Security hole in Digital Ultrix and OSF/1 (aka Digital Unix)

Martyn Johnson (Martyn.Johnson@cl.cam.ac.uk)
Tue, 18 Jul 1995 18:56:17 +0100

The following security hole was reported to Digital and CERT in March 1994. It
is still present in the latest version of Digital Unix being distributed (3.2).

As far as I know it is present in all Unix variants produced by Digital for
VAX, Mips and Alpha platforms.

Digital have added a pair of flags to the "mountd" program (-d and -s) which
are intended to block mounts from outside the local domain. If you use this
feature, then the first attempt to mount from outside is correctly rejected.
But if you send the same request again straight away, it will usually be
accepted. Specifically, you must repeat the request before mountd receives a
request from some other host.

The problem is that the daemon is intending to cache the success of the last
request.  Unfortunately the code Digital have added is in the wrong place, and
the request is cached even if it fails the new test.

The bug does not affect systems which use explicit export lists rather than
relying on -d or -s.

The problem can be fixed with a one instruction patch. We have worked out
patches for OSF/1 versions 1.3 and 3.2.

For 1.3, the instruction to change is:

1147c1147
<   0x120003e28:        c3e000b6        br      zero, 0x120004104
---
>   0x120003e28:        47ff041f        bis     zero, zero, zero
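Review bot: the replacement word 47ff041f is `bis zero, zero, zero`, the Alpha no-op, so this hunk simply deletes the unconditional `br zero, 0x120004104` and lets execution fall through into the code that the branch used to skip; nothing in the hunk shows what lies at the target or on the fall-through path, so before applying it confirm with dis that the word at 0x120003e28 in your mountd really is c3e000b6, and remember that 0x120003e28 is the virtual text address dis prints, not a file offset, so the byte position in the binary has to be derived from the program headers.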

For 3.2, the instruction to change is:

1395c1395
<   0x120004928:        c3e00092        br      zero, 0x120004b74
---
>   0x120004928:        47ff041f        bis     zero, zero, zero
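Review bot: same one-word change as the 1.3 hunk (unconditional branch replaced by the Alpha no-op 47ff041f), but at a different address with a different displacement (c3e00092, target 0x120004b74); these values come from the dis output of one particular 3.2 build, so a mountd from any other patch level should be re-disassembled and the branch located afresh rather than patched blindly at 0x120004928.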

(These are diffs on the output of "dis", the disassembler).

Martyn Johnson      maj@cl.cam.ac.uk
University of Cambridge Computer Lab
Cambridge UK
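A model of the ordering bug the post describes, added here as an illustration and not Digital's mountd code: `mount_vulnerable` records the request in a one-entry cache before the local-domain test, so an immediate repeat of a rejected request is accepted, while `mount_fixed` records it only after the test passes; the local domain, host names and export path are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_DOMAIN ".example.org"   /* constructed stand-in for the -d/-s local domain */

/* One-entry cache of the last request, as the post says mountd keeps */
struct last_req { char host[64]; char path[64]; bool valid; };
typedef bool (*mount_fn)(struct last_req *, const char *, const char *);

bool in_local_domain(const char *host) {
    size_t h = strlen(host), d = strlen(LOCAL_DOMAIN);
    return h > d && strcmp(host + h - d, LOCAL_DOMAIN) == 0;
}
bool cached(const struct last_req *c, const char *host, const char *path) {
    return c->valid && strcmp(c->host, host) == 0 && strcmp(c->path, path) == 0;
}
void remember(struct last_req *c, const char *host, const char *path) {
    snprintf(c->host, sizeof c->host, "%s", host);
    snprintf(c->path, sizeof c->path, "%s", path);
    c->valid = true;
}

/* Buggy ordering: the request is cached before the domain test runs, so a
 * repeat of a rejected request short-circuits past the test. */
bool mount_vulnerable(struct last_req *c, const char *host, const char *path) {
    if (cached(c, host, path)) return true;
    remember(c, host, path);             /* cached even if the check below fails */
    return in_local_domain(host);
}

/* Corrected ordering: only a request that passed the test is cached */
bool mount_fixed(struct last_req *c, const char *host, const char *path) {
    if (cached(c, host, path)) return true;
    if (!in_local_domain(host)) return false;
    remember(c, host, path);
    return true;
}

/* Replays the sequence from the post: an outside host asks twice in a row,
 * optionally with a request from some other host in between. Returns true
 * if the first attempt was refused but the repeat got in. */
bool repeat_accepted(mount_fn mnt, bool other_host_between) {
    struct last_req c; memset(&c, 0, sizeof c);
    const char *out = "outside.example.net", *path = "/export/home";
    bool first = mnt(&c, out, path);
    if (other_host_between) mnt(&c, "ws1.example.org", path);
    bool second = mnt(&c, out, path);
    return !first && second;
}
```

Running `repeat_accepted` against both implementations reproduces the post's observation: the buggy ordering admits the repeat only when no other host's request lands in between, and the corrected ordering never does.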