From 8lgm@8lgm.org Wed Jul 3 22:01:09 1996
Date: Wed, 3 Jul 1996 21:25:42 +0100 (BST)
From: "[8LGM] Security Team" <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org
Subject: [8lgm]-Advisory-25.UNIX.sun4c.locore.01-09-1995

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================

[8lgm]-Advisory-25.UNIX.sun4c.locore.01-09-1995

KERNEL OBJECT:

    locore.o

VULNERABLE VERSIONS:

    SunOS 4.1.*, sun4c architecture

DESCRIPTION:

    Executing a ta 0xff (trap_mon) instruction leaves the CPU in an
    inconsistent state.

IMPACT:

    Local users can cause a watchdog reset, or a bad instruction kernel
    panic.

DISCUSSION:

    This is believed only to affect the sun4c architecture.

    All traps in the trap vector table, apart from the trap_mon trap, set
    register %l6 to 7 before branching to sys_trap. 7 is believed to be the
    number of register windows for the sun4c architecture (allowing for
    window overlap), and is required by sys_trap.

    trap_mon performs a check on the processor state register to ensure it
    is running in supervisor mode. If this is not the case, a branch to
    sys_trap is executed to handle the error.

    Therefore, if we perform a ta 0xff from user mode, we will branch to
    sys_trap with an unknown value in %l6. This can subsequently cause an
    illegal instruction panic, or a window underflow watchdog reset.

FIX:

    Looking at locore.o, this is the current trap vector entry for ta 0xff:

        0xff0:  a1480000 = rd %psr, %l0
        0xff4:  108004cb = ba trap_mon
        0xff8:  a81020ff = mov 0xff, %l4
        0xffc:  1000000  = nop

    Utilising the free nop instruction, we can patch locore.o to set
    register %l6 to 7:

        0xff0:  a1480000 = rd %psr, %l0
        0xff4:  a81020ff = mov 0xff, %l4
        0xff8:  108004ca = ba trap_mon
        0xffc:  ac102007 = mov 0x7, %l6

    A new kernel must then be built.
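    The following Python script is an added example (not part of the
    advisory, nor an [8lgm] tool) that reproduces the four patched words
    from the vulnerable entry: it verifies the entry matches the layout
    listed above, resolves the target of the original ba, and re-encodes
    the branch one word later so its displacement shrinks from 0x4cb to
    0x4ca. The 16-byte VULNERABLE_ENTRY is constructed from the listing,
    not read from a real locore.o; register numbers and the file offset
    0xff0 are assumed from the advisory's own listing.

```python
import struct

# Trap-vector entry for "ta 0xff" as listed in the advisory: four
# big-endian SPARC words at file offset 0xff0. Constructed sample input
# for this example, not bytes taken from a real locore.o.
ENTRY_OFFSET = 0xFF0
VULNERABLE_ENTRY = bytes.fromhex("a1480000" "108004cb" "a81020ff" "01000000")

L4, L6 = 20, 22             # %l0..%l7 are SPARC registers 16..23
NOP = 0x01000000            # nop == sethi 0, %g0

def encode_mov_imm(imm: int, rd: int) -> int:
    """mov imm, %rd is or %g0, simm13, %rd (format 3, i=1)."""
    return 0x80000000 | (rd << 25) | (0x02 << 19) | (1 << 13) | (imm & 0x1FFF)

def encode_ba(disp_words: int) -> int:
    """ba target: op=00, a=0, cond=always, op2=010, 22-bit word displacement."""
    return 0x10800000 | (disp_words & 0x3FFFFF)

def ba_target(pc: int, insn: int) -> int:
    """Resolve the absolute target of a 'ba' located at address pc."""
    if insn & 0xFFC00000 != 0x10800000:
        raise ValueError("not an unconditional branch")
    disp = insn & 0x3FFFFF
    if disp & 0x200000:                 # sign-extend the 22-bit field
        disp -= 0x400000
    return pc + 4 * disp

def patch_trap_mon_entry(entry: bytes, base: int = ENTRY_OFFSET) -> bytes:
    """Return the patched entry: mov %l4 first, then ba, then mov 7, %l6."""
    rd_psr, ba, mov_l4, nop = struct.unpack(">4I", entry)
    if rd_psr != 0xA1480000 or mov_l4 != encode_mov_imm(0xFF, L4) or nop != NOP:
        raise ValueError("entry does not match the advisory's vulnerable layout")
    target = ba_target(base + 4, ba)
    # The branch moves one word later, so its displacement shrinks by one.
    new_ba = encode_ba((target - (base + 8)) // 4)
    assert ba_target(base + 8, new_ba) == target
    patched = [rd_psr, mov_l4, new_ba, encode_mov_imm(7, L6)]
    return struct.pack(">4I", *patched)
```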
    This patch has run successfully for several months on a SunOS 4.1.3_U1
    machine. However, this patch comes with no guarantees, and must be used
    at your own risk.

    Alternatively, contact your vendor for a fix.

STATUS UPDATE:

    The file:

        [8lgm]-Advisory-25.UNIX.sun4c.locore.01-09-1995.README

    will be created on www.8lgm.org. This will contain updates on any
    further versions which are found to be vulnerable, and any other
    information received pertaining to this advisory.

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

    majordomo@8lgm.org  (Mailing list requests - try 'help' for details)
    8lgm@8lgm.org       (Everything else)

8LGM FILESERVER:

    All [8LGM] advisories may be obtained via the [8LGM] fileserver.
    For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

    [8LGM]'s web server can be reached at http://www.8lgm.org.
    This contains details of all 8LGM advisories and other useful
    information.

===========================================================================

ANNOUNCEMENT

    [8lgm] are pleased to announce a new format for future advisories.
    From advisory 26 onwards, exploits will no longer be made available.
    These will be replaced by libC/Inside reports, which will provide a
    more detailed insight into a vulnerability.

    libC/Inside, a package developed by Electris Software Limited, has been
    used by [8lgm] to discover vulnerabilities for some time. The syslog
    and sendmail advisories were based on analysing libC/Inside reports.

    [8lgm] would like to thank Electris Software Limited for permission to
    use libC/Inside reports in advisories.

    For a limited period, LibC/Inside is available at a special discount
    to 8lgm subscribers. Please contact Electris for details.

    For further information about libC/Inside, see:

        http://www.electris.com

    or mail electris@electris.com for details.
===========================================================================

--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org  (Fileserver help)
majordomo@8lgm.org                           (Request to be added to list)
8lgm@8lgm.org                                (General enquiries)

******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********

[8LGM] uses libC/Inside - the world's leading security analysis tool,
now available to the public. Visit http://www.electris.com