Cambridge Researcher Breaks OpenBSD Systrace

An anonymous reader writes "University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD's Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release."

SELinux and the same ...

[Gopal.V]

James Morris has put up an analysis [livejournal.com] of the same vulnerabilities.

And pushing the system code down into lower echelons of execution (i.e kernel), the way SELinux does it, is a valid fix.

Re:SELinux and the same ...

[afidel]

I wonder what the performance penalty would be for thunking to kernel space would on every such operation would be? If it was well implemented I would guess it would be minimal since you could just pass the call off to the called kernel object directly. I also wonder what if any security vulnerabilities would be exposed by moving that extra code in kernel space. I know for the TrustedBSD tools it would be minimal due to their strict code checking policies, but for other systems having this much extra code in kernel space might be a risk.

Re:

[gwern]

If the message-passing microkernels are any guide, thunking on every kernel call could be very expensive unless you go to great lengths (like L4) to avoid it.

Re:

[Jokkey]

I wonder what the performance penalty would be for thunking to kernel space would on every such operation would be?

What's being discussed here is system call wrapping, and system calls by definition go to kernel space anyway. No extra thunk to kernel space is required.

Re:

[makomk]

Just putting the validation code in the kernel is not, by itself, sufficient - it's important that any arguments are copied from userspace exactly once. If the validation code and the actual syscall code each do their own copy from userspace, this is a potentially exploitable security issue.

Linux?`

[morgan_greywolf]

Any word if any of these vulnerabilities affect Linux or other Unixes as well?

Re:Linux?

[Noryungi]

Yes, M. Watson also attacked equivalent programs (GSWTK) under Linux successfully.

Read his blog post, as some of the techniques described are quite interesting. Too bad we can't read the full paper.

Re:Linux?

[x_MeRLiN_x]

Would you be talking about this [watson.org]?

Re:Linux?

[Hawke]

The presentation covers it pretty well. At least the GSWTK attack.

(It's a straight forward time-of-use vs. time-of-check attack. And we were at least partially aware of it when we wrote GSWTK. The problem is that the original system calls require memory in the processes space, so you can't just copy in the string after you validate it to keep the process from changing it. I wrote some methods for Linux that allocated extra pages in the processes memory space so we could copy in the string, but that just makes the attack harder via obscurity. It doesn't address the fundamental issue at all.)

Since NetBSD seems to be affected as well...

[bomanbot]

are other UNIX-based Operating Systems vulnerable as well? Systrace and especially Sudo are very common in nearly all UNIX-like Systems, so maybe Linux and MacOS X users should also be concerned? And what about Windows, since commercially availabe anti-virus systems are also afflicted? That seems like a very serious vulnerability to me...

I'm not worried

[Gazzonyx]

I'm not worried about a vuln. in sudo; I always log in as root and don't have sudo running :). Remember, Real Programmers log in as root. Take that h4x0rz!

Re:I'm not worried

[eno2001]

You know the old saying... "you get what you stay for". As long as you're logging in as root you will damage your system. It's a known fact. Anyone who logs in as root eventually dostoyevsky's their system. Logging in as root is dangerous. Even using 'su -' is dangerous. 'sudo' provides some level of security and accountability but even that is dangerous. I can't tell you how many times I've seen people type 'sudo bash' and then tool around doing everything as root all the time. The only way to really be safe is to never use any super user abilities whatsoever. The way I've handled it is that any time I run into something that I need root access for, I just give up. So I don't have any new users other than the ones I originally set up when I installed Ubuntu. I also don't have any access to the CD-RW drive built into the system, but that's OK since I'm not an illegal music and software pirate (only pirates use CD-R/CD-RW). I can't use the attached scanner that once worked in Windows 98 but that's OK since there is no need to scan photos or anything in Linux since there are no apps with which to work on them anyway. Whenever the system pops up asking me for the root password I just cancel out and stick with whatever settings the system had. Basically for me, a request for the root password is a threat to the security of my PC, myself and possible the nation or even global security. So in short DO NOT EVER USE root access of ANY kind. It's very dangerous and best left to the experts (bearded and bald scientists in dusty university halls).

Re:

[DrSkwid]

The successor to Unix [bell-labs.com] got rid of root altogether from the OS.

I prefer a boast like "Nothing to escalate" than "Secure by default"

Re:

[nuzak]

> Anyone who logs in as root eventually dostoyevsky's their system.

I'm unfamiliar with Dostoyevsky as a verb. Explain?

> So in short DO NOT EVER USE root access of ANY kind.

I agree. That's why the OS should drop it entirely. Plan9 did. And MLS systems get one thing right: the role that's able to alter security contexts itself has virtually no access to anything else.

But if sudo isn't secure...

[Gazzonyx]

So... how do you patch your system without escalating from a normal user?

Re:I'm not worried

[bl8n8r]

Thank God! A user that finally gets security! Look at those pigs wizzin by...

Re:

[Alsee]

WHAT IN HELL IS THIS THING?
It's called a 'snowball' sir.

-

Re:

[makomk]

Only an experimental feature in a prerelease version of sudo is affected by this vulnerability; normal users of sudo have nothing to worry about.

Re:

[ratboy666]

Given that the vulerability exploited is a system call race, it may be that the "unwrapped" system calls may be exploited as well.

Basically, wrapping the call (supposed to increase security) make the race more exploitable. It is NOT "sudo" that is at fault, specifically, because sudo (in its current release) does not do call wrapping.

There is an easy solution available -- simply disallow all execution between the time the system call is invoked, and all parameters have been copied to system space. Alternati

Re:

[SpaceLifeForm]

Windows equivalent: Shut Down

Re:

[Znork]

Most security applications implemented as system call wrappers would be vulnerable (basically anything where there's an opportunity to modify the checked system call post-check by tricking todays modern and eminently interruptable kernels into doing something else than getting on with executing the syscall for a few cycles), altho I suspect that anyone running sudo as primary security enforcement and logging application isnt exactly worried about this level of fairly arcane exploits (note that more lowlevel

No need for alarm!

[Antarius]

The tremors that you are feeling are from the sounds of the collective users of OpenBSD all simultaneously shouting "Fuck!" in exasperation.

Re:No need for alarm!

[nateb]

The tremors that you are feeling are from the sounds of the collective users of OpenBSD all simultaneously shouting "Fuck!" in exasperation.

All twelve of them. :)

I like the thought of openbsd, though, having never used it. I'm sure everything will be fine.

Re:

[Dan Ost]

OpenBSD is my favorite platform for purpose-built machines. I do appreciate the security, but the main reason I like it is for the quality documentation (especially the man pages!) and the ease of setup.

The majority of my machines run Gentoo, but Gentoo can't really by used as a fire-and-forget platform like OBSD can be.

Re:No need for alarm!

[peacefinder]

All twelve of them. :)

We yell really loud.

(And I actually yelled "Wow!". We're not a homogenous lot.)

Re:

[MysteriousPreacher]

That's 13 now, I just picked up the disks a little while ago.

OpenBSD will never have the popularity or wide range of ports that FreeBSD has but it's a pretty solid system designed with a clear mandate. It's worth installing, even just to see the security decisions that have been taken so you can apply them to another Unix-like system. Like Dan Ost said, the documentation is excellent and the developers and mailing list users have been pretty helpful. The only thing I'm missing is WPA support.

Re:

[aliquis]

What? It takes 10-15 minutes to install and 2 to turn it into a dhcpserver? Check the FAQ.

Re:

[aliquis]

It's quite simple really, you first create a BSD slice, which is what you would call a partition in MS-DOS, then inside that one you put your partitions using disklabel. Partition a is always the root partition, b is always swap, c is the whole BSD slice, d is the whole disk, e-z is whatever you want them to be.

And you could always let it use the whole disk if you want to.

Re:

[aliquis]

The option "use entire disk" only sets it to one slice on the whole disk, you can still partition it in any other way if you want to, but just make no b-partition if that is what you want, or make one first and set a for whatever the rest is.

Re:

[aliquis]

It's been for long, the motherboard started to burn so the machine is dead, it was quite boring anyway :D

(I only posted "intresting stuff" and not diary kind of stuff, but I don't know how useful it where for other people anyway, also I decided to write in swedish instead of english for most stuff.)

All my much older webpages are dead since long.

Re:

[aliquis]

Uhm, no Internet connection? Where do you live?

100/10 here ;/

Re:

[guruevi]

I didn't know they could BOTH shout thatloud.

Re:

[Antarius]

They have big voices?

"Pay no attention to the Pufferfish behind the curtain"

And the most popular response to the halving of the OpenBSD userbase for humorous reasons:

"It's a sign that OpenBSD is a Mature O.S. So mature that the userbase has gone through puberty!"


[Whaddya mean "youdongeddit?" Puberty. You know; when a boys balls drop. The voice gets lower... Aw, forget it.]

why give much of a crap

[rubycodez]

on local user/software exploits? my domains have over a thousand users, but no one logs into an account on the machine.

Re:

[xaxa]

I have SSH access to some machines I have webspace on (with Fasthosts, I think). I think they use GNU/Linux, but presumably there are people offering the same service but with BSD.

Re:why give much of a crap

[Alioth]

Local exploits are only a phpBB vulnerability from being a remote exploit. If you're running a hosting service, and you're not treating local vulnerabilities as seriously as remote ones, it's only a matter of time before your machine is pwned and becomes a spam zombie. I've seen it happen.

If you allow scripting on your server, then you've essentially given your users shell access, anyway.

Re:

[rubycodez]

bullshit, crap code by incompetent programmers causes input data to be executed, the scripting languages all have ways to flag data as tainted suspect and deal with it properly with no possibility of execution (e.g. sql injection attacks, etc.) Piss poor development practices will always lead to security breaches, and that goes for any language not just the scripting ones. The biggest and most damaging attacks have been due to sloppiness in the c/c++ realm (ooo, who would ever give us more data than we ex

Re:

[DrSkwid]

If you sleep at night on the strength of PHP's codebase then you should make sure your phone is turned off to save you being woken by the "we've been rooted" call.

Re:

[edunbar93]

Oh, that's easy. Because when an attacker breaks into someone's CMS (because your users most certainly do not read about security updates on software mailing lists, and there's no way in hell you even know what they're running), suddenly that attacker *does* have a login on that machine. They can now run software as the "httpd" user. This is the reason jail(8) was invented. And what do you know... they found a vulnerability in a certain version of jail.

OpenBSD Security

[pathological liar]

... now if only this would lead to a little ego deflation and humility among OpenBSD developers.

As long as I'm dreaming, I also want a pony.

Re:

[teknopurge]

Parish that thought.

Because of their egos, a fix is likely being commited to CVS as we speak.

Re:

[frenchbedroom]

Parish that thought.

You mean like, put it in a convent [wikipedia.org] or something ? Oh no, I get it, you mean he should build a little chapel in memory of it, right ?

No released version of sudo affected

[millert]

The sudo systrace support is part of an experimental feature ("monitor mode") not present in any of the real sudo releases (though the code is available via anonymous cvs). Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release.

  - todd

Re:

[fimbulvetr]

Hello Todd.

Thanks for sudo, and thanks for this clarification.

Re:

[psmears]

Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release.

That's a shame...

Granted, as the paper shows, it's of no use as a feature for preventing your box from getting pwned. But the it can still be useful: often I'm more worried about the system being brought down by local users with root access, than by external forces. These users can be trusted not to break things deliberately, or overwrite the logs, but not necessarily to remember everything they've recently done when something goes wrong. ("Oh, yeah, I deleted /etc/passwd. Didn't think it was important,

Re:

[epine]

Yes, as per usual, the tribalism reflex on this thread has shut down useful brain circuits in most of the posters. Gorged with tribalistic lust, the average post here seems to be able to consider only the issue of getting pwned, or the paranoid dichotomy between useful and secure, or the purportedly paltry size of the OpenBSD user base, or the irritating slogan at the top of the OpenBSD home page (which hardly negates their contributions to the security ecology since the inception of the project no matter

Code isn't up (thank goodness)

[xC0000005]

It appears he's removed the code from the presentation (though it still says it's present, I don't see it). Good.

Ha Ha

[UnknowingFool]

Sweet justice! My Win98 boxes have finally protected me against a hole. I am invinci*^&#%
$#%#^&&!#$@$

[CONNNECTION LOST]

Brace for impact...

[Mattintosh]

Theo DeRaadt goes on a rampage in 5... 4... 3... 2...

Re:

[Anonymous Coward]

De Raadt doesn't do Rampages, he only does games available via console, like Tetris, Hunt and Hangman.

He also doesn't get upset about problems being found in software, like any sane person, he's more afraid of the problems he's not finding out about.

Re:

[808140]

I agree that it wasn't stealing -- but it was indeed a copyright violation. Ignoring all the hoopla that followed for a moment, we have a situation where a developer uploaded a bunch of GPLd source, did not indicate that it was GPLd source, and, here's the important part, made it publicly available via CVS.

There are two things to consider here, both of which are important. First, from the perspective of a BSD developer: with no indication that the code was GPLd code, and given that it was on a public Ope

Re:

[808140]

That's purely hypothetical. In this specific case there was no chance of that happening. The code was specific to a driver (non functioning at that). Who the hell is going to incorporate bits of that into their own project?

This is kind of like fucking a girl who talks like a virgin without wearing a condom and saying there's no chance you'll get an STD from her. Sure, she looks clean, but how can you really know? You're taking a risk. It may be a calculated risk, but it is a risk nonetheless.

The orig

Re:

[arehnius]

Correct me if I'm wrong, but Robert Watson is a kind of security guru for FreeBSD, isn't he ? From his page :

Robert Watson (FreeBSD Home Page) : I'm a FreeBSD Core Team member, as well as member of the security officer and release engineering teams.

I hope nobody will take it as a plot of FreeBSD to gain/keep lead over other BSDs.

Re:

[mulvane]

The BSD's work pretty closely together and if he did find something in another BSD, it could be very possible he was looking into a feature to port over and doing his own testing of the code before hand found this. Is this what happened? I am not sure, but it is possible. The BSD's are really in a non-compete status with each other and are more in a sharing of knowledge of the forks of the original base.

Re:

[peacefinder]

Robert Watson is apparently [devnull.cz] the fellow who suggested porting systrace to FreeBSD. Seems like he's been working on this for a long time.

"I hope nobody will take it as a plot of FreeBSD to gain/keep lead over other BSDs."

I shouldn't think so. At least for sysjail, this problem affects "All versions [...] on all architectures." It doesn't seem to be an OpenBSD-specific problem, but with many implementations of systrace(4). If FreeBSD has already fixed their systrace, then presumably the other BSDs will be look

"cambrige researcher"...

[diegocgteleline.es]

...and he's also one of the most important FreeBSD hackers.

Article?

[Leafheart]

Site is slashdotted, anyone got a copy of the article?

Re:

[Anonymous Coward]

By the way, what has happened to the slashdot effect? Not so long ago the first thing I did when reading about something on slashdot was finding a coral or google cache link to the actual article on the comments section. Nowadays - and I haven't really even thought about it - the articles usually just work. Are the webservers better now, or has the power of slashdot effect declined?

Or have I just been lucky?

Re:

[Anonymous Coward]

Are the webservers better now, or has the power of slashdot effect declined? Or have I just been lucky?

Yes.

Re:

[jjrockman]

Nah, it's just that nobody RTFA anymore.

Re:

[cp.tar]

By the way, what has happened to the slashdot effect? Not so long ago the first thing I did when reading about something on slashdot was finding a coral or google cache link to the actual article on the comments section. Nowadays - and I haven't really even thought about it - the articles usually just work. Are the webservers better now, or has the power of slashdot effect declined?

Or have I just been lucky?

It is now known as the Slashdot Quantum Paradox.

Previously, the Slashdot Paradox meant that although nobody ever read TFA, the servers were still swarmed and brought down to their knees by the sheer force of discussion.

Nowadays, due to several breakthroughs in quantum science and technology, the Slashdot Quantum Paradox ensures that as long as nobody actually goes to RTFA, the servers stay online. However, should anybody actually go and try to RTFA, the Slashdot Effect would affect it in full.

Since you

problem affects a variety of software

[Anonymous Coward]

This class of problem potentially affects a variety of software. Systrace (which runs on Linux, NetBSD, OpenBSD, Darwin, etc) was given as one example of software that is affected. Even Sun's Dtrace might be vulnerable.

This is exactly why I love OpenBSD!

[amper]

The very fact that the OpenBSD project makes itself such a huge target for would-be hackers is what makes it almost certain that any vulnerabilities will be found and patched. No handwringing is necessary here, though quite a lot of recoding may be involved. We can all look forward to an even more secure OpenBSD very soon. Keep up the good work, everyone!

OpenBSD's man page for systrace mentions this?

[cgdae]

OpenBSD's systrace manpage appears to mention this problem in the BUGS section:

Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement.

Or see http://www.openbsd.org/cgi-bin/man.cgi?query=systr ace&apropos=0&sektion=0&manpath=OpenBSD+Current&ar ch=i386&format=html [openbsd.org]

m0n0wall /pfsense?

[atarione]

hey could someone do me a favor and tell me if m0n0wall or Pfsense ... are vulnerable to this?

OpenBSD record: Good

[widman]

The only meaningful bug they had lately was the IPV6 mbuf. And even that one obviously affected only people using IPv6.

This race bug was known for ages. It's even hinted in the man page. Stop the FUD.

Sysjail is really just one guy

[raddan]

Kristaps Dzonsons. And I'm not sure if he ever really intended for it to be for production use. I saw his talk at NYCBSDCon [nycbsdcon.org] last year, and my impression was "here's a neat tool I'm working on guys, I'm still working out a lot of things, come play if you want". Not that this isn't an important vulnerability to address-- but I'd be surprised if anyone was currently using sysjail in an important production role.

Don't use dev tools as security tools...

[Anti-Trend]

...that's essentially what the presenter is saying. The 'chroot' style jail is essentially a fake system root designed for development purposes, so you can have a little fake clean-room environment in which to build. Later, this concept was adapted for security purposes -- hence systrace, sysjail... What he's suggesting is that this userland approach is easily circumvented, and the best approach would be to use a mandatory access control approach at the kernel level, ala SELinux. To me, it's not so much tha

Undeadly coverage

[zyche]

Coverage on Undeadly [undeadly.org].

To answer some anti-OpenBSD bias from the summary above: systrace is really Niels Provos toy, OpenBSD just includes it in the base install just as NetBSD does; regarding sudo, it has been addressed in a comment above (not vulnerable in the actual released version); and by saying that NetBSD has disabled systrace that implies that OpenBSD has it still enabled. Except that it is a tool that isn't used by the default install at all - you have to enable and configure it yourself. And as the Undeadly post states: Since 2002, the systrace(1) man page included a warning in the BUGS section about the possibility of escaping the policy enforcement because of the behavior of certain system calls..

Personally I have never liked the idea of systrace - leaves way to much to to me as a system administrator to fuck up.

Systrace.org post on this alleged bug

[widman]

http://www.systrace.org/index.php?/archives/14-Eva ding-System-Sandbox-Containment.html [systrace.org]

At WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This impos

Re:

[NeoTerra]

I'm scared when something complex has no patches. Then again I'm more scared when something complex has a LOT of patches.

Re:so much for...

[MrNaz]

Why didn't you just say "I'm scared." ?

Re:

[orclevegam]

Because sometimes I guess the patch level is "just right"?

Re:so much for...

[ArwynH]

And it still only has had two remote holes in the default install in more than 10 years. This isn't a remotely exploitable hole, it allows privilege escalation, which requires access to the system and thus is a local hole. It's still a whopper of a hole though...

Re:

[jimicus]

Let's be reasonable about this for a moment.

Once someone has the power to execute arbitary code on your system, then it is arguably only a matter of time before they can do what they please on it. Which is precisely why you don't use the same OpenBSD box for your firewall as you do for giving users a shell account on a Unix box.

Re:

[teknopurge]

Then choose a better FTP server - it's not OpenBSD's fault you installed pr00tme-ftpd.

I can also publish a root password for my servers on digg. Does that mean it's OpenBSD's fault for that 'exploit' as well?

The purpose of the default install is a configuration that has been audtied by _the_ most anal development team on the planet. This is nothing but a good thing, and if people have a problem with Theo's attitude, feel free to fork the codebase.

On my list of the 10 best OSS projects, OpenBSD is in the t

Re:so much for...

[EvanED]

On my list of the 10 best OSS projects, OpenBSD is in the top 5.

In other words... it's in your list of the 5 best OSS projects.

(sorry)

Re:

[Plutonite]

On my list of the 10 best OSS projects, OpenBSD is in the top 5.

In other words... it's in your list of the 5 best OSS projects.

(sorry)

Mod parent up! In security related topics nitpicking is encouraged. No apology needed.

PS: Can we have the list please? They are always interesting and provide good flamewar material.

Re:

[jpkunst]

On my list of the 10 best OSS projects, OpenBSD is in the top 5.

In other words... it's in your list of the 5 best OSS projects.

(sorry)

In other words ... it's at number 5. (If it was at number 4, he would have said is in the top 4, etc.)

JP

Re:

[teknopurge]

well-played old chap.......... ;)

Re:

[turing_m]

You ruined his build up!

It's not just in the top thousand OSS projects. It's not only in the top hundred. It's not even just in the top ten OSS projects. It's in the TOP FIVE! Not only does it have ls, cat, grep and sed, if you order within the next 5 minutes we'll even throw in openssh free!

Re:

[DrSkwid]

OpenBSD auditing isn't the god of all auditing you think it is.

This is just another piece of audited code that roots you.

Re:

[Hatta]

It's a marketing slogan, of course it's silly. "Only two remote holes in the default install, in more than 10 years!" means about as much as "99 44/100 percent pure."

Re:

[Anonymous Coward]

What if you can get a user shell by using an exploit in (firefox|x-chat|bind|apache|ftp|ssh|sendmail|ntp|w hatever open port)?
Guess you get what you deserve when you put a machine on the internet.

Sure it is only an unprivileged local user, what could you do with that.

Oh, wait. You could get root if you had a local user using an other exploit.

Re:no

[Steve Baker]

Exactly, why would anyone want to put a computer on the internet? That's just stupid!

Re:

[Hatta]

Why? Isn't that what multiuser networked operating systems are for?

Re:

[rubycodez]

actually, no, if you're providing services for untrusted users. the user authenticates to and uses a service, but never to machine account to possibly run code on the machine. Local users ALWAYS can mess up a machine, there's no end to the ways they can do it.

Re:

[shadowmas]

these are exploits for a local user on system, anyone who puts a machine on the internet and lets people log into actual Unix accounts deserves what they get.

Unless of course they did it because they live in the real world and actually practical requirement needing that to be done.

While we're disabling any form of shell access for any reason whatsoever, why not stop all those HTTP servers as well and the SMTP, DNS and all that crap as well. After all anybody who dares expose such a system on the internet when history tells us that there will be new vulnerabilities found in those software is obliviously an idiot.

Re:

[rubycodez]

If someone has need for a local account on a machine or any ability to run arbitrary code you're in the same realm as company hiring employee and trying to verify if they are trustworthy or not. Local user can always cause problems if they so choose. Just like anyone with physical access can cause even more problems.

Re:fix shedules ?

[orclevegam]

as usual I would assume *bsd to put out fixes quite timely...

Well, the fix for now appears to be don't use the vulnerable software, but considering that the vulnerability allows you to break the software such that it behaves as if it wasn't running, I have to wonder if people should use it anyway and just accept that for now anyone that knows how can bypass that particular security check. Also, if it was something simple like a buffer overrun that would be trivial to patch, but because of the way this particular vulnerability functions (concurrency attack) there's not simple solution. Some have suggested pushing the code to kernel space, but as they've also pointed out, that's rather risky in its own regard. Short of some kind of provision in the kernel to prevent the attacks I'm not sure how this could be fixed (although I haven't seen to many details, just that it involves re-writing some args after they've already been scanned by systrace).

Re:fix shedules ?

[TubeSteak]

as usual I would assume *bsd to put out fixes quite timely...

FTFA: All affected vendors received at least six months, and in some cases many years advance notice regarding these vulnerabilities.

Re:

[peacefinder]

"I have to wonder if people should use it anyway and just accept that for now anyone that knows how can bypass that particular security check"

It'll be interesting to see what the tradeoff is: does the system become more vulnerable overall by using the vulnerable software, or less? Has the layer of security it was supposed to add become another exploit path that's worse than what it was supposed to protect against?

My off-the-cuff inexpert guess is that it will still be valuable for some limited situations, b

Re:

[orclevegam]

My off-the-cuff inexpert guess is that it will still be valuable for some limited situations, but that in many cases it'll reduce the overall security of the system. I'm looking forward to hearing more from the various teams involved.

Well, if I'm understanding the exploit properly, and the purpose of systrace, I can see both for and against. It's essentially there to allow an application to run at least privileges unless it wants to access a specific resource, and then to only be promoted for the duration of that request. The alternative to this is to run an application with elevated (normal in the case of most applications, few require root) privileges all the time. Now, depending on how the privilege escalation is implemented, this

Re:Why???

[orclevegam]

Why is everyone so hell bent on BREAKING things? Can't we all just try to get along for an instant?

Because the fastest way to learn about something is to break it. Why do you think physicists spend all that time and money on particle accelerators?

Re:

[ettlz]

Clarification:

Why do you think physicists spend all that time and

other people's

money on particle accelerators?

;) (Well, I'm a theorist, so make of it what you will...)

Re:

[ettlz]

Or CLIC or ILC etc. Well, I ain't complainin', it's a great way to spend government money. And the way I see it, not only does it keep us all in jobs, it's more money that the Illuminati will never be able to use to further immanentise the eschaton.

Re:

[bberens]

The workaround is very complex. Send your IP and root password to pwnd@dodgeit.com and I'll take a look at your system to help make recommendations.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mrsteveman1]

That only works up to the exact number of users who are both able to read code, and understand it, which is a smaller number than the total user count probably by quite a bit.

The advantage is that users are ABLE to find things like security problems if they look, because the source is open. That doesn't guarantee they will find things, but you can see that it is at least possible.