Cambridge Researcher Breaks OpenBSD Systrace
An anonymous reader writes "University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD's Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release."
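The check-then-use race the summary refers to, modelled as an added example (this is not Watson's code nor any of the affected projects' code): a wrapper that checks a path argument still sitting in caller-writable memory, beside a hardened wrapper that snapshots the argument once and checks and uses that single copy. The racing writer is a deterministic hook standing in for a concurrent process, so the outcome does not depend on timing; the policy, paths and function names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Watson's code: a user-space model of the
 * check-vs-use race in system call wrappers. The racing process or
 * thread is modelled by a deterministic hook so the result is reproducible. */
#define PATHLEN 64
typedef void (*between_hook)(char *shared_arg);

static bool policy_allows(const char *path) {
    return strncmp(path, "/tmp/", 5) == 0;   /* only /tmp/... is permitted */
}

/* Vulnerable design: check the live shared buffer, then let the kernel
 * copy it again. Returns the path the kernel used, or NULL if denied. */
const char *wrapper_vulnerable(char *shared_arg, between_hook race,
                               char *used, size_t len) {
    if (!policy_allows(shared_arg))  /* check reads shared memory */
        return NULL;
    if (race) race(shared_arg);      /* window between check and use */
    snprintf(used, len, "%s", shared_arg);   /* kernel re-reads argument */
    return used;
}

/* Hardened design: snapshot the argument once into memory the caller
 * cannot touch, then check and use that single copy. */
const char *wrapper_hardened(char *shared_arg, between_hook race,
                             char *used, size_t len) {
    char snapshot[PATHLEN];
    snprintf(snapshot, sizeof snapshot, "%s", shared_arg);
    if (!policy_allows(snapshot))
        return NULL;
    if (race) race(shared_arg);      /* too late: wrapper holds its own copy */
    snprintf(used, len, "%s", snapshot);
    return used;
}

/* Constructed racing writer: swaps the argument for a forbidden path. */
static void swap_argument(char *shared_arg) {
    snprintf(shared_arg, PATHLEN, "%s", "/etc/master.passwd");
}

/* Runs one scenario: caller passes "/tmp/harmless", racer rewrites it. */
const char *demo(bool hardened) {
    static char arg[PATHLEN], used[PATHLEN];
    snprintf(arg, sizeof arg, "%s", "/tmp/harmless");
    return hardened ? wrapper_hardened(arg, swap_argument, used, sizeof used)
                    : wrapper_vulnerable(arg, swap_argument, used, sizeof used);
}
```

The vulnerable wrapper approves "/tmp/harmless" but the kernel ends up acting on "/etc/master.passwd"; the hardened one acts on exactly what it checked.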
Any word on whether any of these vulnerabilities affect Linux or other Unixes as well?
I wonder what the performance penalty would be for thunking to kernel space on every such operation? If it was well implemented I would guess it would be minimal, since you could just pass the call off to the called kernel object directly. I also wonder what, if any, security vulnerabilities would be exposed by moving that extra code into kernel space. I know for the TrustedBSD tools it would be minimal due to their strict code checking policies, but for other systems having this much extra code in kernel space might be a risk.
Local exploits are only a phpBB vulnerability from being a remote exploit. If you're running a hosting service, and you're not treating local vulnerabilities as seriously as remote ones, it's only a matter of time before your machine is pwned and becomes a spam zombie. I've seen it happen.
If you allow scripting on your server, then you've essentially given your users shell access, anyway.
What if you can get a user shell by using an exploit in (firefox|x-chat|bind|apache|ftp|ssh|sendmail|ntp|whatever open port)?
Guess you get what you deserve when you put a machine on the internet.
Sure, it is only an unprivileged local user; what could you do with that?
Oh, wait. You could get root if you had a local user using another exploit.
Then choose a better FTP server - it's not OpenBSD's fault you installed pr00tme-ftpd.
I can also publish a root password for my servers on digg. Does that mean it's OpenBSD's fault for that 'exploit' as well?
The purpose of the default install is a configuration that has been audited by _the_ most anal development team on the planet. This is nothing but a good thing, and if people have a problem with Theo's attitude, feel free to fork the codebase.
On my list of the 10 best OSS projects, OpenBSD is in the top 5.
The very fact that the OpenBSD project makes itself such a huge target for would-be hackers is what makes it almost certain that any vulnerabilities will be found and patched. No handwringing is necessary here, though quite a lot of recoding may be involved. We can all look forward to an even more secure OpenBSD very soon. Keep up the good work, everyone!
well-played old chap.......... ;)
This race bug was known for ages. It's even hinted in the man page. Stop the FUD.
It would be nice if the parent comment (or a link to it) was placed in the article summary. The sudo application and the above comment dismissing concern over current releases is probably important enough to warrant this.
:)
Thanks
umeboshi (not logged in)
Let's be reasonable about this for a moment.
Once someone has the power to execute arbitrary code on your system, then it is arguably only a matter of time before they can do what they please on it. Which is precisely why you don't use the same OpenBSD box for your firewall as you do for giving users a shell account on a Unix box.