• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Multiple Vendor top Format String Vulnerability

Severity: HIGH

Description:

top is a program used to display system usage statistics in real time written by GoupSys Consulting but shipped by default as a core component with many operating systems. On BSD systems, top is installed setgid kmem so that it may read process information from kernel memory if executed by a user who does not have that privilege.

top contains a format-string vulnerability that may lead to a compromise of effective groupid kmem on BSD systems (or similar privileges on other systems). The problem occurs in the printing of error messages to a users terminal. A string partially composed of user input (the error message) is passed to a printf() function as the format string argument, allowing malicious format specifiers in user input to corrupt stack variables and execute arbitrary code.

If a malicious user gains egid kmem, vital information can be read from the kernel memory that may lead to a further elevation of privileges (most certainly root eventually).

The versions of top that ships with FreeBSD prior to 4.2 are known to be vulnerable. It is likely that other systems are vulnerable (though none are confirmed yet).

Affected Products:

• FreeBSD FreeBSD 3.5.0 x
• FreeBSD FreeBSD 4.0.0
• FreeBSD FreeBSD 4.0.0 alpha
• FreeBSD FreeBSD 4.1.0
• FreeBSD FreeBSD 4.1.1
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8
• Sun Solaris 8_x86
• William LeFebvre top 1.0.0
• William LeFebvre top 1.2.0
• William LeFebvre top 1.3.0
• William LeFebvre top 1.4.0
• William LeFebvre top 1.5.0
• William LeFebvre top 1.6.0
• William LeFebvre top 1.7.0
• William LeFebvre top 1.8.0
• William LeFebvre top 2.0.0
• William LeFebvre top 2.0.0 pre
• William LeFebvre top 2.0.11
• William LeFebvre top 2.1.0
• William LeFebvre top 3.5.0

References:

• FreeBSD: FreeBSD Security Information
• William LeFebvre: Release notes for 3.5.1
• William LeFebvre: top Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.