Security at UCB, UNIX

utzoo!decvax!aps
Thu Mar 4 19:14:56 AEST 1982


I hate to be the one to put this onto the net because I don't
want to take credit for finding the info out but Shannon had
to pick up Pizza with his wife and he (Bill, that is) is the
person who told me.  (He found out from ..., well a reliable
source.  Source, I didn't know if you wanted to be known.)

Some students discovered this feature in a terminal and
went to Dr. Lynn to see if they could try this out.

What if there was this guy logged in as root on this HP
terminal and there were these other people also logged in
elsewhere who knew that this guy Root was logged in on this HP
terminal.  Well this Root guy's terminal would be writable.
(Root has mesg y so he can get important requests via
write and the like.)  Well, these other people would just send
to Root's terminal the proper escape sequence to enable
the terminal to loop back all things it receives.  So,
behold.  They could then send "commands" to Root's terminal
and the terminal would loop it back to (where else but) the
system.  The system would execute these commands just as if they
were coming from Root's terminal and they really would!
And, that's it; a way to execute superuser commands without
being super user (A.K.A. A whole.)

(This is the big break in security that Donn Parker was waiting
for?  I have read a few of his articles and a book.  He's ok.)
Not too much to worry about, unless you let your root lay around
on HP (or other with loop back "features") terminals!

All I can say is that I am happier than a pig in X$&% that the
problem was not with the VAX!

	Armando Stettner
	DEC UNIX Engineering Group.



More information about the Comp.unix.wizards mailing list