Implications of recent virus (Trojan Horse) attack

Doug Gwyn gwyn at smoke.BRL.MIL
Thu Nov 10 12:20:02 AEST 1988


In article <2151 at ficc.uu.net> peter at ficc.uu.net (Peter da Silva) writes:
>One side effect that I don't like is that UNIX is taking the blame for
>a combination of (1) a security hole in an application (sendmail), and
>(2) deliberate loosening of security to trusted sites (rhosts, etc...).
>Non-academic UNIX in general is a lot less open to techniques like this.

The virus exploited two security holes in Berkeley-supplied servers.
We found that several commercial offerings that included this software
had done little more than stick their own label on it; they did not go
over the code and fix its problems before releasing it.  In fact, in
the case of sendmail, they didn't even turn off the DEBUG flag in the
Makefile.

The technical problems that were exploited were mostly sloppiness that
nobody had reviewed and corrected in time.  We know of a few other
similar security holes that the virus didn't try to exploit.

One could also challenge the design that provides privileged access
via sockets and their servers without adequate authentication.

The lessons to be learned are not overly simple, and until they have
been thoroughly assimilated by the right people, you can be assured
that there are more security holes of the same general nature.

Try the following on your favorite remote 4BSD-based system:
	rlogin host -l ''
This attack works a surprising percentage of the time.  The problem
that provides the hole has been known for many years and was fixed
at least as long ago as 1984 in the AT&T-supplied UNIX variants.
But it persists in the Berkeley variants.  Perhaps this note will
prompt the various vendors to finally fix this problem!
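As an added illustration (not code from this post, nor the actual 4BSD rlogind/login sources), here is the kind of server-side check that closes the class of hole described above: the remote user name is validated before anything is done with it, and an account lookup that fails denies the login rather than falling through. The function names, the length limit and the password table are all constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_LOGIN_LEN 32   /* assumed limit for this example */

/* Hypothetical check (not from the post): a remote login name must be
 * non-empty, of bounded length, made of portable user-name characters,
 * and must not begin with '-' (it will be placed on a command line).
 * A server that handed an empty name straight to login(1) without such
 * a check is the sort of sloppiness the post complains about. */
bool valid_login_name(const char *name)
{
    size_t n, i;
    if (name == NULL)
        return false;
    n = strlen(name);
    if (n == 0 || n > MAX_LOGIN_LEN)
        return false;
    if (name[0] == '-')
        return false;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return false;
    }
    return true;
}

/* Constructed stand-in for /etc/passwd: who exists and who may log in. */
struct account {
    const char *name;
    bool login_allowed;
};

static const struct account table[] = {
    { "gwyn",   true  },
    { "peter",  true  },
    { "daemon", false },   /* system account, interactive login disabled */
};

/* Fail closed: an invalid or unknown name is denied; a known name is
 * admitted only if the account is flagged as allowed. */
bool authorize_remote_login(const char *name)
{
    size_t i;
    if (!valid_login_name(name))
        return false;
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].name, name) == 0)
            return table[i].login_allowed;
    }
    return false;
}
```

The point is the ordering: validation first, then a lookup whose failure means "no", so that an empty or malformed name can never reach the privileged part of the login path.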

The REAL problem is that too many people just do not care about
security, probably because they don't understand how it affects
them.


