Path: galaxy.trc.rwcp.or.jp!titcca!nttlab!Nickel!okuno
From: okuno@Nickel.NTT.JP
Newsgroups: ntt.general,fj.general,fj.mail
Subject: INTERNET is UP (including patches)
Message-ID: <28039244912@Nickel.NTT.JP>
Date: 7 Nov 88 01:54:51 GMT
Sender: news@nttlab.ntt.JP
Reply-To: okuno@nuesun.ntt.jp
Distribution: fj
Organization: NTT Software Laboratories
Lines: 663
Posting-Front-End: TAO/ELIS Znews, Version -0.54, 30-Oct-88; Nickel.NTT.JP
Xref: galaxy.trc.rwcp.or.jp fj.general:546 fj.mail:39
X-originally-archived-at: http://galaxy.rwcp.or.jp/text/cgi-bin/newsarticle2?ng=fj.mail&nb=39&hd=a
X-reformat-date: Mon, 18 Oct 2004 15:18:22 +0900
X-reformat-comment: Tabs were expanded into 4 column tabstops by the Galaxy's archiver. See http://katsu.watanabe.name/ancientfj/galaxy-format.html for more info.

Mail connectivity with CSNET has been back since Saturday, but because
CSNET is overloaded, mail exchange is not yet flowing smoothly.
The article below is the account of the virus incident that was sent
from CSNET.
In the end, three pieces of software have to be fixed: SENDMAIL,
FINGERD and FTP.
All the fix information is contained in this message.

- Gitchang -

========================================

Subject: CSNET is resuming operation
Date: Fri, 04 Nov 88 19:38:23 -0500
From: dswindel%nnsc.nsf.net@ntt-cs-relay.ntt

Internet Computer Virus Update

Sometime late Wednesday, November 2, 1988, a computer virus was injected
into the Internet. Upon learning of the virus, the CSNET staff shut down
the CSNET network (PhoneNet, Dialup-IP, X25Net, Cypress, and leased line
service) to prevent the spread of the virus to or from member sites.
Having identified the transmission route of the virus, and having taken
action to prevent the spread of the virus via the CSNET hardware in
Cambridge, we now believe that the situation is under control and have
reconnected CSNET to the Internet.

This message contains information on what the virus did and how it
spread, and recommendations that you should take at your site to
minimize the spread of the program and allow you to confidently resume
Internet use. It also contains patches to sendmail and fingerd, two of
the programs which are now known to contribute to the spread of the
virus.

If you have any questions about the virus or about CSNET's status, you
should call the CSNET Hotline at (617)-873-2777 and leave a message. The
CSNET staff will be available throughout the weekend and will check both
telephone and electronic mail frequently.

Q: What Is The Virus And How Does It Spread?

A: The virus apparently affects UNIX Sun and VAX (Ultrix and BSD4.X)
systems via a bug in Sendmail (Vax and Sun) and in the finger daemon
(BSD4.3). There are no reports of the virus infecting other hardware
platforms or of the virus spreading through non-IP-based connections
(such as PhoneNet).

Once it enters a system via sendmail or fingerd, the virus compiles a
small bootstrap program in /usr/tmp or /tmp using the standard UNIX C
compiler (/bin/cc). The bootstrap program uses TCP to bring executable
programs across from an infected system; once transferred, the virus
tries to access user accounts with easily-determined passwords, and uses
/etc/hosts.equiv or .rhosts files as well as sendmail and fingerd to
propagate itself onto other machines. The executables run under the name
of "sh", so to a casual observer performing a system status command, the
program looks like a normal user running the sh shell.

There have been no reports that the virus is destructive; that is, it
doesn't appear to modify or delete any data files. However, in its
attempts to replicate itself, the virus has caused some systems to slow
down or to crash because of an excessive number of processes.

Q: How can you tell if your machine was affected?

A: On machines that have been visited by the virus, the /tmp and
/usr/tmp directories have been found to contain files of the form:
x, or x, dated since November 2, 1988. On Ultrix and Sun systems, core
files may be present in the root directory (/core) emanating from the
finger daemon. The presence of a /core file indicates that the virus
entered your system via fingerd but failed.

Q: How can you prevent your machine from becoming infected?

A: There are several steps that you can take to protect your network and
your computers from this virus. You should take all necessary actions
that are appropriate for your environment before you resume normal
Internet access.

1) If you are using sendmail, apply the patches given at the end of this
   message to disable the DEBUG option.

2) Disable the fingerd daemon by editing /etc/servers (Sun) or
   /etc/inetd.conf (VAX), commenting out the fingerd service, and
   restarting inetd. There is a patch that has been posted to fix the
   problem in fingerd that allowed the virus to spread; we have included
   the patch in this message.

3) Install the patch to ftpd given at the end of this message. Although
   ftp doesn't appear to play a role in the propagation of the virus,
   unpatched ftp's represent a significant security problem.

4) Clean up your /.rhosts, /etc/hosts.equiv, and user .rhosts files.
   These files should only allow trusted, known, necessary systems to
   access your hardware.

5) Make sure that all of your user accounts have passwords, and that the
   passwords are non-trivial and are not normal English words that can
   be gleaned from /usr/dict. The virus contains a list of the more
   popular passwords, and searches through /etc/passwd on a
   newly-infected machine to try to find accounts it could access.

6) If you think your machine and/or network is under attack, you might
   want to rename /bin/cc so that the virus is unable to propagate
   itself further on your machine.

7) Disconnect your network from the Internet until you are confident
   that you have installed all necessary patches and taken all
   reasonable security measures.

Q: What About PhoneNet Sites?

A: Due to the transmission mechanism that the virus used to spread
itself, we are confident that the virus can not be transmitted via
PhoneNet in any way. Further, we are confident that the virus is not
spread via the body or text of a mail message, but rather, through the
sendmail protocol itself.

Q: What has CSNET Done?

A: In an attempt to protect our members, CSNET discontinued all service
as of 11:30 EST yesterday (November 3, 1988). We have taken steps to
prevent the virus from attacking our systems and from propagating it in
any way. We are confident that PhoneNet sites can not be infected by
Email; the virus travels via IP packets, not via the PhoneNet protocol.
Having taken these steps, we now feel that it is appropriate to resume
network operation.

Q: Patches to Sendmail, FTP, and Fingerd

A: The remainder of this message contains the patches we have received
from the net which will protect your systems from the virus. If you have
any questions regarding them, or about the virus in general, please
contact the CSNET CIC at (617) 873-2777.

Thank You.

-- The CSNET Staff

---------------------------- FTP Fix -------------------------------

Date: Sat, 29 Oct 88 17:00:29 EDT
From: glenn@wheaties.ai.mit.edu (Glenn A. Adams)
To: [list]
Subject: serious unix ftp security bug

I'm not sure if you know about this, but the following bug exists in the
BSD ftp server which allows root access to random network users. To
reproduce, do the following:

	ftp -n loser.anywhere
	quote user ftp
	cd ~root
	quote pass guest

When the pathname for CWD is parsed, glob() bashes the static pwent
saved by USER; since guest!=0, PASS succeeds, and, you guessed it, you
are now root.

I was informed of this last week by a grad student at Harvard and am
trying to spread the word to the appropriate people. I would suggest
removing the ftp entry in your passwd file as a first step.

[...fix is below...]

Glenn Adams
MIT AI Laboratory

Date: Sun, 30 Oct 88 00:20:03 EDT
From: rick@seismo.CSS.GOV (Rick Adams)
To: karl@dinosaur.cis.ohio-state.edu
Subject: Re: horrible ftpd security bug

This is a diff of what I'm now running vs. 4.3bsd.
The trick was to take the "save" code from the pass() command in ftpd.c and move it into the piece that processes the user command. It seems to plug the immediate hole, but I'm not sure if their are others. --rick RCS file: RCS/ftpcmd.y,v retrieving revision 2.1 diff -c -r2.1 ftpcmd.y *** /tmp/,RCSt1005803 Sun Oct 30 00:17:23 1988 --- ftpcmd.y Sat Oct 29 23:56:41 1988 *************** *** 28,33 **** --- 28,34 ---- #include #include #include + #include extern struct sockaddr_in data_dest; extern int logged_in; *************** *** 82,95 **** cmd: USER SP username CRLF = { extern struct passwd *getpwnam(); logged_in = 0; if (strcmp((char *) $3, "ftp") == 0 || strcmp((char *) $3, "anonymous") == 0) { if ((pw = getpwnam("ftp")) != NULL) { ! guest = 1; ! reply(331, ! "Guest login ok, send ident as password."); } else { reply(530, "User %s unknown.", $3); --- 83,112 ---- cmd: USER SP username CRLF = { extern struct passwd *getpwnam(); + extern char * savestr(); + static struct passwd save; logged_in = 0; if (strcmp((char *) $3, "ftp") == 0 || strcmp((char *) $3, "anonymous") == 0) { if ((pw = getpwnam("ftp")) != NULL) { ! #ifdef 0 ! struct tm *localtime(), *tp; ! long clock; ! (void) time(&clock); ! tp = localtime(&clock); ! if (tp->tm_wday == 6 || tp->tm_wday == 0 ! || tp->tm_hour >= 19 || ! tp->tm_hour < 9) { ! #endif 0 ! guest = 1; ! reply(331, ! "Guest login ok, send ident as password."); ! #ifdef 0 ! } ! else ! reply(530, "Anonymous login not allowed between 9AM and 7PM EST Mon-Fri."); ! #endif 0 } else { reply(530, "User %s unknown.", $3); *************** *** 107,112 **** --- 124,143 ---- reply(530, "User %s access denied.", $3); } free((char *) $3); + if (pw) { + /* + * Save everything so globbing doesn't + * clobber the fields. 
+ */ + save = *pw; + save.pw_name = savestr(pw->pw_name); + save.pw_passwd = savestr(pw->pw_passwd); + save.pw_comment = savestr(pw->pw_comment); + save.pw_gecos = savestr(pw->pw_gecos); + save.pw_dir = savestr(pw->pw_dir); + save.pw_shell = savestr(pw->pw_shell); + pw = &save; + } } | PASS SP password CRLF = { *************** *** 578,584 **** if (tmpline[c] == '\n') { *cs++ = '\0'; if (debug) { ! syslog(LOG_DEBUG, "FTPD: command: %s", s); } tmpline[0] = '\0'; return(s); --- 609,615 ---- if (tmpline[c] == '\n') { *cs++ = '\0'; if (debug) { ! syslog(LOG_DEBUG, "command: %s", s); } tmpline[0] = '\0'; return(s); *************** *** 616,622 **** return (NULL); *cs++ = '\0'; if (debug) { ! syslog(LOG_DEBUG, "FTPD: command: %s", s); } return (s); } --- 647,653 ---- return (NULL); *cs++ = '\0'; if (debug) { ! syslog(LOG_DEBUG, "command: %s", s); } return (s); } *************** *** 633,639 **** (void) time(&now); if (logging) { syslog(LOG_INFO, ! "FTPD: User %s timed out after %d seconds at %s", (pw ? pw -> pw_name : "unknown"), timeout, ctime(&now)); } dologout(1); --- 664,670 ---- (void) time(&now); if (logging) { syslog(LOG_INFO, ! "User %s timed out after %d seconds at %s", (pw ? pw -> pw_name : "unknown"), timeout, ctime(&now)); } dologout(1); ----------------------- Sendmail Fix (1 of 3) ----------------------------- From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic) Newsgroups: comp.bugs.4bsd.ucb-fixes Subject: V1.67 (Virus posting) Message-ID: <8811031054.AA22156@okeeffe.Berkeley.EDU> Date: 3 Nov 88 10:54:57 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: University of California at Berkeley Lines: 107 Approved: ucb-fixes@okeeffe.berkeley.edu Subject: Fixes for the virus Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD Description: There's a virus running around; the salient facts. A bug in sendmail has been used to introduce a virus into a lot of Internet UNIX systems. 
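Review bot: the added `#include` line in the first hunk (lines 28,33) has lost its header name in this copy of the patch, so the hunk cannot be applied from the archive as shown; the covering text should name the header that the USER-command save code needs (the new code uses `struct passwd`, `savestr()` and, in the disabled block, `localtime()`).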
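Review bot: `#ifdef 0` / `#endif 0` in the USER hunk (the time-of-day restriction on anonymous login) is not valid preprocessor syntax under ANSI C, since `#ifdef` takes an identifier, and that block has nothing to do with the glob() fix; either drop it from the patch or write it as `#if 0` ... `#endif /* 0 */` so the patched ftpcmd.y compiles everywhere and the security change stays minimal.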
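Review bot: the save block in the USER hunk (lines 107,112) calls savestr() on six fields every time USER is issued and never frees the previous copies, so a client that repeats USER within one session leaks memory in the daemon; free the old strings (or copy into fixed-size static buffers) before re-saving. Also confirm that pass() now checks `pw->pw_passwd` through the `pw = &save` pointer and no longer calls getpwnam() itself, because that is what the fix relies on: the copy is what glob() cannot clobber.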
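Review bot: the three hunks from line 578 onward only drop the "FTPD: " prefix from syslog messages; they are logging cleanup unrelated to the security fix and should be split out, both to keep the security patch minimal and reviewable and because sites that grep their logs for "FTPD:" will silently stop matching.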
It has not been observed to damage the host system, however, it's incredibly virulent, attempting to introduce itself to every system it can find. It appears to use rsh, broken passwords, and sendmail to introduce itself into the target systems. It affects only VAXen and Suns, as far as we know. There are three changes that we believe will immunize your system. They are attached. Thanks to the Experimental Computing Facility, Center for Disease Control for their assistance. (It's pretty late, and they certainly deserved some thanks, somewhere!) Fix: First, either recompile or patch sendmail to disallow the `debug' option. If you have source, recompile sendmail after first applying the following patch to the module svrsmtp.c: *** /tmp/d22039 Thu Nov 3 02:26:20 1988 --- srvrsmtp.c Thu Nov 3 01:21:04 1988 *************** *** 85,92 **** "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, - "debug", CMDDBGDEBUG, # endif DEBUG # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ --- 85,94 ---- "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, # endif DEBUG + # ifdef notdef + "debug", CMDDBGDEBUG, + # endif notdef # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ Then, reinstall sendmail, refreeze the configuration file, using the command "/usr/lib/sendmail -bz", kill any running sendmail's, using the ps(1) command and the kill(1) command, and restart your sendmail. To find out how sendmail is execed on your system, use grep(1) to find the sendmail start line in either the files /etc/rc or /etc/rc.local If you don't have source, apply the following patch to your sendmail binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS UP! This is mildly tricky -- note, some versions of strings(1), which we're going to use to find the offset of the string "debug" in the binary print out the offsets in octal, not decimal. 
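Review bot: the srvrsmtp.c hunk hides only the "debug" entry under `# ifdef notdef`; "showq" (CMDDBGQSHOW) stays compiled in under the same `# ifdef DEBUG` and remains a command any remote SMTP client can issue, and if it displays the queue as its name suggests it discloses queue contents to unauthenticated peers, so consider moving it under `# ifdef notdef` as well or building without DEBUG. Deleting the "debug" line outright would also be clearer than keeping it behind `notdef`, where it invites being switched back on.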
Run the following shell line to decide how your version of strings(1)
works:

	/bin/echo 'abcd' | /usr/ucb/strings -o

Note, make sure the eight control 'G's are preserved in this line. If
this command results in something like:

	0000008 abcd

your strings(1) command prints out locations in decimal, else it's
octal.

The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!! This script
assumes that your strings(1) command prints out the offsets in decimal.

Script started on Thu Nov  3 02:08:14 1988
okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug
0096972 debug
okeeffe:tmp {3} adb -w /usr/lib/sendmail
?m 0 0xffffffff 0
0t10$d
radix=10 base ten
96972?s
96972:          debug
96972?w 0
96972:          25701   =       0
okeeffe:tmp {4} ^D
script done on Thu Nov  3 02:09:31 1988

If your strings(1) command prints out the offsets in octal, change the
line "0t10$d" to "0t8$d".

After you've fixed sendmail, move both /bin/cc and /bin/ld to something
else. (The virus uses the cc and the ld commands to rebuild itself to
run on your system.)

Finally, kill any processes on your system that don't belong there.
Suspicious ones have "(sh)" or "xNNNNNNN" where the N's are random
digits, as the command name on the ps(1) output line.

One more thing, if you find files in /tmp or /usr/tmp that have names
like "xNNNNNN,l1.c", or "xNNNNNN,sun3.o", or "xNNNNNNN,vax.o" where the
N's are random digits, you've been infected.

-------------------------------- Sendmail Fix (2 of 3) -----------------------

From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic)
Newsgroups: comp.bugs.4bsd.ucb-fixes
Subject: V1.68 (Virus posting #2)
Message-ID: <8811031612.AA22864@okeeffe.Berkeley.EDU>
Date: 3 Nov 88 16:12:19 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: University of California at Berkeley
Lines: 16
Approved: ucb-fixes@okeeffe.berkeley.edu

Subject: Virus posting #2
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD

Description:
	This is a followup message, to clear up two points.

	First off, a better value to use to PATCH your sendmail
	executable is 0xff; if you're using the patch script, change:

		96972?w 0

	to:

		96972?w 65535

	Secondly, note, if, when you run strings(1) on your sendmail
	executable, grepping for ``debug'', you don't get any output,
	don't worry about the problem, your system is already (we think)
	safe.

------------------ Sendmail Fix (3 of 3) and fingerd fix ------------------

From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic)
Newsgroups: comp.bugs.4bsd.ucb-fixes
Subject: V1.69 (Virus posting #3)
Message-ID: <8811040318.AA26579@okeeffe.Berkeley.EDU>
Date: 4 Nov 88 03:18:47 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: University of California at Berkeley
Lines: 188
Approved: ucb-fixes@okeeffe.berkeley.edu

Subject: Virus posting #3
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD

Description:
	The recently reported worm appears to also be using the
	fingerd(8) daemon to enter systems. Here's a fix.

	The previous patch for sendmail(8) on binary systems only
	prevented the current attacker. The attached patch fixes the
	problem.

Fix:
	Re-patch sendmail. Recompile and reinstall the attached source
	for fingerd(8).

Here's a script to repatch sendmail. Note, this only applies to binary
systems, if you have source you should have recompiled and reinstalled
it already. You should start with the original sendmail binary, NOT the
binary that you've already patched. AND, REMEMBER, ALWAYS SAVE AN EXTRA
COPY IN CASE YOU MAKE A MISTAKE!! Finally, if you don't find the string
``debug'' in your sendmail binary, you don't have a problem; ignore this
patch.

This patch essentially makes it impossible to set the debug flag. Note,
your offsets as printed by adb may vary! Comments are preceded by a hash
mark, don't type them in, nor expect adb to print them out. Also, we're
again using strings(1) to find the decimal offset in the file of certain
strings.
To find out if your strings(1) command prints offsets in decimal, put 8
control (non-printable) characters in a file, followed by four printable
characters, and then use strings(1) to find the offset of your four
printable characters. If the offset is ``8'', it's using decimal, if
it's ``10'' it's using octal.

Script started on Thu Nov  3 18:45:34 1988
# find the decimal offset of the strings ``debug'' and ``showq'' in the
# sendmail binary.
okeeffe:tmp {2} strings -o -a sendmail | egrep 'debug|showq'
0097040 showq
0097046 debug
okeeffe:tmp {3} adb -w sendmail
# set the map, then set the default radix to base 10
?m 0 0xffffffff 0
0t10$d
radix=10 base ten
# check to make sure that strings(1) was right, and then find out what
# the byte pattern for ``showq'' is for your machine.  Note that adb
# prints out that byte pattern in HEX!
97040?s
97040:          showq
97040?Xx
97040:          73686f77        7100
# check on the string ``debug'', then, overwrite the first four bytes,
# move up 4 bytes, and then overwrite the last two bytes with the byte
# pattern seen above for ``showq''.
97046?s
97046:          debug
97046?W 0x73686f77
97046:          1684365941      =       1936224119
.+4
.?w 0x7100
97050:          26368   =       28928
# check to make sure we wrote out the correct string.
97046?s
97046:          showq
okeeffe:tmp {4} strings -o -a sendmail | egrep 'debug|showq'
0097040 showq
0097046 showq
okeeffe:tmp {5}
script done on Thu Nov  3 18:47:42 1988

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	fingerd.c
#
echo x - fingerd.c
sed 's/^X//' >fingerd.c << 'END-of-fingerd.c'
X/*
X * Copyright (c) 1983 The Regents of the University of California.
X * All rights reserved.
X *
X * Redistribution and use in source and binary forms are permitted
X * provided that the above copyright notice and this paragraph are
X * duplicated in all such forms and that any documentation,
X * advertising materials, and other materials related to such
X * distribution and use acknowledge that the software was developed
X * by the University of California, Berkeley.  The name of the
X * University may not be used to endorse or promote products derived
X * from this software without specific prior written permission.
X * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
X * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
X * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
X */
X
X#ifndef lint
Xchar copyright[] =
X"@(#) Copyright (c) 1983 The Regents of the University of California.\n\
X All rights reserved.\n";
X#endif /* not lint */
X
X#ifndef lint
Xstatic char sccsid[] = "@(#)fingerd.c	5.3 (Berkeley) 11/3/88";
X#endif /* not lint */
X
X/*
X * Finger server.
X *
X * The header names below did not survive the archiving of this
X * posting (the text inside the angle brackets was stripped); they are
X * restored here to what the code uses: sockets and sockaddr_in for
X * getpeername(), stdio for fgets()/fdopen(), ctype for isspace().
X */
X#include <sys/types.h>
X#include <sys/socket.h>
X#include <netinet/in.h>
X#include <stdio.h>
X#include <ctype.h>
X
X/*
X * Most arguments passed on to finger(1), not counting argv[0] and the
X * terminating null.  This bound is an editorial addition to 5.3: as
X * posted, av[] had four slots and the parsing loop below stored one
X * pointer per word of the request line with no limit, so a request of
X * three or more words wrote past the end of av[].
X */
X#define	MAXARGS	3
X
Xmain(argc, argv)
X	int argc;
X	char *argv[];
X{
X	register char *sp;
X	char line[512];
X	struct sockaddr_in sin;
X	int i, p[2], pid, status;
X	FILE *fp;
X	char *av[MAXARGS + 1];
X
X	i = sizeof (sin);
X	if (getpeername(0, &sin, &i) < 0)
X		fatal(argv[0], "getpeername");
X	/* fgets() with sizeof(line) is the fix: the request cannot overrun line[] */
X	if (fgets(line, sizeof(line), stdin) == NULL)
X		exit(1);
X	sp = line;
X	av[0] = "finger";
X	for (i = 1;;) {
X		while (isspace(*sp))
X			sp++;
X		if (!*sp)
X			break;
X		if (*sp == '/' && (sp[1] == 'W' || sp[1] == 'w')) {
X			sp += 2;
X			if (i < MAXARGS)
X				av[i++] = "-l";
X		}
X		if (*sp && !isspace(*sp)) {
X			if (i < MAXARGS)	/* extra words are consumed and dropped */
X				av[i++] = sp;
X			while (*sp && !isspace(*sp))
X				sp++;
X			*sp = '\0';
X		}
X	}
X	av[i] = 0;
X	if (pipe(p) < 0)
X		fatal(argv[0], "pipe");
X	if ((pid = fork()) == 0) {
X		close(p[0]);
X		if (p[1] != 1) {
X			dup2(p[1], 1);
X			close(p[1]);
X		}
X		execv("/usr/ucb/finger", av);
X		_exit(1);
X	}
X	if (pid == -1)
X		fatal(argv[0], "fork");
X	close(p[1]);
X	if ((fp = fdopen(p[0], "r")) == NULL)
X		fatal(argv[0], "fdopen");
X	while ((i = getc(fp)) != EOF) {
X		if (i == '\n')
X			putchar('\r');
X		putchar(i);
X	}
X	fclose(fp);
X	while ((i = wait(&status)) != pid && i != -1)
X		;
X	return(0);
X}
X
Xfatal(prog, s)
X	char *prog, *s;
X{
X	fprintf(stderr, "%s: ", prog);
X	perror(s);
X	exit(1);
X}
END-of-fingerd.c
exit
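The adb sessions in the three "Sendmail Fix" postings are easy to get wrong by hand (decimal versus octal offsets, writing the right number of bytes). The following is an added example, not code from the CSNET message or from Keith Bostic's postings: it reproduces the same procedure in Python, finding every NUL-terminated "debug" string in a binary, showing what is at that offset as adb's `?s` does, and overwriting it with "showq" plus a NUL. The replacement is exactly the length of the original, which is what makes an in-place patch safe: nothing else in the file moves. `SAMPLE_BINARY` is a constructed stand-in for /usr/lib/sendmail; offsets on a real binary will differ, as the postings warn.

```python
"""Locate and neutralise the "debug" SMTP command string in a sendmail binary.

Added example; not from the CSNET message or the ucb-fixes postings.
"""

DEBUG_CMD = b"debug\0"
SHOWQ_CMD = b"showq\0"
# Equal length is the whole point of using "showq" as the replacement.
assert len(DEBUG_CMD) == len(SHOWQ_CMD)


def find_command(data, name):
    """Offsets of every NUL-terminated string `name`, like `strings -o -a | egrep name`."""
    needle = name + b"\0"
    offsets, pos = [], 0
    while (pos := data.find(needle, pos)) != -1:
        offsets.append(pos)
        pos += 1
    return offsets


def string_at(data, offset):
    """The NUL-terminated string starting at `offset` (what adb prints for `offset?s`)."""
    end = data.find(b"\0", offset)
    return data[offset:end if end != -1 else len(data)]


def patch_debug(data):
    """Return (patched_copy, offsets_changed). The input bytes are never modified."""
    buf = bytearray(data)
    changed = []
    for off in find_command(data, b"debug"):
        buf[off:off + len(SHOWQ_CMD)] = SHOWQ_CMD
        changed.append(off)
    return bytes(buf), changed


def patch_file(src, dst):
    """Write a patched copy of `src` to `dst`; `src` stays untouched as the backup."""
    with open(src, "rb") as f:
        data = f.read()
    patched, changed = patch_debug(data)
    with open(dst, "wb") as f:
        f.write(patched)
    return changed


# Constructed stand-in for a sendmail binary: a header, filler, then a
# command-name table laid out like the one in the srvrsmtp.c hunk.
SAMPLE_BINARY = (b"\x7fELF" + bytes(range(256)) * 4
                 + b"onex\0showq\0debug\0kill\0helo\0"
                 + b"\0" * 16)

if __name__ == "__main__":
    for off in find_command(SAMPLE_BINARY, b"debug"):
        print("%d: %r" % (off, string_at(SAMPLE_BINARY, off)))
    patched, changed = patch_debug(SAMPLE_BINARY)
    print("patched offsets:", changed)
    print("debug still present:", bool(find_command(patched, b"debug")))
```

On a real system run `patch_file("/usr/lib/sendmail.orig", "/usr/lib/sendmail.new")` against a copy of the original binary, as the postings insist, and confirm with `find_command` on the result before installing it; an empty list from `find_command(data, b"debug")` on the original is the same "you don't have a problem" signal the postings describe.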
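The CSNET answer to "how can you tell if your machine was affected" and Bostic's "one more thing" paragraph give concrete indicators: dropped files named xNNNNNN,l1.c / xNNNNNN,sun3.o / xNNNNNNN,vax.o in /tmp or /usr/tmp, and processes whose command name shows as "(sh)" or xNNNNNNN. This added example (not part of either message) turns those indicators into a scan over `ls -l` and `ps` output. Both inputs are constructed samples in 4.3BSD layout, not captures from an infected host; a normal login shell ("-sh") is included to show it is not flagged.

```python
"""Scan ps(1) output and a /tmp listing for the worm's footprints.

Added example; not from the CSNET message or the ucb-fixes postings.
"""
import re

# Names the bootstrap leaves behind; the digits vary per run.
DROPPED_FILE = re.compile(r"^x\d+,(?:l1\.c|sun3\.o|vax\.o)$")
# Command names the running worm shows under ps(1).
WORM_PROCESS = re.compile(r"^(?:\(sh\)|x\d+)$")

# Constructed sample `ls -l /usr/tmp` output (BSD layout: 8 fields).
TMP_LISTING = """\
total 48
-rw-r--r--  1 daemon    1324 Nov  3 02:11 x14481910,l1.c
-rw-r--r--  1 daemon   21504 Nov  3 02:12 x14481910,vax.o
-rw-------  1 root      1024 Nov  2 23:40 sh12345
-rw-r--r--  1 okuno      512 Oct 30 10:00 xfoo.c
"""

# Constructed sample `ps` output.
PS_OUTPUT = """\
  PID TT STAT  TIME COMMAND
  101 ?  S     0:01 /usr/lib/sendmail -bd -q30m
  202 ?  R     4:32 (sh)
  203 ?  R     3:10 x14481910
  204 p0 S     0:00 -sh
  205 ?  S     0:00 /etc/inetd
"""


def suspicious_files(listing):
    """File names in an `ls -l` listing that match the dropped-file pattern."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 8:            # "total" line, blank lines
            continue
        name = fields[-1]
        if DROPPED_FILE.match(name):
            hits.append(name)
    return hits


def suspicious_processes(ps_text):
    """(pid, command) pairs whose command name matches the worm's disguises."""
    hits = []
    for line in ps_text.splitlines()[1:]:   # first line is the ps header
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        pid, command = int(fields[0]), fields[4]
        if WORM_PROCESS.match(command.split()[0]):
            hits.append((pid, command))
    return hits


if __name__ == "__main__":
    print("dropped files:", suspicious_files(TMP_LISTING))
    print("worm processes:", suspicious_processes(PS_OUTPUT))
```

A hit from `suspicious_files` means the bootstrap ran on the host (the advisory's "you've been infected"); a hit from `suspicious_processes` is a process to kill before the sendmail and fingerd fixes are installed, since the running worm keeps propagating until it is stopped.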
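Items 4 and 5 of the CSNET checklist (clean up hosts.equiv and .rhosts; make sure every account has a non-trivial password that is not a dictionary word) are the checks that blunt the worm's second propagation path, the one that needs no software bug at all. This added example, not from the CSNET message, implements both audits. Assumptions: the allow-list of trusted hosts, the popular-password list and the dictionary are small constructed stand-ins for the site's own list, the worm's internal list and /usr/dict/words; and because this runs without a real /etc/passwd, guesses are compared with SHA-256 through `_hash` rather than crypt(3). The guess generators (login name, login doubled, first word of the GECOS field, then the two word lists) are an illustration of the kind of guessing the advisory describes, not a reproduction of the worm's exact list.

```python
"""Audit hosts.equiv/.rhosts entries and guessable passwords.

Added example; not from the CSNET message.
"""
import hashlib


def _hash(password):
    """Stand-in for crypt(3); the audit only needs 'hash a guess and compare'."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_trust_file(text, trusted_hosts):
    """Findings for a hosts.equiv or .rhosts file as (line_no, entry, reason)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((no, line, "any host is trusted"))
        elif user == "+":
            findings.append((no, line, "any user on %s is trusted" % host))
        elif host.startswith("@"):
            findings.append((no, line, "netgroup entry; verify its members"))
        elif host.lstrip("-") not in trusted_hosts:
            findings.append((no, line, "host not on the allow-list"))
    return findings


POPULAR_PASSWORDS = ["guest", "password", "welcome", "system"]  # constructed stand-in
DICTIONARY_WORDS = ["apple", "banana", "dragon", "galaxy"]      # stand-in for /usr/dict/words


def guesses(login, gecos):
    """Candidate passwords for one account, cheapest first, labelled by origin."""
    yield "login name", login
    yield "login name doubled", login + login
    if gecos.strip():
        yield "name from GECOS", gecos.split()[0].lower()
    for word in POPULAR_PASSWORDS:
        yield "popular password", word
    for word in DICTIONARY_WORDS:
        yield "dictionary word", word


def audit_passwd(text):
    """(login, reason) for every account with no password or a guessable one."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        login, pw_hash, _uid, _gid, gecos, _home, _shell = raw.split(":")
        if pw_hash == "":
            findings.append((login, "no password"))
            continue
        for source, guess in guesses(login, gecos):
            if _hash(guess) == pw_hash:
                findings.append((login, "guessable: " + source))
                break
    return findings


# Constructed sample files.
TRUSTED_HOSTS = {"trusted1.example", "trusted2.example"}
HOSTS_EQUIV = """\
# hosts allowed in without a password
trusted1.example
+
unknown.example
trusted2.example +
@labnet
"""
PASSWD = "\n".join([
    "root:" + _hash("Zq7#pl9xR") + ":0:0:Operator:/:/bin/csh",
    "guest:" + _hash("guest") + ":100:10:Guest Account:/usr/guest:/bin/sh",
    "ftp::101:10:Anonymous FTP:/usr/ftp:/bin/sh",
    "bob:" + _hash("bobbob") + ":200:20:Bob Example:/u/bob:/bin/csh",
    "karl:" + _hash("dragon") + ":201:20:Karl Example:/u/karl:/bin/sh",
])

if __name__ == "__main__":
    for no, entry, reason in audit_trust_file(HOSTS_EQUIV, TRUSTED_HOSTS):
        print("hosts.equiv line %d: %-20s %s" % (no, entry, reason))
    for login, reason in audit_passwd(PASSWD):
        print("passwd: %-6s %s" % (login, reason))
```

Every finding maps to an action the advisory already calls for: remove or narrow the trust entry, and set a real password on the account (the passwordless "ftp" entry is also what Glenn Adams suggests removing in the FTP section).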