Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!columbia!rutgers!husc6!mit-eddie!genrad!decvax!mcnc!duke!dukempd!ethos!kitty!unisec!dpw
From: dpw@unisec.UUCP (Darryl Wagoner)
Newsgroups: net.unix,net.unix-wizards
Subject: Slaying Gould dragon with a wooden horse
Message-ID: <161@unisec.UUCP>
Date: Sun, 26-Oct-86 22:45:17 EST
Article-I.D.: unisec.161
Posted: Sun Oct 26 22:45:17 1986
Date-Received: Mon, 27-Oct-86 22:28:27 EST
Organization: UniSecure Systems, Inc., Newport, R.I.
Lines: 113
Keywords: secure unix trojan horse gould
Xref: mnetor net.unix:6043 net.unix-wizards:8468

Like many others, I attended the Unix Expo in New York City this week. At the Gould booth there was a large sign challenging Unix wizards to break into their "Secure Unix" system. They also gave out a flyer that stated the following:

|---------------------------------------------------------------
|                           GOULD
|
|                    *** HACKER CHALLENGE ***
|
|                        UNIX EXPO 1986
|                      OCTOBER 20,21,22
|
|There is a text file on our 6040-I, UTX/32S - SECURE UNIX*
|system. We challenge anyone to find out its contents. The file
|pathname is:
|
|                    /usr/unixexpo/securefile
|
|RULES:
|
|1. You must access the system from one of two user
|   terminals. Login as "guest1" or "guest2".
|
|2. All winners who successfully break into the system will
|   be placed in a drawing for a grand prize winner
|   of a 19" color tv.
|
|3. In the event of any conflicts, the decision of the GOULD
|   show director will be final.
|
|*Unix is a trademark of AT&T
|
|----------------------------------------------------------------

The contents of the file were: "gould makes firebreathing,very high performance super mini machines."

I will present the case history of how I broke it using the most classic of all hacker tricks. In addition I located other weaknesses in their system that would allow even the most novice hacker to break into UTX/32S.
Having only limited time and a public account to do my hacking, I chose to use the Trojan horse attack. They willingly revealed that the environment a user is put in is a restricted environment, either much like or exactly like the chroot(2) system call of Unix, which, to the best of my knowledge, hasn't been defeated. Therefore, it would have been a waste of time to try to defeat the chroot.

The Gould salesmen readily offered to show me their environment, which revealed that PATH was set to ".:/bin:/usr/bin:..." The key is that the current directory is at the beginning of the search path. I quickly created an 'ls' trojan horse and put it in the guest home directory. Then I asked if root could get to the guest directory and asked him to do so. He did a cd to the guest directory and did an 'ls', which fired off my trojan horse. I could have waited for him to fall into the trap, but I was afraid that someone else would find my trojan horse and use my work. Before I got everything right, I had to enlist the unknowing support of root twice more, due to differences in Secure Unix.

At this point, let me point out that in order for Gould to achieve this level of security they had to strip out a lot of the things that make Unix powerful (e.g. suid bits) and isolate users into a chroot environment. UTX/32S also seems to have many cross checks with the different /etc/passwd and /etc/group files.

The first attempt was to add my own "admin" account to the top level passwd file. This failed because the user id I chose wasn't in the group file. Another trojan later, I had my own group in the group file. Still the system complained about my group not being valid, but it did let me log in as an administrator. Then a very strange thing happened. I couldn't execute "cshsu(8)" (Gould's answer to su, but less secure). The real admin couldn't execute cshsu either.

I returned the next day and asked if they had found out how I had broken in. With their audit file, I expected that they had.
The answer was that I had broken something and they had to reboot; that caused the audit file to be removed. (Note: if you ever want to cover your tracks on UTX/32S, just crash the system.) Well, this gave me new hope that I could break it with another, better horse. With the next horse I copied the file in question to an area that I could read. (Besides making a copy of the file I could have also planted a worm or virus. Of course no one would do such a thing :-) ) Then I showed them the content of the file in question.

Well, they lost their cool, to say the least. I was happy to explain how I did it. They informed me that I had not really broken the system but just tricked the system admin, and that the method that I used was immoral. I tried to argue with him for about fifteen minutes without success. In hope of reasoning with him I enlisted the help of an impartial third party. (Whom I haven't asked if I could quote, so I will withhold this person's name.) This person listened to both sides and concluded that I had broken the system with a classic hacker technique.

The question I have for the net is: Is using a trojan horse a legit way to break into a system? What is your opinion?

SUMMARY of Gould UTX/32S System

I am not even sure that it can still be called Unix since SUID bits have been removed. After all, that is what Dennis M. Ritchie patented as the Unix protection scheme. But as far as being secure, I will say that it is or could be as secure as any other unix system. It takes more forethought to break standard unix. It takes away one of the most powerful features of unix.

The cshsu should have stripped out the current directory from the path like su(1) does. For that matter, the shells should have removed the current directory or at least put it at the end, just for good system hygiene. The tty driver should have a kill character to allow login to be killed to prevent trojan horses. There is also another hole I will not go into at this point.
--
Darryl Wagoner
UniSecure Systems, Inc.; Newport, RI; (401)-849-0857
{allegra|gatech|linus|raybed2|ihnp4|cci632} !rayssd!unisec!dpw
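The PATH hygiene the summary above argues for (no current directory, or at least not first, in the search path of su and the login shells), as an added example in POSIX sh. This is not code from the post or from Gould; the helper names path_is_unsafe and path_sanitize and the sample path value are my own.

```shell
#!/bin/sh
# Added example: PATH hygiene checks of the kind the post's summary asks su(1)
# and the login shells to perform. Not from the original post or from Gould;
# the helper names are hypothetical.
#
# An entry is treated as unsafe when command lookup would resolve it against
# the current directory: ".", an empty entry (produced by a leading, trailing
# or doubled ":"), or any relative entry such as "bin".

# path_is_unsafe PATH-STRING : returns 0 if an unsafe entry is present, else 1
path_is_unsafe() {
    _p="$1:"                 # trailing ":" so a final empty entry is also seen
    while [ -n "$_p" ]; do
        _e="${_p%%:*}"       # entry before the first colon
        _p="${_p#*:}"        # remainder after it
        case "$_e" in
            ""|.|[!/]*) return 0 ;;
        esac
    done
    return 1
}

# path_sanitize PATH-STRING : prints the path with unsafe entries removed and
# duplicates collapsed to their first occurrence
path_sanitize() {
    _p="$1:"
    _out=""
    while [ -n "$_p" ]; do
        _e="${_p%%:*}"
        _p="${_p#*:}"
        case "$_e" in
            ""|.|[!/]*) continue ;;          # drop anything resolved via cwd
        esac
        case ":$_out:" in
            *":$_e:"*) continue ;;           # already kept earlier in the path
        esac
        _out="${_out:+$_out:}$_e"
    done
    printf '%s\n' "$_out"
}

# The weak setting the post describes, beside its corrected form.
GUEST_PATH=".:/bin:/usr/bin"                  # constructed from the post's PATH
if path_is_unsafe "$GUEST_PATH"; then
    echo "unsafe: $GUEST_PATH -> $(path_sanitize "$GUEST_PATH")"
fi
```

Running path_sanitize over "$PATH" in a profile or in su's environment setup gives the behaviour the summary asks for; path_is_unsafe alone is enough for an audit that only reports.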