{"vuid":"VU#969078","idnumber":"969078","name":"FreeBSD syscons fails to properly validate input in \"CONS_SCRSHOT\" ioctl","keywords":["FreeBSD","syscons","kernel memory disclosure","CONS_SCRSHOT"],"overview":"The FreeBSD syscons CONS_SCRSHOT ioctl does not sufficiently validate input for the function's arguments. This may cause the disclosure of arbitrary portions of kernel memory that may contain sensitive information.","clean_desc":"Syscons is the default console driver for FreeBSD. It provides virtual terminal functionality using the machine's physical keyboard and screen. The syscons CONS_SCRSHOT ioctl fails to properly validate its input arguments. By supplying specially crafted arguments, an attacker may be able to retrieve arbitrary portions of kernel memory.","impact":"The returned portions of kernel memory may contain sensitive information, such as data from file cache or terminal buffers. For example, the terminal buffer may contain a user-supplied password. Note that this vulnerability is exploitable only by a user who has access to the physical console or the /dev/ttyv devices.","resolution":"Upgrade or Patch\nUpgrade or apply a patch as specified in the FreeBSD-SA-04:15.syscons Security Advisory.","workarounds":"","sysaffected":"","thanks":"Thanks to Christer Oberg for reporting this vulnerability.","author":"This document was written by Will Dormann and is based on the information provided in the FreeBSD Security Advisory.","public":["http://secunia.com/advisories/12722/","http://www.securitytracker.com/alerts/2004/Oct/1011526.html","http://www.securityfocus.com/archive/1/377491","http://xforce.iss.net/xforce/xfdb/17584","ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:15.syscons.asc"],"cveids":["CVE-2004-0919"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-10-05T13:24:17Z","publicdate":"2004-10-04T00:00:00Z","datefirstpublished":"2004-10-08T19:56:05Z","dateupdated":"2004-10-15T20:57:52Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"18","cam_impact":"8","cam_easeofexploitation":"18","cam_attackeraccessrequired":"8","cam_scorecurrent":"7.776","cam_scorecurrentwidelyknown":"9.72","cam_scorecurrentwidelyknownexploited":"17.496","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":7.776,"vulnote":null}