2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley


2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Oliver Pinter (Pintér Olivér)

http://milw0rm.com/exploits/9206
_______________________________________________
freebsd-security@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@..."

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Dag-Erling Smørgrav

Oliver Pinter <oliver.pntr@...> writes:
> http://milw0rm.com/exploits/9206

Standard procedure is to contact so@... directly rather than
post an exploit on a public, archived mailing list.

DES
--
Dag-Erling Smørgrav - des@...

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Jason V. Miller

On Tue, Jul 21, 2009 at 05:39:25PM +0200, Dag-Erling Smørgrav wrote:
> Oliver Pinter <oliver.pntr@...> writes:
> > http://milw0rm.com/exploits/9206
>
> Standard procedure is to contact so@... directly rather than
> post an exploit on a public, archived mailing list.

To be fair, he didn't post a new exploit to the list, but instead a link to
an already-public exploit.

J.

--
Jason V. Miller

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Oliver Pinter (Pintér Olivér)

Hi all!

Yeah, I found the exploit on milw0rm on Jul 20, 2009, and sent this
mail; before that I had never read anything about so@..., and from
this mail (I think security officer), so I then added cperciva to CC.

btw:
oliver@oliverp src> git grep "so@..."
sys/dev/usb/ubser.c: * Copyright (c) 2004 Ber{}ter <tic{}sd.org>
sys/dev/usb/ubser.h: * Copyright (c) 2003 Ber{}ter <tic{}asd.org>

This git tree is the full FreeBSD tree, imported to git, and has no
information about this mail address.

On 7/21/09, Jason V. Miller <jmiller@...> wrote:

> On Tue, Jul 21, 2009 at 05:39:25PM +0200, Dag-Erling Smørgrav wrote:
>> Oliver Pinter <oliver.pntr@...> writes:
>> > http://milw0rm.com/exploits/9206
>>
>> Standard procedure is to contact so@... directly rather than
>> post an exploit on a public, archived mailing list.
>
> To be fair, he didn't post a new exploit to the list, but instead a link to
> an already-public exploit.
>
> J.
>
> --
> Jason V. Miller
>

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Dag-Erling Smørgrav

Oliver Pinter <oliver.pntr@...> writes:
> Yeah, I found the exploit in milw0rm at  Jul 20, 2009. and send this
> mail, before I never read anything from so@...

http://www.freebsd.org/security

so@ is an alias for security-officer@.

DES
--
Dag-Erling Smørgrav - des@...

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Bjoern A. Zeeb

On Mon, 20 Jul 2009, Oliver Pinter wrote:

Hi,

> http://milw0rm.com/exploits/9206

has anyone actually been able to reproduce a problem scenario with
this on any supported releases (7.x or 6.x)?

The only thing I could get from that was:
  execve returned -1, errno=8: Exec format error

Similar results applied to the scenario from
  http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/80742
which had been filed for a 5.x system by Wojciech A. Koszek long
before the above.

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Damian Weber

On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:

> Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> From: Bjoern A. Zeeb <bzeeb-lists@...>
> To: Oliver Pinter <oliver.pntr@...>
> Cc: freebsd-security@..., wkoszek@...
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>     Service  Exploit 23 R D Shaun Colley
>
> On Mon, 20 Jul 2009, Oliver Pinter wrote:
>
> Hi,
>
> > http://milw0rm.com/exploits/9206
>
> has anyone actually been able to reproduce a problem scenario with
> this on any supported releases (7.x or 6.x)?
>
> The only thing I could get from that was:
> execve returned -1, errno=8: Exec format error
>
FWIW, I got another result on 6.4-STABLE

FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3 13:06:12 CEST 2009     root@...:/usr/obj/usr/src/sys/MYMACHINE  i386

$ ./pecoff
MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
[I'm truncating here, ~3500 a's follow]aaaaa: File name too long

-- Damian


Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Bjoern A. Zeeb

On Wed, 11 Nov 2009, Damian Weber wrote:

>
>
> On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
>
>> Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
>> From: Bjoern A. Zeeb <bzeeb-lists@...>
>> To: Oliver Pinter <oliver.pntr@...>
>> Cc: freebsd-security@..., wkoszek@...
>> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>>     Service  Exploit 23 R D Shaun Colley
>>
>> On Mon, 20 Jul 2009, Oliver Pinter wrote:
>>
>> Hi,
>>
>>> http://milw0rm.com/exploits/9206
>>
>> has anyone actually been able to reproduce a problem scenario with
>> this on any supported releases (7.x or 6.x)?
>>
>> The only thing I could get from that was:
>> execve returned -1, errno=8: Exec format error
>>
>
> FWIW, I got another result on 6.4-STABLE
>
> FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3 13:06:12 CEST 2009     root@...:/usr/obj/usr/src/sys/MYMACHINE  i386
>
> $ ./pecoff
> MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> [I'm truncating here, ~3500 a's follow]aaaaa: File name too long

Not sure if you'd see it with ktrace or not;  I ran into that with my
tests as well and was told that it's a shell problem.

Try running it from this:
------------------------------------------------------------------------
#include <unistd.h>
#include <err.h>

int
main(int argc, char *argv[])
{

	/* Hand ./pecoff to the kernel directly, so the outcome is the
	 * execve() result itself and not the shell's handling of it. */
	if (execl("./pecoff", "./pecoff", (char *)NULL) == -1)
		err(1, "execl()");

	return (0);
}
------------------------------------------------------------------------


/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Damian Weber

On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:

> Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
> From: Bjoern A. Zeeb <bzeeb-lists@...>
> To: Damian Weber <dweber@...>
> Cc: freebsd-security@..., wkoszek@...,
>     Oliver Pinter <oliver.pntr@...>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>     Service  Exploit 23 R D Shaun Colley
>
> On Wed, 11 Nov 2009, Damian Weber wrote:
>
> >
> >
> > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> >
> > > Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> > > From: Bjoern A. Zeeb <bzeeb-lists@...>
> > > To: Oliver Pinter <oliver.pntr@...>
> > > Cc: freebsd-security@..., wkoszek@...
> > > Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> > >     Service  Exploit 23 R D Shaun Colley
> > >
> > > On Mon, 20 Jul 2009, Oliver Pinter wrote:
> > >
> > > Hi,
> > >
> > > > http://milw0rm.com/exploits/9206
> > >
> > > has anyone actually been able to reproduce a problem scenario with
> > > this on any supported releases (7.x or 6.x)?
> > >
> > > The only thing I could get from that was:
> > > execve returned -1, errno=8: Exec format error
> > >
> >
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3
> > 13:06:12 CEST 2009     root@...:/usr/obj/usr/src/sys/MYMACHINE
> > i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
>
> Not sure if you'd see it with ktrace or not;  I ran into that with my
> tests as well and was told that it's a shell problem.
>
> try to run it from this:
> ------------------------------------------------------------------------
> #include <unistd.h>
> #include <err.h>
>
> int
> main(int argc, char *argv[])
> {
>
> if (execl("./pecoff", "./pecoff", NULL) == -1)
> err(1, "execl()");
>
> return (0);
> }
> ------------------------------------------------------------------------
execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result.

ktrace/kdump show

...
 2380 pecoff   CALL  open(0x8048764,0x1,0)
 2380 pecoff   NAMI  "evilprog.exe"
 2380 pecoff   RET   open 3
 2380 pecoff   CALL  write(0x3,0xbfbfce80,0xfe0)
 2380 pecoff   GIO   fd 3 wrote 4064 bytes
       0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161  |MZaaaaaaaaaaaaaaaa|
       0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161  |aaaaaaaaaaaaaaaaaa|
...



Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Eygene Ryabinkin-3

Wed, Nov 11, 2009 at 07:14:48PM +0100, Damian Weber wrote:
> FWIW, I got another result on 6.4-STABLE
>
> FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3 13:06:12 CEST 2009     root@...:/usr/obj/usr/src/sys/MYMACHINE  i386
>
> $ ./pecoff
> MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa????aaaa
> [I'm truncating here, ~3500 a's follow]aaaaa: File name too long

You have no pecoff module loaded or compiled into the kernel,
do you?  Your "File name too long" is spat out by the shell,
so it was not handled by the PE loader at all.
--
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
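The diagnosis in the two messages above (Bjoern's execl() harness and Eygene's point that "File name too long" came from the shell, not the PE loader) rests on one distinction: when execve(2) finds no image activator for a file it fails with ENOEXEC (errno 8, "Exec format error", exactly what Bjoern's output shows), and a POSIX shell that receives ENOEXEC retries the file as a script, so the shell's own error message replaces the kernel's. The following added example is my code, not from the thread or from FreeBSD. It execs a file directly from C and reports which of the two happened, so a tester can tell "the kernel has no loader for this format" apart from "a loader accepted it and the image ran". The sample file it writes is constructed filler that matches no executable format; the function and file names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of handing a file to execve(2) directly, with no shell in between. */
enum probe_result {
    PROBE_ACCEPTED,     /* the kernel found an image activator and ran the file */
    PROBE_NO_ACTIVATOR, /* execve failed with ENOEXEC: no loader claims this format */
    PROBE_OTHER_ERROR   /* execve failed for another reason (ENOENT, EACCES, ...) */
};

/*
 * Fork, execv() the file in the child and report what the kernel said.
 * The child's errno travels back over a close-on-exec pipe: if exec succeeds
 * the pipe closes and the parent reads EOF, otherwise it reads the errno.
 * *errno_out receives that errno (0 when accepted); it may be NULL.
 */
enum probe_result probe_image(const char *path, int *errno_out)
{
    int fds[2], child_errno = 0, status;
    ssize_t n;
    pid_t pid;

    if (errno_out != NULL)
        *errno_out = 0;
    if (path == NULL || pipe(fds) == -1) {
        if (errno_out != NULL)
            *errno_out = (path == NULL) ? EINVAL : errno;
        return PROBE_OTHER_ERROR;
    }
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);

    pid = fork();
    if (pid == -1) {
        if (errno_out != NULL)
            *errno_out = errno;
        close(fds[0]);
        close(fds[1]);
        return PROBE_OTHER_ERROR;
    }
    if (pid == 0) {
        char *argv[] = { (char *)path, NULL };
        int devnull;

        close(fds[0]);
        /* Keep whatever we start from reading the caller's terminal. */
        devnull = open("/dev/null", O_RDONLY);
        if (devnull != -1) {
            dup2(devnull, STDIN_FILENO);
            close(devnull);
        }
        execv(path, argv);
        child_errno = errno;            /* only reached if exec failed */
        (void)write(fds[1], &child_errno, sizeof child_errno);
        _exit(127);
    }

    close(fds[1]);
    n = read(fds[0], &child_errno, sizeof child_errno);
    close(fds[0]);
    waitpid(pid, &status, 0);

    if (n == 0)
        return PROBE_ACCEPTED;          /* EOF: exec replaced the child */
    if (errno_out != NULL)
        *errno_out = child_errno;
    return (child_errno == ENOEXEC) ? PROBE_NO_ACTIVATOR : PROBE_OTHER_ERROR;
}

/*
 * Write a constructed sample file whose contents match no executable format,
 * mark it executable and return its path (NULL on failure). Sample data only.
 */
const char *write_unknown_format_file(const char *path)
{
    FILE *fp = fopen(path, "w");

    if (fp == NULL)
        return NULL;
    fputs("this is not an executable format the kernel recognises\n", fp);
    if (fclose(fp) != 0 || chmod(path, 0755) == -1)
        return NULL;
    return path;
}

int main(int argc, char *argv[])
{
    int e;
    enum probe_result r;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    r = probe_image(argv[1], &e);
    if (r == PROBE_ACCEPTED)
        printf("%s: kernel accepted the image and ran it\n", argv[1]);
    else if (r == PROBE_NO_ACTIVATOR)
        printf("%s: ENOEXEC (errno=%d): no image activator for this format\n", argv[1], e);
    else
        printf("%s: execve failed: %s (errno=%d)\n", argv[1], strerror(e), e);
    return (r == PROBE_ACCEPTED) ? 0 : 1;
}
```

Run it as `./probe ./somefile`: ENOEXEC means the kernel had no activator for the file, which is what Bjoern saw, and is the result to expect on a system where the pecoff module is neither loaded nor compiled in. Running the same file from a shell instead would hide that result behind the shell's script fallback, which is where "File name too long" came from.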

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Wojciech A. Koszek-4

On Wed, Nov 11, 2009 at 05:37:50PM +0000, Bjoern A. Zeeb wrote:

> On Mon, 20 Jul 2009, Oliver Pinter wrote:
>
> Hi,
>
>> http://milw0rm.com/exploits/9206
>
> has anyone actually been able to reproduce a problem scenario with
> this on any supported releases (7.x or 6.x)?
>
> The only thing I could get from that was:
> execve returned -1, errno=8: Exec format error
>
> Similar results applied to the scenario from
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/80742
> which had been filed for a 5.x system by Wojciech A. Koszek long
> before the above.
>

Hello,

This report has been lying in the PR database for a long time. I removed
PECOFF from CURRENT some time ago, since absolutely no one was able to give
any sensible argument for keeping the PECOFF handler.

Because PECOFF had been introduced years before I became a committer, I wasn't
sure if an MFC was a good idea back then.  The reason I didn't perform an MFC to
stable releases after the "newer" report is our merge policy. I simply haven't
studied it yet.

We can consider the PECOFF bug as having "security implications", but in order to
make it "active", someone has to study NOTES and enable this option. At
first glance I see that the ports/ situation didn't change -- we seem to have 0
ports requiring PECOFF to be present.

And I can't right now confirm whether the bug is still there -- I have no 6.x
and 7.x systems for testing anymore.

If you want to try my code out (available in the PR), compile PECOFF -- I remember
that I provided some sample case to panic the kernel.

I think the best way would be to remove PECOFF from 6.x and 7.x.

Thanks for CCing me.

--
Wojciech A. Koszek
wkoszek@...
http://FreeBSD.czest.pl/~wkoszek/

Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

by Damian Weber

On Wed, 11 Nov 2009, Eygene Ryabinkin wrote:

> Date: Wed, 11 Nov 2009 22:37:44 +0300
> From: Eygene Ryabinkin <rea-fbsd@...>
> To: Damian Weber <dweber@...>
> Cc: Bjoern A. Zeeb <bzeeb-lists@...>,
>     freebsd-security@..., wkoszek@...,
>     Oliver Pinter <oliver.pntr@...>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>     Service  Exploit 23 R D Shaun Colley
>
> Wed, Nov 11, 2009 at 07:14:48PM +0100, Damian Weber wrote:
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3 13:06:12 CEST 2009     root@...:/usr/obj/usr/src/sys/MYMACHINE  i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa????aaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
> You have no pecoff module loaded or compiled into the kernel,
> do you?  Your "File name too long" is spat out by the shell,
> so it was not handled by the PE loader at all.

Confirmed. The code crashes the 6.4-stable machine when pecoff module
is loaded.

Wojciech A. Koszek wrote:
> I think the best way would be to remove PECOFF from 6.x and 7.x.
Now, I'm inclined to think that, too ;-)

-- Damian

