Multics on 6180 contains a flaw that may allow a local user to gain elevated privileges. The issue was caused by the call limiter not being set on gate segments, allowing the user to transfer to any instruction within the gate rather than to just an entry transfer vector. This would allow control of data passed to the mxerror routines, allowing ring0 access.
Multics on 6180 contains a flaw that may allow a local user to crash the machine. The issue occurred during the login process, when the 'tally word' did not have write permission, causing an access violation, subsequently crashing the entire machine. This could be performed without authenticating on the machine.
Multics contains a flaw that may allow a local user to gain elevated privileges. The issue occurred when a user used the hphcs_ privileged gate to transfer the appropriate absolute segment number rather than using dynamic linking to gain access to any hphcs_ capability.
Multics on 6180 machines contains several flaws. During an audit of the Multics system, many vulnerabilities were identified and disclosed. At the end of the audit, it was noted that there were "additional vulnerabilities identified but at the time have not been developed into demonstrations." No further details have been provided.
Multics contains a flaw that may allow a local user to crash the machine. The issue occurs when a user causes the master mode procedure to enter a location improperly. When the index register zero is out of bounds, the processor registers are saved for debugging and control is transferred to "mxerror". By moving the signaller|0 with a bad value in index register zero, a user could crash the system.
Multics contains a flaw that may allow a local user to elevate privileges. The issue is due to a flaw in the unlocked stack base system. It is possible for an attacker to manipulate the signaller to enter at location 0 with an invalid index register before setting the stack pointer to an area of extraneous storage in a link segment (such as emergency_shutdown.link). This could allow an attacker to place custom code in the link that would be executed with ring0 privileges.
Multics contains a flaw that may allow a local attacker to gain elevated privileges. The issue occurred when a specific sequence of code was used to bypass the access checking on the 645 machine. This occurred when the execute instruction was in certain restricted locations of a segment with at least read-execute (re) permission. The execute instruction then referenced an object instruction in word zero of a second segment with at least R permission. The object instruction indirected through an ITS pointer in the first segment to access a word for reading or writing in a third segment. The third segment was required to be "active"; that is, to have an SDW pointing to a valid page table for the segment. If all these conditions were met precisely, the access control fields in the SDW of the third segment would be ignored and the object instruction permitted to complete without access checks.
Multics on 645 contains a flaw that may allow a local user to gain elevated privileges. The issue occurs when a crafted IDC modifier is used to gain access to ring0 functions. This could be achieved when a user supplied an argument pointer that is constructed to contain an IDC modifier (increment address, decrement tally, and continue) that causes the first reference through the indirect chain to address a valid argument. This first reference is the one made by the argument validator. The reference through the IDC modifier increments the address field of the tally word causing it to point to a different indirect word which in turn points to a different ITS pointer which points to an argument which is writable in ring 0 only. The second reference through this modified indirect chain is made by the ring 0 program which proceeds to write data where it shouldn't.
PLATO systems with the TUTOR language and 'ext' command could be used to send an 'ext' request to another terminal. If the remote terminal did not have a device attached, it would cause the terminal to lock up, requiring a power reset to fix.