The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #010 [Re: Yet more on the virus] (1 message, 1026 bytes)


From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: [not phage]
Date: Thu 21:13:56 03/11/1988 EST
Subject: Re: Yet more on the virus
References: [Thread Prev: 005] [Thread Next: 011] [Message Prev: 008] [Message Next: 013]

   Date: Thu, 03 Nov 88 19:37:02 -0500
   From: Tim Becker <>

   We found how the program was coming in via fingerd on a VAX.  It was
   overrunning the "gets(line)" line buffer in a predictable (for the
   virus writer) way.  The fix is to change the gets(line) to
   fgets(line, 512, stdin); line[strlen(line)-1] = '\0';

   Of course it tries this on Suns too -- it just causes fingerd to core
   dump there.

I figured that out about two hours ago, and discovered that it was
possible to ship over machine code and have it be executed (by
overwriting the stack frame such that the return PC stored in the
frame pointed into the recently-read ).  Keith Bostic has the program;
I'd rather not redistribute it.  I suspect that other daemons may have
the same bugs.

					- Bill
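As an added example, not code from this thread or from the fingerd of the day: a C restatement of the gets()-to-fgets() change quoted above, with the checks a practitioner would want around the one-liner. The 512-byte bound is taken from the quoted fix; the function names, the in-memory request streams (fed through fmemopen rather than a socket) and the constructed inputs are assumptions for this illustration. The unbounded reader is written out without calling gets() so the block compiles on a modern libc; it is only ever given input that fits.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Buffer bound from the quoted fix (fgets(line, 512, stdin)); the daemon
 * itself is not reproduced here. */
#define LINE_BUF 512

enum line_status { LINE_OK, LINE_EOF, LINE_TOO_LONG };

/* The defect, restated without calling gets(): bytes are copied until '\n'
 * or EOF with no regard for the size of line[]. A request longer than the
 * buffer writes past its end into whatever sits above it in the frame,
 * which is the behaviour the thread describes. Shown for contrast only; it
 * is never fed an oversized request below. */
static void unsafe_read_line(FILE *in, char *line)
{
    int c;
    char *p = line;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;              /* no bound check: the bug */
    *p = '\0';
}

/* The fix, with the details the one-line version in the mail leaves out:
 *  - fgets() writes at most n-1 bytes plus the terminator, so the buffer
 *    can no longer be overrun;
 *  - the '\n' is stripped only when present, so strlen(line)-1 is never
 *    evaluated on an empty string;
 *  - a line with no '\n' is checked against the next byte: EOF or '\n'
 *    means the line simply fit, anything else means the request was longer
 *    than the buffer. That remainder is drained and the line rejected, so
 *    the next read starts at a real request boundary rather than at the
 *    tail of the oversized one. */
static enum line_status read_line_bounded(FILE *in, char *line, size_t n)
{
    if (fgets(line, (int)n, in) == NULL) {
        line[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n') {
        line[len - 1] = '\0';
        return LINE_OK;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;              /* line ended exactly at the bound */
    while (c != EOF && c != '\n')
        c = fgetc(in);               /* discard the overflowing tail */
    line[0] = '\0';
    return LINE_TOO_LONG;
}

/* Harness (assumed, not part of any daemon): opens a constructed request
 * stream in memory and returns the status of the k-th line read with an
 * n-byte buffer, leaving that line in out[]. */
static enum line_status nth_line(const char *stream, int k, char *out, size_t n)
{
    FILE *in = fmemopen((void *)stream, strlen(stream), "r");
    if (in == NULL)
        return LINE_EOF;
    enum line_status st = LINE_EOF;
    for (int i = 0; i < k; i++)
        st = read_line_bounded(in, out, n);
    fclose(in);
    return st;
}

int main(void)
{
    char line[LINE_BUF];
    /* Constructed request: 600 'A's then a newline, the shape of an
     * overlong finger query; not a capture of the real traffic. */
    char attack[602];
    memset(attack, 'A', 600);
    attack[600] = '\n';
    attack[601] = '\0';

    enum line_status st = nth_line(attack, 1, line, sizeof line);
    printf("600-byte request with %zu-byte buffer: %s\n", sizeof line,
           st == LINE_TOO_LONG ? "rejected" : "accepted");

    /* The unsafe reader is only ever given a request that fits. */
    FILE *in = fmemopen((void *)"root\n", 5, "r");
    if (in != NULL) {
        unsafe_read_line(in, line);
        fclose(in);
        printf("unsafe reader on a short request: '%s'\n", line);
    }
    return 0;
}
```

Two points worth keeping in mind when applying the same change elsewhere: the bare `line[strlen(line)-1]` form of the fix indexes before the buffer when fgets() returns an empty string, and without draining the rest of an oversized line the next fgets() call silently treats its tail as the following request.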