SecurityTracker.com
Category:   OS (UNIX)  >   OpenBSD Kernel
Vendors:   OpenBSD
(OpenBSD Issues Fix for 3.3) OpenBSD Kernel ibcs Overflow Yields Root Privileges to Local Users
SecurityTracker Alert ID:  1008237
SecurityTracker URL:  http://securitytracker.com/id/1008237
CVE Reference:   CVE-2003-0955
Updated:  Nov 24 2003
Original Entry Date:  Nov 19 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Tested on 3.3, 3.4
Description:   A buffer overflow vulnerability was reported in the OpenBSD kernel. A local user can execute arbitrary code to gain root privileges.

Georgi Guninski reported a stack-based buffer overflow in the OpenBSD kernel, in 'ibcs2_exec.c'.

A demonstration exploit is provided in the Source Message and in the original advisory.

The original advisory is available at:

http://www.guninski.com/msuxobsd2.html

The vendor was reportedly notified on November 15, 2003.

Impact:   A local user can execute arbitrary code with kernel privileges.
Solution:   OpenBSD has released a fix for OpenBSD 3.3 (in addition to the previously reported patch for OpenBSD 3.4):

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/i386/006_ibcs2.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/i386/011_ibcs2.patch

Vendor URL:  www.openbsd.org/
Cause:   Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
Nov 17 2003 OpenBSD Kernel ibcs Overflow Yields Root Privileges to Local Users



 Source Message Contents

Subject:  Re: compat_ibcs2(8) privilege escalation (3.3) / kernel panic (3.4)


On Tue, Nov 18, 2003 at 02:57:31PM +0100, Henning Brauer wrote:
> Georgi Guninski reported a stack overrun due to a missing bounds check 
> in the kernel's iBCS2 emulation.  Another similar problem was also fixed 
> at the same time.
> 
> This issue only affects the i386 architecture.
> 
> On OpenBSD 3.3, this may result in arbitrary code execution and local user
> privilege escalation.
> 
> On OpenBSD 3.4, ProPolice catches this, turning a potential privilege
> escalation into a denial of service.
> 
> Fixes have been committed to the -stable cvs branches, and patches are
> also available at
>   ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/006_ibcs2.patch
> and
>   ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/011_ibcs2.patch

Sorry, the paths are wrong in the initial mail.
The correct ones are
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/i386/006_ibcs2.patch
and
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/i386/011_ibcs2.patch


Copyright 2022, SecurityGlobal.net LLC