Contributed by deanna on from the get patching dept.
Insufficient validation in vga(4) may allow an attacker to gain root privileges if the kernel is compiled with option PCIAGP and the actual device is not an AGP device. The PCIAGP option is present by default on i386 kernels only.
A patch for 4.0 is available here, and for 3.9, here.
By Teknoenie (70.68.164.2) on
By Anonymous Coward (213.84.147.9) on
By Anonymous Coward (195.243.113.251) on
But it is a remote hole, right?
So if I have this eventually rare scenario, then it is exploitable.
And PCI video cards are not uncommon on old hardware that is used in self-built firewall systems.
Manse
By gwyllion (134.58.253.113) on
No, it is not. The demo exploit of Ilja required local access.
By Manse (195.243.113.251) on
> No, it is not. The demo exploit of Ilja required local access.
Ok, then there is no remote hole.
And I should get some glasses, never read that.
Manse
By Anonymous Coward (81.217.124.103) on
Rare? Doesn't this affect any OpenBSD installation running in a VMware virtual machine?
By gwyllion (134.58.253.113) on
This is a local root exploit that was demonstrated by Ilja van Sprundel at 23C3.
See Unusual bugs 23c3.pdf and unusual-bugs-t4s1.wmv
By Anonymous Coward (81.217.124.103) on
Just watched the video. It was OpenBSD 4.0 as a guest in VMware Workstation for Windows.
By grg (grg) on
I watched the movie (very interesting, btw) but few details were given regarding this. I also tried to trace through some of the code, but after a superficial look I couldn't figure out how the user-supplied data to ioctl() could cause sc->sc_methods to be NULL - does this happen independently of the ioctl() call?
By Jeff Quast (dingo) af.dingo@gmail.com on
By Anonymous Coward (74.244.134.44) on
By grg (grg) on
No.
This is only exploitable iff you have a vga device on your pci bus which is not one of PCI_VENDOR_ALI, PCI_VENDOR_AMD, PCI_VENDOR_INTEL, PCI_VENDOR_SIS, PCI_VENDOR_VIATECH.
E.g. this is exploitable:
vga1 at pci0 dev 15 function 0 vendor "VMware", unknown product 0x405 rev 0x00
Whereas this is not:
vga1 at pci0 dev 2 function 0 "Intel 82815 Graphics" rev 0x04: aperture at 0x44000000, size 0x4000000
The chip specific methods pointed to by sc->sc_methods in the patch remain uninitialised (or NULL) iff your card is not claimed by one of the drivers agp_ali.c, agp_amd.c, agp_i810.c, agp_intel.c, agp_sis.c, agp_via.c.
The following will probably crash a vulnerable machine (untested!): The main problem with trying to exploit this is one needs a valid file descriptor for /dev/ttyC0. A regular user is not going to have even read permission on this file unless they login on the wsdisplay attached to the vga device (at which point the getty will chown /dev/ttyC0 for the user), i.e. they need to be sitting at a keyboard connected to the machine or they'll never be able to read /dev/ttyC0.
The interest in this exploit is largely academic - you won't be finding this used out in the wild. You probably do not need to patch your systems. But hey, that's just the ramblings of some guy on undeadly... do you really trust that?
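To turn the vendor condition grg describes into a quick triage check, the following added script (not from the thread or from OpenBSD) parses dmesg output for vga(4) attach lines and flags devices whose vendor is outside the agp_*.c set. The mapping from the PCI_VENDOR_* constants to the vendor strings dmesg prints is an assumption, and the sample dmesg is constructed from the two lines quoted above plus one unrelated line.

```python
import re

# Assumed dmesg vendor names for PCI_VENDOR_ALI, _AMD, _INTEL, _SIS, _VIATECH,
# i.e. the vendors whose agp_*.c driver initialises sc->sc_methods.
AGP_VENDOR_NAMES = {"ALI", "Acer", "AMD", "Intel", "SiS", "VIA"}

# "vgaN at pciM dev D function F <rest>"; <rest> is either
#   vendor "VMware", unknown product 0x405 rev 0x00      (unknown device)
#   "Intel 82815 Graphics" rev 0x04: aperture at ...     (known device)
VGA_LINE = re.compile(r'^(?P<dev>vga\d+) at pci\d+ dev \d+ function \d+ (?P<rest>.*)$')
NAMED_VENDOR = re.compile(r'^vendor "(?P<vendor>[^"]+)"')
QUOTED_DESC = re.compile(r'^"(?P<desc>[^"]+)"')

# Constructed sample: the two dmesg lines from the comment above plus noise.
SAMPLE_DMESG = [
    'pci0 at mainbus0 bus 0: configuration mode 1 (no bios)',
    'vga1 at pci0 dev 15 function 0 vendor "VMware", unknown product 0x405 rev 0x00',
    'vga1 at pci0 dev 2 function 0 "Intel 82815 Graphics" rev 0x04: aperture at 0x44000000, size 0x4000000',
]


def vendor_of(rest):
    """Return the first word of the vendor name from the tail of a vga attach line."""
    m = NAMED_VENDOR.match(rest)
    if m:
        return m.group("vendor").split()[0]
    m = QUOTED_DESC.match(rest)
    if m:
        return m.group("desc").split()[0]
    return None


def non_agp_vga_devices(dmesg_lines):
    """Return [(device, vendor)] for vga(4) instances whose vendor has no agp_*.c
    driver, i.e. the configurations the comment above calls exploitable when
    the kernel was built with option PCIAGP."""
    hits = []
    for line in dmesg_lines:
        m = VGA_LINE.match(line.strip())
        if not m:
            continue
        vendor = vendor_of(m.group("rest"))
        if vendor not in AGP_VENDOR_NAMES:
            hits.append((m.group("dev"), vendor))
    return hits


if __name__ == "__main__":
    for dev, vendor in non_agp_vga_devices(SAMPLE_DMESG):
        print(f"{dev}: vendor {vendor!r} has no agp driver; check for PCIAGP in the kernel config")
```

On a real system feed it `dmesg` output instead of SAMPLE_DMESG; a hit only matters if the running kernel was built with option PCIAGP.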
By Miod Vallat (miod) miod@ on