-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Olav ten Bosch                              Index  :    S-96-79
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : FreeBSD: Buffer overflow in modstat         Date   :  11-Dec-96
===============================================================================

By courtesy of FreeBSD we received information on a vulnerability
in systems running FreeBSD due to a buffer overflow in 'modstat'.

CERT-NL recommends to apply the workaround or patch mentioned below.

==============================================================================
FreeBSD-SA-96:19					    Security Advisory
               FreeBSD, Inc.

Topic:		Buffer overflow in modstat

Category:	core
Module:		modstat
Announced:	1996-12-10
Affects:	FreeBSD 2.0, 2.0.5, 2.1, 2.1.5, 2.1.6, 2.1.6.1
Corrected:	FreeBSD-current as of 1996/08/08
FreeBSD only:	no

Patches:	ftp://freebsd.org/pub/CERT/patches/SA-96:19/

=============================================================================

I.   Background

     The modstat program is used to display status of loaded kernel modules.
     It is standard software in the FreeBSD operating system.

II.  Problem Description

     The modstat program has always been installed setuid kmem. Within
     the program, a buffer overflow can occur.


III. Impact
     Local users can gain kmem privileges.


IV.  Workaround

     Modstat does not need to be setuid kmem. It is thus sufficient to
     do the following:
 su
 cd /usr/bin
 chmod 555 modstat
     This effectively clears the setuid bit on the modstat program.

V.   Solution

     Apply the following patch:
     (This patch can also be found on
 ftp://freebsd.org/pub/CERT/patches/SA-96:19)

Index: Makefile
===================================================================
RCS file: /home/freebsd/CVS/src/usr.bin/modstat/Makefile,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
- - --- Makefile	1994/08/19 12:14:02	1.1
+++ Makefile	1996/05/30 02:19:03	1.2
@@ -38,7 +38,5 @@

 PROG=	modstat
 MAN8=	modstat.8
- - -BINGRP=	kmem
- - -BINMODE=2555

 .include <bsd.prog.mk>
Index: modstat.c
===================================================================
RCS file: /home/freebsd/CVS/src/usr.bin/modstat/modstat.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
- - --- modstat.c	1995/04/20 05:08:53	1.3
+++ modstat.c	1996/08/08 07:58:07	1.4
@@ -72,8 +72,9 @@
 {
  struct lmc_stat	sbuf;

+	sbuf.name[MAXLKMNAME - 1] = '\0'; /* In case strncpy limits the string. */
  if (modname != NULL)
- - -		strcpy(sbuf.name, modname);
+		strncpy(sbuf.name, modname, MAXLKMNAME - 1);

  sbuf.id = modnum;

=============================================================================
FreeBSD, Inc.

Web Site:			http://www.freebsd.org/
Confidential contacts:		security-officer@freebsd.org
PGP Key:			ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:		security-notifications@freebsd.org
Security public discussion:	security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
==============================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMq6cz2L2fnkJN/jpAQE4MQP+PNfFrA5jMncZDHsRXhcrVq7Rz3SuZm11
CkB8Wfx4Vdx/JsLC52c18fuLnnkhyBvUjSPQmb/7EuwFSQV2RWOU9y8x8BBjaMws
u9EuuI+vzDq8opbMRVq9mr3eqmtqpkwZmzIjmpYC11E6xGVs/dUApx6p0ZHMwQsi
bBnTNdjki4I=
=jNgw
-----END PGP SIGNATURE-----