-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2001.098 -- OpenBSD Security Advisory
               Vulnerability in USER_LDT i386 kernel option
                               5 March 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                kernel
Vendor:                 OpenBSD
Operating System:       OpenBSD
                        BSD
Impact:                 Root Compromise

- --------------------------BEGIN INCLUDED TEXT--------------------

- ----------------------------------------------------------------------------

			OpenBSD Security Advisory

			      March 2, 2001

		Vulnerability in USER_LDT i386 kernel option

- ----------------------------------------------------------------------------

SYNOPSIS

A vulnerability in the USER_LDT i386 kernel option can allow an attacker to
access privileged areas of kernel memory. This could lead to an attacker
executing code with superuser privileges.

This USER_LDT kernel option is not in the OpenBSD kernel by default, and is 
only suggested for use by users running the WINE port. This option is not
documented elsewhere.
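The check that the patch at the bottom of this advisory adds to sys_machdep.c,
rewritten here as a user-space model so the accept/reject decision can be
traced for a few constructed gate descriptors. This is an added example, not
OpenBSD kernel code: the GDT contents, the NGDT value, make_selector() and
check_call_gate() are assumptions made for illustration; the selector bit
layout and the meaning of ISLDT, IDXSEL and SEL_UPL follow the i386
architecture and the macro names used in the patch.

```c
/*
 * User-space model of the call-gate target check that the OpenBSD USER_LDT
 * patch adds to sys_machdep.c.  Added example, not OpenBSD kernel code; the
 * GDT contents and NGDT below are constructed for illustration.
 *
 * i386 selector layout: bits 0-1 = RPL, bit 2 = TI (1 selects the LDT),
 * bits 3-15 = descriptor index.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SEL_KPL   0               /* kernel privilege level (ring 0) */
#define SEL_UPL   3               /* user privilege level (ring 3) */
#define SEL_LDT   4               /* table-indicator bit of a selector */
#define ISLDT(s)  ((s) & SEL_LDT)
#define IDXSEL(s) ((s) >> 3)

/* Constructed model of the fixed part of the GDT: only the DPL matters here. */
#define NGDT 6
static const struct { int dpl; const char *name; } gdt[NGDT] = {
	{ SEL_KPL, "null" },
	{ SEL_KPL, "kernel code" },
	{ SEL_KPL, "kernel data" },
	{ SEL_UPL, "user code" },
	{ SEL_UPL, "user data" },
	{ SEL_KPL, "tss" },
};

/* Build a selector from its three fields (ldt: 0 = GDT, 1 = LDT). */
uint16_t make_selector(unsigned index, int ldt, unsigned rpl)
{
	return (uint16_t)((index << 3) | (ldt ? SEL_LDT : 0) | (rpl & 3));
}

/*
 * Mirror of the patched condition: a present call gate that does not target
 * the LDT must point at a user-DPL segment inside the fixed GDT.
 * Returns 0 when the gate is acceptable, EACCES when the fix rejects it.
 */
int check_call_gate(int present, uint16_t selector)
{
	unsigned idx = IDXSEL(selector);

	if (!present)
		return 0;	/* the fix only examines present gates */
	if (ISLDT(selector))
		return 0;	/* LDT targets are constrained elsewhere to user segments */
	if (idx >= NGDT)
		return EACCES;	/* outside the fixed GDT; also guards gdt[idx] below */
	if (gdt[idx].dpl != SEL_UPL)
		return EACCES;	/* gate would enter a ring-0 segment */
	return 0;
}

int main(void)
{
	/* Constructed gate descriptors to exercise each branch of the check. */
	struct { const char *what; int present; uint16_t sel; } cases[] = {
		{ "gate -> kernel code (GDT 1)",        1, make_selector(1, 0, SEL_KPL) },
		{ "gate -> user code (GDT 3)",          1, make_selector(3, 0, SEL_UPL) },
		{ "gate -> LDT entry 2",                1, make_selector(2, 1, SEL_UPL) },
		{ "gate -> GDT index 9 (>= NGDT)",      1, make_selector(9, 0, SEL_UPL) },
		{ "non-present gate -> kernel code",    0, make_selector(1, 0, SEL_KPL) },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		int r = check_call_gate(cases[i].present, cases[i].sel);
		printf("%-36s selector=0x%04x -> %s\n", cases[i].what,
		       cases[i].sel, r == 0 ? "allowed" : "EACCES");
	}
	return 0;
}
```

The order of the tests matters: the index bound has to be established
before gdt[idx] is read, which is why the patch's condition places the
IDXSEL(...) >= NGDT comparison ahead of the gdt[...] lookup and relies on
the short-circuit behaviour of && and ||.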

- ----------------------------------------------------------------------------

AFFECTED SYSTEMS

OpenBSD/i386 does not use or document the USER_LDT option. Only users of
the WINE port are instructed to enable this option.

A patch for this option was committed to the source tree on January 19, 2001.

- ----------------------------------------------------------------------------

RESOLUTION

If you are using an OpenBSD kernel compiled with "option USER_LDT", apply
the patch supplied at the bottom of this advisory and recompile your
kernel.

Then, apply the fix below to your OpenBSD 2.8 source tree. The patch is also
available at http://www.openbsd.org/errata.html (022).

- ----------------------------------------------------------------------------

CREDITS

This vulnerability was first discovered by Bill Sommerfeld
<sommerfeld@netbsd.org>. A patch was applied to the OpenBSD tree by
Theo de Raadt <deraadt@cvs.openbsd.org>.

- ----------------------------------------------------------------------------

REFERENCES

Security and errata,

	http://www.openbsd.org/security.html
	http://www.openbsd.org/errata.html

- ----------------------------------------------------------------------------

OPENBSD 2.8 PATCH
Apply by doing
	cd /usr/src
	patch -p0 <022_userldt.patch
And then rebuild your kernel.

Index: sys/arch/i386/i386/sys_machdep.c
===================================================================
RCS file: /cvs/src/sys/arch/i386/i386/sys_machdep.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
- --- sys/arch/i386/i386/sys_machdep.c	2000/06/23 02:14:36	1.8
+++ sys/arch/i386/i386/sys_machdep.c	2001/01/19 18:31:30	1.9
@@ -240,6 +240,17 @@
 			break;
 		case SDT_SYS286CGT:
 		case SDT_SYS386CGT:
+			/*
+			 * Only allow call gates targeting a segment
+			 * in the LDT or a user segment in the fixed
+			 * part of the gdt.  Segments in the LDT are
+			 * constrained (below) to be user segments.
+			 */
+			if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&
+			    ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||
+			     (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl !=
+				 SEL_UPL)))
+				return (EACCES);
 			/* Can't replace in use descriptor with gate. */
 			if (n == fsslot || n == gsslot)
 				return (EBUSY);
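Review bot: the new condition starting at `if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&` evaluates `IDXSEL(desc.gd.gd_selector)` three times and depends on the `>= NGDT` test short-circuiting ahead of the `gdt[IDXSEL(desc.gd.gd_selector)]` index; pulling the index into a local (e.g. `int idx = IDXSEL(desc.gd.gd_selector);`) and adding a comment that the bounds test must stay first would make that ordering explicit and the condition easier to audit. The comment also states that segments in the LDT are "constrained (below) to be user segments", but the constraint is not in the visible hunk, so a pointer to where it is enforced would let a reader verify the `ISLDT` branch.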

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOqO4Qih9+71yA2DNAQFPcAQAkn2BwGEsOeavFsnACnHMvYMfupBZHWtm
Vk1fAP2SBdYaInS4ckhPdBMSHsXe+j1qTlYkHh/SYzgr3tilhJUlttOymOYJ8Jw/
Q+xfdLTQhKuTdyfGEcbnFNRJ8anjOSa9e2IOwvmQ4Ry4Z6Wa5fXjrmzExmPY5zwB
dCMxpPOede0=
=JHlE
-----END PGP SIGNATURE-----