openbsd 3.4 ps bug

From: thanos F_at_rm@k1s (F_at_rm@k1s)
Date: 11/19/03

    Date: 19 Nov 2003 19:20:27 -0000
    To: vuln-dev@securityfocus.com

    Security bug for openbsd 3.4

    While I was testing my new OpenBSD 3.4 I found the following problem.
    First of all, I have OpenBSD 3.4 fully patched with all the latest
    fixes on an i386 machine (P3, 128 MB RAM). Some of the ports were installed
    too (from the official 3-CD set which I bought). While I was playing with the
    command ps I found the following, which I have tested on two machines with
    four different kernels (2 patched and 2 unpatched). The utility ps has a flaw
    when used with the bash shell. Go to your root (/) directory or any dir that
    contains more than two files or directories and give the command ps -p * or
    ps -N * or ps -M * and you will instantly see a core dump file in your dir.
    The ps program is giving us a signal (SIGSEGV). Please try all the above args
    more than two times and first in your root dir. When I tried to confirm it with
    gdb it gave me the address 0x1c01c116 in ?? (). I don't have the
    time to confirm if the bug is exploitable or not but it is a big problem
    because a user (id 1000+) can also do that. This is a report which will also
    be submitted to bugtraq. It is also not confirmed that other versions are
    vulnerable to this bug. This bug can only be reproduced when bash2 is installed
    (from the official ports package) and in a dir where more than two files exist.
    Sorry for the bad English.

    The openbsd team has been informed.
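An added check script, not part of the original post, for anyone wanting to confirm whether their own ps is affected without hunting for core files: it builds a scratch directory with three entries (so the shell glob "*" expands to more than two arguments, which is what ps actually receives), runs the reported invocations there with core dumps disabled, and decodes the exit status to tell a clean error exit from a signal death. It assumes a POSIX sh, a writable /tmp (or $TMPDIR), and that the ps under test is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, a writable
# ${TMPDIR:-/tmp}, and that the "ps" under test is on PATH.

# run_glob_check CMD [ARG...]: create a directory with three plain files, cd
# into it and run CMD ARG... * so the glob expands to "a b c", as in the
# report. Core dumps are disabled for the child. Returns 0 when the command
# exited on its own (any code below 128, including "bad pid" errors) and 1
# when it was terminated by a signal (status 128+N in POSIX sh).
run_glob_check() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/psglob.XXXXXX") || return 2
    touch "$dir/a" "$dir/b" "$dir/c"      # "more than two" entries
    status=0
    (
        cd "$dir" || exit 2
        ulimit -c 0 2>/dev/null            # no core file even if it crashes
        "$@" * >/dev/null 2>&1
    ) || status=$?
    rm -rf "$dir"
    if [ "$status" -ge 128 ]; then
        echo "$1 $2: killed by signal $((status - 128)) (status $status)"
        return 1
    fi
    echo "$1 $2: exited normally with status $status"
    return 0
}

# Stand-alone use: try the three flags named in the report against local ps.
main() {
    for flag in -p -N -M; do
        run_glob_check ps "$flag"
    done
}
main
```

A non-zero exit code below 128 (for example ps rejecting "a" as a pid) is the expected, healthy outcome; only a status of 128 or more indicates the crash described above.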

