Aucbvax.5576
fa.unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Sun Dec 27 02:37:24 1981
Hideous uucp security hole
>From decvax!yale-comix!ima!johnl@Berkeley Sun Dec 27 02:24:41 1981
There is a bug in the 4.0 and 4.1 BSD uucp and probably in other versions
that allows malicious users to execute any command remotely whether or
not the remote system nominally allows it.

The problem is that uuxqt, the program that actually executes remote
commands, fails to check for "&" characters in the command line, so that
any command can follow an "&" and be executed.  Malicious users can
explicitly invoke the shell and run arbitrary sequences of commands.
They can also execute uucp remotely and so masquerade as other users and
systems.

The fix to disallow commands with "&" is fairly simple.  In uuxqt.c, add
the following:

               while ((ptr = getprm(ptr, prm)) != NULL) {
                       if (prm[0] == ';' || prm[0] == '^'
                         || prm[0] == '|') {
                               xcmd[0] = '\0';
                               APPCMD(prm);
                               continue;
                       }
                       /******* begin new code *******/
                       /* this is about line 150 */
                       if(prm[0] == '&') {
                               cmdnok++;
                               break;
                       }
                       /******* end of new code *******/
                       if ((cmdnok = cmdok(xcmd, prm)) != 0)
                               /*  command not valid  */
                               break;

In getprm.c, near line 30 change:
        || *s == ';') {
to
        || *s == ';' || *s == '&') {

I'm amazed this hasn't been picked up before.
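
How the two changes in the post work together, as an added example that is not part of the original post or the uucp source: a simplified model in which `next_tok` stands in for `getprm` and `line_accepted` for the `uuxqt` loop. Those names, the `rmail`/`rnews` allowlist and the sample lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define OLD_DELIMS ";^|"    /* delimiter set before the getprm.c change */
#define NEW_DELIMS ";^|&"   /* delimiter set after the getprm.c change  */

/* Hypothetical stand-in for getprm(): blanks separate words, and every
 * character in `delims` comes back as a one-character token of its own. */
static const char *next_tok(const char *s, char *out, size_t n, const char *delims)
{
    size_t i = 0;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '\0') return NULL;
    if (strchr(delims, *s)) { out[0] = *s++; out[1] = '\0'; return s; }
    while (*s && *s != ' ' && *s != '\t' && !strchr(delims, *s)) {
        if (i + 1 < n) out[i++] = *s;   /* truncate over-long words */
        s++;
    }
    out[i] = '\0';
    return s;
}

/* Constructed allowlist, playing the role of cmdok(). */
static int cmd_allowed(const char *c)
{
    return strcmp(c, "rmail") == 0 || strcmp(c, "rnews") == 0;
}

/* Returns 1 if the line would be passed on for execution, 0 if refused.
 * check_amp models the new prm[0] == '&' test added to uuxqt.c. */
static int line_accepted(const char *line, const char *delims, int check_amp)
{
    char tok[64];
    int at_cmd = 1;                     /* next word is a command name */
    while ((line = next_tok(line, tok, sizeof tok, delims)) != NULL) {
        if (tok[0] == ';' || tok[0] == '^' || tok[0] == '|') { at_cmd = 1; continue; }
        if (check_amp && tok[0] == '&') return 0;
        if (at_cmd && !cmd_allowed(tok)) return 0;
        at_cmd = 0;                     /* the rest are arguments */
    }
    return 1;
}

int main(void)
{
    const char *l[] = { "rmail user & sh", "rmail user&sh" };  /* constructed */
    int i;
    for (i = 0; i < 2; i++)
        printf("%-16s old=%d uuxqt-only=%d both=%d\n", l[i], line_accepted(l[i], OLD_DELIMS, 0),
               line_accepted(l[i], OLD_DELIMS, 1), line_accepted(l[i], NEW_DELIMS, 1));
    return 0;
}
```

In this model the uuxqt.c test alone still accepts `rmail user&sh`, because the `&` never starts a token; the getprm.c delimiter change is what splits it out so the test can see it.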

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.