Bugtraq mailing list archives

Re: profil(2) bug, a simple test program


From: ross () GHS COM (Ross Harvey)
Date: Tue, 10 Aug 1999 12:28:20 -0700


Re: NetBSD Security Advisory 1999-011
Re: profil(2) bug, a simple test program

[ profil(2) not turned off on exec, allows a wrapper to increment any
  word in any program's data or stack space, modulo timing uncertainty ]

Summary: Solaris _is_ vulnerable after all.

So, contrary to the earlier report and directly contradicting the Solaris
execve(2) man page, it appears that most or all versions of Solaris _are_
vulnerable after all.  Chris Thompson of the Cambridge University Computing
Service first noticed this and has notified Sun.

I would have preinformed Sun had I not been under the impression that they
had fixed it, although it shouldn't matter much given the high degree of
difficulty in constructing an exploit.

I wasn't as worried about the other BSD's, because the simple NetBSD patch
that was included should work OK at any BSD site. OpenBSD has applied the
NetBSD patch to their current sources, but note that all releases of all
BSD kernels prior to NetBSD 1.4.1 (which is in process and expected later
this week) appear to have this bug.

Also, the script for the test program should cp(1) instead of mv(1)...

                % cc profiltest.c
        [ optional part
                % su
                # cp a.out prog.setuid
                # chown (something) prog.setuid
                # (possibly make it setuid)
                # exit
         ]
                % ./a.out

Test results from other Unix systems might be interesting.

        ross.harvey () computer org
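The bracketed summary at the top of the post describes the defect in one line: a live profil(2) keeps incrementing counters at a user-supplied address, and the affected kernels did not cancel it at execve(2), so the new image inherited writes into its own memory. The program below is an added illustration of that memory-write semantics and of what "turning it off" means; it is not the poster's profiltest.c and it does not reproduce the kernel bug. It uses glibc's profil(3), which on Linux is a user-space emulation built on setitimer(2)/SIGPROF rather than a kernel facility, and the names burn_cpu, profil_demo, counters and NCOUNTERS are mine. It profiles its own burn_cpu() function with a 1:1 scale, shows that samples accumulate in the counter buffer while profiling is on, then disables profiling with profil(NULL, 0, 0, 0) (the state the patched kernels now reach at exec) and shows that no further samples are written.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Counter buffer handed to profil(). With scale 0x10000 (1:1), each
 * unsigned short covers 2 bytes of text starting at the address of
 * burn_cpu(), so NCOUNTERS shorts cover its first 8 KiB of code. */
#define NCOUNTERS 4096
static unsigned short counters[NCOUNTERS];

/* Spend roughly `ms` milliseconds of CPU time inside this function, so the
 * profiling samples land on its own instructions. noinline keeps the loop
 * at the address we registered with profil(). */
static __attribute__((noinline)) void burn_cpu(unsigned ms)
{
    clock_t stop = clock() + (clock_t)ms * CLOCKS_PER_SEC / 1000;
    volatile unsigned long sink = 0;
    while (clock() < stop) {
        for (unsigned long i = 0; i < 100000; i++)
            sink += i;
    }
}

/* Sum of all counters: the number of samples that fell inside burn_cpu(). */
static size_t sample_total(void)
{
    size_t total = 0;
    for (size_t i = 0; i < NCOUNTERS; i++)
        total += counters[i];
    return total;
}

/* Run the demonstration. Returns 0 on success and stores the number of
 * samples recorded while profiling was on (*while_on) and the running total
 * after it was turned off (*after_off); equal values mean the buffer was
 * left alone once profiling stopped. */
int profil_demo(size_t *while_on, size_t *after_off)
{
    memset(counters, 0, sizeof counters);

    /* Enable profiling: every profiling tick increments counters[] at the
     * index derived from the interrupted program counter. */
    if (profil(counters, sizeof counters, (size_t)(uintptr_t)burn_cpu, 0x10000) != 0)
        return -1;
    burn_cpu(200);
    *while_on = sample_total();

    /* Disable it. A kernel that fails to do the equivalent at execve()
     * keeps writing into this address range in whatever image comes next. */
    if (profil(NULL, 0, 0, 0) != 0)
        return -1;
    burn_cpu(200);
    *after_off = sample_total();
    return 0;
}

int main(void)
{
    size_t on, off;
    if (profil_demo(&on, &off) != 0) {
        perror("profil");
        return 1;
    }
    printf("samples while profiling on:   %zu\n", on);
    printf("new samples after profil off: %zu\n", off - on);
    return 0;
}
```

On a glibc system the first figure is a few dozen samples (one per profiling tick of CPU time) and the second is zero. The defender-side point is the second half: once profil() is cancelled, the buffer address is forgotten and nothing else is written, which is exactly the bookkeeping the NetBSD patch adds to the exec path.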

