[UNIX] Local Security Bug in OpenBSD Semaphore Handling

• Previous message: SecuriTeam: "[UNIX] Buffer Overflow in MySQL (PASSWORD)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 14 Sep 2003 14:32:38 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Local Security Bug in OpenBSD Semaphore Handling
------------------------------------------------------------------------

SUMMARY

The <http://openbsd.org/> OpenBSD project "produces a FREE,
multi-platform 4.4BSD-based UNIX-like operating system. OpenBSD's effort
emphasize on portability, standardization, correctness, proactive security
and integrated cryptography."

An integer overflow condition exists in the OpenBSD 3.3-release kernel and
all previous versions. It is possible for root to write to semi-arbitrary
kernel memory irrespective of securelevel(7). This potentially bypasses
securelevel as root may modify the running kernel, introducing kernel
level backdoors etc.

DETAILS

Vulnerable Systems:
 * OpenBSD kernel (3.3-release, -current before 10/09/2003) and prior

The mechanism used to achieve this is an integer overflow in the semget(2)
syscall, described below:
sys_semget() allocates a buffer here:
src/sys/kern/sysv_sem.c:
sys_semget():
  semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
      M_SEM, M_WAITOK);

Provided the following checks are passed:
src/sys/kern/sysv_sem.c:
sys_semget():
  if (nsems <= 0 || nsems > seminfo.semmsl) {
      DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
        seminfo.semmsl));
      return (EINVAL);
  }
  if (nsems > seminfo.semmns - semtot) {
      DPRINTF(("not enough semaphores left (need %d, got %d)\n",
        nsems, seminfo.semmns - semtot));
      return (ENOSPC);
  }

If these checks are passed and the buffer is successfully allocated, the
nsems (number of semaphores) value associated with the semaphore set is
set here:
src/sys/kern/sysv_sem.c:
sys___semctl():
  semaptr_new->sem_nsems = nsems;

Please also note that an int is being assigned to a short here, which is a
potential source of another bug. Since root is able to raise the values of
seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl, it is
possible to mis-size the malloc'd buffer, allowing memory to be read and
written via the semctl(2) syscall.

Workaround:
None, don't trust securelevel(7) to protect your kernel.

Fix:
Upgrade to -current

ADDITIONAL INFORMATION

The information has been provided by <mailto:blexim@hush.com> blexim

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Buffer Overflow in MySQL (PASSWORD)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]