OpenBSD local DoS and root exploit
On current OpenBSD systems, any local user (whether or not a member of the wheel group) can fill the kernel file descriptor table, leading to a denial of service. Because of a flaw in the way the kernel checks for closed file descriptors 0-2 when running a setuid program, it is possible to combine these two bugs and gain root access by winning a race condition.
In the meantime, Todd C. Miller posted the following to the OpenBSD security announce list:
In July of 1998 the OpenBSD kernel was modified to populate file descriptors 0-2 on exec for setuid (and setgid) processes. This was done to defeat an attack on setuid programs that open files for writing and also write to descriptors 0-2 (usually via stdin, stdout or stderr).
The fix at that time didn't properly deal with the possibility that the allocation of the dummy descriptors could fail due to a full file descriptor table. It has come to our attention that there is a winnable race condition when the file descriptor table is full, allowing an fd 0-2 attack to succeed.
The following patches are available:
OpenBSD-current as well as the OpenBSD 2.9, 3.0 and 3.1 -stable branches have already been patched.
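The kernel change described above has a user-space counterpart: a setuid program can verify, before it opens anything, that descriptors 0, 1 and 2 are already open, and refuse to run when it cannot make them so. The following C program is an added example written for this page; it is not code from the advisory, from Todd C. Miller, or from the OpenBSD source tree. It assumes a POSIX environment with fcntl(), open(), dup2() and a /dev/null device, and it treats the failure case the advisory mentions (a full descriptor table, so the replacement open() fails) as fatal rather than continuing with a hole in the standard descriptors.

```c
/* Added example (not from the advisory): user-space guard that mirrors the
 * kernel mitigation for the "closed fd 0-2" attack on setuid programs.
 * Call it first thing in main(), before any file is opened, so a later
 * open() for writing can never land on stdin, stdout or stderr.
 * Assumes POSIX fcntl/open/dup2 and a /dev/null character device. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open descriptor, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Ensure descriptors 0, 1 and 2 are open, pointing any closed one at
 * /dev/null.  Returns the number of descriptors repaired (0..3), or -1 if
 * a replacement could not be allocated (e.g. EMFILE/ENFILE when the
 * descriptor table is full).  On -1 the caller must not continue:
 * the next open() would otherwise reuse a standard descriptor. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open() returns the lowest free descriptor; because 0..fd-1 are
         * already open at this point, that must be fd itself. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;                      /* table full or /dev/null missing */
        if (nfd != fd) {
            /* Invariant broken (another thread changed the table): fail closed. */
            close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Returns 1 if fd is open and refers to a character device (what /dev/null is). */
int fd_is_char_device(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISCHR(st.st_mode);
}

int main(void)
{
    if (sanitize_std_fds() == -1) {
        /* stderr itself may be the missing descriptor, so print nothing. */
        _exit(1);
    }
    /* Privileged work would follow here; a file opened for writing from
     * this point on cannot alias descriptor 0, 1 or 2. */
    printf("standard descriptors verified\n");
    return 0;
}
```

The key design choice is the -1 path: silently continuing when /dev/null cannot be opened recreates exactly the window the advisory describes, so the guard exits without touching stdio at all.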
The Hackademy advisory on this issue can be seen through a link below.