Multics on HIS 645 Execute Instruction SDW Access Check Bypass

1974-06-01T22:31:21
ID OSVDB:22135
Type osvdb
Reporter OSVDB
Modified 1974-06-01T22:31:21

Description

Vulnerability Description

Multics contains a flaw that may allow a local attacker to gain elevated privileges. The issue occurred when a specific sequence of code was used to bypass the access checking on the 645 machine. This occurred when the execute instruction was in certain restricted locations of a segment with at least read-execute (re) permission. The execute instruction then referenced an object instruction in word zero of a second segment with at least R permission. The object instruction indirected through an ITS pointer in the first segment to access a word for reading or writing in a third segment. The third segment was required to be "active"; that is, to have an SDW pointing to a valid page table for the segment. If all these conditions were met precisely, the access control fields in the SDW of the third segment would be ignored and the object instruction permitted to complete without access checks.
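The three-segment reference chain described above, as a constructed, simplified model added here (not Multics or 645 hardware code): every reference in the chain is checked against its own segment's SDW, and a flag reproduces the described omission of the third segment's check so the two behaviours can be compared. Segment names, word offsets and the SDW field layout are assumptions for illustration.

```python
"""Simplified model of the 645 execute-instruction access chain (constructed)."""
from dataclasses import dataclass, field

@dataclass
class SDW:
    """Segment descriptor word: access control bits plus page-table validity."""
    read: bool = False
    execute: bool = False
    write: bool = False
    active: bool = False   # True when the SDW points at a valid page table

@dataclass
class Segment:
    name: str
    sdw: SDW
    words: dict = field(default_factory=dict)   # word offset -> contents

class AccessViolation(Exception):
    pass

def check(seg, mode, trace):
    """Apply the SDW access check for one reference to seg ('r', 'w' or 'e')."""
    trace.append((seg.name, mode))
    allowed = {"r": seg.sdw.read, "w": seg.sdw.write, "e": seg.sdw.execute}[mode]
    if not (seg.sdw.active and allowed):
        raise AccessViolation(f"{mode} access to {seg.name} denied")

def execute_chain(segs, xec_seg, obj_seg, its_word, mode, skip_final_check=False):
    """Walk the advisory's references, checking each against its own SDW.
    The execute instruction lives in xec_seg; its object instruction is word 0
    of obj_seg; that object instruction indirects through an ITS pointer stored
    at its_word of xec_seg, naming the (segment, offset) finally read or written.
    skip_final_check=True reproduces the flaw (third segment's SDW ignored)."""
    trace = []
    check(segs[xec_seg], "e", trace)              # fetch the execute instruction
    check(segs[obj_seg], "r", trace)              # fetch object instruction (word 0)
    check(segs[xec_seg], "r", trace)              # fetch the ITS pointer
    target_name, offset = segs[xec_seg].words[its_word]
    target = segs[target_name]
    if not skip_final_check:
        check(target, mode, trace)                # the check the 645 omitted
    if mode == "w":
        target.words[offset] = "STORED"
    return target.words.get(offset), trace

def demo_segments():
    """Constructed layout: seg1 re, seg2 r, seg3 active but with no access bits."""
    seg1 = Segment("seg1", SDW(read=True, execute=True, active=True),
                   {10: ("seg3", 5)})              # ITS pointer at word 10
    seg2 = Segment("seg2", SDW(read=True, active=True), {0: "OBJ_INSTR"})
    seg3 = Segment("seg3", SDW(active=True), {5: "SECRET"})
    return {s.name: s for s in (seg1, seg2, seg3)}
```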

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Related OSVDB ID: 22128
Related OSVDB ID: 22136
Related OSVDB ID: 22129
Related OSVDB ID: 22132
Related OSVDB ID: 22130
Related OSVDB ID: 22133
Related OSVDB ID: 22131
Related OSVDB ID: 22134
Other Advisory URL: http://csrc.nist.gov/publications/history/karg74.pdf
Other Advisory URL: http://cnscenter.future.co.kr/resource/rsc-center/vendor-wp/ibm/RC22534.pdf
Keyword: karg74