Re: OpenBSD local DoS and root exploit

From: Dave Ahmad (
Date: 05/09/02

Date: Thu, 9 May 2002 09:27:40 -0600 (MDT)
From: Dave Ahmad <>


After posting this, Fozzy sent another message mentioning that he left out
some credit. I requested that he fix the advisory and re-send it to the
list, but he hasn't gotten back to me fast enough ;). This needs to go
out, so here's the correction:

>I realized this credit problem just after sending my post :
>"Three weeks ago, XXXXXXXX from Pine released an advisory..." should be :
>"Three weeks ago, Joost Pol from Pine released an advisory...".

Dave Ahmad

On Thu, 9 May 2002 wrote:

> The following is research material from FozZy from Hackademy and Hackerz
> Voice newspaper (, and can be distributed
> modified or not if proper credits are given to them. For educational
> purposes only, no warranty of any kind, I may be wrong, this post could
> kill you mail reader, etc.
> -= OVERVIEW =-
> On current OpenBSD systems, any local user (being or not in the wheel
> group) can fill the kernel file descriptors table, leading to a denial of
> service. Because of a flaw in the way the kernel checks closed file
> descriptors 0-2 when running a setuid program, it is possible to combine
> these bugs and earn root access by winning a race condition.