SECURITY BUG IN INTERACTIVE UNIX SYSV386

Ken Weaverling weave at chopin.udel.edu
Sat Feb 16 02:54:10 AEST 1991


(Some info for PRIME customers below, but first.....)

In article <1991Feb15.134715.16979 at virtech.uucp> 
      cpcahil at virtech.uucp (Conor P. Cahill) writes:
>
>	2. I wholeheartedly DISAGREE with you posting the source code which
>	   performs the security bypass.  You could have just posted the
>	   uuencoded binary which would have been enough to prove your point
>	   without making it extremely easy for any two bit user to obtain
>	   privileged access.

I agree, and the binary could have proven the point without making 
passwd and shadow 666. Therefore, if a curious user got hold of it and
ran it without really wanting to do damage, the files could be left 666
for someone else to play with.

Another alternative could have been a posting such as: "Hey, take a 
look at <sys/user.h> -- guess what, a user can WRITE to those fields!"

That would have the same shock value for sysadmins, then I could do 
*something* to buy myself *some* time like make user.h 600 or make it
a FIFO so a compile that attempts to #include it would hang or even
if I was real industrious, put a daemon on the other end of the FIFO
which could alert me if someone opened it.  

I'm not upset with the fellow who did the post. In the end, he will have
done us all a great favour. It's just that I feel naked and helpless
right now....

BTW, the bug appears on the Prime EXL 300 and matchbox series running
Prime's version of SYSV/386.  I called Prime and they opened a 
Priority SPAR on it. Any Prime customers should monitor the Prime
diagnostic database for the fix announcement. SPAR # is 4052031.

-- 
>>>---> Ken Weaverling  >>>---->  weave at brahms.udel.edu
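The FIFO canary the post sketches (replace the header with a named pipe and have a daemon sit on the other end so that any open of the file raises an alert), as an added Python example that is not from the original post; the temp-directory path and the in-memory alert list are constructed for the demo and stand in for the real header path and a real alert sink.

```python
import os
import tempfile
import threading
import time


def make_canary(path):
    """Replace (or create) the header file with a named pipe."""
    if os.path.exists(path):
        os.remove(path)
    os.mkfifo(path, 0o644)


def watch_canary(path, alerts):
    """Daemon side: opening a FIFO for writing blocks until some process
    opens it for reading, e.g. a compiler resolving #include <sys/user.h>.
    Returning from open() therefore means the canary was touched."""
    fd = os.open(path, os.O_WRONLY)
    alerts.append("ALERT: %s opened for reading at %s" % (path, time.ctime()))
    os.close(fd)  # reader now sees EOF instead of a real header


def run_demo():
    """Constructed scenario: plant the canary, start the watcher, then
    simulate a compile that opens the header. Returns the alerts raised."""
    workdir = tempfile.mkdtemp()
    header = os.path.join(workdir, "user.h")  # constructed stand-in path
    make_canary(header)

    alerts = []
    watcher = threading.Thread(target=watch_canary, args=(header, alerts), daemon=True)
    watcher.start()

    # The "compiler": a plain open-for-read of the header.
    with open(header, "rb") as f:
        f.read()

    watcher.join(timeout=5)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```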