[SECURITY-L] OpenBSD 3.3 -- root may override security level
Security Team - UNICAMP
security em unicamp.br
Seg Set 15 10:29:48 -03 2003
----- Forwarded message from Klaus Steding-Jessen <jessen em nic.br> -----
From: Klaus Steding-Jessen <jessen em nic.br>
Subject: [S] OpenBSD 3.3 -- root may override security level
To: seguranca em pangeia.com.br
Date: Wed, 10 Sep 2003 20:47:59 -0300
To: security-announce em openbsd.org
Subject: OpenBSD 3.3 -- root may override security level
Date: Wed, 10 Sep 2003 17:18:47 -0600
From: "Todd C. Miller" <Todd.Miller em courtesan.com>
[ Please note: this bug affects OpenBSD 3.3 only. Prior versions do
not have runtime-configurable semaphore limits. ]
It is possible for root to raise the value of the seminfo.semmns
and seminfo.semmsl sysctls to values sufficiently high such that
an integer overflow occurs. This can allow root to write to kernel
memory irrespective of the security level. The default security
level on OpenBSD is 1 ("secure mode") which does not allow writing
to /dev/mem and /dev/kmem. It may be possible for a root user
to exploit this bug to reduce the security level itself.
The impact of this bug is quite low for most systems since it is
only useful to an attacker who already has root on the local system
with the expertise to modify the running kernel.
Thanks to blexim for finding this bug and notifying us.
The problem has been fixed in the OpenBSD 3.3-stable branch.
In addition, a patch is available for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/003_sysvsem.patch
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L