Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (UNIX)  >   OpenBSD Kernel Vendors:   OpenBSD
(OpenBSD Issues Fix for 3.3) OpenBSD Kernel ibcs Overflow Yields Root Privileges to Local Users
SecurityTracker Alert ID:  1008237
SecurityTracker URL:
CVE Reference:   CVE-2003-0955   (Links to External Site)
Updated:  Nov 24 2003
Original Entry Date:  Nov 19 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Tested on 3.3, 3.4
Description:   A buffer overflow vulnerability was reported in the OpenBSD kernel. A local user can execute arbitrary code to gain root privileges.

Georgi Guninski reported that there is a stack based kernel overflow in OpenBSD in the 'ibcs2_exec.c'.

A demonstration exploit is provided in the Source Message and in the original advisory.

The original advisory is available at:

The vendor was reportedly notified on November 15, 2003.

Impact:   A local user can execute arbitrary code with kernel privileges.
Solution:   OpenBSD has released a fix for OpenBSD 3.3 (in addition to the previously reported patch for OpenBSD 3.4):

Vendor URL: (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
Nov 17 2003 OpenBSD Kernel ibcs Overflow Yields Root Privileges to Local Users

 Source Message Contents

Subject:  Re: compat_ibcs2(8) privilege escalation (3.3) / kernel panic (3.4)

On Tue, Nov 18, 2003 at 02:57:31PM +0100, Henning Brauer wrote:
> Georgi Guninski reported a stack overrun due to a missing bounds check 
> in the kernel's iBCS2 emulation.  Another similar problem was also fixed 
> at the same time.
> This issue only affects the i386 architecture.
> On OpenBSD 3.3, this may result in arbitray code execution and local user
> privilege escalation.
> On OpenBSD 3.4, ProPolice catches this, turning a potential privilege
> escalation into a denial of service.
> Fixes have been committed to the -stable cvs branches, and patches are
> also available at
> and

sorry, the pathes are wrong in the initial mail.
the correct ones are


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC