FreeBSD : mnoGoSearch buffer overflow in UdmDocToTextBuf() (87cc48fd-5fdd-11d8-80e3-0020ed76ef5a)

This script is Copyright (C) 2009-2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Jedi/Sector One reported the following on the
full-disclosure list :

Every document is stored in multiple parts according to its sections
(description, body, etc.) in databases. And when the content has to be
sent to the client, UdmDocToTextBuf() concatenates those parts
together and skips metadata.

Unfortunately, that function lacks bounds checking and a buffer
overflow can be triggered by indexing a large enough document.

'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c. S->val
length depends on the length of the original document and on the
indexer settings (the sample configuration file has low limits that
work around the bug, though).

Exploitation should be easy; moreover, textbuf points to the stack.
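
The bounds check that the report says is missing, shown as an added example (not code from mnoGoSearch or from the original report). `struct section`, `doc_to_textbuf_bounded()` and the newline separator are assumptions made for illustration; `textbuf`, `len` and `val` follow the names used in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEXTBUF_LEN 10240 /* the fixed 10K 'len' described in the report */

/* Hypothetical stand-in for one stored document section. */
struct section {
    const char *name; /* e.g. "description", "body" */
    const char *val;  /* length depends on the indexed document */
};

/*
 * Concatenate every section value, each followed by '\n', into textbuf.
 * Returns the number of bytes written (excluding the NUL), or -1 as soon
 * as a section would not fit. textbuf is NUL-terminated in both cases and
 * nothing is ever written at or beyond textbuf[len].
 */
long doc_to_textbuf_bounded(const struct section *s, size_t n,
                            char *textbuf, size_t len)
{
    size_t used = 0;

    if (len == 0)
        return -1;
    textbuf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t vlen = strlen(s[i].val);
        size_t room = len - used - 1; /* free bytes before the NUL slot */

        if (vlen >= room)             /* need vlen bytes plus the '\n' */
            return -1;                /* refuse instead of overflowing */
        memcpy(textbuf + used, s[i].val, vlen);
        used += vlen;
        textbuf[used++] = '\n';
        textbuf[used] = '\0';
    }
    return (long)used;
}

int main(void)
{
    /* Constructed sample sections, not taken from a real index. */
    struct section doc[] = { {"description", "short"}, {"body", "text"} };
    char textbuf[TEXTBUF_LEN]; /* stack buffer, as in the report */

    printf("%ld\n", doc_to_textbuf_bounded(doc, 2, textbuf, sizeof textbuf));
    return 0;
}
```
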

See also :

http://www.nessus.org/u?f989314d
http://www.nessus.org/u?31a474c2

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 36472 (freebsd_pkg_87cc48fd5fdd11d880e30020ed76ef5a.nasl)

Bugtraq ID:

CVE ID:
