Tuesday, March 13, 2007

Second OpenBSD remote hole in more than a decade!

A remote kernel buffer overflow in OpenBSD's IPv6 networking stack was found by CORE Security Technologies. The hole involves incorrect handling of mbufs, a type of data structure used in the kernel for managing network packets.

Exploitation of the bug can be done in two different ways. One is to overwrite a function pointer found inside the mbuf struct. This function pointer, 'mbuf.MH_ext->ext_free' can be controlled by an attacker when the mbuf contents is overwritten. When the mbuf is free'd the instruction it points to will be executed. The CORE security advisory POC uses a ret2text technique which jumps to an int3 instruction, which triggers 'ddb'.

The other way to exploit this bug is to use a technique typically used in userland heap overflows. The mbuf's are stored in a linked list, sort of the same way heap chunks are managed by libc. In the mbuf struct there are forward and backwards pointers (ext_nextref and ext_prevref), control of these pointers allows for an arbitrary 4 byte kernel memory overwrite.


This officially bumps the now-famous counter on www.openbsd.org from "only one remote hole" to "only two remote holes in the default install, in more than 10 years!" The previous remote hole was an OpenSSH hole found by Mark Dowd in June 2002.

In a way, it is not too surprising to find a hole in the mbufs -- as anyone who has ever tinkered with mbufs on BSD systems would tell you, the mbuf API is a very tricky beast.

If you run an OpenBSD system, you're advised to patch your kernel using this patch. The upcoming OpenBSD 4.1 is NOT affected by this bug.

No comments: