OpenBSD Journal

OpenBSD local DOS and root exploit

Contributed by Dengue on from the never-trust-the-users dept.

KryptoBSD writes:

"On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition.

The following is research material from FozZy from Hackademy and Hackerz Voice newspaper ( ) and can be distributed modified or not if proper credits are given to them. For educational purposes only, no warranty of any kind, I may be wrong, this post could kill your mail reader, etc."

Patch 003 fixes this condition in OpenBSD 3.1, and Patch 021 fixes this condition in OpenBSD 3.0. See errata.html for more details.
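Independently of the kernel fix, a setuid program can refuse to run with any of descriptors 0-2 closed, the condition the report above relies on. The following C code is an added example, not taken from the OpenBSD patches or from the advisory; the function name sanitize_stdfds is hypothetical. It reopens closed standard descriptors on /dev/null and fails closed if that is not possible, for example when the file table is full.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Make sure descriptors 0, 1 and 2 are open before the program opens
 * any file of its own. If one is closed, the next open() would return
 * that number, and later writes to "stdout" or "stderr" would land in
 * that file instead. Returns 0 when all three are open on return,
 * -1 when one could not be made safe (caller must not continue).
 */
int sanitize_stdfds(void)
{
    struct stat sb;
    int fd;

    for (fd = 0; fd <= 2; fd++) {
        if (fstat(fd, &sb) == 0)
            continue;               /* already open, leave it alone */
        if (errno != EBADF)
            return -1;              /* unexpected error: fail closed */

        /* fd is closed: park it on /dev/null. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;              /* ENFILE/EMFILE etc.: fail closed */
        if (nfd != fd) {
            /* Not expected (lower fds are open), handled anyway. */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
    }
    return 0;
}

int main(void)
{
    /* First thing a privileged program does, before any other open(). */
    if (sanitize_stdfds() != 0)
        _exit(1);                   /* no trustworthy stderr to report on */
    /* ... privileged work would start here ... */
    return 0;
}
```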

(Comments are closed)

  1. By Anonymous Coward () on

    Isn't this bug the same seen on FreeBSD about a month ago?

    1. By Cindy_Montreal () on

      Yeah, OpenBSD ports over all the bugs, flaws, and other problems. Then fixes them.

      What would be nice, if in ports there were packages that contain nothing but bugs, flaws, security risks, and other problems. This way anyone who feels they need to install a security problem could. :)

      -- Cindy_Montreal

      1. By Anonymous Coward () on

        Thought you were from Calgary too?

        1. By Anonymous Coward () on

          And this is Theo that found the bug on FreeBSD.
          I think it is better if he audits OpenBSD
          rather than FreeBSD...

        2. By Cindy_Montreal () on

          No, relocated back to Montreal for a bit. But soon shall be back in the land of Ralph, with all the gophers.

          1. By Roo () on

            Lucky you in Montreal... I loved MTL so much that I ended up extending my holiday from 2 weeks to 6 and then another 2 week stint later in the year. :)

            Grand Prix should be coming up soon, that place goes mad during GP week!

            Favourite places to eat out were Kaizen, Primadonna and for somewhere less pricey I used to love the Mess Hall in Westmount. That was near where I was staying - handy.

            It's possible that I might be heading back out there for a couple of weeks in June. Here's hoping, love that city!


  2. By Anonymous Coward () on

    I wonder if that vulnerability was one of the reasons for the recent wave of stripping the current tree from suid bits...

    1. By Anonymous Coward () on

      When I saw this notice, I thought I better zip on
      over to to get the patch.
      But this bug was found and fixed on May 8 so I did
      not need to do anything.

