Re: OpenBSD local DoS and root exploit

From: Dave Ahmad (da@securityfocus.com)
Date: 05/09/02


Date: Thu, 9 May 2002 09:27:40 -0600 (MDT)
From: Dave Ahmad <da@securityfocus.com>
To: fozzy@dmpfrance.com

Hey,

After posting this, Fozzy sent another message mentioning that he left out
some credit. I requested that he fix the advisory and re-send it to the
list, but he hasn't gotten back to me fast enough ;). This needs to go
out, so here's the correction:

>I realized this credit problem just after sending my post :
>"Three weeks ago, XXXXXXXX from Pine released an advisory..." should be :
>"Three weeks ago, Joost Pol from Pine released an advisory...".

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Thu, 9 May 2002 fozzy@dmpfrance.com wrote:

>
> The following is research material from FozZy from Hackademy and Hackerz
> Voice newspaper (http://www.hackerzvoice.org), and can be distributed
> modified or not if proper credits are given to them. For educational
> purposes only, no warranty of any kind, I may be wrong, this post could
> kill you mail reader, etc.
>
>
> -= OVERVIEW =-
>
> On current OpenBSD systems, any local user (being or not in the wheel
> group) can fill the kernel file descriptors table, leading to a denial of
> service. Because of a flaw in the way the kernel checks closed file
> descriptors 0-2 when running a setuid program, it is possible to combine
> these bugs and earn root access by winning a race condition.
>
>