Xref: utzoo news.admin:4047 comp.mail.uucp:2314
Path: utzoo!attcan!uunet!husc6!linus!heart-of-gold!jc
From: jc@heart-of-gold (John M Chambers)
Newsgroups: news.admin,comp.mail.uucp
Subject: Re: How safe is UUCP? (Was: Virus in the future?)
Message-ID: <178@heart-of-gold>
Date: 21 Nov 88 19:30:08 GMT
References: <74@dsoft.UUCP> <196@libove.UUCP> <8623@rpp386.Dallas.TX.US>
Organization: Mitre Corp, Bedford, MA, USA
Lines: 68

In article <8623@rpp386.Dallas.TX.US>, jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
> In article <196@libove.UUCP> root@libove.UUCP (Jay M. Libove) writes:
> |I allow the commands (in /usr/lib/uucp/L.cmds)
> |    rmail, /usr/lib/uucp/uucico, rnews, cunbatch, uucp, uux
> |
> |and my /usr/lib/uucp/USERFILE contains
> |    uucp, /
> |    , /
> |
> |So, how vulnerable am I?
>
> What did you say that phone number was?  This I have to take a crack
> at.  The /etc/passwd file should be snatchable with one simple UUCP
> command.  Then, several whiles of work should produce the root password,
> and since he is running stock SCO Xenix, I should be able to login as
> root over the serial line.

Hey, would you tell me (or even better, the newsgroup) how to do this?
I've tried it with quite a few uucp installations (as part of security
testing, of course :-), and the obvious ways usually fail.  If the local
administrators are on the ball, the USERFILE will prevent you from using
just rpp386!/etc/passwd (or ~root!etc/passwd), since they start with '/'.
Most versions of uucp silently drop any requests that contain "/../".
So you must know of some bug that allows you to reference /etc/passwd
without using any of these strings.  I'd like to hear about it, so I can
start looking for ways to stop you.

> Surprise Jay, all of your files have just been turned to mush.  And
> since I can get the L.sys info for your neighbors from your machine, I
> should be wreaking havoc on the net for days to come.

Normally, L.sys (or Systems) is owned by uucp and has 400 or 600
permissions; the uucico daemon runs as a different id, so it can't read
this file.  How do you get around that?  Oh, sure, if a uucp installation
uses the same uid for all uucp logins, it's easy, but no admin interested
in security would do something that silly, I hope.  There's also the
point that L.sys is outside the directory listed in the USERFILE, but I
guess your answer to the above paragraph will tell me how to get around
that.

> You lose.  Next victim.

Let's see; I can volunteer my home system.  There's a bit of a problem,
though: I could give out the phone number (and in fact, you can get it
from the uucp maps), but it won't answer.  I only allow outgoing calls,
because it's a home line used by humans, too.  Perhaps if you send me
your system's phone number plus uucico login info (or even better, post
it to the newsgroup like jfh@rpp386.Dallas.TX.US did :-), I can have my
system call yours, and you can have some bombs waiting for me.  OK?

I keep hearing all sorts of rumors about fatal uucp security bugs, but so
far I haven't been able to learn much about them.  Does someone have a
document describing them?  I don't mean the obvious ones (such as I've
hinted at above).  I mean bugs that are there even when you use all the
normal uucp security mechanisms.  Are the claims just sour grapes from
uucp's competitors, or does someone know things they aren't telling the
rest of us?

You'd think that, since the phone companies use uucp to download stuff
across the phone lines, there should be a lively group of uucp
equivalents of Phone Phreaks that are breaking in all over and
subverting the switches (which are mostly running Unix nowadays).  But I
haven't read about it yet.  Am I out of touch, or is this a problem?

--
From: John Chambers
From ...!linus!!heart-of-gold!jc (John Chambers 617/217-2285)
[The above opinions were packaged by volume, not by weight; some
settling of contents may have occurred during distribution.]
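The post turns on two USERFILE checks: a request path must fall under a directory the login is permitted, and requests containing "/../" are dropped. The following is an added illustration written for this page, not code from the post or from any uucp implementation. It contrasts the substring-style filter the post describes with a check that normalizes the path first and then compares on a directory boundary, and it shows why a USERFILE entry of "/" (as in Jay's configuration) places no restriction at all. The USERFILE table, login names and request paths are constructed for the example; the simplified USERFILE semantics (login -> list of permitted directory prefixes) are an assumption.

```python
# Added example (not from the original post or any uucp source):
# a USERFILE-style path restriction check, written from the defender's side.
import posixpath

# Constructed USERFILE-style table for this example only: login name ->
# directories that login may read from or write to. Not any real site's config.
USERFILE = {
    "uucp": ["/usr/spool/uucppublic"],
    "nuucp": ["/usr/spool/uucppublic", "/usr/lib/news/incoming"],
    # Jay's configuration from the post, reduced to this table's form:
    # a permitted directory of "/" means every absolute path is allowed.
    "jay_style": ["/"],
}


def substring_check(path, allowed):
    """The filter the post describes: drop anything containing '/../', then
    accept if the raw string begins with a permitted directory.
    Shown only for contrast with normalized_check()."""
    if "/../" in path:
        return False
    return any(path.startswith(d) for d in allowed)


def normalized_check(path, allowed):
    """Resolve '.' and '..' components first, then require that the result
    equals a permitted directory or lies strictly beneath it."""
    if not path.startswith("/"):
        # Relative requests and ~user forms are refused before any matching.
        return False
    norm = posixpath.normpath(path)
    for d in allowed:
        d = posixpath.normpath(d)
        prefix = d if d == "/" else d + "/"
        if norm == d or norm.startswith(prefix):
            return True
    return False


def is_unrestricted(allowed):
    """True if the permitted-directory list grants the whole filesystem,
    which is what a USERFILE line of 'login, /' amounts to."""
    return any(posixpath.normpath(d) == "/" for d in allowed)


def decide(login, path):
    """Return (allowed, reason) for one request, suitable for an audit log."""
    allowed = USERFILE.get(login)
    if allowed is None:
        return False, "unknown login %r" % login
    if normalized_check(path, allowed):
        if is_unrestricted(allowed):
            return True, "permitted: login %r is unrestricted (has '/')" % login
        return True, "permitted: %s under %s" % (path, allowed)
    return False, "refused: %s not under %s" % (path, allowed)


if __name__ == "__main__":
    # Constructed requests; the last one is the kind the post says admins
    # "on the ball" expect USERFILE to stop.
    for login, path in [
        ("uucp", "/usr/spool/uucppublic/report.txt"),
        ("uucp", "/usr/spool/uucppublic/../../../etc/passwd"),
        ("uucp", "~root/etc/passwd"),
        ("jay_style", "/etc/passwd"),
    ]:
        print(login, path, decide(login, path))
```

The point to take from `decide()` is that the reason string makes the policy visible: an installation whose every login resolves to "unrestricted" is exactly the one the post's first quoted reply is describing.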