Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!ucbvax!NUSVM.BITNET!GBOPOLY1
From: GBOPOLY1@NUSVM.BITNET (fclim)
Newsgroups: comp.sys.apollo
Subject: RE: security bug (hole)
Message-ID: <8908140928.AA18824@umix.cc.umich.edu>
Date: 14 Aug 89 09:27:53 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 92
X-Unparsable-Date: Mon, 14 Aug 89 17:19:57 SST

I'd like to put my 2 cents into this.

I had discovered rdmc on my own before Peter Lipp announced it. It was kind of experimental and I use it once in a while to shut all nodes in the ring:

    % foreach x (//*)
    rsh $x:t rdmc shut
    end

or use it to log out someone (I was experimenting with a time-quota in a similar sense as a disk-quota):

    % rsh node rdmc "lo -on; lo"

I have never thought of the convoluted DM command:

> rdmc "kd cr en;dr;kd cr xc -f '/tmp/pw' ;en;kd cr en ke ke ke"

to crowbar the passwd right under the user's nose.

I am new to programming with Aegis system calls; and I don't spend much time writing such programs 'cos I'd rather use Unix calls instead. If I can write rdmc, I am sure others better than myself are able to do so, whether Peter has submitted the source or not. Peter has done us a great service by publishing the source; it shows that

    *** the DM is either too powerful or too loose. ***

Apollo oughta scale it down by removing certain commands from it or checking the SID/ACLs on the commands.

/**********************************************************/

I'd like to share a couple of ideas I have had for some time now. They concern trojan horses.

On vanilla Unix w/o a windowing system like Apollo DM (ie only a glass tty is available) (eg Xenix on an IBM PC w/o X), it is easy to write a trojan horse. The trojan (shell script or otherwise) displays a login prompt inviting users to log in. Whether it logs in the user or not, it will capture the passwd.

It is possible to imitate the Apollo login screen for the purpose of capturing passwds by using gpr_$borrow mode and the pad_$dm_cmd() call. The latter call (pad_$dm_cmd) is not used to log in the user (because it can't be done), but is used to call the DM command msg to print the "wrong passwd" message on the DM output pad. There is still some more work to be done to avoid arousing the user's suspicion; but I believe I can produce a program to trick some of the people (especially naive novices) some of the time.

I have 2 solutions.

The first one uses the behavior of init(8), the Adam and Eve process found in Unix and recently in Domain/OS. On a successful login, init spawns a shell and then it (init) goes to sleep. At logout, init awakes and waits upon another login(1). (This is roughly what happens; I have left out all the juicy parts.) The idea is to have a front-panel LED to reflect the status of init. When no one is logged in on that node, init is awake and the LED lights up or blinks. If the LED is not blinking, either the LED has KOed or someone has logged in and left a trojan; users log in at their own risk. No system call can turn this LED on.

The 2nd idea is to throw out gpr_$borrow mode in a sense. Applications may still enter into borrow mode; but instead of 1024 by 800, only 1024 by 780 pixels are writable. Thus, no one can write code to imitate the DM input pad. System calls should be available to blacken this portion or to send text to this portion. For the latter purpose, the portion is treated as a one-line glass tty: text appears in this region in the same manner as the electronic billboards (whatChaCallIt?) found in Manhattan's Times Square or Wall Street where the text scrolls horizontally. Commands like send_alarm, wall(1), write(1) attempt to create a pad; on failure, they write to the bottom of the borrowed screen.

fclim
---
gbopoly1 % nusvm.bitnet @ cunyvm.cuny.edu
computer centre
singapore polytechnic
dover road
singapore 0513.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Add your pet peeve: If we think really hard, maybe we can stop this ____!
No ____! No ____! No ____!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Self-adhesive labels with following note:

    ___
   /     If this is not blinking,
  /      log in at your own risk.
  v

are on sale at 10 cents a piece. Residents of the People's Republic of Massachusetts, please add state tax.
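The second idea above (a borrowed screen that stops at row 779, with rows 780..799 reserved for a system-only scrolling strip that wall/send_alarm fall back to) as an added model, not code from the post or from Apollo. The 1024x800 screen and the 780-row user area are the post's numbers; the class and function names are hypothetical, and the frame buffer is modelled as character cells.

```python
# Added model of the "reserved bottom strip" policy from the post.
# Screen size and the 780-row user area come from the post; the API
# (Screen, user_write, system_strip, notify) is hypothetical.

SCREEN_W, SCREEN_H = 1024, 800
USER_ROWS = 780          # a borrow-mode app may paint rows 0..779 only
STRIP_ROW = USER_ROWS    # rows 780..799 are the system strip; modelled as one row

class Screen:
    """Character-cell stand-in for the frame buffer."""

    def __init__(self):
        self.cells = [[' '] * SCREEN_W for _ in range(SCREEN_H)]
        self.rejected = 0            # user writes that tried to hit the strip

    def user_write(self, x, y, text):
        """Write from a borrow-mode application; clipped to the user area."""
        if not (0 <= y < USER_ROWS):
            self.rejected += 1       # a fake "login:" cannot reach the strip
            return False
        for i, ch in enumerate(text):
            if 0 <= x + i < SCREEN_W:
                self.cells[y][x + i] = ch
        return True

    def system_strip(self, text, offset=0):
        """Privileged call: show text in the strip as a horizontal marquee.
        offset = how many cells the text has scrolled leftward so far."""
        padded = ' ' * SCREEN_W + text + ' ' * SCREEN_W
        row = list(padded[offset:offset + SCREEN_W].ljust(SCREEN_W))
        self.cells[STRIP_ROW] = row
        return ''.join(row).strip()

    def strip_text(self):
        return ''.join(self.cells[STRIP_ROW]).strip()

    def user_area_row(self, y):
        return ''.join(self.cells[y]).strip()

def notify(screen, msg):
    """What wall/send_alarm would do: try a pad, else use the strip.
    Pad creation is simulated as failing (screen is borrowed)."""
    pad_created = False              # constructed: borrow mode, no pad possible
    if pad_created:
        return 'pad'
    screen.system_strip(msg, offset=SCREEN_W)   # offset W: text starts at col 0
    return 'strip'
```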