Bugtraq mailing list archives
OpenBSD remote root
From: Typo Princep <typo () SCENE AT>
Date: Mon, 18 Dec 2000 06:26:17 +0100
Hi, I'll have to clarify a few things before pointing you to the warez.

On 12/04/2000 02:52:48 Kristian Vlaardingerbroek sent a mail ( http://www.geocrawler.com/archives/3/254/2000/12/50 ) to the openbsd bugs mailing list with the descriptive subject:

Remote hole in ftpd that can lead to root compromise

In that mail, he first pointed out that "your 3 years of remote safeness have just ended", and then provided technical information for fixing a serious ftpd bug. But he made a minor error that made the fix ineffective. He also said that he knows of a private exploit for this vulnerability, and in another mail pointed out that Scrippie was the one who found the bug.

The first reply that came was a short one: "ftpd is not enabled in the default install since 2.6." That sales pitch stuff is a weird thing to worry about when in fact all OpenBSD installs since at least 2.4 (ok, only those with open ftp, enabled MKD and writable incoming) are susceptible to this bug, which allows remote root compromise. (NetBSD probably vuln too, FreeBSD not, linux/x86 not because of 4-byte alignment of memory)

Some of the later replies corrected the technical error Kristian made, and provided a cleaner fix.

Next we have evidence that a wargame's openbsd 2.6 server has been rooted on December 6th, leaving clear traces of the exploit's nature in utmp and other logfiles. (been cleaned in the meanwhile) December 6th... that was just 2 days after the initial bug report, and the exploit used seems to be a rewrite of the one Kristian referred to.

Now the funny thing is that 2 weeks have passed since the initial bug report to the openbsd bugs mailing list, and NetBSD in the meanwhile seems to have put OpenBSD's bugfix into cvs. But no one has made the userbase aware of the security problems, nor has any further discussion taken place on obsd-bugs. That, coupled with the claim that OpenBSD doesn't take a security through obscurity approach, but a serious one, makes me fairly suspicious.

I think the 'Security through Obscurity' dogma either is misused or plain wrong, because I feel a lot safer on a Linux system with some patches and replacement daemons that, according to popular opinion, provide no security but just obscurity. I'm talking about kernel, glibc, gcc, ... patches that do things like change the memory layout, remove %n format support from libc, or make certain memory regions non-executable, and well designed mini daemons to handle simple protocols like auth, http, ftp and pop3.

So to counter this trend in the security community, and because a leak was inevitable anyway, caddis and I decided to release his oftpd exploit. I think this may be a good way to prove that depending on a central authority to protect you from all security problems is a bad idea. (instead try to make your system more obscure and you'll probably survive the next 0day sploit)..

The exploit is available from http://teso.scene.at/. And a patch for ftpd is available from the obsd bugs mailing list archive at geocrawler: http://www.geocrawler.com/archives/3/254/2000/12/50/4767599/

Regards,
typo
Current thread:
- OpenBSD remote root Typo Princep (Dec 18)
- Re: OpenBSD remote root joshua stein (Dec 19)
- Re: OpenBSD remote root Emre (Dec 19)
- Re: OpenBSD remote root Dan Harkless (Dec 20)
- Re: OpenBSD remote root Jose Nazario (Dec 20)
- Re: OpenBSD remote root Dan Harkless (Dec 21)
- listing of vendor's security-announcement lists Matt Power (Dec 22)
- Re: OpenBSD remote root Dan Harkless (Dec 20)
- Re: OpenBSD remote root David Damerell (Dec 20)
- <Possible follow-ups>
- Re: OpenBSD remote root Theo de Raadt (Dec 21)