SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  OS (UNIX)  >  NetBSD Vendors:  NetBSD
NetBSD elf_load_file() Validation Error Lets Local Users Crash the System
SecurityTracker Alert ID:  1015848
SecurityTracker URL:  http://securitytracker.com/id?1015848
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 30 2006
Impact:  Denial of service via local system
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  NetBSD Security Advisory
Version(s): 2.0, 2.1, 3.0
Description:  A vulnerability was reported in NetBSD. A local user can cause denial of service conditions.

The elf_load_file() function does not properly handle interpreters without a PT_LOAD section defined in the header. A malformed ELF interpreter can trigger a NULL pointer deference in the kernel.

The NetBSD 2.x branches are only affected if the kernel is compiled with the USE_TOPDOWN_VM option (not the default in GENERIC kernels).

Eric Haszlakiewicz reported this vulnerability.
Impact:  A local user can cause the system to crash.
Solution:  NetBSD has issued a fix.

The NetBSD advisory is available at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-008.txt.asc
Vendor URL:  www.netbsd.org/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  UNIX (NetBSD)
Reported By:  NetBSD Security-Officer <security-officer@NetBSD.org>
Message History:   None.

 Source Message Contents
Date:  Thu, 30 Mar 2006 02:32:06 +0100
From:  NetBSD Security-Officer <security-officer@NetBSD.org>
Subject:  NetBSD Security Advisory 2006-008: Malformed ELF interpreter causes


 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2006-008
		 =================================

Topic:		Malformed ELF interpreter causes system crash

Version:	NetBSD-current:	source prior to March 17, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:	affected
		NetBSD 2.0.*:	affected
		NetBSD 2.0:	affected

Severity:	Any local user can crash the system

Fixed:		NetBSD-current:		March 17, 2006
		NetBSD-3-0 branch:	March 20, 2006
						(3.0.1 will include the fix)
		NetBSD-3   branch:	March 20, 2006
		NetBSD-2-1 branch:	March 20, 2006
						(2.1.1 will include the fix)
		NetBSD-2-0 branch:	March 20, 2006
						(2.0.4 will include the fix)
		NetBSD-2   branch:	March 20, 2006

Abstract
========

A malformed copy of ld.elf_so, or any other elf interpreter, can cause
a NULL pointer deference in the kernel.

Technical Details
=================

The elf_load_file() function assumed that an interpreter always has a
PT_LOAD section defined in it's header.  That is not necessarily the
case, as an attacker can trivially create an interpreter that
does not have that, and a binary that uses that interpreter.

The netbsd-2, netbsd-2-0 and netbsd-2-1 branches are only vulnerable
if the kernel is compiled with the USE_TOPDOWN_VM option which is
not set by default in GENERIC kernels.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and 
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/kern/exec_elf32.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Eric Haszlakiewicz for PoC code and implementing the fixes.
Coverity for access to the scans of the NetBSD source code.

Revision History
================

	2006-03-29	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-008.txt,v 1.5 2006/03/29 11:14:28 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (NetBSD)

iQCVAwUBRCsC1D5Ru2/4N2IFAQJrmgQAg2/owLrUTcdaxFifhE8yJmXyeMv+uGmF
/zU7V9saCT6bmkBmIUbH41UVxdRWTPGJV8EoQ9mOZ1EqAktkhafZfXlIem3ZkMMk
vhkM3JzLsMchnl0JWET/Cr1d60U32hN6fMwqQXR9NveF80kiKpoCQO0RjhBAUbUo
jxa30CXXWtw=
=VOww
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2006, SecurityGlobal.net LLC