Security hole in Digital Ultrix and OSF/1 (aka Digital Unix)
Martyn Johnson (Martyn.Johnson@cl.cam.ac.uk)
Tue, 18 Jul 1995 18:56:17 +0100

The following security hole was reported to Digital and CERT in March 1994. It is still present in the latest version of Digital Unix being distributed (3.2). As far as I know it is present in all Unix variants produced by Digital for VAX, Mips and Alpha platforms.

Digital have added a pair of flags to the "mountd" program (-d and -s) which are intended to block mounts from outside the local domain. If you use this feature, then the first attempt to mount from outside is correctly rejected. But if you send the same request again straight away, it will usually be accepted. Specifically, you must repeat the request before mountd receives a request from some other host.

The problem is that the daemon is intending to cache the success of the last request. Unfortunately the code Digital have added is in the wrong place, and the request is cached even if it fails the new test.

The bug does not affect systems which use explicit export lists rather than relying on -d or -s.

The problem can be fixed with a one instruction patch. We have worked out patches for OSF/1 versions 1.3 and 3.2.

For 1.3, the instruction to change is:

1147c1147
< 0x120003e28: c3e000b6 br zero, 0x120004104
---
> 0x120003e28: 47ff041f bis zero, zero, zero

For 3.2, the instruction to change is:

1395c1395
< 0x120004928: c3e00092 br zero, 0x120004b74
---
> 0x120004928: 47ff041f bis zero, zero, zero

(These are diffs on the output of "dis", the disassembler).

Martyn Johnson maj@cl.cam.ac.uk
University of Cambridge Computer Lab
Cambridge UK
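
Review bot: neither hunk carries context lines, so the only check that the right binary is being patched is the original word at the stated address (c3e000b6 at 0x120003e28 for 1.3, c3e00092 at 0x120004928 for 3.2); confirm that word with "dis" before overwriting it, and keep a copy of the unpatched mountd. The replacement word 47ff041f (bis zero, zero, zero) is a no-op, so the unconditional br is removed and execution continues at the next instruction; the message does not say what that fall-through path does, and one sentence on it would let the patch be reviewed without disassembling the daemon.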
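
A simplified model of the ordering error described in the message, as an added example: it is not Digital's mountd source and not part of the original post. The struct, the function names, the one-entry cache layout and the host names are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: "local" means the name ends in this suffix. */
#define LOCAL_DOMAIN ".example.org"

struct mountd_model {
    char last_host[64];       /* requester remembered by the one-entry cache */
    bool cache_before_check;  /* true = flawed ordering, false = corrected */
};

static bool in_local_domain(const char *host)
{
    size_t h = strlen(host), d = strlen(LOCAL_DOMAIN);
    return h > d && strcmp(host + h - d, LOCAL_DOMAIN) == 0;
}

/* Returns true when the mount request from `host` is accepted. */
bool mount_request(struct mountd_model *m, const char *host)
{
    /* Fast path: same requester as the cached one, so no test is rerun. */
    if (m->last_host[0] != '\0' && strcmp(m->last_host, host) == 0)
        return true;

    if (m->cache_before_check) {
        /* Flawed: the requester is remembered before the domain test. */
        snprintf(m->last_host, sizeof m->last_host, "%s", host);
        return in_local_domain(host);
    }

    /* Corrected: a requester is remembered only after passing the test. */
    if (!in_local_domain(host))
        return false;
    snprintf(m->last_host, sizeof m->last_host, "%s", host);
    return true;
}

int main(void)
{
    struct mountd_model flawed = { "", true }, fixed = { "", false };
    const char *outside = "outside.example.net";  /* constructed name */

    for (int i = 1; i <= 2; i++)
        printf("try %d: flawed=%d fixed=%d\n", i,
               mount_request(&flawed, outside), mount_request(&fixed, outside));
    return 0;
}
```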