DIEHL%iravcl@germany.CSNET.UUCP (08/27/87)
[ I sent this message to info-vax about 2 weeks ago. As it never found its way back to Germany I assume it got lost like other messages sent by one of my colleagues. Here it is again: ]

Some time ago we installed the FINGER program. We did not see any security problem in installing FINGER with SYSPRV privilege, because the only files FINGER accessed were SYSUAF.DAT (to get the last-login date) and FINGER.PLN in a user's home-directory. After looking into the sources we were sure that there was no way to abuse the SYSPRV privilege.

Now I know that I was wrong: Using FINGER there *is* a way to read *any* protected file, if the directory containing that file allows at least EXECUTE-access. (The reason is one of the various SET FILE ... commands)

--> DO NOT INSTALL ANY PROGRAM THAT READS USERFILES USING SYSPRV PRIVILEGE UNLESS YOU ARE *VERY* SURE THAT IT IS SECURE!!!

Arno Diehl, University of Karlsruhe, West Germany
tli@sargas.usc.edu (Tony Li) (08/28/87)
In article <8708280950.AA25855@ucbvax.Berkeley.EDU> DIEHL%iravcl@germany.CSNET (Arno Diehl) writes:
> Using FINGER there *is* a way to read *any* protected
> file, if the directory containing that file allows at
> least EXECUTE-access. (The reason is one of the various
> SET FILE ... commands)
Would you consider posting either a patch or a workaround please?
Telling us that there is a bug without a diagnosis and patch begs to
have some hacker discover and abuse it.
Thanks,
Tony Li
Tony Li - USC University Computing Services "Fene mele kiki bobo"
Uucp: oberon!tli -- Joe Isuzu
Bitnet: tli@uscvaxq, tli@ramoth
Internet: tli@sargas.usc.edu
gea@IAGO.CALTECH.EDU (Gary Ansok) (08/28/87)
> Some time ago we installed the FINGER program. We did not
> see any security problem in installing FINGER with SYSPRV
> privilege, because the only files FINGER accessed were
> SYSUAF.DAT (to get the last-login date) and FINGER.PLN in a
> user's home-directory.

FINGER should keep its SYSPRV turned *off* except when absolutely necessary (such as accessing SYSUAF.DAT). There is no need for a program to use SYSPRV to access FINGER.PLN files; if users keep their FINGER.PLN files protected, it's their choice (and their problem when everyone else starts complaining). If you have novice users in an environment where the default is protected files, then a .COM file can be used when they update their FINGER.PLN files to unprotect the files.

Privileged programs keeping privileges turned off except when necessary is only one form of paranoia that installed programs should exhibit. Several others have been mentioned in this list from time to time; perhaps someone out there has kept a summary.

Gary Ansok
gea@romeo.caltech.edu -or- ansok@scivax.arpa
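A POSIX C analogue of the privilege bracketing described in the post above, added here as an example; it is not code from FINGER or from anyone in this thread. It assumes a set-uid binary in which `seteuid()` stands in for switching SYSPRV off and on, and the names `read_plan_unprivileged` and `demo` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read a user-supplied file with the program's privilege switched off, so the
 * operating system checks access as the invoking user. Hypothetical helper.
 * Returns bytes read (buf is NUL-terminated), or -1 on any failure. */
ssize_t read_plan_unprivileged(const char *path, char *buf, size_t len)
{
    uid_t privileged = geteuid();  /* the set-uid owner, e.g. root */
    uid_t invoker = getuid();      /* whoever ran the program */
    ssize_t n = -1;
    int fd;

    if (len == 0) return -1;
    /* Privilege off; refuse to touch the file if the drop did not take. */
    if (seteuid(invoker) != 0 || geteuid() != invoker)
        return -1;
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        n = read(fd, buf, len - 1);
        close(fd);
    }
    /* Privilege back on only for the caller's next privileged step. */
    if (seteuid(privileged) != 0)
        return -1;
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Constructed sample: write a plan file, read it back through the helper. */
int demo(void)
{
    char path[] = "/tmp/planXXXXXX", buf[64];
    const char *text = "constructed sample plan\n";
    uid_t before = geteuid();
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    ssize_t n = read_plan_unprivileged(path, buf, sizeof buf);
    unlink(path);
    return (w == n && strcmp(buf, text) == 0 && geteuid() == before) ? 0 : 1;
}

int main(void) { return demo(); }
```

Because the open happens with the invoker's identity, the helper can only return what that user could already read; the privileged identity is restored afterwards for steps that genuinely need it.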
levy@ttrdc.UUCP (08/31/87)
In article <8708280950.AA25855@ucbvax.Berkeley.EDU>, DIEHL%iravcl@germany.CSNET (Arno Diehl) writes:
> Using [privileged program] there *is* a way to read *any* protected
> file, if the directory containing that file allows at
> least EXECUTE-access. (The reason is one of the various
> SET FILE ... commands)
>
> --> DO NOT INSTALL ANY PROGRAM THAT READS USERFILES USING
> SYSPRV PRIVILEGE UNLESS YOU ARE *VERY* SURE THAT IT IS
> SECURE!!!

I think this has already revealed the secret to anyone who has access to online help or the VMS manuals and who has even half a brain. Incidentally, the same caution should apply to implementors of privileged programs on any operating system which supports a similar function (I know of at least one other than VMS which does, but at least that system provides ready support for the privileged program to detect whether this is the case with a file it is being asked to read).

Another bugaboo to watch out for is logical names. Privileged programs should be carefully written so as not to be tripped up by redefinitions of SYS$INPUT, SYS$OUTPUT, SYS$ERROR, TT:, and the like.
--
|------------Dan Levy------------|  Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
|         an Engihacker @        |        vax135}!ttrdc!ttrda!levy
| AT&T Computer Systems Division |  Disclaimer: i am not a Yvel Nad
|--------Skokie, Illinois--------|
DIEHL%iravcl@germany.CSNET.UUCP (08/31/87)
Hallo out there!

Tony Li writes in response to my message:
> Would you consider posting either a patch or a workaround please?
> Telling us that there is a bug without a diagnosis and patch begs to
> have some hacker discover and abuse it.

When I discovered that "feature" in FINGER (and obviously in any other program reading user files with SYSPRV enabled), I did not know any workaround except eliminating SYSPRV. On the other hand I did not want to wait until WE have a patch or workaround; I just wanted to tell the system-managers to be careful when installing programs with privileges.

Instead of being publicly more explicit on the way how to abuse FINGER, I told Richard Garland (one of the developers of FINGER) what the problem is exactly. I hope that there will be a secure version of FINGER quite soon.

Arno Diehl, University of Karlsruhe, West Germany

PS: I'm not fond of installing patches coming over the net...