Subject: vvopenbsd.c exploit for kern_exec.c
To: None <firstname.lastname@example.org>
From: Jeremy C. Reed <email@example.com>
Date: 06/15/2001 13:36:36
I didn't see any news about the Guninski OpenBSD security advisory related
"A race condition exists in the kernel execve(2) implementation that
opens a small window of vulnerability for a non-privileged us er to
ptrace(2) attach to a suid/sgid process." (From OpenBSD's errata.)
"By forking a few process it is possible to attach to +s pid with ptrace.
The process seems to be in a strange state when it is attached.
Contrary to the man info PT_DETACH allows specifying an address to which
execution is continued." (From Guninski.)
It appears the NetBSD kern_exec code is slightly different -- using
lockmgr() -- than OpenBSDs.
And from trying the http://www.guninski.com/vvopenbsd.c exploit, I don't
see anything happening (no root) on my NetBSD 1.5.1_ALPHA (i386) system
(other than when I ran it a few times, my load went to 25+, but system was
still usable even though slow). I did notice that the rxvt windows I was
in exited a few times after saying exit.
Can anyone confirm if this problem exists in NetBSD?
The exploit uses su -- is this exploit doable for users not in the wheel
Jeremy C. Reed