strick@gatech.UUCP (Henry A. Strickland) (09/03/84)
> Ioctl() is not the only problem; consider
>	cat /unix >/dev/tty01
> where some fool has left his terminal (/dev/tty01) writable to the world.
> Worse yet, send him a character sequence like
>	HOME CR LF cd; find . -exec chmod 777 {} \; &
>	CLEAR_TO_END_OF_SCREEN HOME DUMP_SCREEN CLEAR
> (using the appropriate codes for his terminal type) and you will get him
> to chmod all his files so you can play with them.

If the above can work if 'write'ing or 'cat'ing to a /dev/tty*, wouldn't it also work if you mailed it to someone, or posted it to net.general?

I tried mailing myself a string of control characters, and 'mail' unquestioningly sent them to my terminal. I have seen manuals containing FF characters come across 'readnews'. Do other systems filter these out, or are we all vulnerable?

I keep 'mesg y', and don't consider myself a fool. I also don't filter control characters out of my 'mail' or 'readnews'. I would send you all a control-g in this message as a test, but I could imagine people who post propaganda to net.general putting FFs and BELs in their messages as attention grabbers, and I think it would be a terrible precedent.

I'll offer a free net.stonehenge subscription for whoever can bring down every machine on the net first . . .

--
the clouds project
henry strickland
school of ics / ga tech
atlanta ga 30332
{ akgua allegra hplabs ihnp4 }!gatech!strick
gwyn@brl-tgr.UUCP (09/06/84)
Message-ID: <4432@brl-tgr.ARPA>
Date: Wed, 5-Sep-84 23:58:13 EDT
Organization: Ballistics Research Lab

Yup, mail containing "bad" control sequences are known as "letter bombs" and they too can be a security problem.
tom@hcrvx1.UUCP (Tom Kelly) (09/07/84)
It's a general problem on any terminal that has a "transmit" screen capability. You don't have to use Mail or News; put the control sequence in a man page, or a README file. Anyone who looks at it executes your trojan horse.

A very similar serious problem arose under another operating system with which I am familiar. It was possible to send a message to the operator's console that contained these control characters. Since the console was always privileged, it was an easy way to give your account super-user capabilities. After it was discovered, the operating system was changed to filter all messages to the console and remove certain control characters. The program that controlled your terminal was also modified to filter these out so you couldn't send them to another user via the equivalent of write(1).

This experience led me to conclude that I would just as soon not use a terminal that had "transmit screen" ability, unless I could turn it off.

Tom Kelly (416) 922-1937
{utzoo, ihnp4, decvax}!hcr!hcrvx1!tom
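
The kind of output filtering described in the last post, as an added example that is not code from any poster or from the system he mentions: untrusted text is copied with every control byte made visible, so the terminal displays it instead of acting on it. The name `tty_sanitize` is hypothetical, the input is assumed to be single-byte text (ASCII/Latin-1, not UTF-8), and the sample message is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy n bytes of untrusted text into out, rendering control bytes visibly
 * (caret notation for C0 and DEL, \xNN for C1) so a terminal never
 * interprets them. Newline and tab pass through; bare CR does not, since
 * it can be used to overwrite what is already on the line.
 * Returns bytes written (excluding the NUL), or (size_t)-1 if out is too
 * small. Assumption: single-byte text, not UTF-8. */
size_t tty_sanitize(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        char buf[5];
        size_t len;
        if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f) || c >= 0xa0) {
            buf[0] = (char)c;                 /* printable: copy as is */
            len = 1;
        } else if (c < 0x20 || c == 0x7f) {
            buf[0] = '^';                     /* ESC -> ^[, BEL -> ^G, DEL -> ^? */
            buf[1] = (char)(c ^ 0x40);
            len = 2;
        } else {                              /* C1 controls, 0x80-0x9f */
            len = (size_t)snprintf(buf, sizeof buf, "\\x%02x", (unsigned)c);
        }
        if (o + len >= cap)                   /* keep room for the NUL */
            return (size_t)-1;
        memcpy(out + o, buf, len);
        o += len;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: BEL, CR, an ANSI clear-screen sequence, FF. */
    const unsigned char msg[] = "Subject: hi\a\r\n\033[2Jbody\f\n";
    char out[128];
    if (tty_sanitize(msg, sizeof msg - 1, out, sizeof out) == (size_t)-1)
        return 1;
    fputs(out, stdout);
    return 0;
}
```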