FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)
When setlogin(2) is called while setting up a new login
session, the login name is copied into an uninitialized
stack buffer, which is then copied into a buffer of the
same size in the session structure. The getlogin(2) system
call returns the entire buffer rather than just the portion
occupied by the login name associated with the session.
An unprivileged user can access this memory by calling
getlogin(2) and reading beyond the terminating NUL character
of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
9 and 10) bytes of kernel memory may be leaked in this
manner for each invocation of setlogin(2).
This memory may contain sensitive information, such as
portions of the file cache or terminal buffers, which an
attacker might leverage to obtain elevated privileges.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright