Full Disclosure mailing list archives
Re: yet another OpenBSD kernel hole ...
From: "Alexander E. Cuttergo" <cuttergo () gmx net>
Date: Tue, 18 Nov 2003 09:30:54 -0800
On Mon, Nov 17, 2003 at 20:23:12 -0500 (EST), noir () uberhax0r net wrote:
noir> attached exploit will get you uid=0 and break any possible chroot jail
noir> your parent process might be in, works on all 2.x and 3.x up to 3.3.
noir>
noir> priv separation, chroot jail, systrace yeah yeah right ;P theo and niels
Your code does:
if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
How on earth is this going to work against privilege separation ? In each
sane setup, a server process is chrooted to a directory with no writable
directories.
noir> so i hope, some of you openbsd loving losers will finally get the truth
noir> behind your cult. it is a big LIE, aloha ????
Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
stack smashing protection, which reduces this hole to pure local DoS only. Can
you name any other OS which has any prevention against kernel buffer overflow ?
Yes, this bug is hopeless, but stay objective.
peace,
algo
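The "no writable directories inside the chroot" condition algo relies on above is easy to check mechanically. The script below is an added example, not code from this thread or from OpenBSD: it walks a jail tree and reports every directory whose mode bits would let an assumed unprivileged service identity (uid 65534 here, a constructed value) create entries, run against a constructed throw-away sample jail.

```python
import os
import stat
import tempfile

SERVICE_UID = 65534  # assumed unprivileged service uid, constructed for the example


def dir_writable_by(st, uid, gids):
    """True if the mode bits in st let (uid, gids) create entries in the directory.
    Pure mode-bit logic: root's override and POSIX ACLs are deliberately ignored."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_dirs(root, uid, gids):
    """Walk the jail under root and return the relative paths of directories the
    service identity could write into. A sane chroot returns an empty list."""
    found = []
    for dirpath, _dirnames, _files in os.walk(root):  # symlinks are not followed
        if dir_writable_by(os.lstat(dirpath), uid, gids):
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def build_sample_jail():
    """Constructed sample: one sane directory, a world-writable tmp and a
    group-writable var/run. Modes are set explicitly so umask does not matter."""
    root = tempfile.mkdtemp(prefix="jail-")  # created 0700, owned by the caller
    for name, mode in (("etc", 0o755), ("tmp", 0o1777),
                       ("var", 0o755), ("var/run", 0o775)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


def audit_sample_jail():
    """Audit the sample jail as a service uid that shares the auditor's group."""
    return writable_dirs(build_sample_jail(), SERVICE_UID, {os.getgid()})


if __name__ == "__main__":
    for rel in audit_sample_jail():
        print("writable by service identity:", rel)
```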