[comp.sys.3b1] Failure of iswind

jeffrey@sci.ccny.cuny.edu (Jeffrey L Bromberger) (05/25/91)

Just for fun, I tried the following command from my VAX to my
ethernet'ted 3b1:

% rsh notvax /usr/games/klondike

Now, considering the fact that I'm not logged in on the console, this
should fail.  This game, like many others, uses iswind() to see if I'm
on the bitmapped screen.  The logic should stop me if I'm not.
But, it doesn't!  It overwrites the console display (without regard as
to what or who is going on) with the game screen!

Any idea why all these games (klondike/mahjongg/rocks/bugs) all have
this behavior?  Is it only seen when using the ethernet package?  Does
this happen if someone dials in via the OBM?  Is iswind() just plain
drain-bamaged?

Isn't this some bizarre sort of security hole?!?

j
-- 
Jeffrey L. Bromberger
System Operator---City College of New York---Science Computing Facility
jeffrey@sci.ccny.cuny.edu			jeffrey@ccnysci.BITNET
	Anywhere!{cmcl2,philabs,phri}!ccnysci!jeffrey

dnichols@ceilidh.beartrack.com (DoN Nichols) (05/25/91)

In article <1991May24.203238.7990@sci.ccny.cuny.edu> jeffrey@sci.ccny.cuny.edu (Jeffrey L Bromberger) writes:
>Just for fun, I tried the following command from my VAX to my
>ethernet'ted 3b1:
>
>% rsh notvax /usr/games/klondike
>
>Now, considering the fact that I'm not logged in on the console, this
>should fail.  This game, like many others, uses iswind() to see if I'm
>on the bitmapped screen.  The logic should stop me if I'm not.
>But, it doesn't!  It overwrites the console display (without regard as
>to what or who is going on) with the game screen!

	Yep, happened to me when my wife called it up after reading news on
my system.

>Any idea why all these games (klondike/mahjongg/rocks/bugs) all have
>this behavior?  Is it only seen when using the ethernet package?  Does
>this happen if someone dials in via the OBM?  Is iswind() just plain
>drain-bamaged?

	Yes, it happens when logged in to a tty port.  I presume that it
could happen via the OBM as well.  Iswind() must be quite brain-damaged.  I
added code to my first copy of klondike to check if /dev/tty = w? to avoid
this, but that is a kluge.

>Isn't this some bizarre sort of security hole?!?

	At least a denial-of-service one.  Maybe we need to rewrite iswind().

	Kep Hoping
		DoN.
-- 
Donald Nichols (DoN.)		| Voice (Days):	(703) 664-1585
D&D Data			| Voice (Eves):	(703) 938-4564
Disclaimer: from here - None	| Email:     <dnichols@ceilidh.beartrack.com>
	--- Black Holes are where God is dividing by zero ---

bruce@balilly (Bruce Lilly) (05/25/91)

In article <1991May24.203238.7990@sci.ccny.cuny.edu> jeffrey@sci.ccny.cuny.edu (Jeffrey L Bromberger) writes:
>Just for fun, I tried the following command from my VAX to my
>ethernet'ted 3b1:
>
>% rsh notvax /usr/games/klondike

Note that TFM says that an *interactive* command (e.g. vi and most games)
should *not* be run using remsh, but rather by rlogin to the machine.

>Now, considering the fact that I'm not logged in on the console, this
>should fail.  This game, like many others, uses iswind() to see if I'm
>on the bitmapped screen.  The logic should stop me if I'm not.
>But, it doesn't!  It overwrites the console display (without regard as
>to what or who is going on) with the game screen!
>
>Any idea why all these games (klondike/mahjongg/rocks/bugs) all have
>this behavior?  Is it only seen when using the ethernet package?  Does
>this happen if someone dials in via the OBM?  Is iswind() just plain
>drain-bamaged?

I don't recall why (probably because the TAM version does something
strange as you describe), but I wrote a small routine which checks the
controlling tty to determine if a process is running on the console. It's
near the end of kfeature 1.1 if you want to take a look at it.

-- 
	Bruce Lilly		blilly!balilly!bruce@sonyd1.Broadcast.Sony.COM

dave@das13.snide.com (Dave Snyder) (05/25/91)

In article <1991May24.203238.7990@sci.ccny.cuny.edu>, jeffrey@sci.ccny.cuny.edu (Jeffrey L Bromberger) writes:
-> Just for fun, I tried the following command from my VAX to my
-> ethernet'ted 3b1:
-> 
-> % rsh notvax /usr/games/klondike
-> 
-> Now, considering the fact that I'm not logged in on the console, this
-> should fail.
-> 
-> Any idea why all these games (klondike/mahjongg/rocks/bugs) all have
-> this behavior?  Is it only seen when using the ethernet package?

It also happens to me when I try to run a bitmapped game from a terminal
on tty000.

DAS
-- 
David A. Snyder @ Snide Inc. - Folcroft, PA

UUCP:  ..!uunet!das13!dave     INTERNET:  dave@das13.snide.com

floyd@ims.alaska.edu (Floyd Davidson) (05/26/91)

In article <1509@das13.snide.com> dave@das13.snide.com (Dave Snyder) writes:
>In article <1991May24.203238.7990@sci.ccny.cuny.edu>, jeffrey@sci.ccny.cuny.edu (Jeffrey L Bromberger) writes:
>-> Just for fun, I tried the following command from my VAX to my
>-> ethernet'ted 3b1:
>-> 
>-> % rsh notvax /usr/games/klondike
>-> 
>-> Now, considering the fact that I'm not logged in on the console, this
>-> should fail.
>-> 
>-> Any idea why all these games (klondike/mahjongg/rocks/bugs) all have
>-> this behavior?  Is it only seen when using the ethernet package?
>
>It also happens to me when I try to run a bitmapped game from a terminal
>on tty000.
>

It sounds like iswind() might be broken?  Or maybe the
programs aren't even checking?

I've always used "ioctl(0,WIOCGETD,&wd)", see window(7), to
determine if the display was bit mapped.  It will fail and
return non-zero if stdin (fd = 0) is not bitmapped.  I'm
sure it works for terminals connected to serial ports, but
haven't checked it over an ethernet.

Floyd
-- 
Floyd L. Davidson   | Alascom, Inc. pays me, |UA Fairbanks Institute of Marine
floyd@ims.alaska.edu| but not for opinions.  |Science suffers me as a guest.

sdb%hotmomma@uunet.uu.net (Scott Ballantyne) (05/26/91)

>>>>> On 25 May 91 04:01:52 GMT, dnichols@ceilidh.beartrack.com (DoN Nichols) said:

DoN> 	Yes, it happens when logged in to a tty port.  I presume that
DoN> it could happen via the OBM as well.  Iswind() must be quite
DoN> brain-damaged.  I added code to my first copy of klondike to
DoN> check if /dev/tty = w? to avoid this, but that is a kluge.

>Isn't this some bizarre sort of security hole?!?

DoN> 	At least a denial-of-service one.  Maybe we need to rewrite iswind().


I find the WIOCGETD ioctl works well for determining whether or not
you are actually on a bitmap.  iswind () has never worked for me :-(

sdb

-- 
{sdb%hotmomma@uunet.uu.net | hotmomma!sdb@uunet.uu.net | uunet!hotmomma!sdb}
"A hacker is a machine for turning caffeine into programs"

tkacik@kyzyl.mi.org (Tom Tkacik) (05/27/91)

In article <1991May24.203238.7990@sci.ccny.cuny.edu> jeffrey@sci.ccny.cuny.edu (Jeffrey L Bromberger) writes:
>Just for fun, I tried the following command from my VAX to my
>ethernet'ted 3b1:
>
>% rsh notvax /usr/games/klondike
>
>Now, considering the fact that I'm not logged in on the console, this
>should fail.  This game, like many others, uses iswind() to see if I'm
>on the bitmapped screen.  The logic should stop me if I'm not.
>But, it doesn't!  It overwrites the console display (without regard as
>to what or who is going on) with the game screen!

I wrote klondike, and have been told about (and verified)
this problem.  I have been looking into it, and discovered that it is
a problem only with properly written programs (no :-).
Not having any serial or ethernet connections, I have not worried about
it too much.

>Any idea why all these games (klondike/mahjongg/rocks/bugs) all have
>this behavior?  Is it only seen when using the ethernet package?  Does
>this happen if someone dials in via the OBM?  Is iswind() just plain
>drain-bamaged?

The problem is with the way winit(), iswind(), and wcreate() work together.
Wcreate() seems to return the parent window first, so that when it is changed
and the program quits, the parent is permanently changed.
This is fine only if the program is running from the UA, as the UA
always gives the new application a fresh window to play with.

I think that any program that changes the parent window is being rude, so
all of my programs first close file descriptors 0, 1, and 2, and then
open /dev/window to get a fresh window.  Now that a true window has
been opened, iswind() says everything is ok.

The fix is to write my own iswind() routine that I can call before playing
with the file descriptors (the current one can only be called after calling
winit(), which must be called after opening a new window).

When most machines were standalone (as mine still is), it did not
matter much whether iswind() worked.  But now that there are 3b1's being
networked or having serial connections I guess it's time to write my own
iswind(), and patch to klondike, mahjongg, etc. once and for all.

>Isn't this some bizarre sort of security hole?!?

Iswind() is not the security hole, it merely shows that there is a problem.
Any application can open /dev/window and get a fresh window on the console.
I do not think that there is any way to prevent it.
-- 
Tom Tkacik                |
tkacik@kyzyl.mi.org       |     To rent this space, call 1-800-555-QUIP.
...!rphroy!kyzyl!tkacik   |

emm@iczer-1.UUCP (Edward M. Markowski) (05/29/91)

In article <1991May24.203238.7990@sci.ccny.cuny.edu>, jeffrey@sci.ccny.cuny.edu (Jeffrey L Bromberger) writes:
| Just for fun, I tried the following command from my VAX to my
| ethernet'ted 3b1:
| 
| % rsh notvax /usr/games/klondike
| 
| Now, considering the fact that I'm not logged in on the console, this
| should fail.
| 
| Any idea why all these games (klondike/mahjongg/rocks/bugs) all have
| this behavior?  Is it only seen when using the ethernet package?

This seems to be a problem on all of the ports.

The solution I have used for this problem is to make sure that the
major number of the control tty and /dev/window match; this seems
to work well.

-- 
-------------------------------------------------------------------------------
Edward M. Markowski -- iczer-1 Administrator

VOICE : (201) 478-6052 home      ...the garage is flooded from the sprinkler.
        (201) 599-3298 work      It also left a man's decapitated body, lying
UUCP  : ..!uunet!iczer-1!emm     on the floor next to his own severed head.
 -or- : ..!tronsbox!iczer-1!emm  A head which at this time has no name.