spaf@cs.purdue.edu (Gene Spafford) (11/04/88)
FLASH!! Kevin ("Adb's your friend.") Braunsdorf of Purdue CC just burst into my office with a cure discovered in the disassembled worm binary.

If there is an external variable in the library named "pleasequit" that is non-zero, the worm will die immediately after starting. Thus, to kill any new worms, include a patch in your library that defines the symbol. The following shell file and source code will modify your C library to define this symbol.

It WON'T kill any currently linked and running versions, but it should prevent reinfection. If you install this and a reinfection occurs, please notify us all immediately!

# Shar archive.  Give the following as input to /bin/sh
# Packed Thu Nov 3 21:56:35 EST 1988 by spaf@uther.cs.purdue.edu
#
# This archive contains:
#	foo.sh
#	foo.c
#
#
echo x - foo.sh
sed 's/^X//' >foo.sh <<'*-*-END-of-foo.sh-*-*'
Xcc -c foo.c -o foo.o
Xcp /lib/libc.a /lib/libc.a.old
Xar q /lib/libc.a foo.o
Xranlib /lib/libc.a
*-*-END-of-foo.sh-*-*
echo x - foo.c
sed 's/^X//' >foo.c <<'*-*-END-of-foo.c-*-*'
Xint pleasequit = -1;
*-*-END-of-foo.c-*-*
exit
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu	uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) (11/05/88)
In article <5313@medusa.cs.purdue.edu> spaf@arthur.cs.purdue.edu (Gene Spafford) writes:
: If there is an external variable in the library named "pleasequit" that is
: non-zero, the worm will die immediately after exiting.
: Thus, to kill any new worms, include a patch in your library that
: defines the symbol. The following shell file and source code
: will modify your C library to define this symbol.
:
: It WON'T kill any currently linked and running versions, but it will
: prevent reinfection.
This is true as long as someone doesn't start a mutant version.
Not only could you delete the "pleasequit" reference, but the patch for
binary sendmails that Keith sent out does not disable remote debugging!
It only changes the command enabling it from "debug" to "", i.e. a
simple CR will enable debugging. It wouldn't take much of a mutation
to make use of that. We've got to do more than inoculate sendmail
against this particular organism--we've got to plug the security hole.
A better binary patch involves finding the table which contains the
pointers to the strings such as "debug", which I think is called CmdTab.
With each string pointer is an integer which is an index into a switch
statement. All you need to do is zap the integer that turns debugging
on into a zero, and you get a "Command not recognized" instead.
It's a little difficult to find the table with adb since your sendmail is
probably stripped. You could do a hex longword od and find the address
that way, but I used bed (binary editor). There's only one place in
sendmail that contains alternate longwords with string addresses and
consecutive integers, looking something like this:
xxxxxxxx 00000001
yyyyyyyy 00000002
zzzzzzzz 00000003
You want to find that table, then find the entry that says 0000000b (decimal 11)
and change it to a zero. (At least, the 11 is correct in SunOS 3.5 and 4.3bsd;
I haven't checked SunOS 4.0.).
If you have bed, you're basically done. If not, you'll have to figure out the
location of the 11 and patch it with adb similarly to Keith's patch. Then go
through the usual rigamarole of restarting sendmail.
To verify, telnet localhost smtp and see if either "debug" or CR turns on
debugging. If not, you blew it somewhere.
Good luck.
(If you want bed and can't get to uunet, it's in my ftp directory on this
machine (128.149.8.43).)
Larry Wall
lwall@jpl-devvax.jpl.nasa.gov
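The table hunt Larry describes, written out as an added example (not code from either post, and not how bed or adb do it): scan a binary for the first longword-aligned run of (string pointer, integer) pairs whose integers count 1, 2, 3, ..., then zero the integer of the entry carrying the index that enables debugging so the dispatch falls through to "Command not recognized". It assumes big-endian 32-bit longwords and 8-byte entries laid out as in the sketch above, works on a constructed byte string standing in for a stripped sendmail, and takes 11 as the target index only because that is the value the post gives for SunOS 3.5 and 4.3bsd.

```python
import struct

# Assumption: big-endian 32-bit longwords (Sun-3 / 4.3bsd on a big-endian host).
# On a little-endian host such as a VAX, set ENDIAN = "<".
ENDIAN = ">"
# One table entry: a pointer to the command string, then the switch index.
ENTRY = struct.Struct(ENDIAN + "II")


def read_table(blob, off):
    """Return the (pointer, index) pairs of a table at `off` whose indices
    run 1, 2, 3, ... with no gap; an empty list if `off` is not such a table."""
    entries = []
    while off + ENTRY.size <= len(blob):
        ptr, idx = ENTRY.unpack_from(blob, off)
        if idx != len(entries) + 1:        # sequence broken: table ends here
            break
        entries.append((ptr, idx))
        off += ENTRY.size
    return entries


def find_cmd_table(blob, min_entries=3):
    """Offset of the first longword-aligned run of at least `min_entries`
    consecutive (pointer, 1), (pointer, 2), ... pairs, or None.
    This is the 'alternate longwords with consecutive integers' pattern
    the post says appears only once in sendmail."""
    for off in range(0, len(blob) - ENTRY.size * min_entries + 1, 4):
        if len(read_table(blob, off)) >= min_entries:
            return off
    return None


def disable_command(blob, target_idx):
    """Return (patched_copy, file_offset_of_patched_longword) with the
    integer of the entry whose index == target_idx rewritten to 0.
    Raises ValueError if no table or no such entry is found."""
    off = find_cmd_table(blob)
    if off is None:
        raise ValueError("no command table found")
    for n, (_ptr, idx) in enumerate(read_table(blob, off)):
        if idx == target_idx:
            pos = off + n * ENTRY.size + 4   # integer half of the pair
            patched = bytearray(blob)
            struct.pack_into(ENDIAN + "I", patched, pos, 0)
            return bytes(patched), pos
    raise ValueError(f"index {target_idx} not present in table at {off:#x}")


def build_sample(n_entries=12, base_ptr=0x0000B0F0):
    """Constructed stand-in for a stripped binary: filler, a 12-entry
    table with indices 1..12, more filler. Returns (blob, table_offset)."""
    head = b"\xde\xad\xbe\xef" * 5                       # 20 bytes of filler
    table = b"".join(ENTRY.pack(base_ptr + 8 * i, i + 1)
                     for i in range(n_entries))
    tail = b"\x00" * 16
    return head + table + tail, len(head)


if __name__ == "__main__":
    blob, _ = build_sample()
    patched, pos = disable_command(blob, 11)
    print(f"table at {find_cmd_table(blob):#x}, zeroed longword at {pos:#x}")
    # Re-read: the run now stops at entry 10, since entry 11 reads 0.
    print("entries still dispatching:", len(read_table(patched, find_cmd_table(patched))))
```

The scan steps by 4 because the post finds the table with a longword od; on a real file you would read the whole a.out into `blob`, write `patched` back out (after copying the original aside, as Gene's shell file does for libc), and then run the telnet check the post ends with.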