The 'Security Digest' Archives (TM)


ARCHIVE: Core 'Security Digest' - Archives (1990 - 1991)
DOCUMENT: Core 'Security Digest' V1 #7 1990-12-15 (1 file, 4388 bytes)
SOURCE: http://securitydigest.org/exec/display?f=core/archive/107.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.


Date: Sat Dec 15 16:35:49 PST 1990
Subject: Core Security Digest V1 #7

Core Security Digest Volume 1 Issue 7

subject(s):

            truly awful hole in Microport Unix

The unix core security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSIBLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.

PLEASE POST TO:                              core@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO:   core-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO:             core-request@uninet.cpd.com


------------------------------------------------------------------------

Date: 11 Dec 90 02:02:29 EST (Tue)
From: bill@twwells.com (T. William Wells)
Subject: truly awful hole in Microport Unix

While mousing around in my kernel a month or so ago, I discovered
a means whereby any user can execute '386 I/O instructions in
Microport Unix 3.0e. This bug may well apply to other versions of
Microport's Unix; it probably does not apply to any other Unix.

The bug is as follows: the /dev/mem driver was given an ioctl to
do I/O instructions. (Examination of the source suggests that this
was done by Microport.) Unfortunately, in the modification, no
check on the minor device number is made. Since /dev/null uses
the same driver, ioctls on /dev/null can also do I/O instructions.

To make use of the bug, one constructs a program to open
/dev/null and do ioctls. This does not require access to a
compiler; shell access and any of a number of tools are
sufficient. Taking advantage of this bug permits any number of
security problems; easiest is to crash the system. A clever hacker
can almost certainly arrange to get a uid 0 process with it.
(Think about DMA'ing a zero into just the right byte of the
process table.)

This is a kernel bug and there is no easy work-around for binary-
only sites. The following should eliminate the bug, with some side
effects:

	adb -w /unix
	mmioctl?W0c3

*All* memory driver ioctls will be ignored with this patch.
Programs that use the memory driver to do I/O instructions will
fail. Also, there is reboot code in there which has been
superseded by the uadmin system call; I don't think anything uses
that. The biggest problem is that this same ioctl is used for the
limited runtime control; I have no idea whether your system will
boot with this patch; /etc/init may well have a hissy fit when it
tries to do those ioctls. Since my system is heavily modified,
and its /etc/init no longer uses this ioctl, I don't know what
effect it will have. Someone else will have to check this out.
There would have to be separate checks for the unlimited runtime
and the two-user runtime.

If you have source code, add

	if (minor(dev) == 2) {		/* minor 2 is /dev/null: refuse its ioctls */
		u.u_error = ENXIO;
		return;
	}

to the top of mmioctl in mem.c. This will eliminate the bug.

If you are feeling trusting and brave, you can use the code I've
enclosed below. These are replacements for the mem.o file in
/usr/atconf/mem, from the source code for Microport Unix
SysV/3.0e. There are two mem.o files: one for the 2 user kernel
and one for the unlimited user kernel; I've used uuencode to ship
them. Warning: my system is sufficiently hacked that the original
mem drivers won't work in it, thus I could not test these. If you
do use them, please test that the bug exists on your system and
that these fix it; then let me (or the list) know.

[ Please let the list know, I have no way of testing this - neil ]

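The bug class described in the post, as an added C simulation that is not code from the post or from Microport: one ioctl entry point shared by several minor devices, first dispatching on the command alone, then with the minor-number check placed before any command is examined. The minor numbers other than 2 (/dev/null) and the ioctl command codes are assumed for the simulation; the port accesses are stubbed out and only counted.

```c
#include <errno.h>
#include <stdbool.h>

/* Minor numbers for the simulated driver: the post states only that minor 2
 * is /dev/null; the /dev/mem and /dev/kmem values are assumed here. */
enum { MINOR_MEM = 0, MINOR_KMEM = 1, MINOR_NULL = 2 };
/* Ioctl command codes are likewise assumed for the simulation. */
enum { MMIO_INB = 1, MMIO_OUTB = 2 };

struct ioreq { unsigned short port; unsigned char value; };

/* Stand-in for the hardware access: counts how many port operations the
 * handler actually let through, so a test can see what each shape permits. */
static int io_ops_done;
int io_ops_count(void) { return io_ops_done; }
void io_ops_reset(void) { io_ops_done = 0; }
static unsigned char fake_inb(unsigned short port) { (void)port; io_ops_done++; return 0; }
static void fake_outb(unsigned short port, unsigned char v) { (void)port; (void)v; io_ops_done++; }

/* Vulnerable shape: the handler dispatches on the command alone, so the same
 * entry point reached through /dev/null performs the port access. */
int mmioctl_vulnerable(int minor, int cmd, struct ioreq *req)
{
    (void)minor;                       /* the missing check */
    switch (cmd) {
    case MMIO_INB:  req->value = fake_inb(req->port); return 0;
    case MMIO_OUTB: fake_outb(req->port, req->value); return 0;
    default:        return -EINVAL;
    }
}

/* Fixed shape: the post's minor(dev) == 2 check, written as an allow-list so a
 * minor added later is refused by default rather than admitted by accident. */
static bool minor_supports_io(int minor) { return minor == MINOR_MEM || minor == MINOR_KMEM; }

int mmioctl_fixed(int minor, int cmd, struct ioreq *req)
{
    if (!minor_supports_io(minor))
        return -ENXIO;                 /* refused before any command is examined */
    return mmioctl_vulnerable(minor, cmd, req);
}

/* Issue one request through a handler and report its status. */
int issue(int (*handler)(int, int, struct ioreq *), int minor, int cmd, unsigned short port)
{
    struct ioreq req = { port, 0 };
    return handler(minor, cmd, &req);
}
```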

------------------------------------------------------------------------

        End of Core Security Digest Volume 1 Issue 7
        **********************