tty security problems under SunOS 4.1 and SunOS 4.1.1

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Wed May 15 02:21:35 AEST 1991


CERT recently announced patched versions of telnetd and rlogind
available from Sun for SunOS 4.1 and 4.1.1. The patches do stop the
``cover'' program which was posted here recently. I believe the
``uncover'' program posted recently also prevents ``cover'' from
working.

However, the bugs are not fixed. I was able to adapt my breaking
program---still using the same holes that I posted some years back---to
SunOS 4.1 and 4.1.1, both with and without the new telnetd/rlogind.
Mitch Wright has agreed to be a reference for this. I believe the new
version will also survive ``uncover''.

What does this mean for you? In the short term: Hopefully the Netherlands
crackers will not be able to duplicate this work. In any case, to evade
tty security this way under SunOS now takes such a complex sequence of
manipulations that the average user won't even be tempted to try.
(Legitimate applications also have to do a ridiculous amount of extra
work, but never mind.) It is thus worthwhile to install the patched
telnetd and rlogind.

In the long term: SunOS is still insecure, and a sufficiently dedicated
cracker can and will be able to get past tty security no matter how many
other holes you close. It is inexcusable for Sun to leave this open.

I'd like to give two further comments. One: Don't believe unjustified
claims that a security hole has been fixed unless you can understand the
fixes yourself. I've received a lot of e-mail asking whether SunOS 4.1
and 4.1.1 had the same problems, or saying that Sun and CERT gave the
impression that the holes were closed, or insisting that the recently
announced patches were more than enough to fix everything and that the
tty problems would never reappear. Uh-huh. Sure they're fixed. I'm
reminded of what so many sites told Stoll upon being told that they'd
been broken into: ``We run a secure shop.''

Two: Security holes must be closed by logic, not just by testing. One of
my louder critics in this discussion---a manager of a large network,
unfortunately---thinks that by seeing break code he can invent a working
fix. He's wrong. It's exactly that sort of thinking that produces one
tty kludge after another, each of which is claimed to be the final
solution and none of which really does the job.

Sun's patched telnetd and rlogind do stop one program. That's good. But
the CERT announcement implies that the patches are a ``SOLUTION'' to the
entire vulnerability of the tty subsystem. That's absolutely wrong. The
documentation inside Sun's patched source claims that the new versions
will detect whenever a tty is open. That's absolutely wrong too.

Just because one break program fails doesn't mean the system is secure.
Unless you can logically prove your security, you have no security.

I hope the SunOS 4.1.1 example gives people a healthy level of distrust
for vendors' claims that a hole has been fixed. Sun---that's right,
powerful vendor Sun---was told about a security-breaking program, did
manage to stop that program, and then didn't look before it leaped into
the claim that the problem was now completely solved.

Why do people think this way? What is so difficult about logic and
common sense that they have to be replaced by testing? You can't play
around with security---and given how easy it is to *guarantee* that a
mechanism is secure, there's no reason to play around.

---Dan
