2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley

Wojciech A. Koszek wkoszek at freebsd.org
Wed Nov 11 23:30:34 UTC 2009

On Wed, Nov 11, 2009 at 05:37:50PM +0000, Bjoern A. Zeeb wrote:
> On Mon, 20 Jul 2009, Oliver Pinter wrote:
> Hi,
>> http://milw0rm.com/exploits/9206
> has anyone actually been able to reproduce a problem scenario with
> this on any supported releases (7.x or 6.x)?
> The only thing I could get from that was:
> 	execve returned -1, errno=8: Exec format error
> Similar results applied to the scenario from
> 	http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/80742
> which had been filed for a 5.x system by Wojciech A. Koszek long
> before the above.


This report has been lying in the PR database for a long time. I removed
PECOFF from CURRENT some time ago, since absolutely no one was able to give
any sensible argument for keeping the PECOFF handler.

Because PECOFF had been introduced years before I became a committer, I wasn't
sure if an MFC was a good idea back then.  The reason I didn't perform an MFC to
stable releases after the "newer" report is our merge policy. I simply haven't
studied it yet.

We can consider the PECOFF bug as having "security implications", but in order to
make it "active", someone has to study NOTES and enable this option. At
first glance I see that the ports/ situation didn't change -- we seem to have 0
ports requiring PECOFF to be present.

And I can't confirm right now whether the bug is still there -- I have no 6.x
or 7.x systems for testing anymore.

If you want to try my code out (available in the PR), compile PECOFF -- I remember
that I provided a sample case to panic the kernel.

I think the best way would be to remove PECOFF from 6.x and 7.x.

Thanks for CCing me.

Wojciech A. Koszek
wkoszek at FreeBSD.org
