Recent OpenBSD 2.8/2.9 Exploit - stephanie patched kernels unaffected

From: James Babiak (jfbabiakat_private)
Date: Thu Jun 21 2001 - 04:40:26 PDT

    In testing the recent obsd exploit by Georgi Guninski out, I have found out
    that my OpenBSD 2.8 box was not vulnerable. I have come to the conclusion
    that those boxes with the stephanie kernel patches by Mike Schiffman and doe
    are not vulnerable to this exploit, at least without modifying the exploit
    itself. My box has extremely anally granular file access control, however I
    ran this exploit using my account with full permissions, and I was in the
    tpe_adm group. I imagine that the symlink restrictions prevent the exploit
    from working.
    
    Workarounds:
    From what I read, the stephanie patches do not have hard link restrictions.
    However, on my box /tmp is its own partition (duh), therefore not allowing
    me to do a cross-device link. I don't have any obsd boxes without /tmp on
    its own partition to test this out, but it may be a workaround or at least a
    place to start.
    
    Re-write the exploit to not use the /tmp symlinks.
    
    I'm also sure there is some way to circumvent the symlink restrictions in
    place.
    
    In any case, I am working on a way around this, but at least with those
    patches in place, the exploit is "script-kiddie-proof." In other words, even
    Jeff King with his elite EXPN warez couldn't exploit it.
    
    For those not familiar with the Stephanie patch, you can read more about it
    and download it at:
    http://www.packetfactory.net/Projects/Stephanie/
    
    Congrats to route and doe for coming up with a patch to a hole not yet
    discovered =].
    
    -james
    
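The post's mitigation rests on one filesystem fact: a hard link cannot cross filesystems, so a /tmp that is its own partition refuses links to files living on the root filesystem. The following audit script is an added example for administrators checking their own hosts; it is not part of the original post and not Stephanie's code. It uses only POSIX `df -P`, `mktemp` and `ln`, so it runs unchanged on OpenBSD and Linux; the function names and the `lnchk.XXXXXX` template are assumptions of this example.

```shell
#!/bin/sh
# Added defensive audit (not from the original post): report whether a
# directory such as /tmp is a separate filesystem from another path, which
# is exactly the condition under which a hard link between them fails with
# EXDEV (cross-device link).

fs_of() {
    # Print the filesystem (device) that backs the given path, via POSIX df -P.
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

same_filesystem() {
    # Exit 0 when both paths live on the same filesystem, 1 otherwise.
    [ "$(fs_of "$1")" = "$(fs_of "$2")" ]
}

link_probe() {
    # Empirical check: create a file under SRC_DIR and try to hard-link it
    # into DST_DIR.  Exit 0 if the link succeeds, 1 if the kernel refuses it.
    # Both temporary directories are removed again before returning.
    src_dir=$(mktemp -d "$1/lnchk.XXXXXX") || return 2
    dst_dir=$(mktemp -d "$2/lnchk.XXXXXX") || { rmdir "$src_dir"; return 2; }
    : > "$src_dir/probe"
    if ln "$src_dir/probe" "$dst_dir/probe" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$src_dir" "$dst_dir"
    return $rc
}

audit_tmp() {
    # Summarise the /tmp situation the way the post reasons about it.
    if same_filesystem /tmp /; then
        echo "/tmp shares a filesystem with /: hard links from /tmp to system files are possible"
        return 1
    fi
    echo "/tmp is its own filesystem: links from /tmp to files on / fail with EXDEV"
    return 0
}

# Usage when run directly:  sh audit_tmp.sh
[ "${0##*/}" = "audit_tmp.sh" ] && audit_tmp
```

`audit_tmp` answers the question the post leaves open for boxes without a separate /tmp; `link_probe /tmp /var/tmp` (or any two writable directories) gives the same answer empirically, which is useful on systems where `df` output is confusing, such as bind mounts or union filesystems.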
    This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 12:22:12 PDT