Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824

On Thursday 23 November 2006 15:36, David Malone wrote:
> On Thu, Nov 23, 2006 at 10:30:35AM +0100, O. Hartmann wrote:
> > Is for these UFS bugs in FreeBSD since 6.1 a fix uderway?
> >
> > See:
> >
> > http://projects.info-pull.com/mokb/
> >
> > MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679
>
> These two bugs both seem to involve mounting deliberately corrupted
> UFS file systems. I'm not sure that many people allow this. To be
> honest, I'm surprised that they only list two bugs of this sort -
> UFS wasn't designed to be robust to working with accidently
> corrupted filesystems, let alone ones corrupted maliciously!
>
> The usual response of UFS to a corrupted filesystem is to panic.
> I'm guessing it would have been easier to do:
>
> 	grep panic /usr/src/sys/ufs/*/*.c
>
> to find a load of these bugs, rather than writing a fuzzing tool
> ;-)
>
> (That's not to say that it isn't worth improving things, it's just
> likely to be a large amount of work to fix this in a way that
> actually makes things better.)
>
> 	David.

Out of the box you need to be root to mount things.  Once you have 
root access to a box you don't need silly things like this to crash 
it.

If you've gone out of your way to configure your box in such a way 
that a non-root user can mount arbitrary UFS filesystems then they 
certainly don't need to waste their time with buffer-overflows and 
the like.  They can simply mount a filesystem with any number of SUID 
root binaries on it and have their way with the box.

Either way, while it's senseless to argue that the buffer overflows 
don't exist, anyone in a positiion to actually exploit them doesn't 
need them to be malicious.

-- 
Thanks,

Josh Paetzel
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"