COMMAND

    nfsd(8)

SYSTEMS AFFECTED

    SunOS 4.0

PROBLEM

    Under SunOS 4.0 it is possible to change the major and minor numbers
    of an opened device.  Over NFS, any device which you can open and
    write to can be truncated into another one.  That is, it is possible
    to open, for example, the device /dev/null, call ftruncate(2) on it,
    and thereby change its major and minor numbers so that it becomes
    another device (such as /dev/mem).  This creates a major security
    problem because it allows any non-privileged user to read any data
    stored on any device, or even to gain write access to kernel memory.
    The root of the problem is that the vnode ops do not distinguish
    between open regular files and device nodes, so the system call may
    be applied to any arbitrary device.  The new major and minor numbers
    for the device are taken from whatever happens to be on the stack:
    the device characteristics of the vnode are modified instead of the
    file's block pointers being zeroed.  Here is an example of turning
    /dev/null into a second console device [trunc is a simple C program
    that opens its first argument and calls ftruncate on it]:

        % ls -lg /dev/null /dev/console
        crwxrwxrwx  1 root  staff   3,   2 Sep 17 02:07 /dev/null
        crw--w----  1 root  wheel   0,   0 Sep 16 20:07 /dev/console

        % trunc /dev/null 0

        % ls -lg /dev/null /dev/console
        crwxrwxrwx  1 root  staff   0,   0 Sep 17 02:07 /dev/null
        crw--w----  1 root  wheel   0,   0 Sep 16 20:07 /dev/console
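    The ls -lg output above is the whole signature of this bug on a
    running system: a device node whose major/minor pair no longer
    matches what the installation created.  The following script is an
    added illustration of how an administrator can detect that, not part
    of this advisory or of Sun's fix: it records the type and major/minor
    numbers of every node under /dev into a baseline file and later
    reports any node whose numbers or type have changed or which has
    disappeared.  The file format and the "save"/"check" command names
    are my own choice; the sample records in the comments use the 3,2
    and 0,0 pairs from the example above.

```python
#!/usr/bin/env python
# devcheck.py -- record the major/minor numbers of device nodes and report
# any node whose type or device numbers later differ from the baseline.
# Added illustration for this advisory, not part of Sun's fix or of the
# original text; the JSON format and command names are assumptions.
import json
import os
import stat
import sys


def device_record(path):
    """Describe one path: its node type and, for devices, major/minor."""
    try:
        st = os.lstat(path)          # lstat: never follow symlinks
    except FileNotFoundError:
        return {"type": "missing"}
    if stat.S_ISCHR(st.st_mode):
        kind = "char"
    elif stat.S_ISBLK(st.st_mode):
        kind = "block"
    else:
        # Regular file, symlink, directory, ...: record the type only, so a
        # device node replaced by something else still shows up as a change.
        return {"type": "other"}
    return {"type": kind,
            "major": os.major(st.st_rdev),
            "minor": os.minor(st.st_rdev)}


def device_snapshot(paths):
    """Map every path to its device_record()."""
    return {p: device_record(p) for p in paths}


def list_device_tree(root="/dev"):
    """All non-directory paths under root, without following symlinks."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            found.append(os.path.join(dirpath, name))
    return sorted(found)


def compare(baseline, current):
    """Return [(path, expected, observed)] for every baseline entry whose
    current record differs: changed numbers, changed type, or gone.
    E.g. a baseline of {"type": "char", "major": 3, "minor": 2} for
    /dev/null against an observed {"type": "char", "major": 0, "minor": 0}
    is reported, which is exactly the change shown in the advisory."""
    changes = []
    for path, expected in sorted(baseline.items()):
        observed = current.get(path, {"type": "missing"})
        if observed != expected:
            changes.append((path, expected, observed))
    return changes


def format_record(rec):
    """Render a record the way ls -l shows it: 'char 3,2'."""
    if rec["type"] in ("char", "block"):
        return "%s %d,%d" % (rec["type"], rec["major"], rec["minor"])
    return rec["type"]


def main(argv):
    if len(argv) != 3 or argv[1] not in ("save", "check"):
        sys.stderr.write("usage: devcheck.py save|check BASELINE.json\n")
        return 2
    mode, baseline_file = argv[1], argv[2]
    if mode == "save":
        snap = device_snapshot(list_device_tree())
        with open(baseline_file, "w") as f:
            json.dump(snap, f, indent=1, sort_keys=True)
        print("saved %d entries to %s" % (len(snap), baseline_file))
        return 0
    with open(baseline_file) as f:
        baseline = json.load(f)
    changes = compare(baseline, device_snapshot(baseline.keys()))
    for path, expected, observed in changes:
        print("%s: expected %s, found %s"
              % (path, format_record(expected), format_record(observed)))
    return 1 if changes else 0   # non-zero exit lets cron/mail notice it


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run "devcheck.py save /var/adm/dev.baseline" once on a known-good
    system and "devcheck.py check /var/adm/dev.baseline" from cron; the
    baseline must itself be kept where an unprivileged user cannot
    rewrite it, since a forged baseline hides exactly the change this
    is meant to catch.  A changed pair on a node you did not rebuild
    with mknod is the symptom described above and is worth treating as
    an incident rather than a curiosity.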

SOLUTION

    Apply Sun's patches.  This has been fixed in SunOS 4.0.3 and
    SunOS 386i-4.0.2.