From owner-freebsd-security Sun Aug 10 04:06:52 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA16551 for security-outgoing; Sun, 10 Aug 1997 04:06:52 -0700 (PDT)
Received: from shell.firehouse.net (brian@shell.firehouse.net [209.42.203.45]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA16542 for ; Sun, 10 Aug 1997 04:06:46 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id HAA18648; Sun, 10 Aug 1997 07:04:44 -0400 (EDT)
Date: Sun, 10 Aug 1997 07:04:44 -0400 (EDT)
From: Brian Mitchell
To: Philippe Regnauld
cc: freebsd-security@FreeBSD.ORG
Subject: Re: procfs hole
In-Reply-To: <19970810123747.52460@deepo.prosa.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 10 Aug 1997, Philippe Regnauld wrote:

> Philippe Regnauld writes:
>
> > Has anyone tried with 2.2.2 ?
>
> Finally got hold of a 2.2.2 box: it works too :-(

The exploit, as written, does not work on OpenBSD. You need a whole new
signature in OpenBSD to even locate the setuid() stub (syscalls are done
via an interrupt in OpenBSD, not an lcall as in FreeBSD). Add to that the
fact that OpenBSD lacks a map proc entry, and it makes things annoying at
best.