Path: utzoo!utgpu!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!purdue!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn )
Newsgroups: comp.unix.wizards
Subject: Re: Implications of recent virus (Trojan Horse) attack
Keywords: virus security
Message-ID: <8845@smoke.BRL.MIL>
Date: 10 Nov 88 02:20:02 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2151@ficc.uu.net>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Distribution: na
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 35

In article <2151@ficc.uu.net> peter@ficc.uu.net (Peter da Silva) writes:
>One side effect that I don't like is that UNIX is taking the blame for
>a combination of (1) a security hole in an application (sendmail), and
>(2) deliberate loosening of security to trusted sites (rhosts, etc...).
>Non-academic UNIX in general is a lot less open to techniques like this.

The virus exploited two security holes in Berkeley-supplied servers.
We found that several commercial offerings that included this software
had done little more than stick their own label on it; they did not go
over the code and fix its problems before releasing it. In fact, in the
case of sendmail, they didn't even turn off the DEBUG flag in the Makefile.

The technical problems that were exploited were mostly sloppiness that
nobody had reviewed and corrected in time. We know of a few other similar
security holes that the virus didn't try to exploit. One could also
challenge the design that provides privileged access via sockets and
their servers without adequate authentication.

The lessons to be learned are not overly simple, and until they have
been thoroughly assimilated by the right people, you can be assured that
there are more security holes of the same general nature.

Try the following on your favorite remote 4BSD-based system:

	rlogin host -l ''

This attack works a surprising percentage of the time.
The problem that provides the hole has been known for many years and was fixed at least as long ago as 1984 in the AT&T-supplied UNIX variants. But it persists in the Berkeley variants. Perhaps this note will prompt the various vendors to finally fix this problem! The REAL problem is that too many people just do not care about security, probably because they don't understand how it affects them.
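The thread's point (2), the "deliberate loosening of security to trusted sites (rhosts, etc...)", is something an administrator can check mechanically. The following is an added example, not code from Gwyn's post or from BRL: a small auditor for the trust files that rlogind/rshd consult, /etc/hosts.equiv and ~/.rhosts, using their BSD format (one entry per line, "host [user]", "+" as a wildcard, a leading "-" as a negative entry, "@name" for a netgroup, "#" for comments). The two sample files embedded in it are constructed for the example. It says nothing about the empty-login-name rlogin attack quoted above, which the post does not explain.

```python
"""Audit hosts.equiv / .rhosts trust files for entries that grant passwordless
rlogin/rsh access far more widely than intended.

Added example (not from the original post).  Entry semantics follow the BSD
hosts.equiv(5)/.rhosts format; the sample contents below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    entry: str
    reason: str


def parse_entry(line):
    """Return (host, user) for one entry, or None for blank/comment-only lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    return host, user


def audit_trust_file(path, contents, is_hosts_equiv=False):
    """Return the risky entries in one trust file as a list of Findings.

    is_hosts_equiv=True applies the system-wide file's semantics, where a
    'host user' entry lets that remote user log in as any local account,
    not just the same-named one as in a personal .rhosts.
    """
    findings = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        host, user = parsed
        entry = line.split("#", 1)[0].strip()
        # Negative entries ("-host" or "host -user") deny access; nothing to flag.
        if host.startswith("-") or (user is not None and user.startswith("-")):
            continue
        reason = None
        if host == "+" and user == "+":
            reason = "any user on any host may log in without a password"
        elif host == "+":
            reason = ("the same-named account on any host is trusted" if user is None
                      else f"user {user} on any host is trusted")
        elif user == "+":
            reason = f"any user on {host} is trusted"
        elif is_hosts_equiv and user is not None:
            reason = (f"user {user} on {host} may log in as any local account "
                      "(a user field in hosts.equiv is not limited to one account)")
        if reason:
            findings.append(Finding(path, lineno, entry, reason))
    return findings


# Constructed sample files for the example (hostnames are illustrative).
SAMPLE_HOSTS_EQUIV = """\
# constructed /etc/hosts.equiv
smoke.brl.mil
+               # trusts every host on the network: the classic mistake
adm.brl.mil peter
-badhost.example
"""

SAMPLE_RHOSTS = """\
# constructed ~/.rhosts
hubcap.clemson.edu
+ +
gatech.edu +
"""


def audit_samples():
    """Run the auditor over both constructed files and return all findings."""
    return (audit_trust_file("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV, is_hosts_equiv=True)
            + audit_trust_file("~/.rhosts", SAMPLE_RHOSTS))


if __name__ == "__main__":
    for f in audit_samples():
        print(f"{f.path}:{f.lineno}: '{f.entry}': {f.reason}")
```

On a real system, feed the function the contents of /etc/hosts.equiv with is_hosts_equiv=True and each user's ~/.rhosts without it; an exact "+" host field is the wildcard, so netgroup entries such as "+@trusted" are deliberately not flagged.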