Multiple Vendor BSD eeprom Format String vulnerability

eeprom is a utility used for displaying and writing to a sparc system's hardware EEPROM. Since it reads from and writes to kernel memory structures, eeprom is often installed setgid kmem. The versions of eeprom shipped with (sparc) versions of NetBSD and OpenBSD (derived from NetBSD eeprom) are vulnerable to a locally exploitable format string attack.

The problem occurs when outputting an error message after a failure to read or write an eeprom field. A string partially composed of user input is passed to a *printf function as its format argument (the user input is the "field name" argument supplied to eeprom on the command line). As a result, a user can insert format specifiers into the field name and cause writes to arbitrary locations on the stack. If regular users can overwrite data on the stack, the flow of execution can be altered so that machine code supplied by the user is run.
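The following C block is an added illustration of the bug class described above; it is not the eeprom source and its function names are invented. The vulnerable shape (user-derived text reaching a *printf call as the format argument) is shown in a comment, the hardened form only ever passes user input through a "%s" conversion, and a small audit helper counts the directives a string would introduce if it were misused as a format. The hostile field name is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Assumed shape of the vulnerable pattern (not the actual eeprom code):
 *
 *   snprintf(msg, sizeof msg, "eeprom: failed to read field %s", field);
 *   fprintf(stderr, msg);    // BUG: msg, which contains the user's field
 *                            // name, is interpreted as the format string
 *
 * Any "%..." sequence inside `field` is then treated as a directive,
 * which is exactly the condition the advisory describes.
 */

/* Hardened form: the user-controlled field name is always a "%s"
 * argument and never part of the format.  Returns the snprintf count
 * so callers can detect truncation. */
int report_field_error(char *out, size_t outlen,
                       const char *op, const char *field)
{
    return snprintf(out, outlen, "eeprom: failed to %s field %s", op, field);
}

/* Audit helper: count printf directives in a string.  A non-zero result
 * for text derived from user input means that text must never be used
 * as a format argument.  "%%" is a literal percent and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char msg[128];
    const char *field = "%08x.%08x";   /* constructed hostile field name */

    report_field_error(msg, sizeof msg, "read", field);
    fputs(msg, stderr);                 /* printed as data, not as a format */
    fputc('\n', stderr);
    printf("directives in field name: %d\n", count_format_directives(field));
    return 0;
}
```

With gcc or clang, building with -Wformat-security (or -Wformat=2) flags a *printf call whose format is not a string literal, which is the cheapest way to find this pattern in a code base before it ships.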

It may be possible for attackers to obtain the privileges of group kmem through exploitation of this vulnerability. Further compromise (e.g., full root access) is trivial once gid kmem is obtained.

Copyright 2010, SecurityFocus