Bugtraq mailing list archives

Lets make sure these are fixed (was: Tim Newsham)


From: rwing!pat () ole cdac com (Pat Myrto)
Date: Mon, 3 Oct 94 1:54:40 PDT


"In the previous message, Neil Woods said..."

> We're getting some interesting stuff on bugtraq these days......8-o.  binmail
> src would have been very handy all those months ago.
>
> I hope Tim has a src licence for SunOS - if he does, is he breaking the
> agreement by allowing parts of it to be released from his account?

Not if it was via someone breaking in on the system that was properly
set up via a hole in the system code.  He certainly is not responsible
for a vendor's errors, is he?
 
> It looks very much like Tim Newsham has had his account compromised (probably the
> whole site is a mess), and used as a funnel to post all these cracking scripts.

His explanation was plausible, and nobody with one working neuron would
post that stuff from his own account.  Remember, if a .forward file was
placed in his home subdir (and it would go unnoticed), one could simply
mail this stuff to him, and it would be passed right on.

> And when are Sun going to provide a statement about the current distribution
> of their code?

Unless they have a way to trace back and catch this clown (not the victim
whose account was compromised - wonder who else's account has been
compromised on the same site?) huffing and puffing serves no purpose.
Better to stay non-committal for the moment, and get evidence, and CATCH
these people that are breaking into systems and introduce them to the
criminal justice system rather than drive them further underground.  If
source access were not limited to a privileged few (and the crackers,
of course), these problems could be addressed MUCH better - think of
the wealth of talent to deal with this out there, being ignored because
of denial of resources!!!

I think a better thing than flaming about source code, etc would be to
ask:  Are there fixes or workarounds out for all these, and if not
perhaps it might be a good idea for those who DO have source to create
some? I wonder about things like that thing to modify the ucred struct
being fixed at all.  I know I sure hope this won't be another "wait a
few months" or "wait till next release" sort of thing.  Surely someone
out there WITH source and an understanding of the system can come up
with something.

Question I have is - how does doing all those saves and restores in
SPARC assembler result in the user being able to modify the ucred struct
in a running program without privs to modify memory directly?  I suppose
a workaround would be to (cringe) disable ps temporarily, or for those
who can, modify it to not show that address info and deny the info
needed to find the ucred struct in a running program, at least until a
real fix is devised.  Perhaps another idea would be to devise some test
to result in the process being killed when a user overflows the register
windows (hell, I'm really groping here, so bear with me).

One thing is obvious:  The crackers have access to source and time to
really study it, most admins DON'T.  They also know their way around in
SPARC assembler (I am still looking for a good book on the subject).
These odds need to be evened up a bit.  And if vendors knew about this
kind of vulnerability and did or said nothing, that borders on criminal.
'Bout time source licenses (for reconfig rights only, not derived works,
a hefty fee and royalties are appropriate for that) became more affordable
so honest folk would have access and a better chance of dealing with
these people.  That would at least allow enough differences to be
introduced that crackers would not be assured of identical conditions
from site to site.  A unix-type OS is just too complex to lock the
users out totally - not until vendors can GUARANTEE that they have
not left some inadvertent holes.

And you can bet the cracker's best or most invasive scripts were NOT
posted.  Nobody shows their ace-in-the-hole.  There are sure some bugs
to be trackin' there, it seems to me...  And yes, I wish I had some
fixes to offer.  I am sure we will get CERT advisories about un-resolved
holes 'round about January or February 1995...

PS:  So much for crackers not knowing about holes the elite few are
aware of...
-- 
pat@rwing  [If all fails, try:  rwing!pat () eskimo com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.


