IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Security Forum / Well OpenBSD was never vulnerable. :-)
Post #31,781
by ben_tilly
3/12/02 12:41:28 AM
Reply
New Well OpenBSD was never vulnerable. :-)
The problem is that Linux' malloc implementation doesn't by default protect against people calling free() twice in a row on the same memory. The *BSD family does.

There is a tunable environment variable MALLOC_CHECK_ which can be set in Linux to values from 0-2 to detect simple errors like this and optionally do nothing, report on STDERR, or crash. Set that in obvious global places, update zlib, and restart. That will block *most* of this, and help with several other problems.

In general for statically linked stuff, I would focus on machines and applications which are exposed to the network or files from there. (Like, say, OpenSSH.) As it stands, you can deliver a DoS this way, but exploitability seems somewhat remote. Since local users can do a local DoS fairly easily (unless you have paranoid ulimits set), remote users are the main risk.

And perhaps it would be a good idea to have OpenBSD on any machine directly on the general network? :-)

Cheers,
Ben
"... I couldn't see how anyone could be educated by this self-propagating system in which people pass exams, teach others to pass exams, but nobody knows anything."
--Richard Feynman
Post #31,854
by kmself
Picture of kmself
3/12/02 1:51:32 PM
Reply
New OpenBSD as server
There are a few problems.

First, OpenBSD's update process is limited. While it's improving, and oBSD wasn't vulnerable to this potential exploit, my experience has been that of the three major options (Debian/apt, RedHat/rpm, oBSD), the ease-of-maintenance continuum flows left to right.

Second, OpenBSD lacks SMP support. Uniprocessor only. That's a nonstarter for several of our systems. As an appliance, it's acceptable. As a server, it shows clear failings.

Third, even placing oBSD as a bastion system in front of your servers, you're open to exploits in CGIs or other server-side software, behind the firewall. Security is a process, not a product.

I'm happy with the fact that I am able to update my Debian systems within 24 hours of this alert with no issues. Red Hat I'll have to wrestle with over the course of the day, and OpenBSD I'm glad I don't have to mess with. Given a choice of "secure by default" and "very narrow vulnerability window", I've come to prefer the latter, though a sane-by-default configuration also helps.
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.ix.netcom.com/|[link|http://kmself.ix.netcom.com/|http://kmself.ix.netcom.com/]]
What part of "gestalt" don't you understand?
     zlib advisory - (ben_tilly) - (16) - March 11, 2002, 05:46:41 PM EST
         Re: zlib advisory - a similar link. - (a6l6e6x) - March 11, 2002, 11:25:28 PM EST
         Remedy? - (kmself) - (3) - March 12, 2002, 12:12:38 AM EST
             Erg. - (static) - March 12, 2002, 12:27:49 AM EST
             Well OpenBSD was never vulnerable. :-) - (ben_tilly) - (1) - March 12, 2002, 12:41:28 AM EST
                 OpenBSD as server - (kmself) - March 12, 2002, 01:51:32 PM EST
         Re: zlib advisory - (pwhysall) - (1) - March 12, 2002, 02:29:24 AM EST
             Re: zlib and up2date - (a6l6e6x) - March 12, 2002, 02:29:21 PM EST
         Microsoft vulnerable too - uses zlib code - (admin) - (2) - March 14, 2002, 10:07:28 PM EST
             Risk: adopting FS code without adopting FS practices - (kmself) - (1) - March 15, 2002, 01:45:18 AM EST
                 But note that MS doesn't update the build #'s - (tonytib) - March 15, 2002, 09:37:37 PM EST
         I'm confused about the entire thing - (wharris2) - (5) - March 14, 2002, 11:08:50 PM EST
             DoS is an attack - (ben_tilly) - (4) - March 14, 2002, 11:38:03 PM EST
                 Re: DoS is an attack - (wharris2) - (3) - March 15, 2002, 12:08:18 AM EST
                     Then I suggest... - (Yendor) - (1) - March 15, 2002, 09:56:32 AM EST
                         I've run into double-free problems before - (wharris2) - March 16, 2002, 10:05:44 AM EST
                     It's a known class of exploit... - (kmself) - March 15, 2002, 02:12:46 PM EST

I don't want to write it, and you don't want to see it.
44 ms