FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Boundary checking errors in syscons

Affected systems
5.0 <= FreeBSD < 5.2.1_11

Details

VuXML ID 67710833-1626-11d9-bc4a-000c41e2cdad
Discovery 2004-09-30
Entry 2004-10-04

The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior.

It may be possible to cause the CONS_SCRSHOT ioctl to return portions of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.

This bug may be exploitable by users who have access to the physical console or can otherwise open a /dev/ttyv* device node.

References

CVE Name CVE-2004-0919
FreeBSD Advisory SA-04:15.syscons
URL http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/syscons/syscons.c#rev1.429