Xref: utzoo news.sysadmin:1783 comp.unix.wizards:13113
Path: utzoo!utgpu!watmath!clyde!att!rutgers!mit-eddie!bloom-beacon!bu-cs!encore!gloom!cory
From: cory@gloom.UUCP (Cory Kempf)
Newsgroups: news.sysadmin,comp.unix.wizards
Subject: Re: Trojan horse possible with news readers
Summary: now you see it... ...now you don't
Message-ID: <213@gloom.UUCP>
Date: 2 Dec 88 17:49:02 GMT
References: <6775@rosevax.Rosemount.COM>
Organization: Alloy Computer Products, Framingham, Mass.
Lines: 39

In article <6775@rosevax.Rosemount.COM>, news@rosevax.Rosemount.COM (News administrator) writes:
> I don't know if this has been discussed before, but here goes...
>
> Many news reading programs (rn, vnews, others?) allow you to include the
> original text when following-up or replying-to articles. The
> default editor is usually vi; some versions of vi will execute
> commands if it sees a line (near the top or bottom of a file)
> of the form <:><:>

for that matter, the berkeley mailer also allows you to do so...

the above example is fairly simple... the following example is a bit
more complex... and a bit more dangerous...

NOTE: If you attempt to edit this file using the vi editor, it will
(if your system is vulnerable) echo a blank line, followed by the
word "BOOM" followed by a blank line... the usenet software allows ^H,
so you won't see anything until it is too late.

NOW can we get the <:> mis-feature eliminated? please?

(BTW, How many of you SysAdmins out there use vi? and read news? and
su root from a directory that you have write access in? and use vi as
root from that directory? Wouldn't it be easier to post the password
for root on your system? (if you don't see how this might be a problem,
send me e-mail))

If you do edit this file, you will note a line containing many ^H's...
what if I had after that a command to delete all lines beginning with
<:>?

+C
--
Cory Kempf
UUCP: encore.com!gloom!cory
Now you see it... ex:!sh -c 'echo;echo BOOM;echo: ...Now you don't.
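
Added example, not part of the original post or of any news software: a Python check that a news or mail front end could run on article text before passing it to an editor. It flags `ex:`/`vi:` lines like the one in the signature above and reports whether ^H overstriking hides them on a terminal. The names `scan`, `rendered` and `strip_controls`, the trigger pattern and the sample text are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Assumed trigger form: "ex:" or "vi:" at line start or after a blank,
# as in the post's signature. Adjust it to what your editor honours.
MODELINE = re.compile(r"(?:^|[ \t])(ex|vi):(.*)")
# Control characters except tab and newline; ^H (backspace) is \x08.
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

class Finding(NamedTuple):
    lineno: int         # 1-based line number in the article
    trigger: str        # "ex" or "vi"
    shell_escape: bool  # command text contains "!"
    hidden: bool        # trigger is no longer visible once ^H is applied

def rendered(line: str) -> str:
    """Return what a terminal displays: ^H moves left, later text overwrites."""
    cells, col = [], 0
    for ch in line:
        if ch == "\b":
            col = max(col - 1, 0)
        else:
            cells[col:col + 1] = [ch]  # overwrite in place, or append at the end
            col += 1
    return "".join(cells)

def scan(text: str) -> List[Finding]:
    """Flag every modeline-like line; quoting can move a line to the file's edge."""
    findings = []
    for n, raw in enumerate(text.split("\n"), 1):
        m = MODELINE.search(raw)
        if m:
            hidden = MODELINE.search(rendered(raw)) is None
            findings.append(Finding(n, m.group(1), "!" in m.group(2), hidden))
    return findings

def strip_controls(text: str) -> str:
    """Drop control characters so an overstruck line shows up in full."""
    return CONTROL.sub("", text)

# Constructed sample: the signature line from the post, with the ^H run rebuilt.
PAYLOAD = "ex:!sh -c 'echo;echo BOOM;echo:"
HIDDEN = ("Now you see it... " + PAYLOAD + "\b" * len(PAYLOAD)
          + "...Now you don't.".ljust(len(PAYLOAD)))
SAMPLE = "An ordinary line mentioning the index: nothing here.\n" + HIDDEN

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(strip_controls(SAMPLE).split("\n")[-1])
```

Running `strip_controls` on the text before display or quoting makes the overstruck command visible; `scan` gives the front end a reason to refuse to open the editor on it.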