Re: OpenBSD local DoS and root exploit

[Dave Ahmad <da () securityfocus com>]

Hey,

After posting this, Fozzy sent another message mentioning that he left out
some credit.  I requested that he fix the advisory and re-send it to the
list, but he hasn't gotten back to me fast enough ;).  This needs to go
out, so here's the correction:

> I realized this credit problem just after sending my post :
> "Three weeks ago, XXXXXXXX from Pine released an advisory..." should be :
> "Three weeks ago, Joost Pol from Pine released an advisory...".

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Thu, 9 May 2002 fozzy () dmpfrance com wrote:

> The following is research material from FozZy from Hackademy and Hackerz
> Voice newspaper (http://www.hackerzvoice.org), and can be distributed
> modified or not if proper credits are given to them. For educational
> purposes only, no warranty of any kind, I may be wrong, this post could
> kill you mail reader, etc.
>
>
> -= OVERVIEW =-
>
> On current OpenBSD systems, any local user (being or not in the wheel
> group) can fill the kernel file descriptors table, leading to a denial of
> service. Because of a flaw in the way the kernel checks closed file
> descriptors 0-2 when running a setuid program, it is possible to combine
> these bugs and earn root access by winning a race condition.