cedman@lynx.ps.uci.edu (Carl Edman) (09/25/90)
PROGRAMMER GENERAL'S WARNING: Precompiled binaries can be hazardous to your health and lead to virus infections.

Now, really: It is very easy to change particularly a program like a shell to, e.g., put the name of a non-backtraceable account into the .rhosts file and then send mail to it to inform the hacker that he has just gotten a new account. Maybe even a su account? Or to log all lines containing some keywords (like password or username) to a public file. You may want to take the risk, but be warned.

Theoretical Physicist, N.: A physicist whose   | Send mail
existence is postulated, to make the numbers   | to
balance but who is never actually observed     | cedman@golem.ps.uci.edu
in the laboratory.                             | edmanc@uciph0.ps.uci.edu
demon@ibmpcug.co.uk (Cliff Stanford) (09/27/90)
cedman@lynx.ps.uci.edu (Carl Edman) writes:
> Now, really: It is very easy to change particularly a program like
> a shell to, e.g., put the name of a non-backtraceable account into the
> .rhosts file and then send mail to it to inform the hacker that
> he has just gotten a new account. Maybe even a su account?

You mean that if that were included in the source to a large program (ELM, for instance) you'd notice it was there before compiling it? I doubt I would.

Regards,
Cliff.
--
Automatic Disclaimer: The views expressed above are those of the author alone and may not represent the views of the IBM PC User Group.
--
Cliff Stanford               cms@demon.co.uk
Demon Systems Limited        demon@ibmpcug.co.uk
42 Hendon Lane               demon@cix.co.uk
London N3 1TT - England      +44 81 349 0063
cedman@lynx.ps.uci.edu (Carl Edman) (09/27/90)
In article <1990Sep26.234214.338@ibmpcug.co.uk> demon@ibmpcug.co.uk (Cliff Stanford) writes:
> cedman@lynx.ps.uci.edu (Carl Edman) writes:
> > Now, really: It is very easy to change particularly a program like
> > a shell to, e.g., put the name of a non-backtraceable account into the
> > .rhosts file and then send mail to it to inform the hacker that
> > he has just gotten a new account. Maybe even a su account?
>
> You mean that if that were included in the source to a large program
> (ELM, for instance) you'd notice it was there before compiling it? I
> doubt I would.
>
> Regards,
> Cliff.

Yes, I think I would have a good chance of noticing such a thing (even if for no other reason than that I have to tinker around with every program for a few hours before it compiles anyway :-).

Secondly and possibly more importantly: Someone would notice, and fast. I dare say that if some source is available via anonymous ftp and is not completely unpopular, no virus would go undetected for more than one or two weeks, at most. And when it is detected the sources WILL be removed, there will be an outcry and emergency broadcasts on all usenet channels (:-), and the author (or whoever put the sources there) will be in deep trouble.

A virus in binary form, on the other hand, is hard to spot or to trace (if it is intelligently done, of course). It may take months before someone notices effects, and after that it can take many more months before someone can trace this virus back to this particular piece of software.

Regards,
Carl Edman
scs@lokkur.dexter.mi.us (Steve Simmons) (09/28/90)
cedman@lynx.ps.uci.edu (Carl Edman) writes:
> Now, really: It is very easy to change particularly a program like
> a shell to, e.g., put the name of a non-backtraceable account into the
> .rhosts file and then send mail to it to inform the hacker that
> he has just gotten a new account. Maybe even a su account?

demon@ibmpcug.co.uk (Cliff Stanford) replies:
> You mean that if that were included in the source to a
> large program (ELM, for instance) you'd notice it was there
> before compiling it? I doubt I would.

I wouldn't either, but to a great degree I'm depending on the collective benefit of the net. Were there a trapdoor buried in elm or some other commonly used code from the net, there's a good chance that *somebody* will notice it fast. And woe to the person who got caught doing it!

Of course, this is another reason I'm more likely to blindly compile stuff from comp.sources.{misc,unix} than alt.sources.
glenn@suphys.physics.su.OZ.AU (Glenn Geers) (09/29/90)
What about vendors deliberately putting trap-doors in their distributed binaries?

We had a Dual Chapparal (68020 Sys V.2 with FFS) and after a long time (several years) discovered that 'su' worked without a password provided the user's current directory was /etc! I think that this was left in so that engineers doing on-site servicing could become 'root' without having to have a sys admin type around. Still, this is rather rude (and undocumented, of course).

Just thought I'd add my 2 cents worth (for the last time---Australia is ceasing to mint 1 and 2 cent coins this year).

Cheers,
Glenn
glenn@qed.physics.su.oz.au
--
Glenn Geers                       | "So when it's over, we're back to people.
Department of Theoretical Physics | Just to prove that human touch can have
The University of Sydney          | no equal."
Sydney NSW 2006 Australia         |   - Basia Trzetrzelewska, 'Prime Time TV'
scs@lokkur.dexter.mi.us (Steve Simmons) (09/30/90)
glenn@suphys.physics.su.OZ.AU (Glenn Geers) writes:
>What about vendors deliberately putting trap-doors in their distributed
>binaries?
>We had a Dual Chapparal (68020 Sys V.2 with FFS) and after a long time (several
>years) discovered that 'su' worked without a password provided the user's
>current directory was /etc! I think that this was left in so that engineers
>doing on-site servicing could become 'root' . . .

I'm appalled. You should post this to comp.unix so as to properly blacken their name.
shields@yunexus.YorkU.CA (Paul Shields) (09/30/90)
scs@lokkur.dexter.mi.us (Steve Simmons) writes:
>I wouldn't either, but to a great degree I'm depending on the collective
>benefit of the net. Were there a trapdoor buried in elm or some other
>commonly used code from the net, there's a good chance that *somebody*
>will notice it fast. And woe to the person who got caught doing it!

So how long did it take the net to discover that GNU Emacs installed itself as world writable? Yes, it seems it did this "out-of-the-box" back in 1988 when a colleague of mine stumbled across it. The biggest security hole he had ever seen, he said.

P.
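An added example, not part of any post in this thread: a small POSIX sh audit that covers the two concrete risks raised so far, Carl Edman's point that a shipped binary could quietly plant an entry in a .rhosts file, and the world-writable install that Paul Shields describes. It is not code from any of the posters. It assumes a find(1) that understands -perm, and the allowlist of trusted host names handed to the .rhosts check is a hypothetical parameter you fill in for your own site.

```shell
#!/bin/sh
# Added example (not from the thread). Two post-install checks:
#   1. anything under an install tree that is world-writable
#   2. .rhosts entries that are not on a site allowlist (or are "+" wildcards)
# Assumes POSIX sh and find(1) with -perm. The allowlist is a hypothetical
# space-separated list of host names that you maintain yourself.

# Print world-writable files and directories under DIR. Directories with the
# sticky bit set (like /tmp) are world-writable by design and are skipped.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print
}

# Succeed (exit 0) only if nothing under DIR is world-writable.
check_world_writable() {
    [ -z "$(find_world_writable "$1")" ]
}

# Print the entries of FILE (a .rhosts file) that should not be there:
# any "+" wildcard, and any host not in ALLOW (space-separated host names).
# Lines look like "host" or "host user"; "#" comments and blank lines are ignored.
rhosts_unknown_entries() {
    file=$1
    allow=$2
    grep -v '^[[:space:]]*#' "$file" | while read -r host user; do
        [ -z "$host" ] && continue
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            printf '%s\n' "$host${user:+ $user}"   # wildcard: always report
            continue
        fi
        case " $allow " in
            *" $host "*) ;;                          # known host, fine
            *) printf '%s\n' "$host${user:+ $user}" ;;
        esac
    done
}

# Succeed only if every entry in FILE is a plain host on the allowlist.
check_rhosts() {
    [ -z "$(rhosts_unknown_entries "$1" "$2")" ]
}

# Usage (uncomment to run against a real install tree and home directory):
# check_world_writable /usr/local || echo "world-writable entries under /usr/local"
# check_rhosts "$HOME/.rhosts" "lynx.ps.uci.edu golem.ps.uci.edu" || echo "unexpected .rhosts entries"
```

Run both checks right after installing a package from a binary distribution and again from cron; the interesting output is the difference from the previous run, since that is what a freshly installed program changed.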
ken@opusc.csd.scarolina.edu (Ken Sallenger) (10/02/90)
In article <1990Sep29.004107.17548@metro.ucc.su.OZ.AU> glenn@suphys.physics.su.OZ.AU (Glenn Geers) writes:
=>
=> What about vendors deliberately putting trap-doors in their distributed
=> binaries?

We have a rather advanced, esoteric parallel machine on campus. When it was first installed, a group of 6 programmers and systems types, along with a couple of faculty researchers, were the primary users for the first few months.

It only took about 6 weeks for one of us (yes, I confess, it was I) to type "xyzzy" to the command interpreter prompt, just to see what would happen... The system halted, and the user who typed it was thrown into the diagnostic ROM monitor.

I should point out that the account from which the magic cookie was issued had every privilege that an account could have. One almost didn't need to use the root account with all those priv's.

The trapdoor was put there by the primary developer of the system (a high-powered hardware engineer who also happened at the time to be CEO of the company :-) and, well, they never had gotten around to taking it out.

The Customer Service type to whom I reported it couldn't believe what I was telling her at first. And she couldn't imagine why anyone would type "xyzzy" to a shell prompt in the first place! I guess she hadn't hung out with too many software hackers.

Come to think of it, I don't know whether they ever _did_ get around to taking that out...
--
Ken Sallenger / ken@bigbird.csd.scarolina.edu / +1 803 777-9334
Computer Services Division / 1244 Blossom ST / Columbia, SC 29208
vail@tegra.COM (Johnathan Vail) (10/05/90)
In article <1990Oct1.192920.679@opusc.csd.scarolina.edu> ken@opusc.csd.scarolina.edu (Ken Sallenger) writes:

   It only took about 6 weeks for one of us (yes, I confess, it was I) to
   type "xyzzy" to the command interpreter prompt, just to see what would
   happen... The system halted, and the user who typed it was thrown into
   the diagnostic ROM monitor.

   The Customer Service type to whom I reported it couldn't believe what I
   was telling her at first. And she couldn't imagine why anyone would type
   "xyzzy" to a shell prompt in the first place! I guess she hadn't hung
   out with too many software hackers.

   Come to think of it, I don't know whether they ever _did_ get around to
   taking that out...

Two years ago when I was working at DG it was still in AOS. Typing `xyzzy' at the prompt returned "Nothing happens". I wondered if anything ever did happen. Rumor had it that you had to be in a certain directory. This made sense, but I tried everything I could think of, even with all the privileges on the console. My conclusion is that if that was true, then the directory necessary was no longer used on current releases.

Anybody know the real "Truth" about this?

jv

"Even Marilyn Monroe was a man, but, this, tends to get overlooked, by, our mother fixated overweight sexist media" -- Robin Hitchcock
 _____
|     | Johnathan Vail | n1dxg@tegra.com
|Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet)
 ----- jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail
ddl@husc6.harvard.edu (Dan Lanciani) (10/11/90)
In article <1990Oct1.192920.679@opusc.csd.scarolina.edu>, ken@opusc.csd.scarolina.edu (Ken Sallenger) writes:
| It only took about 6 weeks for one of us (yes, I confess, it was I) to
| type "xyzzy" to the command interpreter prompt, just to see what would
| happen...

Interesting, some versions of MS-DOS also had an xyzzy command. It appeared to enable exit-status reporting from the shell.

Dan Lanciani
ddl@harvard.*