Subject: vvopenbsd.c exploit for kern_exec.c
To: None <tech-security@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 06/15/2001 13:36:36
I didn't see any news about the Guninski OpenBSD security advisory related
to NetBSD.

"A race condition exists in the kernel execve(2) implementation that
opens a small window of vulnerability for a non-privileged user to
ptrace(2) attach to a suid/sgid process." (From OpenBSD's errata.)

"By forking a few processes it is possible to attach to +s pid with ptrace.
The process seems to be in a strange state when it is attached.
Contrary to the man info PT_DETACH allows specifying an address to which
execution is continued." (From Guninski.)

It appears the NetBSD kern_exec code is slightly different -- using
lockmgr() -- than OpenBSD's.

And from trying the http://www.guninski.com/vvopenbsd.c exploit, I don't
see anything happening (no root) on my NetBSD 1.5.1_ALPHA (i386) system
(other than when I ran it a few times, my load went to 25+, but system was
still usable even though slow). I did notice that the rxvt windows I was
in exited a few times after saying exit.

Can anyone confirm if this problem exists in NetBSD?

The exploit uses su -- is this exploit doable for users not in the wheel
group?

   Jeremy C. Reed
   http://www.reedmedia.net/