Open Source and information security mailing list archives
From: noir at (
Subject: Re: yet another OpenBSD kernel hole ...

> Your code does:
> if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
> How on earth is this going to work against privilege separation ? In each
> sane setup, a server process is chrooted to a directory with no writable
> directories.

do you have any idea how many of those chrooted processes have temporary
directories in their chroot environment ? many of the so called priv
separated processes use temporary files thus having writable directories
in their chroot jail. you might have heard the concept called system
call/API proxying, you can upload the ibcs2own binary and simulate this
exploit as if you run it from a shell, not rocket science, simple and
straightforward ...

> Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
> stack smashing protection, which reduces this hole to pure local DoS only. Can
> you name any other OS which has any prevention against kernel buffer overflow ?

i can name OSes which do not have these kinds of hopeless, amateur bugs.
just a reminder that propolice protects against stack smashing not heap
smashing so it would be a joke to claim "prevention against kernel buffer
overflow" because it simply DOES NOT. there are tons of kmem allocator
overflows in OpenBSD, go figure ;-) ...

- noir
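As an added, defender's-side illustration of the point made above (this is not code from the thread or from OpenBSD): a Python audit that walks a chroot directory and reports every directory a given unprivileged uid could create files in, which is exactly the condition the reply says most "priv separated" jails still meet. The jail layout it builds under a temporary directory is a constructed sample.

```python
import os
import stat
import tempfile


def dir_writable_by(st, uid, gids):
    """True if a process running as uid (member of gids) could create
    entries in a directory whose os.stat result is st. Only the classic
    owner/group/other write bits are considered; ACLs are ignored."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_dirs(root, uid, gids):
    """Walk a chroot tree and return the directories (relative to root)
    that the unprivileged uid could write into. Symlinks are not followed,
    so a link pointing outside the jail cannot make the scan wander off."""
    found = []
    for dirpath, _dirnames, _files in os.walk(root, followlinks=False):
        if dir_writable_by(os.lstat(dirpath), uid, gids):
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def build_demo_jail():
    """Constructed sample jail: read-only etc/ and var/, plus a sticky
    world-writable var/tmp/ of the kind a daemon uses for scratch files."""
    root = tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "tmp"))
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "etc"), 0o755)
    os.chmod(os.path.join(root, "var"), 0o755)
    os.chmod(os.path.join(root, "var", "tmp"), 0o1777)
    return root


def demo_audit():
    """Audit the sample jail as a uid that owns nothing in it (the
    current uid plus one stands in for the daemon's unprivileged uid)."""
    root = build_demo_jail()
    return writable_dirs(root, os.getuid() + 1, set())


if __name__ == "__main__":
    print("writable by the jailed uid:", demo_audit())  # ['var/tmp']
```

An empty result is what a jail has to show before the "no writable directories" argument holds; anything listed is a place an uploaded binary could be written.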
