Re: OpenBSD kernel holes ...
Date: Tue Nov 18 2003 - 14:56:03 CST
I will be releasing a paper regarding kmem allocator (heap) overflows in
kernel space, and an exploit for patch 005 will be in its content.
buf = malloc(user_controlled_size);
vn_rdwr(UIO_READ, ..., user_buf, user_controlled_size, ...);
these types of vulnerabilities are 100% exploitable!
check kern_malloc.c line 178
if (size > MAXALLOCSAVE)
allocsize = round_page(size);
this might give you a hint or not ...
I have only released the stack-based exploit, since there is nothing new in
the technique, but the heap technique deserves more explanation and
attention than an exploit post ...
On Tue, 18 Nov 2003, Steve Tornio wrote:
> > from http://www.wideopenbsd.org/errata.html
> > All architectures
> > 005: RELIABILITY FIX: November 4, 2003
> > It is possible for a local user to cause a system panic by
> > executing
> > a specially crafted binary with an invalid header.
> > A source code patch exists which remedies the problem.
> > reliability ??? ehh ;-P yeah yeah right!
> um, that's the wrong errata entry. For 3.4 -
> 006: SECURITY FIX: November 17, 2003
> It may be possible for a local user to overrun the stack in
> ProPolice catches this, turning a potential privilege escalation into
> a denial of service. iBCS2 emulation does not need to be enabled via
> sysctl(8) for this to happen.
> A source code patch exists which remedies the problem.
> Taken from http://www.openbsd.org/security.html#34
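The kern_malloc.c hint above (sizes above MAXALLOCSAVE are rounded up to whole pages) is worth seeing in arithmetic. The following is an added user-space model written for this page, not OpenBSD's allocator and not the poster's exploit: round_page32() reproduces the usual BSD round_page() macro on a 32-bit size_t (assumed i386 widths), model_allocsize() is an assumed simplification of how much memory the allocator reserves for a request (power-of-two buckets below MAXALLOCSAVE, page rounding above it, with MAXALLOCSAVE assumed to be two pages), and checked_allocsize() is a constructed hardened caller that bounds a user-controlled length before asking for memory. It shows that page rounding normally reserves at least the requested size, and that the one case where the reserved size ends up smaller than the request is the 32-bit wrap of round_page() for lengths in the last page of the address space, which the bound check rules out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed i386-style page geometry for the model. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1u << PAGE_SHIFT)
#define PAGE_MASK    (PAGE_SIZE - 1)
/* Assumed: requests above two pages are page-rounded instead of bucketed. */
#define MAXALLOCSAVE (2u * PAGE_SIZE)
/* Assumed cap a caller would impose on an attacker-supplied header length. */
#define MAX_USER_LEN (64u * 1024u)

/* Model of the BSD round_page() macro on a 32-bit size_t.
 * The addition can wrap: sizes in the last 4095 bytes below 2^32
 * round to 0 instead of to 2^32. */
static uint32_t round_page32(uint32_t size)
{
    return (size + PAGE_MASK) & ~PAGE_MASK;
}

/* Model of the size the allocator actually reserves for a request.
 * Small requests go to a power-of-two bucket (minimum 16 bytes assumed);
 * requests above MAXALLOCSAVE are rounded up to whole pages, as in the
 * kern_malloc.c lines quoted in the post. */
static uint32_t model_allocsize(uint32_t size)
{
    if (size > MAXALLOCSAVE)
        return round_page32(size);
    uint32_t bucket = 16;
    while (bucket < size)
        bucket <<= 1;
    return bucket;
}

/* True when copying `size` bytes into an allocation requested with the
 * same `size` would run past the memory the model actually reserved.
 * This only happens when round_page32() wrapped. */
static bool copy_overruns_allocation(uint32_t size)
{
    return model_allocsize(size) < size;
}

/* Constructed hardened pattern: reject a user-controlled length before it
 * reaches the allocator, so neither the wrap nor an absurdly large
 * allocation is reachable. Returns false on rejection. */
static bool checked_allocsize(uint32_t user_size, uint32_t *reserved)
{
    if (user_size == 0 || user_size > MAX_USER_LEN)
        return false;
    *reserved = model_allocsize(user_size);
    return true;
}

int main(void)
{
    /* Constructed sample lengths: a normal header, a page-rounded one,
     * and one sitting in the last page below 2^32. */
    uint32_t samples[] = { 100u, MAXALLOCSAVE + 1u, 0xFFFFF001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t reserved = 0;
        bool ok = checked_allocsize(samples[i], &reserved);
        printf("request 0x%08x: model reserves 0x%08x, overrun=%d, checked=%s\n",
               samples[i], model_allocsize(samples[i]),
               copy_overruns_allocation(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The interesting row is 0xFFFFF001: round_page32() yields 0, so the model reserves nothing while a subsequent vn_rdwr()-style copy of the requested length would still write the full amount. Whether that particular arithmetic is the bug behind patch 005 is not something the post states; the model only demonstrates what the quoted rounding does with a user-controlled size and why a caller bounds the length before allocating.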