[ca.unix] Internet Virus: SunOS patches

chuq@plaid.Sun.COM (Chuq Von Rospach) (11/08/88)

The following modifications have been approved by Sun Microsystems
Customer Support to fix the current Internet Virus problem.  This is a
set of patches designed to prevent the propagation of the Internet
'worm' that has infected Sun-3 and Vax computers. There are two parts to
this fix:

	1) an adb patch that closes a security hole in sendmail.
	2) a new version of the file /usr/etc/in.fingerd.

If you have any questions about this patch or if the instructions don't
match what you see, contact Sun Microsystems Customer Support via the
800-USA4SUN phone number, via the hotline@sun.com e-mail address, or send
e-mail to Chuq Von Rospach at chuq@sun.com (uucp form: ..!sun!chuq). 

A few notes on the worm. It affects only machines with SMTP-based
connections to computer networks. If your machines are not connected to
outside organizations or are connected only by uucp, you are not at
risk and you may choose to not install these patches. If you do have a
connection with an outside organization (either on the Internet or with
an organization that might have an Internet connection) you are
potentially at risk of infestation. The connections with potential risk
are those that allow you to access another system via commands like
rlogin or telnet. If that is not possible, you are not at risk.

This worm is benign. Its primary purpose is to find other systems in which
to replicate. It does no damage to your system other than sapping system
resources. Under some circumstances, it can make systems crash due to
resource exhaustion, but otherwise causes few problems.

The worm was specifically targeted at Sun-3 and Vax computers. While the
security hole exists on Sun-2 and Sun-4 machines, they are not at risk from
the current virus. We recommend that you install these patches on any
machine that acts as a gateway between your organization and the rest of the
network and on any machine whose network address is publicly available to
the Internet. We recommend installing these patches on every machine. These
patches are not Sun-specific; they should work for all Berkeley-based Unix
systems.

These patches will work on Sun-2, Sun-3 and Sun-4 machines under releases
3.x and 4.0 and 386i machines under 4.0. Only Sun-3 machines running 3.x
are at risk from the current worm, but all machines are potentially at risk
for future variations of this attack, so every system should be corrected.

Patching sendmail:

The following instructions should be used to fix the security hole in 
sendmail:

	1) log onto the system as root
	2) make a copy of sendmail
		# cd /usr/lib
		# cp sendmail sendmail.debug
	3) find the offset for the debug option in sendmail:
		# strings -o -a sendmail | egrep debug
		124882 debug
	   [note: this number will vary depending on architecture and
	    release. Make sure you use the number appropriate for your
	    system!]
	4) start adb:
		# adb -w sendmail
	   [note: adb does not print user prompts. Just type at it]
	5) put adb into base 10:
		[type the string:] ?m 0 0xffffffff 0
		[there is no response from adb]
		[type the string:] 0t10$d
		[adb responds:] radix=10 base ten
	6) verify the address of the debug option:
		[type the string:] 124882?s
		[adb should respond:] 124882:		debug
	   [note: make sure you use the correct number for your system here]
	7) disable the debug option:
		[type the string:] 124882?w 65535
		[adb should respond:] 124882:		25701	=      65535
	   [note: make sure you use the correct number for your system here]
	8) exit adb:
		^D
		#
	9) kill off your sendmail daemon and restart it. 
		# ps -ax | grep sendmail
		1563 ?  I     0:00 /usr/lib/sendmail -bd -q17m
		1849 p4 S     0:00 grep -i sendmail
		# kill 1563
		# /usr/lib/sendmail -bd -q17m &

	10) verify the debug option is disabled:
		# /usr/etc/mconnect
		connecting to host localhost (127.0.0.1), port 25
		connection open
		220 [system dependent header information here]
		[type: ] debug
		500 Command unrecognized
		[type: ] quit
		221 plaid.Sun.COM closing connection

Installing a new fingerd:

Attached to the end of this message is a new version of the program
/usr/etc/in.fingerd. This version fixes a security hole in that program.

To install this on your system, save the program to a file named
in.fingerd.c. Then compile the program with:

	% cc -O  -o in.fingerd in.fingerd.c

Install the new fingerd as follows:

	% su
	# cp in.fingerd /usr/etc/in.fingerd.new
	# cd /usr/etc
	# mv in.fingerd in.fingerd.orig
	# mv in.fingerd.new in.fingerd
	# chown root in.fingerd
	# chmod 755 in.fingerd

Then reboot your system to re-initialize the daemons.

----- Begin of file in.fingerd.c -----
/*
 * Copyright (c) 1983 Regents of the University of California.
 * All rights reserved.  The Berkeley software License Agreement
 * specifies the terms and conditions for redistribution.
 */

#ifndef lint
char copyright[] =
"@(#) Copyright (c) 1983 Regents of the University of California.\n\
 All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)in.fingerd.c 1.4 88/02/08 SMI"; /* from UCB 5.1 6/6/85 */
#endif /* not lint */

/*
 * Finger server.
 *
 * Started by inetd with the accepted TCP connection on descriptors 0
 * and 1.  The security fix is the bounded fgets() read of the request
 * line: the unpatched server read it with gets(), which has no length
 * limit, so an over-long request overran the 512-byte stack buffer.
 *
 * The extra headers, the ANSI function definitions and the NAV bound on
 * the argument vector are additions to this listing so that it compiles
 * cleanly on current systems; they are not part of the Sun file.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <unistd.h>

#define NAV	8	/* "finger", "-l", a name, the terminating NULL, and slack */

static void fatal(char *prog, char *s);

int
main(int argc, char *argv[])
{
	char *sp;
	char line[512];
	struct sockaddr_in sin;
	socklen_t len;
	int i, pid, status;
	int p[2];
	FILE *fp;
	char *av[NAV];

	(void) argc;

	/* Refuse to run on anything that is not a connected socket. */
	len = sizeof (sin);
	if (getpeername(0, (struct sockaddr *)&sin, &len) < 0)
		fatal(argv[0], "getpeername");

	/* Read one request line; never more than sizeof(line) - 1 bytes. */
	line[0] = '\0';
	(void) fgets(line, sizeof(line), stdin);

	/* Turn "[/W] name" into an argument vector for finger(1). */
	sp = line;
	av[0] = "finger";
	i = 1;
	while (1) {
		if (i + 2 >= NAV)	/* each pass may add two entries; keep room for NULL */
			break;
		while (isspace((unsigned char)*sp))
			sp++;
		if (!*sp)
			break;
		if (*sp == '/' && (sp[1] == 'W' || sp[1] == 'w')) {
			sp += 2;
			av[i++] = "-l";		/* /W asks for the long listing */
		}
		if (*sp && !isspace((unsigned char)*sp)) {
			av[i++] = sp;
			while (*sp && !isspace((unsigned char)*sp))
				sp++;
			/* sp is left on the terminator, so only the first name is passed on */
			*sp = '\0';
		}
	}
	av[i] = 0;

	/* Run finger with its output on a pipe; copy it out with CRLF line ends. */
	if (pipe(p) < 0)
		fatal(argv[0], "pipe");
	if ((pid = fork()) == 0) {
		close(p[0]);
		if (p[1] != 1) {
			dup2(p[1], 1);
			close(p[1]);
		}
		execv("/usr/local/finger", av);
		execv("/usr/ucb/finger", av);
		printf("No local finger program found\n");
		fflush(stdout);
		_exit(1);
	}
	if (pid == -1)
		fatal(argv[0], "fork");
	close(p[1]);
	if ((fp = fdopen(p[0], "r")) == NULL)
		fatal(argv[0], "fdopen");
	while ((i = getc(fp)) != EOF) {
		if (i == '\n')
			putchar('\r');
		putchar(i);
	}
	fclose(fp);
	while ((i = wait(&status)) != pid && i != -1)
		;
	return 0;
}

static void
fatal(char *prog, char *s)
{
	fprintf(stderr, "%s: ", prog);
	perror(s);
	exit(1);
}
----- end of in.fingerd.c -----

----- end of virus patch message -----
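What steps 3, 6 and 7 of the sendmail patch actually do, and a way to confirm the result on the binary itself, as an added example that is not Sun's code and not part of the post: `strings -o` reports the file offset of the NUL-terminated "debug" string in sendmail's SMTP command table; after `?m 0 0xffffffff 0` adb addresses are file offsets, so `?w 65535` overwrites the first two bytes ('d','e' = 0x64,0x65, which a big-endian Sun-2/3/4 shows as the word 25701) with 0xFFFF, and the command name no longer matches anything a client can send. The code scans an image for an intact "debug" string and reports whether the patch is in place; the sample image is constructed here as a stand-in for the command table, and the 386i note assumes a 16-bit little-endian read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offset of the first NUL-terminated "debug" string in the image, or -1.
 * This is the number `strings -o -a sendmail | egrep debug` prints in step 3. */
long find_debug_string(const unsigned char *img, size_t len)
{
    static const char needle[] = "debug";   /* five letters plus the NUL */
    size_t n = sizeof needle;
    size_t off;

    for (off = 0; off + n <= len; off++)
        if (memcmp(img + off, needle, n) == 0)
            return (long)off;
    return -1;
}

/* The 16-bit word adb's ?w reads at off.  Sun-2/3/4 are big-endian, so the
 * bytes 'd','e' (0x64,0x65) read as 0x6465 = 25701, the value shown in step 7.
 * A little-endian 386i reads the same two bytes as 0x6564 = 25956 (assumption). */
unsigned word_at(const unsigned char *img, size_t off, int big_endian)
{
    return big_endian ? ((unsigned)img[off] << 8) | img[off + 1]
                      : ((unsigned)img[off + 1] << 8) | img[off];
}

/* Step 7's `?w 65535`: overwrite the word so the string no longer reads "debug". */
void patch_word(unsigned char *img, size_t off, unsigned value, int big_endian)
{
    unsigned char hi = (unsigned char)(value >> 8), lo = (unsigned char)value;

    img[off]     = big_endian ? hi : lo;
    img[off + 1] = big_endian ? lo : hi;
}

/* 1 when no intact "debug" string remains in the image. */
int debug_disabled(const unsigned char *img, size_t len)
{
    return find_debug_string(img, len) < 0;
}

/* Constructed stand-in for the command table of an unpatched sendmail:
 * a run of NUL-terminated SMTP verbs, laid out the way strings(1) sees them. */
size_t sample_image(unsigned char *buf, size_t cap)
{
    static const unsigned char tbl[] = "helo\0mail\0rcpt\0data\0debug\0quit\0";
    size_t n = sizeof tbl - 1;   /* drop the literal's own trailing NUL */

    if (n > cap)
        return 0;
    memcpy(buf, tbl, n);
    return n;
}

/* Read a whole file into *out; returns its length, 0 on error. */
static size_t slurp(const char *path, unsigned char **out)
{
    FILE *fp = fopen(path, "rb");
    long sz;
    size_t got = 0;

    *out = NULL;
    if (fp == NULL)
        return 0;
    if (fseek(fp, 0, SEEK_END) == 0 && (sz = ftell(fp)) > 0 &&
        fseek(fp, 0, SEEK_SET) == 0 && (*out = malloc((size_t)sz)) != NULL)
        got = fread(*out, 1, (size_t)sz, fp);
    fclose(fp);
    return got;
}

/* Usage: ./checkdebug /usr/lib/sendmail   (exit 0 = patched, 1 = not patched) */
int main(int argc, char **argv)
{
    unsigned char *img;
    size_t n;
    long off;

    if (argc != 2) {
        fprintf(stderr, "usage: %s /usr/lib/sendmail\n", argv[0]);
        return 2;
    }
    if ((n = slurp(argv[1], &img)) == 0) {
        perror(argv[1]);
        return 2;
    }
    off = find_debug_string(img, n);
    if (off < 0)
        printf("%s: no intact \"debug\" string; the patch appears to be in place\n", argv[1]);
    else
        printf("%s: \"debug\" at offset %ld (big-endian word %u); NOT patched\n",
               argv[1], off, word_at(img, (size_t)off, 1));
    free(img);
    return off < 0 ? 0 : 1;
}
```

The scan only establishes that no "debug" string followed by a NUL survives anywhere in the file. If `strings` on your system lists more than one line matching debug, the step-3 offset identifies the command-table entry and the first match this tool reports may be a different string; compare the offsets before trusting the verdict.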
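Step 10 checks the running daemon by hand through mconnect. The following is an added example, not from the post and not Sun's code, that automates the same check so it can be run against every host after the patch: it connects to the SMTP port, waits for the greeting, sends `debug` and classifies the reply. A 5xx reply is the rejection the patched daemon gives ("500 Command unrecognized"); a 2xx reply means the command was accepted and the patch is not in place. The host and port are parameters; 127.0.0.1 and 25 in main are an assumption for a local test, and the multi-line reply handling follows the SMTP "NNN-" continuation convention.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

enum debug_state { DEBUG_DISABLED = 0, DEBUG_ENABLED = 1, DEBUG_UNKNOWN = 2 };

/* "NNN-text" continues a reply; "NNN text" (or a bare "NNN") ends it. */
int smtp_final_line(const char *line)
{
    return strlen(line) >= 3 &&
           isdigit((unsigned char)line[0]) && isdigit((unsigned char)line[1]) &&
           isdigit((unsigned char)line[2]) && line[3] != '-';
}

/* Classify the final reply line to the "debug" command. */
enum debug_state classify_reply(const char *reply)
{
    if (!smtp_final_line(reply))
        return DEBUG_UNKNOWN;
    if (reply[0] == '5')
        return DEBUG_DISABLED;   /* e.g. "500 Command unrecognized" after the patch */
    if (reply[0] == '2')
        return DEBUG_ENABLED;    /* the unpatched daemon accepts the command */
    return DEBUG_UNKNOWN;
}

/* Read one CRLF-terminated line into buf; returns its length or -1 on EOF/error. */
static int read_line(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    char c;

    while (n + 1 < cap) {
        ssize_t r = read(fd, &c, 1);
        if (r <= 0)
            return -1;
        if (c == '\n')
            break;
        if (c != '\r')
            buf[n++] = c;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Read a whole (possibly multi-line) reply; the final line is left in buf. */
static int read_reply(int fd, char *buf, size_t cap)
{
    do {
        if (read_line(fd, buf, cap) < 0)
            return -1;
    } while (!smtp_final_line(buf));
    return 0;
}

/* Connect to host:port, send "debug", and report how the server answered. */
enum debug_state probe_debug(const char *host, int port)
{
    struct sockaddr_in sin;
    char buf[512];
    enum debug_state st = DEBUG_UNKNOWN;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return DEBUG_UNKNOWN;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host, &sin.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return DEBUG_UNKNOWN;
    }
    /* greeting must be 220; then the command under test; then a polite quit */
    if (read_reply(fd, buf, sizeof buf) == 0 && buf[0] == '2' &&
        write(fd, "debug\r\n", 7) == 7 &&
        read_reply(fd, buf, sizeof buf) == 0)
        st = classify_reply(buf);
    (void) write(fd, "quit\r\n", 6);
    close(fd);
    return st;
}

int main(void)
{
    static const char *names[] = { "disabled (5xx reply)", "ENABLED (2xx reply)", "unknown" };
    enum debug_state st = probe_debug("127.0.0.1", 25);   /* assumed local test target */

    printf("sendmail debug command: %s\n", names[st]);
    return st == DEBUG_DISABLED ? 0 : 1;
}
```

The exit status makes the probe usable from a loop over a host list after a site-wide patch run; anything other than a 5xx reply, including a server that never sends a 220 greeting, is reported as not verified rather than as patched.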

ulmo@ssyx.ucsc.edu (scritzifchisted ulmo qzutvchsxik) (11/09/88)

I'm a totally ignorant Unix user, but there are a few common sense things
I might add to this having to do with permissions of old copies lying around,
in case you didn't remember:

In article <76493@sun.uucp> chuq@plaid.Sun.COM (Chuq Von Rospach) writes:
>Patching sendmail:
>	2) make a copy of sendmail
>		# cd /usr/lib
>		# cp sendmail sendmail.debug

		# chmod 644 sendmail.debug
			[or something as effective]
			[use chmod 000 if you're totally paranoid]

>Installing a new fingerd:
>	% su
>	# cp in.fingerd /usr/etc/in.fingerd.new
>	# cd /usr/etc
>	# mv in.fingerd in.fingerd.orig

	# chmod 644 in.fingerd.orig


I know, this has got to be really petty.  But, now that everyone knows
how debug works, it's probably best to make sure someone doesn't use those
good old root powers for something they've been wanting to do for a while ...
(for the most part, I guess people are pretty good about this sort of thing).

(I have no affiliation, so ignore any implied organization.)