Re: Re: yet another OpenBSD kernel hole ...

[noir () uberhax0r net]

> Your code does:
> if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
> How on earth is this going to work against privilege separation ? In each
> sane setup, a server process is chrooted to a directory with no writable
> directories.

do you have any idea how many of those chrooted processes have temporary
directories in their chroot environment ? many of the so called priv
seperated processes use temoprary files thus having writeable directories
in there chroot jail. you might have heard the concept called system
call/API proxying, you can upload the ibcs2own binary and simulate this
exploit as if you run it from a shell, not rocket since simple and
straight forward ...

> Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
> stack smashing protection, which reduces this hole to pure local DoS only. Can
> you name any other OS which has any prevention against kernel buffer overflow ?

i can name OSes which do not have these kind of hopeless, amateur bugs.
just a reminder that propolice protects against stack smashing not heap
smashing so it would be a joke to claim "prevention against kernel buffer
overflow" because it simply DO NOT. there are tons of kmem alloctor
overflows in OpenBSD, go figure ;-) ...

regards,
- noir


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html