Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!wuarchive!udel!gatech!hubcap!ncrcae!ncr-sd!hp-sdd!apollo!pcc
From: pcc@apollo.HP.COM (Peter Craine)
Newsgroups: comp.sys.apollo
Subject: Re: Sendmail hole (?)
Message-ID: <461142ab.20b6d@apollo.HP.COM>
Date: 6 Oct 89 15:57:00 GMT
References: <46098421.81da@digital.sps.mot.com>
Sender: root@apollo.HP.COM
Reply-To: pcc@apollo.COM (Peter Craine)
Organization: Apollo Computer, Chelmsford, MA
Lines: 39

In article <46098421.81da@digital.sps.mot.com> chen@digital.sps.mot.com (Jinfu Chen) writes:
>People at comp.virus are getting quite excited about the coming "Friday the 13th"
>(Oct 13th). This reminds me of the infamous ARPANET-worm last November, so I just
>tried the following to our SMTP gateway node (running SR10.1.0.4), and to my
>surprise:
> [sendmail DEBUG stuff deleted]
>
>Should I panic?! I don't know if the "DEBUG" command in this version of
>SMTP from Apollo is immune to the ARPANET worm. Could someone from Apollo
>verify this?
>
>One of the recent Apollo patches is related to `fingerd' and the document says
>it's been inoculated against the virus publicized on USENET. Does this apply
>to sendmail?
>
>--

You don't have to panic. Sendmail is inoculated at SR10.2 so that THAT virus
attack won't work (unless you use the undocumented, unsupported option that I'm
not going to talk about).

Theoretically, if somebody did enough work, they could find a way to get the
old internet virus to work against SR10.0 and SR10.1 systems. But the attack
would be very difficult to engineer (I'm reasonably sure). I'm not going to go
into a dissertation about how that virus (worm, actually) worked, but it's a
tad more difficult than it would be on a "real UNIX" system.

I'm not going to say anything stupid like "Gee, our system is impervious to
attack" (I'll wait while you finish laughing), but that particular attack isn't
as easy as some people believe.

BTW, the hole in fingerd that we fixed was that fingerd never checked how long
the data was that was being passed to it. There is now an (enforced) limit.

[flame suit on]

Peter Craine, NACS
*I* don't want my own opinions. Why would HPOLLO want them?
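
The fingerd fix described in the post above, an unchecked read replaced by an enforced length limit, sketched in C as an added example. This is not Apollo's code: the function names and the 128-byte limit are assumptions, since the post does not give the actual value.

```c
#include <stddef.h>
#include <string.h>

#define QUERY_MAX 128   /* assumed limit; the post does not give Apollo's value */

enum query_status { QUERY_OK, QUERY_INCOMPLETE, QUERY_TOO_LONG, QUERY_BAD_BYTE };

/* Unchecked pattern: copies until newline with no regard for the size of
 * `out`. Shown for contrast only; it is safe only when the caller already
 * knows the line fits. */
void read_query_unchecked(const char *in, char *out)
{
    while (*in != '\n' && *in != '\0')
        *out++ = *in++;
    *out = '\0';
}

/* Checked pattern: `in`/`in_len` are the bytes received so far and `out`
 * holds out_cap bytes. Nothing is written unless the whole line fits. */
enum query_status read_query_checked(const char *in, size_t in_len,
                                     char *out, size_t out_cap)
{
    const char *nl = memchr(in, '\n', in_len);
    size_t len, i;

    if (out_cap == 0)
        return QUERY_TOO_LONG;
    if (nl == NULL)   /* no terminator yet: give up once past the limit */
        return in_len > out_cap ? QUERY_TOO_LONG : QUERY_INCOMPLETE;

    len = (size_t)(nl - in);
    if (len > 0 && in[len - 1] == '\r')   /* finger lines end in CRLF */
        len--;
    if (len >= out_cap)                   /* keep room for the trailing NUL */
        return QUERY_TOO_LONG;
    for (i = 0; i < len; i++)             /* printable ASCII only */
        if ((unsigned char)in[i] < 0x20 || (unsigned char)in[i] > 0x7e)
            return QUERY_BAD_BYTE;

    memcpy(out, in, len);
    out[len] = '\0';
    return QUERY_OK;
}
```

The checked version reports an over-long request to the caller instead of truncating it, so the daemon can drop the connection rather than act on a partial name.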