Xref: utzoo news.admin:4081 news.sysadmin:1690 comp.mail.uucp:2359
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!apple!vsi1!lmb
From: lmb@vsi1.UUCP (Larry Blair)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <1247@vsi1.UUCP>
Date: 27 Nov 88 07:07:30 GMT
References: <1227@vsi1.UUCP>
Organization: VICOM Systems Inc., San Jose, CA
Lines: 39

I'm getting very tired of dealing with requests for the hole, and it has
become a pretty open secret. At the end of this posting is the mail I've
been sending out.

I received about 300 requests; not very many. A number of the responses
bounced, 2 of them because AT&T doesn't know about its own machines.

A lot of people thought I was wrong to not just post in the first place.
I still think that while it will help some sites, it leaves a lot more
vulnerable. Maybe I'm paranoid, but not as much as the people who said
things like, "How do I know that you aren't mailing to 'news' just to
exploit some hole and destroy my system?"

One thing that bugs the hell out of me: it takes about 30 seconds to
create a mail alias, but a lot of supposed administrators sent me mail
like, "Gee, we don't have a 'news' user here."

--------------------------------------------------------------------------

The hole I have discovered in _many_ systems is the use of a script for
the automatic unsharing of maps. It would be trivially easy to forge a
map entry which contained commands to wreak damage to your system. There
is some danger even if you are running "uuhosts".

If your script does not do a "chroot" (uuhosts does), you and your
network are wide open for anything that can be done by the effective
user running the script. You run it as "news"? Can you say
"rm -f -r /usr/spool/news"?

Uuhosts is only slightly more protected. The mapsh program does a chroot
to limit any damage to the directory tree containing the unpacked maps.
All of the commands in the effective /bin allow the creation and
overwrite of files. The danger here is that, besides overwriting
everything in the directory tree including the programs in the /bin, you
can run the filesystem out of space or out of inodes. And since mapsh
runs as root, out of space means REALLY out of space. Planting Trojan
Horses is also possible.

Solution: Do not execute the map script. Write your own script to
unpack it.
-- 
Larry Blair   ames!vsi1!lmb   lmb%vsi1.uucp@ames.arc.nasa.gov
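The "write your own script to unpack it" advice, as an added example that is not part of Larry Blair's post or of uuhosts. It assumes a simplified shar layout in which each map file is introduced by a `cat > 'name' <<'SHAR_EOF'` (or `cat <<'SHAR_EOF' > 'name'`) line and terminated by `SHAR_EOF`; real map shars of the period varied, so the two regexes and the `SHAR_EOF` delimiter are assumptions. The point is that the archive is parsed, never handed to `sh`: any line that is not a blank, a comment, an `exit`, or one of the recognised here-document openers is refused, file names must be single relative components, a size cap guards the disk and inodes the post mentions, and files are written with `O_EXCL` so nothing existing is overwritten. The sample archives at the bottom are constructed.

```python
import os
import re

# Assumed shar layout (constructed, not the exact format of the 1988 map posts):
#   cat > 'u.usa.ca.1' <<'SHAR_EOF'        or        cat <<'SHAR_EOF' > 'u.usa.ca.1'
#   ...file contents...
#   SHAR_EOF
HEREDOC_A = re.compile(r"^cat\s*>\s*'?([^'\s]+)'?\s*<<\s*'SHAR_EOF'\s*$")
HEREDOC_B = re.compile(r"^cat\s*<<\s*'SHAR_EOF'\s*>\s*'?([^'\s]+)'?\s*$")

# A map file name is one path component: no '/', no leading '.', no leading '-'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnsafeShar(ValueError):
    """Raised for anything the unpacker is not willing to reproduce."""


def parse_map_shar(text, max_bytes=1_000_000):
    """Return {name: contents} for a map shar without executing any of it."""
    files = {}
    current, body, total = None, [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if current is not None:                     # inside a here-document
            if line == "SHAR_EOF":
                files[current] = "\n".join(body) + "\n"
                current, body = None, []
            else:
                total += len(line) + 1
                if total > max_bytes:               # cap what one archive may write
                    raise UnsafeShar(f"line {lineno}: archive exceeds {max_bytes} bytes")
                body.append(line)
            continue
        stripped = line.strip()
        # Comments, blank lines and the trailing exit are skipped, not run.
        if not stripped or stripped.startswith(("#", ":")) or stripped in ("exit", "exit 0"):
            continue
        m = HEREDOC_A.match(stripped) or HEREDOC_B.match(stripped)
        if not m:                                   # any other command is refused
            raise UnsafeShar(f"line {lineno}: refusing to run command {stripped!r}")
        name = m.group(1)
        if not SAFE_NAME.match(name) or name in files:
            raise UnsafeShar(f"line {lineno}: bad or duplicate file name {name!r}")
        current = name
    if current is not None:
        raise UnsafeShar(f"unterminated here-document for {current!r}")
    return files


def audit_map_shar(text):
    """(files, None) when the archive is acceptable, (None, reason) when it is not."""
    try:
        return parse_map_shar(text), None
    except UnsafeShar as exc:
        return None, str(exc)


def write_map_files(files, dest):
    """Create the parsed files under dest; O_EXCL refuses to overwrite or follow symlinks."""
    os.makedirs(dest, exist_ok=True)
    for name, content in files.items():
        fd = os.open(os.path.join(dest, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)


# Constructed sample: a benign map shar with one entry.
GOOD_SHAR = """\
: run sh on this file to unpack the map entries
cat > 'u.usa.ca.1' <<'SHAR_EOF'
#N\tvsi1
#O\tVICOM Systems Inc., San Jose, CA
vsi1\tames(DAILY)
SHAR_EOF
exit 0
"""

# Constructed sample: the same entry with a command smuggled in between files,
# the case the post warns about.  It is parsed, flagged and never executed.
BAD_SHAR = """\
cat > 'u.usa.ca.1' <<'SHAR_EOF'
#N\tvsi1
SHAR_EOF
rm -f -r /usr/spool/news
"""

if __name__ == "__main__":
    files, reason = audit_map_shar(GOOD_SHAR)
    print("good archive ->", sorted(files))
    files, reason = audit_map_shar(BAD_SHAR)
    print("bad archive  ->", reason)
```

Run it as a replacement for `sh` on the incoming map posting and feed the result to `write_map_files` only when `audit_map_shar` returns no reason; the refusal message names the offending line so the administrator can see what the forged entry tried to do.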