From: Damian Weber
Date: Thu, 12 Nov 2009 08:45:16 +0100 (CET)
To: Eygene Ryabinkin
Cc: "Bjoern A. Zeeb", Oliver Pinter, wkoszek@freebsd.org, freebsd-security@freebsd.org
Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
References: <6101e8c40907201008n62eeec05r6670a79698bc2ac7@mail.gmail.com> <20091111173311.T37440@maildrop.int.zabbadoz.net>
List-Id: "Security issues [members-only posting]"

On Wed, 11 Nov 2009, Eygene Ryabinkin wrote:

> Date: Wed, 11 Nov 2009 22:37:44 +0300
> From: Eygene Ryabinkin
> To: Damian Weber
> Cc: Bjoern A. Zeeb, freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
>
> Wed, Nov 11, 2009 at 07:14:48PM +0100, Damian Weber wrote:
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3 13:06:12 CEST 2009 root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa????aaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
> You have no pecoff module loaded or compiled into the kernel, do you?
> Your "File name too long" is spat out by the shell, so the file was not
> handled by the PE loader at all.

Confirmed. The code crashes the 6.4-STABLE machine when the pecoff module is loaded.

Wojciech A. Koszek wrote:

> I think the best way would be to remove PECOFF from 6.x and 7.x.

Now, I'm inclined to think that, too ;-)

-- 
Damian
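A way to make Eygene's distinction mechanically, added here as an example that is not from the thread or from FreeBSD: execve(2) the file directly and read the errno, since ENOEXEC means no kernel image activator (such as the pecoff module) claimed the format, and any "File name too long" or "command not found" that follows comes from the shell re-reading the file as a script. The probe file is a constructed one with a made-up "XYZZY" magic, not a PE image, so it exercises the shell fallback without handing anything to a PE loader; `/bin/sh` and a writable directory next to the script are assumed.

```python
import errno
import os
import subprocess
import tempfile


def write_unrecognised_executable(directory, first_word_len=3500):
    # Constructed input: a made-up "XYZZY" magic followed by a long first
    # word.  Deliberately not an MZ/PE header, so no PE loader can claim it.
    path = os.path.join(directory, "unknownfmt")
    with open(path, "wb") as fh:
        fh.write(b"XYZZY" + b"a" * first_word_len + b"\n")
    os.chmod(path, 0o700)
    return path


def direct_exec_errno(path):
    # execve(2) with no shell in between: the kernel alone decides whether an
    # image activator exists for this header.  ENOEXEC means none claimed it.
    try:
        subprocess.run([path], check=False)
    except OSError as exc:
        return exc.errno
    return 0  # some activator accepted the file and ran it


def shell_exec_result(path):
    # Same file via /bin/sh: on ENOEXEC the shell re-reads it as a script and
    # tries the long first word as a command name, so the "File name too long"
    # (FreeBSD sh) or "command not found" is the shell talking, not a loader.
    proc = subprocess.run(["/bin/sh", "-c", path], capture_output=True, text=True)
    return proc.returncode, proc.stderr.strip()


def diagnose():
    # Build the probe next to this script, try both paths, report which layer failed.
    directory = os.path.dirname(os.path.abspath(__file__))
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        path = write_unrecognised_executable(tmp)
        err = direct_exec_errno(path)
        rc, msg = shell_exec_result(path)
    return {
        "direct_errno": err,
        "kernel_claims_format": err != errno.ENOEXEC,
        "shell_returncode": rc,
        "shell_message": msg,
    }
```

Calling `diagnose()` reports `direct_errno == ENOEXEC` and `kernel_claims_format == False` for this probe, which is the same situation the "File name too long" output in the thread indicated: the shell, not a kernel loader, produced the error.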