[comp.os.vms] Viruses and VMS

ajt@mace.cc.purdue.edu (Andrew J Thomas) (11/09/88)

  Most of you are probably aware of the worm ("virus") that spread
around the network last week.  The worm spread by three methods:
password guessing, a sendmail bug, and a fingerd bug.  

  Any VMS systems running TCP/IP software may be vulnerable to
future viruses/worms.  There are two things to check for: the smtp
server, and the finger server.

  We are running the Wollongong TCP/IP software (no eunice).  
The smtp server does not have the debug mode enabled, so it is not 
subject to attack.  This can be checked by telnetting to the smtpd port 
and typing 'debug'.  If it accepts the debug command, you have a 
potential security hole.

  The second bug is in the finger server. The finger server can
read in an optional line of username(s).  The bug is that it doesn't
check to see if the line exceeds the buffer size.  If it does, it
overwrites memory.  You can check this by telnetting to the fingerd
port and entering a line longer than 512 chars.  If you get no finger
response, or get an error message, you have a potential problem.
I am not sure how it could be exploited.  

  The Wollongong fingerd program has this bug.  I was unable to get 
the fixed BSD fingerd.c to work.  However, I did come up with a 
solution that seems to work.  I copied [netdist.user]finger.exe 
to [netdist.serv]fingerd.exe.  This change takes effect as soon
as the file is copied, no need to reboot.  I've done this on our
system and it works fine.

  Why does this work?  The Wollongong fingerd has a "feature" 
that causes it to ignore username parameters (even though it can 
overrun the buffer reading them) and will just give a list of logged-on
users, even if information about one user is requested.  Since the 
finger program will not read input, it won't overrun the buffer.  
Its default output is the same as fingerd, but without the bug.

  The usual disclaimers apply to this solution.

  I don't know about the CMU TCP/IP code.  Since it is written in 
BLISS, and not just a straight port of BSD to VMS, it may not have
any problems.  If anybody knows for sure, I would like to know, and
I am sure others would also.

					Andy Thomas
					ajt@bilbo.bio.purdue.edu
					ajt@j.cc.purdue.edu
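As an added illustration of the bound check the post says the Wollongong fingerd lacks (this is example code written here, not the post's code, not Wollongong's, and not the fixed BSD fingerd.c): a request-line reader that refuses a line longer than 512 characters instead of letting it run past the buffer. The buffer layout, the status codes, the helper names and the fmemopen-based offline demo are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen(3), used by the offline demo */
#include <stdio.h>
#include <string.h>

#define FINGER_LINE_MAX 512                   /* limit named in the post */
#define FINGER_BUF_SIZE (FINGER_LINE_MAX + 3) /* + CR, LF, NUL */

enum finger_req { REQ_EOF = -2, REQ_TOO_LONG = -1, REQ_LIST = 0, REQ_USER = 1 };

/* Reads one request line from `in` into `line` (capacity `cap`). The read is
 * bounded by the buffer; a line longer than FINGER_LINE_MAX is drained and
 * rejected instead of overwriting memory, and the caller gets a status. */
int read_finger_request(FILE *in, char *line, size_t cap)
{
    if (cap < FINGER_BUF_SIZE || fgets(line, (int)cap, in) == NULL)
        return REQ_EOF;
    size_t len = strlen(line);
    if (len == cap - 1 && line[len - 1] != '\n') {   /* filled, no newline */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                                        /* discard the rest */
        line[0] = '\0';
        return REQ_TOO_LONG;
    }
    line[strcspn(line, "\r\n")] = '\0';              /* strip CRLF / LF */
    if (strlen(line) > FINGER_LINE_MAX) { line[0] = '\0'; return REQ_TOO_LONG; }
    return line[0] ? REQ_USER : REQ_LIST;
}

/* Demo helper: run the reader over a constructed request string. */
int classify_request(const char *wire, char *line, size_t cap)
{
    FILE *f = fmemopen((void *)wire, strlen(wire), "r");
    if (f == NULL) return REQ_EOF;
    int r = read_finger_request(f, line, cap);
    fclose(f);
    return r;
}

/* Demo helper: a request of `nchars` 'A's followed by CRLF (constructed). */
int classify_synthetic(size_t nchars)
{
    char wire[FINGER_LINE_MAX * 2 + 3], line[FINGER_BUF_SIZE];
    if (nchars > FINGER_LINE_MAX * 2) return REQ_EOF;
    memset(wire, 'A', nchars);
    memcpy(wire + nchars, "\r\n", 3);
    return classify_request(wire, line, sizeof line);
}
```

An empty line yields the logged-on-user listing, a name up to 512 characters is accepted, and anything longer is discarded with REQ_TOO_LONG rather than read past the buffer.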

vixie@decwrl.dec.com (Paul Vixie) (11/10/88)

#   We are running the Wollongong TCP/IP software (no eunice).  
# The smtp server does not have the debug mode enabled, so it is not 
# subject to attack.

Even better than that, the SMTP daemon in VAX WIN/TCP is not sendmail.

Disclaimer: WIN is no doubt a trademark of Wollongong; VAX is probably owned
by Digital; I am a spokesman for neither.  Your mileage may vary.  Void where
prohibited.  Etc.
-- 
Paul Vixie
Work:    vixie@decwrl.dec.com    decwrl!vixie    +1 415 853 6600
Play:    paul@vixie.sf.ca.us     vixie!paul      +1 415 864 7013