Security problem with LAT terminal connection
Voradesh Yenbut
yenbut at cs.washington.edu
Thu Jun 7 07:34:47 AEST 1990
Description:
When a LAT connection from a DecServer to an Ultrix system
gets dropped on the DecServer end, the session on Ultrix isn't
closed owing to a stuck process, such as telnet, clear or
kermit, within the session. The lcp command with the -p option
shows the connection is "not connected". The ps command
shows that the user shell is still running.
Later on, somebody can gain access to the process of the
"not connected" session via LAT without going through
the authentication process.
We tested Ultrix-2.0, Ultrix-2.2, Ultrix-2.3, Ultrix-3.0, and
Ultrix-4.0FT running on VAXstation 3200, DECstation 3100, and
VAX 8055 with LAT software V3.0 and V1.0 on DecServer 200.
The problem occurred with all combinations of Ultrix
version and LAT software.
Repeat-By:
1. Become superuser, modify /etc/ttys to have only one LAT
terminal device enabled, and tell the init process with "kill -1 1".
2. Log on as a regular user to the Ultrix system via DecServer.
3. Run "kermit -r" (it can be some other command, but
"kermit -r" is really effective for us) on Ultrix.
4. Close the connection by logging out to DecServer.
5. On Ultrix, do "lcp -p" to the LAT terminal device,
lcp would report that the device is "not connected",
which is normal for any LAT connection that is closed;
however, if you do "ps" on the tty, it will show something like:
      PID TT STAT  TIME COMMAND
      181 00 I     0:00 -csh (csh)
     9221 00 I     0:00 kermit -r
6. Reactivate the hanging session (Sorry, I can't tell on the
net how to do it, but it is not hard to find out). Try to
log in to the Ultrix system via LAT again. If nobody else gets
the connection before you, you should get connected to the
kermit process and to the shell without the necessity of
typing in login name and password.
Fix:
The problem was reported to DEC a month or so ago, but
so far we haven't seen any effective fixes.
In the meantime, we educate our users and use a modified
version of the finger program to report any connection that is
dropped by LAT, and kill processes on hanging sessions manually.
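
Added example, not part of the original post: one way to automate the cross-check described under Fix, listing processes that still sit on a tty whose LAT state is "not connected". The two-column status listing is an assumed, constructed format (the post does not show lcp output); the ps rows follow the layout quoted in step 5.

```shell
#!/bin/sh
# Added example: list processes still attached to LAT ttys that report
# "not connected". Assumed input formats (constructed for illustration):
#   status file: "<tt> <state>" per line, e.g. "00 not connected"
#   ps file:     "PID TT STAT TIME COMMAND" rows, as in the post

find_orphaned_sessions() {
    # $1 = tty status listing, $2 = ps listing
    awk '
        # Status file: remember each tty whose state is "not connected".
        FILENAME == ARGV[1] {
            tt = $1 ""
            $1 = ""
            sub(/^ +/, "")
            if ($0 == "not connected") dropped[tt] = 1
            next
        }
        $1 == "PID" { next }            # skip the ps header
        # ps file: report every process whose TT column is a dropped tty.
        {
            tt = $2 ""
            if (tt in dropped) {
                cmd = $5
                for (i = 6; i <= NF; i++) cmd = cmd " " $i
                printf "%s %s %s\n", tt, $1, cmd
            }
        }
    ' "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data: tty 00 was dropped, tty 01 is in use.
    cat > "$dir/status" <<'EOF'
00 not connected
01 connected
EOF
    cat > "$dir/ps" <<'EOF'
  PID TT STAT  TIME COMMAND
  181 00 I     0:00 -csh (csh)
 9221 00 I     0:00 kermit -r
  305 01 S     0:02 -csh (csh)
EOF
    find_orphaned_sessions "$dir/status" "$dir/ps"
    rm -rf "$dir"
}

demo    # prints "tt pid command" for each orphaned process
```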