Information leak in many BSD derivatives
A flaw in the Firewire driver of several BSD variants could allow local users to create a memory dump, thereby spying on sensitive information. Details on the security hole were published by Rodrigo Branco in his security advisory as part of the Month of Kernel Bugs.
Generic BSD kernels support Firewire devices by default. The Firewire driver included in many BSD variants exposes an IOCTL interface for querying and writing data. Calling a specific IOCTL function allows users to pass parameters. One of those parameters is improperly validated: an attacker can bypass the check by passing a negative value as the length parameter. This then allows a complete image of the system memory to be created.
This image or dump can contain sensitive information about other users, including in some cases plain text versions of passwords or secret keys. Branco claims that all versions of FreeBSD, NetBSD, TrustedBSD and DragonFlyBSD contain the defective driver. He has also released a patch that expands the flawed parameter validation to include a check for negative values.
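The class of check described above, and the kind of correction the patch is said to make, can be shown in a few lines of C. This is an added illustration, not the Firewire driver's code and not Branco's patch; the structure, function names and buffer size are hypothetical, and the conversion to an unsigned size in a later copy is an assumption about how such a length is typically consumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 512   /* constructed size of a hypothetical driver buffer */

/* Hypothetical request structure: the caller supplies a signed length. */
struct demo_req {
    int len;
};

/* Flawed validation: only the upper bound is checked. A negative len is
 * numerically smaller than BUF_SIZE, so it passes. Returns 1 if accepted. */
static int validate_flawed(const struct demo_req *r)
{
    if (r->len > BUF_SIZE)
        return 0;
    return 1;
}

/* Corrected validation: negative values are rejected as well. */
static int validate_fixed(const struct demo_req *r)
{
    if (r->len < 0 || r->len > BUF_SIZE)
        return 0;
    return 1;
}

/* Size a copy routine taking size_t would see for a given signed length
 * (assumed consumer; a negative value becomes a very large unsigned one). */
static size_t effective_copy_size(int len)
{
    return (size_t)len;
}

int main(void)
{
    int samples[] = { 16, BUF_SIZE, BUF_SIZE + 1, -1 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct demo_req r = { samples[i] };
        printf("len=%d flawed=%d fixed=%d copy_size=%zu\n", r.len,
               validate_flawed(&r), validate_fixed(&r),
               effective_copy_size(r.len));
    }
    return 0;
}
```

Declaring the length as an unsigned type in the request structure removes the negative case entirely, at the cost of changing the interface.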
- FireWire IOCTL kernel integer overflow information disclosure, security advisory from Rodrigo Branco
- Patch for the Firewire driver sources