Slaying Gould dragon with a wooden horse

Darryl Wagoner dpw at unisec.UUCP
Mon Oct 27 13:45:17 AEST 1986


Like many others, I attended the Unix Expo in New York City this week.
At the Gould booth there was a large sign challenging Unix wizards
to break into their "Secure Unix" system.  They also gave out a flyer that
stated the following:

|---------------------------------------------------------------
|			GOULD
|
|		***	HACKER CHALLENGE   ***
|
|			UNIX EXPO 1986
|
|			OCTOBER 20,21,22
|
|There is a text file on our 6040-I, UTX/32S - SECURE UNIX*
|system.  We challenge anyone to find out its contents.  The file
|pathname is:
|
|			/usr/unixexpo/securefile
|
|RULES:
|
|1.	You must access the system from one of two user
|	terminals.  Login as "guest1" or "guest2".
|
|2.	All winners who successfully break into the system will
|	be placed in a drawing for a grand prize winner
|	of a 19" color tv.
|
|3.	In the event of any conflicts, the decision of the GOULD
|	show director will be final.
|
|*Unix is a trademark of AT&T
|
|----------------------------------------------------------------

The contents of the file were:

"gould makes firebreathing,very high performance super mini machines."

I will present the case history of how I broke it using the most classic
of all hacker tricks.  In addition, I located other weaknesses in their system
that would allow even the most novice hacker to break into UTX/32S.

Having only limited time and a public account to do my hacking, I chose to
use the Trojan horse attack.  They willingly revealed that the environment
a user is put in is a restricted environment, either much like or exactly
like the chroot(2) system call of Unix, which, to the best of my knowledge,
hasn't been defeated.  Therefore, it would have been a waste of time
to try to defeat the chroot.  The Gould salesmen readily offered to show me
their environment, which revealed that PATH was set to ".:/bin:/usr/bin:..."
The key being that the current directory is at the beginning of the search
path.  I quickly created an 'ls' trojan horse and put it in the guest
home directory.  Then I asked if root could get to the guest directory and
asked him to do so.  He did a cd to the guest directory and did an 'ls',
which fired off my trojan horse.  I could have waited for him to fall into
the trap, but I was afraid that someone else would find my trojan horse
and use my work.  Before I got everything right, I had to enlist the unknowing
support of root twice more, due to differences in Secure Unix.

At this point, let me point out that in order for Gould to achieve this
level of security they had to strip out a lot of the things that
make Unix powerful (ex: suid bits) and isolate users into a chroot
environment.  UTX/32S also seems to have many cross checks between the
different /etc/passwd and /etc/group files.  The first attempt was
to add my own "admin" account to the top level passwd file.  This failed
because the user id I chose wasn't in the group file.  Another trojan
later, I had my own group in the group file.  Still the system complained about
my group not being valid, but it did let me log in as an administrator.
Then a very strange thing happened.  I couldn't execute "cshsu(8)"
(Gould's answer to su, but less secure).  The real admin couldn't execute
cshsu either.  I returned the next day and asked if they had found out
how I had broken in.  With their audit file, I expected that they had.
The answer was that I had broken something and they had to reboot; that
caused the audit file to be removed.  (Note: if you ever want to cover
your tracks on UTX/32S, just crash the system.)  Well, this gave me new
hope that I could break it with another, better horse.  With the next
horse I copied the file in question to an area that I could read.
(Besides making a copy of the file I could have also planted a
worm or virus.  Of course no one would do such a thing :-) )

Then I showed them the content of the file in question.  Well,
they lost their cool, to say the least.  I was happy to explain how I did
it.  They informed me that I had not really broken the system but just
tricked the system admin, and that the method that I used was immoral.
I tried to argue with him for about fifteen minutes without success.  In hope
of reasoning with him I enlisted the help of an impartial third party.
(Whom I haven't asked if I could quote, so I will withhold this person's name.)
This person listened to both sides and concluded that I had broken the
system with a classic hacker technique.

The question I have for the net is: Is using a trojan horse a legit way
to break into a system?  What is your opinion?

		SUMMARY of Gould UTX/32S System

I am not even sure that it can still be called Unix since SUID bits have
been removed.  After all, that is what Dennis M. Ritchie patented as the
Unix protection scheme.  But as far as being secure, I will say that
it is or could be as secure as any other unix system.  It takes more
forethought to break standard unix.  It takes away one of the most
powerful features of unix.  The cshsu should have stripped out the
current directory from the path like su(1) does.  For that matter, the shells
should have removed the current directory or at least put it at the end,
just for good system hygiene.  The tty driver should have a kill character
to allow login to be killed to prevent trojan horses.  There is also
another hole I will not go into at this point.
-- 
Darryl Wagoner			
UniSecure Systems, Inc.; Newport,  RI; (401)-849-0857 

{allegra|gatech|linus|raybed2|ihnp4|cci632}  !rayssd!unisec!dpw
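The weakness the post turns on is a search path that visits the current directory before the system directories. As an added example (not part of the original post or of Gould's UTX/32S), here is the check and the fix the summary asks for, in POSIX sh: one function reports whether a PATH value would make the shell look in the current directory (".", an empty component, or any relative entry), and another rebuilds the PATH from absolute entries only, which is what an su-like tool should do before running anything on an administrator's behalf. The sample PATH value is constructed to match the one described in the post.

```shell
# path_has_cwd PATHVALUE
# Exit status 0 if the search path would consult the current directory:
# a "." entry, an empty entry (leading, trailing or doubled ':'), or any
# entry that is not an absolute pathname.  Exit status 1 otherwise.
path_has_cwd() {
    rest="$1:"                  # trailing ':' so the last, possibly empty, field is visited
    while [ -n "$rest" ]; do
        comp=${rest%%:*}        # next component
        rest=${rest#*:}         # what remains after it
        case $comp in
            /*) ;;              # absolute entry: searched independently of cwd
            *)  return 0 ;;     # "", ".", "./x" or "bin" all resolve against cwd
        esac
    done
    return 1
}

# sanitize_path PATHVALUE
# Prints PATHVALUE with every non-absolute entry dropped and duplicates
# removed, keeping the original order of the surviving entries.
sanitize_path() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        comp=${rest%%:*}
        rest=${rest#*:}
        case $comp in
            /*) case ":$out:" in
                    *":$comp:"*) ;;                     # already present
                    *) out="${out:+$out:}$comp" ;;      # append
                esac ;;
            *)  ;;              # drop ".", "" and relative entries
        esac
    done
    printf '%s\n' "$out"
}

# Demonstration on a constructed PATH shaped like the one in the post.
demo_path=".:/bin:/usr/bin:/bin:"
if path_has_cwd "$demo_path"; then
    echo "unsafe PATH (searches the current directory): $demo_path"
    echo "sanitized PATH: $(sanitize_path "$demo_path")"
fi
```

A privileged wrapper would assign the sanitized value to PATH (and export it) before exec'ing the target command, so that a file named after a common utility in the caller's working directory is never the one that runs.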