Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Local Root Hole Patched

Posted by jamie on from the could-have-been-worse dept.

unFKNreal writes "A fellow by the name of Georgi Guninski has discovered a local root compromise in OpenBSD 2.8 & 2.9. He says its due to a race in the kernel, similar to the linux kernel race a few months back." The patch is out as of a few hours ago. Even a BSD newbie like me got his firewall patched and rebooted with no problem, after taking a moment to reread the patching instructions and kernel rebuild FAQ. The bad news: the hole was posted to bugtraq Thursday morning, with exploit code, so the black hats had a jump on you (sadly, note the date Guninski says OpenBSD was informed). If your system has any users you don't fully trust, check it over carefully after you patch! Update 3h later by J : Apparently NetBSD is affected too, and a fix is in-tree.

6 of 39 comments (clear)

  1. Re:waiter I have a fly in my soup. by The_Messenger · · Score: 3
    Here is an example of one of Theo's posts:

    SNIP>>---

    To: bugtraq@security-focus.com
    From: freegaysex@openbsd.org

    On 9 June 2001, someone whined:

    > and then I found the hole. It was a
    >> remarkably easy exploit, actually, and I now
    >> wonder just how thorough the "code audit"
    >> was. Perhaps Theo should take a more open stance
    >> and let more people into the development
    >> process. Hey, fuck you buddy! I don't want scum like you NEAR my software! Mine! In fact the next release will query my personal server and automatically wipe your disk if it detects your email or IP. Man, I am so going to go outside and break bottle against trees in my anger! Oooh!

    Theo "The Rat" de Raadt


    --

    --

    --
    I like to watch.

  2. Re:Still impressive by mduell · · Score: 3

    I recently isntall OpenBSD as a router for my home network and its wonderful. The install took less than 30 minutes from a home-brewed CD. It automagically recognized all of my hardware, and was much less painful than some linux installs I've done.
    Installing apache was painless (except I had to install libtool first), and NAT, dhcpd, and ipf were pre-installed, all I had to do was enable them.

    Note: OpenBSD used to claim 3 years without a remote root exploit and 2 years without a local one, but they dropped the local record a few months ago after one was found, and now the remote root exploit record is up to 4 years.

    Mark Duell

  3. Still impressive by clark625 · · Score: 3

    From what I remember reading recently, isn't this the first root compromise on BSD in several years? I've been considering switching critical components to OpenBSD recently, and to be honest hearing this is reassuring. My hat's off to the guys that found this--as well as the entire BSD teams that put together such good solid code.

    --
    Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
  4. sigh by joq · · Score: 3


    It's possible the OpenBSD team was more focused on releasing 2.9 which many were waiting for as opposed to hurrying to release a patch, only they know. It's funny how many are quick to jump the gun and criticize them for doing something they've done freely, and nicely for years. It's also possible that it got lost in communication.

    The submitter sounds as if someone at OpenBSD just refused to acknowledge a problem which is sort of biased, since he wouldn't know why the patch took some time. Remember the team has a bug reporting system in which many different steps are taken to resolve a problem. Sometimes they have to recreate the problem entirely, and since systems vary, it's also possible someone who did test it, wasn't affected on their machine.

    Many reasons can be attributed for not releasing it asap. Seriously though, when incidents are submitted no one corp, or person should be expected to release a fix one minute later.

    --

    Want Root?
  5. waiter I have a fly in my soup. by ThatField · · Score: 4

    Seems to me like some people expect perfection from the OpenBSD crew. Yeah, it's a root exploit, but there's certainly far less exploits for major damage on OpenBSD than any or most any other OS's. I don't understand how someone can complain about a patch coming out 6 days after starting work on it. Knowing what I know about the OpenBSD bunch, I wouldn't be surprised if it took 6 days because they wanted to be sure the patch would totally cover the problem without leaving a hole or causing another hole in the system somewhere. I'm still using OpenBSD as a prefered choice OS. Can't knock the soup or the cook, just because one bowl had a fly in it. BSD still rocks, especially when it's open.

    <Dev/>
  6. Re:Weren't the audits supposed to take care of thi by Tiroth · · Score: 5
    If you had ever coded even simple reentrant code you would realize how subtle race conditions can be. And look at the conditions required for the exploit to work:

    Works best after reboot - the +s program must not be executed before, seems
    executes /tmp/sh
    /tmp/su must be a link to +s program
    if the +s program has been executed, create and run shell script the size of RAM
    You may need to type "fg" if the program receives stop signal
    you may need to run the program several times
    Even allowing for all of this, the exploit doesn't work every time.

    The hardest bugs to spot are the ones that happen rarely. Even harder to spot are exploits...because while they are technically bugs, in practice they generally rely on the author to do things that no sane coder would ever try in a "normal" program.