-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

                ESB-2001.098 -- OpenBSD Security Advisory
              Vulnerability in USER_LDT i386 kernel option
                              5 March 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                kernel
Vendor:                 OpenBSD
Operating System:       OpenBSD
                        BSD
Impact:                 Root Compromise

- --------------------------BEGIN INCLUDED TEXT--------------------

- ----------------------------------------------------------------------------
OpenBSD Security Advisory

March 2, 2001

Vulnerability in USER_LDT i386 kernel option
- ----------------------------------------------------------------------------

SYNOPSIS

A vulnerability in the USER_LDT i386 kernel option can allow a local
attacker to access privileged areas of kernel memory. The LDT-setting
code in sys/arch/i386/i386/sys_machdep.c did not restrict the target
segment of call-gate descriptors installed by a user process, so a gate
could point at a kernel code segment. This could lead to an attacker
executing code with superuser privileges.

The USER_LDT kernel option is not in the OpenBSD kernel by default, and
is only suggested for use by users running the WINE port. This option is
not documented elsewhere.

- ----------------------------------------------------------------------------

AFFECTED SYSTEMS

OpenBSD/i386 does not use or document the USER_LDT option. Only users of
the WINE port are instructed to enable this option. A patch for this
option was committed to the source tree on January 19, 2001.

- ----------------------------------------------------------------------------

RESOLUTION

If you are using an OpenBSD kernel compiled with "option USER_LDT", apply
the patch supplied at the bottom of this advisory to your OpenBSD 2.8
source tree and recompile your kernel. The patch is also available at
http://www.openbsd.org/errata.html (022).
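To make the new check concrete, the following is an added example written for this page (it is not OpenBSD kernel code) that models, in user-space C, the selector validation the patch at the bottom of this advisory adds for call-gate descriptors. The GDT and LDT contents, the NGDT and NLDT values, and the helper names mksel, gate_target_dpl and check_call_gate are constructed for illustration; the selector bit layout (index<<3 | table-indicator<<2 | RPL) and the privilege-level values are the i386 architectural ones.

```c
/*
 * Added example, not OpenBSD code: a user-space model of the selector check
 * that the 022_userldt patch adds to sys/arch/i386/i386/sys_machdep.c.
 * The GDT/LDT tables, NGDT/NLDT and the helper names are constructed for
 * illustration; the selector layout and privilege levels are the i386 ones.
 */
#include <errno.h>
#include <stdio.h>

#define SEL_KPL 0            /* kernel privilege level (ring 0) */
#define SEL_UPL 3            /* user privilege level (ring 3) */
#define SEL_LDT 0x4          /* table-indicator bit: selector refers to the LDT */
#define NGDT    8            /* size of the constructed fixed GDT */
#define NLDT    8            /* size of the constructed per-process LDT */

#define IDXSEL(sel) (((sel) >> 3) & 0x1fff)   /* descriptor index */
#define ISLDT(sel)  (((sel) & SEL_LDT) != 0)

struct seg_desc {
    int present;
    int dpl;                 /* descriptor privilege level */
};

/* Constructed fixed GDT: slots 1/2 kernel code/data, slots 3/4 user code/data. */
static const struct seg_desc gdt[NGDT] = {
    {0, 0},
    {1, SEL_KPL}, {1, SEL_KPL},
    {1, SEL_UPL}, {1, SEL_UPL},
    {0, 0}, {0, 0}, {0, 0},
};

/* Constructed LDT: every segment is a user-DPL segment, which the patch's
 * comment says the LDT-setting code elsewhere in the file enforces. */
static const struct seg_desc ldt[NLDT] = {
    {0, 0},
    {1, SEL_UPL}, {1, SEL_UPL}, {1, SEL_UPL},
    {0, 0}, {0, 0}, {0, 0}, {0, 0},
};

/* Build a selector from its three fields. */
unsigned mksel(unsigned index, int in_ldt, unsigned rpl)
{
    return (index << 3) | (in_ldt ? SEL_LDT : 0) | (rpl & 3);
}

/*
 * DPL of the code segment a call gate would transfer to, or -1 if the
 * selector names no present segment. A DPL-0 target is exactly what turns
 * a user-installed gate into a ring-0 entry point.
 */
int gate_target_dpl(unsigned selector)
{
    const struct seg_desc *t = ISLDT(selector) ? ldt : gdt;
    unsigned n = ISLDT(selector) ? NLDT : NGDT;
    unsigned i = IDXSEL(selector);

    if (i >= n || !t[i].present)
        return -1;
    return t[i].dpl;
}

/*
 * Mirror of the check the patch adds for SDT_SYS286CGT / SDT_SYS386CGT:
 * a present call gate may only target an LDT selector or a user-DPL segment
 * inside the fixed part of the GDT. Returns 0 (allowed) or EACCES.
 */
int check_call_gate(int present, unsigned selector)
{
    if (present != 0 && !ISLDT(selector) &&
        (IDXSEL(selector) >= NGDT || gdt[IDXSEL(selector)].dpl != SEL_UPL))
        return EACCES;
    return 0;
}

int main(void)
{
    struct { const char *what; int present; unsigned sel; } cases[] = {
        { "gate -> kernel code in GDT",     1, mksel(1, 0, 0) },
        { "gate -> user code in GDT",       1, mksel(3, 0, 3) },
        { "gate -> LDT segment",            1, mksel(2, 1, 3) },
        { "gate -> GDT index beyond NGDT",  1, mksel(20, 0, 0) },
        { "not-present gate -> kernel",     0, mksel(1, 0, 0) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = check_call_gate(cases[i].present, cases[i].sel);
        printf("%-33s target dpl %2d  -> %s\n", cases[i].what,
               gate_target_dpl(cases[i].sel), r == 0 ? "allowed" : "EACCES");
    }
    return 0;
}
```

The first case is the one the advisory is about: a present call gate whose selector names a DPL-0 segment in the GDT, which the unpatched code accepted and the check now refuses with EACCES. Note that the check is skipped for a gate whose present bit is clear; the model reproduces that, since the CPU faults on a not-present gate rather than transferring through it.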
- ----------------------------------------------------------------------------

CREDITS

This vulnerability was first discovered by Bill Sommerfeld
<sommerfeld@netbsd.org>. A patch was applied to the OpenBSD tree by
Theo de Raadt <deraadt@cvs.openbsd.org>.

- ----------------------------------------------------------------------------

REFERENCES

Security and errata, http://www.openbsd.org/security.html
http://www.openbsd.org/errata.html

- ----------------------------------------------------------------------------

OPENBSD 2.8 PATCH

Apply by doing

        cd /usr/src
        patch -p0 <022_userldt.patch

And then rebuild your kernel.

Index: sys/arch/i386/i386/sys_machdep.c
===================================================================
RCS file: /cvs/src/sys/arch/i386/i386/sys_machdep.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
- --- sys/arch/i386/i386/sys_machdep.c 2000/06/23 02:14:36 1.8
+++ sys/arch/i386/i386/sys_machdep.c 2001/01/19 18:31:30 1.9
@@ -240,6 +240,17 @@ break; case SDT_SYS286CGT: case SDT_SYS386CGT: + /* + * Only allow call gates targeting a segment + * in the LDT or a user segment in the fixed + * part of the gdt. Segments in the LDT are + * constrained (below) to be user segments. + */ + if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) && + ((IDXSEL(desc.gd.gd_selector) >= NGDT) || + (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl != + SEL_UPL))) + return (EACCES); /* Can't replace in use descriptor with gate. */ if (n == fsslot || n == gsslot) return (EBUSY); - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. 
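Review bot: the new call-gate check is skipped whenever gd_p == 0, so a not-present gate whose selector names a kernel segment is accepted unchanged; that is only safe if the present bit cannot later be set without passing through this same validation, which the hunk relies on but does not say. A short comment next to `desc.gd.gd_p != 0` explaining why a not-present gate is harmless (the CPU faults on it instead of transferring through it) would spare the next reader that reasoning. The comment's statement that LDT segments are "constrained (below) to be user segments" also points at code outside this hunk; naming the case that enforces it would make the dependency easy to verify.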
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOqO4Qih9+71yA2DNAQFPcAQAkn2BwGEsOeavFsnACnHMvYMfupBZHWtm
Vk1fAP2SBdYaInS4ckhPdBMSHsXe+j1qTlYkHh/SYzgr3tilhJUlttOymOYJ8Jw/
Q+xfdLTQhKuTdyfGEcbnFNRJ8anjOSa9e2IOwvmQ4Ry4Z6Wa5fXjrmzExmPY5zwB
dCMxpPOede0=
=JHlE
-----END PGP SIGNATURE-----