Bugtraq mailing list archives

Re: KKIS.05051999.003b


From: Don.Lewis () TSC TDK COM (Don Lewis)
Date: Fri, 7 May 1999 17:21:24 -0700


On May 6,  2:10pm, Kevin Day wrote:
} Subject: Re: KKIS.05051999.003b
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} >  Report title        : Security problem with sockets in FreeBSD's
} >                        implementation of UNIX-domain protocol family.
} >  Problem found by    : Lukasz Luzar (lluzar () security kki pl)
} >  Report created by   : Robert Pajak (shadow () security kki pl)
} >                        Lukasz Luzar (lluzar () security kki pl)
} >  Report published    : 5th May 1999
} >  Report code         : KKIS.05051999.003.b
} >  Systems affected    : FreeBSD-3.0 and maybe 3.1,
} >  Archive             : http://www.security.kki.pl/advisories/
} >  Risk level          : high
} >
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} >   As you know, "The UNIX-domain protocol family is a collection of protocols
} >  that provides local interprocess communication through the normal socket
} >  mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
} >  filesystem pathnames for addressing."
} >  The SOCK_STREAM sockets also support the communication of UNIX file
} >  descriptors through the use of the functions sendmsg() and recvmsg().
} >   While testing UNIX-domain protocols, we have found a probable bug in
} >  FreeBSD's implementation of this mechanism.
} >   When we ran the attached example on FreeBSD-3.0 as a local user, the system
} >  crashed immediately with the error "Supervisor read, page not present"
} >  in kernel mode.
} >
}
} Here's my testing so far:
}
} 2.2.2 - Vulnerable
} 2.2.6 - Vulnerable
} 2.2.8 - Vulnerable
} 3.1-RELEASE - Ran 15 minutes, no crash.

I'd be willing to bet that 3.0-RELEASE is also vulnerable.  I believe
Matt Dillon fixed this earlier this year in revisions 1.38/1.39 (-CURRENT
branch January 21, 1999) and 1.37.2.1 (RELENG_3 branch February 15, 1999) of
sys/kern/uipc_usrreq.c.  The RELENG_3 branch fix was committed just before
3.1-RELEASE.
