ajt@mace.cc.purdue.edu (Andrew J Thomas) (11/09/88)
Most of you are probably aware of the worm ("virus") that spread around the network last week. The worm spread by three methods: password guessing, a sendmail bug, and a fingerd bug. Any VMS systems running TCP/IP software may be vulnerable to future viruses/worms. There are two things to check for: the smtp server, and the finger server.

We are running the Wollongong TCP/IP software (no eunice). The smtp server does not have the debug mode enabled, so it is not subject to attack. This can be checked by telnetting to the smtpd port and typing 'debug'. If it accepts the debug command, you have a potential security hole.

The second bug is in the finger server. The finger server can read in an optional line of username(s). The bug is that it doesn't check to see if the line exceeds the buffer size. If it does, it overwrites memory. You can check this by telnetting to the fingerd port and entering a line longer than 512 chars. If you get no finger response, or get an error message, you have a potential problem. I am not sure how it could be exploited. The Wollongong fingerd program has this bug.

I was unable to get the fixed BSD fingerd.c to work. However, I did come up with a solution that seems to work. I copied [netdist.user]finger.exe to [netdist.serv]fingerd.exe. This change takes effect as soon as the file is copied, no need to reboot. I've done this on our system and it works fine.

Why does this work? The Wollongong fingerd has a "feature" that causes it to ignore username parameters (even though it can overrun the buffer reading them) and will just give a list of logged-on users, even if information about one user is requested. Since the finger program will not read input, it won't overrun the buffer. Its default output is the same as fingerd, but without the bug. The usual disclaimers apply to this solution.

I don't know about the CMU TCP/IP code. Since it is written in bliss, and not just a straight port of BSD to VMS, it may not have any problems. If anybody knows for sure, I would like to know, and I am sure others would also.

Andy Thomas
ajt@bilbo.bio.purdue.edu
ajt@j.cc.purdue.edu
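The fingerd bug in the post above is a missing length check when the optional username line is read into a fixed 512-byte buffer. The following is an added example, not code from the post or from any of the fingerd implementations it mentions: a request-line reader that keeps the 512-byte buffer but enforces the bound the vulnerable server lacked, rejecting and draining an overlong line instead of overwriting memory (the same idea as the fixed BSD fingerd.c, whose fix replaced the unbounded gets() read with a bounded one). The in-memory "connection" struct, the status codes and the sample inputs are constructed for the example; the 512-byte figure is the one the post gives.

```c
/* Added example: bounded reading of a finger request line.
 * Not from the original post; the connection abstraction below stands in
 * for a socket so the code runs offline on constructed input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 512   /* buffer size cited in the post */

enum req_status { REQ_OK, REQ_EMPTY, REQ_TOO_LONG, REQ_EOF };

/* Minimal stand-in for a network connection (constructed for the example). */
struct conn { const char *data; size_t len; size_t pos; };

static int conn_getc(struct conn *c)
{
    return c->pos < c->len ? (unsigned char)c->data[c->pos++] : EOF;
}

/* Read one request line into line[linesz]. Never writes past the buffer:
 * if the client sends more than linesz-1 bytes before a newline, the rest
 * of the line is drained and the request is rejected. An empty line means
 * "list everyone logged on", as in the finger protocol. */
enum req_status read_finger_request(struct conn *c, char *line, size_t linesz)
{
    size_t n = 0;
    int ch;

    while ((ch = conn_getc(c)) != EOF && ch != '\n') {
        if (n + 1 >= linesz) {               /* the check the old fingerd lacked */
            while ((ch = conn_getc(c)) != EOF && ch != '\n')
                ;                            /* drain the overlong line */
            line[0] = '\0';
            return REQ_TOO_LONG;
        }
        line[n++] = (char)ch;
    }
    if (n == 0 && ch == EOF)
        return REQ_EOF;                      /* client closed without sending a line */

    line[n] = '\0';
    while (n > 0 && line[n - 1] == '\r')     /* clients send "user\r\n" */
        line[--n] = '\0';
    return n == 0 ? REQ_EMPTY : REQ_OK;
}

static char g_last[LINE_MAX_LEN];            /* last parsed request, for inspection */

/* Feed a constructed byte string through the reader as if it arrived on a socket. */
enum req_status request_from_string(const char *raw)
{
    struct conn c = { raw, strlen(raw), 0 };
    return read_finger_request(&c, g_last, sizeof g_last);
}

const char *last_request(void) { return g_last; }

/* Simulate a client sending n bytes of 'A' followed by a newline. */
enum req_status request_of_length(size_t n)
{
    char *raw = malloc(n + 2);
    if (raw == NULL)
        return REQ_EOF;
    memset(raw, 'A', n);
    raw[n] = '\n';
    raw[n + 1] = '\0';
    enum req_status st = request_from_string(raw);
    free(raw);
    return st;
}

int main(void)
{
    enum req_status st;
    st = request_from_string("\r\n");
    printf("empty line       -> status %d\n", st);
    st = request_from_string("andy\r\n");
    printf("\"andy\\r\\n\"       -> status %d, request \"%s\"\n", st, last_request());
    st = request_of_length(600);
    printf("600-byte line    -> status %d (REQ_TOO_LONG is %d)\n", st, REQ_TOO_LONG);
    return 0;
}
```

The bound is applied before each byte is stored, so the largest accepted request is 511 characters plus the terminator; a 600-character line of the kind the post suggests sending as a check is consumed and refused rather than written past the buffer.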
vixie@decwrl.dec.com (Paul Vixie) (11/10/88)
# We are running the Wollongong TCP/IP software (no eunice).
# The smtp server does not have the debug mode enabled, so it is not
# subject to attack.

Even better than that, the SMTP daemon in VAX WIN/TCP is not sendmail.

Disclaimer: WIN is no doubt a trademark of Wollongong; VAX is probably owned by Digital; I am a spokesman for neither. Your mileage may vary. Void where prohibited. Etc.

--
Paul Vixie
Work: vixie@decwrl.dec.com decwrl!vixie +1 415 853 6600
Play: paul@vixie.sf.ca.us vixie!paul +1 415 864 7013