Re: openbsd 3.4 ps bug

From: Kurt Seifried (bt_at_seifried.org)
Date: 11/20/03

    To: "thanos F@rm@k1s" <fsvsunix@hotmail.com>, <vuln-dev@securityfocus.com>
    Date: Thu, 20 Nov 2003 02:51:53 -0700

    > Security bug for OpenBSD 3.4
    >
    > While I was testing my new OpenBSD 3.4 I found the following problem.
    > First of all, I have OpenBSD 3.4 fully patched with all the latest
    > fixes on an i386 machine (P3, 128 MB RAM). Some of the ports were installed
    > too (from the official 3-CD set which I bought). While I was playing with the
    > command ps I found the following, which I have tested on two machines with
    > four different kernels (2 patched and 2 unpatched). The utility ps has a flaw
    > when used with the bash shell. Go to your root (/) directory or any dir that
    > contains more than two files or directories and give the command ps -p * or
    > ps -N * or ps -M * and you will instantly see a core dump file in your dir.
    > The ps program is giving us a signal (SIGSEGV). Please try all the above args
    > more than two times, and first in your root dir. When I tried to confirm it
    > with gdb it gave me the address 0x1c01c116 in ?? (). I don't have the
    > time to confirm if the bug is exploitable or not, but it is a big problem
    > because a user (id 1000+) can also do that. This is a report which will also
    > be submitted to bugtraq. It is also not confirmed that other versions are
    > vulnerable to this bug. This bug can only be reproduced when bash2 is installed
    > (from the official ports package) and in a dir where more than two files
    > exist.
    > Sorry for the bad English.
    >
    > The OpenBSD team has been informed.

    Yes, this creates a core dump. I fail to see how this is exploitable for
    additional privileges, however, as ps is not setuid/setgid (simply mode 0555).
    Can you please enlighten us as to how this is exploitable for additional
    privileges?

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
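Kurt's argument rests on one check: a crash in a binary that is not setuid/setgid runs entirely with the caller's own uid, so the SIGSEGV gains nothing. The POSIX sh helper below makes that triage explicit for any path; it is an added example written for this archive page, not code from either poster, and it assumes only that `ls -ldL` prints the usual mode and owner fields.

```shell
#!/bin/sh
# Triage helper: does a crash in this binary cross a privilege boundary?
# On the OpenBSD 3.4 box in the report, /bin/ps is mode 0555, so the
# verdict for it is "none": the core dump is the caller's own process.

# classify_mode MODE OWNER
# MODE is the 10-character permission field from `ls -l` (e.g. -r-xr-xr-x),
# OWNER the owner name. Prints one of: setuid-root, setuid, setgid, none.
classify_mode() {
    mode=$1
    owner=$2
    # Column 4 is the owner-execute slot: 's' or 'S' there means setuid.
    user_x=$(printf '%s' "$mode" | cut -c4)
    # Column 7 is the group-execute slot: 's' or 'S' there means setgid.
    group_x=$(printf '%s' "$mode" | cut -c7)
    case "$user_x" in
        s|S)
            if [ "$owner" = "root" ]; then
                echo setuid-root
            else
                echo setuid
            fi
            return 0
            ;;
    esac
    case "$group_x" in
        s|S) echo setgid; return 0 ;;
    esac
    echo none
}

# crash_crosses_boundary PATH
# Uses ls -ldL (portable across OpenBSD and Linux, unlike stat's flags, and
# -L follows symlinks so /bin/sh -> dash is judged by the target) and hands
# the mode and owner fields to classify_mode. Returns 2 if PATH is missing.
crash_crosses_boundary() {
    line=$(ls -ldL "$1") || return 2
    set -- $line
    classify_mode "$1" "$3"
}

# Example: crash_crosses_boundary /bin/ps
```

A verdict of `none` means a SIGSEGV in that program is at worst a local crash of the invoking user's own process; only `setuid-root`, `setuid` or `setgid` would make the crash worth a deeper look.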
