From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 19:22:18 2009
Date: Wed, 11 Nov 2009 20:22:11 +0100 (CET)
From: Damian Weber
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
In-Reply-To: <20091111185811.P37440@maildrop.int.zabbadoz.net>
References: <6101e8c40907201008n62eeec05r6670a79698bc2ac7@mail.gmail.com> <20091111173311.T37440@maildrop.int.zabbadoz.net> <20091111185811.P37440@maildrop.int.zabbadoz.net>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
List-Id: "Security issues [members-only posting]"

On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:

> Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC)
> From: Bjoern A. Zeeb
> To: Damian Weber
> Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
>     Service Exploit 23 R D Shaun Colley
>
> On Wed, 11 Nov 2009, Damian Weber wrote:
>
> > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote:
> >
> > > Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC)
> > > From: Bjoern A. Zeeb
> > > To: Oliver Pinter
> > > Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org
> > > Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of
> > >     Service Exploit 23 R D Shaun Colley
> > >
> > > On Mon, 20 Jul 2009, Oliver Pinter wrote:
> > >
> > > Hi,
> > >
> > > > http://milw0rm.com/exploits/9206
> > >
> > > has anyone actually been able to reproduce a problem scenario with
> > > this on any supported releases (7.x or 6.x)?
> > >
> > > The only thing I could get from that was:
> > >   execve returned -1, errno=8: Exec format error
> >
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3
> > 13:06:12 CEST 2009 root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE
> > i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaîîîîaaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
> Not sure if you'd see it with ktrace or not; I ran into that with my
> tests as well and was told that it's a shell problem.
>
> try to run it from this:
> ------------------------------------------------------------------------
> #include <err.h>
> #include <unistd.h>
>
> int
> main(int argc, char *argv[])
> {
>
> 	if (execl("./pecoff", "./pecoff", NULL) == -1)
> 		err(1, "execl()");
>
> 	return (0);
> }
> ------------------------------------------------------------------------

execl() and /usr/local/bin/bash (bash-3.2.48_1) produce the same result.

ktrace/kdump show

...
 2380 pecoff   CALL  open(0x8048764,0x1,0)
 2380 pecoff   NAMI  "evilprog.exe"
 2380 pecoff   RET   open 3
 2380 pecoff   CALL  write(0x3,0xbfbfce80,0xfe0)
 2380 pecoff   GIO   fd 3 wrote 4064 bytes
       0x0000 4d5a 6161 6161 6161 6161 6161 6161 6161 6161  |MZaaaaaaaaaaaaaaaa|
       0x0012 6161 6161 6161 6161 6161 6161 6161 6161 6161  |aaaaaaaaaaaaaaaaaa|
...
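The exec-without-a-shell check Bjoern suggests above, carried one step further as an added example (this is not code from the thread, from the milw0rm post, or from FreeBSD): the program below writes a constructed 4064-byte stand-in for evilprog.exe (the "MZ" magic followed by filler, the shape the kdump output shows; it is not the milw0rm payload), sets the exec bit, and execve()s it from a forked child, handing the child's errno back over a close-on-exec pipe so the parent sees exactly what the kernel answered. Without a loaded PE/COFF image activator (and, on a stock Linux, without a binfmt_misc entry for "MZ") the answer is ENOEXEC, i.e. the "errno=8: Exec format error" Bjoern reported. The "File name too long" seen from the shell is consistent with bash's own ENOEXEC fallback, which re-reads the file as a script and tries to run its first line as a command; the harness below never gives the shell that chance. The file name, the 0755 mode and the errno-over-pipe harness are this example's choices.

```c
/*
 * Added example (not from the thread): exec a constructed, malformed
 * "PE/COFF" file directly via execve() and report the kernel's errno,
 * bypassing the shell so its ENOEXEC fallback cannot mask the result.
 */
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define EVIL_LEN 4064	/* same size the kdump output above shows being written */

/*
 * Write a file that starts with the DOS "MZ" magic followed by filler.
 * Constructed stand-in for the thread's evilprog.exe, NOT the milw0rm
 * payload.  Returns 0 on success, -1 on failure.
 */
int
write_bogus_pe(const char *path)
{
	unsigned char buf[EVIL_LEN];
	FILE *fp;

	memset(buf, 'a', sizeof(buf));
	buf[0] = 'M';
	buf[1] = 'Z';

	if ((fp = fopen(path, "wb")) == NULL)
		return (-1);
	if (fwrite(buf, 1, sizeof(buf), fp) != sizeof(buf)) {
		(void)fclose(fp);
		return (-1);
	}
	if (fclose(fp) != 0)
		return (-1);
	/*
	 * The exec bit must be set, or execve() fails with EACCES before
	 * the kernel ever looks at the image format.
	 */
	return (chmod(path, 0755));
}

/*
 * Fork, execve() the file in the child, and pass the child's errno back
 * through a close-on-exec pipe.  Returns the execve() errno, 0 if the
 * exec actually succeeded (the pipe closes without data), or -1 if the
 * harness itself (pipe/fork/read/waitpid) failed.
 */
int
exec_errno(const char *path)
{
	char *const argv[] = { (char *)path, NULL };
	char *const envp[] = { NULL };
	int fds[2], e = 0, status;
	pid_t pid;
	ssize_t n, w;

	if (pipe(fds) == -1)
		return (-1);
	if (fcntl(fds[1], F_SETFD, FD_CLOEXEC) == -1)
		return (-1);
	if ((pid = fork()) == -1)
		return (-1);
	if (pid == 0) {
		(void)close(fds[0]);
		(void)execve(path, argv, envp);
		e = errno;		/* only reached when execve() failed */
		w = write(fds[1], &e, sizeof(e));
		(void)w;
		_exit(127);
	}
	(void)close(fds[1]);
	n = read(fds[0], &e, sizeof(e));	/* 0 bytes: exec succeeded */
	(void)close(fds[0]);
	if (waitpid(pid, &status, 0) == -1 || n == -1)
		return (-1);
	return (n == (ssize_t)sizeof(e) ? e : 0);
}

int
main(void)
{
	const char *path = "evilprog.exe";
	int e;

	if (write_bogus_pe(path) == -1)
		err(1, "%s", path);
	e = exec_errno(path);
	printf("execve(%s): %s (errno=%d)\n", path,
	    e == 0 ? "succeeded" : strerror(e), e);
	return (e == ENOEXEC ? 0 : 1);
}
```

Running it from a shell is fine, because the shell only execs this harness; the malformed file is reached through execve() alone, and the printed errno is the kernel's verdict on the image, not the shell's attempt to interpret it. If the kernel does have an image activator for the format, the child replaces itself and exec_errno() returns 0, which is the case the thread was trying to reach.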