Path: utzoo!attcan!uunet!husc6!rutgers!ucla-cs!admin.cognet.ucla.edu!casey
From: casey@admin.cognet.ucla.edu (Casey Leedom)
Newsgroups: comp.sys.apollo
Subject: Re: Computer virus
Message-ID: <17598@shemp.CS.UCLA.EDU>
Date: 7 Nov 88 01:36:20 GMT
References: <8811050652.AA08798@umaxc.weeg.uiowa.edu>
Sender: news@CS.UCLA.EDU
Reply-To: casey@admin.cognet.ucla.edu.UUCP (Casey Leedom)
Organization: UCLA Cognitive Science Program
Lines: 113

| From: dbfunk@ICAEN.UIOWA.EDU (David B. Funk)
|
| The version of sendmail that was distributed with SR9.5 Domain/IX does
| NOT have the buggy "debug" code that this virus used to get around. I
| have not checked out the SR10 version but I assume that it's OK also.

  Unfortunately SR10's sendmail comes with debug mode compiled in. But,
much as I've been known to criticize Apollo, I can't blame them for this
one. In their effort to implement 4.3BSD as closely as possible, they
simply picked up a problem that Berkeley left in (it should also be noted
that in general I'm a pro-Berkeley-ite).

  Anyone running SR10 should attempt to use the instructions mailed out by
Keith Bostic of CSRG at Berkeley to patch their SR10 sendmail binaries.
Unfortunately, it'll be a very short-lived attempt since Apollo still
doesn't ship adb.

  I've appended a short program that will overwrite the keyword "debug"
with 0xff's as per the suggestion from Berkeley. Note that the program
should work without arguments for virgin SR10.0 68000 sendmail binaries.
Anything else will probably have to have the proper offset of the debug
keyword passed in on the command line (use ``strings -o /usr/lib/sendmail
| egrep debug'' - the number printed out should work).

  Note also that I've tried to make the program as paranoid as possible.
It reads the binary first and if "debug\0" isn't found at the indicated
offset, it terminates without writing anything. However, as you always
should, make a backup copy of your sendmail binary and check the program
over yourself CAREFULLY.
  (Insert usual disclaimers of responsibility should this program not work
as advertised, etc.)

Casey

-----
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#ifndef L_SET
# define L_SET	SEEK_SET	/* 4.3BSD name for lseek()'s "from start of file" */
#endif

#ifdef m68000
# define DEBUG_OFFSET	75762L	/* offset of "debug\0" in a virgin SR10.0 68000 sendmail */
#else
DON'T HAVE ANY NUMBERS FOR OTHER ARCHITECTURES
#endif

static char buf[sizeof("debug")];	/* "debug" plus its terminating NUL: 6 bytes */

int
main(int argc, char **argv)
{
	int fd, n, i;
	long debug_offset;

	/*
	 * The offset comes from DEBUG_OFFSET or, for any other binary, from
	 * the command line (the number printed by
	 * ``strings -o /usr/lib/sendmail | egrep debug'').
	 */
	if (argc == 1)
		debug_offset = DEBUG_OFFSET;
	else if (argc == 2 && argv[1][0] >= '0' && argv[1][0] <= '9')
		debug_offset = atol(argv[1]);
	else {
		fprintf(stderr, "usage: %s [ sendmail-debug-keyword-offset ]\n",
		    argv[0]);
		exit(1);
	}

	fd = open("/usr/lib/sendmail", O_RDWR);
	if (fd < 0) {
		perror("open: /usr/lib/sendmail");
		exit(1);
	}

	/*
	 * Read first: nothing is written unless "debug\0" sits exactly at
	 * the indicated offset.
	 */
	if (lseek(fd, debug_offset, L_SET) < 0) {
		perror("lseek: /usr/lib/sendmail");
		exit(1);
	}
	n = read(fd, buf, sizeof(buf));
	if (n < 0) {
		perror("read: /usr/lib/sendmail");
		exit(1);
	}
	if (n != sizeof(buf)) {
		fprintf(stderr, "%s: unable to read %d bytes, only got %d.\n",
		    argv[0], (int)sizeof(buf), n);
		exit(1);
	}
	if (strncmp(buf, "debug", sizeof(buf))) {
		fprintf(stderr,
		    "%s: offset %ld in /usr/lib/sendmail does not contain\n",
		    argv[0], debug_offset);
		fprintf(stderr,
		    "the word \"debug\".  /usr/lib/sendmail NOT changed.\n");
		exit(1);
	}

	/*
	 * Overwrite the five letters with 0xff and leave the terminating NUL
	 * alone, so the SMTP command table entry can no longer match anything
	 * a client sends.
	 */
	if (lseek(fd, debug_offset, L_SET) < 0) {
		perror("lseek");
		exit(1);
	}
	for (i = 0; i < (int)sizeof(buf) && buf[i]; i++)
		buf[i] = '\377';
	n = write(fd, buf, sizeof(buf));
	if (n < 0) {
		perror("write");
		exit(1);
	}
	if (n != sizeof(buf)) {
		fprintf(stderr,
		    "%s: unable to write %d bytes, only got %d out!.\n",
		    argv[0], (int)sizeof(buf), n);
		fprintf(stderr, "/usr/lib/sendmail may be corrupted!!!\n");
		exit(1);
	}
	if (close(fd) < 0) {
		perror("close");
		fprintf(stderr,
		    "%s: /usr/lib/sendmail was written to successfully before close failed.\n",
		    argv[0]);
		fprintf(stderr, "/usr/lib/sendmail may be corrupted!!!\n");
		exit(1);
	}
	exit(0);
}
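A companion check, added here and not part of Casey's post or of the Berkeley instructions: it scans a sendmail image for the SMTP "debug\0" keyword the way the ``strings -o | egrep debug'' step does, and reports whether the 0xff overwrite described above is already in place. The default path, the status codes and the sample bytes in the comments are assumptions of this example.

```c
/* Added check, not from the original post: find the SMTP "debug\0" keyword in a
 * sendmail image and report whether five 0xff bytes have already replaced it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KW_LEN            5    /* strlen("debug"); the NUL after it is matched too */
#define STATUS_VULNERABLE 0    /* "debug\0" still present: patch not applied */
#define STATUS_PATCHED    1    /* 0xff x5 followed by NUL: patch applied */
#define STATUS_NOT_FOUND -1    /* neither pattern: wrong file or different build */

/* Offset of the first occurrence of pat[0..n) in img[0..len), or -1 if absent. */
static long find_bytes(const unsigned char *img, size_t len,
                       const unsigned char *pat, size_t n)
{
    size_t i;
    for (i = 0; i + n <= len; i++)          /* no iterations at all when n > len */
        if (memcmp(img + i, pat, n) == 0)
            return (long)i;
    return -1;
}

/* Classify an image; *offset gets the first match of whichever pattern was found.
 * Only the first match is reported, so compare it with the strings -o output. */
int check_debug_keyword(const unsigned char *img, size_t len, long *offset)
{
    static const unsigned char patched[KW_LEN + 1] = {0xff, 0xff, 0xff, 0xff, 0xff, 0};
    *offset = find_bytes(img, len, (const unsigned char *)"debug", KW_LEN + 1);
    if (*offset >= 0)
        return STATUS_VULNERABLE;
    *offset = find_bytes(img, len, patched, KW_LEN + 1);
    return *offset >= 0 ? STATUS_PATCHED : STATUS_NOT_FOUND;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/lib/sendmail";  /* assumed default */
    FILE *fp = fopen(path, "rb");
    unsigned char *img; long size, off; int st;
    if (!fp) { perror(path); return 1; }
    fseek(fp, 0, SEEK_END); size = ftell(fp); rewind(fp);
    img = malloc(size > 0 ? (size_t)size : 1);
    if (!img || fread(img, 1, (size_t)size, fp) != (size_t)size) { perror(path); return 1; }
    fclose(fp);
    st = check_debug_keyword(img, (size_t)size, &off);
    printf("%s: %s (offset %ld)\n", path, st == STATUS_VULNERABLE ? "debug keyword present"
           : st == STATUS_PATCHED ? "patched marker present" : "no keyword found", off);
    free(img);
    return st == STATUS_VULNERABLE ? 2 : 0;
}
```

Exit status 2 means the keyword is still live, so the check can be dropped into a script that runs after the patch program. Run it on the backup copy too, to confirm the offset before writing anything.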