Full Disclosure mailing list archives
Re: Re: yet another OpenBSD kernel hole ...
From: noir () uberhax0r net
Date: Tue, 18 Nov 2003 16:13:24 -0500 (EST)
> Your code does:
>
> if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
>
> How on earth is this going to work against privilege separation? In each sane setup, a server process is chrooted to a directory with no writable directories.

do you have any idea how many of those chrooted processes have temporary directories in their chroot environment? many of the so-called priv separated processes use temporary files, thus having writeable directories in their chroot jail. you might have heard of the concept called system call/API proxying: you can upload the ibcs2own binary and simulate this exploit as if you ran it from a shell. not rocket science, simple and straightforward ...

> Being not a diehard obsd fan, I must notice that the 3.4 kernel is built with stack smashing protection, which reduces this hole to pure local DoS only. Can you name any other OS which has any prevention against kernel buffer overflow?

i can name OSes which do not have these kinds of hopeless, amateur bugs. just a reminder that propolice protects against stack smashing, not heap smashing, so it would be a joke to claim "prevention against kernel buffer overflow" because it simply DOES NOT. there are tons of kmem allocator overflows in OpenBSD, go figure ;-) ...

regards,
- noir

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
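The two posters above disagree on whether a chroot jail has a directory the compromised (unprivileged) process could write its uploaded binary into. The program below is an added example for this page, not code from the thread, from noir's exploit or from OpenBSD: it walks a directory tree such as a jail and counts the directories whose permission bits grant write access to a given uid/gid, which is the check an auditor would run before trusting "no writable directories" as a mitigation. The jail layout it builds under /tmp (etc, a sticky 01777 tmp, var, var/run) is constructed for the demo and hypothetical; it judges DAC mode bits only, ignores ACLs, and does not follow symlinks.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not code from the thread: given a chroot directory, is there
 * any directory inside it that the service uid/gid could drop a binary into? */

/* Nonzero if the permission bits of `st` give uid/gid write access.
 * Assumption: plain DAC bits only (no ACLs); root bypasses these anyway. */
int dir_writable_by(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid)
        return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* Count directories at or below `root` writable by uid/gid, printing each.
 * lstat() is used so symlinks are not followed: a link pointing out of the
 * jail is not a writable directory from inside it. */
int count_writable_dirs(const char *root, uid_t uid, gid_t gid)
{
    struct stat st;
    if (lstat(root, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    int n = 0;
    if (dir_writable_by(&st, uid, gid)) {
        printf("writable by uid %u: %s\n", (unsigned)uid, root);
        n = 1;
    }
    DIR *d = opendir(root);
    if (!d)
        return n;                 /* unreadable dir: nothing more to learn */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        char path[4096];
        if (snprintf(path, sizeof path, "%s/%s", root, e->d_name) >= (int)sizeof path)
            continue;             /* path too long: skip rather than truncate */
        n += count_writable_dirs(path, uid, gid);
    }
    closedir(d);
    return n;
}

/* Constructed (hypothetical) jail layout for the demo, created under /tmp:
 *   <jail>/ 0755, <jail>/etc 0755, <jail>/tmp 01777, <jail>/var 0755,
 *   <jail>/var/run 0755.  Returns 0 on success and writes the path to `out`. */
int build_demo_jail(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/jailXXXXXX";
    if (mkdtemp(tmpl) == NULL || chmod(tmpl, 0755) != 0)
        return -1;
    snprintf(out, outlen, "%s", tmpl);
    static const char *subs[] = { "etc", "tmp", "var", "var/run" };
    static const mode_t modes[] = { 0755, 01777, 0755, 0755 };
    for (size_t i = 0; i < 4; i++) {
        char p[4096];
        snprintf(p, sizeof p, "%s/%s", tmpl, subs[i]);
        /* chmod after mkdir so the umask cannot strip the bits we want */
        if (mkdir(p, modes[i]) != 0 || chmod(p, modes[i]) != 0)
            return -1;
    }
    return 0;
}

/* Remove the demo jail again (known directories only, deepest first). */
void remove_demo_jail(const char *jail)
{
    static const char *subs[] = { "var/run", "var", "tmp", "etc" };
    for (size_t i = 0; i < 4; i++) {
        char p[4096];
        snprintf(p, sizeof p, "%s/%s", jail, subs[i]);
        rmdir(p);
    }
    rmdir(jail);
}

int main(void)
{
    char jail[4096];
    if (build_demo_jail(jail, sizeof jail) != 0) {
        perror("build_demo_jail");
        return 1;
    }
    /* A uid/gid unrelated to the jail owner: only the sticky tmp is writable. */
    int other = count_writable_dirs(jail, getuid() + 1, getgid() + 1);
    printf("%d writable dir(s) for an unrelated uid\n", other);
    remove_demo_jail(jail);
    return other == 1 ? 0 : 1;
}
```

Run it as the service user (or pass that user's uid/gid) against the real jail root; any hit is a place where an attacker who controls the process, with or without a shell, can write a file and, absent a noexec mount or similar, execute it.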
Current thread:
- yet another OpenBSD kernel hole ... noir (Nov 17)
- Re: yet another OpenBSD kernel hole ... i.t Consulting (Nov 22)
- <Possible follow-ups>
- Re: yet another OpenBSD kernel hole ... Alexander E. Cuttergo (Nov 18)
- Re: Re: yet another OpenBSD kernel hole ... Peter Busser (Nov 18)
- Re: Re: yet another OpenBSD kernel hole ... noir (Nov 18)
- Re: yet another OpenBSD kernel hole ... Alexander E. Cuttergo (Nov 18)
- Re: Re: yet another OpenBSD kernel hole ... noir (Nov 18)