lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 18 Nov 2003 15:56:03 -0500 (EST)
From: noir@...rhax0r.net
To: Steve Tornio <steve@...riol.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: OpenBSD kernel holes ...



i will be releasing a paper regarding kmem allocator (heap) overflows in
kernel space and exploit for patch 005 will be in its content.

buf = malloc(user_controled_size);
vn_rdwr(UIO_READ, ..., user_buf, user_controlled_size, ...);

these types of vulnerabilities are %100 exploitable!
check kern_malloc.c line 178

                if (size > MAXALLOCSAVE)
                        allocsize = round_page(size);

this might hint you or not ...

i have only release the stack based exploit since there is nothing new in
the technique but the heap technique deserves more explanation and
attention than an exploit post ...

 - noir


On Tue, 18 Nov 2003, Steve Tornio wrote:

> <snip>
>
> > from http://www.wideopenbsd.org/errata.html
> >
> > All architectures
> >
> >      005: RELIABILITY FIX: November 4, 2003
> >      It is possible for a local user to cause a system panic by
> > executing
> >      a specially crafted binary with an invalid header.
> >      A source code patch exists which remedies the problem.
> >
> >
> > reliability ??? ehh ;-P yeah yeah right!
> >
>
> um, that's the wrong errata entry.  For 3.4 -
>
> 006: SECURITY FIX: November 17, 2003
>   It may be possible for a local user to overrun the stack in
> compat_ibcs2(8).
>   ProPolice catches this, turning a potential privilege escalation into
> a denial of service. iBCS2 emulation does not need to be enabled via
> sysctl(8) for this to happen.
>   A source code patch exists which remedies the problem.
>
> Taken from http://www.openbsd.org/security.html#34
>
>



Powered by blists - more mailing lists