|
Bugtraq
mailing list archives
Re: OpenBSD kernel holes ...
From: noir () uberhax0r net
Date: Tue, 18 Nov 2003 15:56:03 -0500 (EST)
i will be releasing a paper regarding kmem allocator (heap) overflows in
kernel space and exploit for patch 005 will be in its content.
buf = malloc(user_controled_size);
vn_rdwr(UIO_READ, ..., user_buf, user_controlled_size, ...);
these types of vulnerabilities are %100 exploitable!
check kern_malloc.c line 178
if (size > MAXALLOCSAVE)
allocsize = round_page(size);
this might hint you or not ...
i have only release the stack based exploit since there is nothing new in
the technique but the heap technique deserves more explanation and
attention than an exploit post ...
- noir
On Tue, 18 Nov 2003, Steve Tornio wrote:
<snip>
from http://www.wideopenbsd.org/errata.html
All architectures
005: RELIABILITY FIX: November 4, 2003
It is possible for a local user to cause a system panic by
executing
a specially crafted binary with an invalid header.
A source code patch exists which remedies the problem.
reliability ??? ehh ;-P yeah yeah right!
um, that's the wrong errata entry. For 3.4 -
006: SECURITY FIX: November 17, 2003
It may be possible for a local user to overrun the stack in
compat_ibcs2(8).
ProPolice catches this, turning a potential privilege escalation into
a denial of service. iBCS2 emulation does not need to be enabled via
sysctl(8) for this to happen.
A source code patch exists which remedies the problem.
Taken from http://www.openbsd.org/security.html#34
 By Date 
By Thread
Current thread:
|
Intro
