Learning about stack based kernel overflows, and OpenBSD

Contributed by jose on 2004-02-08 from the more-instruction dept.

rik writes: "Kris Vangeneugden has written a GCIH paper on OpenBSD Privilege Escalation. It references Guninski's advisory from 2003. The paper can be found at http://www.giac.org/practical/GCIH/Kris_Vangeneugden_GCIH.pdf "

(Comments are closed)

Comments

By Dunceor () on 2004-02-08 18:25

nice live example and got analysis of the vuln/exploit..
By Helevius () on 2004-02-09 08:05

Hello,
This is not a troll question -- I would like some expert commentary on a Slashdot post about the latest OpenBSD issue. This comment says:
"There have actually been a number of local and remote root holes in the default install of OpenBSD during that time frame..the only sense in which their claim is true is that they don't count root holes except in the head of the CVS tree. If a release from a year ago had the hole, but the current tree does not, they don't count it.
For example, a couple of years ago there was a telnetd exploit discovered after OpenBSD had disabled telnetd by default in OpenBSD-current, but a recent prior release had shipped with telnetd enabled. That allowed them to rationalize not counting it as a remote hole. There are a number of other similar examples."
Can someone elaborate on this or refute it?
Thank you,
Helevius
Comments
1. By Josh () selerius@codefusion.org on 2004-02-09 08:17 http://codefusion.org
  
  Thats BS. OpenBSD maintains a -stable branch in the CVS Repository for one year. Each release is maintained for exactly one year...with a formal release being made every 6 months. That means right now, 3.3 -stable is available in CVS. After the one year mark, your on your own in regards to patches, etc.
  
  Not only are major problems fixed in -stable, but also minor one's as well...
  
  See http://www.openbsd.org/faq/faq5.html#Flavors for more information.
2. By Daniel Hartmeier () daniel@benzedrine.cx on 2004-02-09 09:09 mailto:daniel@benzedrine.cx
  
  I assume the reference is to the teso telnetd advisory, which was published Jul 18 2001.
  
  Check cvsweb. OpenBSD was at 2.9-current at that time (2.9 the most recent release).
  
  telnetd was disabled in /etc/inetd.conf r1.32, on Sep 26 1999, the last release with telnetd enabled was 2.5, from April 1999.
  
  So, not exactly a "recent prior release", but rather a more than two years older, unsupported release.
  
  So, yes, if you find a remote exploit NOW that works only against 2.x-release, I guess the counter on the web site wouldn't be increased. Even if the hole WAS present when that 2.x was released, and MIGHT have been known ever since then.
  
  Does that definition of the counter make the statement significantly less strong for the typical user, who updates once a year and doesn't run unsupported releases?
  
  I guess if you want a counter increment as a trophy, you'll have to accept how it is defined, and find a bug in recent code. It's not redefined arbitrarily, the sshd hole incremented it, after all.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]