Date: Thu, 21 Jun 2001 07:40:26 -0400
From: James Babiak <jfbabiak@webmail.tc.cc.va.us.>
To: [email protected]
Subject: Recent OpenBSD 2.8/2.9 Exploit - stephanie patched kernels unaffected
In testing the recent obsd exploit by Georgi Guninski out, I have found out
that my OpenBSD 2.8 box was not vulnerable. I have come to the conclusion
that those boxes with the stephanie kernel patches by Mike Schiffman and doe
are not vulnerable to this exploit, at least without modifying the exploit
itself. My box has extremely anally granular file access control, however I
ran this exploit using my account with full permissions, and I was in the
tpe_adm group. I imagine that the symlink restrictions prevent the exploit
from working.
Workarounds:
From what I read, the stephanie patches do not have hard link restrictions.
However, on my box /tmp is its own partition (duh), therefore not allowing
me to do a cross-device link. I don't have any obsd boxes without /tmp on
its own partition to test this out, but it may be a workaround or at least a
place to start.
Re-write the exploit to not use the /tmp symlinks.
I'm also sure there is some way to circumvent the symlink restrictions in
place.
In any case, I am working on a way around this, but at least with those
patches in place, the exploit is "script-kiddie-proof." In other words, even
Jeff King with his elite EXPN warez couldn't exploit it.
For those not familiar with the Stephanie patch, you can read more about it
and download it at:
http://www.packetfactory.net/Projects/Stephanie/
Congrats to route and doe for coming up with a patch to a hole not yet
discovered =].
-james