The sendfile() system call does not handle specially crafted files properly. Exploitation of this vulnerability may leak sensitive information to a local attacker.
The sendfile() system call is used to send a file through a socket without copying the file data into memory. A vulnerability exists in certain implementations of sendfile() that may allow an attacker to view sensitive kernel memory. If sendfile() is supplied a file that is then truncated during transmission, sendfile() may send sections of kernel memory through the socket. The contents of the leaked memory depends on what programs or files have recently been loaded and/or executed.
A local attacker may be able to view sections of kernel memory that contain sensitive information. For instance, it may be possible for an attacker can gain access to authentication information, such as passwords and usernames.
Check with Vendor
Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take. Please see the list of vendors we have notified below.
Thanks to Marc Olzheim for reporting this vulnerability.
This document was written by Jeff Gennari.
|Date First Published:||2005-04-20|
|Date Last Updated:||2006-01-10 21:14 UTC|