RE: openbsd 3.4 ps bug

From: Dom De Vitto (dom_at_DeVitto.com)
Date: 11/20/03

    To: <vuln-dev@securityfocus.com>
    Date: Thu, 20 Nov 2003 21:59:41 -0000

    I personally think it's interesting that ps does not appear to be
    well formed (as other, setuid/gid, processes could share this issue);
    however, Kurt's point is valid - if there is no elevation of privilege,
    this is not a 'security bug'.

    Dom
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Dom De Vitto Tel. 07855 805 271
    http://www.devitto.com mailto:dom@devitto.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    -----Original Message-----
    From: Kurt Seifried [mailto:bt@seifried.org]
    Sent: Thursday, November 20, 2003 9:52 AM
    To: thanos F@rm@k1s; vuln-dev@securityfocus.com
    Subject: Re: openbsd 3.4 ps bug

    > Security bug for openbsd 3.4
    >
    > While I was testing my new OpenBSD 3.4 I found the following problem.
    > First of all I have OpenBSD 3.4 fully patched with all the latest
    > fixes on an i386 machine (P3, 128mb RAM). Some of the ports were
    > installed too (from the official 3-CD set which I bought). While I was
    > playing with the command ps I found the following, which I have tested
    > on two machines with four different kernels (2 patched and 2 unpatched).
    > The utility ps has a flaw when used with the bash shell. Go to your
    > root (/) directory or any dir that contains more than two files or
    > directories and give the command ps -p * or ps -N * or ps -M * and you
    > will instantly see a core dump file in your dir.
    > The ps program is giving us a signal (SIGSEGV). Please try all the
    > above args more than two times and first in your root dir. When I tried
    > to confirm it with gdb it gave me the address 0x1c01c116 in ?? (). I
    > don't have the time to confirm if the bug is exploitable or not, but it
    > is a big problem because a user (id 1000+) can also do that. This is a
    > report which will also be submitted to bugtraq. It is also not
    > confirmed that other versions are vulnerable to this bug. This bug can
    > only be reproduced when bash2 is installed (from the official ports
    > package) and in a dir where more than two files exist.
    > Sorry for the bad English.
    >
    > The openbsd team has been informed.

    Yes, this creates a core dump. I fail to see how this is exploitable for
    additional privileges, however, as ps is not setuid/setgid (simply mode 0555).
    Can you please enlighten us as to how this is exploitable for additional
    privileges?

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
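The triage question in the thread above is whether the crashing binary crosses a privilege boundary at all, which is what Kurt settles by looking at the mode of ps (0555, no setuid/setgid). The script below is an added example, not code from anyone in this thread: it reads the `ls -l` permission string of a given path and reports whether the setuid or setgid bit is set, so a reported crash can be sorted into "privilege-boundary issue" or "plain bug" before any deeper analysis. The function names and the sample permission strings are my own constructions.

```shell
#!/bin/sh
# Added example: classify a crash report by whether the binary runs with
# elevated privileges (setuid/setgid), the check Kurt applied to ps.

# mode_has_suid_sgid PERMSTRING
# PERMSTRING is the 10-character permission field from `ls -l`,
# e.g. "-r-sr-xr-x". The owner execute slot (character 4) shows 's'/'S'
# for setuid and the group execute slot (character 7) shows 's'/'S' for
# setgid. Returns 0 (true) when either bit is set, 1 otherwise.
mode_has_suid_sgid() {
    perm=$1
    owner_x=$(printf '%s' "$perm" | cut -c4)
    group_x=$(printf '%s' "$perm" | cut -c7)
    case "$owner_x$group_x" in
        *[sS]*) return 0 ;;
        *)      return 1 ;;
    esac
}

# binary_is_privileged PATH
# Reads the permission string of PATH with `ls -ld` and applies the
# check above. Returns 2 if PATH cannot be read.
binary_is_privileged() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perm" ] || return 2
    mode_has_suid_sgid "$perm"
}

# triage PATH
# Prints a one-line verdict for a crash reported in PATH.
triage() {
    if binary_is_privileged "$1"; then
        echo "$1: setuid/setgid - a crash here crosses a privilege boundary"
    else
        echo "$1: not setuid/setgid - a crash here is a bug, not a privilege escalation"
    fi
}

# Usage (the path is whatever binary the report names):
#   triage /bin/ps
```

The check deliberately parses the `ls -l` output rather than `stat`, because `stat` flags differ between OpenBSD and GNU userlands while the permission column is the same everywhere. A binary that is not setuid/setgid can still matter if it is run by a privileged daemon or via sudo, so the verdict answers only the question raised in the thread: whether an unprivileged user gains anything by crashing it directly.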