Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!uunet!virtech!cpcahil
From: cpcahil@virtech.uucp (Conor P. Cahill)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Message-ID: <1991Feb16.021704.17562@virtech.uucp>
Date: 16 Feb 91 02:17:04 GMT
References: <1991Feb15.011125.19741@yrloc.ipsa.reuter.COM>
Organization: Virtual Technologies Inc.
Lines: 39

loc@yrloc.ipsa.reuter.COM (Leigh Clayton) writes:

> I've seen many many postings with this subject, but I've yet to come
> across a description of just what everyone is on about. I run 386ix 2.0.2

The problem is as follows:

The user structure, which is used by the kernel to store process
information including the user/group that is running the process, is
writable by the programs themselves. Since a program can write data to
that area, they can make the system believe that they are actually being
run by the super user, thereby gaining full access to the entire system.

In short, any user with access to a compiler can make themselves root
with just a few lines of somewhat simple C code (although if it hadn't
been posted, it probably wouldn't have been that simple for the average
programmer to do it).

This problem is known to be present in the following systems:

	Interactive 2.0.2
	Interactive 2.2
	ESIX
	AT&T Rel 3.2 (fixed in 3.2.1)

The problem is known to NOT exist in the following systems:

	Dell Unix (both 3.2 and 4.0)
	SCO UNIX

There is a workaround for Interactive 2.2 if you have a 387 installed
(turn off UAREAW and UAREAS in /etc/conf/cf.d/stune).

Both Interactive and ESIX have said that a fix disk would be forthcoming.

-- 
Conor P. Cahill            (703)430-9247        Virtual Technologies, Inc.
uunet!virtech!cpcahil      46030 Manekin Plaza, Suite 160
                           Sterling, VA 22170