[comp.sys.att] Security problem on UNIX PC's

lenny@quincy.UUCP (09/23/87)

Security problem #1:

Under release 3.5 or more.  Send mail to yourself on 3B1, wait for the
<MAIL ENVELOPE> icon and then press either <MSG> or point to it with mouse and
press <B1>.  You immediately get thrown into mail, with your message displaying
and at the ? prompt type:  !sh   "Look ma, I'm root!"

Security problem #2:

A lot of people keep "tutor" with no password and widely distribute their
dialup number.  Tutor, a non-expert user, can't run the shell?! Or can they?
Create a file in the Filecabinet, editor either "vi" or "ed" and do a ":!sh"
in vi or "!sh" in ed, and wha-la!

Security problem #3:

Mail setup... UUCP phone numbers and passwords in the L.sys file are normally
protected so that NON-SUPERUSER people cannot hack them!  Go into mail setup
(any user... even Tutor) and you can get all the necessary hacking information!
Bad!!!!

Any others would be appreciated!!

					-Lenny

-- 
Lenny Tropiano               ...seismo!uunet!swlabs!godfre!quincy!lenny  -or-
American LP Systems, Inc.           ...cmcl2!phri!gor!helm!quincy!lenny  -or-
1777-18 Veterans Memorial Hwy.   	          ...mtune!quincy!lenny  -or
Islandia, New York 11722     +1 516-582-5525 ...ihnp4!icus!quincy!lenny

sean@killer.UUCP (09/24/87)

In article <54@quincy.UUCP>, lenny@quincy.UUCP (Lenny Tropiano) writes:
> Security problem #2:
> 
> A lot of people keep "tutor" with no password and widely distribute their
> dialup number.  Tutor, a non-expert user, can't run the shell?! Or can they?
> Create a file in the Filecabinet, editor either "vi" or "ed" and do a ":!sh"
> in vi or "!sh" in ed, and wha-la!
> 

	This one's easy:  assign tutor a password! :-)

	There is also another way for tutor to get a shell.  While in Office
of tutor the user has only to type /bin/sh or /bin/ksh, and the User Agent will
run the shell.  This works for ANY user not having "EXPERT" status.  The
password solution will keep unwanted folks from getting in as tutor, but I dunno
how one would prevent this security problem once tutor has logged in
successfully.

> Security problem #3:
> 
> Mail setup... UUCP phone numbers and passwords in the L.sys file are normally
> protected so that NON-SUPERUSER people cannot hack them!  Go into mail setup
> (any user...even Tutor) and you can get all the necessary hacking information!

	My solution here was to edit /usr/lib/ua/Administration.  Remove any
entries from this file that you don't want everyone using, and put them in
the install login's personal Administration file (/u/install/Administration).
In fact, the only things I left in /usr/lib/ua/Administration are "Changing
Password" and "System Information"; I moved the rest to install's
Administration.  As an extra measure of security on L.sys (or Systems, as the
case may be) I set the permissions to 640.  If you do this you'll have to
change the file's group to mail, so that the AT&T Electronic Mail software can
read it.

							Sean

dpw@unisec.usi.com (Darryl P. Wagoner) (09/26/87)

Yes, indeed these are problems.  The mail hole can be fixed by my
email program that I posted a month or so ago.  It solves the problem
by setting the user's id before it execs elm or mailx.

If anyone would like a copy, drop me a line and I will mail it to you.

I am going to offer ideas on other holes and solutions without
spelling out how to exploit them.  Please don't followup and try to show
how bright you are by telling the world how to break in with these holes.

As I pointed out before the fire sale, the Unix PC has a few other 
security problems.  Namely:

	/usr/lib/ua/uasetx and /usr/lib/ua/uasig

one of these or maybe both can be used for privileged commands from the
UA.   You can put a "EXEC -w -p $SHELL for your Unix System in your 
office and get a root shell.   The only way to prevent this is to make
a "super" group of those people that you trust and change mode of
these commands to 4710 mode.

Next, it seems that on 3.51 "/" is 777 mode.  I will not point out
the problem with that but you should fix it.

Also, a generic System V hole.  Don't use a .profile to startup
a captive program such as a BBS or info about the system and how
to get an account.  These types of programs should be the default
shell and must be compiled programs (not scripts).
-- 
Darryl Wagoner		dpw@unisec.usi.com
UniSecure Systems, Inc.; 			OS/2, No Unix!
Newport,  RI; (401)-849-0857 
UUCP:  {gatech|cbosgd|uiucdcs|ihnp4}!rayssd!unisec!dpw
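
The fix described in the post above, setting the user's id before exec'ing the mailer, shown as an added example (not Darryl Wagoner's program and not part of the original thread). The mailer path `MAILER` and the function name `drop_privileges` are assumptions.

```c
/* Added example: give up set-UID/set-GID privilege, then exec the mailer. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed path; the thread names elm and mailx but gives no location. */
#define MAILER "/usr/bin/mailx"

/*
 * Drop any set-UID/set-GID privilege for good.
 * Returns 0 on success, -1 if the drop failed or could be undone.
 */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: after the uid is dropped we may not be allowed to. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /*
     * Prove the drop is permanent. A set-UID-root program loses its saved
     * uid in setuid(); a program set-UID to a non-root owner keeps it, and
     * this check catches that case. Skipped when the caller is root.
     */
    if (ruid != 0 && euid != ruid && setuid(euid) == 0)
        return -1;
    if (ruid != 0 && egid != rgid && setgid(egid) == 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (drop_privileges() != 0) {
        fprintf(stderr, "refusing to start mailer with privilege\n");
        return 1;
    }
    /* From here on, a "!sh" typed at the mailer prompt runs as the caller. */
    execv(MAILER, argv);
    perror(MAILER);
    return 127;
}
```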

gwyn@brl-smoke.ARPA (Doug Gwyn ) (09/27/87)

In article <54@quincy.UUCP> lenny@quincy.UUCP (Lenny Tropiano) writes:
>Security problem #1:
>Security problem #2:
>Security problem #3:

The moral is, "privileges" (set-UIDness) should be given only to small,
isolated processes that carefully perform simple tasks, NOT to fancy
interactive interfaces.

Second moral:  It's hard to provide a guaranteed controlled environment
that is also featureful.  Chroot can help with this, but by the time
sufficient useful facilities are placed into the new environment, it's
not much safer than an uncontrolled environment.

daveb@geac.UUCP (Brown) (09/27/87)

In article <6478@brl-smoke.ARPA> gwyn@brl.arpa (Doug Gwyn (VLD/VMB) <gwyn>) writes:
>Second moral:  It's hard to provide a guaranteed controlled environment
>that is also featureful.  Chroot can help with this, but by the time
>sufficient useful facilities are placed into the new environment, it's
>not much safer than an uncontrolled environment.

  This has been dealt with to a limited degree in the second version
of "Secure Xenix[1]".  The trusted shell[2] is a table-driven command
interpreter with a facility to set the "role" of the user, which
serves to set the tables that she can use. I.e., if I'm the auditor and
the filesystem maintainer, I can issue both filesystem and auditing commands.
  This is known as an "open subsystem", and was first popularized by
ICL (you know, the English mainframers).  It is the opposite of a
"closed subsystem" like mail or <your favorite editor>.

 --dave

1. Xenix is a Trademark of Microsoft.
2. Hecht et al., "UNIX without the Superuser", in "Conference
   Proceedings of the Summer 1987 USENIX Technical Conference and
   Exposition".
-- 
 David Collier-Brown.                 {mnetor|yetti|utgpu}!geac!daveb
 Geac Computers International Inc.,   |  Computer Science loses its
 350 Steelcase Road,Markham, Ontario, |  memory (if not its mind)
 CANADA, L3R 1B3 (416) 475-0525 x3279 |  every 6 months.

mike@turing.unm.edu.unm.edu (Michael I. Bushnell) (10/12/87)

In article <1487@geac.UUCP> daveb@geac.UUCP (Dave Collier-Brown) writes:
>.....
>  This is known as an "open subsystem", and was first popularized by
>ICL (you know, the English mainframers).  It is the opposite of a
>"closed subsystem" like mail or <your favorite editor>.

Nope.  <my favorite editor> is GNU emacs.  It isn't a closed
subsystem, rather, it allows E-Lisp to execute any command.

.
.
.

Sigh.




					Michael I. Bushnell
					a/k/a Bach II
					mike@turing.unm.edu
					{ucbvax,gatech}!unmvax!turing!mike
---
Tex SEX!  The HOME of WHEELS!  The dripping of COFFEE!!  Take me
 to Minnesota but don't EMBARRASS me!!
				-- Zippy the Pinhead