Aazure.595
net.general,net.unix-wizards
utcsrgv!utzoo!decvax!ucbvax!ihnss!cbosg!teklabs!tekmdp!azure!randals
Thu Mar  4 07:01:43 1982
WARNING: There is another system
It's time to go public with my discovery about a serious flaw
in the security of the standard UUCP software in V7, 2BSD, and 4BSD.

I have successfully constructed a shell command file which will execute
ANY desired command(s) on ANY system running vanilla UUCP.  What's more,
the command is executed as (not root, darn) the "uucp" login, thus
allowing access to the L.sys and USERFILEs, which in turn yields more system
names to "attack".  The actual commands executed are also untraceable,
but if you look through the LOGFILE, you can at least tell that somebody
is doing something (but not what they do).

I do not know if this is the same bug found by Berkeley People
(anyone out there that knows what they did please confer with me),
but I will be glad to share my knowledge with any properly identified
system administrator.

I will send computer mail only to "root" of any system that requests
the information.  My uucp address is:

       ...!ucbvax!teklabs!tekmdp!randals
               or
       ...!decvax!teklabs!tekmdp!randals

       (many other systems also know about us... check your local maps)

Randal L. Schwartz
Tektronix Microcomputer Development Products
Beaverton, Oregon

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.