home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Received: from PACIFIC-CARRIER-ANNEX.MIT.EDU by po6.MIT.EDU (5.61/4.7) id AA18511; Mon, 3 Oct 94 23:01:23 EDT Received: from villa.fc.net by MIT.EDU with SMTP id AA05928; Mon, 3 Oct 94 23:01:22 EDT Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by villa.fc.net (8.6.8.1/8.6.6) with ESMTP id HAA01914 for <bugtraq-outgoing@villa.fc.net>; Mon, 3 Oct 1994 07:32:30 -0500 Received: (from majordom@localhost) by freeside.fc.net (8.6.8.1/8.6.6) id HAA08834 for bugtraq-outgoing@villa.fc.net; Mon, 3 Oct 1994 07:33:02 -0500 Received: from crimelab.crimelab.com (crimelab.crimelab.com [198.64.127.1]) by freeside.fc.net (8.6.8.1/8.6.6) with ESMTP id HAA08823 for <bugtraq@fc.net>; Mon, 3 Oct 1994 07:32:43 -0500 Received: from mail.fwi.uva.nl (root@mail.fwi.uva.nl [146.50.4.20]) by crimelab.crimelab.com (8.6.9/8.6.4) with SMTP id HAA12316 for <bugtraq@crimelab.com>; Mon, 3 Oct 1994 07:28:09 -0500 Received: from fwi.uva.nl (xoff.fwi.uva.nl) by mail.fwi.uva.nl with SMTP (5.65c/5.1) id AA06996; Mon, 3 Oct 1994 13:28:57 +0100 Message-Id: <199410031228.AA06996@mail.fwi.uva.nl> X-Organisation: Faculty of Mathematics & Computer Science University of Amsterdam Kruislaan 403 NL-1098 SJ Amsterdam The Netherlands X-Phone: +31 20 525 7463 X-Telex: 10262 hef nl X-Fax: +31 20 525 7490 To: rwing!pat@ole.cdac.com (Pat Myrto) Cc: bugtraq@crimelab.com Subject: Re: Lets make sure these are fixed (was: Tim Newsham) In-Reply-To: Your message of "Mon, 03 Oct 1994 01:54:40 PDT." <9410030854.AA05291@rwing.UUCP> Date: Mon, 03 Oct 1994 13:28:55 +0100 From: Casper Dik <casper@fwi.uva.nl> Sender: bugtraq-owner@crimelab.com Precedence: bulk >Question I have is - how does doing all those saves and restores in >SPARC assembler result in the user being able to modify the ucred struct >in a running program without privs to modify memory directly? I suppose >a workaround would be to (cringe) disable ps temporarily, or forthose >who can, modify it to not show that address info and and deny the info >needed to find the ucred struct in a running program, at least until a >real fix is devised. Perhaps another idea would be to devise some test >to result in the process being killed when a user overflows the register >windows (hell, I'm really groping here, so bear with me). Have you tried it on your system? As far as I can tell this code might have worked at one time under Solaris 2.x (x <= 1). Currently all it does is core dump. (With a SIGSEGV/SEGV_MAPERR on the address specified on the command line) The code works by taking advantage of the register window underflow and overflow traps that didn't check whether the "stack frames" are in the user's address space or not. Reading memory is done by using up the register windows thus making sure the last restore causes an underflow trap (which restores registers from kernel memory: gives read access) Using the overflow trap it is possible to write memory. In Solaris 2.2 and 2.3 this works properly as far as I can tell (the source seems to check the source and target of window loads/stores. Nor can I get the example to work). Similar bugs once existed in SunOS 4.1.x (though instruction emulation traps where most often used). I do not know where this code comes from, but it has been around quite some time. >One thing is obvious: The crackers have access to source and time to >really study it, most admins DON'T. They also know their way around in >SPARC assembler (I am still looking for a good book on the subject). I'm not sure whether this is a hacker product or someone really well-versed in the subject that wrote these. The original multiply/divide code uses similar hacks and does not originate in the hacker comunity, if I'm informed right. Having understood the SPARC assembler it is then easy to modify and adapt this code to try new holes in the system. One thing strikes me as odd in this code, though: the stack in this code is made to grow upwards, instead of downwards. The best reference on SPARC assembler is undoubtedly the architecture reference manual. It tells you exactly what all these assembler instructions do. >These odds need to be evened up a bit. And if vendors knew about this >kind of vulnerability and did or said nothing, that borders on criminal. >'Bout time source licenses (for reconfig rights only, not derived works, >a hefty fee and royalties are appropriate for that) became more affordable >so honest folk would have access and a better chance of dealing with >these people. That would at least allow enough differences to be >introduced that crackers would not be assured of identical conditions >from site to site. A unix-type OS is just too complex to lock the >users out totally - not until vendors can GUARANTEE that they have >not left some inadvertant holes. Holes like this one are not found easily unless you know what you're looking for. I think this particular hole is fixed in Solaris 2.3 (even FCS) and I think I even checked 2.2 when I first got this code. I put the code aside as being of historical importance only. Or can people reproduce this on their Solaris systems? You might want to change the number of restores/saves too: some systems have 7 others 8 register windows. >And you can bet the cracker's best or most invasive scripts were NOT >posted. Nobody shows their ace-in-the-hole. There are sure some bugs >to be trackin' there, it seems to me... And yes, I wish I had some >fixes to offer. I am sure we will get CERT advisories about un-resolved >holes 'round about January or February 1995... Only the bin mail hole is still present, I think. Casper
home | help | back | first | fref | pref | prev | next | nref | lref | last | post |