FreeBSD Security Advisory FreeBSD-SA-06:25.kmem
Josh Paetzel
josh at tcbug.org
Wed Dec 6 04:40:26 PST 2006
On Wednesday 06 December 2006 04:07, Colin Percival wrote:
> FreeBSD Security Advisories wrote:
> > FreeBSD-SA-06:25.kmem
> > Security Advisory The FreeBSD Project ...
> > III. Impact
> >
> > A user in the "operator" group can read the contents of kernel
> > memory. Such memory might contain sensitive information, such as
> > portions of the file cache or terminal buffers. This information
> > might be directly useful, or it might be leveraged to obtain
> > elevated privileges in some way; for example, a terminal buffer
> > might include a user-entered password.
>
> For what it's worth, there was a lot of debate about whether this
> deserved an advisory: Members of the operator group are allowed (by
> default, at least) to read raw disk devices, so being able to read
> kernel memory really isn't very much of a privilege escalation. In
> the end I decided to go ahead with this advisory largely because we
> were already planning on issuing an advisory this week (for a far
> more serious issue in GNU tar), but if a similar issue arises next
> month, we might decide not to bother with an advisory.
>
> I'd be interested to hear opinions from the FreeBSD community about
> whether this sort of issue is one which anyone really cares about.
>
> Colin Percival
> FreeBSD Security Officer
Sure, and if you can read raw disk devices you can
read /etc/master.passwd and /etc/group... and if you can do that then
it's trivial to break the passwords you need to su to someone in
wheel and then su to root.

I guess my point is someone in the operator group has a far easier way
to gain root than this vuln.

It's great to fix bugs, but I bet this one won't prompt many people to
apply the patches and/or rebuild world to fix.

Damned if you do, damned if you don't. If you don't issue an SA then
people mumble about how FBSD ignores security issues. If you do
issue the SA then people mumble about how pointless this one was. My
opinion is I'd rather know about it and make the decision myself
whether to apply the fixes than not know about it at all.
--
Thanks,
Josh Paetzel