Home page logo

bugtraq logo Bugtraq mailing list archives

ANOTHER OpenBSD security vulnerability!!!!
From: Chris Cappuccio <chris () DQC ORG>
Date: Tue, 7 Nov 2000 02:56:37 -0800

- :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet -
|                                                                           |
| www.dqc.org/~chris                                                        |
|                                                                           |
| Version      : Leet advisory #2666 of many                                |
| Author       : LarFoxley[famedork / condemned / ESP / AH / PPTP (soon)]   |
| Contributed  : All of Team Leet (thanks alot) & UVM                       |
| Topic        : A non-priviledged user may gain physical access to the     |
|                system, thus exploiting what is known in innner circles as |
|                "the five-finger discount"                                 |
| Effected     : All Operating Systems which use a computer                 |
|                * OpenBSD, and possibly others                             |
| Prvt Release : October 1, 1995                                            |
| Released     : November 7, 19100                                          |
| Credits      : www.whitehouse.gov, flash.bellcore.com, www.merit.edu      |
|                Check Section 1                                            |
| Vendor status: Raped                                                      |
|                                                                           |
- :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet -

Section 1 [Grits]:

        First and foremost, thanks to dictionary.com, without which I would
        be totally lost in the world of English spelling and grammar.  Thanks
        to my mother who bore me.  This was a coordinated effort with Team
        Leet and The Serious Hackers known as Super Super Good.

        I would like to thank RootShellBadddMothers and Team SSH for
        rigorously testing on many stupid shell providers who don't know
        about the OpenBSD team's secret plans for world domination through
        eleet unknown bugs :] (fatcorpse and her great mass testing scripts,
        great for analysis: www.freshmeat.net < great site :)

        I would like to thank bass of BEER.  He started the whole OpenBSD
        religion.  Keep up the good work.

        Special thanks to obecian and his DoS 3.3 System.  It has made my
        job so easy that I think I should not be paid anymore.

        I would also like to thank: NSA, CIA, FBI, Walls Fargo, WTO,
        Kettutytt, Satan, Dorkex (h0rze :), ISS, Solar Designer, #blowjob,
        #hotsex, #eatshit, #42, #conf, Al Hugher, Alpeh1, communism, the
        US Air Force, OJ Simpson, Semtex, Ebola, George W. Bush, Ralph Nader
        and Jello Biafra.

Section 2 [Preface]:

        Usually, Team Leet keeps our code and research quite private until we
spew our diarrhea all over your computer monitor.  But, what really annoys
us, is when a very big figure in the computer security community lies to the
people who make him who he is.  The person I speak of is Bob Dobbs.  Bob
Dobbs claims that OpenBSD hasn't experienced a local root hole in the default
install for many years.  Yet, during his internal audits, he regularly finds
unfaithfulness to the church, and he never notifies the public.  I think you
guys are lame.  You have demonstrated sins, transgressions, intemperances,
vices, errors, failings, personal faults, indiscretions, lapses, trespasses,
and crimes agsinst man, woman, child, law, nature and god.  What worries Team
Leet is that our servers might be hacked.  We have found many other
exploitable holes in previous OpenBSD distributions, that have miraculously
been patched and never revealed.  Next, there is the "Three years without a
remote hole in the default install."  I hope this advisory breaks that
aswell, because, techinically:

        * Walk up to the machine
        * Turn it off
        * Unplug it
        * Take it with you

        Although we have not confirmed it, we believe this bug is also
        exploitable via NFS, RSH, TELNET, and SSH.

        Three years without a remote hoe? Strike that.

Section 3 [Background]:

        OpenBSD is a vulnerable operating system because it runs on a
computer which can be physically accessed by an intruder.  It is
significantly better then the traditional UNIX based OS.

Section 4 [Problem Description]:

        There exists a bug in the physical universe which has blatently
slipped passed the seemlessly feeble minded OpenBSD developers and
hackphreak.org members alike.  This bug allows for any local user (or remote
user) to steal the entire OpenBSD system, thus rendering it completely
useless.  Once the system is stolen, a local user (with access to the
console) may in fact remove the hard disk.  The system uses a published
standard, FFS.  When one has access to the hard disk, they may use FFS do
most anything: such as reading the disk, and writing to it, not just a DoS
(if you have to read through this you have now more reason to switch to

        A very smart attacker will:

                * Mount the hard disk
                * Read from it
                * Use RSH

        A layout of the hard disk is given:

                * Root filesystem /
                *     Usr filesystem /usr
                *     Home filesystem /home
                *     Root's filesystem /root
                *     Tmp's filesystem /tmp
                *     Var's filesystem /var

printf("hello, world\n");
 * here, we print to the screen
 * this is considered a vulnerablilty because we were able to show
 * just how much damange can really be done with this unique
 * and as-of-yet-unknown method

Section 4 [The exploit]:

// openbsd-sucks.c by LarFoxley of Team Leet (#openbsd on efnet) & SSH
// This exploit is proof of my love for you
// Greets: NSA, CIA, FBI, Walls Fargo, WTO, EHAP, Condoms, caddis[TESO],
//         Kettutytt, Satan, Dorkex (h0rze :), ISS, Solar Designer, #blowjob,
//         #hotsex, #eatshit, #42, #conf, Al Hugher, Alpeh1, communism, the
//         US Air Force, OJ Simpson, Semtex, Ebola, George W. Bush, Ralph
//         Nader and Jello Biafra.
// PS: The expoit is broke very slightly, so it takes some knowledge ;)

#include <stdyo.h>
#include <streengs.h>

prentf("hello, world!!!!!\n");
// Now that we have gained physical access, there is no more need for
// actual code, because we can simply remove the hard disk at this point.
// Also, if you enter the debugger, you can change the user id of the
// process that you are currently using.  Imagine that.

Section 5 [TO HELL WITH YOU'S]:

       J.R. "Bob" Dobbs, and the OpenBSD team



       Anyone who thinks OpenBSD is useful

       All of #openbsd on EFNET

       All of the people who have violated my sphincter


       Scriptkiddies who don't use my scripts


Section 6 [Come 1 Come ALL]:

       Team Leet invites you to join efnet #openbsd for a great learning
experience.  Just join us to teach and learn.  But remember, SEXUAL
HARASSMENT = FAT LAWSUIT.  www.dqc.org/~chris

Section 7 [Lies]:

       I hope this advisory makes you feel warm inside.  I know that Windows
NT will always rule my world.  I think Bill Gates is a role model for my
children and their grand-children.  I like eating pineapples.  All OpenBSD
users are paranoid schizophrenics who fall to my knees when they read this

Rev. Chris Cappuccio -=- http://www.dqc.org/~chris/

"If you don't turn on to politics, politics will turn on you"
       - Ralph Nader

  By Date           By Thread  

Current thread:
  • ANOTHER OpenBSD security vulnerability!!!! Chris Cappuccio (Nov 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]