Dutch crackers (tty security example - history and workaround)
Wietse Venema
wietse at wzv.win.tue.nl
Mon May 13 05:26:14 AEST 1991
fidelio at geech.gnu.ai.mit.edu (Rob J. Nauta) writes:
> Here's a small program I wrote a while back. It speaks for itself [...].
> This program is an official release of the TimeWasters from HOLLAND !
and presents the censored version of a program that steals the password
when someone signs on to a Sun system via the telnet or rlogin network
service. It is this program that led to the recent burst of telnet and
rlogin security fixes from Sun.
However, anyone with a little imagination can adapt it to other
operating systems with networking code derived from Berkeley UNIX.
As the person who originally reported the problem, I provide the source
to a tiny program to work around the problem (tested with SunOS 4.x and
Ultrix 4.0). It is at the end of this article.
Skip the remainder of this article if you are not interested in a case
study of Dutch crackers with free rein on the Internet.
Thought you would be...
The TimeWasters is a group of students (and one former student, Rob J.
Nauta) of Eindhoven University, located in the Netherlands. Their
computer accounts at the Free Software Foundation have been used to
attack and to breach the security of several University computer
systems throughout the US, Canada and Europe. The intruders exploited
the fact that Dutch law against computer crime is still in preparation.
Dutch Law or not, such activities are criminal. The activities of the
intruders have been monitored for quite some time. And because it will
take some time before Dutch law will cover computer crime, I am
provoking an open discussion of the problem. Sooner or later the
intruders would have found out about the monitoring, anyway. My
statements are based on several tens of megabytes of data which I have
passed on to the proper US and Dutch authorities.
As an illustration, this is the case history of the password stealing
program:
March 13: fidelio writes the initial version of the password stealing
program.
March 14,15: The password stealing program is "tested" on several US
university systems. Dozens of passwords are captured.
March 15: The CERT security organization is alerted by me. CERT, in turn,
notifies Sun Microsystems and other vendors.
March 18,19: Several versions of the password stealing program are
uploaded to our systems and several passwords are captured.
Each day I have to make minor adjustments to our networking
software.
March 19: In an attempt to delay further development of the program, I mail
a "what's this?" message to the TimeWasters group, together with a
version of the program that contains several references to the name
of the group.
A few hours later, fidelio submits a bug report with the password
stealing program as "proof" of the bug.
March 21: A fixed telnet daemon is available from Sun. Later fixes follow
for other releases of the SunOS operating system.
All the time, victims of these and other activities were notified
either directly by me or through the CERT security organization.
Note that I have given fidelio ample time to revoke his statement that
he is the author of the password stealing program, in case the article
was posted under his name by someone else.
Of course, all this is just my personal view. For an independent view,
contact {fidelio,belgers,wevers,erlend}@gnu.ai.mit.edu.
Wietse Venema
Eindhoven University of Technology
The Netherlands
#! /bin/sh
# This is a shell archive. Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file". To overwrite existing
# files, type "sh file -c". You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g.. If this archive is complete, you
# will see the following message at the end:
# "End of shell archive."
# Contents: uncover.c
# Wrapped by wietse at wzv on Sun May 12 17:24:44 1991
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f uncover.c -a "${1}" != "-c" ; then
echo shar: Will not over-write existing file \"uncover.c\"
else
echo shar: Extracting \"uncover.c\"
sed "s/^X//" >uncover.c <<'END_OF_uncover.c'
X/*
X * Kluge to work around login/password snooper. This program just
X * repeatedly opens/closes the first five free pty masters.
X *
X * Closing a pty master hangs up whatever process still holds the
X * corresponding slave (/dev/ttyXX) open, so a snooper parked on a
X * free slave waiting for the next login is thrown off it.
X */
X
X#include <sys/types.h>
X#include <sys/stat.h>
X#include <fcntl.h>
X#include <sys/ioctl.h>
X#include <string.h>		/* strlen */
X#include <unistd.h>		/* open, close, sleep */
X
X#define MINFREE 5 /* Amount of free ptys to check */
X
Xint
Xmain(void)
X{
X    int     i, p;
X    int     c;
X    char    line[] = "/dev/ptyXX";	/* writable copy; a literal must not be patched in place */
X    int     free;
X
X    (void) close(0);
X    (void) close(1);
X    (void) close(2);
X
X    for (;;) {
X	for (free = 0, c = 'p'; free < MINFREE && c <= 's'; c++) {
X	    struct stat stb;
X
X	    line[strlen("/dev/pty")] = c;	/* pty bank letter: p, q, r, s */
X	    line[strlen("/dev/ptyp")] = '0';
X	    if (stat(line, &stb) < 0)		/* this bank does not exist here */
X		break;
X	    for (i = 0; free < MINFREE && i < 16; i++) {
X		line[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
X		p = open(line, O_RDONLY);	/* succeeds only on a free master */
X		if (p >= 0) {
X		    free++;
X		    close(p);			/* hangs up the slave side */
X		}
X	    }
X	    (void) sleep(5);
X	}
X    }
X}
END_OF_uncover.c
# end of overwriting check
fi
echo shar: End of shell archive.
exit 0