
Hideous uucp security hole


ucbvax!unix-wizards

Dec 26, 1981, 9:37:24 PM
>From decvax!yale-comix!ima!johnl@Berkeley Sun Dec 27 02:24:41 1981
There is a bug in the 4.0 and 4.1 BSD uucp and probably in other versions
that allows malicious users to execute any command remotely whether or
not the remote system nominally allows it.

The problem is that uuxqt, the program that actually executes remote
commands, fails to check for "&" characters in the command line, so that
any command can follow an "&" and be executed. Malicious users can
explicitly invoke the shell and run arbitrary sequences of commands.
They can also execute uucp remotely and so masquerade as other users and
systems.

The fix to disallow commands with "&" is fairly simple. In uuxqt.c, add
the following:

    while ((ptr = getprm(ptr, prm)) != NULL) {
        if (prm[0] == ';' || prm[0] == '^'
          || prm[0] == '|') {
            xcmd[0] = '\0';
            APPCMD(prm);
            continue;
        }
        /******* begin new code *******/
        /* this is about line 150 */
        if(prm[0] == '&') {
            cmdnok++;
            break;
        }
        /******* end of new code *******/
        if ((cmdnok = cmdok(xcmd, prm)) != 0)
            /* command not valid */
            break;

In getprm.c, near line 30 change:
    || *s == ';') {
to
    || *s == ';' || *s == '&') {

I'm amazed this hasn't been picked up before.
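
A small stand-alone model of the check described above, added here as an illustration; it is not part of the original post and is not taken from the uucp sources. The names request_ok, cmd_allowed and is_sep and the allow-list contents are hypothetical: each command name that follows a separator is checked against the allow-list, and a "&" anywhere refuses the whole request.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical allow-list standing in for the site's permitted commands. */
static const char *allowed[] = { "rmail", "rnews", NULL };

/* Separators named in the post; '&' is the one the old check missed.
 * This is not a complete shell-metacharacter filter. */
static int is_sep(char c)
{
    return c == ';' || c == '^' || c == '|' || c == '&';
}

static int cmd_allowed(const char *word, size_t len)
{
    for (int i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == len && strncmp(allowed[i], word, len) == 0)
            return 1;
    return 0;
}

/* Return 1 if the request may run, 0 if refused. The first word after each
 * separator must be on the allow-list; any '&' refuses the whole request. */
int request_ok(const char *line)
{
    int want_cmd = 1;               /* next word is a command name */
    const char *p = line;
    while (*p != '\0') {
        if (*p == ' ' || *p == '\t') { p++; continue; }
        if (*p == '&') return 0;
        if (is_sep(*p)) { want_cmd = 1; p++; continue; }
        size_t len = 0;             /* measure the word starting at p */
        while (p[len] != '\0' && p[len] != ' ' && p[len] != '\t' && !is_sep(p[len]))
            len++;
        if (want_cmd && !cmd_allowed(p, len))
            return 0;
        want_cmd = 0;
        p += len;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample request lines. */
    const char *samples[] = { "rmail user", "rmail user & sh", "rmail a | rnews", "rmail a ; sh" };
    for (int i = 0; i < 4; i++)
        printf("%-18s -> %s\n", samples[i], request_ok(samples[i]) ? "run" : "refuse");
    return 0;
}
```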
