TUCoPS :: Unix :: Various Flavours
:: null.htm
Microport Unix /dev/null kernel bug
Vulnerability
/dev/null
Affected
Microport Unix 3.0e and probably other versions of Microport
Unix.
Description
Any user can execute '386 I/O instructions in Microport's Unix
3.0e. The bug is as fallows: the /dev/mem driver was given an
ioctl to do I/O instructions. (Examination of the source suggests
that this was done by Microport, in the modification, no check on
the minor device number is made. Since /dev/null uses the same
driver, ioctls on /dev/null can also do I/O instructions. To
makeuse of the bug, one constructs a program to open /dev/null
and do ioctls. This does not require access to a compiler; shell
access and any of a number of tools are sufficient. Taking
advantage of this bug permits any number of security problems:
easiest is to crash the system. A clever hacker can almost
certainly arrange to get a uid 0 process with it. (Think about
DMA'ing a zero into just the right byte of the process table.)
Solution
This is a kernel bug and there is no easy work-around for binary
only sites. The following should eliminate the bug, with some side
effects:
adb -w /unix
mmioctl?W0c3
*All* memory driver ioctls will be ignored with this patch.
Programs that us the memory driver to do I/O instructions will
fail. Also, there is reboot code in there which has been
superceded by the uadmin system call; I don't think anything uses
that. The biggest problem is that this same ioctl us used for the
limited runtime control; I have no idea whether your system will
boot with this patch, /etc/init may well have a hissy fit when it
tries to do those ioctls. If you have source code, add
if(minor(dev) == 2) {
u.u_error = ENXIO;
return;
}
to the top of mmioctl in mem.c. This will eliminate the bug.