rsalz@uunet.uu.net (Rich Salz) (06/08/90)
Submitted-by: Dan Farmer <df@cert.sei.cmu.edu>
Posting-number: Volume 22, Issue 106
Archive-name: cops.pch
Patch-To: volume21/cops
Here's the first patch for COPS. Pretty minor stuff on the whole, but I'd
appreciate it if you would get it out to the world for me. This one fixes
some bugs and minor doc stuff; I'll be putting out another patch later
this year that should add features and all that good stuff (hopefully it
won't be repairing problems with this patch :-)).
thanks,
-- dan
--------------- Cut here for patch -------------------------
Patch #: 1
Priority: MEDIUM
This is the first patch for COPS. This shar file includes three files; the
original csh version of kuang (actually, another shar file), a patch file,
and a "patchlevel.h" file.
o The csh version of kuang was meant to be included in the original release,
but somehow got lost along the way. It should be functionally equivalent to
the version I ported to bourne shell for wider portability, but is a little
cleaner design, since I had to do some strange things to get it to work in
bourne.
o Perhaps the biggest problem was with the password guessing program; turned
out there was a bug that someone added while adding features through the
years (it was originally written in 1983, and the bug was not in the original
version, looking at my archives.) The problem was that once a dictionary
passwd was guessed, a variable wasn't reset. The original author also added
some comments about the design and intent of the program.
o /bin/rm -f in rc* files (pretty common stuff) are now ignored.
o findsuid now uses "ls -ldga" instead of "ls -lga" to find files.
o A couple of error messages and docs were slightly changed, and a couple
of miscellaneous "'"'s were added to improve robustness; minor nits.
Enjoy! If you have any problems, drop me a line at:
df@sei.cmu.edu
or
(412) 268 7197
P.S. To apply the patch, merely type:
patch < cops.patch.1
If you don't have the patch program, apply the patch by hand,
or get patch (I highly recommend it -- great program! It can
be gotten from uunet.uu.net, via anonymous ftp)
After patching, type "make", and all should be well again....
The original COPS toolkit (as well as the "patch" program) can be gotten
via anonymous ftp from uunet.uu.net (192.48.96.2), or wherever fine software
is archived :-)
--------------------------------------------------------------------------------
#! /bin/sh
# This is a shell archive. Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file". To overwrite existing
# files, type "sh file -c". You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g.. If this archive is complete, you
# will see the following message at the end:
# "End of shell archive."
# Contents: cops.patch.1 kuang.orig patchlevel.h
#
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f 'cops.patch.1' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'cops.patch.1'\"
else
echo shar: Extracting \"'cops.patch.1'\" \(6595 characters\)
sed "s/^X//" >'cops.patch.1' <<'END_OF_FILE'
XIndex: MANIFEST
X17a18
X> kuang.orig
X
XIndex: README
X123c123
X< -- Next, change lines 36 and 37 in the "cops" shell file from:
X---
X> -- Next, change lines 37 and 38 in the "cops" shell file from:
X129c129
X< -- Set "MAIL=NO" in the "cops" shell file (line 22). This will prevent
X---
X> -- Set "MAIL=NO" in the "cops" shell file (line 23). This will prevent
X140c140
X< -- You may wish to comment out the password checker (line 72 in the
X---
X> -- You may wish to comment out the password checker (line 73 in the
X187c187
X< groups in their respective target lines (below lines 21 and 27,
X---
X> groups in their respective target lines (below lines 20 and 27,
X
XIndex: XTRA_CREDIT
X9,10c9,10
X< Craig Leres, Seth Alford, Roger Southwick, Steve Dum, and Rick Lindsley
X< all get credit for the password guessing program.
X---
X> Craig Leres, Jef Poskanzer, Seth Alford, Roger Southwick, Steve Dum,
X> and Rick Lindsley all get credit for the password guessing program.
X24c24,28
X< implementation ideas at LISA II.
X---
X> implementation ideas at LISA III.
X>
X> In round II (the first patch), Mark Plumbly fixed rc.chk so it would
X> work like I said it would, as well as pointing out a few problems with
X> the password guesser.
X
XIndex: group.chk
X75,76c75,77
X< if ("'$C2'" != "TRUE")
X< printf("Warning! Group file, line %d, group has password: %s\n", NR, $0)
X---
X> if ("'$C2'" != "TRUE") {
X> if (length($2) == 13)
X> printf("Warning! Group file, line %d, group has password: %s\n", NR, $0) }
X127c128,129
X< printf("Warning! YGroup file, line %d, group has password: %s\n", NR, $0) } \
X---
X> if (if (length($2) == 13))
X> printf("Warning! YGroup file, line %d, group has password: %s\n", NR, $0) } \
X
XIndex: kuang
X0a1
X> #!/bin/sh
XOnly in cops.src: kuang.orig
X
XIndex: makefile
X28a29
X> RM=/bin/rm
X32a34,36
X>
X> clean:
X> $(RM) $(EXECUTABLE)
X
XIndex: passwd.chk
X88,89c88,92
X< if ($3 !~ /[0-9]/) {
X< printf("Warning! Password file, line %d, nonnumeric user id: \n\t%s\n", NR, $0) } \
X---
X> if ($3 !~ /^[0-9]/) {
X> if ($3 < 0) {
X> printf("Warning! Password file, line %d, negative user id: \n\t%s\n", NR, $0) } \
X> else {
X> printf("Warning! Password file, line %d, nonnumeric user id: \n\t%s\n", NR, $0) }} \
X117,118c120,124
X< if ($3 !~ /[0-9]/ && $3 != "-2") {
X< printf("Warning! YPassword file, line %d, nonnumeric user id: \n\t%s\n", NR, $0) } \
X---
X> if ($3 !~ /^[0-9]/) {
X> if ($3 < 0) {
X> printf("Warning! YPassword file, line %d, negative user id: \n\t%s\n", NR, $0) } \
X> else {
X> printf("Warning! YPassword file, line %d, nonnumeric user id: \n\t%s\n", NR, $0) }} \
X121c127
X< if ($4 !~ /[0-9]/ && $4 != "-2") {
X---
X> if ($4 !~ /[0-9]/) {
XOnly in cops.src: patch.1
X
XIndex: rc.chk
X21a22,27
X> # 12 Apr 90, Mark Plumbly made it ignore lines starting with rm -f
X> # (popular in rc files) and fixed my code so it would ignore everything
X> # after a ">".
X> #
X> SED=/bin/sed
X> CAT=/bin/cat
X43d48
X< #
X46c51,70
X< first_pass=`$AWK '{for (i=1;i<=NF;i++) if ((index($i,"/")) && ((first=substr($i,1,1)!=">"))&& first!="#" && first!="$" && (last=substr($i,length($i),1))!="\"") print $i}' $init_files | $EGREP -v "/dev/.*ty|/tmp|/usr/tmp|/dev/null" | $SORT -u`
X---
X> #
X> # 12 Apr mdp: Modified to remove "> file" as well as ">file"
X> # and remove "rm -f file" (this removes a few bogus ones).
X> # (i.e. things which are written to or removed only are ignored).
X> #
X> first_pass=`${CAT} ${init_files} | \
X> ${SED} -e 's/ *#.*$//' | \
X> $AWK '
X> { \
X> for (i=1;i<=NF;i++) { \
X> if ((index($i,"/")) && \
X> ((first=substr($i,1,1)!=">")) && \
X> $(i-1)!=">" && \
X> ( i<=2 || $(i-2)!="rm" || $(i-1)!="-f" ) && \
X> first!="#" && \
X> first!="$" && \
X> (last=substr($i,length($i),1))!="\"") \
X> print $i \
X> } \
X> }' | $EGREP -v "/dev/.*ty|/tmp|/usr/tmp|/dev/null" | $SORT -u`
X
XIndex: root.chk
X71c71
X< if test ! `$GREP "root" $ftp`
X---
X> if $TEST ! "`$GREP "root" $ftp`"
X91c91
X< $GREP path $csh | $AWK '{split($0,p1,"="); \
X---
X> $GREP path $csh | $SED 's/#.*$//' | $AWK '{split($0,p1,"="); \
X105c105
X< $GREP PATH $sh | $SED 's/\(PATH=.*\);.*/\1/' |
X---
X> $GREP PATH $sh | $SED 's/#.*$//' | $SED 's/\(PATH=.*\);.*/\1/' |
X118c118
X< $ECHO "Warning! \".\" is in roots path!"
X---
X> $ECHO "Warning! \".\" (or current directory) is in roots path!"
X123c123
X< $ECHO "Warning! Directory $i is _World_ writable!"
X---
X> $ECHO "Warning! Directory $i is _World_ writable and in roots path!"
X
XIndex: suid.chk
X37c37
X< SEARCH=.
X---
X> SEARCH=/
X58c58
X< $FIND $SEARCH \( -perm -4000 -o -perm -2000 \) -exec $LS -lga {} \; | \
X---
X> $FIND $SEARCH \( -perm -4000 -o -perm -2000 \) -exec $LS -ldga {} \; | \
X
XIndex: docs/warnings
X50c50
X< 1)
X---
X> 0)
X61c61
X< 2)
X---
X> 1)
X80c80
X< 3)
X---
X> 2)
X93a94,101
X> 3)
X> Directory foo_dir is _World_ writable and in roots path!
X>
X> This is the same as (2), but the directory was found to be in the
X> path variable set either in /.login or /.profile. This is a bad thing
X> because if it is writable, a trojan horse can be placed there, and
X> root will execute the command. See also (23).
X>
X198a207,214
X> Password file, line xyz, negative user id: foo
X>
X> A user id is negative. This is most common with user name "nobody",
X> and with an id of "-2". This can be dangerous, especially if you are running
X> a Sun, with 4.xx SunOS. It is uncertain if it is dangerous for other
X> versions or machines. Changing it to 32767 is the usual course of action.
X>
X> 19)
X204c220
X< 19)
X---
X> 20)
X206c222,223
X< To fix, delete all blank lines.
X---
X> To fix, delete all blank lines. This can be very bad, because a blank
X> line can give a uid=0 account with no password.
X208c225
X< 20)
X---
X> 21)
X214c231
X< 21)
X---
X> 22)
X220,221c237,238
X< 22)
X< "." is in roots path!
X---
X> 23)
X> "." (or current directory) is in roots path!
X229c246
X< 23)
X---
X> 24)
X238c255
X< 24)
X---
X> 25)
X
XIndex: src/pass.c
X15a16,27
X>
X> Insecure is something that Jef Poskanzer and I wrote to rid a
X> local system of an overly persistent ankle-biting adolescent.
X> It was a quick hack we whipped up in just a few minutes and was
X> never intended to be publically distributed. Unfortunately, I
X> made the mistake of giving a copy to an associate at UC
X> Berkeley. Apparently, he incorporated it in a security package
X> he later developed for use at Berkeley. Someone else
X> distributed it outside Berkeley which explains why it's been
X> publically distributed.
X>
X>
X226c238
X< #define ARB_CONST 80
X---
X> #define ARB_CONST 1024
X275a288,289
X>
X> done = 0;
X
END_OF_FILE
if test 6595 -ne `wc -c <'cops.patch.1'`; then
echo shar: \"'cops.patch.1'\" unpacked with wrong size!
fi
# end of 'cops.patch.1'
fi
if test -f 'kuang.orig' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'kuang.orig'\"
else
echo shar: Extracting \"'kuang.orig'\" \(7758 characters\)
sed "s/^X//" >'kuang.orig' <<'END_OF_FILE'
X#! /bin/sh
X# This is a shell archive. Remove anything before this line, then unpack
X# it by saving it into a file and typing "sh file". To overwrite existing
X# files, type "sh file -c". You can also feed this as standard input via
X# unshar, or by typing "sh <file", e.g.. If this archive is complete, you
X# will see the following message at the end:
X# "End of shell archive."
X# Contents: dofiles dogids douids init_kuang kuang.csh
X#
XPATH=/bin:/usr/bin:/usr/ucb ; export PATH
Xif test -f 'dofiles' -a "${1}" != "-c" ; then
X echo shar: Will not clobber existing file \"'dofiles'\"
Xelse
Xecho shar: Extracting \"'dofiles'\" \(1564 characters\)
Xsed "s/^X//" >'dofiles' <<'END_OF_FILE'
XX# /* Copyright 1985 Robert W. Baldwin */
XX# /* Copyright 1986 Robert W. Baldwin */
XXset notice85="Copyright 1985 Robert W. Baldwin"
XXset notice86="Copyright 1986 Robert W. Baldwin"
XX
XX#
XX# A list of file names is read from successive lines of stdin.
XX# Each file is examined for ways to access it.
XX# The input format is:
XX# <filename> <whitespace> <mode> <comments>
XX# The <mode> is either "write" or "replace".
XX#
XXecho Called dofiles. #>/dev/tty
XXwhile ( 1 )
XX set nextfile = ( `echo $<` )
XX if ( $#nextfile == 0 ) break;
XX#
XX set file = $nextfile[1]
XX set mode = $nextfile[2]
XX echo " File $file, mode $mode" #>/dev/tty
XX#
XX# Rules converting filename goals into UserName or GroupName goals.
XX#
XX set writers = ( `filewriters $file` )
XX if ( $#writers == 3 ) then
XX set owner = $writers[1]
XX set group = $writers[2]
XX set other = $writers[3]
XX echo " Writers are $owner $group $other" #>/dev/tty
XX addto uids $owner $mode $file $nextfile[3-]
XX if ( $group != "NONE" ) then
XX addto gids $group $mode $file $nextfile[3-]
XX endif
XX if ( $other != "NONE" ) then
XX addto uids $other $mode $file $nextfile[3-]
XX endif
XX else
XX echo " $file does not exist" #>/dev/tty
XX continue
XX endif
XX#
XX# Rules converting filename goals into other filename goals.
XX#
XX if ($mode != "replace" ) then
XX continue
XX endif
XX#
XX set parent = "$file:h"
XX set basename = "$file:t"
XX# echo -n " " Parent directory is $parent #>/dev/tty
XX# echo ", " basename is $basename #>/dev/tty
XX if ( "$parent" != "" ) then
XX addto files $parent write replace $basename $nextfile[3-]
XX endif
XXend
XX
XEND_OF_FILE
Xif test 1564 -ne `wc -c <'dofiles'`; then
X echo shar: \"'dofiles'\" unpacked with wrong size!
Xfi
X# end of 'dofiles'
Xfi
Xif test -f 'dogids' -a "${1}" != "-c" ; then
X echo shar: Will not clobber existing file \"'dogids'\"
Xelse
Xecho shar: Extracting \"'dogids'\" \(668 characters\)
Xsed "s/^X//" >'dogids' <<'END_OF_FILE'
XX# /* Copyright 1985 Robert W. Baldwin */
XX# /* Copyright 1986 Robert W. Baldwin */
XXset notice85="Copyright 1985 Robert W. Baldwin"
XXset notice86="Copyright 1986 Robert W. Baldwin"
XX
XX#
XX# Process a list of gids from stdin.
XX# Usage: dogids
XX# Input format is:
XX# GroupName Comments
XX#
XXecho Called dogids #>/dev/tty
XXwhile ( 1 )
XX set nextgid = ( `echo $<` )
XX if ( $#nextgid == 0 ) break;
XX set group = $nextgid[1]
XX echo " " Group $group #>/dev/tty
XX#
XX# Rules mapping gids to uids.
XX#
XX foreach user ( `members $group` )
XX addto uids $user grant $group $nextgid[2-]
XX end
XX#
XX# Rules mapping gids to files.
XX#
XX addto files /etc/group replace grant $group $nextgid[2-]
XXend
XX
XEND_OF_FILE
Xif test 668 -ne `wc -c <'dogids'`; then
X echo shar: \"'dogids'\" unpacked with wrong size!
Xfi
X# end of 'dogids'
Xfi
Xif test -f 'douids' -a "${1}" != "-c" ; then
X echo shar: Will not clobber existing file \"'douids'\"
Xelse
Xecho shar: Extracting \"'douids'\" \(1539 characters\)
Xsed "s/^X//" >'douids' <<'END_OF_FILE'
XX# /* Copyright 1985 Robert W. Baldwin */
XX# /* Copyright 1986 Robert W. Baldwin */
XXset notice85="Copyright 1985 Robert W. Baldwin"
XXset notice86="Copyright 1986 Robert W. Baldwin"
XX
XX#
XX# Process a list of uids from stdin.
XX# Usage: douids username comments
XX#
XXecho Called douids #>/dev/tty
XXwhile ( 1 )
XX set nextuid = ( `echo $<` )
XX if ( $#nextuid == 0 ) break;
XX set user = $nextuid[1]
XX echo " " User $user #>/dev/tty
XX#
XX# Rules mapping uids to other uids.
XX#
XX
XX#
XX# Rules mapping uids to files.
XX#
XX addto files /etc/passwd replace grant $user $nextuid[2-]
XX addto files /usr/lib/aliases replace trojan $user $nextuid[2-]
XX
XX if ( -e ~${user}/.rhosts ) then
XX addto files ~${user}/.rhosts write grant $user $nextuid[2-]
XX endif
XX
XX if (-e ~${user}/.login) then
XX addto files ~${user}/.login replace trojan $user $nextuid[2-]
XX endif
XX
XX if (-e ~${user}/.cshrc) then
XX addto files ~${user}/.cshrc replace trojan $user $nextuid[2-]
XX endif
XX
XX if (-e ~${user}/.profile) then
XX addto files ~${user}/.profile replace trojan $user $nextuid[2-]
XX endif
XX
XX if (${user} == "root") then
XX addto files /usr/lib/crontab replace create supershell\
XX $nextuid[2-]
XX addto files /etc/rc replace trojan $user $nextuid[2-]
XX addto files /etc/rc.local replace trojan $user $nextuid[2-]
XX endif
XX
XX if (${user} != "root") then
XX addto files /etc/hosts.equiv replace allow rlogin $nextuid[2-]
XX endif
XX
XX if ((${user} != "root") && (-e /etc/hosts.equiv) && \
XX !(-z /etc/hosts.equiv)) then
XX addto files /etc/hosts replace fake HostAddress $nextuid[2-]
XX endif
XX
XXend
XX
XEND_OF_FILE
Xif test 1539 -ne `wc -c <'douids'`; then
X echo shar: \"'douids'\" unpacked with wrong size!
Xfi
X# end of 'douids'
Xfi
Xif test -f 'init_kuang' -a "${1}" != "-c" ; then
X echo shar: Will not clobber existing file \"'init_kuang'\"
Xelse
Xecho shar: Extracting \"'init_kuang'\" \(836 characters\)
Xsed "s/^X//" >'init_kuang' <<'END_OF_FILE'
XX# /* Copyright 1985 Robert W. Baldwin */
XX# /* Copyright 1986 Robert W. Baldwin */
XXset notice85="Copyright 1985 Robert W. Baldwin"
XXset notice86="Copyright 1986 Robert W. Baldwin"
XX
XX###############################################
XX# Kuang: Rule based computer security checker.
XX###############################################
XX#
XX#
XX# Initialization.
XX#
XXclearfiles
XX#
XX# First setup what we have access to.
XX# The uids.k file must include the user 'OTHER' meaning the world access bits.
XX# Add any other UIDs accessible to the attacker (e.g., ftp, daemon).
XX#
XX# Directly accessible user IDs.
XXcat >uids.k <<END
XXOTHER
XXEND
XX#
XX# Directly accessible group IDs.
XX# This usually includes a group like 'users', which most users are in.
XX#
XXcat >gids.k <<END
XXEND
XX#
XX# Setup the primary goal(s).
XX#
XXecho Setting up goal #>/dev/tty
XXaddto uids root DO ANYTHING
XX
XEND_OF_FILE
Xif test 836 -ne `wc -c <'init_kuang'`; then
X echo shar: \"'init_kuang'\" unpacked with wrong size!
Xfi
X# end of 'init_kuang'
Xfi
Xif test -f 'kuang.csh' -a "${1}" != "-c" ; then
X echo shar: Will not clobber existing file \"'kuang.csh'\"
Xelse
Xecho shar: Extracting \"'kuang.csh'\" \(704 characters\)
Xsed "s/^X//" >'kuang.csh' <<'END_OF_FILE'
XX# /* Copyright 1985 Robert W. Baldwin */
XX# /* Copyright 1986 Robert W. Baldwin */
XXset notice85="Copyright 1985 Robert W. Baldwin"
XXset notice86="Copyright 1986 Robert W. Baldwin"
XX
XX###############################################
XX# Kuang: Rule based computer security checker.
XX###############################################
XX#
XX#
XX# Initialization.
XX#
XXcsh -f init_kuang
XX#
XX# Main loop
XX#
XXecho Starting main loop #>/dev/tty
XXwhile ( -e uids.n || -e gids.n || -e files.n )
XX if ( -e uids.n ) then
XX mv uids.n uids.x
XX csh -f douids < uids.x
XX endif
XX if ( -e gids.n ) then
XX mv gids.n gids.x
XX csh -f dogids < gids.x
XX endif
XX
XX if ( -e files.n ) then
XX mv files.n files.x
XX csh -f dofiles < files.x
XX endif
XX end
XX
XEND_OF_FILE
Xif test 704 -ne `wc -c <'kuang.csh'`; then
X echo shar: \"'kuang.csh'\" unpacked with wrong size!
Xfi
X# end of 'kuang.csh'
Xfi
Xecho shar: End of shell archive.
Xexit 0
END_OF_FILE
if test 7758 -ne `wc -c <'kuang.orig'`; then
echo shar: \"'kuang.orig'\" unpacked with wrong size!
fi
# end of 'kuang.orig'
fi
if test -f 'patchlevel.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'patchlevel.h'\"
else
echo shar: Extracting \"'patchlevel.h'\" \(21 characters\)
sed "s/^X//" >'patchlevel.h' <<'END_OF_FILE'
X#define PATCHLEVEL 1
END_OF_FILE
if test 21 -ne `wc -c <'patchlevel.h'`; then
echo shar: \"'patchlevel.h'\" unpacked with wrong size!
fi
# end of 'patchlevel.h'
fi
echo shar: End of shell archive.
exit 0
exit 0 # Just in case...
--
Please send comp.sources.unix-related mail to rsalz@uunet.uu.net.
Use a domain-based address or give alternate paths, or you may lose out.