[10495] in bugtraq
Re: KKIS.05051999.003b
daemon@ATHENA.MIT.EDU (Don Lewis)
Sat May 8 18:08:44 1999
Message-Id: <199905080021.RAA16889@salsa.gv.tsc.tdk.com>
Date: Fri, 7 May 1999 17:21:24 -0700
Reply-To: Don Lewis <Don.Lewis@TSC.TDK.COM>
From: Don Lewis <Don.Lewis@TSC.TDK.COM>
X-To: Kevin Day <toasty@HOME.DRAGONDATA.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Kevin Day <toasty@HOME.DRAGONDATA.COM> "Re: KKIS.05051999.003b" (May 6, 2:10pm)
On May 6, 2:10pm, Kevin Day wrote:
} Subject: Re: KKIS.05051999.003b
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > Report title : Security problem with sockets in FreeBSD's
} > implementation of UNIX-domain protocol family.
} > Problem found by : Lukasz Luzar (lluzar@security.kki.pl)
} > Report created by : Robert Pajak (shadow@security.kki.pl)
} > Lukasz Luzar (lluzar@security.kki.pl)
} > Report published : 5th May 1999
} > Report code : KKIS.05051999.003.b
} > Systems affected : FreeBSD-3.0 and maybe 3.1,
} > Archive : http://www.security.kki.pl/advisories/
} > Risk level : high
} >
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > As you know, "The UNIX-domain protocol family is a collection of protocols
} > that provides local interprocess communication through the normal socket
} > mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
} > filesystem pathnames for addressing."
} > SOCK_STREAM sockets also support the communication of UNIX file
} > descriptors through the use of the functions sendmsg() and recvmsg().
} > While testing UNIX-domain protocols, we have found a probable bug in
} > FreeBSD's implementation of this mechanism.
} > When we ran the attached example on FreeBSD-3.0 as a local user, the system
} > crashed immediately with the error "Supervisor read, page not present"
} > in kernel mode.
} >
}
} Here's my testing so far:
}
} 2.2.2 - Vulnerable
} 2.2.6 - Vulnerable
} 2.2.8 - Vulnerable
} 3.1-RELEASE - Ran 15 minutes, no crash.
I'd be willing to bet that 3.0-RELEASE is also vulnerable. I believe
Matt Dillon fixed this earlier this year in revisions 1.38/1.39 (-CURRENT
branch January 21, 1999) and 1.37.2.1 (RELENG_3 branch February 15, 1999) of
sys/kern/uipc_usrreq.c. The RELENG_3 branch fix was committed just before
3.1-RELEASE.