Dutch crackers (tty security example - history and workaround)

Wietse Venema wietse at wzv.win.tue.nl
Mon May 13 05:26:14 AEST 1991


fidelio at geech.gnu.ai.mit.edu (Rob J. Nauta) writes:

> Here's a small program I wrote a while back. It speaks for itself [...].
> This program is an official release of the TimeWasters from HOLLAND !

and presents the censored version of a program that steals the password
when someone signs on to a Sun system via the telnet or rlogin network
service. It is this program that led to the recent burst of telnet and
rlogin security fixes from Sun.

However, anyone with a little imagination can adapt it to other
operating systems with networking code derived from Berkeley UNIX.

As the person who originally reported the problem, I provide the source
to a tiny program to work around the problem (tested with SunOS 4.x and
Ultrix 4.0). It is at the end of this article.

Skip the remainder of this article if you are not interested in a case
study of Dutch crackers with free rein on the Internet.

Thought you would be...

The TimeWasters is a group of students (and one former student, Rob J.
Nauta) of Eindhoven University, located in the Netherlands.  Their
computer accounts at the Free Software Foundation have been used to
attack and to breach the security of several University computer
systems throughout the US, Canada and Europe. The intruders exploited
the fact that Dutch law against computer crime is still in preparation.

Dutch Law or not, such activities are criminal.  The activities of the
intruders have been monitored for quite some time.  And because it will
take some time before Dutch law will cover computer crime, I am
provoking an open discussion of the problem.  Sooner or later the
intruders would have found out about the monitoring, anyway.  My
statements are based on several tens of megabytes of data which I have
passed on to the proper US and Dutch authorities.

As an illustration, this is the case history of the password stealing
program:

March 13: fidelio writes the initial version of the password stealing 
	program. 

March 14,15: The password stealing program is "tested" on several US 
	university systems. Dozens of passwords are captured.

March 15: The CERT security organization is alerted by me. CERT, in turn,
	notifies Sun Microsystems and other vendors.

March 18,19: Several versions of the password stealing program are 
	uploaded to our systems and several passwords are captured.
	Each day I have to make minor adjustments to our networking
	software.

March 19: In an attempt to delay further development of the program, I mail 
	a "what's this?" message to the TimeWasters group, together with a 
	version of the program that contains several references to the name 
	of the group.

	A few hours later, fidelio submits a bug report with the password
	stealing program as "proof" of the bug.

March 21: A fixed telnet daemon is available from Sun. Later fixes follow 
	for other releases of the SunOS operating system.

All the time, victims of these and other activities were notified
either directly by me or through the CERT security organization.

Note that I have given fidelio ample time to revoke his statement that
he is the author of the password stealing program, in case the article
was posted under his name by someone else.

Of course, all this is just my personal view.  For an independent view,
contact {fidelio,belgers,wevers,erlend}@gnu.ai.mit.edu.

	Wietse Venema
	Eindhoven University of Technology
	The Netherlands

#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g..  If this archive is complete, you
# will see the following message at the end:
#		"End of shell archive."
# Contents:  uncover.c
# Wrapped by wietse at wzv on Sun May 12 17:24:44 1991
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f uncover.c -a "${1}" != "-c" ; then 
  echo shar: Will not over-write existing file \"uncover.c\"
else
echo shar: Extracting \"uncover.c\" \(1051 characters\)
sed "s/^X//" >uncover.c <<'END_OF_uncover.c'
X /*
X  * Kluge to work around login/password snooper. This program just
X  * repeatedly opens/closes the first five free pty masters.
X  */
X
X#include <sys/types.h>
X#include <sys/stat.h>
X#include <fcntl.h>
X#include <sys/ioctl.h>
X#include <string.h>
X#include <unistd.h>
X
X#define	MINFREE	5			/* Amount of free ptys to check */
X
Xint
Xmain(void)
X{
X    int     i,
X            p;
X    int     c;
X    char    line[] = "/dev/ptyXX";	/* writable buffer, not a string literal */
X    int     free;
X
X    (void) close(0);
X    (void) close(1);
X    (void) close(2);
X
X    for (;;) {
X	for (free = 0, c = 'p'; free < MINFREE && c <= 's'; c++) {
X	    struct stat stb;
X
X	    /* /dev/pty[p-s]0: probe whether this bank of 16 ptys exists */
X	    line[strlen("/dev/pty")] = c;
X	    line[strlen("/dev/ptyp")] = '0';
X	    if (stat(line, &stb) < 0)
X		break;
X	    for (i = 0; free < MINFREE && i < 16; i++) {
X		line[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
X		p = open(line, O_RDONLY);
X		if (p >= 0) {
X		    free++;
X		    close(p);
X		}
X	    }
X	    (void) sleep(5);
X	}
X    }
X}
END_OF_uncover.c
if test 1051 -ne `wc -c <uncover.c`; then
    echo shar: \"uncover.c\" unpacked with wrong size!
fi
# end of overwriting check
fi
echo shar: End of shell archive.
exit 0


