[17541] in bugtraq
ANOTHER OpenBSD security vulnerability!!!!
daemon@ATHENA.MIT.EDU (Chris Cappuccio)
Tue Nov 7 13:21:13 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.21.0011070134120.23632-100000@dqc.org>
Date: Tue, 7 Nov 2000 02:56:37 -0800
Reply-To: Chris Cappuccio <chris@DQC.ORG>
From: Chris Cappuccio <chris@DQC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
- :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet -
| |
| www.dqc.org/~chris |
| |
| Version : Leet advisory #2666 of many |
| Author : LarFoxley[famedork / condemned / ESP / AH / PPTP (soon)] |
| Contributed : All of Team Leet (thanks alot) & UVM |
| Topic : A non-priviledged user may gain physical access to the |
| system, thus exploiting what is known in innner circles as |
| "the five-finger discount" |
| Effected : All Operating Systems which use a computer |
| * OpenBSD, and possibly others |
| Prvt Release : October 1, 1995 |
| Released : November 7, 19100 |
| Credits : www.whitehouse.gov, flash.bellcore.com, www.merit.edu |
| Check Section 1 |
| Vendor status: Raped |
| |
- :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet -
Section 1 [Grits]:
First and foremost, thanks to dictionary.com, without which I would
be totally lost in the world of English spelling and grammar. Thanks
to my mother who bore me. This was a coordinated effort with Team
Leet and The Serious Hackers known as Super Super Good.
I would like to thank RootShellBadddMothers and Team SSH for
rigorously testing on many stupid shell providers who don't know
about the OpenBSD team's secret plans for world domination through
eleet unknown bugs :] (fatcorpse and her great mass testing scripts,
great for analysis: www.freshmeat.net < great site :)
I would like to thank bass of BEER. He started the whole OpenBSD
religion. Keep up the good work.
Special thanks to obecian and his DoS 3.3 System. It has made my
job so easy that I think I should not be paid anymore.
I would also like to thank: NSA, CIA, FBI, Walls Fargo, WTO,
Kettutytt, Satan, Dorkex (h0rze :), ISS, Solar Designer, #blowjob,
#hotsex, #eatshit, #42, #conf, Al Hugher, Alpeh1, communism, the
US Air Force, OJ Simpson, Semtex, Ebola, George W. Bush, Ralph Nader
and Jello Biafra.
Section 2 [Preface]:
Usually, Team Leet keeps our code and research quite private until we
spew our diarrhea all over your computer monitor. But, what really annoys
us, is when a very big figure in the computer security community lies to the
people who make him who he is. The person I speak of is Bob Dobbs. Bob
Dobbs claims that OpenBSD hasn't experienced a local root hole in the default
install for many years. Yet, during his internal audits, he regularly finds
unfaithfulness to the church, and he never notifies the public. I think you
guys are lame. You have demonstrated sins, transgressions, intemperances,
vices, errors, failings, personal faults, indiscretions, lapses, trespasses,
and crimes agsinst man, woman, child, law, nature and god. What worries Team
Leet is that our servers might be hacked. We have found many other
exploitable holes in previous OpenBSD distributions, that have miraculously
been patched and never revealed. Next, there is the "Three years without a
remote hole in the default install." I hope this advisory breaks that
aswell, because, techinically:
* Walk up to the machine
* Turn it off
* Unplug it
* Take it with you
Although we have not confirmed it, we believe this bug is also
exploitable via NFS, RSH, TELNET, and SSH.
Three years without a remote hoe? Strike that.
Section 3 [Background]:
OpenBSD is a vulnerable operating system because it runs on a
computer which can be physically accessed by an intruder. It is
significantly better then the traditional UNIX based OS.
Section 4 [Problem Description]:
There exists a bug in the physical universe which has blatently
slipped passed the seemlessly feeble minded OpenBSD developers and
hackphreak.org members alike. This bug allows for any local user (or remote
user) to steal the entire OpenBSD system, thus rendering it completely
useless. Once the system is stolen, a local user (with access to the
console) may in fact remove the hard disk. The system uses a published
standard, FFS. When one has access to the hard disk, they may use FFS do
most anything: such as reading the disk, and writing to it, not just a DoS
(if you have to read through this you have now more reason to switch to
CP/M).
A very smart attacker will:
* Mount the hard disk
* Read from it
* Use RSH
A layout of the hard disk is given:
* Root filesystem /
* Usr filesystem /usr
* Home filesystem /home
* Root's filesystem /root
* Tmp's filesystem /tmp
* Var's filesystem /var
------------------------------------------------------------------
main()
{
printf("hello, world\n");
/*
* here, we print to the screen
* this is considered a vulnerablilty because we were able to show
* just how much damange can really be done with this unique
* and as-of-yet-unknown method
*/
}
Section 4 [The exploit]:
// PUBLIC RELEASE
//
// openbsd-sucks.c by LarFoxley of Team Leet (#openbsd on efnet) & SSH
//
// This exploit is proof of my love for you
//
// Greets: NSA, CIA, FBI, Walls Fargo, WTO, EHAP, Condoms, caddis[TESO],
// Kettutytt, Satan, Dorkex (h0rze :), ISS, Solar Designer, #blowjob,
// #hotsex, #eatshit, #42, #conf, Al Hugher, Alpeh1, communism, the
// US Air Force, OJ Simpson, Semtex, Ebola, George W. Bush, Ralph
// Nader and Jello Biafra.
//
// PS: The expoit is broke very slightly, so it takes some knowledge ;)
//
// PUBLIC RELEASE * DO NOT DISTRIBUTE
#include <stdyo.h>
#include <streengs.h>
main()
{
prentf("hello, world!!!!!\n");
// Now that we have gained physical access, there is no more need for
// actual code, because we can simply remove the hard disk at this point.
// Also, if you enter the debugger, you can change the user id of the
// process that you are currently using. Imagine that.
}
Section 5 [TO HELL WITH YOU'S]:
J.R. "Bob" Dobbs, and the OpenBSD team
Photographers
Rapists
Anyone who thinks OpenBSD is useful
All of #openbsd on EFNET
All of the people who have violated my sphincter
BoW
Scriptkiddies who don't use my scripts
obecian
Section 6 [Come 1 Come ALL]:
Team Leet invites you to join efnet #openbsd for a great learning
experience. Just join us to teach and learn. But remember, SEXUAL
HARASSMENT = FAT LAWSUIT. www.dqc.org/~chris
Section 7 [Lies]:
I hope this advisory makes you feel warm inside. I know that Windows
NT will always rule my world. I think Bill Gates is a role model for my
children and their grand-children. I like eating pineapples. All OpenBSD
users are paranoid schizophrenics who fall to my knees when they read this
message.
---
Rev. Chris Cappuccio -=- http://www.dqc.org/~chris/
"If you don't turn on to politics, politics will turn on you"
- Ralph Nader