The Unix Heritage Society mailing list
* [TUHS] Old Unix vulnerabilities
@ 2017-05-13 23:34 Dave Horsfall
  2017-05-14  5:52 ` Random832
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Dave Horsfall @ 2017-05-13 23:34 UTC (permalink / raw)


OK, I'll kick it off.

A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec 
Eng; by sending a signal with an appropriately-crafted negative value (as 
determined from inspecting <user.h>) you could overwrite u.u_uid with 
zero...  Needless to say I scrambled to fix that one on my 11/40 network!

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] Old Unix vulnerabilities
  2017-05-13 23:34 [TUHS] Old Unix vulnerabilities Dave Horsfall
@ 2017-05-14  5:52 ` Random832
  2017-05-15  9:46   ` Tony Finch
  2017-05-14  6:11 ` Random832
  2017-05-18 17:32 ` Tim Newsham
  2 siblings, 1 reply; 5+ messages in thread
From: Random832 @ 2017-05-14  5:52 UTC (permalink / raw)


On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote:
> OK, I'll kick it off.
> 
> A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec 
> Eng; by sending a signal with an appropriately-crafted negative value (as 
> determined from inspecting <user.h>) you could overwrite u.u_uid with 
> zero...  Needless to say I scrambled to fix that one on my 11/40 network!

V7 fixes it by changing the if(sig >= NSIG) in psignal to cast it to
unsigned. Kill still doesn't validate its parameter until SysIII and
4BSD. PWB1 does not have the fix.



* [TUHS] Old Unix vulnerabilities
  2017-05-13 23:34 [TUHS] Old Unix vulnerabilities Dave Horsfall
  2017-05-14  5:52 ` Random832
@ 2017-05-14  6:11 ` Random832
  2017-05-18 17:32 ` Tim Newsham
  2 siblings, 0 replies; 5+ messages in thread
From: Random832 @ 2017-05-14  6:11 UTC (permalink / raw)


On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote:
> OK, I'll kick it off.

Oh, and since we're doing this... I independently noticed a buffer
overflow vulnerability in mkdir, and later discovered that someone else
had actually published a working exploit for the same bug... in 2004.

http://archive.cert.uni-stuttgart.de/bugtraq/2004/06/msg00035.html



* [TUHS] Old Unix vulnerabilities
  2017-05-14  5:52 ` Random832
@ 2017-05-15  9:46   ` Tony Finch
  0 siblings, 0 replies; 5+ messages in thread
From: Tony Finch @ 2017-05-15  9:46 UTC (permalink / raw)


Random832 <random832 at fastmail.com> wrote:
> On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote:
> >
> > A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec
> > Eng; by sending a signal with an appropriately-crafted negative value (as
> > determined from inspecting <user.h>) you could overwrite u.u_uid with
> > zero...  Needless to say I scrambled to fix that one on my 11/40 network!
>
> V7 fixes it by changing the if(sig >= NSIG) in psignal to cast it to
> unsigned.

Even without that check V7 wouldn't be vulnerable. In V6, the
vulnerability occurs in psig() when the signal action is reset:

http://minnie.tuhs.org/cgi-bin/utree.pl?file=V6/usr/sys/ken/sig.c

	rp = u.u_procp;
	n = rp->p_sig;
	rp->p_sig = 0;
	if((p=u.u_signal[n]) != 0) {
		u.u_error = 0;
		if(n != SIGINS && n != SIGTRC)
			u.u_signal[n] = 0;
		/* if n < 0 this can overwrite u.u_uid */

In V7, instead of a single pending signal, there is a bitmap of pending
signals, so the corresponding code is:

http://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/sys/sys/sig.c

	n = fsig(rp);
	if (n==0)
		return;
	rp->p_sig &= ~(1<<(n-1));
	if((p=u.u_signal[n]) != 0) {
		u.u_error = 0;
		if(n != SIGINS && n != SIGTRC)
			u.u_signal[n] = 0;
		/* always within the array bounds */

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire, South Utsire, Northeast Forties: Variable becoming
southeasterly 3 or 4, increasing 5 to 7, perhaps gale 8 later. Slight or
moderate becoming moderate or rough later. Fog patches, rain later. Moderate,
occasionally very poor.
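Added illustration of the two checks discussed in the message above (this is not code from the thread or from the V6/V7 sources): a constructed user-space model whose struct layout, NSIG value and function names are assumptions, showing that the signed comparison accepts a negative signal number, that the unsigned cast rejects it, and that a bitmap-derived signal number can never be negative.

```c
#include <stddef.h>

/* Constructed model: V7's NSIG was 17; the number itself does not matter
 * for the checks below, only that it bounds the table. */
#define NSIG 17

/* Simplified, constructed layout of the per-process "user" structure
 * (assumed, not the real <user.h>): u_uid sits immediately before the
 * signal-handler table, which is what a negative index would reach. */
struct user_model {
    int u_uid;
    int u_signal[NSIG];
};

/* V6-style bound check: a negative sig satisfies sig < NSIG, so the
 * index is accepted even though it points before the array. */
int v6_sig_accepted(int sig)
{
    return sig < NSIG;
}

/* V7-style check: the unsigned cast turns every negative value into a
 * large one, so a single comparison rejects both ends of the range. */
int v7_sig_accepted(int sig)
{
    return (unsigned)sig < NSIG;
}

/* V7 fsig(): with a bitmap of pending signals, the signal number is the
 * position of the lowest set bit plus one, so it is always 0 (none) or
 * in 1..NSIG-1, and can never be negative. */
int fsig(unsigned p_sig)
{
    for (int n = 1; n < NSIG; n++)
        if (p_sig & (1u << (n - 1)))
            return n;
    return 0;
}

/* Byte offset that u.u_signal[sig] would have for a given index, computed
 * arithmetically so nothing out of bounds is ever touched.  Comparing the
 * result for sig = -1 with offsetof(u_uid) shows why the V6 write landed
 * on the uid field in this layout. */
long u_signal_byte_offset(int sig)
{
    return (long)offsetof(struct user_model, u_signal)
         + (long)sig * (long)sizeof(int);
}
```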



* [TUHS] Old Unix vulnerabilities
  2017-05-13 23:34 [TUHS] Old Unix vulnerabilities Dave Horsfall
  2017-05-14  5:52 ` Random832
  2017-05-14  6:11 ` Random832
@ 2017-05-18 17:32 ` Tim Newsham
  2 siblings, 0 replies; 5+ messages in thread
From: Tim Newsham @ 2017-05-18 17:32 UTC (permalink / raw)


Here are some previously reported ones:

v1:
  http://minnie.tuhs.org/pipermail/unix-jun72/2008-May/000126.html
  http://minnie.tuhs.org/pipermail/unix-jun72/2008-May/000250.html

v7:
  http://seclists.org/bugtraq/2004/Jun/37


On Sat, May 13, 2017 at 1:34 PM, Dave Horsfall <dave at horsfall.org> wrote:

> OK, I'll kick it off.
>
> A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec
> Eng; by sending a signal with an appropriately-crafted negative value (as
> determined from inspecting <user.h>) you could overwrite u.u_uid with
> zero...  Needless to say I scrambled to fix that one on my 11/40 network!
>
> --
> Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will
> suffer."
>



-- 
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com


