Date: Sat, 08 May 1999 22:21:43 -0600
From: Wes Peters <wes@softweyr.com>
To: Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: Kevin Day <toasty@HOME.DRAGONDATA.COM>, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
Message-ID: <37350D57.C21154@softweyr.com>
References: <199905090326.UAA19750@salsa.gv.tsc.tdk.com>
Don Lewis wrote:
>
> On May 7, 11:34pm, Wes Peters wrote:
> } Subject: Re: KKIS.05051999.003b
> } Don Lewis wrote:
> } >
> } > On May 6, 2:10pm, Kevin Day wrote:
> } > }
> } > } Here's my testing so far:
> } > }
> } > } 2.2.2 - Vulnerable
> } > } 2.2.6 - Vulnerable
> } > } 2.2.8 - Vulnerable
> } > } 3.1-RELEASE - Ran 15 minutes, no crash.
> }
> } Let it keep running. It will (apparently) eventually exhaust all
> } available file handles in an unrecoverable manner. 3.1-R is better,
> } but not invulnerable.
>
> I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
> panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
> something. The exploit code should not result in any calls to unp_gc(),
> because the client receives all the descriptors that are sent by the server.
Actually it doesn't. If you look up the first message I posted on this
subject, I listed the error messages it produces, many of which indicated
the client didn't get a descriptor from the server IIRC. Maybe that's
how the descriptors are being lost; they've been sent on a UNIX domain
socket and so have to remain open, have been closed by the server, working
around its limits, and have not been read by the client?
> This should result in unp_rights being 0 except when the descriptor is
> in flight. If unp_rights is 0 when the socket is closed, unp_gc() should not
> be called. unp_gc() should only be called if the client closes the socket before
> receiving the descriptor.
>
> Maybe a third process occasionally gets scheduled while the exploit code
> has the descriptor in flight and causes unp_gc() to get executed. If so,
> then the exploit shouldn't cause a problem in single user mode.
I haven't had time to research this any further; I spent today chasing
a VERY energetic toddler. I'm too old for this. ;^)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com
