> Your code does:
> if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) {
> How on earth is this going to work against privilege separation ? In each
> sane setup, a server process is chrooted to a directory with no writable
> directories.

Do you have any idea how many of those chrooted processes have temporary directories in their chroot environment? Many of the so-called priv separated processes use temporary files, thus having writable directories in their chroot jail. You might have heard of the concept called system call/API proxying: you can upload the ibcs2own binary and simulate this exploit as if you ran it from a shell. Not rocket science, since it is simple and straightforward ...

> Being not a diehard obsd fan, I must notice that 3.4 kernel is built with
> stack smashing protection, which reduces this hole to pure local DoS only. Can
> you name any other OS which has any prevention against kernel buffer overflow ?

I can name OSes which do not have these kinds of hopeless, amateur bugs. Just a reminder that ProPolice protects against stack smashing, not heap smashing, so it would be a joke to claim "prevention against kernel buffer overflow" because it simply does not. There are tons of kmem allocator overflows in OpenBSD, go figure ;-) ...

regards,
- noir

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
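As an added example (not code from the thread or from noir), this is the check a defender would run against the point made above about writable directories inside a chroot: walk a jail tree and report every directory that a given service uid and group set could create files in. The sample jail layout, the hypothetical service uid, and the function names are constructed for the example.

```python
"""Audit a chroot tree for directories an unprivileged service account could
write to. Added example, not code from the Full-Disclosure thread: the thread's
point is that many "privilege separated" daemons keep a writable tmp directory
inside their jail, which is exactly what this walk reports."""
import os
import stat
import tempfile


def dir_writable_by(st, uid, gids):
    """Return True if a directory with stat result `st` can have entries
    created in it by a process running as `uid` with group set `gids`
    (POSIX mode bits only; ACLs are not considered)."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:                        # world-writable (e.g. tmp 1777)
        return True
    if mode & stat.S_IWGRP and st.st_gid in gids:  # group-writable, one of our groups
        return True
    if mode & stat.S_IWUSR and st.st_uid == uid:   # owned by the service uid itself
        return True
    return False


def find_writable_dirs(root, uid, gids):
    """Walk `root` (the jail) and return jail-relative paths of directories
    writable by uid/gids, sorted. Symlinks are not followed, so a link that
    points outside the jail is not mistaken for a writable location inside it."""
    found = []
    for dirpath, _dirnames, _files in os.walk(root, followlinks=False):
        st = os.lstat(dirpath)
        if dir_writable_by(st, uid, gids):
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def build_sample_jail(base):
    """Constructed sample jail: a read-only etc/, a world-writable tmp/ and a
    group-writable var/run/, the kind of layout the thread describes."""
    jail = os.path.join(base, "jail")
    layout = {
        "etc": 0o755,
        "tmp": 0o1777,
        "var": 0o755,
        "var/run": 0o775,
    }
    os.mkdir(jail)
    os.chmod(jail, 0o755)
    for rel, mode in layout.items():
        path = os.path.join(jail, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask cannot interfere
    return jail


def audit_sample_jail():
    """Build the sample jail in a temp dir and audit it as a hypothetical
    service account (placeholder uid: one above the current uid, so it owns
    nothing in the tree and only mode bits decide the outcome)."""
    service_uid = os.getuid() + 1
    gids = set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as base:
        jail = build_sample_jail(base)
        return find_writable_dirs(jail, service_uid, gids)


if __name__ == "__main__":
    for rel in audit_sample_jail():
        print("writable inside jail:", rel)
```

Run it against a real jail with `find_writable_dirs("/var/empty/chroot", uid, gids)` using the daemon's actual uid and groups; any path it prints is a place where an uploaded binary could land, which is the precondition the reply above relies on.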
