[news.sysadmin] Trojan horse possible with news readers

news@rosevax.Rosemount.COM (News administrator) (12/02/88)

I don't know if this has been discussed before, but here goes...

Many news reading programs (rn, vnews, others?) allow you to include the
original text when following-up or replying-to articles.  The
default editor is usually vi; some versions of vi will execute
commands if it sees a line (near the top or bottom of a file)
of the form <e><x><:><command><:>

To see if your setup is vulnerable, start a (R)eply to
me, then abort it (I don't want your cards & letters).  If
you have the bug, a file called 'NEWSBUG' will appear in /tmp
on your system, containing "any command".  Caveat Editor.

I don't fix 'em, I just report 'em.

-----
Merlyn LeRoy
 ex:!sh -c 'echo any command'>/tmp/NEWSBUG:

jsdy@hadron.UUCP (Joseph S. D. Yao) (12/03/88)

In article <6775@rosevax.Rosemount.COM> merlyn@ernie.rosemount.com writes:
>			   ... some versions of vi will execute
>commands if it sees a line (near the top or bottom of a file)
>of the form <e><x><:><command><:>

System V Release 3 has a "modelines" attribute, which defaults to
"nomodelines".  This is a Very Good Idea (defaulting to off).

I have added other necessary fixes.  The check is, roughly, to find
the first ':' and then check for the previous two characters' match
with "ex" or "vi".  The necessary fixes are:
	(1) Check that the ':' is not one of the first two
	    characters, otherwise you will be checking against
	    non-existent characters on that line.
	(2) Check that either the ':' is exactly the third
	    character on the line, or that the third character
	    back isspace().  Otherwise, lines like:
levi:PASSWORD DELETED:Dolly Levi of Upstate NY:/usr/levi:/match
	    will trigger the "feature".

	Joe Yao			uunet!hadron!jsdy

lmb@vsi1.UUCP (Larry Blair) (12/03/88)

In article <6775@rosevax.Rosemount.COM> merlyn@ernie.rosemount.com writes:
=Many news reading programs (rn, vnews, others?) allow you to include the
=original text when following-up or replying-to articles.  The
=default editor is usually vi; some versions of vi will execute
=commands if it sees a line (near the top or bottom of a file)
=of the form <e><x><:><command><:>

The newsreader I use (rn) prepends a string to the included text.
I don't believe that those braindamaged versions of vi will execute:

> ex:!sh -c 'echo any command'>/tmp/NEWSBUG:
-- 
Larry Blair   ames!vsi1!lmb   lmb%vsi1.uucp@ames.arc.nasa.gov

cory@gloom.UUCP (Cory Kempf) (12/03/88)

In article <6775@rosevax.Rosemount.COM>, news@rosevax.Rosemount.COM 
(News administrator) writes:
> I don't know if this has been discussed before, but here goes...
> 
> Many news reading programs (rn, vnews, others?) allow you to include the
> original text when following-up or replying-to articles.  The
> default editor is usually vi; some versions of vi will execute
> commands if it sees a line (near the top or bottom of a file)
> of the form <e><x><:><command><:>

for that matter, the berkeley mailer also allows you to do so...

the above example is fairly simple... the following example is a bit
more complex... and a bit more dangerous...

NOTE:
If you attempt to edit this file using the vi editor, it will (if your
system is vulnerable) echo a blank line, followed by the word "BOOM"
followed by a blank line... the usenet software allows ^H, so you 
won't see anything until it is too late.  NOW can we get the 
<e><x><:> mis-feature eliminated?  please?

(BTW, How many of you SysAdmins out there use vi? and read news? and su root
from a directory that you have write access in? and use vi as root from that
directory?  Wouldn't it be easier to post the password for root on your system?
(if you don't see how this might be a problem, send me e-mail))

If you do edit this file, you will note a line containing many ^H's... 
what if I had after that a command to delete all lines beginning with 
<e><x><:>?

+C
--
Cory Kempf
UUCP:	encore.com!gloom!cory

Now you see it...
ex:!sh -c 'echo;echo        BOOM;echo:
...Now you don't.

guy@auspex.UUCP (Guy Harris) (12/03/88)

>The default editor is usually vi; some versions of vi will execute
>commands if it sees a line (near the top or bottom of a file)
>of the form <e><x><:><command><:>

Note that some versions of "ex"/"vi" can be told to ignore mode lines,
and both the 4.3BSD and S5R3 version appear to turn them off by default.
Any user who has turned them *on* (by saying "set modeline" in the
4.3BSD version, or "set modelines" in the S5R3 version), is vulnerable.

Note also that it will also accept lines of the form "vi:<command>:",
and some earlier versions also accept "ei" or "vx".

badri@valhalla.ee.rochester.edu (Badri Lokanathan) (12/03/88)

In article <1261@vsi1.UUCP>, lmb@vsi1.UUCP (Larry Blair) writes:
> I don't believe that those braindamaged versions of vi will execute:
> 
> > ex:!sh -c 'echo any command'>/tmp/NEWSBUG:

Yes it will (at least the version of ex documented in the Mt. Xinu
user docs,) since the caveats are 
	(0) modeline must be set
	(1) The line should appear in the first or last 5 lines
	(2) The string ex: or vi: preceded by a tab or a space may be
	    anywhere in the line and anything after the : is
	    interpreted as editor commands.

The only safeguard is to disable modeline.
-- 
"We will fight for the right to be free {) badri@ee.rochester.edu
 We will build our own society         //\\ {ames,cmcl2,columbia,cornell,
 And we will sing, we will sing       ///\\\ garp,harvard,ll-xn,rutgers}!
 We will sing our own song."  -UB40    _||_   rochester!ur-valhalla!badri
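
An added example, not part of the thread: a small Python pre-filter that applies the rules Joe Yao and Badri Lokanathan spell out above (only the first and last five lines count; the "ex:"/"vi:" tag must start the line or follow a blank or tab, so "levi:..." does not trigger; everything after the tag's ':' up to the next ':' is what the editor would run). It reports any modeline it finds, flags the ones that begin with an ex shell escape ('!'), and can break the tag so the included text is safe to hand to an editor whose modeline option cannot be turned off. The sample reply text, the "ei"/"vx" tags (which Guy Harris says older versions also honour) and the choice of inserting a blank after the tag as the neutralisation are my own assumptions, not anything a newsreader of the time did.

```python
"""Detect ex/vi modelines in text before handing it to an editor.

Rules as described in the thread: the editor only honours the first and
last five lines of a file, and the tag only counts at the start of a line
or after a blank/tab.  The text between the tag's ':' and the next ':'
(or the end of the line) is what would be run as ex commands.
"""
import re
from typing import List, NamedTuple

MODELINE_WINDOW = 5                    # first/last N lines the editor inspects
TAGS = ("ex", "vi", "ei", "vx")        # "ei"/"vx": older versions, per the thread
_TAG = "(" + "|".join(TAGS) + ")"
# (?<![^ \t\n]) == "preceded by nothing, a blank, a tab, or a newline"
MODELINE_RE = re.compile(r"(?<![^ \t\n])" + _TAG + r":(.*?)(?::|$)")
TAG_RE = re.compile(r"(?<![^ \t\n])" + _TAG + r":")


class Modeline(NamedTuple):
    lineno: int       # 1-based line number in the scanned text
    tag: str          # which tag matched ("ex", "vi", ...)
    command: str      # text the editor would execute as ex commands
    shell: bool       # True when the command is an ex shell escape ('!...')


def window_lines(lines):
    """Yield (lineno, line) for the lines an editor would examine."""
    n = len(lines)
    head = range(min(n, MODELINE_WINDOW))
    tail = range(max(0, n - MODELINE_WINDOW), n)
    return [(i + 1, lines[i]) for i in sorted(set(head) | set(tail))]


def find_modelines(text: str) -> List[Modeline]:
    """Return every modeline an ex/vi of this vintage would honour in `text`."""
    hits = []
    for lineno, line in window_lines(text.splitlines()):
        for m in MODELINE_RE.finditer(line):
            cmd = m.group(2)
            hits.append(Modeline(lineno, m.group(1), cmd,
                                 cmd.lstrip().startswith("!")))
    return hits


def defang(text: str) -> str:
    """Break every tag ("ex:" -> "ex :") so no version of the editor matches it.

    Applied to the whole text, not just the window, because the included
    text ends up at an unknown position in the reply file.
    """
    return TAG_RE.sub(r"\1 :", text)


# Constructed sample: a reply that quotes the posted trap line, followed by
# the passwd-style line from the thread that a sloppy check would misfire on.
SAMPLE_REPLY = "\n".join([
    "In article <constructed> someone writes:",
    "> Many news readers let you include the original text.",
    "> ex:!sh -c 'echo any command'>/tmp/NEWSBUG:",
    "levi:x:Dolly Levi of Upstate NY:/usr/levi:/match",
])

if __name__ == "__main__":
    for hit in find_modelines(SAMPLE_REPLY):
        kind = "SHELL ESCAPE" if hit.shell else "ex command"
        print(f"line {hit.lineno}: {hit.tag}: {kind}: {hit.command!r}")
    print(defang(SAMPLE_REPLY))
```

Run the filter over included text before it is written to the temporary file the newsreader hands to $EDITOR; anything it reports is exactly what a modeline-enabled vi would execute.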

news@ivucsb.UUCP (Todd Day) (12/04/88)

In article <1627@valhalla.ee.rochester.edu> badri@valhalla.ee.rochester.edu (Badri Lokanathan) writes:
~The only safeguard is to disable modeline.

vi on the UNIXPC allows this behaviour, yet I see no way to disable it!
It defaults to modelines, yet there is no command to disable it.

And the UNIXPC is supposed to be SVR3...
 

Todd Day | ..!pyramid!comdesign!ivucsb!todd | todd@ivucsb.UUCP

"Why is she wrong?  Because *she* is a *girl*, and *this* is *science*!"

guy@auspex.UUCP (Guy Harris) (12/04/88)

 >I don't believe that those braindamaged versions of vi will execute:
 >
 >> ex:!sh -c 'echo any command'>/tmp/NEWSBUG:

They will (I tried it).

wcf@psuhcx.psu.edu (Bill Fenner) (12/05/88)

In article <1261@vsi1.UUCP> lmb@vsi1.UUCP (Larry Blair) writes:
|In article <6775@rosevax.Rosemount.COM> merlyn@ernie.rosemount.com writes:
|=Many news reading programs (rn, vnews, others?) allow you to include the
|=original text when following-up or replying-to articles.  The
|=default editor is usually vi; some versions of vi will execute
|=commands if it sees a line (near the top or bottom of a file)
|=of the form <e><x><:><command><:>
|
|The newsreader I use (rn) prepends a string to the included text.
|I don't believe that those braindamaged versions of vi will execute:
|
|> ex:!sh -c 'echo any command'>/tmp/NEWSBUG:

Mine did... after seeing the above, with both a | and a > in front of it.
It did it when I replied to his message, and it did it when I followed up
to this one.

Lovely.

  Bill
-- 
    Bitnet: wcf@psuhcx.bitnet     Bill Fenner     | "Ain't got no cash,
   Internet: wcf@hcx.psu.edu                      |  Ain't got no style
  UUCP: {gatech,rutgers}!psuvax1!psuhcx!wcf       |  Ain't got no girls 
 Fido: Sysop at 263/42 (814/238 9633)  \hogbbs!wcf|  To make me smile"

erict@flatline.UUCP (j eric townsend) (12/05/88)

In article <415@ivucsb.UUCP>, news@ivucsb.UUCP (Todd Day) writes:
> In article <1627@valhalla.ee.rochester.edu> badri@valhalla.ee.rochester.edu (Badri Lokanathan) writes:
> ~The only safeguard is to disable modeline.
> vi on the UNIXPC allows this behaviour, yet I see no way to disable it!
> It defaults to modelines, yet, there is no command to disable it.

There was, recently, a patch posted to unix-pc.sources that takes care
of modeline.

> And the UNIXPC is supposed to be SVR3...

Ha.  Ha ha ha.  See the summary.

> "Why is she wrong?  Because *she* is a *girl*, and *this* is *science*!"
This guy (from Saturday Night Live) taught at my high school, I think.


-- 
"It's hard being a Devo fan these days.  It's not cool to be a Devo
fan anymore.  It takes courage."  -- Devo, at their '88 Houston show
J. Eric Townsend -- smail: 511 Parker #2, Houston, Tx, 77007
UUCP:  uunet!sugar!flatline!erict
..!bellcore!tness1!/

cory@gloom.UUCP (Cory Kempf) (12/06/88)

a few days ago, I posted an article in which I implied that it would
be possible to get root access to a machine just by sending mail or
posting an article that was replied to.  This article wasn't supposed
to make it out, but it did anyway.  (damned cancel didn't work)

Anyway, a number of people have written asking how this worked.

the Sysadmin, while not root (UID=user), reads news/mail and replies.
the default editor is vi.  The last few lines of the letter/article
contain lines of the sort <e><x><:>cmd<:>.  The last of these lines
causes all lines beginning with <e><x><:> to be deleted.  The rest
create/modify the .exrc file in the CURRENT working directory (if
write access is allowed) to probe for write access to /etc/passwd,
and if it is allowed, include a line like 
"suser::0:0:Super User:/:/bin/csh"
into the /etc/passwd file.  So, when the Sysadmin su's to root, 
and then executes vi, vi looks in the CURRENT working directory for
a file named .exrc, and executes that.

And that is how vi's modelines bug can be exploited to give root
access even if you never read news/mail as root (nb: instead of modifying
the /etc/passwd file, it could just check the UID, and if it is 0 do
an 'rm -rf / &').

+C

-- 
Cory (the last person to escape alive from riverside) Kempf
UUCP: encore.com!gloom!cory
	"...it's a mistake in the making."	-KT
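
An added example, not part of the thread: the second half of the chain above depends on vi reading a .exrc out of the current working directory when the administrator starts it as root. The Python audit below, written for this page rather than taken from any tool of the time, looks at one directory and reports the conditions that make that dangerous: a .exrc is present, it (or the directory) is writable by group or world, it is owned by someone else, and it contains ex shell escapes ('!' commands) that would run on start-up. The scratch directory and the harmless .exrc it plants are constructed for the demonstration.

```python
"""Audit a directory for the .exrc hazard described in the thread.

Classic vi/ex sources ./.exrc on start-up, so a .exrc that someone else can
write in a directory you later run vi from as root is a privilege escalation.
"""
import os
import shutil
import stat
import tempfile
from typing import Optional

EXRC = ".exrc"
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_exrc_dir(path: str, uid: Optional[int] = None) -> dict:
    """Report whether starting vi in `path` could pick up an untrusted .exrc."""
    uid = os.getuid() if uid is None else uid
    dst = os.stat(path)
    findings = {
        "dir": path,
        "dir_group_or_world_writable": bool(dst.st_mode & GROUP_OR_WORLD_WRITE),
        "dir_owned_by_other": dst.st_uid != uid,
        "exrc_present": False,
        "exrc_group_or_world_writable": False,
        "exrc_owned_by_other": False,
        "exrc_shell_escapes": 0,
    }
    exrc = os.path.join(path, EXRC)
    try:
        est = os.lstat(exrc)               # lstat: a symlink counts as present too
    except FileNotFoundError:
        return findings
    findings["exrc_present"] = True
    findings["exrc_group_or_world_writable"] = bool(est.st_mode & GROUP_OR_WORLD_WRITE)
    findings["exrc_owned_by_other"] = est.st_uid != uid
    # Count lines that are ex shell escapes; these run the moment vi starts.
    with open(exrc, errors="replace") as fh:
        findings["exrc_shell_escapes"] = sum(
            1 for line in fh if line.lstrip().startswith("!"))
    return findings


def is_risky(findings: dict) -> bool:
    """A .exrc that someone other than you could have written or altered."""
    return findings["exrc_present"] and (
        findings["exrc_owned_by_other"]
        or findings["exrc_group_or_world_writable"]
        or findings["dir_group_or_world_writable"]
    )


def demo_audit(plant_exrc: bool = True) -> dict:
    """Constructed scenario: a scratch directory, optionally holding a
    group/world-writable .exrc with one harmless shell escape in it."""
    scratch = tempfile.mkdtemp(prefix="exrc-audit-")
    try:
        if plant_exrc:
            target = os.path.join(scratch, EXRC)
            with open(target, "w") as fh:
                fh.write("set ts=4\n!echo this line would run when vi starts\n")
            os.chmod(target, 0o666)        # the "write access is allowed" case
        return audit_exrc_dir(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    report = demo_audit()
    for key, value in report.items():
        print(f"{key}: {value}")
    print("RISKY" if is_risky(report) else "ok")
```

Running audit_exrc_dir over the directories an administrator habitually su's from (home directories, /tmp, shared source trees) finds the planted files the post describes; the durable fix is the one the thread keeps coming back to, an editor that does not source files from an untrusted working directory.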

boyd@necisa.necisa.oz (Boyd Roberts) (12/07/88)

In article <576@auspex.UUCP> guy@auspex.UUCP (Guy Harris) writes:
>
> >I don't believe that those braindamaged versions of vi will execute:
> >
> >> ex:!sh -c 'echo any command'>/tmp/NEWSBUG:
>
>They will (I tried it).

And it does on Sys V2.2 -- yuk!

And you can't unset modeline, 'cos vi claims there isn't such an option.

My kingdom for sam!  And, a jerq!


Boyd Roberts			NEC Information Systems Australia

boyd@necisa.necisa.oz

``When the going gets weird, the weird turn pro...''