RE: openbsd 3.4 ps bug
From: Dom De Vitto (dom_at_DeVitto.com)
Date: 11/20/03
- Previous message: Daniel: "Re: openbsd 3.4 ps bug"
- In reply to: Kurt Seifried: "Re: openbsd 3.4 ps bug"
- Next in thread: Nash Leon: "RE: openbsd 3.4 ps bug"
- Reply: Nash Leon: "RE: openbsd 3.4 ps bug"
To: <vuln-dev@securityfocus.com>
Date: Thu, 20 Nov 2003 21:59:41 -0000
I personally think it's interesting that ps does not appear to be
well formed, as other (setuid/gid) processes could share this issue;
however, Kurt's point is valid - if there is no elevation of privilege,
this is not a 'security bug'.
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Tel. 07855 805 271
http://www.devitto.com mailto:dom@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message-----
From: Kurt Seifried [mailto:bt@seifried.org]
Sent: Thursday, November 20, 2003 9:52 AM
To: thanos F@rm@k1s; vuln-dev@securityfocus.com
Subject: Re: openbsd 3.4 ps bug
> Security bug for openbsd 3.4
>
> While I was testing my new openbsd 3.4 I found the following problem.
> First of all I have the OpenBSD 3.4 fully patched with all the latest
> fixes in an i386 machine (P3 128mb ram). Some of the ports were
> installed too (from the official 3cd set which I bought). While I was
> playing with the command ps I found the following, which I have tested
> in two machines with four different kernels (2 patched and 2 unpatched).
> The utility ps has a flaw when used with the bash shell. Go to your
> root (/) directory or any dir that contains more than two files or
> directories and give the command ps -p * or ps -N * or ps -M * and you
> will instantly see a core dump file in your dir. The ps program is
> giving us a signal (SIGSEGV). Please try all the above args more than
> two times and first in your root dir. When I tried to confirm it with
> gdb it gave me the address 0x1c01c116 in ?? (). I don't have the
> time to confirm if the bug is exploitable or not but it is a big
> problem because a user (id 1000+) can also do that. This is a report
> which will also be submitted to bugtraq. It is also not confirmed
> that other versions are vulnerable to this bug. This bug can only be
> reproduced when bash2 is installed (from the official ports package)
> and in a dir where more than two files exist.
> Sorry for the bad English.
>
> The openbsd team has been informed.
Yes this creates a core dump. I fail to see how this is exploitable for
additional privileges however as ps is not setuid/setgid (simply mode 0555).
Can you please enlighten us as to how this is exploitable for additional
privileges?
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
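
The check Kurt applies (is the crashing binary setuid/setgid, or plain mode 0555?) and Dom's concern about other setuid/gid programs can both be run from the shell. This is an added example, not part of the original thread; the function names and the temporary demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a crashing program sit on a privilege boundary?

# Print a one-word classification for the program at $1:
#   setuid, setgid, setuid+setgid -> runs with its owner's/group's privileges
#   plain                         -> runs with the caller's own privileges
#   missing                       -> not a regular file
priv_class() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    if [ -u "$f" ] && [ -g "$f" ]; then echo setuid+setgid
    elif [ -u "$f" ]; then echo setuid
    elif [ -g "$f" ]; then echo setgid
    else echo plain
    fi
}

# List every setuid or setgid regular file under directory $1: the programs
# where the same kind of argument-handling crash would need a closer look.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Constructed demo: empty stand-in files for a mode-0555 tool and a setuid one.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/plain_tool"; chmod 0555 "$d/plain_tool"
    : > "$d/suid_tool";  chmod 4555 "$d/suid_tool"
    echo "plain_tool: $(priv_class "$d/plain_tool")"
    echo "suid_tool:  $(priv_class "$d/suid_tool")"
    echo "privileged files found:"
    list_privileged "$d"
    rm -rf "$d"
}

demo
```

On a real system, `priv_class /bin/ps` gives the answer for the binary under discussion, and `list_privileged /usr/bin` gives the set of programs worth auditing for the same flaw.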