{proc,kern}fs bug in FreeBSD (other systems?)
Brian Feldman (green@FELDMAN.DYN.ML.ORG)
Fri, 26 Jun 1998 13:53:41 -0400
- Next message: Marc Heuse: "vulnerability in satan, cops & tiger"
- Previous message: Aleph One: "SSL Vulnerability"
- Next in thread: Scott Bartram: "Re: {proc,kern}fs bug in FreeBSD (other systems?)"
In keeping compliant with the policies of BugTraq, I first gave the developers fair warning and a chance to fix the bugs. As per usual, the FreeBSD core team's response time was very quick, and the problem was fixed within the first day of reporting it to them. The purpose of this message is to alert anyone running FreeBSD (possibly NetBSD and OpenBSD; you may want to check this out) that there are fixes out, and vulnerable systems should be fixed ASAP.

The versions that are vulnerable are as follows (I am using procfs as the example); other systems should be checked out.

FreeBSD 2.2.6-STABLE:

 *	@(#)procfs_vnops.c	8.6 (Berkeley) 2/7/94
 *
 *	$Id: procfs_vnops.c,v 1.24.2.1 1997/08/12 04:45:27 sef Exp $

This seems to be using older code, and was never vulnerable.

FreeBSD 3.0-CURRENT:

 *	@(#)procfs_vnops.c	8.18 (Berkeley) 5/21/95
 *
 *	$Id: procfs_vnops.c,v 1.60 1998/06/25 16:54:41 dt Exp $

This is apparently a bug introduced in 4.4BSD-Lite2; this file's two ids reflect both that it is from 4.4BSD-Lite2, and that it was fixed in the FreeBSD-CURRENT source tree on 6/25/98, after I reported the bug, so anyone running 3.0-CURRENT should definitely update their {kern,proc}fs to prevent exploitation.

Others:

The best way to look for this is to try the following:

    grep hungry < `locate procfs_vnops.c`

and see if there is any reference to the following panic (from a crash core bt):

    #1 0xf0119367 in panic (fmt=0xf5740bc8 "kernfs_readdir: not hungry") at ../../kern/kern_shutdown.c:423

Any systems using 4.4BSD-Lite2 code should be interested in checking this out.

Now of course, I can't leave off without revealing the actual exploit, now can I? The problem seems to be in the syscall usage of Linux programs in the 'emulation', and so far the only program I tested this with is RealPlayer 5.0 for Linux/i386. Attempting to browse /proc or /kern will cause a crash on a vulnerable system, i.e. "rvplayer /proc/curproc" or "rvplayer /kern/hostname".

my->name = "Brian Feldman";
my->email = "brianfeldman@hotmail.com";
my->info = finger("green@feldman.dyn.ml.org");
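An added example for administrators triaging their own source trees; it is not part of the advisory above and not FreeBSD project code. It turns the version identifiers the post quotes into a small check: the SCCS what-string version (8.6 is the older, never-vulnerable lineage; 8.18 is the 4.4BSD-Lite2 lineage) and the RCS $Id date (the 3.0-CURRENT fix is dated 1998/06/25) come from the advisory, while the classification labels, the function names, and the sample headers the script writes to a scratch directory are this example's own assumptions. Where neither what-string is recognised it falls back to the advisory's own grep for "hungry".

```shell
#!/bin/sh
# Added example, not from the original post: triage a {proc,kern}fs vnops
# source file by the identifiers the advisory cites.
#   8.6  (Berkeley) what-string  -> pre-Lite2 code, never vulnerable
#   8.18 (Berkeley) what-string  -> 4.4BSD-Lite2 code; vulnerable unless the
#                                   $Id date is on or after the FreeBSD fix
# The labels and helper names below are this example's own.

FIX_DATE=19980625   # yyyymmdd of the FreeBSD-CURRENT fix ($Id 1.60, 1998/06/25)

# Print one line classifying the vnops file named in $1.
classify_vnops() {
    file="$1"
    # SCCS what-string, e.g. "@(#)procfs_vnops.c 8.18 (Berkeley) 5/21/95" -> 8.18
    what=$(sed -n 's/.*@(#)[a-z_]*\.c[[:space:]]*\([0-9.]*\) (Berkeley).*/\1/p' "$file" | head -n 1)
    # RCS $Id line, e.g. "$Id: procfs_vnops.c,v 1.60 1998/06/25 ..." -> 19980625
    iddate=$(sed -n 's/.*\$Id: [^ ]* [0-9.]* \([0-9]\{4\}\)\/\([0-9]\{2\}\)\/\([0-9]\{2\}\).*/\1\2\3/p' "$file" | head -n 1)
    case "$what" in
        8.6)
            echo "unaffected: pre-Lite2 code ($what)" ;;
        8.18)
            if [ -n "$iddate" ] && [ "$iddate" -ge "$FIX_DATE" ]; then
                echo "fixed: Lite2 code, \$Id dated $iddate"
            else
                echo "vulnerable: Lite2 code, \$Id dated ${iddate:-unknown}"
            fi ;;
        *)
            # Unknown lineage: fall back to the advisory's grep for the panic keyword.
            if grep -q hungry "$file"; then
                echo "check manually: unknown what-string, 'hungry' present"
            else
                echo "check manually: unknown what-string"
            fi ;;
    esac
}

# Write a constructed header to $1: what-string version $2 dated $3, $Id dated $4.
# Only the 2.2.6-STABLE and 3.0-CURRENT values reproduce the advisory; any other
# combination is a constructed sample for illustration.
write_sample() {
    printf ' *\t@(#)procfs_vnops.c\t%s (Berkeley) %s\n *\n *\t$Id: procfs_vnops.c,v 1.0 %s 00:00:00 x Exp $\n' \
        "$2" "$3" "$4" > "$1"
}

# Stand-alone run: classify three samples in a scratch directory.
demo_vnops() {
    dir=$(mktemp -d)
    write_sample "$dir/stable.c"  8.6  2/7/94  1997/08/12   # advisory's 2.2.6-STABLE
    write_sample "$dir/current.c" 8.18 5/21/95 1998/06/25   # advisory's fixed 3.0-CURRENT
    write_sample "$dir/old.c"     8.18 5/21/95 1998/01/01   # constructed pre-fix date
    for f in stable current old; do
        printf '%s: %s\n' "$f" "$(classify_vnops "$dir/$f.c")"
    done
    rm -rf "$dir"
}

demo_vnops
```

Point classify_vnops at the real procfs_vnops.c and kernfs_vnops.c on the system (for example the paths locate returns); the date test only applies to the 8.18 lineage, and anything else is reported for manual review rather than guessed.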