virus, fix for 3000 part 05 of 05 (last)

Vernon Schryver vjs at rhyolite.SGI.COM
Thu Nov 10 12:02:54 AEST 1988


There are a number of ways to subvert a binary as it wanders through the
network.  Another problem with posting binaries is that they are big.
Finally, the Internet Police might come and break our fingers.
Silicon Graphics has not in the past posted many (if any) binaries.
I hope we won't have to in the future.

The circumstances last week were exceptional, and there was little
time.  It might have been better if there had been time to write a
small program which could have been used to patch the 4D binaries.  We
could have posted the source for such a tool.  If you don't trust the
posted binaries, I think the official BSD patch works with adb on
3000's, although I have not tried it.  Perhaps you could attack a 4D
binary on a 3000 with adb.  However, the official BSD patch, which zeros
the entry in the command table, does not close the security problem; it
simply broke the worm.

If you have played with the hole a little, you will have noticed that
you can't become root with it.  At least, the best I have done is
UID=1 and UID=1147, though I have not spent much time at it.

The sendmail problem will be fixed in a forthcoming release for 4D's.
If you have sendmail source, you might want to port it, closing the
hole yourself.  It is a straightforward port, if a bit of a mess since
IRIS's are SV with BSD extensions extended with YP, rather than
straight BSD.

Perhaps a way could be found to put useful binaries on a neutral
archive, which could be reached via anonymous ftp.  Where are the
info-IRIS archives these days?

Please accept our apologies if the worm, which afflicted only Suns and
VAX's, caused any anxiety.  In defense of the one or two of us who
typed -DDEBUG in the production makefile (only 2 people come to mind,
but I will not say more :-), shipping exactly what we use on our
personal machines helps reduce bugs in general.  In particular, I have
used the debugging stuff to resolve problems on our Internet gateway.

If you are at all concerned about security, stop worrying about
sendmail and IMMEDIATELY install the fixes recently posted in
comp.bugs.4bsd.ucb-fixes for ftpd.  If you cannot do that, you should
remove the user name 'ftp' from /etc/passwd.  As others have said, this
applies to all 4.3BSD ftp's.  (The official fix for this will also be
in a forthcoming 4D release.)  General prudence would also have you
turn off IP forwarding, not allow outside users to log in as guest,
and generally keep /etc/passwd small on your gateways.


Vernon Schryver
Silicon Graphics
vjs at sgi.com
