Bugtraq mailing list archives
Re: OpenBSD kernel holes ...
From: noir () uberhax0r net
Date: Tue, 18 Nov 2003 15:56:03 -0500 (EST)
i will be releasing a paper regarding kmem allocator (heap) overflows in kernel space and exploit for patch 005 will be in its content. buf = malloc(user_controled_size); vn_rdwr(UIO_READ, ..., user_buf, user_controlled_size, ...); these types of vulnerabilities are %100 exploitable! check kern_malloc.c line 178 if (size > MAXALLOCSAVE) allocsize = round_page(size); this might hint you or not ... i have only release the stack based exploit since there is nothing new in the technique but the heap technique deserves more explanation and attention than an exploit post ... - noir On Tue, 18 Nov 2003, Steve Tornio wrote:
<snip>from http://www.wideopenbsd.org/errata.html All architectures 005: RELIABILITY FIX: November 4, 2003 It is possible for a local user to cause a system panic by executing a specially crafted binary with an invalid header. A source code patch exists which remedies the problem. reliability ??? ehh ;-P yeah yeah right!um, that's the wrong errata entry. For 3.4 - 006: SECURITY FIX: November 17, 2003 It may be possible for a local user to overrun the stack in compat_ibcs2(8). ProPolice catches this, turning a potential privilege escalation into a denial of service. iBCS2 emulation does not need to be enabled via sysctl(8) for this to happen. A source code patch exists which remedies the problem. Taken from http://www.openbsd.org/security.html#34
Current thread:
- OpenBSD kernel holes ... noir (Nov 18)
- Re: OpenBSD kernel holes ... Steve Tornio (Nov 18)
- Re: OpenBSD kernel holes ... noir (Nov 18)
- Re: OpenBSD kernel holes ... Coleman Kane (Nov 18)
- Re: OpenBSD kernel holes ... noir (Nov 19)
- Re: OpenBSD kernel holes ... Thamer Al-Harbash (Nov 20)
- Re: OpenBSD kernel holes ... Steve Tornio (Nov 18)