[comp.os.vms] installed images and security

DIEHL%iravcl@germany.CSNET.UUCP (08/27/87)

[ I sent this message to info-vax about 2 weeks ago. As it never found its
  way back to germany I assume it got lost like other messages sent by one
  of my colleagues.

  here it is again:
]

Some time ago we installed the FINGER program. We did not 
see any security problem in installing FINGER with SYSPRV 
privilege, because the only files FINGER accessed were 
SYSUAF.DAT (to get the last-login date) and FINGER.PLN in a 
user's home-directory. After looking into the sources we 
were sure that there was no way to abuse the SYSPRV 
privilege.

Now I know that I was wrong:
    Using FINGER there *is* a way to read *any* protected 
    file, if  the directory containing that file allows at
    least EXECUTE-access. (The reason is one of the various 
    SET FILE ... commands)

--> DO NOT INSTALL ANY PROGRAM THAT READS USERFILES USING 
    SYSPRV PRIVILEGE UNLESS YOU ARE *VERY* SURE THAT IT IS
    SECURE!!!

Arno Diehl, University of Karlsruhe, West Germany

tli@sargas.usc.edu (Tony Li) (08/28/87)

In article <8708280950.AA25855@ucbvax.Berkeley.EDU> DIEHL%iravcl@germany.CSNET (Arno Diehl) writes:

        Using FINGER there *is* a way to read *any* protected 
        file, if  the directory containing that file allows at
        least EXECUTE-access. (The reason is one of the various 
        SET FILE ... commands)
    
Would you consider posting either a patch or a workaround please?
Telling us that there is a bug without a diagnosis and patch begs to
have some hacker discover and abuse it.

Thanks,
Tony Li
Tony Li - USC University Computing Services	"Fene mele kiki bobo"
Uucp: oberon!tli						-- Joe Isuzu
Bitnet: tli@uscvaxq, tli@ramoth
Internet: tli@sargas.usc.edu

gea@IAGO.CALTECH.EDU (Gary Ansok) (08/28/87)

> Some time ago we installed the FINGER program. We did not 
> see any security problem in installing FINGER with SYSPRV 
> privilege, because the only files FINGER accessed were 
> SYSUAF.DAT (to get the last-login date) and FINGER.PLN in a 
> user's home-directory.

FINGER should keep its SYSPRV turned *off* except when absolutely
necessary (such as accessing SYSUAF.DAT).  There is no need for
a program to use SYSPRV to access FINGER.PLN files; if users keep
their FINGER.PLN files protected, it's their choice (and their problem
when everyone else starts complaining).  If you have novice users in
an environment where the default is protected files, then a .COM file
can be used when they update their FINGER.PLN files to unprotect the
files.

Privileged programs keeping privileges turned off except when necessary
is only one form of paranoia that installed programs should exhibit.
Several others have been mentioned in this list from time to time;
perhaps someone out there has kept a summary.

	Gary Ansok
	gea@romeo.caltech.edu      -or-       ansok@scivax.arpa
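
[Added example, not part of any post in this thread and not FINGER's source: the "privilege off except when necessary" discipline described above, shown as a POSIX analogue in which a set-uid effective UID stands in for SYSPRV. The names priv_init and read_file are hypothetical; on VMS the switch would be made with the system's own privilege-setting service rather than seteuid.]

```c
/* Added example (POSIX analogue, not VMS code and not FINGER's source).
 * Assumption: the program is installed set-uid, so the effective UID is the
 * privileged identity (the SYSPRV analogue) and the real UID is the caller. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t priv_uid;                 /* identity granted at install time */

/* Call first thing in main(): remember the privilege, then switch it off. */
int priv_init(void)
{
    priv_uid = geteuid();
    return seteuid(getuid());
}

/* Read up to len bytes. need_priv=1 only for the system file (the SYSUAF.DAT
 * analogue); user files (the FINGER.PLN analogue) always pass 0, so the
 * kernel checks them against the caller's own rights. Returns -1 on failure. */
ssize_t read_file(const char *path, char *buf, size_t len, int need_priv)
{
    ssize_t n;
    int fd;

    if (need_priv && seteuid(priv_uid) != 0)
        return -1;
    fd = open(path, O_RDONLY);         /* the only step that needs privilege */
    if (need_priv && seteuid(getuid()) != 0)
        _exit(1);                      /* could not drop: never go on privileged */
    if (fd < 0)
        return -1;
    n = read(fd, buf, len);
    close(fd);
    return n;
}

int main(int argc, char **argv)
{
    char buf[256];
    ssize_t n;
    if (argc < 2 || priv_init() != 0)
        return 1;
    n = read_file(argv[1], buf, sizeof buf, 0);   /* user file: unprivileged */
    return (n < 0 || write(STDOUT_FILENO, buf, (size_t)n) < 0) ? 1 : 0;
}
```

With the privilege off for every user-named file, a protected file stays unreadable no matter what name is used to reach it, because the access check is made against the caller.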

levy@ttrdc.UUCP (08/31/87)

In article <8708280950.AA25855@ucbvax.Berkeley.EDU>, DIEHL%iravcl@germany.CSNET (Arno Diehl) writes:
>     Using [privileged program] there *is* a way to read *any* protected 
>     file, if  the directory containing that file allows at
>     least EXECUTE-access. (The reason is one of the various 
>     SET FILE ... commands)
> 
> --> DO NOT INSTALL ANY PROGRAM THAT READS USERFILES USING 
>     SYSPRV PRIVILEGE UNLESS YOU ARE *VERY* SURE THAT IT IS
>     SECURE!!!

I think this has already revealed the secret to anyone who has access to
online help or the VMS manuals and who has even half a brain.  Incidentally,
the same caution should apply to implementors of privileged programs on any
operating system which supports a similar function (I know of at least one
other than VMS which does, but at least that system provides ready support
for the privileged program to detect whether this is the case with a file
it is being asked to read).

Another bugaboo to watch out for is logical names.  Privileged programs should
be carefully written so as not to be tripped up by redefinitions of SYS$INPUT,
SYS$OUTPUT, SYS$ERROR, TT:, and the like.
-- 
|------------Dan Levy------------|  Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
|         an Engihacker @        |		vax135}!ttrdc!ttrda!levy
| AT&T Computer Systems Division |  Disclaimer:  i am not a Yvel Nad
|--------Skokie, Illinois--------|

DIEHL%iravcl@germany.CSNET.UUCP (08/31/87)

Hallo out there!

Tony Li writes in response to my message:
    
> Would you consider posting either a patch or a workaround please?
> Telling us that there is a bug without a diagnosis and patch begs to
> have some hacker discover and abuse it.

When I discovered that "feature" in FINGER (and obviously in any other program
reading user files with SYSPRV enabled), I did not know any workaround 
except eliminating SYSPRV. On the other hand I did not want to wait until WE
have a patch or workaround; I just wanted to tell the system-managers to be
careful when installing programs with privileges.

Instead of being publicly more explicit on the way how to abuse FINGER, I told
Richard Garland (one of the developers of FINGER) what the problem is exactly.
I hope that there will be a secure version of FINGER quite soon.

Arno Diehl, University of Karlsruhe, West Germany

PS: I'm not fond of installing patches coming over the net...