Bugtraq mailing list archives

Recent OpenBSD 2.8/2.9 Exploit - stephanie patched kernels unaffected
From: "James Babiak" <jfbabiak () webmail tc cc va us>
Date: Thu, 21 Jun 2001 07:40:26 -0400

In testing the recent obsd exploit by Georgi Guninski out, I have found out
that my OpenBSD 2.8 box was not vulnerable. I have come to the conclusion
that those boxes with the stephanie kernel patches by Mike Schiffman and doe
are not vulnerable to this exploit, at least without modifying the exploit
itself. My box has extremely anally granular file access control; however, I
ran this exploit using my account with full permissions, and I was in the
tpe_adm group. I imagine that the symlink restrictions prevent the exploit
from working.

Workarounds:
From what I read, the stephanie patches do not have hard link restrictions.
However, on my box /tmp is its own partition (duh), therefore not allowing
me to do a cross-device link. I don't have any obsd boxes without /tmp on
its own partition to test this out, but it may be a workaround or at least a
place to start.

Re-write the exploit to not use the /tmp symlinks.

I'm also sure there is some way to circumvent the symlink restrictions in
place.

In any case, I am working on a way around this, but at least with those
patches in place, the exploit is "script-kiddie-proof." In other words, even
Jeff King with his elite EXPN warez couldn't exploit it.

For those not familiar with the Stephanie patch, you can read more about it
and download it at:
http://www.packetfactory.net/Projects/Stephanie/

Congrats to route and doe for coming up with a patch to a hole not yet
discovered =].

-james

