
FreeBSD kernel integer overflow
6th Jan 2003 [SBWID-5913]

	 RELENG_4   (aka -STABLE) 	: not vulnerable after 20021111
	 RELENG_5_0 (aka -CURRENT)      : vulnerable in lseek(2) (199)
	 All current -RELEASE versions  : vulnerable in fpathconf(2) (192)
	OpenBSD/NetBSD: not vulnerable


	From the advisory by Joost Pol of Pine Digital Security:
	Inside the FreeBSD kernel each file (socket, device or regular file)
	opened is represented by a file structure (sys/file.h).
	Amongst other members this structure holds a reference counter (int
	f_count). This reference counter is increased by the fhold() function
	and decreased by the fdrop() function (both in sys/file.h).
	For example, when a file is open(2)ed or dup(2)ed the reference counter
	is increased, and when the file is close(2)ed again the reference
	counter is decreased. Once the reference counter reaches zero, the file
	structure itself is deallocated.
	Most system calls which perform (blocking) operations on a file will
	issue a fhold() call to prevent the file from being closed in the
	middle of an operation. Once the operation is finished the (extra)
	reference will be released again by issuing a fdrop() call.
	Inside the fpathconf(2) (192) system call we spotted a condition where
	a call to fdrop() is missing. When issuing a fpathconf(2) call on a
	socket it will return with an error condition but it will not release
	the extra file reference.
	Due to the missing fdrop() call inside the fpathconf(2) system call it
	is possible to overflow the reference counter of the file structure
	(int f_count).
	FreeBSD -CURRENT suffers from the same problem in another syscall.
	Causing a system panic and privilege escalation have both been confirmed.
	Exploitation of this bug will take time; depending on machine speed and
	system limits this could vary between hours and days.
	1. System Panic
	A system panic can be caused by issuing around 2^31 calls to
	fpathconf(2) with a file descriptor which references a socket. The
	reference counter (int f_count) will wrap to a negative value and this
	will cause a panic in close(2).
	2. Privilege Escalation
	It is also possible (although more difficult) to gain root access using
	this bug. One would open(2) a socket and dup(2) it. One would then
	issue around 2^32 - 1 calls to fpathconf(2) causing the reference
	counter to wrap to 1.
	After closing the original file descriptor the file structure will be
	deallocated. At this point the dup(2)ed file descriptor is still
	hanging around with a file structure pointing to unallocated memory.
	The final step, which is left as an exercise for the reader, is to
	have a sensitive file (like /etc/skeykeys) opened and allocated at the
	previously freed location.
	Once this happens the dup(2)ed file descriptor is still hanging around
	providing access to this file. This could result in the escalation of
	user privileges.
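	The reference-count mechanics described above, modelled as an added example that is not the advisory's or FreeBSD's own code: the struct, enum and the fpathconf_buggy, fpathconf_fixed, close_frees_file and fhold_checked functions are constructed for illustration, showing the unbalanced error path next to its corrected form and an fhold() variant that refuses to let f_count wrap.

```c
#include <limits.h>
#include <stdbool.h>

/* Constructed model of the reference counting the advisory describes (not
 * FreeBSD's own code): a struct file with the f_count member of sys/file.h. */
enum ftype { DTYPE_VNODE, DTYPE_SOCKET };
struct file { enum ftype f_type; int f_count; };

static void fhold(struct file *fp) { fp->f_count++; }

/* Drop one reference; returns 1 when the last one went and the file is freed. */
static int fdrop(struct file *fp) { return --fp->f_count <= 0; }

/* fpathconf(2) as the advisory describes the bug: the error path for a
 * socket returns without the fdrop() that balances the fhold(). */
static int fpathconf_buggy(struct file *fp) {
    fhold(fp);
    if (fp->f_type == DTYPE_SOCKET)
        return -1;              /* leaks one reference per call */
    fdrop(fp);
    return 0;
}

/* Corrected form: every exit path releases the extra reference. */
static int fpathconf_fixed(struct file *fp) {
    int error = 0;
    fhold(fp);
    if (fp->f_type == DTYPE_SOCKET)
        error = -1;
    fdrop(fp);
    return error;
}

/* open(2) a socket (one reference), run the syscall `calls` times, then
 * close(2) it; returns 1 when the file structure is actually deallocated. */
static int close_frees_file(int (*syscall)(struct file *), int calls) {
    struct file fp = { DTYPE_SOCKET, 1 };
    for (int i = 0; i < calls; i++)
        syscall(&fp);
    return fdrop(&fp);          /* leaked references keep the file alive */
}

/* Hardened fhold(): detect the wrap the advisory describes instead of letting
 * f_count go negative (the panic in close(2)) or back to 1 (the dangling dup). */
static bool fhold_checked(struct file *fp) {
    if (fp->f_count >= INT_MAX)
        return false;           /* caller treats this as a failed reference */
    fp->f_count++;
    return true;
}
```

	With the buggy syscall, close(2) after even a single failed fpathconf(2) on a socket no longer frees the structure, which is the per-call leak that eventually wraps the counter; the checked fhold() turns that wrap into a detectable failure.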
	Although the missing fdrop() call in fpathconf(2) was noticed before  by
	Nakamura  Takayuki  <tak@st.rim.or.jp>  its   impact   was   severely


	 Update (08 January 2003)
	The following patch has been verified to  apply  to  FreeBSD  4.4,  4.5,
	4.6, and 4.7 systems :
	Path                                                             Revision
	-------------------------------------------------------------------------
