funsec mailing list archives
MoKB days 3 and 4
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 4 Nov 2006 17:39:40 -0500
As a side note, it's nice to see someone picking on someone besides Microsoft for once :-)

-----------------------------------------Day-3-----------------------------------
http://projects.info-pull.com/mokb/MOKB-03-11-2006.html

FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow

Description:
The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow at ffs_mountfs() function. When a crafted UFS filesystem is mounted, the amount of kernel memory being allocated can be influenced directly, controlling the value passed to kmem_alloc() via ffs_mountfs and the successive calls to malloc, uma_large_malloc and page_alloc. A large or invalid size parameter will cause a kernel panic. A low or zero value for the size parameter may lead to an exploitable heap-based buffer overflow if user controlled data is being copied from the filesystem stream.

-----------------------------------------Day-4-----------------------------------
http://projects.info-pull.com/mokb/MOKB-04-11-2006.html

Solaris 10 UFS filesystem alloccgblk denial of service

Description:
The UFS filesystem handling code of the Solaris 10 kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service issue and potential loss of data or corruption of the local UFS filesystems, due to memory corruption.

------------------------

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
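The class of bug in the Day-3 description, an allocation size computed from on-disk fields, shown beside a validated form. This is an added sketch, not code from the original post, the advisory or the FreeBSD source; the function names, the two header fields and the sanity limits are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sanity limits for this sketch; a real filesystem derives them
 * from its format specification and the device size. */
#define MAX_SUMMARY_BYTES (1 << 20)
#define MAX_GROUPS        (1 << 16)

/* Unchecked pattern: 32-bit arithmetic on two fields read from the image.
 * Unsigned here so the wraparound is well defined for the demonstration. */
uint32_t alloc_size_unchecked(int32_t summary_bytes, int32_t group_count)
{
    return (uint32_t)summary_bytes + (uint32_t)group_count * (uint32_t)sizeof(int32_t);
}

/* Checked pattern: range-check each field, then compute in size_t.
 * Returns 0 and stores the size in *out, or -1 if the header is corrupt. */
int alloc_size_checked(int32_t summary_bytes, int32_t group_count, size_t *out)
{
    if (summary_bytes <= 0 || summary_bytes > MAX_SUMMARY_BYTES)
        return -1;
    if (group_count <= 0 || group_count > MAX_GROUPS)
        return -1;
    *out = (size_t)summary_bytes + (size_t)group_count * sizeof(int32_t);
    return 0;
}

/* Copy the summary area out of the image. The copy length is the validated
 * allocation size, and it must also fit inside the bytes actually present. */
void *load_summary(int32_t summary_bytes, int32_t group_count,
                   const uint8_t *image, size_t image_len, size_t *len_out)
{
    size_t need;
    void *buf;

    if (alloc_size_checked(summary_bytes, group_count, &need) != 0)
        return NULL;            /* reject instead of allocating */
    if (need > image_len)
        return NULL;            /* header claims more data than exists */
    if ((buf = malloc(need)) == NULL)
        return NULL;
    memcpy(buf, image, need);
    *len_out = need;
    return buf;
}
```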