Hey,

After posting this, Fozzy sent another message mentioning that he left out some credit. I requested that he fix the advisory and re-send it to the list, but he hasn't gotten back to me fast enough ;). This needs to go out, so here's the correction:

>I realized this credit problem just after sending my post :
>"Three weeks ago, XXXXXXXX from Pine released an advisory..." should be :
>"Three weeks ago, Joost Pol from Pine released an advisory...".

Dave Ahmad
SecurityFocus
www.securityfocus.com

On Thu, 9 May 2002 fozzy@dmpfrance.com wrote:

>
> The following is research material from FozZy from Hackademy and Hackerz
> Voice newspaper (http://www.hackerzvoice.org), and can be distributed
> modified or not if proper credits are given to them. For educational
> purposes only, no warranty of any kind, I may be wrong, this post could
> kill your mail reader, etc.
>
>
> -= OVERVIEW =-
>
> On current OpenBSD systems, any local user (being or not in the wheel
> group) can fill the kernel file descriptors table, leading to a denial of
> service. Because of a flaw in the way the kernel checks closed file
> descriptors 0-2 when running a setuid program, it is possible to combine
> these bugs and earn root access by winning a race condition.
>
>