2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
Damian Weber
dweber at htw-saarland.de
Thu Nov 12 07:45:47 UTC 2009
On Wed, 11 Nov 2009, Eygene Ryabinkin wrote:
> Date: Wed, 11 Nov 2009 22:37:44 +0300
> From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
> To: Damian Weber <dweber at htw-saarland.de>
> Cc: Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>,
> freebsd-security at freebsd.org, wkoszek at freebsd.org,
> Oliver Pinter <oliver.pntr at gmail.com>
> Subject: Re: 2009-07-20 FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit 23 R D Shaun Colley
>
> Wed, Nov 11, 2009 at 07:14:48PM +0100, Damian Weber wrote:
> > FWIW, I got another result on 6.4-STABLE
> >
> > FreeBSD mymachine.local 6.4-STABLE FreeBSD 6.4-STABLE #6: Sat Oct 3 13:06:12 CEST 2009 root at hypercrypt.local:/usr/obj/usr/src/sys/MYMACHINE i386
> >
> > $ ./pecoff
> > MZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa????aaaa
> > [I'm truncating here, ~3500 a's follow]aaaaa: File name too long
>
> You have no pecoff module loaded or compiled into the kernel,
> have you? Your "File name too long" is spat out by the shell,
> so it was not handled by the PE loader at all.
Confirmed. The code crashes the 6.4-stable machine when the pecoff module
is loaded.
Wojciech A. Koszek wrote:
> I think the best way would be to remove PECOFF from 6.x and 7.x.
Now, I'm inclined to think that, too ;-)
-- Damian