Message-ID: <20031118173053.GA3048@gmx.net>
From: cuttergo at gmx.net (Alexander E. Cuttergo)
Subject: Re: yet another OpenBSD kernel hole ...
On Mon, Nov 17, 2003 at 20:23:12 -0500 (EST), noir@...rhax0r.net wrote:
noir> attached exploit will get you uid=0 and break any possible chroot jail
noir> your parent process might be in, works on all 2.x and 3.x up to 3.3.
noir>
noir> priv separation, chroot jail, systrace yeah yeah right ;P theo and niels
Your code does:
if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
How on earth is this going to work against privilege separation? In each
sane setup, a server process is chrooted to a directory with no writable
directories.
noir> so I hope some of you openbsd-loving losers will finally get the truth
noir> behind your cult. It is a big LIE, aloha ????
Not being a diehard obsd fan, I must note that the 3.4 kernel is built with
stack-smashing protection, which reduces this hole to a pure local DoS. Can
you name any other OS which has any prevention against kernel buffer overflows?
Yes, this bug is hopeless, but stay objective.
peace,
algo
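The objection above is that noir's exploit needs a writable current directory to create ./ibcs2own, and a properly privilege-separated server sits in a chroot that has none. The program below is an added example, not code from this thread, from noir's exploit or from OpenBSD: an audit walk that counts the directories under a jail root in which a given uid/gid could create a file. The function names (dir_writable_for, count_writable_dirs), the sample jail layout built in main, and the plain mode-bit evaluation are assumptions of this example; ACLs, supplementary groups, immutable flags and read-only mounts are not modelled, and the check is meant to be run against the unprivileged uid the server drops to, since root passes every mode-bit test.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Plain Unix mode-bit evaluation (assumption: no ACLs, no supplementary
 * groups): can a process running as uid/gid create an entry in a directory
 * with this owner, group and mode? Root always can, which is why the audit
 * must be run for the uid the server drops to, not for the auditor's uid. */
int dir_writable_for(const struct stat *st, uid_t uid, gid_t gid)
{
    if (!S_ISDIR(st->st_mode)) return 0;
    if (uid == 0) return 1;
    if (st->st_uid == uid) return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid) return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* Walks the tree rooted at `root` (the jail) and returns how many
 * directories, root itself included, would let uid/gid create a file such
 * as ./ibcs2own. A jail in the sense of the message returns 0. Symlinks are
 * not followed (lstat), so a link pointing outside the jail is not counted.
 * Returns -1 if `root` does not exist. */
int count_writable_dirs(const char *root, uid_t uid, gid_t gid)
{
    struct stat st;
    if (lstat(root, &st) < 0) return -1;
    if (!S_ISDIR(st.st_mode)) return 0;

    int count = dir_writable_for(&st, uid, gid) ? 1 : 0;

    DIR *d = opendir(root);
    if (!d) return count;          /* unreadable for the auditor: report what we know */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", root, e->d_name) >= (int)sizeof path)
            continue;                                  /* path too long: skip */
        if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode)) continue;
        int sub = count_writable_dirs(path, uid, gid);
        if (sub > 0) count += sub;
    }
    closedir(d);
    return count;
}

int main(void)
{
    /* Constructed sample jail: root 0700 from mkdtemp, etc 0755, tmp 0777.
     * chmod after mkdir so the umask cannot change the modes under test. */
    char tmpl[] = "/tmp/jailauditXXXXXX";
    char *root = mkdtemp(tmpl);
    if (!root) { perror("mkdtemp"); return 1; }
    char etc[PATH_MAX], tmp[PATH_MAX];
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(tmp, sizeof tmp, "%s/tmp", root);
    mkdir(etc, 0755); chmod(etc, 0755);
    mkdir(tmp, 0777); chmod(tmp, 0777);

    /* getuid()+1 stands in for the unprivileged uid the server drops to. */
    printf("writable dirs for the auditor:      %d\n",
           count_writable_dirs(root, getuid(), getgid()));
    printf("writable dirs for the dropped uid:  %d\n",
           count_writable_dirs(root, getuid() + 1, getgid() + 1));
    /* expect 3 and 1: only the 0777 tmp lets an unrelated uid create ./ibcs2own */

    rmdir(tmp); rmdir(etc); rmdir(root);
    return 0;
}
```

Run it as the auditor but pass the server's post-setuid uid and gid: the owner-uid test is what makes a 0755 directory owned by the daemon's own uid show up as writable, which is the usual mistake when a chroot is populated by the same account that later runs inside it.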
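The second point of the message is that a kernel built with stack-smashing protection turns this overflow into a local DoS: the compiler places a random guard word between stack buffers and the saved return address and checks it before returning, so an overwrite of the return address trips the check and the kernel panics instead of jumping to attacker code. The program below is an added example, not code from this thread or from the OpenBSD kernel: it models one such frame in userland and runs the same unchecked copy with the check switched off and on. The frame layout, the constant guard value, the return-address stand-ins and the function names (run_copy, build_payload) are assumptions of this example; the real guard is random, which is the whole reason the last case in the test, an attacker who already knows the guard, is not the normal situation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a protected stack frame: the buffer lowest, the guard
 * (canary) above it, the saved return address above that. Any overflow long
 * enough to reach saved_ret has to pass through guard first. This is an
 * illustration, not the OpenBSD 3.4 kernel's actual frame layout. */
struct frame {
    char      buf[16];
    uintptr_t guard;
    uintptr_t saved_ret;
};

#define GUARD_VALUE  ((uintptr_t)0x5a7e3c9dUL)  /* stand-in for the random per-boot guard */
#define ORIGINAL_RET ((uintptr_t)0x00c0ffeeUL)  /* stand-in for the legitimate return address */
#define ATTACKER_RET ((uintptr_t)0x41414141UL)  /* stand-in for the attacker's target */

enum outcome {
    RET_OK        = 0,  /* copy fit, control flow unchanged */
    RET_HIJACKED  = 1,  /* saved_ret overwritten and not detected: code execution */
    GUARD_SMASHED = 2   /* overflow detected at function exit: kernel panics (local DoS) */
};

/* Simulates an unbounded copy of `len` caller-controlled bytes into the
 * 16-byte buffer (the bug class behind noir's exploit), then performs the
 * epilogue check the protector inserts, if enabled. */
enum outcome run_copy(const void *src, size_t len, int protector_enabled)
{
    struct frame f;
    f.guard = GUARD_VALUE;
    f.saved_ret = ORIGINAL_RET;

    /* Clamp so the simulation stays inside the frame object; a real
     * overflow keeps going past the end of the frame. */
    if (len > sizeof f) len = sizeof f;
    memcpy((unsigned char *)&f, src, len);          /* the unchecked copy */

    if (protector_enabled && f.guard != GUARD_VALUE)
        return GUARD_SMASHED;                        /* kernel: panic, not return */
    if (f.saved_ret != ORIGINAL_RET)
        return RET_HIJACKED;
    return RET_OK;
}

/* Builds the attacker's payload: filler for the buffer, then whatever lands
 * on the guard slot, then the new return address. Returns bytes written,
 * or 0 if `cap` is too small. */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t guard_bytes, uintptr_t new_ret)
{
    struct frame p;
    if (cap < sizeof p) return 0;
    memset(p.buf, 'A', sizeof p.buf);
    p.guard = guard_bytes;
    p.saved_ret = new_ret;
    memcpy(out, &p, sizeof p);
    return sizeof p;
}

int main(void)
{
    unsigned char pl[64];
    size_t n = build_payload(pl, sizeof pl, (uintptr_t)0x41414141UL, ATTACKER_RET);
    printf("unprotected kernel: %d (1 = hijacked)\n", run_copy(pl, n, 0));
    printf("protected kernel:   %d (2 = guard smashed, panic)\n", run_copy(pl, n, 1));
    return 0;
}
```

What the model shows and what it does not: the protector only converts a stack-buffer overwrite of the return address into a detected failure; an attacker who learns or guesses the guard, or who can overwrite a pointer that is used before the function returns, is outside what the check covers, which is the sense in which the hole remains a DoS rather than being closed.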