From owner-freebsd-hackers@FreeBSD.ORG Thu Sep 16 22:17:40 2004
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1201C16A4CE for ; Thu, 16 Sep 2004 22:17:40 +0000 (GMT)
Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F14DF43D46 for ; Thu, 16 Sep 2004 22:17:39 +0000 (GMT) (envelope-from julian@elischer.org)
Received: from elischer.org (julian.vicor-nb.com [208.206.78.97]) by mail.vicor-nb.com (Postfix) with ESMTP id BEEAA7A3D2; Thu, 16 Sep 2004 15:17:39 -0700 (PDT)
Message-ID: <414A1103.2030809@elischer.org>
Date: Thu, 16 Sep 2004 15:17:39 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3.1) Gecko/20030516
X-Accept-Language: en, hu
MIME-Version: 1.0
To: gerarra@tin.it
References: <4146316C00007764@ims3a.cp.tin.it>
In-Reply-To: <4146316C00007764@ims3a.cp.tin.it>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-hackers@freebsd.org
Subject: Re: FreeBSD kernel buffer overflow
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 16 Sep 2004 22:17:40 -0000

As you point out, gerarra@tin.it wrote:

> Topic: Buffer Overflow in FreeBSD
> Versions: All the versions of FreeBSD are broken (4.x, 5.x, 6.0)
> Arch: x86
> Date: 16/09/2004
>
>
> A buffer overflow has been found in i386/i386/trap.c syscall() function
> of FreeBSD official source tree.
>
> [...]

As you say below this is not exploitable except for root.

The number of arguments for a syscall is defined within the kernel and is
not supplied from an untrusted source. This means that this is not a
security problem.

To load a kernel module you must be root (and not in a jail), meaning that
if you wanted to, the quicker and easier exploit would be /bin/sh :-)

The arg mask is not there for security, but rather to allow other values
to be stored in the same longword.

> It's exploitable, but the only one way I discovered is to link a new
> syscall to the sysent array and to do this you need to be root; I've no
> time to work on this vulnerability, but I think another way could be
> found. However it could give serious problems (e.g. kernel crashes).
>
>
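The point of the reply above is that the argument count used by the syscall() argument copy comes from the kernel's own sysent table, not from the user, and that the low bits of that table word hold the count while the remaining bits hold flags. The following toy model, added here as an illustration and not code from the thread or from FreeBSD, shows that data flow and the cheap defensive bound a maintainer would keep around it: the count is read from a trusted table, masked out of the shared word, checked against the buffer capacity, and only then used to size the copy from user space. All names and constants (ARGMASK, FLAG_MPSAFE, MAXARGS, the entry layout, copyin_sim) are assumptions of this model, not the kernel's definitions; the check_table() function is the kind of invariant check that would reject a mis-sized entry at the moment something (such as a loaded module) adds it to the table, which is the case the thread discusses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Toy model of a sysent-style syscall table and the argument-copy step.
 * Constructed for this example; names and constants are assumptions of the
 * model, not FreeBSD's own definitions.
 */
#define ARGMASK     0xff   /* low byte of the entry word: argument count */
#define FLAG_MPSAFE 0x100  /* other bits of the same word carry flags */
#define MAXARGS     8      /* capacity of the on-stack argument buffer */

struct sysent_entry {
    int narg_and_flags;    /* count in the low bits, flags above */
    const char *name;
};

/* Kernel-defined table: the only source of the argument count. */
static const struct sysent_entry sysent[] = {
    { 0,               "nosys"     },
    { 1 | FLAG_MPSAFE, "exit"      },
    { 3,               "read"      },
    { 3,               "write"     },
    { 6 | FLAG_MPSAFE, "mmap_like" },
};
#define NSYSENT (sizeof(sysent) / sizeof(sysent[0]))

enum dispatch_result {
    DISPATCH_OK,
    DISPATCH_BAD_SYSCALL,
    DISPATCH_TOO_MANY_ARGS,
    DISPATCH_COPYIN_FAILED
};

/* The count and the flag bits are unpacked from the same word. */
static int entry_narg(const struct sysent_entry *e)
{
    return e->narg_and_flags & ARGMASK;
}

int is_mpsafe(const struct sysent_entry *tbl, size_t ntbl, unsigned code)
{
    return code < ntbl && (tbl[code].narg_and_flags & FLAG_MPSAFE) != 0;
}

/* Invariant the copy step relies on: every entry's count fits the buffer.
 * Run over a table when it is built or when an entry is added, so a
 * mis-sized entry is caught before any dispatch reaches it. 1 = all ok. */
int check_table(const struct sysent_entry *tbl, size_t ntbl)
{
    for (size_t i = 0; i < ntbl; i++)
        if (entry_narg(&tbl[i]) > MAXARGS)
            return 0;
    return 1;
}

/* Simulated copyin: user_args stands in for the user stack, of which
 * user_len bytes are readable. Fails (EFAULT-like) on a short read. */
static int copyin_sim(const uint32_t *user_args, size_t user_len,
                      uint32_t *dst, size_t n)
{
    if (n > user_len)
        return -1;
    memcpy(dst, user_args, n);
    return 0;
}

/* Dispatch step: read the count from the trusted table, bound it against
 * the buffer, then copy exactly that many words from user space. */
enum dispatch_result dispatch(const struct sysent_entry *tbl, size_t ntbl,
                              unsigned code, const uint32_t *user_args,
                              size_t user_len, int *narg_out)
{
    uint32_t args[MAXARGS];
    int narg;

    if (code >= ntbl)
        return DISPATCH_BAD_SYSCALL;
    narg = entry_narg(&tbl[code]);
    /* The table is trusted, but the bound is cheap and turns a bad entry
     * into a clean failure instead of an overrun of args[]. */
    if (narg > MAXARGS)
        return DISPATCH_TOO_MANY_ARGS;
    if (narg > 0 &&
        copyin_sim(user_args, user_len, args,
                   (size_t)narg * sizeof(uint32_t)) != 0)
        return DISPATCH_COPYIN_FAILED;
    *narg_out = narg;
    return DISPATCH_OK;
}

/* Stand-alone run: exit status 0 when the built-in table passes the check
 * and a constructed 6-word user stack dispatches "read" (3 args). */
int main(void)
{
    uint32_t user_stack[6] = { 1, 2, 3, 4, 5, 6 };  /* constructed input */
    int narg = -1;

    if (!check_table(sysent, NSYSENT))
        return 1;
    return dispatch(sysent, NSYSENT, 2, user_stack, sizeof user_stack,
                    &narg) == DISPATCH_OK && narg == 3 ? 0 : 1;
}
```

The model keeps the user-controlled quantity (the syscall number) as nothing more than an index that is range-checked, while the quantity that sizes the copy is only ever read from the table; the one way to get an oversized count into the copy is to put an oversized entry into the table, which check_table() is there to refuse.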