The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V1 #22 not known (1 file, 2202 bytes)
NOTICE: recognises the rights of all third-party works.


Security Digest Volume 1 Issue 22


            [Akira Kato: Possible security hole in some releases of SUN OS.]
            Virus notes
            Re: dpasswd utility (was Re: Use of /etc/dialups and /etc/d_passwd)


Date: Sat, 20 May 89 16:32:08 EST
From: Gene Spafford <uunet!!spaf>
Subject: [Akira Kato: Possible security hole in some releases of SUN OS.]

Yet another reason why everyone loves Unix :-)

 ------- Forwarded Message from:
 ------- Akira Kato <kato%cs.titech.junet%[email protected]>

Recently one of my friends pointed out a security hole in some releases
of SUN OS.

There is an aliased entry `decode' in /usr/lib/aliases (/etc/aliases)
by default in some releases of SUN OS:

        decode: "|/usr/bin/uudecode"

This is very dangourous because any files owned by UUCP can be overwritten
if /usr/bin/uudecode is owned by UUCP and setuid on. It can easily be done
by sending [email protected] an email including uuencoded text with
abstract path.

In some releases, the situation can be more horrible;
        if above entry exists and
           /usr/bin/uudecode has setuid OFF and
           the owner of /usr/spool/at is daemon and
           atrun is invoked periodically and
           sendmail is configured as DefUid=daemon and
           sendmail daemon is running
           one can get superuser privilege by sending special
           hacked mail to [email protected] over smtp.
           First place a hacked file into /usr/spool/at using
           uudecode mechanism above. The contents of the file
           is at-formatted and it includes `# owner: root'.
           When atrun executes the spooled file, .....

In Sun OS 3.5, decode entry is included in aliases. In Sun OS
4.0, decode entry is valid and the mode of uudecode is 111.

The best way to cope with this hole is to remove the alias entry.

 ------- End of Forwarded Message


Date: Wed May 24 06:23:25 1989
From: uunet!ficc!peter
Subject: Virus notes

I'm sure some of you remember my first "Usenet Virus" posting last year,
shortly before the Internet Worm affair. I would just like to note that
if one were to send out a source-code virus like that one, right now would
be a good time. If you called it "patch #13 to patch" and posted to to
comp.sources.d, it would be grabbed and used by thousands of people...

Watch your patches...


Date: Tue, 23 May 89 04:41:39 PDT
From: Lenny Tropiano
Subject: Re: dpasswd utility (was Re: Use of /etc/dialups and /etc/d_passwd)

[ This was posted in usenet news group comp.unix.wizards.  It would seem to
be a very good way to have and administer a secondary password on dialup
lines, that can be changed for everyone on a regular basis.  Alas, it's

for System V, so I can't check it out or even use it.  This is the last
item in this digest, so don't waste time skipping through it if you're
not interested in it - neil ]

I wrote this a while back, and it'll be useful for those playing with
Dialup Passwords.  This should compile with most compilers, and System V
systems.  Any problems should be reported to:  [email protected]
"unshar" and read the README ...

-- cut here  -- -- cut here  -- -- cut here  -- -- cut here  -- -- cut here  --
#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g..  If this archive is complete, you
# will see the following message at the end:
#               "End of shell archive."
# Contents:  README Makefile dpasswd.c
# Wrapped by [email protected] on Tue May  2 00:19:23 1989
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f README -a "${1}" != "-c" ; then
  echo shar: Will not over-write existing file \"README\"

echo shar: Extracting \"README\" \(3434 characters\)
sed "s/^X//" >README <<'END_OF_README'
XREADME for dpasswd:     By Lenny Tro

ou for "Dialup Password:" after
Xyou enter your initial password correctly.  If you enter the dialup password
Xincorrectly, you will be denied login.
XWhat you can do with this, is allow everything but /bin/sh, and /bin/ksh to
Xget in without a secondary passwords.  (This will prevent having to give
Xpeople with uucp logins another password -- you can give them one, if you
Xso desire with login shell /usr/lib/uucp/uucico).


XSample files are as follows: