Path: utzoo!attcan!uunet!ncrlnk!ncrcae!ece-csc!mcnc!rutgers!cmcl2!nrl-cmf!ames!amdahl!pyramid!prls!mips!sultra!dtynan
From: dtynan@sultra.UUCP (Der Tynan)
Newsgroups: news.admin
Subject: Re: How safe is UUCP? (Was: Virus in the future?)
Summary: UUCP is *not* safe.
Message-ID: <2654@sultra.UUCP>
Date: 14 Nov 88 22:52:07 GMT
References: <74@dsoft.UUCP> <196@libove.UUCP>
Organization: Tynan Computers, Sunnyvale, CA
Lines: 54

In article <196@libove.UUCP>, root@libove.UUCP (Jay M. Libove) writes:
>
> So, my question is this: What bugs are known about in the many assorted
> versions on UUCP software that the net at large is running? I, for myself,
> am most concerned about whatever version SCO Xenix 286 v2.2.1 runs, but I'm

As far as 'smail' is concerned, you cannot send mail to a process (yet!).
This will be changed in 3.0, but my guess is, the authors will make sure
that it is secure. The final onus is on you.

As for uucp, it is *not* safe. It has some bugs which I will publish soon.
I don't think there is a problem with "anonymous" UUCP, but that doesn't
mean I've tested it exhaustively either. I'll quote my new anti-virus
catch-phrase; "If in doubt, cut it out!". If you're worried about security
and anonymous uucp, I suggest turning it off until you are sure. As far as
site-to-site UUCP is concerned, make sure the 'control' files are safe.
See below.

>
> I allow the commands (in /usr/lib/uucp/L.cmds)
> rmail, /usr/lib/uucp/uucico, rnews, cunbatch, uucp, uux

Wrong. You should ONLY allow 'rnews' and 'rmail'. What you have is a big
security hole. For example, cunbatch is called by rnews only. None of the
other commands should be allowed. As an example, try logging in as UUCP.
If you have the 'x' protocol, you can pretend to be another uucico process.
Now, try transferring files from your root directory. If this works, you
have a problem. I found it takes quite a bit of 'playing around' with the
control files, before you can get it right.
For example, the *only* publicly accessible directory should be
/usr/spool/uucppublic. Anything else is bad news (unless you know what
you're doing). Unfortunately, when setting this up, it can break things.
Thus, logging in as uucp (or nuucp) can help. As a 'quick-n-dirty' rule
for L.cmds, if the first letter of the command is not 'r', it doesn't
belong in L.cmds. Of course, rsh is a BIG exception here. It should
*never* appear in L.cmds. Don't be gratuitous here. If you're not
convinced that the program is ABSOLUTELY necessary, keep it out.

>
> and my /usr/lib/uucp/USERFILE contains
> uucp, /
> , /
>
> So, how vulnerable am I?
> Jay Libove ARPA: jl42@andrew.cmu.edu or libove@cs.cmu.edu

I'd have to go and wade through the UUCP documentation again, but it seems
to me that your USERFILE will allow me (or anyone else) to copy *anything*
off your system. This is very wrong. Try simulating an attack on yourself,
by logging in as 'uucp' (or nuucp). See above.
						- Der
--
dtynan@sultra.UUCP  (Dermot Tynan @ Tynan Computers)
{mips,pyramid}!sultra!dtynan
--- God invented alcohol to keep the Irish from taking over the planet ---
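The two rules in the post (L.cmds holds nothing but rnews and rmail; USERFILE grants nothing outside /usr/spool/uucppublic) are easy to check mechanically before an administrator tries the self-attack Der Tynan describes. The Bourne shell script below is an added example written for this page, not code from the post or from any UUCP distribution. It assumes the Version 2 UUCP file formats the post refers to: one command per line in L.cmds (PATH= lines and comments skipped), and `login,system [c] path ...` on each USERFILE line, where an optional `c` requests callback and is not a path. The sample files it audits are constructed to reproduce the configuration quoted in the post. HoneyDanBer UUCP keeps the equivalent settings in a Permissions file instead, which this script does not parse.

```shell
#!/bin/sh
# Added example, not from the original post: audit Version 2 UUCP control
# files against the two rules given above. Assumptions: L.cmds lists one
# command per line (PATH= lines and comments are skipped), and each
# USERFILE line is "login,system [c] path ...". The sample files at the
# bottom are constructed here and reproduce the configuration quoted in
# the post.

ALLOWED_CMDS="rnews rmail"
PUBLIC_DIR="/usr/spool/uucppublic"

# Print each command in L.cmds that is not on the allow list.
lcmds_violations() {
    f=$1
    while read -r cmd _rest; do
        case "$cmd" in
            ''|\#*|PATH=*) continue ;;
        esac
        ok=0
        for a in $ALLOWED_CMDS; do
            [ "$cmd" = "$a" ] && ok=1
        done
        [ "$ok" -eq 0 ] && echo "$cmd"
    done < "$f"
    return 0
}

# Print "login,system path" for every USERFILE path that is not inside
# PUBLIC_DIR. A bare "/" (as in the quoted USERFILE) grants the whole disk.
userfile_violations() {
    f=$1
    while read -r who paths; do
        case "$who" in ''|\#*) continue ;; esac
        set -- $paths
        # An optional leading 'c' requests callback; it is not a path.
        [ "${1:-}" = "c" ] && shift
        for p in "$@"; do
            case "$p" in
                "$PUBLIC_DIR"|"$PUBLIC_DIR"/*) ;;
                *) echo "$who $p" ;;
            esac
        done
    done < "$f"
    return 0
}

# Report every violation; succeed (exit 0) only when both files are clean.
audit_uucp() {
    n=0
    for c in $(lcmds_violations "$1"); do
        echo "L.cmds: '$c' should be removed (only rnews and rmail belong here)"
        n=$((n + 1))
    done
    old_ifs=$IFS
    IFS='
'
    for entry in $(userfile_violations "$2"); do
        echo "USERFILE: entry '$entry' reaches outside $PUBLIC_DIR"
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 0 ]
}

# Constructed sample: the exact L.cmds and USERFILE quoted in the post.
demo=$(mktemp -d)
printf 'rmail\n/usr/lib/uucp/uucico\nrnews\ncunbatch\nuucp\nuux\n' > "$demo/L.cmds"
printf 'uucp, /\n, /\n' > "$demo/USERFILE"
if audit_uucp "$demo/L.cmds" "$demo/USERFILE"; then
    echo "control files look safe"
else
    echo "control files need attention"
fi
rm -rf "$demo"
```

Run against the quoted configuration it flags four commands in L.cmds and both USERFILE lines; the audit only reads the files, so it can be run from cron as a standing check that nobody has quietly widened the lists again.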