OSVDB ID: 22293

Title: Multiple BSD kernfs lseek(2) Function Arbitrary Memory Disclosure

Dates

Disclosure: Jan 09, 2006
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

NetBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because the lseek system call for the kernfs file system performs insufficient bounds checking, which will disclose arbitrary memory contents, resulting in a loss of confidentiality.

Classification

Location: Local Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: download 'kernfs_vnops.c' from CVS, then rebuild and reinstall the kernel.

Products

NetBSD Foundation, Inc.

NetBSD

1.6
2.0
2.0.3
2.1
1.6.1
1.6.2
2.0.1
2.0.2

OpenBSD

OpenBSD

3.8

Credit

  • Ejovi Nuwere - ejovisecuritylab.net


Direct URL: http://osvdb.org/22293