Trojan horse possible with news readers

Cory Kempf cory at gloom.UUCP
Sat Dec 3 03:49:02 AEST 1988


In article <6775 at rosevax.Rosemount.COM>, news at rosevax.Rosemount.COM 
(News administrator) writes:
> I don't know if this has been discussed before, but here goes...
> 
> Many news reading programs (rn, vnews, others?) allow you to include the
> original text when following-up or replying-to articles.  The
> default editor is usually vi; some versions of vi will execute
> commands if it sees a line (near the top or bottom of a file)
> of the form <e><x><:><command><:>

for that matter, the berkeley mailer also allows you to do so...

the above example is fairly simple... the following example is a bit
more complex... and a bit more dangerous...

NOTE:
If you attempt to edit this file using the vi editor, it will (if your
system is vulnerable) echo a blank line, followed by the word "BOOM"
followed by a blank line... the usenet software allows ^H, so you 
won't see anything until it is too late.  NOW can we get the 
<e><x><:> mis-feature eliminated?  please?

(BTW, How many of you SysAdmins out there use vi? and read news? and su root
from a directory that you have write access in? and use vi as root from that
directory?  Wouldn't it be easier to post the password for root on your system?
(if you don't see how this might be a problem, send me e-mail))

If you do edit this file, you will note a line containing many ^H's... 
what if I had after that a command to delete all lines beginning with 
<e><x><:>?

+C
--
Cory Kempf
UUCP:	encore.com!gloom!cory

Now you see it...
ex:!sh -c 'echo;echo        BOOM;echo:
...Now you don't.
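
A defensive check for the trick shown above, as an added example that is not part of the original post: it flags `ex:`/`vi:` trigger lines near either end of a file, reports whether ^H overwriting hides them on a terminal, and disarms the text before it reaches the editor. The function names, the five-line window, and the assumption that the editor needs the literal `ex:` or `vi:` token are mine, not the post's.

```python
import re

BACKSPACE = "\x08"   # the ^H the post says Usenet software passes through
WINDOW = 5           # assumption: lines the editor inspects at each end of a file
# "ex:" or "vi:" at line start or after whitespace, the trigger form the post describes
MODELINE = re.compile(r"(?:^|\s)(?:ex|vi):")

def rendered(line):
    """Return what a terminal shows: ^H moves the cursor left, later text overwrites."""
    buf, cur = [], 0
    for ch in line:
        if ch == BACKSPACE:
            cur = max(cur - 1, 0)
            continue
        if cur < len(buf):
            buf[cur] = ch
        else:
            buf.append(ch)
        cur += 1
    return "".join(buf)

def scan(text, window=WINDOW):
    """List (line_number, finding) for the file about to be opened in the editor."""
    lines = text.split("\n")
    findings = []
    for i, line in enumerate(lines):
        near_edge = i < window or i >= len(lines) - window
        if near_edge and MODELINE.search(line):
            shown = MODELINE.search(rendered(line))
            findings.append((i + 1, "modeline" if shown else "hidden-modeline"))
        elif BACKSPACE in line:
            findings.append((i + 1, "backspace"))
    return findings

def neutralize(text):
    """Strip ^H and split every ex:/vi: trigger so it no longer matches MODELINE."""
    clean = text.replace(BACKSPACE, "")
    return MODELINE.sub(lambda m: m.group(0)[:-1] + " :", clean)

# Constructed sample: the post's demo line (spacing normalized), overwritten on screen.
CMD = "ex:!sh -c 'echo;echo BOOM;echo:"
SAMPLE = ("Now you see it...\n" + CMD + BACKSPACE * len(CMD)
          + " " * len(CMD) + "\n...Now you don't.\n")

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(scan(neutralize(SAMPLE)))
```

Run `scan` on the reply draft itself, since quoting shifts which lines fall inside the editor's window.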



More information about the Comp.unix.wizards mailing list