Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.lang.c
Subject: Re: Insecure hardware (was Re: gets(3) nonsense)
Message-ID: <8308@bloom-beacon.MIT.EDU>
Date: 5 Dec 88 05:06:08 GMT
References: <867@cernvax.UUCP> <645@quintus.UUCP> <339@igor.Rational.COM> <4869@bsu-cs.UUCP> <14733@mimsy.UUCP> <13203@ncoast.UUCP>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: jik@athena.mit.edu (Jonathan I. Kamens)
Organization: Massachusetts Institute of Technology
Lines: 20

In article <13203@ncoast.UUCP> allbery@ncoast.UUCP (Brandon S. Allbery) writes:

>From what I've read, the fingerd attack was applied to Suns as well -- but
>the "wwww" address *was* sufficiently wrong, so an infected fingerd simply
>dumped core.

This is not correct.  I just checked with the one of the members of
the team who disassembled the code here at MIT.  He says that the
problem with the Sun version of the worm was that it was trying to use
the same hex instructions as the VAX code.  This obviously wouldn't
work, since the Sun instruction set is just slightly different from
the VAX's :-).

If the author(s) of the code had bothered to figure out the stack
frame dimensions on the Sun, I'm sure he/she/they would have also
figured out the necessary Sun instructions to make it work, and vice
versa.

  Jonathan Kamens
  MIT Project Athena