Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!sri-unix!MP@mit-xx
From: MP@mit-xx@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Need trojan horse info
Message-ID: <12067@sri-arpa.UUCP>
Date: Mon, 26-Sep-83 21:19:00 EDT
Article-I.D.: sri-arpa.12067
Posted: Mon Sep 26 21:19:00 1983
Date-Received: Fri, 30-Sep-83 00:41:34 EDT
Lines: 61

From: Mark Plotnick

Digging into the archives, we find...

>From mhtsa!alice!research!dmr Thu Nov 4 02:30:06 1982
Subject: Joy of reproduction
Newsgroups: net.lang.c

Some years ago Ken Thompson broke the C preprocessor in the following ways:

1) When compiling login.c, it inserted code that allowed you to log in as anyone by supplying either the regular password or a special, fixed password.

2) When compiling cpp.c, it inserted code that performed the special test to recognize the appropriate part of login.c and insert the password code. It also inserted code to recognize the appropriate part of cpp.c and insert the code described in way 2).

Once the object cpp was installed, its bugs were thus self-reproducing, while all the source code remained clean-looking. (Things were even set up so the funny stuff would not be inserted if cc's -P option was used.)

We actually installed this on one of the other systems at the Labs. It lasted for several months, until someone copied the cpp binary from another system.

Notes:

1) The idea was not original; we saw it in a report on Multics vulnerabilities. I don't know of anyone else who actually went to the considerable labor of producing a working example.

2) I promise that no such thing has ever been included in any distributed version of Unix. However, this took place about the time that NSA was first acquiring the system, and there was considerable temptation.

Dennis Ritchie

>From harpo!zeppo!whuxlb!mash (John Mashey) Thu Nov 4 18:08:24 1982
Subject: Joy of Reproduction - other side
Newsgroups: net.lang.c

DMR gave an amusing description of Ken's self-reproducing loophole bug done years ago. As a user of (one of the) systems on which it got installed (Piscataway PWBs), I recall a few more amusing items:

1) We never would have found it if Ken hadn't been lazy and made the extra code a function -- the tipoff was the item in the namelist that never appeared in the source.

2) I doubt that anyone would have known what happened if Ken hadn't left everything lying around on research.

3) This occurred when one could seldom expect that one's old cc would compile Dennis's newest cc source (due to continual bootstrapping) -- we always had to grab both new source and new object. This helped the trap considerably.

We had been sniping at Ken and Dennis for security problems. The loophole code came soon thereafter...

5) Finally, the scariest/funniest part of the whole business was reading Brunner's Shockwave Rider book several weeks before this, liking it, but thinking that "worm programs with infinitely replicating tails" were ridiculous. Then Ken's program showed up...

-john mashey
-------
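Mashey's tipoff was a namelist entry with no counterpart in the source. The following is an added example, not code from the post or from anyone quoted in it, of that check as a script: it parses nm-style output, scans a C source file for function definitions, and reports text symbols the binary defines that no source function accounts for. The nm output and the source are constructed samples, the function-definition regex is a heuristic (a real audit would take the list from ctags or the compiler), and the allowlist of toolchain startup symbols is an assumption that must be adjusted for the toolchain in use.

```python
import re

# Constructed sample of nm output for a hypothetical login binary
# (not real output from any system): address, symbol type, name.
# 'T'/'t' are defined text (code) symbols; 'U' is undefined, 'D' is data.
SAMPLE_NM_OUTPUT = """\
0000000000001140 T main
0000000000001310 T check_password
0000000000001420 T read_user
0000000000001500 t unlisted_fn
                 U strcmp
                 U crypt
0000000000004010 D passwd_file
"""

# Constructed sample source for the same hypothetical binary.
SAMPLE_C_SOURCE = r"""
#include <string.h>
#include <unistd.h>

static char *passwd_file = "/etc/passwd";

static int check_password(const char *given, const char *stored)
{
    return strcmp(crypt(given, stored), stored) == 0;
}

int read_user(char *buf, int len)
{
    return 0;
}

int main(int argc, char **argv)
{
    return 0;
}
"""

# nm line: optional hex address, one-letter type, symbol name.
NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)\s*$")

# Heuristic: a definition is a name followed by '(' at column 0 (after an
# optional storage class / return type) on a line with no ';' (a prototype).
# Indented lines (calls inside bodies) are ignored.
C_FUNC_DEF = re.compile(
    r"^[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;\n]*$", re.M)

# Startup symbols the GCC/glibc toolchain adds itself (assumed list;
# extend it for the toolchain actually in use).
TOOLCHAIN_SYMBOLS = frozenset({
    "_start", "_init", "_fini", "frame_dummy",
    "register_tm_clones", "deregister_tm_clones",
    "__do_global_dtors_aux", "__libc_csu_init", "__libc_csu_fini",
})


def defined_text_symbols(nm_output):
    """Names of symbols the binary defines in its text segment."""
    names = set()
    for line in nm_output.splitlines():
        m = NM_LINE.match(line)
        if m and m.group(1) in "Tt":
            names.add(m.group(2))
    return names


def defined_functions(c_source):
    """Function names that have a definition in the source text."""
    return set(C_FUNC_DEF.findall(c_source))


def unexplained_symbols(nm_output, c_source, allow=TOOLCHAIN_SYMBOLS):
    """Text symbols in the binary that neither the source nor the toolchain explains."""
    extra = defined_text_symbols(nm_output) - defined_functions(c_source)
    return sorted(s for s in extra if s not in allow and not s.startswith("__"))


if __name__ == "__main__":
    for name in unexplained_symbols(SAMPLE_NM_OUTPUT, SAMPLE_C_SOURCE):
        print("symbol in binary but not in source:", name)
```

On the constructed sample the check reports only `unlisted_fn`. The limitation is the one Mashey states: it works because the inserted code was a separate function. Code inlined into an existing function leaves no extra namelist entry, so a source-versus-symbol comparison is a cheap first check rather than a proof that the binary matches its source; for the general case, rebuilding the compiler with an independent second compiler and comparing the results (Wheeler's diverse double-compiling) is the standard answer.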