Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!ucbvax!NUSVM.BITNET!GBOPOLY1
From: GBOPOLY1@NUSVM.BITNET (fclim)
Newsgroups: comp.sys.apollo
Subject: RE: security bug (hole)
Message-ID: <8908140928.AA18824@umix.cc.umich.edu>
Date: 14 Aug 89 09:27:53 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 92
X-Unparsable-Date: Mon, 14 Aug 89 17:19:57 SST

I'd like to put my 2 cents into this.
I discovered rdmc on my own before Peter Lipp announced it.
It was kind of experimental and I use it once in a while to shut all
nodes in the ring:
     % foreach x (//*)
     rsh $x:t rdmc shut
     end
or use it to log out someone (I was experimenting with a time-quota
in a similar sense as a disk-quota):
     % rsh node rdmc "lo -on; lo"
I have never thought of the convoluted DM command:
> rdmc "kd cr en;dr;kd cr xc -f '/tmp/pw' ;en;kd cr en ke ke ke"
to crowbar the passwd right under the user's nose.

I am new to programming with Aegis system calls; and I don't spend
much time writing such programs 'cos I'd rather use Unix calls instead.
If I can write rdmc, I am sure others better than myself are able to
do so, whether Peter has submitted the source or not.

Peter has done us a great service by publishing the source; it
shows that
       ***  the DM is either too powerful or too loose.  ***
Apollo oughta scale it down by removing certain commands from it
or checking the SID/ACLs on the commands.

/**********************************************************/

I'd like to share a couple of ideas I have had for some time now.
They concern trojan horses.

On vanilla Unix w/o a windowing system like Apollo DM (ie only a
glass tty is available) (eg Xenix on an IBM PC w/o X), it is easy
to write a trojan horse.  The trojan (shell script or otherwise)
displays a login prompt inviting users to log in.  Whether it logs
in the user or not, it will capture the passwd.

It is possible to imitate the Apollo login screen for the purpose of
capturing passwds by using gpr_$borrow mode and pad_$dm_cmd() call.
The latter call (pad_$dm_cmd) is not used to log in the user (because
it can't be done), but is used to call the DM command msg to print
the "wrong passwd" message on the DM output pad.  There is still some
more work to be done to avoid arousing the user; but I believe I can
produce a program to trick some of the people (especially naive
novices) some of the time.

I have 2 solutions.  The first one uses the behavior of init(8), the
Adam and Eve process found in Unix and recently in Domain/OS.  On a
successful login, init spawns a shell and then it (init) goes to
sleep.  At logout, init awakes and waits upon another login(1).
(This is roughly what happens; I have left out all the juicy parts).

The idea is to have a front-panel LED to reflect the status of init.
When no one is logged in on that node, init is awake and the LED lights
up or blinks.  If the LED is not blinking, either the LED has KOed or
someone has logged in and left a trojan; users log in at their
own risk.  No system call can turn this LED on.

The 2nd idea is to throw out gpr_$borrow mode in a sense.  Applications
may still enter into borrow mode; but instead of 1024 by 800, only
1024 by 780 pixels are writable.  Thus, no one can write code to
imitate the DM input pad.  System calls should be available to blacken
this portion or to send text to this portion.  For the latter purpose,
the portion is treated as a one-line glass tty:  text appears in this
region in the same manner as the electronic billboards (whatChaCallIt?)
found in Manhattan's Times Square or Wall Street where the text scrolls
horizontally.  Commands like send_alarm, wall(1), write(1) attempt to
create a pad; on failure, they write to the bottom of the borrowed
screen.

fclim          --- gbopoly1 % nusvm.bitnet @ cunyvm.cuny.edu
computer centre
singapore polytechnic
dover road
singapore 0513.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Add your pet peeve

If we think really hard, maybe we can stop this ____!
No ____! No ____! No ____!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Self-adhesive labels with following note:

                    ___ If this is not blinking,
                   /    log in at your own risk.
                  /
                 v

are on sale at 10 cents a piece.  Residents of the People's Republic
of Massachusetts, please add state tax.