Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site gatech.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxl!houxm!vax135!cornell!uw-beaver!tektronix!hplabs!sdcrdcf!sdcsvax!akgua!gatech!strick
From: strick@gatech.UUCP (Henry A. Strickland)
Newsgroups: net.bugs
Subject: 'stty', 'write', 'mail', 'readnews', et al.
Message-ID: <10028@gatech.UUCP>
Date: Sun, 2-Sep-84 20:59:05 EDT
Article-I.D.: gatech.10028
Posted: Sun Sep  2 20:59:05 1984
Date-Received: Thu, 6-Sep-84 04:24:43 EDT
References: <895@trwrb.UUCP> <1228@dalcs.UUCP> <747@dual.UUCP> <46@rlgvax.UUCP> <318@wucs.UUCP>
Organization: The Clouds Project, School of ICS, Georgia Tech
Lines: 28

> Ioctl() is not the only problem; consider
> 	cat /unix >/dev/tty01
> where some fool has left his terminal (/dev/tty01) writable to the world.
> Worse yet, send him a character sequence like
> HOME CR LF cd; find . -exec chmod 777 {} \; &
> CLEAR_TO_END_OF_SCREEN HOME DUMP_SCREEN CLEAR 
> (using the appropriate codes for his terminal type) and you will get him
> to chmod all his files so you can play with them.  

If the above can work if 'write'ing or 'cat'ing to a /dev/tty*,
wouldn't it also work if you mailed it to someone, or posted it
to net.general?  I tried mailing myself a string of control characters,
and 'mail' unquestioningly sent them to my terminal. 
I have seen manuals containing FF characters come across 'readnews'.
Do other systems filter these out, or are we all vulnerable?

I keep 'mesg y', and don't consider myself a fool.  I also don't filter
control characters out of my 'mail' or 'readnews'.  I would send you
all a control-g in this message as a test, but I could imagine people
who post propaganda to net.general putting FFs and BELs in their messages
as attention grabbers, and I think it would be a terrible precedent.  

I'll offer a free net.stonehenge subscription for whoever can bring down
every machine on the net first . . . 
-- 
 the clouds project                henry strickland
  school of ics / ga tech
   atlanta ga 30332        { akgua allegra hplabs ihnp4 }!gatech!strick