Path: utzoo!utgpu!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!uflorida!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn )
Newsgroups: comp.unix.wizards
Subject: Re: Implications of recent virus (Trojan Horse) attack
Keywords: virus security
Message-ID: <8858@smoke.BRL.MIL>
Date: 10 Nov 88 18:03:13 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2151@ficc.uu.net> <8845@smoke.BRL.MIL> <14465@mimsy.UUCP>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Distribution: na
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 26

In article <14465@mimsy.UUCP> chris@mimsy.UUCP (Chris Torek) writes:
>In article <8845@smoke.BRL.MIL> gwyn@smoke.BRL.MIL (Doug Gwyn ) writes:
>>The technical problems that were exploited were mostly sloppiness that
>>nobody had reviewed and corrected in time.  We know of a few other
>>similar security holes that the virus didn't try to exploit.
>Well, good grief, SEND THEM TO US.  WE *WILL* FIX THEM.  This is a
>large part of what comp.bugs.4bsd.ucb-fixes is about.  (Or do you mean
>that they are fixed in 4.3tahoe but not other 4BSD-derived systems?)

Last time I tried, there was a distinct lack of interest!

>>Try the following on your favorite remote 4BSD-based system:
>>        rlogin host -l ''
>Obviously this one has been fixed in 4.3tahoe.

Not necessarily.  Try the following:
        # vi /etc/passwd
        $ passwd
        $ su ''
        # surprise!
If this hole exists, it can be traced to getpwent() not being careful
enough when it parses /etc/passwd records.  See UNIX System V for the
simplest fix.
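
A strict check of /etc/passwd records, the kind of care the post says getpwent() lacked, as an added example (not part of the original post and not the System V fix it mentions). It assumes the usual seven-field colon-separated record; check_passwd_line, the PW_* codes and the sample records are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes are hypothetical names chosen for this example. */
enum pw_check { PW_OK, PW_BLANK, PW_FIELDS, PW_NAME, PW_ID };

/* 1 if s[0..len) is a non-empty run of decimal digits, else 0. */
static int all_digits(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return len > 0;
}

/* Validate one record: name:passwd:uid:gid:gecos:dir:shell.
 * Nothing is defaulted: a missing field is an error, never "" or 0. */
enum pw_check check_passwd_line(const char *line)
{
    const char *field[7], *p = line, *colon;
    const char *end = line + strcspn(line, "\n");  /* drop the newline */
    size_t flen[7];
    int count = 0;

    if (end == line) return PW_BLANK;              /* empty line */
    for (;;) {
        if (count == 7) return PW_FIELDS;          /* more than seven */
        colon = memchr(p, ':', (size_t)(end - p));
        field[count] = p;
        flen[count++] = (size_t)((colon ? colon : end) - p);
        if (colon == NULL) break;
        p = colon + 1;
    }
    if (count != 7) return PW_FIELDS;              /* fewer than seven */
    if (flen[0] == 0) return PW_NAME;              /* empty login name */
    if (!all_digits(field[2], flen[2]) || !all_digits(field[3], flen[3]))
        return PW_ID;                              /* uid/gid not decimal */
    return PW_OK;
}

int main(void)
{
    /* Constructed sample records, not taken from any real system. */
    const char *s[] = { "alice:x:1001:100:Alice:/home/alice:/bin/sh\n", "\n",
                        ":x:1002:100::/home/x:/bin/sh\n", "bob:x::100\n" };
    for (size_t i = 0; i < 4; i++)
        printf("record %zu -> %d\n", i + 1, (int)check_passwd_line(s[i]));
    return 0;
}
```

Any result other than PW_OK means the record should be rejected or flagged rather than returned to callers such as su or login with defaulted fields.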