEpre122300, 4.2 -STABLEpre050201, 4.2 -STABLE, 4.2 -RELEASE, 4.2, 4.1.1 -STABLE, 4.1.1 -RELEASE, 4.1.1, 4.1, 4.0 .x, 4.0 -RELENG, 4.0 alpha, 4.0, 3.5.1 -STABLEpre2001-07-20, 3.5.1 -STABLE, 3.5.1 -RELEASE, 3.5.1, 3.5 x, 3.5 -STABLEpre122300, 3.5 -STABLEpre050201, 3.5 -STABLE, 3.5, 3.4 x, 3.4, 3.3 x, 3.3, 3.2 x, 3.2, 3.1 x, 3.1, 3.0 -RELENG, 3.0, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2 x, 2.2 |
| Not Vulnerable: | |
Discussion
A vulnerability has been reported in the 'shmat()' system call of the BSD kernel. Exploiting this issue may allow a local attacker to inject instructions into the memory of a privileged process.
Exploit / POC
The following exploit is available:
Solution / Fix
Solution:
FreeBSD has released an advisory with patches to address this issue. Please see the referenced advisory for details.
OpenBSD has released patches for versions 3.3 and 3.4.
NetBSD has released advisory 2004-004 dealing with this issue.
OpenBSD 3.4
- OpenBSD 010_sysvshm.patch: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch

OpenBSD 3.3
- OpenBSD 010_sysvshm.patch: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch
- OpenBSD 015_sysvshm.patch: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch

NetBSD 1.6.1
References
References:
- FreeBSD Homepage (FreeBSD)
- NetBSD Homepage (NetBSD)
- OpenBSD Homepage (OpenBSD)
- [PINE-CERT-20040201] reference count overflow in shmat() (Joost Pol)