J-Security Center

Title: Multiple Vendor BSD eeprom Format String vulnerability

Severity: HIGH

Description:

eeprom is a utility used for displaying and writing to a sparc system's hardware EEPROM. Since it reads from and writes to kernel memory structures, eeprom is often installed setgid kmem. The versions of eeprom shipped with (sparc) versions of NetBSD and OpenBSD (derived from NetBSD eeprom) are vulnerable to a locally exploitable format string attack.

The problem occurs when outputting an error message after a failure to read or write an eeprom field. A string partially composed of user input is passed to a *printf function as its format argument (the user input is the "field name" argument supplied to eeprom on the command line). As a result, a user can embed format specifiers in the field name and thereby write to arbitrary locations on the stack. If regular users can overwrite data on the stack this way, the flow of execution can be altered so that machine code supplied by the user is run.
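The error path described above, written two ways as an added illustration (this is not the NetBSD/OpenBSD eeprom source): the vulnerable form builds a message that already contains the user-supplied field name and then hands that message to fprintf as the format; the hardened form keeps the format string constant, passes the field name as a "%s" argument, and rejects implausible field names at the command-line boundary. The allowed-character set in field_name_ok is an assumption chosen to cover typical OpenPROM names such as boot-device and oem-banner?.

```c
/* Added example, not the eeprom utility's own code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, in the shape the advisory describes: the field
 * name is baked into msg, and msg then becomes the format string.
 * Kept only for contrast; nothing in this file calls it. */
void report_failure_vulnerable(const char *field)
{
    char msg[128];
    snprintf(msg, sizeof msg, "eeprom: cannot read field %s", field);
    fprintf(stderr, msg);   /* BUG: user-controlled data used as format */
}

/* Hardened: the format is a constant and the field name is data, so
 * any '%' in it is printed literally. Returns the message length. */
int report_failure_safe(char *out, size_t outlen, const char *field)
{
    return snprintf(out, outlen, "eeprom: cannot read field %s", field);
}

/* Boundary check (assumed policy): field names are short identifiers
 * made of alphanumerics, '-', '_' and '?'. Returns 1 if acceptable. */
int field_name_ok(const char *field)
{
    size_t n = strlen(field);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)field[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '?')
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Constructed input standing in for the command-line field name. */
    const char *field = argc > 1 ? argv[1] : "%08x%08x";
    char buf[128];

    if (!field_name_ok(field))
        fprintf(stderr, "eeprom: rejected field name: %s\n", field);
    report_failure_safe(buf, sizeof buf, field);
    fputs(buf, stderr);   /* the %08x stays literal, never interpreted */
    fputc('\n', stderr);
    return 0;
}
```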

It may be possible for attackers to obtain the privileges of group kmem through exploitation of this vulnerability. Further compromise (e.g., full root access) is trivial once gid kmem is obtained.

Affected Products:

  • NetBSD 1.4.0
  • NetBSD 1.4.1
  • NetBSD 1.4.2
  • OpenBSD 2.3.0
  • OpenBSD 2.4.0
  • OpenBSD 2.5.0
  • OpenBSD 2.6.0
  • OpenBSD 2.7.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.