[comp.bugs.sys5] Security bug in Microport Unix

bill@franklin.com (Bill) (03/18/91)

(Here's the info on the hole I mentioned. Followups have been
directed to comp.unix.sysv386.)

The bug is a means whereby any user can execute '386 I/O
instructions in Microport Unix 3.0e. This bug may well apply to
other versions of Microport's Unix; it probably does not apply to
any other Unix.

The bug is as follows: the /dev/mem driver was given an ioctl to
do I/O instructions. (Examination of the source suggests that this
was done by Microport.) Unfortunately, in the modification, no
check on the minor device number is made. Since /dev/null uses
the same driver, ioctls on /dev/null can also do I/O instructions.

To make use of the bug, one constructs a program to open
/dev/null and do ioctls. This does not require access to a
compiler; shell access and any of a number of tools are
sufficient. Taking advantage of this bug permits any number of
security problems; easiest is to crash the system. A clever hacker
can almost certainly arrange to get a uid 0 process with it.
(Think about DMA'ing a zero into just the right byte of the
process table or user structure.)

This is a kernel bug and there is no easy work-around for
binary-only sites. The following should eliminate the bug, with
some side effects:

	adb -w /unix
	mmioctl?W0c3

*All* memory driver ioctls will be ignored with this patch.
Programs that use the memory driver to do I/O instructions will
fail. Also, there is reboot code in there which has been
superseded by the uadmin system call; I don't think anything uses
that. The biggest problem is that this same ioctl is used for the
limited runtime control; I have no idea whether your system will
boot with this patch: /etc/init may well have a hissy fit when it
tries to do those ioctls, as may getty. Since my system is heavily
modified, and its /etc/init no longer uses this ioctl, I don't
know what effect this patch will have. Someone else will have to
check this out. There would have to be separate checks for the
unlimited runtime and the two-user runtime.

If you have source code, add

	/* minor 2 is the /dev/null node: refuse all ioctls on it */
	if (minor(dev) == 2) {
		u.u_error = ENXIO;
		return;
	}

to the top of mmioctl in mem.c. This will eliminate the bug.
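As an added illustration (not code from this post or from Microport), here is a small user-space model of the flaw and of the check above: access is decided at open() by the device node's mode, so a driver that serves several minors has to refuse its privileged requests on the minor that unprivileged users can open. All names and numbers (MINOR_NULL, MMIO_DO_IO, the uid, the counter) are assumptions for the model.

```c
/* Added example (not code from the original post): a user-space model of
 * why a driver shared by several minor devices must check the minor before
 * honouring a privileged ioctl.  All names and numbers below are assumptions
 * for the model, not Microport's. */
#include <errno.h>

#define MINOR_MEM  0      /* /dev/mem:  root-only node       */
#define MINOR_KMEM 1      /* /dev/kmem: root-only node       */
#define MINOR_NULL 2      /* /dev/null: world-writable node  */
#define MMIO_DO_IO 1      /* hypothetical "do I/O instruction" request */

static int privileged_ops;   /* how many privileged requests were honoured */

/* Unix enforces access at open(): the node's mode decides who gets a
 * descriptor.  The mem driver's nodes differ only in their minor number. */
static int node_is_world_writable(int minor) { return minor == MINOR_NULL; }

/* Returns the minor number the caller now holds, or -EACCES. */
int mem_open(int minor, int uid)
{
    if (uid != 0 && !node_is_world_writable(minor))
        return -EACCES;
    return minor;
}

/* Flawed dispatch, as described in the post: the request is carried out
 * no matter which minor the descriptor refers to. */
int mmioctl_flawed(int minor, int cmd)
{
    (void)minor;
    if (cmd != MMIO_DO_IO) return EINVAL;
    privileged_ops++;
    return 0;
}

/* Fixed dispatch, following the post's source patch: refuse the /dev/null
 * minor before any request is interpreted. */
int mmioctl_fixed(int minor, int cmd)
{
    if (minor == MINOR_NULL) return ENXIO;
    if (cmd != MMIO_DO_IO) return EINVAL;
    privileged_ops++;
    return 0;
}

int privileged_ops_count(void) { return privileged_ops; }
void privileged_ops_reset(void) { privileged_ops = 0; }
```

With the flawed dispatcher a non-root caller who opens the /dev/null minor gets the privileged request honoured; with the fixed one the same call fails with ENXIO while root on /dev/mem is unaffected.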

If you are feeling trusting and brave, you can use the code I've
enclosed below. If you aren't, you could disassemble this code
and the code you have in your system and then compare them; the
only difference should correspond to the suggested fix above.
These are replacements for the mem.o file in /usr/atconf/mem,
from the source code for Microport Unix SysV/3.0e. There are two
mem.o files: one for the 2-user kernel and one for the unlimited
user kernel; I've used uuencode to ship them. Warning: my system
is sufficiently hacked that the original mem drivers won't work
in it, so I could not test these. If you do use them, please
test that the bug exists on your system and that these fix it;
then let me know.

