OpenBSD Journal

i386 users: vga(4) security patch available

Contributed by deanna on from the get patching dept.

From the OpenBSD errata:

Insufficient validation in vga(4) may allow an attacker to gain root privileges if the kernel is compiled with option PCIAGP and the actual device is not an AGP device. The PCIAGP option is present by default on i386 kernels only.

A patch for 4.0 is available here, and for 3.9, here.



Comments
  1. By Teknoenie (70.68.164.2) on

    Time to reset the counter on the OpenBSD web page again?!

    Comments
    1. By Anonymous Coward (213.84.147.9) on

      Of course not. It's not a remote exploit in the default install. It only works if the machine has a really rare setup.

      Comments
      1. By Anonymous Coward (195.243.113.251) on

        > Of course not. It's not a remote exploit in the default install. It only works if the machine has a really rare setup.
        >

        But it is a remote hole, right?

        So if I have this eventually rare scenario then it is exploitable.
        And PCI video cards are not uncommon on old hardware that is used on self-built firewall systems.


        Manse

        Comments
        1. By gwyllion (134.58.253.113) on

          > But it is a remote hole, right?

          No, it is not. The demo exploit of Ilja required local access.

          Comments
          1. By Manse (195.243.113.251) on

            > > But it is a remote hole, right?
            >
            > No, it is not. The demo exploit of Ilja required local access.

            Ok, then there is no remote hole.
            And I should get some glasses; I never read that.



            Manse

      2. By Anonymous Coward (81.217.124.103) on

        > It only works if the machine has a really rare setup.

        Rare? Doesn't this affect any OpenBSD installation running in a VMware virtual machine?

    2. By gwyllion (134.58.253.113) on

      > Time to reset the counter on the OpenBSD web page again?!

      This is a local root exploit that was demonstrated by Ilja van Sprundel at 23C3.

      See Unusual bugs 23c3.pdf and unusual-bugs-t4s1.wmv

      Comments
      1. By Anonymous Coward (81.217.124.103) on

        > This is a local root exploit that was demonstrated by Ilja van Sprundel at 23C3.

        Just watched the video. It was OpenBSD 4.0 as a guest in VMware Workstation for Windows.

      2. By grg (grg) on

        I assume the user running the exploit needs to have permission to read/write /dev/ttyC0 also? I.e., a remotely logged-in user could not exploit this, only someone with physical access to the machine.

        I watched the movie (very interesting, btw) but few details were given regarding this. I also tried to trace through some of the code, but after a superficial look I couldn't figure out how the user-supplied data to ioctl() could cause sc->sc_methods to be NULL - does this happen independently of the ioctl() call?

  2. By Jeff Quast (dingo) af.dingo@gmail.com on

    Another reason to enjoy my software framebuffer on zaurus and sparc

  3. By Anonymous Coward (74.244.134.44) on

    Does this bug affect systems with no graphics hardware? I have a pcengines box with serial console.

    Comments
    1. By grg (grg) on

      > Does this bug affect systems with no graphics hardware? I have a pcengines box with serial console.

      No.

      This is only exploitable iff you have a vga device on your pci bus which is not one of PCI_VENDOR_ALI, PCI_VENDOR_AMD, PCI_VENDOR_INTEL, PCI_VENDOR_SIS, PCI_VENDOR_VIATECH.

      E.g. this is exploitable:
      vga1 at pci0 dev 15 function 0 vendor "VMware", unknown product 0x405 rev 0x00
      Whereas this is not:
      vga1 at pci0 dev 2 function 0 "Intel 82815 Graphics" rev 0x04: aperture at 0x44000000, size 0x4000000

      The chip specific methods pointed to by sc->sc_methods in the patch remain uninitialised (or NULL) iff your card is not claimed by one of the drivers agp_ali.c, agp_amd.c, agp_i810.c, agp_intel.c, agp_sis.c, agp_via.c.

      The following will probably crash a vulnerable machine (untested!):
      #include <stdio.h>
      #include <fcntl.h>
      #include <sys/ioctl.h>
      #include <sys/agpio.h>
      
      int main()
      {
              agp_info ai;
              int fd;
      
              fd = open("/dev/ttyC0", O_RDONLY, 0);
              if (fd == -1) {
                      perror("open");
                      return -1;
              }
      
              if (ioctl(fd, AGPIOC_INFO, &ai) == -1) {
                      perror("ioctl");
                      return -1;
              }
      
              return 0;
      }
      
      The main problem with trying to exploit this is one needs a valid file descriptor for /dev/ttyC0. A regular user is not going to have even read permission on this file unless they log in on the wsdisplay attached to the vga device (at which point the getty will chown /dev/ttyC0 for the user), i.e. they need to be sitting at a keyboard connected to the machine or they'll never be able to read /dev/ttyC0.

      The interest in this exploit is largely academic - you won't be finding this used out in the wild. You probably do not need to patch your systems. But hey, that's just the ramblings of some guy on undeadly... do you really trust that?

      Comments
      1. By Miod Vallat (miod) miod@ on

        Actually, AGPIOC_INFO is the only agp ioctl which can not trigger the problem.
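Added example, not part of any comment in this thread: a small sh script that applies grg's vendor rule to the vga(4) attach lines that dmesg(8) prints, so an admin can tell from a dmesg whether a machine sits in the configuration the errata describes (a VGA device on the PCI bus that none of the agp chipset drivers claims) and therefore needs the patch first. The vendor strings it matches are an assumption based on the driver list grg gave plus the pcidevs names (the agp_ali.c driver covers the vendor that dmesg prints as "Acer Labs"); the sample dmesg lines are constructed around the two device lines grg quoted, not captured from a real machine.

```sh
#!/bin/sh
# Added example (not code from the thread or from OpenBSD). Classifies vga(4)
# attach lines from dmesg(8) by PCI vendor: vendors with an agp chipset driver
# (agp_ali.c, agp_amd.c, agp_i810.c, agp_intel.c, agp_sis.c, agp_via.c) get
# sc->sc_methods initialised; any other VGA device is the unpatched-risk case.
# Vendor names as printed by dmesg are an assumption based on the pcidevs names.
AGP_VENDORS="Acer AMD Intel SiS VIA"

# vendor_of LINE: first word of the first quoted string on the line, which on
# a vga attach line is the PCI vendor name ("Intel 82815 Graphics" -> Intel,
# vendor "VMware", unknown product -> VMware).
vendor_of() {
    rest=${1#*\"}
    printf '%s\n' "${rest%%[\" ]*}"
}

# classify_vga LINE: prints "not_vga" for lines that are not a PCI vga(4)
# attach, "claimed" when the vendor has an agp driver, "unclaimed" otherwise.
classify_vga() {
    case $1 in
        vga[0-9]*" at pci"*) ;;
        *) echo not_vga; return 0 ;;
    esac
    vendor=$(vendor_of "$1")
    for v in $AGP_VENDORS; do
        [ "$vendor" = "$v" ] && { echo claimed; return 0; }
    done
    echo unclaimed
}

# audit_dmesg: reads dmesg output on stdin, prints one verdict per vga line and
# returns 1 when an unclaimed VGA device is present. Only meaningful on an i386
# kernel built with option PCIAGP (the default there); the patch fixes it anyway.
audit_dmesg() {
    rc=0
    while IFS= read -r line; do
        verdict=$(classify_vga "$line")
        [ "$verdict" = not_vga ] && continue
        echo "$verdict: $line"
        [ "$verdict" = unclaimed ] && rc=1
    done
    return $rc
}

# Constructed sample (not a real capture): the two device lines quoted in the
# thread plus an unrelated PCI device that must be ignored.
SAMPLE='vga1 at pci0 dev 15 function 0 vendor "VMware", unknown product 0x405 rev 0x00
vga1 at pci0 dev 2 function 0 "Intel 82815 Graphics" rev 0x04: aperture at 0x44000000, size 0x4000000
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08'

# Live use on the machine being checked: dmesg | audit_dmesg
printf '%s\n' "$SAMPLE" | audit_dmesg ||
    echo "unclaimed VGA device present: apply the vga(4) errata patch"
```

The script deliberately keys on the vendor name rather than on the "unknown product" wording, because grg's rule is about which agp driver claims the chipset, and a known product from an unlisted vendor is just as unclaimed as the VMware adapter in his example.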
