SUMMARY Potential Security Problem?

From: Tom Mornini (tmornini@infomania.com)
Date: Tue Jul 30 1996 - 13:01:48 CDT


I originally asked:

>I just got this e-mail from a friend. Does anybody "in the know" have
>a comment on Solaris' vulnerability to this problem?

>>>FYI: It was mentioned that Solaris has the same vulnerability
>>>(SCO, Solaris, and [shoot, one other]). Just thought you'd like
>>>to be aware of it, though you don't have to worry about users online..

And Casper Dik responded almost immediately...

>Solaris is not vulnerable to this problem, there's nothing at address 0 so
>you get a SIGSEGV instead.
>
>
>[ ... ]
>
>Obviously, *any* system which contain pt_chmod which has set-uid permissions
>is a gross overstatement:
> - on reasonable systems dereferencing NULL causes an error
> [ on Solaris chown returns EFAULT ]
> - on some systems pt_chmod bails out when ptsname() returns NULL
> (i.e., they fixed the bug)
>
>All in all, pt_chmod is a *much* better solution than making xterm, screen,
>splitvt, cmdtool, shelltool, etc set-uid root.
>
>>> * The values given in null_file[] work on our SCO 3.2v4 system. On some
>>> * systems the values may change from process to process. To find out the
>>> * correct values for your system, run /usr/lib/pt_chmod under your favourite
>>> * debugger, and print the first few words from address 0 onwards, until
>>> * you hit a null byte.
>>> */
>
>
>Which doesn't work in Solaris as there's nothing mapped there.
>(Adb will give you "data address not found")
>
>Casper

-- Tom Mornini
-- InfoMania
-- PostScript Electronic Prepress
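
The fix Casper mentions (bailing out when ptsname() returns NULL rather than handing the result on to chown) looks like this in C. This is an added example, not code from the original message or from any vendor's pt_chmod; the function name pt_fix_owner and its return codes are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600   /* expose ptsname() in <stdlib.h> */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototype in case the feature-test macro above takes effect too late. */
char *ptsname(int fd);

/* Hypothetical return codes for this example. */
enum { PT_OK = 0, PT_CHOWN_FAILED = -1, PT_NOT_A_PTY = -2 };

/*
 * Hand the slave side of master_fd to uid/gid.
 * ptsname() returns NULL when master_fd is not a pty master; that NULL
 * must never reach chown(), so bail out before touching the filesystem.
 */
int pt_fix_owner(int master_fd, uid_t uid, gid_t gid)
{
    const char *slave = ptsname(master_fd);

    if (slave == NULL)
        return PT_NOT_A_PTY;
    if (chown(slave, uid, gid) != 0)
        return PT_CHOWN_FAILED;
    return PT_OK;
}

int main(void)
{
    int fds[2];

    /* Constructed inputs: an invalid descriptor and a pipe, neither a pty master. */
    printf("fd -1 -> %d\n", pt_fix_owner(-1, getuid(), getgid()));
    if (pipe(fds) == 0) {
        printf("pipe  -> %d\n", pt_fix_owner(fds[0], getuid(), getgid()));
        close(fds[0]);
        close(fds[1]);
    }
    return 0;
}
```
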



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:06 CDT