Path: utzoo!attcan!uunet!peregrine!elroy!jpl-devvax!lwall
From: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Newsgroups: news.sysadmin
Subject: Re: A worm preventer!
Message-ID: <3462@jpl-devvax.JPL.NASA.GOV>
Date: 5 Nov 88 00:10:30 GMT
References: <5313@medusa.cs.purdue.edu>
Reply-To: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Organization: Jet Propulsion Laboratory, Pasadena, CA.
Lines: 49

In article <5313@medusa.cs.purdue.edu> spaf@arthur.cs.purdue.edu (Gene Spafford) writes:
: If there is an external variable in the library named "pleasequit" that is
: non-zero, the worm will die immediately after exiting.
: Thus, to kill any new worms, include a patch in your library that
: defines the symbol.  The following shell file and source code
: will modify your C library to define this symbol.
:
: It WON'T kill any currently linked and running versions, but it will
: prevent reinfection.

This is true as long as someone doesn't start a mutant version.  Not only
could you delete the "pleasequit" reference, but the patch for binary
sendmails that Keith sent out does not disable remote debugging!  It only
changes the command enabling it from "debug" to "", i.e. a simple CR will
enable debugging.  It wouldn't take much of a mutation to make use of that.

We've got to do more than inoculate sendmail against this particular
organism--we've got to plug the security hole.

A better binary patch involves finding the table which contains the
pointers to the strings such as "debug", which I think is called CmdTab.
With each string pointer is an integer which is an index into a switch
statement.  All you need to do is zap the integer that turns debugging on
into a zero, and you get a "Command not recognized" instead.

It's a little difficult to find the table with adb since your sendmail is
probably stripped.  You could do a hex longword od and find the address
that way, but I used bed (binary editor).  There's only one place in
sendmail that contains alternate longwords with string addresses and
consecutive integers, looking something like this:

	xxxxxxxx 00000001
	yyyyyyyy 00000002
	zzzzzzzz 00000003

You want to find that table, then find the entry that says 0000000b
(decimal 11) and change it to a zero.  (At least, the 11 is correct in
SunOS 3.5 and 4.3bsd; I haven't checked SunOS 4.0.)

If you have bed, you're basically done.  If not, you'll have to figure out
the location of the 11 and patch it with adb similarly to Keith's patch.
Then go through the usual rigamarole of restarting sendmail.

To verify, telnet localhost smtp and see if either "debug" or CR turns on
debugging.  If not, you blew it somewhere.

Good luck.

(If you want bed and can't get to uunet, it's in my ftp directory on this
machine (128.149.8.43).)

Larry Wall
lwall@jpl-devvax.jpl.nasa.gov
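The table search and zero-the-index patch the post walks through, as an added example that is not Larry Wall's bed/adb procedure and not sendmail's own code. It assumes the layout the post sketches: pairs of a 32-bit string pointer and a 32-bit dispatch index counting up from 1, stored big-endian as on a 68k SunOS 3.5 host (the endianness is a parameter, since the post's 4.3bsd VAX would be little-endian), with the "debug" entry carrying index 11 as the post states for those two systems. The "binary" it patches is a fabricated byte string built inline, the constants and function names are my own, and the post's own caveat stands: on any other sendmail build the index of the debug case has to be confirmed first.

```python
"""
Constructed demonstration of the CmdTab binary patch described in the post.
Added example code, not Larry Wall's or sendmail's.  Labelled assumptions:
the table is an array of (32-bit string pointer, 32-bit dispatch index)
pairs with indices counting up from 1; it is 4-byte aligned; the "debug"
entry has index 11 (the post's value for SunOS 3.5 and 4.3bsd); and the
image below is fabricated, not a real stripped sendmail.
"""
import struct
from typing import Optional, Tuple

DEBUG_INDEX = 11   # the 0000000b entry the post says to change to zero
MIN_ENTRIES = 4    # shortest run of consecutive entries accepted as the table


def find_cmdtab(image: bytes, endian: str = ">") -> Optional[Tuple[int, int]]:
    """Locate the first run of (pointer, 1), (pointer, 2), ... pairs.

    Returns (byte offset of the first entry, number of consecutive entries),
    or None if no run of at least MIN_ENTRIES exists.  Only 4-byte-aligned
    positions are tried, which is where a linker would place such a table,
    and a zero pointer terminates a run so padding never counts as an entry.
    """
    fmt = endian + "II"
    for start in range(0, len(image) - 7, 4):
        count = 0
        pos = start
        while pos + 8 <= len(image):
            ptr, idx = struct.unpack_from(fmt, image, pos)
            if ptr == 0 or idx != count + 1:
                break
            count += 1
            pos += 8
        if count >= MIN_ENTRIES:
            return start, count
    return None


def patch_debug_entry(image: bytes, endian: str = ">") -> Tuple[bytearray, int]:
    """Return a patched copy of image and the offset of the longword changed.

    The dispatch index of the entry equal to DEBUG_INDEX is overwritten with
    0, so the command lookup lands on "Command not recognized" instead of the
    debug case.  Raises ValueError if the table or the entry is not present.
    """
    found = find_cmdtab(image, endian)
    if found is None:
        raise ValueError("no CmdTab-like table found")
    start, count = found
    for i in range(count):
        entry = start + 8 * i
        _ptr, idx = struct.unpack_from(endian + "II", image, entry)
        if idx == DEBUG_INDEX:
            patched = bytearray(image)
            struct.pack_into(endian + "I", patched, entry + 4, 0)
            return patched, entry + 4
    raise ValueError("table found, but no entry with index %d" % DEBUG_INDEX)


def build_fake_sendmail(endian: str = ">") -> bytes:
    """Fabricated stand-in for a stripped sendmail (constructed input only):
    512 bytes of junk that cannot match, a 13-entry table with made-up
    string pointers, then 64 bytes of zero padding."""
    junk = bytes(range(256)) * 2
    table = b"".join(struct.pack(endian + "II", 0x20000 + 16 * i, i)
                     for i in range(1, 14))
    return junk + table + bytes(64)


if __name__ == "__main__":
    image = build_fake_sendmail()
    print("table at", find_cmdtab(image))
    patched, offset = patch_debug_entry(image)
    print("zeroed the longword at 0x%x" % offset)
```

On a real binary you would run `find_cmdtab` over the whole file, confirm by hand that the strings the pointers reference really are the SMTP verbs before touching anything, write the patched bytes back, and then do the post's telnet check that neither "debug" nor a bare CR enables debugging.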