Information Security News mailing list archives

OpenBSD plugs a rare security leak


From: William Knowles <wk () C4I ORG>
Date: Fri, 6 Oct 2000 21:32:42 -0500

http://www.upside.com/Open_Season/39dceffe0.html

By Sam Williams
October 06, 2000 12:00 AM PT

For most open source projects, news of an overlooked security hole is
simply part of the debugging process. But for the developers of
OpenBSD, an operating system whose design motto is "secure by
default," it's nothing short of an affront.

Back in June, when a "malicious character string" vulnerability was
discovered in an open source IRC (Internet Relay Chat) client, OpenBSD
developers opted for the blitzkrieg approach and were already
performing a full, pre-emptive source tree audit before crackers had
time to figure out ways to exploit the vulnerability.

"We fixed dozens, if not over a hundred, format string
vulnerabilities," says Aaron Campbell, an OpenBSD developer. "At the
time, no exploits for format string problems were available. It was
easy to crash programs, but methods for gaining elevated privileges
were not publicly known and at the time it was largely theoretical."

Finding the holes

Despite the effort, crackers still found a way to break into a system.
On Tuesday, the friend of an OpenBSD developer had his OpenBSD 2.7
machine compromised by an exploit of the operating system's "chpass"
utility -- a Unix tool that lets users edit database information
associated with their account. Somebody had gained root access, the
Unix equivalent of system administrator-level control.

With little information to go on, developers such as Campbell went
back and looked at the old format string problem.

"I went trawling through source code, trying to figure out how they
did it," says Campbell, who posted an advisory on the chpass hack to
an OpenBSD security mailing list on Tuesday. "I found a format string
bug fixed by another OpenBSD developer, Todd Miller, during the
initial audit. It was in a library used by chpass. After some
investigation I actually got confirmation from the exploit author, who
later posted his code to Bugtraq [a security watchdog mailing list],
that I indeed had found the bug he was exploiting."

Although the exploit did little to tarnish the OpenBSD reputation,
Campbell says it underscored the resource limitations of the small
OpenBSD team. Even with a full source code audit, developers still
found it impossible to anticipate every conceivable exploit.

"In fact," says Campbell, "for the size of the team, if we spent all
our time figuring out if one little bug is really exploitable or not
we'd never get anything else done."

An early warning system

Theo DeRaadt, lead developer on the project, agrees. With fewer
programmers and fewer users than other open source operating systems,
the OpenBSD team made the strategic decision to rely on users'
already-heightened sense of security awareness and use it as an early
warning system.

"Are we surprised? No," says DeRaadt. "Should we have spent time
checking each for exploitability? No, that's not the role we can play.
And we cannot release a patch for 800 bugs, which may or may not be
exploitable. We'd look like jerks."

Campbell says Tuesday's scare reaffirmed his faith in aggressive
audits. Even though the bug was not known to be exploitable during the
original summer audit, the fact that they identified and fixed it gave
them a chance to seek out similar bugs, shoring up future versions of
OpenBSD.

"When a new class of software glitch is identified, we take that
information and use it to fix similar bugs across the entire source
tree. While doing this, almost invariably other non-related problems
are noticed," says Campbell. "This is the process Theo has pushed from
day one, and it's the process that has produced the high quality
software that OpenBSD prides itself in today."
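The bug class the article describes is the classic one: a user-controlled string handed to a printf-family function as its format argument instead of as data. The tree-wide fix Campbell describes is mechanical once you know what to look for. The following is an added example, not code from the article, from OpenBSD, or from the chpass fix: a small, hypothetical line-level checker (`flags_format_misuse`, `audit_lines`, and the `FMT_FUNCS` table are all names chosen here) that flags calls where the format argument is not a string literal, run over a few constructed source lines that show each misuse beside its corrected form.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical audit table (added example, not OpenBSD code): printf-style
 * functions to check and the 0-based position of the argument that must
 * be a string literal. */
struct fmt_func {
    const char *name;
    int fmt_arg;
};

static const struct fmt_func FMT_FUNCS[] = {
    { "printf",   0 }, { "fprintf",  1 }, { "sprintf",  1 },
    { "snprintf", 2 }, { "syslog",   1 }, { "warn",     0 },
    { "warnx",    0 }, { "err",      1 }, { "errx",     1 },
};

static const char *skip_ws(const char *p) {
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/* Return 1 if argument number `want` of the call whose argument list
 * starts at `args` (just past the opening paren) is not a string literal.
 * Commas inside nested parens and inside string literals are ignored. */
static int format_arg_is_not_literal(const char *args, int want) {
    int depth = 0, idx = 0;
    const char *p = args;
    const char *start = skip_ws(args);
    for (; *p; p++) {
        if (*p == '"') {                /* skip a string literal, honouring escapes */
            p++;
            while (*p && *p != '"') { if (*p == '\\' && p[1]) p++; p++; }
            if (!*p) break;
            continue;
        }
        if (*p == '(') depth++;
        else if (*p == ')') {
            if (depth == 0) break;      /* end of this call's argument list */
            depth--;
        } else if (*p == ',' && depth == 0) {
            if (idx == want) break;
            idx++;
            start = skip_ws(p + 1);
        }
    }
    if (idx != want) return 0;          /* fewer args than expected: not this bug */
    return *start != '"';
}

/* Return 1 if `line` contains a call to one of FMT_FUNCS whose format
 * argument is not a string literal, else 0. Line-level heuristic only:
 * it does not see multi-line calls, macros, or commented-out code. */
int flags_format_misuse(const char *line) {
    size_t i;
    for (i = 0; i < sizeof FMT_FUNCS / sizeof FMT_FUNCS[0]; i++) {
        const char *name = FMT_FUNCS[i].name;
        size_t len = strlen(name);
        const char *p = line;
        while ((p = strstr(p, name)) != NULL) {
            /* require an identifier boundary before the name and '(' after it,
             * so "printf" does not match inside "fprintf" or "printf_count" */
            int boundary = (p == line) ||
                           !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            const char *after = skip_ws(p + len);
            if (boundary && *after == '(' &&
                format_arg_is_not_literal(after + 1, FMT_FUNCS[i].fmt_arg))
                return 1;
            p += len;
        }
    }
    return 0;
}

/* Count flagged lines in a constructed "source tree". */
size_t audit_lines(const char *const *lines, size_t n) {
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        if (flags_format_misuse(lines[i])) {
            printf("line %zu: %s\n", i + 1, lines[i]);
            hits++;
        }
    return hits;
}

/* Constructed sample lines, not real OpenBSD or chpass source. Each
 * flagged line is followed by its corrected form. */
static const char *const SAMPLE_TREE[] = {
    "void pw_error(const char *msg) {",
    "    warnx(msg);                      /* flagged: user string used as format */",
    "    warnx(\"%s\", msg);               /* fixed: string passed as data */",
    "    syslog(LOG_ERR, msg);            /* flagged */",
    "    syslog(LOG_ERR, \"%s\", msg);      /* fixed */",
    "    snprintf(buf, sizeof(buf), msg); /* flagged */",
    "    snprintf(buf, sizeof(buf), \"%s\", msg);",
    "}",
};
#define SAMPLE_TREE_LEN (sizeof SAMPLE_TREE / sizeof SAMPLE_TREE[0])

int main(void) {
    size_t hits = audit_lines(SAMPLE_TREE, SAMPLE_TREE_LEN);
    printf("%zu suspicious format call(s)\n", hits);   /* prints 3 */
    return 0;
}
```

The checker is deliberately a heuristic in the spirit of a grep-driven audit: it will miss a format string that arrives through a variable initialised from a literal, and it will flag commented-out code. A compiler's format-checking warnings (GCC's `-Wformat` family) cover the same pattern more thoroughly in a real build.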


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
