[news.sysadmin] How to plug a Trojan Horse

trn@aplcomm.jhuapl.edu (Tony Nardo) (12/17/88)

First, an apology.  When I wrote my original question, someone pointed out
that the form of my query implied Mr. Ellozy would not report a system
security hole, but would exploit it.  I did not mean to suggest this, and
would like to apologize to Mr. Ellozy for this implication.

And now, to summarize the suggestions I received in response to:

> [...] if you discovered one of these [security] holes, and realized that
> 	a second worm could very easily be written to exploit it, what would
> 	*you* do?

-------------------------------------------------------------------------------

David Goodenough (dg@lakart.UUCP) wrote:

I would try to do what Chuq Von Rospach did. He posted a "fix" that allowed
me to turn off the feature in sendmail and fingerd that caused the problem.
HOWEVER, he did this in such a way that it was not immediately deducible
from the fix how to use the wormhole. The sendmail patch involved "turning
off" the debug option by destroying a string that some parser was looking
for. So it has something to do with debugging, but I'm damned if I can find
anything more about it.

The bottom line is that I say "Well done" to Chuq, and IF I found such a
security hole, I'd post a fix. Actually I already did - this related
to the secure setuid script problem. I just wrote a program that removed
the security problem, and posted the source. It was only about 50 lines,
but the idea is there. Admittedly this can't be used to infiltrate someone
else's system, but ANYTHING that helps tighten security around UNIX is
a good thing.

-------------------------------------------------------------------------------

Greg Lockwood (root@acc-sb-unix.arpa) wrote:

If a security hole is discovered, it seems the obvious thing to
do is to report it to your vendor.  In this way, that vendor, who
is the only one with a list of its customers, can contact them
and disseminate the information.  Obviously, you don't want to
spread the information about the holes via the net, or other means
where non-customers can get to it.

This implies that each vendor keeps a record of its customers and
can mail to them.  Rather than make this a free service, I think
most sites would be willing to pay a nominal fee to the vendor
for this service, and the vendor, by making such an offer, insulates
itself (to some extent) from legal liability inherent in the original
leaky software.

Just an idea.

-------------------------------------------------------------------------------

hadron!jsdy@uunet.uu.net (Joe Yao) wrote:

IF TIME PERMITTED, I'd send diffs of the fix out to the world without
explaining it - those who are authorized to make the fix will probably
be able to see what the problem is, and put it in future releases.

Unfortunately, time has not always permitted.