* [TUHS] Old Unix vulnerabilities
@ 2017-05-13 23:34 Dave Horsfall
2017-05-14 5:52 ` Random832
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Dave Horsfall @ 2017-05-13 23:34 UTC (permalink / raw)
OK, I'll kick it off.
A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec
Eng; by sending a signal with an appropriately-crafted negative value (as
determined from inspecting <user.h>) you could overwrite u.u_uid with
zero... Needless to say I scrambled to fix that one on my 11/40 network!
--
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."
^ permalink raw reply [flat|nested] 5+ messages in thread* [TUHS] Old Unix vulnerabilities 2017-05-13 23:34 [TUHS] Old Unix vulnerabilities Dave Horsfall @ 2017-05-14 5:52 ` Random832 2017-05-15 9:46 ` Tony Finch 2017-05-14 6:11 ` Random832 2017-05-18 17:32 ` Tim Newsham 2 siblings, 1 reply; 5+ messages in thread From: Random832 @ 2017-05-14 5:52 UTC (permalink / raw) On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote: > OK, I'll kick it off. > > A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec > Eng; by sending a signal with an appropriately-crafted negative value (as > determined from inspecting <user.h>) you could overwrite u.u_uid with > zero... Needless to say I scrambled to fix that one on my 11/40 network! V7 fixes it by changing the if(sig >= NSIG) in psignal to cast it to unsigned. Kill still doesn't validate its parameter until SysIII and 4BSD. PWB1 does not have the fix. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [TUHS] Old Unix vulnerabilities 2017-05-14 5:52 ` Random832 @ 2017-05-15 9:46 ` Tony Finch 0 siblings, 0 replies; 5+ messages in thread From: Tony Finch @ 2017-05-15 9:46 UTC (permalink / raw) Random832 <random832 at fastmail.com> wrote: > On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote: > > > > A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec > > Eng; by sending a signal with an appropriately-crafted negative value (as > > determined from inspecting <user.h>) you could overwrite u.u_uid with > > zero... Needless to say I scrambled to fix that one on my 11/40 network! > > V7 fixes it by changing the if(sig >= NSIG) in psignal to cast it to > unsigned. Even without that check V7 wouldn't be vulnerable. In V6, the vulnerability occurs in psig() when the signal action is reset: http://minnie.tuhs.org/cgi-bin/utree.pl?file=V6/usr/sys/ken/sig.c rp = u.u_procp; n = rp->p_sig; rp->p_sig = 0; if((p=u.u_signal[n]) != 0) { u.u_error = 0; if(n != SIGINS && n != SIGTRC) u.u_signal[n] = 0; /* if n < 0 this can overwrite u.u_uid */ In V7, instead of a single pending signal, there is a bitmap of pending signals, so the corresponding code is, http://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/sys/sys/sig.c n = fsig(rp); if (n==0) return; rp->p_sig &= ~(1<<(n-1)); if((p=u.u_signal[n]) != 0) { u.u_error = 0; if(n != SIGINS && n != SIGTRC) u.u_signal[n] = 0; /* always within the array bounds */ Tony. -- f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode Viking, North Utsire, South Utsire, Northeast Forties: Variable becoming southeasterly 3 or 4, increasing 5 to 7, perhaps gale 8 later. Slight or moderate becoming moderate or rough later. Fog patches, rain later. Moderate, occasionally very poor. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [TUHS] Old Unix vulnerabilities 2017-05-13 23:34 [TUHS] Old Unix vulnerabilities Dave Horsfall 2017-05-14 5:52 ` Random832 @ 2017-05-14 6:11 ` Random832 2017-05-18 17:32 ` Tim Newsham 2 siblings, 0 replies; 5+ messages in thread From: Random832 @ 2017-05-14 6:11 UTC (permalink / raw) On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote: > OK, I'll kick it off. Oh, and since we're doing this... I independently noticed a buffer overflow vulnerability in mkdir, and later discovered that someone else had actually published a working exploit for the same bug... in 2004. http://archive.cert.uni-stuttgart.de/bugtraq/2004/06/msg00035.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* [TUHS] Old Unix vulnerabilities 2017-05-13 23:34 [TUHS] Old Unix vulnerabilities Dave Horsfall 2017-05-14 5:52 ` Random832 2017-05-14 6:11 ` Random832 @ 2017-05-18 17:32 ` Tim Newsham 2 siblings, 0 replies; 5+ messages in thread From: Tim Newsham @ 2017-05-18 17:32 UTC (permalink / raw) Here are some previously reported ones: v1: http://minnie.tuhs.org/pipermail/unix-jun72/2008-May/000126.html http://minnie.tuhs.org/pipermail/unix-jun72/2008-May/000250.html v7: http://seclists.org/bugtraq/2004/Jun/37 On Sat, May 13, 2017 at 1:34 PM, Dave Horsfall <dave at horsfall.org> wrote: > OK, I'll kick it off. > > A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec > Eng; by sending a signal with an appropriately-crafted negative value (as > determined from inspecting <user.h>) you could overwrite u.u_uid with > zero... Needless to say I scrambled to fix that one on my 11/40 network! > > -- > Dave Horsfall DTM (VK2KFU) "Those who don't understand security will > suffer." > -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20170518/4c4b64b5/attachment.html> ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-05-18 17:32 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-05-13 23:34 [TUHS] Old Unix vulnerabilities Dave Horsfall 2017-05-14 5:52 ` Random832 2017-05-15 9:46 ` Tony Finch 2017-05-14 6:11 ` Random832 2017-05-18 17:32 ` Tim Newsham
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).