Date:      Wed, 11 Nov 2009 20:22:11 +0100 (CET)
From:      Damian Weber <dweber@htw-saarland.de>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter <oliver.pntr@gmail.com>
Subject:   Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service  Exploit 23 R D Shaun Colley
Message-ID:  <alpine.BSF.2.00.0911112017310.60800@magritte.htw-saarland.de>
In-Reply-To: <20091111185811.P37440@maildrop.int.zabbadoz.net>
References:  <6101e8c40907201008n62eeec05r6670a79698bc2ac7@mail.gmail.com> <20091111173311.T37440@maildrop.int.zabbadoz.net> <alpine.BSF.2.00.0911111909340.60404@magritte.htw-saarland.de> <20091111185811.P37440@maildrop.int.zabbadoz.net>




On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:

> Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
> From: Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>
> To: Damian Weber <dweber@htw-saarland.de>
> Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org,
>     Oliver Pinter <oliver.pntr@gmail.com>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>     Service  Exploit 23 R D Shaun Colley
> 
> On Wed, 11 Nov 2009, Damian Weber wrote:
> 
> > 
> > 
> > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> > 
> > > Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> > > From: Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>
> > > To: Oliver Pinter <oliver.pntr@gmail.com>
> > > Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org
> > > Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> > >     Service  Exploit 23 R D Shaun Colley
> > > 
> > > On Mon, 20 Jul 2009, Oliver Pinter wrote:
> > > 
> > > Hi,
> > > 
> > > > http://milw0rm.com/exploits/9206
> > > 
> > > has anyone actually been able to reproduce a problem scenario with
> > > this on any supported releases (7.x or 6.x)?
> > > 
> > > The only thing I could get from that was:
> > > 	execve returned -1, errno=8: Exec format error
> > > 
> > 
> > FWIW, I got another result on 6.4-STABLE
> > 
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct  3
> > 13:06:12 CEST 2009     root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE
> > i386
> > 
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
> 
> 
> Not sure if you'd see it with ktrace or not;  I ran into that with my
> tests as well and was told that it's a shell problem.
> 
> try to run it from this:
> ------------------------------------------------------------------------
> /* Start ./pecoff with execl() directly, so no shell sits between us
>  * and the kernel's image activator. */
> #include <unistd.h>
> #include <err.h>
> 
> int
> main(int argc, char *argv[])
> {
> 
> 	/* No further arguments; the list must end with a NULL char pointer
> 	 * (the cast keeps the sentinel pointer-sized in the variadic call). */
> 	if (execl("./pecoff", "./pecoff", (char *)NULL) == -1)
> 		err(1, "execl()");
> 
> 	return (0);
> }
> ------------------------------------------------------------------------

execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result.

ktrace/kdump show

...
 2380 pecoff   CALL  open(0x8048764,0x1,0)
 2380 pecoff   NAMI  "evilprog.exe"
 2380 pecoff   RET   open 3
 2380 pecoff   CALL  write(0x3,0xbfbfce80,0xfe0)
 2380 pecoff   GIO   fd 3 wrote 4064 bytes
       0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161  |MZaaaaaaaaaaaaaaaa|
       0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161  |aaaaaaaaaaaaaaaaaa|
...





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.0911112017310.60800>