SECURITY BUG IN INTERACTIVE UNIX SYSV386
Conor P. Cahill
cpcahil at virtech.uucp
Sat Feb 16 13:17:04 AEST 1991

loc at yrloc.ipsa.reuter.COM (Leigh Clayton) writes:

> I've seen many many postings with this subject, but I've yet to come
> across a description of just what everyone is on about. I run 386ix 2.0.2

The problem is as follows:

The user structure, which is used by the kernel to store process
information including the user/group that is running the process, is
writable by the programs themselves. Since a program can write data
to that area, they can make the system believe that they are actually
being run by the super user, thereby gaining full access to the
entire system.

In short, any user with access to a compiler can make themselves
root with just a few lines of somewhat simple C code (although if it hadn't
been posted, it probably wouldn't have been that simple for the average
programmer to do it).

This problem is known to be present in the following systems:

    Interactive 2.0.2
    Interactive 2.2
    ESIX
    AT&T Rel 3.2 (fixed in 3.2.1)

The problem is known to NOT exist in the following systems:

    Dell Unix (both 3.2 and 4.0)
    SCO UNIX

There is a workaround for Interactive 2.2 if you have a 387 installed (turn
off UAREAW and UAREAS in /etc/conf/cf.d/stune).

Both Interactive and ESIX have said that a fix disk would be forthcoming.

--
Conor P. Cahill (703)430-9247 Virtual Technologies, Inc.
uunet!virtech!cpcahil 46030 Manekin Plaza, Suite 160
Sterling, VA 22170