lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.44.0308301855570.20999-100000@felinemenace>
Date: Sat, 30 Aug 2003 19:07:46 -0700 (PDT)
From: ned <nd@...inemenace.org>
To: bugs@...nbsd.org, <misc@...nbsd.org>
Cc: bugtraq@...urityfocus.com, <full-disclosure@...ts.netsys.com>
Subject: OpenBSD 3.2 Kthread Madness


OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c

Ohk, here is the function:

int
kthread_create(void (*func)(void *), void *arg,
    struct proc **newpp, const char *fmt, ...) <---- where the data is
{
	struct proc *p2; <--------- New proc struct
	register_t rv[2];
	int error;
	va_list ap;

	/*
	 * First, create the new process.  Share the memory, file
	 * descriptors and don't leave the exit status around for the
	 * parent to wait for.
	 */
	error = fork1(&proc0, 0,
	    FORK_SHAREVM|FORK_NOZOMBIE|FORK_SIGHAND, NULL, 0, func, arg, 
rv);
	if (error)
		return (error);

	p2 = pfind(rv[0]);

	/*
	 * Mark it as a system process and not a candidate for
	 * swapping.
	 */
	p2->p_flag |= P_INMEM | P_SYSTEM;	/* XXX */

	/* Name it as specified. */
	va_start(ap, fmt);
	vsprintf(p2->p_comm, fmt, ap); <--- HELLO!
	va_end(ap);

	/* All done! */
	if (newpp != NULL)
		*newpp = p2;
	return (0);
} 

some notes:
- proc.h defines p_comm for a size of MAXCOMLEN+1
- MAXCOMLEN is defined in param.h as 16.
- This gives use 17 bytes to overflow.

but how? you wont be able to do it from user-land (i presume) and the only 
way i can imagine this being done is via a LKM. but then i realise that 
you need root to do anything associated with lkm's. so the chances of 
actually exploiting it, comes down to modifying a call in init_main.c and 
watvhing your system not power up!

for patch wise..is there a vslprintf i can stick in there?
 - nd

-- 
http://felinemenace.org/~nd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ