From: Jeremy C. Reed (reedreedmedia.net)
Date: Fri Jun 15 2001 - 15:36:36 CDT

    I didn't see any news about the Guninski OpenBSD security advisory related
    to NetBSD.

    "A race condition exists in the kernel execve(2) implementation that
    opens a small window of vulnerability for a non-privileged user to
    ptrace(2) attach to a suid/sgid process." (From OpenBSD's errata.)

    "By forking a few processes it is possible to attach to +s pid with ptrace.
    The process seems to be in a strange state when it is attached.
    Contrary to the man info PT_DETACH allows specifying an address to which
    execution is continued." (From Guninski.)

    It appears the NetBSD kern_exec code is slightly different -- using
    lockmgr() -- than OpenBSD's.

    And from trying the http://www.guninski.com/vvopenbsd.c exploit, I don't
    see anything happening (no root) on my NetBSD 1.5.1_ALPHA (i386) system
    (other than when I ran it a few times, my load went to 25+, but system was
    still usable even though slow). I did notice that the rxvt windows I was
    in exited a few times after saying exit.

    Can anyone confirm if this problem exists in NetBSD?

    The exploit uses su -- is this exploit doable for users not in the wheel
    group?

       Jeremy C. Reed
       http://www.reedmedia.net/