lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4C8798CA.60602@freebsd.lublin.pl>
Date: Wed, 08 Sep 2010 16:08:10 +0200
From: Przemyslaw Frasunek <venglin@...ebsd.lublin.pl>
To: full-disclosure@...ts.grok.org.uk
Subject: FreeBSD 7.0 - 7.2 pseudofs null pointer
	dereference

FreeBSD 7.0 - 7.2 pseudofs null pointer dereference
Disclosed by: Przemyslaw Frasunek
18/08/2010

1. Synopsis

Starting from FreeBSD 5.0, the system supports POSIX extended attributes,
allowing to store metadata associated with file. Those attributes can be
manipulated using extattr_* syscalls.

One of the filesystems supporting extended attributes is pseudofs, on which
procfs and linprocfs are based.

2. Attack vector

Due to spurious call to pfs_unlock() in pfs_getattr() (as defined in
sys/fs/pseudofs/pseudofs_vnops.c), null pointer is dereferenced after calling
extattr_get_attribute() on pseudofs vnode.

By allocating page at address 0x0, attacker can overwrite arbitrarly chosen
portion of kernel memory, leading to crash or local root escalation.

3. Workaround

Procfs and linprocfs are not mounted in default FreeBSD install.

By setting sysctl security.bsd.map_at_zero to 0 (which is default in 8.x
branch), the vulnerability can be exploited to cause system crash, not privilege
escalation.

4. Patch

The bug was fixed in following commit:

http://svn.freebsd.org/viewvc/base?view=revision&revision=196689

Nevertheless it was not recognized as security vulnerability. The following
versions are vulnerable:

7.0-RELEASE
7.1-RELEASE
7.2-RELEASE
8.0-RELEASE (system crash only)

Not vulnerable versions:

6.x-RELEASE
7.3-RELEASE
8.1-RELEASE
7-STABLE and 8-STABLE after 05/09/2009

5. Exploit code

There is a working exploit, allowing to gain local root privileges. It will be
released after 14 days from this advisory.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ