Aucbvax.5576 fa.unix-wizards utzoo!decvax!ucbvax!unix-wizards Sun Dec 27 02:37:24 1981 Hideous uucp security hole >From decvax!yale-comix!ima!johnl@Berkeley Sun Dec 27 02:24:41 1981 There is a bug in the 4.0 and 4.1 BSD uucp and probably in other versions that allows malicious users to execute any command remotely whether or not the remote system nominally allows it. The problem is that uuxqt, the program that actually executes remote commands, fails to check for "&" characters in the command line, so that any command can follow an "&" and be executed. Malicious users can expicitly invoke the shell and run arbitrary sequences of commands. They can also execute uucp remotely and so masquerade as other users and systems. The fix do disallow commands with "&" is fairly simple. In uuxqt.c, add the following: while ((ptr = getprm(ptr, prm)) != NULL) { if (prm[0] == ';' || prm[0] == '^' || prm[0] == '|') { xcmd[0] = '\0'; APPCMD(prm); continue; } /******* begin new code *******/ /* this is about line 150 */ if(prm[0] == '&') { cmdnok++; break; } /******* end of new code *******/ if ((cmdnok = cmdok(xcmd, prm)) != 0) /* command not valid */ break; In getprm.c, near line 30 change: || *s == ';) { to || *s == ';' || *s == '&') { I'm amazed this hasn't been picked up before. ----------------------------------------------------------------- gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/ This Usenet Oldnews Archive article may be copied and distributed freely, provided: 1. There is no money collected for the text(s) of the articles. 2. The following notice remains appended to each copy: The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.