Re: UnixWare

Casper Dik (casper@fwi.uva.nl)
Wed, 27 Apr 94 19:35:43 +0200

>On Apr 27, 10:49am, Perry E. Metzger wrote:
>> Subject: Re: UnixWare
>
>> Name a couple for us then. I personally have seen only one security
>> hole in a kernel in the past several years -- the division bug under
>> older SunOS. Virtually every alert is related to a program that's
>> setuid root, or that is needlessly running with root privileges (like
>> sendmail).

A number of SunOS ones: divide by zero, imul, idiv emulation
(two separate bugs), PTRACE_ATTACH (in SunOS 4.0.x).
There was some bug in early Solaris versions in window underflow/overflow traps
too (unconfirmed).
There are also ones reported in V6 or V7 unix.

The BSD pty subsystem also is too permissive and allows snooping on other
pty's, which could lead to the discovery of passwords and unauthorized access.

>I've not got a copy of UNIX ware around, but I bet that it's still got
>the mmap/copy-on-write hole in it. Easy to reproduce, with a 64KB file
>and mmap should return a permission denied, but it still lets you get
>access.

I wouldn't be too sure: this bug was discovered a long time ago and seems
to only have hit the SVR4 for Intel market.

>NOTE I'VE NOT GOT A COPY of UNIXware available, but that bug was discovered
>in all SVR4's about the same time that UNIXWare was starting to ship...

The bug was discovered much earlier.  I believe ICL had already fixed it
in their SPARC reference port and it wasn't in Solaris 2.1 for the x86
either (about two years old).

Although vendors distribute fixes, it seems to take a long time before the
patch gets incorporated in their main release (it supposedly is still in
ESIX 4.0.4, while fixes were made available for 4.0.2 and 4.0.3).

Casper