Xref: utzoo news.sysadmin:1783 comp.unix.wizards:13113
Path: utzoo!utgpu!watmath!clyde!att!rutgers!mit-eddie!bloom-beacon!bu-cs!encore!gloom!cory
From: cory@gloom.UUCP (Cory Kempf)
Newsgroups: news.sysadmin,comp.unix.wizards
Subject: Re: Trojan horse possible with news readers
Summary: now you see it...
...now you don't
Message-ID: <213@gloom.UUCP>
Date: 2 Dec 88 17:49:02 GMT
References: <6775@rosevax.Rosemount.COM>
Organization: Alloy Computer Products, Framingham, Mass.
Lines: 39
In article <6775@rosevax.Rosemount.COM>, news@rosevax.Rosemount.COM
(News administrator) writes:
> I don't know if this has been discussed before, but here goes...
>
> Many news reading programs (rn, vnews, others?) allow you to include the
> original text when following-up or replying-to articles. The
> default editor is usually vi; some versions of vi will execute
> commands if it sees a line (near the top or bottom of a file)
> of the form <:><:>

for that matter, the berkeley mailer also allows you to do so...

the above example is fairly simple... the following example is a bit
more complex... and a bit more dangerous...

NOTE:
If you attempt to edit this file using the vi editor, it will (if your
system is vulnerable) echo a blank line, followed by the word "BOOM"
followed by a blank line... the usenet software allows ^H, so you
won't see anything until it is too late. NOW can we get the
<:> mis-feature eliminated? please?
(BTW, How many of you SysAdmins out there use vi? and read news? and su root
from a directory that you have write access in? and use vi as root from that
directory? Wouldn't it be easier to post the password for root on your system?
(if you don't see how this might be a problem, send me e-mail))
If you do edit this file, you will note a line containing many ^H's...
what if I had after that a command to delete all lines beginning with
<:>?
+C
--
Cory Kempf
UUCP: encore.com!gloom!cory
Now you see it...
ex:!sh -c 'echo;echo BOOM;echo:
...Now you don't.
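
Added example (not part of the original post): a Python check that a news or mail gateway could run on article text before it is quoted into an editor. It flags ex:/vi: modelines in the first and last five lines and reports whether ^H overstrikes hide them on screen; the five-line window, the function names and the sample article are assumptions constructed for illustration.

```python
import re

# Assumption: classic vi honours "ex:" / "vi:" modelines found in the first
# and last 5 lines of a file when its modeline option is on.
MODELINE = re.compile(r"(?:^|\s)(?:ex|vi):")
WINDOW = 5

# Constructed sample: a harmless command, then ^H characters and cover text.
PAYLOAD = "ex:!echo EXAMPLE:"
COVER = "...Now you don't.".ljust(len(PAYLOAD))
HIDDEN_LINE = PAYLOAD + "\b" * len(PAYLOAD) + COVER
SAMPLE = "Subject: test\n\nbody line\n" + HIDDEN_LINE + "\n"

def rendered(line):
    """What a terminal displays once ^H (backspace) overstrikes are applied."""
    cells, col = [], 0
    for ch in line:
        if ch == "\b":
            col = max(col - 1, 0)
            continue
        if col < len(cells):
            cells[col] = ch          # overwrite the character under the cursor
        else:
            cells.append(ch)
        col += 1
    return "".join(cells)

def scan(text):
    """Return (line_number, hidden) for each modeline in the scan window.

    hidden is True when the raw bytes hold a modeline that the rendered
    (on-screen) form of the same line no longer shows.
    """
    lines = text.split("\n")
    head = range(min(WINDOW, len(lines)))
    tail = range(max(len(lines) - WINDOW, 0), len(lines))
    findings = []
    for i in sorted(set(head) | set(tail)):
        raw = lines[i]
        if MODELINE.search(raw):
            hidden = "\b" in raw and not MODELINE.search(rendered(raw))
            findings.append((i + 1, hidden))
    return findings

def sanitize(text):
    """Drop control characters other than tab/newline so nothing is overstruck."""
    return "".join(c for c in text if c in "\t\n" or (c >= " " and c != "\x7f"))

if __name__ == "__main__":
    print(scan(SAMPLE), scan(sanitize(SAMPLE)))
```

Sanitizing only makes the line visible to the reader; the editor will still act on it unless modeline processing is turned off (`set nomodeline`).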