Full Disclosure mailing list archives
SPENDERSEC SECURITY ADVISORY #1 - GAPING SECURITY HOLE IN MACOS X
From: <spendersec () hushmail com>
Date: Sun, 20 Jun 2004 06:50:06 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =# ____ ___ ___ ____ ___ ___ ____ ___ ____ / | \ | |\ | | \ | | | / | | \____ |__ / |___ | \ | | | |___ |___| \____ |___ | \ | | | \ | | | | | \ \ | | _____/ | |___ | \| |____/ |___ | \ _____/ |___ |____ #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =# PaX - WITH SOME ADDED FEATURES!@#$% !@#$% !@#$% RBAC - Reliable Binaries Always Compile SPEND ur money on ME!@#$% Banner Advertisement - Only $50 a month SPENDERSEC - PROUD SUPPORTER OF PROJEKT LIM3YC0N Fuck Niels!@#$% - Systrace is phor l0s3rZ #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =# Being thankful to all people who donated money to the grsecurity security project, I managed to provide myself with an Apple Powermac G5, not to mention multiple subscriptions to various interesting magazines (I had no idea how many things a girl could do with a tie and a cat), and start an extensive audit of the Darwin MacOS X kernel. It was not surprising that before long I discovered a tragic vulnerability in the Darwin kernel that strips MacOS X security down to the bone. Of course grsecurity would never make such mistakes; despite all the overflows in the ip options handling code we have multi-threaded PaX that will not allow execution of any code. The fact that no one can ever get their computer booted with grsecurity installed allows end-users to sleep securely, if somewhat disconnected from the information super highway. The first major problem is present in the OpenBSD patch in at [1], where the failure of falloc() results in a continuation of the loop, which can update the value of the error variable, resulting in either fd 0 or fd 1 not being correctly reopened to /dev/null while a successful falloc() for fd 2 sets error to a suitable value. At this point it's a good idea to point out that a vast amount of internet nodes, most notably backbone service providers are running MacOS X and most likely compromised by unsavoury internet denizens. As you would expect from a product supported by the OpenBSD security team, and not the grsecurity team, which consists entirely of me and, primarily, my ego, there is a second problem present at [3], where filedescriptors with the FD_CLOEXEC flag set get closed. The complete disregard for the order in which the sanitize-fd and fd-closing operations are performed should be no shock to users of non-spendersec supported operating systems. The following code is present in bsd/kern/kern_exec.c int execve(p, uap, retval) { [... snip ...] /* Radar 2261856; setuid security hole fix */ /* Patch from OpenBSD: A. Ramesh */ /* * XXX For setuid processes, attempt to ensure that * stdin, stdout, and stderr are already allocated. * We do not want userland to accidentally allocate * descriptors in this range which has implied meaning * to libc. */ for (i = 0; i < 3; i++) { extern struct fileops vnops; struct nameidata nd1; struct file *fp; int indx; if (p->p_fd->fd_ofiles[i] == NULL) { [1] if ((error = falloc(p, &fp, &indx)) != 0) [2] continue; NDINIT(&nd1, LOOKUP, FOLLOW, UIO_SYSSPACE, "/dev/null", p); if ((error = vn_open(&nd1, FREAD, 0)) != 0) { ffree(fp); p->p_fd->fd_ofiles[indx] = NULL; break; } fp->f_flag = FREAD; fp->f_type = DTYPE_VNODE; fp->f_ops = &vnops; fp->f_data = (caddr_t)nd1.ni_vp; VOP_UNLOCK(nd1.ni_vp, 0, p); } } [... snip ...] /* * Close file descriptors * which specify close-on-exec. */ [3] fdexec(p); [... snip ...] In order to more fully demonstrate the severe implications of the problem, spendersec has provided the world with a proof-of-concept example. #define OVERRATED int #define THEO (OVERRATED)NULL #define GOD THEO #define DEFINITE_SECURITY fcntl.h #define WORLD_COLLAPSE exit(666); #include <DEFINITE_SECURITY> int main(int spender, char **sec) { fcntl(0, F_SETFD, FD_CLOEXEC); fcntl(1, F_SETFD, FD_CLOEXEC); fcntl(2, F_SETFD, FD_CLOEXEC); if(spender <= GOD) WORLD_COLLAPSE; /* note that i overindex, but for systems running grsecurity * this is not a problem */ execv(sec[1], sec[1], &sec[2]); } I haven't been able to test this code, as gcc does not work with the GrSecurity kernel patch functionality. We are liasing with the PaX team to resolve the issues involved. Until such time that all issues are resolved we recommend that all spendersec customers disconnect their machines from the network. We at spendersec realise that this will cause problems with the online patching process. However, the cvshome.org team have gotten away with this for over two months now so: nyah nyah nyah. I'm more precocious and skilled than you, I understand advanced algrebra and cardinality... BOW BEFORE ME. At this point it's probably time to explain the concept behind spendersec. Spendersec is the new groundbreaking paradigm that will reshape the information security landscape. Spendersec is the commercial wing of the grsecurity project which aims to provide all the functionality of grsecurity combined with a 24-hour support team managed by my ego while I'm asleep. My Ego is forced to man the technical support desks at SpenderSec because whenever I try to use the telephone I tend to get the earpiece lodged deep within my ear and it's very difficult and painful to remove. EXAMPLE TELEPHONE SUPPORT CALL: Clueless Luser: Hi spendersec is not allowing me to execute _any_ code at all! I can't even log in! My EGO: You aren't running OpenBSD are you? Clueless Luser: No I am running RedHat 9, Shrike. My EGO: It sounds like you're running OpenBSD to me. Clueless Luser: No, really I'm not. My EGO: Look, if you're going to run inferior Operating Systems, you're going to have problems. <HANGS UP> Clueless Luser; I'm going to install Plan9 CONCLUSION: It's apparent to me that the paradigm of grsecurity is unable to protect users of the Darwin operating system; only spendersec, the proprietary commercial wing of grsecurity, has the funding necessary to confront the ever changing needs of the non-linux user. At the time of writing all blame is apportioned to the selfish and lazy PaX team, which refuses to port PaX to any operating system other than linux. Fucking slashdot hippies. Lots of love and hugs, -- spendersec <3 -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkDVlg4ACgkQIM+Y4es4609/2gCeOFoNL2rXSaGshM8n9Z1HfmfBorMA oJFjGKtCoWDKPGZZoUo1QhMWJMIu =gpef -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- SPENDERSEC SECURITY ADVISORY #1 - GAPING SECURITY HOLE IN MACOS X spendersec (Jun 20)