Vigil@nce: FreeBSD, integer overflow via ktimer
March 2009 by Vigil@nce
A local attacker can elevate his privileges by generating an
integer overflow in ktimer.
– Gravity: 2/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 23/03/2009
IMPACTED PRODUCTS
- FreeBSD
DESCRIPTION OF THE VULNERABILITY
The FreeBSD kernel implements timers which can be associated to a
process.
The itimer_find() function of the sys/kern/kern_time.c file is
used to find a timer from its timerid identifier. However, this
function does not check if timerid is negative or too big. An
integer overflow thus occurs.
A local attacker can therefore corrupt the memory in order to
obtain kernel privileges.
CHARACTERISTICS
– Identifiers: BID-34196, CVE-2009-1041, FreeBSD-SA-09:06.ktimer,
VIGILANCE-VUL-8550
– Url: http://vigilance.fr/vulnerability/FreeBSD-integer-overflow-via-ktimer-8550