Path: utzoo!mnetor!uunet!husc6!hao!oddjob!gargoyle!ihnp4!occrsh!occrsh.ATT.COM!rjd
From: rjd@occrsh.ATT.COM
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Message-ID: <140200002@occrsh.ATT.COM>
Date: 7 Dec 87 16:14:00 GMT
References: <459@gtx.com>
Lines: 28
Nf-ID: #R:gtx.com:-45900:occrsh.ATT.COM:140200002:000:1601
Nf-From: occrsh.ATT.COM!rjd    Dec  7 10:14:00 1987


> Sure.  If I wanted to get into someone's files to pull a prank, I would
> write a program to give me a shell, put it in an unprotected directory,
> and change ownership to the person whose files I wanted to get into.
> 
> Then I would send them mail that had embedded in it commands to enter
> the necessary command to make my program setuid into the memory of their
> HP terminal and then send the entered sequence to Unix.  Most of the time
> it wasn't even noticed if it was buried properly.  Now all I had to do
> was run the setuid program and I was them.

  Yeah, when I was first getting into the security aspects of Unix, I was
friends with an inexperienced administrator of a system that left his
terminal with programmable and pollable function keys writable.  Just
check to see if a "who -u" shows him idle for a few minutes, send the escape
sequences to program the keys, then poll them, and voila!!  Once he caught
on to that (as I said, he was a friend, and I was telling him most of what
I did), I switched over to the mailing of the escape sequences.  After that,
I told him all the techniques that I had used and the defense (and also
told him where ALL of the be-root programs were).  I still got blamed for
stuff that was not my fault, but them's the breaks.
  Moral: Either don't do it or be VERY careful because anything that goes
wrong will be blamed on you.  Also: Always forward root's mail to a user
and then still read it through a filter such as "cat -v", and never have
root's terminal writable.  These escape sequence methods work between machines
via uucp also.

Randy
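The "read root's mail through a filter such as cat -v" advice above, as an added shell example that is not part of Randy's post: the `count_control_bytes` and `scan_message` functions and the two sample messages are constructed for illustration, and the script assumes only POSIX `tr`/`grep` plus a `cat` that understands `-v`.

```sh
#!/bin/sh
# Added example, not from the original post: a "read root's mail through a
# filter" check in the spirit of cat -v.  Work in the C locale so every
# byte is matched literally regardless of the login environment.
LC_ALL=C; export LC_ALL

# count_control_bytes FILE
# Prints how many control bytes (0x01-0x1f, 0x7f) the file holds,
# ignoring the tab and newline that ordinary text legitimately uses.
count_control_bytes() {
    tr -d '\n\t' < "$1" | tr -cd '\001-\037\177' | wc -c | tr -d ' '
}

# scan_message FILE
# Returns 0 if the message is plain text.  Otherwise prints every line
# carrying a control byte, rendered by cat -v so ESC appears as ^[ instead
# of being handed to the terminal, and returns 1.
scan_message() {
    n=$(count_control_bytes "$1")
    [ "$n" -eq 0 ] && return 0
    echo "WARNING: $n control byte(s) in $1; offending lines (cat -v):"
    grep -n "[$(printf '\001-\037\177')]" "$1" | cat -v
    return 1
}

# Constructed sample messages.  The second carries an ANSI attribute-reset
# sequence (ESC [ 0 m) as a harmless stand-in for a key-programming sequence.
CLEAN_MSG=$(mktemp)
SUSPECT_MSG=$(mktemp)
trap 'rm -f "$CLEAN_MSG" "$SUSPECT_MSG"' EXIT
printf 'From: alice\nSubject: lunch\n\n\tNoon at the usual place?\n' > "$CLEAN_MSG"
printf 'From: bob\nSubject: hi\n\nMeeting moved\033[0m to 3pm.\n' > "$SUSPECT_MSG"

scan_message "$CLEAN_MSG"   && echo "$CLEAN_MSG: clean"
scan_message "$SUSPECT_MSG" || echo "$SUSPECT_MSG: hold for inspection"
```

Run it as root's mail filter by piping each message into a file and calling `scan_message` on it; a non-zero return means the message should be read only through `cat -v`, never straight to the terminal.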