From owner-freebsd-security@FreeBSD.ORG Wed Nov 11 19:00:12 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 92C61106566B; Wed, 11 Nov 2009 19:00:12 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [IPv6:2001:4068:10::3]) by mx1.freebsd.org (Postfix) with ESMTP id 229968FC19; Wed, 11 Nov 2009 19:00:12 +0000 (UTC) Received: from localhost (amavis.fra.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id AE14641C75C; Wed, 11 Nov 2009 20:00:06 +0100 (CET) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([192.168.74.103]) by localhost (amavis.fra.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id fOhaQQenX1zt; Wed, 11 Nov 2009 20:00:06 +0100 (CET) Received: by mail.cksoft.de (Postfix, from userid 66) id 0CECF41C75B; Wed, 11 Nov 2009 20:00:06 +0100 (CET) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 098C64448E6; Wed, 11 Nov 2009 18:59:24 +0000 (UTC) Date: Wed, 11 Nov 2009 18:59:24 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Damian Weber In-Reply-To: Message-ID: <20091111185811.P37440@maildrop.int.zabbadoz.net> References: <6101e8c40907201008n62eeec05r6670a79698bc2ac7@mail.gmail.com> <20091111173311.T37440@maildrop.int.zabbadoz.net> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-1622372092-1257965964=:37440" Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org, Oliver Pinter Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Nov 2009 19:00:12 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --0-1622372092-1257965964=:37440 Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: QUOTED-PRINTABLE On Wed, 11 Nov 2009, Damian Weber wrote: > > > On Wed, 11 Nov 2009, Bjoern A. Zeeb wrote: > >> Date: Wed, 11 Nov 2009 17:37:50 +0000 (UTC) >> From: Bjoern A. Zeeb >> To: Oliver Pinter >> Cc: freebsd-security@freebsd.org, wkoszek@freebsd.org >> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of >> Service Exploit 23 R D Shaun Colley >> >> On Mon, 20 Jul 2009, Oliver Pinter wrote: >> >> Hi, >> >>> http://milw0rm.com/exploits/9206 >> >> has anyone actually been able to reproduce a problem scenario with >> this on any supported releases (7.x or 6.x)? >> >> The only thing I gould get from that was: >> =09execve returned -1, errno=3D8: Exec format error >> > > FWIW, I got another result on 6.4-STABLE > > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3 13:0= 6:12 CEST 2009 root@hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE i3= 86 > > $ ./pecoff > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=EE=EE=EE=EEa= aaa > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long Not sure if you'd see it with ktrace or not; I ran into that with my tests as well and was told that it's a shell problem. try to run it from this: ------------------------------------------------------------------------ #include #include int main(int argc, char *argv[]) { =09if (execl("./pecoff", "./pecoff", NULL) =3D=3D -1) =09=09err(1, "execl()"); =09return (0); } ------------------------------------------------------------------------ /bz --=20 Bjoern A. Zeeb It will not break if you know what you are doing. --0-1622372092-1257965964=:37440--