Information Security News mailing list archives
OpenBSD plugs a rare security leak
From: William Knowles <wk () C4I ORG>
Date: Fri, 6 Oct 2000 21:32:42 -0500
http://www.upside.com/Open_Season/39dceffe0.html

By Sam Williams
October 06, 2000 12:00 AM PT

For most open source projects, news of an overlooked security hole is simply part of the debugging process. But for the developers of OpenBSD, an operating system whose design motto is "secure by default," it's nothing short of an affront.

Back in June, when a "malicious character string" vulnerability was discovered in an open source IRC (Internet Relay Chat) client, OpenBSD developers opted for the blitzkrieg approach and were already performing a full, pre-emptive source tree audit before crackers had time to figure out ways to exploit the vulnerability.

"We fixed dozens if not over a hundred format string vulnerabilities," says Aaron Campbell, an OpenBSD developer. "At the time, no exploits for format string problems were available. It was easy to crash programs, but methods for gaining elevated privileges were not publicly known, and at the time it was largely theoretical."

Finding the holes

Despite the effort, crackers still found a way to break into a system. Tuesday, the friend of an OpenBSD developer had his OpenBSD 2.7 machine compromised by an exploit of the operating system's "chpass" utility -- a Unix tool that lets users edit database information associated with their account. Somebody had gained root access, the Unix equivalent of system administrator-level control.

With little information to go on, developers such as Campbell went back and looked at the old format string problem.

"I went trawling through source code, trying to figure out how they did it," says Campbell, who posted an advisory on the chpass hack to an OpenBSD security mailing list on Tuesday. "I found a format string bug fixed by another OpenBSD developer, Todd Miller, during the initial audit. It was in a library used by chpass. After some investigation I actually got confirmation from the exploit author, who later posted his code to Bugtraq [a security watchdog mailing list], that I indeed had found the bug he was exploiting."

Although the exploit did little to tarnish the OpenBSD reputation, Campbell says it underscored the resource limitations of the small OpenBSD team. Even with a full source code audit, developers still found it impossible to anticipate every conceivable exploit.

"In fact," says Campbell, "for the size of the team, if we spent all our time figuring out if one little bug is really exploitable or not, we'd never get anything else done."

An early warning system

Theo DeRaadt, lead developer on the project, agrees. With fewer programmers and fewer users than other open source operating systems, the OpenBSD team made the strategic decision to rely on users' already-heightened sense of security awareness and use it as an early warning system.

"Are we surprised? No," says DeRaadt. "Should we have spent time checking each for exploitability? No, that's not the role we can play. And we cannot release a patch for 800 bugs, which may or may not be exploitable. We'd look like jerks."

Campbell says Tuesday's scare reaffirmed his faith in aggressive audits. Even though the bug was not known to be exploitable during the original summer audit, the fact that they identified and fixed it gave them a chance to seek out similar bugs, shoring up future versions of OpenBSD.

"When a new class of software glitch is identified, we take that information and use it to fix similar bugs across the entire source tree. While doing this, almost invariably other non-related problems are noticed," says Campbell. "This is the process Theo has pushed from day one, and it's the process that has produced the high quality software that OpenBSD prides itself on today."
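The tree-wide sweep for one bug class that Campbell describes, as an added example (not OpenBSD's own audit tooling or source): a small Python scanner that flags printf-family calls whose format argument is not a string literal, which is the pattern behind a format string bug, run over constructed C fragments in the style of a chpass-like tool. The function list and sample code are assumptions for this illustration.

```python
import re

# printf-style functions mapped to the 0-based index of their format argument
# (constructed list; a real sweep would add the tree's own logging wrappers).
FORMAT_FUNCS = {"printf": 0, "vprintf": 0, "warn": 0, "warnx": 0, "fprintf": 1,
                "sprintf": 1, "syslog": 1, "err": 1, "errx": 1, "snprintf": 2}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\(")
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[(),]|[^"(),]+')  # literals, parens, commas, rest

# Constructed C fragments in the style of a chpass-like tool (not OpenBSD source).
SAMPLE = '''\
syslog(LOG_ERR, "login from %s", host);   /* literal format: fine */
syslog(LOG_ERR, msg);                     /* caller data used as the format */
printf(buf);                              /* same bug, simplest form */
fprintf(stderr, "%s\\n", gecos);          /* fixed form: data passed via %s */
warnx(gecos);                             /* bug in a BSD warn-family call */
snprintf(out, sizeof(out), fmt, a, b);    /* variable format: needs review */
err(1, "cannot open %s", path);           /* fine */
'''

def split_call_args(text, start):
    """Split the call opened by the '(' at text[start] into top-level args;
    string literals and nested parentheses stay intact. None if unclosed."""
    args, cur, depth = [], "", 0
    for tok in TOKEN_RE.findall(text[start:]):
        if tok == "(":
            depth += 1
            cur += tok if depth > 1 else ""     # outermost '(' is not part of an arg
        elif tok == ")":
            depth -= 1
            if depth == 0:
                return args + [cur.strip()]
            cur += tok
        elif tok == "," and depth == 1:         # top-level comma ends an argument
            args.append(cur.strip())
            cur = ""
        else:
            cur += tok
    return None

def audit_source(src):
    """Return (line_no, func, format_arg) for calls whose format argument is not a literal."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args, idx = split_call_args(line, m.end() - 1), FORMAT_FUNCS[m.group(1)]
            if args is not None and len(args) > idx and not args[idx].startswith('"'):
                findings.append((n, m.group(1), args[idx]))
    return findings
```

Each finding is a candidate for the literal-format fix shown on the fprintf line; a variable format such as `fmt` may be legitimate and needs a human to confirm that no caller-controlled data can reach it.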
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

ISN is hosted by SecurityFocus.com