Random832 <random832(a)fastmail.com> wrote:
> On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote:
> > A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec
> > Eng; by sending a signal with an appropriately-crafted negative value (as
> > determined from inspecting <user.h>) you could overwrite u.u_uid with
> > zero... Needless to say I scrambled to fix that one on my 11/40 network!
> V7 fixes it by changing the if(sig >= NSIG) in psignal to cast it to
> unsigned.
Even without that check V7 wouldn't be vulnerable. In V6, the
vulnerability occurs in psig() when the signal action is reset:
http://minnie.tuhs.org/cgi-bin/utree.pl?file=V6/usr/sys/ken/sig.c
    rp = u.u_procp;
    n = rp->p_sig;
    rp->p_sig = 0;
    if((p=u.u_signal[n]) != 0) {
        u.u_error = 0;
        if(n != SIGINS && n != SIGTRC)
            u.u_signal[n] = 0;      /* if n < 0 this can overwrite u.u_uid */
In V7, instead of a single pending signal, there is a bitmap of pending
signals, so the corresponding code is,
http://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/sys/sys/sig.c
    n = fsig(rp);
    if (n==0)
        return;
    rp->p_sig &= ~(1<<(n-1));
    if((p=u.u_signal[n]) != 0) {
        u.u_error = 0;
        if(n != SIGINS && n != SIGTRC)
            u.u_signal[n] = 0;      /* always within the array bounds */
Tony.
--
f.anthony.n.finch <dot(a)dotat.at>
http://dotat.at/ - I xn--zr8h punycode
Viking, North Utsire, South Utsire, Northeast Forties: Variable becoming
southeasterly 3 or 4, increasing 5 to 7, perhaps gale 8 later. Slight or
moderate becoming moderate or rough later. Fog patches, rain later. Moderate,
occasionally very poor.
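The following is an added worked example, not code from this thread or from the V6/V7 sources. It models the three points the message makes: a signed `sig >= NSIG` check lets negative signal numbers through while the unsigned cast rejects them; with the action table stored after the uid in the user structure, a negative index lands on the uid field; and V7's fsig() only ever yields an index inside the table. The `struct toy_user` layout, the value of NSIG (17, taken here as an assumed V7 value) and the function names are all constructed for the example; no out-of-bounds memory is actually written, the offsets are computed arithmetically with offsetof().

```c
/* Added example (not from the TUHS thread or the V6/V7 kernels). Models the
 * signed vs. unsigned signal-number check and V7's bitmap fsig(), and shows
 * arithmetically where a negative index into u_signal[] would land. */
#include <stddef.h>
#include <stdio.h>

#define NSIG 17   /* assumed value for the toy; check param.h for the real one */

/* Constructed, simplified stand-in for struct user in <user.h>: the uid
 * field sits before the per-signal action table, as it does in V6. */
struct toy_user {
    int u_uid;
    int u_gid;
    int u_signal[NSIG];
};

/* V6-style check: `if (sig >= NSIG)` on a signed int rejects only large
 * positive values; every negative sig passes. Returns 1 if accepted. */
int v6_accepts(int sig)
{
    return !(sig >= NSIG);
}

/* V7-style check: the cast folds negatives into huge unsigned values, so a
 * single comparison rejects both sig < 0 and sig >= NSIG. */
int v7_accepts(int sig)
{
    return !((unsigned)sig >= NSIG);
}

/* Byte offset inside struct toy_user that u_signal[n] would address.
 * Pure arithmetic: nothing is dereferenced, so negative n is safe here. */
long slot_offset(int n)
{
    return (long)offsetof(struct toy_user, u_signal) + (long)n * (long)sizeof(int);
}

/* Does u_signal[n] alias u_uid in the toy layout? */
int slot_hits_uid(int n)
{
    return slot_offset(n) == (long)offsetof(struct toy_user, u_uid);
}

/* The (negative) index that reaches u_uid from the start of u_signal[],
 * derived from the layout rather than hard-coded. */
int uid_slot_index(void)
{
    return -(int)(offsetof(struct toy_user, u_signal) / sizeof(int));
}

/* Reconstruction of V7's fsig(): lowest pending signal number from a bitmap
 * where bit (n-1) means signal n is pending; 0 if none. Whatever the bitmap
 * contains, the result is 0 or lies in 1..NSIG-1, so it can only index
 * inside u_signal[]. */
int toy_fsig(unsigned p_sig)
{
    unsigned n = p_sig;
    for (int i = 1; i < NSIG; i++) {
        if (n & 1)
            return i;
        n >>= 1;
    }
    return 0;
}

int main(void)
{
    int idx = uid_slot_index();
    printf("index %d into u_signal[] has offset %ld; u_uid is at offset %zu\n",
           idx, slot_offset(idx), offsetof(struct toy_user, u_uid));
    printf("V6-style check accepts %d: %s\n", idx, v6_accepts(idx) ? "yes" : "no");
    printf("V7-style check accepts %d: %s\n", idx, v7_accepts(idx) ? "yes" : "no");
    printf("fsig over bitmap 0x14 -> signal %d (bits 2 and 4 set)\n", toy_fsig(0x14u));
    return 0;
}
```

The useful habit this illustrates for any table indexed by a caller-supplied number is to validate the index as an unsigned quantity (or with an explicit `sig < 1 || sig >= NSIG` test) before it is used, and to prefer a representation, such as V7's pending-signal bitmap, from which the index is derived by the kernel rather than taken directly from user input.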