From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 17:40:08 2009
Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Oliver Pinter
Cc: freebsd-security@freebsd.org, wkoszek@FreeBSD.org
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
Message-ID: <20091111173311.T37440@maildrop.int.zabbadoz.net>
In-Reply-To: <6101e8c40907201008n62eeec05r6670a79698bc2ac7@mail.gmail.com>

On Mon, 20 Jul 2009, Oliver Pinter wrote:

Hi,

> http://milw0rm.com/exploits/9206

Has anyone actually been able to reproduce a problem scenario with
this on any supported releases (7.x or 6.x)?

The only thing I could get from that was:
	execve returned -1, errno=8: Exec format error

Similar results applied to the scenario from
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/80742
which had been filed for a 5.x system by Wojciech A. Koszek long
before the above.

/bz

-- 
Bjoern A. Zeeb                      It will not break if you know what you are doing.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 18:52:38 2009
Date: Wed, 11 Nov 2009 19:14:48 +0100 (CET)
From: Damian Weber <dweber@htw-saarland.de>
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
In-Reply-To: <20091111173311.T37440@maildrop.int.zabbadoz.net>

On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:

> On Mon, 20 Jul 2009, Oliver Pinter wrote:
>
> Hi,
>
> > http://milw0rm.com/exploits/9206
>
> Has anyone actually been able to reproduce a problem scenario with
> this on any supported releases (7.x or 6.x)?
>
> The only thing I could get from that was:
> 	execve returned -1, errno=8: Exec format error

FWIW, I got another result on 6.4-STABLE

FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3 13:06:12 CEST 2009 root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE i386

$ ./pecoff
MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
[I'm truncating here, ~3500 a's follow]aaaaa: File name too long

-- 
Damian

From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 19:00:12 2009
Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Damian Weber
Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
Message-ID: <20091111185811.P37440@maildrop.int.zabbadoz.net>

On Wed, 11 Nov 2009, Damian Weber wrote:

> FWIW, I got another result on 6.4-STABLE
>
> FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3 13:06:12 CEST 2009 root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE i386
>
> $ ./pecoff
> MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> [I'm truncating here, ~3500 a's follow]aaaaa: File name too long

Not sure if you'd see it with ktrace or not; I ran into that with my
tests as well and was told that it's a shell problem.

Try to run it from this:
------------------------------------------------------------------------
#include <err.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{

	/* exec the test binary directly, with no shell in between */
	if (execl("./pecoff", "./pecoff", (char *)NULL) == -1)
		err(1, "execl()");

	return (0);
}
------------------------------------------------------------------------

/bz

-- 
Bjoern A. Zeeb                      It will not break if you know what you are doing.
From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 19:22:18 2009
Date: Wed, 11 Nov 2009 20:22:11 +0100 (CET)
From: Damian Weber <dweber@htw-saarland.de>
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
In-Reply-To: <20091111185811.P37440@maildrop.int.zabbadoz.net>

On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:

> Not sure if you'd see it with ktrace or not; I ran into that with my
> tests as well and was told that it's a shell problem.
>
> Try to run it from this:
> ------------------------------------------------------------------------
> #include <err.h>
> #include <unistd.h>
>
> int
> main(int argc, char *argv[])
> {
>
> 	if (execl("./pecoff", "./pecoff", (char *)NULL) == -1)
> 		err(1, "execl()");
>
> 	return (0);
> }
> ------------------------------------------------------------------------

execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result.

ktrace/kdump show

...
  2380 pecoff   CALL  open(0x8048764,0x1,0)
  2380 pecoff   NAMI  "evilprog.exe"
  2380 pecoff   RET   open 3
  2380 pecoff   CALL  write(0x3,0xbfbfce80,0xfe0)
  2380 pecoff   GIO   fd 3 wrote 4064 bytes
       0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161 |MZaaaaaaaaaaaaaaaa|
       0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161 |aaaaaaaaaaaaaaaaaa|
...
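Bjoern's suggestion to exec the test binary directly, and the "shell problem" behind Damian's "File name too long", come down to one check: ask the kernel through execve(2) and read the errno it returns, with no shell in between. The program below is an added example for this thread, not code posted by any participant. It forks, calls execve on a file in the child, and passes the child's errno back over a close-on-exec pipe (EOF on the pipe means the exec succeeded). The "MZ" plus filler sample file it builds is a constructed stand-in for the thread's test file, and the function names (probe_exec, make_sample, probe_sample, verdict) are this example's own. It assumes a POSIX system with fork/exec permitted and a writable, exec-capable working directory.

```c
/* exec_probe.c - ask the kernel directly whether any image activator
 * accepts a file, instead of running it through a shell.
 * Added example for this thread; not code from any participant. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, execve(2) the file in the child, and report the child's errno
 * to the parent over a close-on-exec pipe. If the exec succeeds the
 * kernel closes the write end, the parent reads EOF, and 0 is returned.
 * A negative return means the probe itself (pipe/fork) failed. */
int probe_exec(const char *path)
{
    int pfd[2];
    if (pipe(pfd) == -1 || fcntl(pfd[1], F_SETFD, FD_CLOEXEC) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        execve(path, argv, envp);
        int e = errno;                    /* execve only returns on failure */
        if (write(pfd[1], &e, sizeof e) != (ssize_t)sizeof e)
            _exit(126);
        _exit(127);
    }
    close(pfd[1]);
    int child_errno = 0;
    ssize_t n = read(pfd[0], &child_errno, sizeof child_errno);
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    return n == (ssize_t)sizeof child_errno ? child_errno : 0;
}

/* Create a constructed sample file in the working directory with the
 * given bytes and mode; the generated path is written into buf. */
int make_sample(char *buf, size_t cap, const char *data, size_t len, mode_t mode)
{
    static const char tmpl[] = "./exec_probe.XXXXXX";
    if (cap < sizeof tmpl)
        return -1;
    memcpy(buf, tmpl, sizeof tmpl);
    int fd = mkstemp(buf);
    if (fd == -1)
        return -1;
    int ok = write(fd, data, len) == (ssize_t)len && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Build an "MZ" + filler file (constructed stand-in for the thread's test
 * file), probe it, remove it, and return the errno the kernel gave. */
int probe_sample(mode_t mode)
{
    char mz[4096];
    memcpy(mz, "MZ", 2);
    memset(mz + 2, 'a', sizeof mz - 2);
    char path[64];
    if (make_sample(path, sizeof path, mz, sizeof mz, mode) != 0)
        return -1;
    int e = probe_exec(path);
    unlink(path);
    return e;
}

/* Human-readable verdict for the errno values that matter here. */
const char *verdict(int e)
{
    switch (e) {
    case 0:       return "kernel accepted the image (an activator claimed it)";
    case ENOEXEC: return "no image activator for this format";
    case EACCES:  return "not executable / permission denied";
    default:      return strerror(e);
    }
}

int main(void)
{
    int e = probe_sample(0700);
    printf("execve on MZ sample: errno=%d: %s\n", e, verdict(e));
    return e < 0 ? 1 : 0;
}
```

ENOEXEC (errno 8, "Exec format error", the value Bjoern saw) is the kernel saying that no activator claimed the file, which is the expected answer on a kernel without the pecoff module. Only when an activator does claim it can loader code run at all, which is why the crash Damian later confirmed requires the module to be loaded. A shell, on getting ENOEXEC, falls back to reading the file as a script, so any diagnostic it then prints describes the shell's attempt, not the loader's.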
From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 19:37:51 2009
Date: Wed, 11 Nov 2009 22:37:44 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Damian Weber
Cc: "Bjoern A. Zeeb", Oliver Pinter, wkoszek@freebsd.org, freebsd-security@freebsd.org
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

Wed, Nov 11, 2009 at 07:14:48PM +0100, Damian Weber wrote:
> FWIW, I got another result on 6.4-STABLE
>
> FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3 13:06:12 CEST 2009 root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE i386
>
> $ ./pecoff
> MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa????aaaa
> [I'm truncating here, ~3500 a's follow]aaaaa: File name too long

You have no pecoff module loaded or compiled into the kernel, have you?
Your "File name too long" is spat out by the shell, so it was not
handled by the PE loader at all.
-- 
Eygene

  Remember that it is hard to read the on-line manual while
  single-stepping the kernel.    -- FreeBSD Developers handbook

From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 23:30:34 2009
Date: Thu, 12 Nov 2009 00:07:27 +0100
From: "Wojciech A. Koszek" <wkoszek@freebsd.czest.pl>
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org, Oliver Pinter
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
Message-ID: <20091111230727.GB91162@FreeBSD.org>
In-Reply-To: <20091111173311.T37440@maildrop.int.zabbadoz.net>

On Wed, Nov 11, 2009 at 05:37:50PM +0000, Bjoern A. Zeeb wrote:
> Has anyone actually been able to reproduce a problem scenario with
> this on any supported releases (7.x or 6.x)?
>
> The only thing I could get from that was:
> 	execve returned -1, errno=8: Exec format error
>
> Similar results applied to the scenario from
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/80742
> which had been filed for a 5.x system by Wojciech A. Koszek long
> before the above.

Hello,

This report has been lying in the PR database for a long time. I removed
PECOFF from CURRENT some time ago, since absolutely no one was able to
give any sensible argument for keeping the PECOFF handler.

Because PECOFF had been introduced years before I became a committer, I
wasn't sure if an MFC was a good idea back then. The reason I didn't
perform an MFC to stable releases after the "newer" report is our merge
policy. I simply haven't yet studied it.

We can consider the PECOFF bug as having "security implications", but in
order to make it "active", someone has to study NOTES and enable this
option. At first glance I see that the ports/ situation didn't change --
we seem to have 0 ports requiring PECOFF to be present.

And I can't right now confirm whether the bug is still there -- I have no
6.x and 7.x systems for testing anymore. If you want to try my code out
(available in the PR), compile PECOFF -- I remember that I provided some
sample case to panic the kernel.

I think the best way would be to remove PECOFF from 6.x and 7.x.

Thanks for CCing me.

-- 
Wojciech A. Koszek
wkoszek@FreeBSD.org
http://FreeBSD.czest.pl/~wkoszek/

From owner-freebsd-security@FreeBSD.ORG Thu Nov 12 07:45:47 2009
Date: Thu, 12 Nov 2009 08:45:16 +0100 (CET)
From: Damian Weber <dweber@htw-saarland.de>
To: Eygene Ryabinkin
Cc: "Bjoern A. Zeeb", Oliver Pinter, wkoszek@freebsd.org, freebsd-security@freebsd.org
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

On Wed, 11 Nov 2009, Eygene Ryabinkin wrote:

> You have no pecoff module loaded or compiled into the kernel, have you?
> Your "File name too long" is spat out by the shell, so it was not
> handled by the PE loader at all.

Confirmed. The code crashes the 6.4-stable machine when the pecoff
module is loaded.

Wojciech A. Koszek wrote:

> I think the best way would be to remove PECOFF from 6.x and 7.x.

Now, I'm inclined to think that, too ;-)

-- 
Damian