ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #010 [Re: Yet more on the virus] (1 message, 1026 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/010.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: [not phage]
Date: Thu 21:13:56 03/11/1988 EST
Subject: Re: Yet more on the virus
> Date: Thu, 03 Nov 88 19:37:02 -0500
> From: Tim Becker <becker@cs.rochester.edu>
>
> We found how the program was coming in via fingerd on a vaxen. It was overrunning the "gets(line)" - line buffer in a predictable (for the virus writer) way. The fix is to change the gets(line) to a fgets(line, 512, stdin);line[strlen(line)-1]. Of course it tries this on Sun's too -- it just causes fingerd to core dump there.

I figured that out about two hours ago, and discovered that it was possible to ship over machine code and have it be executed (by overwriting the stack frame such that the return PC stored in the frame pointed into the recently-read ).

Keith Bostic has the program; I'd rather not redistribute it.

I suspect that other daemons may have the same bugs.

- Bill
END OF DOCUMENT
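The bounded read described in the quoted message, as an added example (not code from the original message or from fingerd): the hypothetical helper `read_request_line` replaces `gets(line)` with `fgets` and also covers the cases the one-line fix leaves open, namely EOF, a line with no trailing newline, and an oversized line. The 512-byte size comes from the message; the function names, return codes and sample input are constructed.

```c
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Hypothetical helper: read one request line into buf[size] without ever
 * writing past the buffer, which gets(line) cannot guarantee. */
int read_request_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return LINE_EOF;              /* EOF or read error: buf is unusable */
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';            /* strip LF only when it is present */
        if (len > 0 && buf[len - 1] == '\r')
            buf[--len] = '\0';        /* network clients usually send CRLF */
        return LINE_OK;
    }
    if (len < size - 1)
        return LINE_OK;               /* last line, ended by EOF, no newline */
    /* Buffer filled with no newline: reject the line and drain its tail so
     * the leftover bytes are not parsed as the next request. */
    int c;
    while ((c = getc(in)) != EOF && c != '\n')
        ;
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

/* Constructed test input: put a string in a temp file and rewind it. */
FILE *sample_stream(const char *data)
{
    FILE *f = tmpfile();
    if (f != NULL) { fputs(data, f); rewind(f); }
    return f;
}

int main(void)
{
    char line[512], big[700];
    int rc;
    memset(big, 'A', 600);            /* constructed 600-byte line */
    strcpy(big + 600, "\nroot\r\n");
    FILE *f = sample_stream(big);
    if (f == NULL) return 1;
    while ((rc = read_request_line(f, line, sizeof line)) != LINE_EOF)
        printf("%s: \"%s\"\n", rc == LINE_OK ? "accepted" : "rejected", line);
    fclose(f);
    return 0;
}
```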
| ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |