OpenBSD Remote Exploit Only two remote holes in the default install - - PowerPoint PPT Presentation
OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability was found: The m dup1()
Researching the “OpenBSD 008: RELIABILITY FIX” a new vulnerability was found: The m dup1() function causes an overflow on the mbuf structure, used by the kernel to store network packets.
mbuf1 mbuf2 mbuf3 mbuf4 End of overflow Copy direction
The function m freem() crashed...
/ s y s /mbuf . h #d e f i n e MEXTREMOVE(m) do { \ i f (MCLISREFERENCED(m)) { \ MCLDEREFERENCE(m) ; \ } e l s e i f ((m )−>m f l a g s & M CLUSTER) { \ p o o l p u t (&mclpool , (m )−>m ext . e x t b u f ) ; \ } e l s e i f ((m )−>m ext . e x t f r e e ) { \ (∗((m )−>m ext . e x t f r e e ) ) ( (m )−>m ext . ext buf , \ (m )−>m ext . e x t s i z e , (m )−>m ext . e x t a r g ) ; \ } e l s e { \ f r e e ((m )−>m ext . ext buf , (m )−>m ext . e x t t y p e ) ; \ } \ (m )−>m f l a g s &= ˜(M CLUSTER|M EXT ) ; \ (m )−>m ext . e x t s i z e = 0; /∗ why ??? ∗/ \ } while (/∗ CONSTCOND ∗/ 0)
We use two IcmpV6 packets as the attack vector
Header
Fragmentation Header IPv6 Header
Mbuf chain Fragment 2
Icmpv6
Icmpv6 Header Trampoline ShellCode SyscallHook Payload
Header mbuf 2 mbuf 1 Header mbuf 3
Hop−by−Hop Header Fragmentation Header IPv6 Header
Fragment 1
We really don’t know where in kernel-land we are. But ESI is pointing to our code.
User process Hooked syscall ShellCode Kernel Ring 0 Ring 3 Kernel Int 0x80 ShellCode ? ? ? ? ? ? ? ? ? ? ?
Initial situation Final situation
iret Where we are? Ring 0 ESI
We hook the system call (Int 0x80)
User process INT 0x80 Kernel return Hook Hooked syscall User process INT 0x80 Kernel Ring 3 Ring 0 return Normal syscall
Normal System Call Hooked System Call
Note: If the OS uses SYSENTER for system calls, the operation is slightly different.
i386: uses CS selector to limit the execution. To disable WˆX, we extend CS from ring0.
Extension Extension User Code Segment (CS) User Data Segment (DS) 0x00000000 0xffffffff 4 GB 512 MB stack
.so .text stack heap .so
Our algorithm, independent of the Kernel: s l d t ax ; Store LDT index
sub esp , byte 0 x7f sgdt [ esp +4] ; Store g l o b a l d e s c r i p t o r t a b l e mov ebx , [ esp +6] add esp , byte 0 x7f push eax ; Save l o c a l d e s c r i p t o r t a b l e index mov edx , [ ebx+eax ] mov ecx , [ ebx+eax+0x4 ] shr edx ,16 ; base low− − >edx mov eax , ecx s h l eax ,24 ; base middle − − > edx shr eax ,8
edx , eax mov eax , ecx ; b a s e h i g h − − > edx and eax ,0 xff000000
edx , eax mov ebx , edx ; ldt− − > ebx ; Extend CS s e l e c t o r
dword [ ebx+0x1c ] , 0 x000f0000 ; Extend DS s e l e c t o r
dword [ ebx+0x24 ] , 0 x000f0000
Ring 3 User Stack Ring 3 User Stack
2.mmap() 3.copy 4.jmp to mmaped mprotect() extends CS permanently
2.fork() From kernel... From kernel...
3.Standard
user−mode code user−mode code
The same strategy than on user-space. Used on PaX (http://pax.grsecurity.net) for Linux. 0x00000000 0xffffffff 4 GB
kernel
0xD0000000 0xD1000000 Kernel Code Segment (CS) Kernel Data Segment (DS)
CS shrink
mbuf chains, etc