Re: calc.c, from jwa's sendmail exploit script
Gene Spafford (spaf cs.purdue.edu)
Sun, 27 Mar 94 19:32:07 -0500
- In reply to: der Mouse: "calc.c, from jwa's sendmail exploit script"
> ObBugQ: Anyone know just what the SPARC integer divide bug is? I've
> got copies of the relevant kernel .o files both before and after the
> patch, but haven't gotten around to disassembling and uncompiling
> enough to figure out what's wrong yet.

It's a bug that shows up in OS after OS...something similar was found during the development of Multics and fixed then, according to the accounts I read. It reappeared in SunOS, I suspect, because of engineers who aren't taught history, security, or good testing methods, and who think that Unix is synonymous with "operating systems." It's an example of why the "bug of the week" approach to getting better security won't ever solve our problems.

Oh, the nature of the bug? The long divide is not in hardware on some SPARC chips; the OS does an emulation trap. The code there verifies the level of user privilege for storing the quotient in the given address, but fails to verify the privileges for the remainder address. As the emulation trap is processed in a privileged state, it gets to store arbitrary remainders into arbitrary addresses selected by the user.

You cannot fix it without source code or the vendor patch. You can't monitor the logs for someone trying to exploit it, either (if they're halfway careful about it).

--spaf
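A small user-space model of the missing check described in the message above, added here as an illustration; it is not code from the post or from SunOS. The flat memory array, `user_may_write`, and both handler names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model: one flat "address space". Offsets below USER_LIMIT
 * are user-writable; the rest stands in for privileged memory. */
#define MEM_WORDS  16
#define USER_LIMIT 8
static uint32_t mem[MEM_WORDS];

/* Hypothetical stand-in for the kernel's "may user mode store here?" check. */
static int user_may_write(size_t addr) { return addr < USER_LIMIT; }

/* Flawed handler: validates the quotient address only, as the post describes. */
int emul_div_flawed(uint32_t n, uint32_t d, size_t q_addr, size_t r_addr)
{
    if (d == 0 || !user_may_write(q_addr))
        return -1;
    mem[q_addr] = n / d;
    mem[r_addr] = n % d;   /* privileged store; r_addr was never checked */
    return 0;
}

/* Corrected handler: validate every user-supplied destination before
 * performing any store, so a rejected request changes nothing. */
int emul_div_checked(uint32_t n, uint32_t d, size_t q_addr, size_t r_addr)
{
    if (d == 0 || !user_may_write(q_addr) || !user_may_write(r_addr))
        return -1;
    mem[q_addr] = n / d;
    mem[r_addr] = n % d;
    return 0;
}

/* Runs one request whose remainder address lies in the privileged range and
 * returns the privileged word afterwards; 0 means it was left untouched. */
uint32_t privileged_word_after(int (*handler)(uint32_t, uint32_t, size_t, size_t))
{
    for (size_t i = 0; i < MEM_WORDS; i++)
        mem[i] = 0;
    handler(47, 10, 1, 12);   /* q_addr = 1 (user), r_addr = 12 (privileged) */
    return mem[12];
}

/* Exit status 0 when the checked handler leaves privileged memory alone. */
int main(void) { return privileged_word_after(emul_div_checked) != 0; }
```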