wietse@wzv.win.tue.nl (Wietse Venema) (05/13/91)
fidelio@geech.gnu.ai.mit.edu (Rob J. Nauta) writes:
> Here's a small program I wrote a while back. It speaks for itself [...].
> This program is an official release of the TimeWasters from HOLLAND !

and presents the censored version of a program that steals the password when someone signs on to a Sun system via the telnet or rlogin network service.

It is this program that led to the recent burst of telnet and rlogin security fixes from Sun. However, anyone with a little imagination can adapt it to other operating systems with networking code derived from Berkeley UNIX.

As the person who originally reported the problem, I provide the source to a tiny program to work around the problem (tested with SunOS 4.x and Ultrix 4.0). It is at the end of this article.

Skip the remainder of this article if you are not interested in a case study of Dutch crackers with free rein on the Internet.

Thought you would be...

The TimeWasters is a group of students (and one former student, Rob J. Nauta) of Eindhoven University, located in the Netherlands. Their computer accounts at the Free Software Foundation have been used to attack and to breach the security of several University computer systems throughout the US, Canada and Europe.

The intruders exploited the fact that Dutch law against computer crime is still in preparation. Dutch Law or not, such activities are criminal.

The activities of the intruders have been monitored for quite some time. And because it will take some time before Dutch law will cover computer crime, I am provoking an open discussion of the problem. Sooner or later the intruders would have found out about the monitoring, anyway.

My statements are based on several tens of megabytes of data which I have passed on to the proper US and Dutch authorities. As an illustration, this is the case history of the password stealing program:

March 13: fidelio writes the initial version of the password stealing program.

March 14,15: The password stealing program is "tested" on several US university systems. Dozens of passwords are captured.

March 15: The CERT security organization is alerted by me. CERT, in turn, notifies Sun Microsystems and other vendors.

March 18,19: Several versions of the password stealing program are uploaded to our systems and several passwords are captured. Each day I have to make minor adjustments to our networking software.

March 19: In an attempt to delay further development of the program, I mail a "what's this?" message to the TimeWasters group, together with a version of the program that contains several references to the name of the group. A few hours later, fidelio submits a bug report with the password stealing program as "proof" of the bug.

March 21: A fixed telnet daemon is available from Sun. Later fixes follow for other releases of the SunOS operating system.

All the time, victims of these and other activities were notified either directly by me or through the CERT security organization.

Note that I have given fidelio ample time to revoke his statement that he is the author of the password stealing program, in case the article was posted under his name by someone else.

Of course, all this is just my personal view. For an independent view, contact {fidelio,belgers,wevers,erlend}@gnu.ai.mit.edu.

Wietse Venema
Eindhoven University of Technology
The Netherlands

#! /bin/sh
# This is a shell archive. Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file". To overwrite existing
# files, type "sh file -c". You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g.. If this archive is complete, you
# will see the following message at the end:
# "End of shell archive."
# Contents: uncover.c
# Wrapped by wietse@wzv on Sun May 12 17:24:44 1991
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f uncover.c -a "${1}" != "-c" ; then
  echo shar: Will not over-write existing file \"uncover.c\"
else
echo shar: Extracting \"uncover.c\" \(916 characters\)
sed "s/^X//" >uncover.c <<'END_OF_uncover.c'
X /*
X  * Kluge to work around login/password snooper. This program just
X  * repeatedly opens/closes the first five free pty masters.
X  */
X
X#include <sys/types.h>
X#include <sys/stat.h>
X#include <fcntl.h>
X#include <sys/ioctl.h>
X
X#define MINFREE 5 /* Amount of free ptys to check */
X
Xmain()
X{
X    int     i,
X            p;
X    int     c;
X    char   *line;
X    int     free;
X    int     fd;
X
X    (void) close(0);
X    (void) close(1);
X    (void) close(2);
X
X    for (;;) {
X        for (free = 0, c = 'p'; free < MINFREE && c <= 's'; c++) {
X            struct stat stb;
X
X            line = "/dev/ptyXX";
X            line[strlen("/dev/pty")] = c;
X            line[strlen("/dev/ptyp")] = '0';
X            if (stat(line, &stb) < 0)
X                break;
X            for (i = 0; free < MINFREE && i < 16; i++) {
X                line[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
X                p = open(line, O_RDONLY);
X                if (p >= 0) {
X                    free++;
X                    close(p);
X                }
X            }
X            (void) sleep(5);
X        }
X    }
X}
END_OF_uncover.c
if test 916 -ne `wc -c <uncover.c`; then
    echo shar: \"uncover.c\" unpacked with wrong size!
fi
# end of overwriting check
fi
echo shar: End of shell archive.
exit 0