Message-ID: <Pine.GSO.4.44.0311181604310.1657-100000@sodom.uberhax0r.net>
From: noir at uberhax0r.net (noir@...rhax0r.net)
Subject: Re: yet another OpenBSD kernel hole ...
> Your code does:
> if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
> How on earth is this going to work against privilege separation ? In each
> sane setup, a server process is chrooted to a directory with no writable
> directories.
do you have any idea how many of those chrooted processes have temporary
directories in their chroot environment? many of the so-called priv
separated processes use temporary files, thus having writeable directories
in their chroot jail. you might have heard of the concept called system
call/API proxying: you can upload the ibcs2own binary and simulate this
exploit as if you ran it from a shell. not rocket science, simple and
straightforward ...
> Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
> stack smashing protection, which reduces this hole to pure local DoS only. Can
> you name any other OS which has any prevention against kernel buffer overflow ?
i can name OSes which do not have these kinds of hopeless, amateur bugs.
just a reminder that propolice protects against stack smashing, not heap
smashing, so it would be a joke to claim "prevention against kernel buffer
overflow" because it simply DOES NOT. there are tons of kmem allocator
overflows in OpenBSD, go figure ;-) ...
regards,
- noir
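The point noir makes about "privilege separated" daemons is that a chroot only stops the `open("./ibcs2own", ...)` trick if no directory in the jail is writable by the daemon's uid. The following is an added example, not code from this thread or from the ibcs2own exploit, of the audit a practitioner would run before trusting a jail: it walks a chroot root and reports every directory the (assumed, hypothetical) daemon uid/gid could write to, judging by the mode bits rather than by `access()`, so it gives the right answer even when the audit itself is run as root. The sample jail tree it builds under /tmp is constructed for the demonstration; the uid/gid 65534 stand in for whatever unprivileged account the daemon drops to. The owner/group/other precedence follows the classic DAC rules and ignores supplementary groups, which is a simplification.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Identity of the jailed daemon we are auditing on behalf of (assumed values). */
static uid_t audit_uid;
static gid_t audit_gid;

/* Directories found writable by that identity. */
#define MAX_HITS 256
static char hits[MAX_HITS][PATH_MAX];
static int nhits;

/* Classic DAC decision from the mode bits: owner bits if we own it, else group
 * bits if we share the group, else "other" bits. uid 0 bypasses DAC entirely.
 * Supplementary groups are deliberately ignored (simplification). */
static int dir_writable_for(const struct stat *sb, uid_t uid, gid_t gid)
{
    if (uid == 0) return 1;
    if (sb->st_uid == uid) return (sb->st_mode & S_IWUSR) != 0;
    if (sb->st_gid == gid) return (sb->st_mode & S_IWGRP) != 0;
    return (sb->st_mode & S_IWOTH) != 0;
}

static int visit(const char *path, const struct stat *sb, int type, struct FTW *f)
{
    (void)f;
    if (type != FTW_D) return 0;               /* only directories can host a new binary */
    if (dir_writable_for(sb, audit_uid, audit_gid) && nhits < MAX_HITS)
        snprintf(hits[nhits++], PATH_MAX, "%s", path);
    return 0;
}

/* Walk the jail rooted at 'root'; returns the number of writable dirs, or -1 on error. */
int audit_writable_dirs(const char *root, uid_t uid, gid_t gid)
{
    audit_uid = uid; audit_gid = gid; nhits = 0;
    if (nftw(root, visit, 16, FTW_PHYS) < 0) return -1;   /* FTW_PHYS: do not follow symlinks */
    return nhits;
}

const char *audit_hit(int i) { return (i >= 0 && i < nhits) ? hits[i] : NULL; }

/* Constructed sample jail: everything read-only except a world-writable tmp/,
 * which is exactly the layout noir is complaining about. */
int build_sample_jail(char *root, size_t len)
{
    char tmpl[] = "/tmp/jail-XXXXXX";
    char p[PATH_MAX];
    if (!mkdtemp(tmpl)) return -1;
    snprintf(root, len, "%s", tmpl);
    const char *ro[] = { "etc", "var", "var/run" };
    for (size_t i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", tmpl, ro[i]);
        if (mkdir(p, 0555) < 0 || chmod(p, 0555) < 0) return -1;
    }
    snprintf(p, sizeof p, "%s/tmp", tmpl);
    if (mkdir(p, 01777) < 0 || chmod(p, 01777) < 0) return -1;   /* chmod defeats umask */
    return chmod(tmpl, 0555);
}

/* Cleanup: first make every dir writable again, then remove depth-first. */
static int open_cb(const char *p, const struct stat *sb, int t, struct FTW *f)
{ (void)sb; (void)t; (void)f; return chmod(p, 0755); }
static int rm_cb(const char *p, const struct stat *sb, int t, struct FTW *f)
{ (void)sb; (void)t; (void)f; return remove(p); }
int remove_sample_jail(const char *root)
{
    if (nftw(root, open_cb, 16, FTW_PHYS) < 0) return -1;
    return nftw(root, rm_cb, 16, FTW_DEPTH | FTW_PHYS);
}

int main(void)
{
    char root[PATH_MAX];
    if (build_sample_jail(root, sizeof root) < 0) { perror("jail"); return 1; }
    int n = audit_writable_dirs(root, 65534, 65534);
    printf("%d writable directorie(s) for uid 65534 under %s\n", n, root);
    for (int i = 0; i < n; i++) printf("  %s\n", audit_hit(i));
    remove_sample_jail(root);
    return n > 0;   /* non-zero exit: the jail would not stop a dropped binary */
}
```

Run it against a real jail root with the daemon's actual uid and gid; any line of output is a directory where an attacker who has taken over that process (or is proxying system calls through it) can drop and then open a file, which is all the quoted `open("./ibcs2own", ...)` needs.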