Bugtraq mailing list archives
Re: OpenBSD local DoS and root exploit
From: Jonas Eriksson <je () sekure net>
Date: Thu, 9 May 2002 18:54:31 +0200 (CEST)
The response from the OpenBSD team: --- Date: Thu, 09 May 2002 08:35:34 -0600 From: Todd C. Miller <Todd.Miller () courtesan com> To: security-announce () openbsd org Subject: Potential localhost root hole In July of 1998 the OpenBSD kernel was modified to populate file descriptors 0-2 on exec for setuid (and setgid) processes. This was done to defeat an attack on setuid programs that open files for writing and also write to descriptors 0-2 (usually via stdin, stdout or stderr). The fix at that time didn't properly deal with the possibility that the allocation of the dummy descriptors could fail due to a full file descriptor table. It has come to our attention that there is a winnable race condition when the file descriptor table is full, allowing an fd 0-2 attack to succeed. Credit for finding this goes to FozZy of Hackademy / Hackerz Voice. Please see his advisory on bugtraq for more in-depth details. The following patches are available: OpenBSD-3.1: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch OpenBSD-3.0: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch OpenBSD-2.9: ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch OpenBSD-current as well as the OpenBSD 2.9, 3.0 and 3.1 -stable branches have already been patched. On Thu, 9 May 2002, Dave Ahmad wrote:
Hey, After posting this, Fozzy sent another message mentioning that he left out some credit. I requested that he fix the advisory and re-send it to the list, but he hasn't gotten back to me fast enough ;). This needs to go out, so here's the correction:I realized this credit problem just after sending my post : "Three weeks ago, XXXXXXXX from Pine released an advisory..." should be : "Three weeks ago, Joost Pol from Pine released an advisory...".Dave Ahmad SecurityFocus www.securityfocus.com On Thu, 9 May 2002 fozzy () dmpfrance com wrote:The following is research material from FozZy from Hackademy and Hackerz Voice newspaper (http://www.hackerzvoice.org), and can be distributed modified or not if proper credits are given to them. For educational purposes only, no warranty of any kind, I may be wrong, this post could kill you mail reader, etc. -= OVERVIEW =- On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition.
-- Favourite pickup line: Hey baby, wanna synchronize sequence numbers? Warning: not always effective
Current thread:
- OpenBSD local DoS and root exploit fozzy (May 09)
- Re: OpenBSD local DoS and root exploit Dave Ahmad (May 09)
- Re: OpenBSD local DoS and root exploit Jonas Eriksson (May 10)
- Re: OpenBSD local DoS and root exploit Dave Ahmad (May 09)