[UNIX] Local Security Bug in OpenBSD Semaphore Handling

From: SecuriTeam (support_at_securiteam.com)
Date: 09/14/03

  • Next message: SecuriTeam: "[EXPL] Integer Overflow in OpenBSD Kernel (PoC)" 
    To: list@securiteam.com
Date: 14 Sep 2003 14:32:38 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Local Security Bug in OpenBSD Semaphore Handling
    ------------------------------------------------------------------------

    SUMMARY

    The <http://openbsd.org/> OpenBSD project "produces a FREE,
    multi-platform 4.4BSD-based UNIX-like operating system. OpenBSD's effort
    emphasize on portability, standardization, correctness, proactive security
    and integrated cryptography."

    An integer overflow condition exists in the OpenBSD 3.3-release kernel and
    all previous versions. It is possible for root to write to semi-arbitrary
    kernel memory irrespective of securelevel(7). This potentially bypasses
    securelevel as root may modify the running kernel, introducing kernel
    level backdoors etc.

    DETAILS

    Vulnerable Systems:
     * OpenBSD kernel (3.3-release, -current before 10/09/2003) and prior

    The mechanism used to achieve this is an integer overflow in the semget(2)
    syscall, described below:
    sys_semget() allocates a buffer here:
    src/sys/kern/sysv_sem.c:
    sys_semget():
      semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
          M_SEM, M_WAITOK);

    Provided the following checks are passed:
    src/sys/kern/sysv_sem.c:
    sys_semget():
      if (nsems <= 0 || nsems > seminfo.semmsl) {
          DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
            seminfo.semmsl));
          return (EINVAL);
      }
      if (nsems > seminfo.semmns - semtot) {
          DPRINTF(("not enough semaphores left (need %d, got %d)\n",
            nsems, seminfo.semmns - semtot));
          return (ENOSPC);
      }

    If these checks are passed and the buffer is successfully allocated, the
    nsems (number of semaphores) value associated with the semaphore set is
    set here:
    src/sys/kern/sysv_sem.c:
    sys___semctl():
      semaptr_new->sem_nsems = nsems;

    Please also note that an int is being assigned to a short here, which is a
    potential source of another bug. Since root is able to raise the values of
    seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl, it is
    possible to mis-size the malloc'd buffer, allowing memory to be read and
    written via the semctl(2) syscall.

    Workaround:
    None, don't trust securelevel(7) to protect your kernel.

    Fix:
    Upgrade to -current

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:blexim@hush.com> blexim

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Integer Overflow in OpenBSD Kernel (PoC)"

    Relevant Pages