Aazure.607
net.general,net.unix-wizards
utcsrgv!utzoo!decvax!duke!chico!harpo!mhtsa!ihnss!cbosg!teklabs!tekmdp!azure!randals
Sun Mar  7 17:10:34 1982
followup: WARNING: There is another system
Many of the people that have responded to my first announcement
of the break in UUCP that allows ANY command to be executed on ANY
system running vanilla V7, 2BSD, or 4BSD system as the "uucp" user
have asked me if this is the ampersand bug that John Levine mentioned
on this net a while ago.  (John's announcement must have happened
while our world-connect site, "teklabs", was having disk problems.)

To make this perfectly clear.... IT IS NOT the ampersand bug!  If I had
known about the ampersand bug, my task might have been a little simpler,
but my method DOES NOT DEPEND ON THAT BUG.  Fixing that bug DOES NOT ensure
you of a secure system.

To repeat my previous offer (for which to date I have received 45 requests!!),
I will send computer mail only to "root" of any system that requests
the information.  (I also simultaneously mail it to the original requestor,
since many people have told me that they do not check root's mail that often.)
My letter contains a description of the bug, my magic shell program
that makes use of the bug, and a recommended fix.
My uucp address is:

       ...!ucbvax!teklabs!tekmdp!randals
               or
       ...!decvax!teklabs!tekmdp!randals

       (many other systems also know about us... check your local maps)

Randal L. Schwartz
Tektronix Microcomputer Development Products
Beaverton, Oregon

P.S. If you have friends that are not on the net, but ARE running UUCP,
(are there really any sites like that?)  please tell them about this...
it IS important that as MANY systems as possible get fixed.

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.