Path: utzoo!attcan!uunet!lll-winken!ames!mailrus!purdue!decwrl!decvax!ima!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: news.admin
Subject: Re: Is uunet a security hole?
Message-ID: <9@minya.UUCP>
Date: 8 Jan 89 16:41:00 GMT
References: <10420@rpp386.Dallas.TX.US>
Organization: (none)
Lines: 54

In article <10420@rpp386.Dallas.TX.US>, jfh@rpp386.dallas.tx.us (The Beach Bum) writes:
>
> ... the scenario is that a cracker
> tries to gain access to a site using `uunet' as its system name and
> sees what is available.
>
> Well, this is exactly what happened here today.  Below are the log
> entries from an aborted attempt:
>
> uucp uunet (12/27-15:42) OK (startup)
> uucp uunet (12/27-15:42) REQUESTED (S D.rpp386c3ec27 X.rpp386C6c3e yls - yls)
> yls uunet (12/27-15:42) REQUESTED (R /usr/mail/uucp /usr/spool/uucppublic yls -dc dummy 777 yls)
> yls uunet (12/27-15:42) USERFILE: access denied (/usr/mail/uucp)
> yls uunet (12/27-15:42) REQUESTED (R /etc/passwd /usr/spool/uucppublic/passrpp yls -dc dummy 777 yls)
> yls uunet (12/27-15:42) USERFILE: access denied (/etc/passwd)
> yls uunet (12/27-15:42) OK (conversation complete)
> uucp br549 (12/27-15:42) yls XQT DENIED (uucp -C /usr/spool/uucppublic/* br549!/usr/spool/uucppublic )
>

This reminds me of one complaint I've always had about UUCP, and which the
new, improved documentation for hdb hasn't helped much.  There are all these
nice log files that look like they should help a lot in the task of
diagnosing such attacks.  But the logs are rather cryptic, and it's not
always clear just what's going on.  It would help a whole lot if someone
could provide a detailed manual on how to interpret UUCP logs.

For instance, I've noticed that the first two fields, which obviously
contain ids and sysnames, can refer to either end of the connection.  In
comparing log entries with what actually happened, I find it quite
difficult to determine what the rules are.  In the above example, is "yls"
an id on the sending or receiving end?  Or should the terms be
"originating" and "accepting" or "master" and "slave"?  Sure, you can
determine in this case by looking at the password file, but sometimes the
id is in both files.  In the last line, is "uucp" referring to the id on
rpp386 or br549 or the pseudo-uunet?

To make effective use of the logs for tracking down security problems, it
would help a lot if I could look at a log entry and say EXACTLY what it
means.  Right now, I work mostly on the basis of what it COULD mean, and
quite a bit of the log turns out to be ambiguous.

Note that I'm not criticising the existing UUCP security, which I find
quite a bit better than any of its competitors.  The complaint is about the
still-incomplete documentation.  I understand that it takes time to do all
this, and the log files are rather version-dependent (in addition to being
an internal file of a proprietary package), and all that.  Still, it would
be a big help if it were better documented.  This is definitely a case
where secrecy and obscurity helps those trying to violate security, and
administrators would be helped a lot by full documentation.

-- 
John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)

[Any errors in the above are due to failures in the logic of the keyboard,
not in the fingers that did the typing.]
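An added example, not part of the post above and not code from any UUCP distribution: a small Python parser for log lines in the shape quoted in the article, which pulls out the denied requests and groups them by the two leading fields. It assumes the layout visible in the quoted lines (an id, a system name, a parenthesised mm/dd-hh:mm stamp, a status, and an optional parenthesised detail) and, as the post says the meaning of the first two fields is ambiguous, it deliberately does not guess which end of the connection either one names. The sample log is the quoted one, retyped; any other field names are the author's assumptions.

```python
"""Parse HDB-style UUCP log lines and report the denied requests.

Hypothetical example written for this page. Field names follow the post:
the first field is an id and the second a system name; which end of the
connection each refers to is left open, exactly as the post leaves it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the log entries quoted in the post, retyped verbatim.
SAMPLE_LOG = """\
uucp uunet (12/27-15:42) OK (startup)
uucp uunet (12/27-15:42) REQUESTED (S D.rpp386c3ec27 X.rpp386C6c3e yls - yls)
yls uunet (12/27-15:42) REQUESTED (R /usr/mail/uucp /usr/spool/uucppublic yls -dc dummy 777 yls)
yls uunet (12/27-15:42) USERFILE: access denied (/usr/mail/uucp)
yls uunet (12/27-15:42) REQUESTED (R /etc/passwd /usr/spool/uucppublic/passrpp yls -dc dummy 777 yls)
yls uunet (12/27-15:42) USERFILE: access denied (/etc/passwd)
yls uunet (12/27-15:42) OK (conversation complete)
uucp br549 (12/27-15:42) yls XQT DENIED (uucp -C /usr/spool/uucppublic/* br549!/usr/spool/uucppublic )
"""

# Assumed layout: <id> <sysname> (<mm/dd-hh:mm>) <status> [(<detail>)]
# The status may contain spaces ("USERFILE: access denied", "yls XQT DENIED");
# the trailing parenthesised detail is optional and may itself contain spaces.
LINE_RE = re.compile(
    r"^(?P<ident>\S+)\s+(?P<sysname>\S+)\s+\((?P<when>[^)]*)\)\s+"
    r"(?P<status>.*?)(?:\s+\((?P<detail>.*)\))?\s*$"
)


@dataclass
class Entry:
    ident: str    # first field: an id (post: could belong to either end)
    sysname: str  # second field: a system name (same caveat)
    when: str     # mm/dd-hh:mm as logged
    status: str   # e.g. "OK", "REQUESTED", "USERFILE: access denied"
    detail: str   # contents of the trailing parentheses, "" if absent


@dataclass
class Summary:
    requests: int = 0
    denials: int = 0
    denied: list = field(default_factory=list)  # path or command named in each denial


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Entry(m["ident"], m["sysname"], m["when"],
                 m["status"].strip(), (m["detail"] or "").strip())


def parse_log(text: str) -> list:
    """Parse every non-blank line; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def is_denial(entry: Entry) -> bool:
    """Both denial forms in the sample carry the word DENIED/denied in the status."""
    return "denied" in entry.status.lower()


def denials(entries: list) -> list:
    return [e for e in entries if is_denial(e)]


def summarize(entries: list) -> dict:
    """Group by (id, sysname): how many requests, how many denials, what was denied."""
    out = defaultdict(Summary)
    for e in entries:
        s = out[(e.ident, e.sysname)]
        if e.status == "REQUESTED":
            s.requests += 1
        if is_denial(e):
            s.denials += 1
            s.denied.append(e.detail)
    return dict(out)


if __name__ == "__main__":
    for key, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key[0]:>6} {key[1]:>6}: {s.requests} requested, "
              f"{s.denials} denied {s.denied}")
```

Run against the quoted log, the summary reports the two USERFILE denials under the (yls, uunet) pair, naming /usr/mail/uucp and /etc/passwd, and the XQT denial under (uucp, br549); the (uucp, uunet) pair shows one request and no denial. That grouping is the most the log format itself supports: deciding whether "yls" or "uucp" names a local account or a remote one, the question the post raises, still needs the password file and the site's own configuration.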