Vulnerability Development mailing list archives

RE: openbsd 3.4 ps bug


From: "Dom De Vitto" <dom () DeVitto com>
Date: Thu, 20 Nov 2003 21:59:41 -0000

I personally think it's interesting that ps does not appear to be
well formed (as other, setuid/gid, processes could share this issue);
however, Kurt's point is valid - if there is no elevation of privilege,
this is not a 'security bug'.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom () devitto com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: Kurt Seifried [mailto:bt () seifried org] 
Sent: Thursday, November 20, 2003 9:52 AM
To: thanos F@rm@k1s; vuln-dev () securityfocus com
Subject: Re: openbsd 3.4 ps bug

Security bug for OpenBSD 3.4

While I was testing my new OpenBSD 3.4 I found the following problem.
First of all, I have OpenBSD 3.4 fully patched with all the latest
fixes on an i386 machine (P3, 128 MB RAM). Some of the ports were
installed too (from the official 3-CD set which I bought). While I was
playing with the command ps I found the following, which I have tested
on two machines with four different kernels (2 patched and 2 unpatched).
The utility ps has a flaw when used with the bash shell. Go to your
root (/) directory or any dir that contains more than two files or
directories and give the command ps -p *, ps -N * or ps -M * and you
will instantly see a core dump file in your dir.
The ps program is giving us a signal (SIGSEGV). Please try all the
above args more than two times, and first in your root dir. When I
tried to confirm it with gdb it gave me the address 0x1c01c116 in ?? ().
I don't have the time to confirm if the bug is exploitable or not, but
it is a big problem because a user (id 1000+) can also do that. This is
a report which will also be submitted to bugtraq. It is also not
confirmed that other versions are vulnerable to this bug. This bug can
only be reproduced when bash2 is installed (from the official ports
package) and in a dir where more than two files exist.
Sorry for the bad English.

The OpenBSD team has been informed.

Yes, this creates a core dump. I fail to see how this is exploitable for
additional privileges, however, as ps is not setuid/setgid (simply mode 0555).
Can you please enlighten us as to how this is exploitable for additional
privileges?


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
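The triage rule the thread settles on (a crash only matters for privilege escalation when the binary crosses a privilege boundary, and ps at mode 0555 does not) as an added POSIX shell example; this is not code from the thread, and the file names under the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: classify whether a crash in a given binary could cross
# a privilege boundary. Mirrors Kurt's reasoning that a non-setuid,
# non-setgid ps (mode 0555) cannot hand the caller extra privileges.

# Prints one of: setuid+setgid, setuid, setgid, unprivileged, missing.
privilege_boundary() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "missing"
        return 2
    fi
    # -u and -g are the POSIX test operators for the setuid/setgid bits.
    if [ -u "$path" ] && [ -g "$path" ]; then
        echo "setuid+setgid"
    elif [ -u "$path" ]; then
        echo "setuid"
    elif [ -g "$path" ]; then
        echo "setgid"
    else
        echo "unprivileged"
    fi
}

# One-line triage verdict for a crashing binary: an unprivileged binary
# only crashes the caller's own process (a robustness bug), whereas a
# setuid/setgid one runs with someone else's identity and needs review.
triage_crash() {
    cls=$(privilege_boundary "$1") || return $?
    case $cls in
        unprivileged) echo "$1: $cls -> crash stays within the caller's privileges" ;;
        *)            echo "$1: $cls -> crash crosses a privilege boundary; investigate" ;;
    esac
}

# Constructed demo in a temporary directory; no real system binary is touched.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/ps_like"; chmod 0555 "$d/ps_like"   # the mode the thread reports for ps
    : > "$d/su_like"; chmod 4555 "$d/su_like"   # a setuid binary, for contrast
    triage_crash "$d/ps_like"
    triage_crash "$d/su_like"
    rm -rf "$d"
}

demo
```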
