OpenBSD local DoS and root exploit

Friday, 10 May 2002, 12:48 AM EST

On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition.

In the mean time, Todd C. Miller posted the following to the OpenBSD security announce list:

In July of 1998 the OpenBSD kernel was modified to populate file descriptors 0-2 on exec for setuid (and setgid) processes. This was done to defeat an attack on setuid programs that open files for writing and also write to descriptors 0-2 (usually via stdin, stdout or stderr).

The fix at that time didn't properly deal with the possibility that the allocation of the dummy descriptors could fail due to a full file descriptor table. It has come to our attention that there is a winnable race condition when the file descriptor table is full, allowing an fd 0-2 attack to succeed.

(...)

The following patches are available:

OpenBSD-3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch
OpenBSD-3.0:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch
OpenBSD-2.9:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch
OpenBSD-current as well as the OpenBSD 2.9, 3.0 and 3.1 -stable branches have already been patched.

The Hackademy advisory on this issue can be seen through a link below.

[ Read more ]




Spotlight

How security analytics help identify and manage breaches

Posted on 30 July 2014.  |  Steve Dodson, CTO at Prelert, illustrates the importance of security analytics in today's complex security architectures, talks about the most significant challenges involved in getting usable information from massive data sets, and much more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Jul 31st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //