As you point out,
[EMAIL PROTECTED] wrote:
Topic: Buffer Overflow in FreeBSD
Versions: All the versions of FreeBSD are broken (4.x, 5.x, 6.0)
Arch: x86
Date: 16/09/2004

A buffer overflow has been found in i386/i386/trap.c syscall() function of FreeBSD official source tree.
[...]
As you say below, this is not exploitable except for root.

The number of arguments for a syscall is defined within the kernel and is not supplied from an untrusted source. This means that this is not a security problem. To load a kernel module you must be root (and not in a jail), meaning that if you wanted to, the quicker and easier exploit would be /bin/sh :-)

The arg mask is not there for security, but rather to allow other values to be stored in the same longword.
It's exploitable, but the only way I discovered is to link a new syscall to the sysent array, and to do this you need to be root; I've no time to work on this vulnerability, but I think another way could be found. However, it could give serious problems (e.g. kernel crashes).
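The exchange above turns on one fact: the argument count the dispatcher trusts comes from the kernel's own sysent table (masked out of a longword that also carries flags), not from the user, so only whoever can install a sysent entry can make the count exceed the fixed argument buffer. The following is an added, constructed model of such a dispatcher written for this thread; it is not FreeBSD's trap.c, and the names `dispatch`, `sysent_register`, `MAXARGS`, `ARGMASK` and `FLAG_EXAMPLE` are assumptions. It shows the two places a defender would put the check: once at registration time (when a module links a new entry) and once more, cheaply, at dispatch time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption, not FreeBSD's real layout): the low byte of
 * sy_narg is the argument count, the higher bits hold unrelated flags that
 * share the same longword, which is why a mask is applied before use. */
#define MAXARGS      8
#define ARGMASK      0xff
#define FLAG_EXAMPLE 0x100   /* hypothetical flag sharing the word with the count */

typedef long (*sy_call_t)(const long *args);

struct sysent {
    int       sy_narg;   /* argument count ORed with flags */
    sy_call_t sy_call;
};

enum { DISPATCH_OK = 0, DISPATCH_ENOSYS = -1, DISPATCH_EINVAL = -2 };

static long sys_add(const long *a) { return a[0] + a[1]; }

/* Constructed table: entry 1 is deliberately malformed (count > MAXARGS),
 * standing in for an entry installed by a loaded module. */
static struct sysent table[] = {
    { 2 | FLAG_EXAMPLE, sys_add },
    { 20,               sys_add },
};
#define NSYSENT (sizeof table / sizeof table[0])

/* Registration-time validation: the check a loader would apply before
 * linking a new entry into the table. */
int sysent_register(unsigned code, int narg_and_flags, sy_call_t fn)
{
    if (code >= NSYSENT)
        return DISPATCH_ENOSYS;
    if ((unsigned)(narg_and_flags & ARGMASK) > MAXARGS)
        return DISPATCH_EINVAL;
    table[code].sy_narg = narg_and_flags;
    table[code].sy_call = fn;
    return DISPATCH_OK;
}

/* Dispatch-time path: copy narg words from the (simulated) user frame into a
 * fixed kernel-stack buffer, then call the handler. Without the bound check,
 * an oversized count would write past args[]. */
int dispatch(unsigned code, const long *user_frame, long *ret)
{
    long args[MAXARGS];
    if (code >= NSYSENT)
        return DISPATCH_ENOSYS;
    const struct sysent *callp = &table[code];
    unsigned narg = (unsigned)(callp->sy_narg & ARGMASK);
    if (narg > MAXARGS)              /* the bound the advisory is about */
        return DISPATCH_EINVAL;
    memcpy(args, user_frame, narg * sizeof(long));   /* stands in for copyin() */
    *ret = callp->sy_call(args);
    return DISPATCH_OK;
}

/* Constructed user stack frame: two arguments, the rest zero. */
static const long demo_frame[MAXARGS] = { 3, 4 };

int  demo_status(unsigned code) { long r = 0; return dispatch(code, demo_frame, &r); }
long demo_result(unsigned code) { long r = 0; dispatch(code, demo_frame, &r); return r; }

int main(void)
{
    printf("call 0: status %d result %ld\n", demo_status(0), demo_result(0));
    printf("call 1 (narg 20): status %d\n", demo_status(1));
    printf("register 1 with narg 20: %d\n", sysent_register(1, 20, sys_add));
    printf("register 1 with narg 2: %d\n", sysent_register(1, 2, sys_add));
    printf("call 1 after fix: status %d result %ld\n", demo_status(1), demo_result(1));
    return 0;
}
```

The dispatch-time check costs one compare per syscall, while the registration-time check is where a kernel would normally refuse a bad entry; keeping both means a table entry corrupted after load still cannot overrun the buffer.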
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"