Re: Re: yet another OpenBSD kernel hole ...

[noir () uberhax0r net]

> I can think of only one - named, it has a writable /var/named/slave, and it
> is an exception. Anyway, this is a reminder to mount /var partition
> as noexec,nosuid.

there is anonymous ftp and sftp assuming incoming/ directories. how about
sendmail ? and many similar MTAs. Also bugs like select() does not
require any writable directory so wrapping the select-alike exploits with
MOSDEF or your Impurity will break chroot, get root and spanwn a shell if
you like ... ;>

> Of course, there are other useful things you can do in a chroot jail, and
> there are methods to prevent you from doing them, but let's not beat this
> dead cow once again.

yep, there are other public and unpublic techniques to break chroot other
than kernel overflows. once you gain execution, chroot slightly raises the bar
but does not prevent successful exploitation.

> What does syscall forwarding add to the discussion ? It is only a tool. If
> you can create a binary and execute it, you can exploit this bug with or
> without syscall forwarding.
> Not to mention that Impurity is a superior tool on Unices.

syscall forwarding makes life simpler in uploading/downloading and
executing remote binaries, nothing more. there are definetely better
solutions like MOSDEF and Impurity which allow you to do even more complex
stuff in a remote exploitation context, such as kernel exploits ...

> Right, I should have put it "against stack kernel overflows" (BTW I did not
> say "all kernel buffer overflows"). Anyway, I wonder if you have any technique
> to genericly exploit heap overflow in kernel land; you have promised in p60-6
> to post one :)

as i claimed in p60-6 and recently in bugtraq
( http://www.securityfocus.com/archive/1/344889/2003-11-15/2003-11-21/0 ),
yes i got working technique ;)

later,
- noir


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html