[comp.unix.ultrix] Security problem with LAT terminal connection

yenbut@cs.washington.edu (Voradesh Yenbut) (06/07/90)

Description:

	When a LAT connection from a DECserver to an Ultrix system
	gets dropped on the DECserver end, the session on Ultrix isn't
	closed owing to a stuck process, such as telnet, clear or
	kermit, within the session.  The lcp command with the -p option
	shows the connection is "not connected".  The ps command
	shows that the user shell is still running.

	Later on, somebody can gain access to the process of
	the "not connected" session via LAT without going through
	the authentication process.

	We tested Ultrix-2.0, Ultrix-2.2, Ultrix-2.3, Ultrix-3.0, and
	Ultrix-4.0FT running on VAXstation 3200, DECstation 3100, and
	VAX 8055 with LAT software V3.0 and V1.0 on DECserver 200.
	The problem occurred with all combinations of Ultrix
	version and LAT software.

Repeat-By:

	1. Become super user, modify /etc/ttys to have only one LAT
	   terminal device enabled, and tell the init process with "kill -1 1".
	2. Log on as a regular user to the Ultrix system via the DECserver.
	3. Run "kermit -r" (it can be some other command, but
	   "kermit -r" is really effective for us) on Ultrix.
	4. Close the connection by logging out to the DECserver.
	5. On Ultrix, do "lcp -p" to the LAT terminal device;
	   lcp would report that the device is "not connected",
	   which is normal for any LAT connection that is closed.
	   However, if you do "ps" on the tty, it would show something like:

		PID TT STAT  TIME COMMAND
		181 00 I     0:00 -csh (csh)
	       9221 00 I     0:00 kermit -r

	6. Reactivate the hanging session (Sorry, I can't tell on the
	   net how to do it, but it is not hard to find out).  Try to
	   log in to the Ultrix system via LAT again.  If nobody else gets
	   the connection before you, you should get connected to the
	   kermit process and to the shell without the necessity of
	   typing in a login name and password.


Fix:

	The problem was reported to DEC a month or so ago, but
	so far we haven't seen any effective fixes.

	In the meantime, we educate our users and use a modified
	version of the finger program to report any connection that is
	dropped by LAT, and kill processes on hanging sessions manually.
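
The workaround above depends on spotting LAT devices that lcp reports as "not connected" while ps still lists processes on the tty. The following is an added example of that check, not part of the original post and not the modified finger program it mentions; the function name and sample data are constructed, and the only thing assumed about lcp's output is the phrase "not connected".

```shell
#!/bin/sh
# Added example: list processes left behind on a LAT tty whose connection is gone.

# stale_lat_pids LCP_STATUS PS_OUTPUT TT
#   LCP_STATUS  text captured from "lcp -p" for one LAT device; only the phrase
#               "not connected" is relied on (the rest of the format is not assumed)
#   PS_OUTPUT   ps listing with the "PID TT STAT TIME COMMAND" columns from the post
#   TT          value of the TT column for that device, e.g. 00
# Prints one "PID COMMAND" line per leftover process.
# Returns 0 if the device is a hanging session, 1 otherwise.
stale_lat_pids() {
    lcp_status=$1 ps_output=$2 tt=$3

    # A device that is still connected is a normal session, not a hanging one.
    case $lcp_status in
        *"not connected"*) ;;
        *) return 1 ;;
    esac

    # Numeric-PID test skips the header; the "" forces a string compare on TT.
    printf '%s\n' "$ps_output" | awk -v tt="$tt" '
        $1 ~ /^[0-9]+$/ && ($2 "") == (tt "") {
            cmd = $5
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            print $1, cmd
            found = 1
        }
        END { exit !found }
    '
}

# Constructed sample: the first two processes are the ones shown in the post,
# the third (tty 01) is invented to show that other ttys are ignored.
SAMPLE_PS='PID TT STAT  TIME COMMAND
181 00 I     0:00 -csh (csh)
9221 00 I     0:00 kermit -r
402 01 S     0:01 -csh (csh)'

# Prints the shell and kermit that survived the dropped connection on tty 00.
stale_lat_pids "not connected" "$SAMPLE_PS" 00
```

The PIDs it prints are the candidates for the manual kill described in the post; review the list before killing anything, since the status and the process list are sampled at different moments.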