Date: Wed, 26 Jun 2002 18:25:28 -0700 (PDT)
From: Marc Slemko <marcs@znep.com>
To: Julian Elischer <julian@elischer.org>
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD vuln...
Message-ID: <Pine.BSF.4.20.0206261813330.38173-100000@alive.znep.com>
In-Reply-To: <Pine.BSF.4.21.0206261516150.64758-100000@InterJet.elischer.org>
On Wed, 26 Jun 2002, Julian Elischer wrote:

> The security officers of one of our clients (a large bank) tell us:
> ----begin quote---
> The Apache hole itself only allows you to execute code as Nobody, but
> there is a working exploit in the wild now that first exploits Apache and
> then a bug in memcpy on FreeBSD to gain a root shell. So at this time we
> are vulnerable to a remote root exploit.
> ------- end quote
>
> Now we are replacing apache on their systems, but does anyone know what
> the memcpy bug is?
>
> I know that the OpenBSD exploit apparently uses memcpy, but does anyone
> have details on the FreeBSD exploit?

(not sent privately since others could be confused)

The wording is inaccurate. There is a bug in Apache. It allows you, on some
platforms, to gain a shell as the user Apache runs as. On *BSD (well, on x86
at least), this is done through a bug/feature of memcpy related to negative
lengths, copying backwards to handle overlapping copies, and reloading the
length from the stack into a register.

For details on the memcpy() issue, see
http://online.securityfocus.com/archive/1/278270/2002-06-17/2002-06-23/0

No question, the real bug is in Apache for passing in a negative length;
however, the particular exploit only works due to some very interesting
details of how memcpy() is doing things that could arguably be called wrong.

As for the root compromise, on the vast majority of systems, if you
compromise the user Apache runs as, you are going to be able to exploit some
other completely unrelated pre-existing bug on the system to gain root. This
is completely unrelated to memcpy().

Net, Open, and FreeBSD share the same x86 assembly memcpy() implementation
from way back, and are all exploited in the same fashion.
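The signed-length hazard Marc describes, as an added illustration that is not code from Apache or from the BSD libc memcpy(): a negative length handed to memcpy() becomes an enormous size_t, so the defensive fix is to validate the signed value before the call. The names length_as_seen_by_memcpy, checked_copy, copy_to_scratch and scratch_starts_with are hypothetical, and the 8-byte scratch buffer is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Apache or BSD code. Models the hazard in the mail:
 * a length held in a signed variable reaches memcpy(), whose size_t
 * parameter turns a negative value into an enormous positive byte count. */

/* The count memcpy() actually receives when handed a signed length. */
size_t length_as_seen_by_memcpy(long len)
{
    return (size_t)len;          /* -1 becomes SIZE_MAX, never "a little" */
}

/* Hypothetical checked copy: validates the signed length before it can
 * reach memcpy(). Returns bytes copied, or -1 if the request is refused. */
long checked_copy(char *dst, size_t dst_cap, const char *src, long len)
{
    if (len < 0)
        return -1;               /* negative: would become a huge size_t */
    if ((size_t)len > dst_cap)
        return -1;               /* positive but larger than the buffer */
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Constructed 8-byte destination so the guard can be exercised in place. */
static char scratch[8];

long copy_to_scratch(const char *src, long len)
{
    return checked_copy(scratch, sizeof scratch, src, len);
}

int scratch_starts_with(const char *expected, size_t n)
{
    return n <= sizeof scratch && memcmp(scratch, expected, n) == 0;
}

int main(void)
{
    printf("memcpy sees -1 as %zu bytes\n", length_as_seen_by_memcpy(-1));
    printf("copy len -5  -> %ld\n", copy_to_scratch("abcdef", -5));
    printf("copy len 6   -> %ld\n", copy_to_scratch("abcdef", 6));
    printf("copy len 12  -> %ld\n", copy_to_scratch("abcdefghijkl", 12));
    return 0;
}
```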