You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long. 13 KiB

3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
  1. In October 1998 redbrick ran into two major problems. The first problem
  2. was the loss of one of its best admins, plop. This was solved by
  3. co-opting John Bolger as sysadmin while an EGM was pending. This would
  4. allow redbrick to continue offering services during the busiest time of
  5. the year when new freshers join the society.
  6. The second problem was a huge increases in the incidents of \"screen
  7. bombing\". To solve this problem, a change was made to write to allow
  8. logging of the length of all messages sent using write. This would
  9. provide an audit trail for abuse, without compromising the privacy of
  10. user\'s write messages.
  11. The write patch was written by grimnar, and installed after some minimal
  12. testing by John Bolger. This minimalist testing proved to be a big
  13. mistake, as the testing missed a dangerous security flaw in the write
  14. patch. This flawed patch was installed on the live system on October
  15. 21st, 1998
  16. On October 22nd, plop discovered this flaw and left an easy exploit in
  17. /tmp and posted about it on the redbrick newsgroups. The admins or the
  18. author of the patch were never directly informed that the security flaw
  19. existed, or where it was.
  20. After an unexplained system crash on the evening of October 22nd
  21. <em>citation needed</em>, John retrieved the source code for the exploit
  22. from plop\'s home directory, without permission of either the committee
  23. or plop himself.
  24. Almost immediately all hell broke lose. Plop made an official complaint
  25. about breach of privacy, and posted notice of what happened to every
  26. newsgroup and to every member. The next morning John stepped down as
  27. co-opted admin, pending an inquiry into what happened and a vote from
  28. the membership if he was right or wrong. A committee meeting ruled that
  29. plop should be disusered for 110 days, which eventually led to a
  30. complaint to the SPC. In the end both John and plop apologised to each
  31. other in public on the news group system.
  32. The fallout of the plop incident is still felt today. John has never
  33. gone back to full time redbrick admin, having resigned only weeks after
  34. the incident. The underlying concerns about security, privacy and the
  35. rights of users privacy and the need for admins to access a users home
  36. directory, while often discussed, have never been resolved.
  37. Sadly, newsgroup postings from the time were not saved. However
  38. \~x/kmail shows a small number of the mails which were exchanged at the
  39. time. The exploit used can be found in \~x/bin/smoo
  40. x
  41. ### Plop\'s Comments
  42. I don\'t believe there was a system crash that day. I suspect that John
  43. Bolger was embarassed that I posted an exploit on the redbrick
  44. newsgroups for code he reviewed (which is relatively harmless, write is
  45. a program with few privileges). The root exploit I used to catch John
  46. Bolger going through my files was in a chsh tool written by redbrick
  47. admin (and frequent poster on secure programming) John Looney. He had a
  48. habit of using the system() function to run commands from suid programs,
  49. which was susceptible to an IFS exploit on the version of solaris
  50. redbrick ran at the time.
  51. [Plop](/User:Plop "wikilink")
  52. ===============================================================================
  53. The Events of October 22nd as we, the committee, see them.
  54. ===============================================================================
  55. Due to the fact that a lot of \"screen bombings\" have been taking place
  56. among new members this year, a logging system was needed in order to
  57. identify those members responsible. This logging facility was already in
  58. place on Nurse (one of the other redbrick machines), but when the new
  59. machine (Mother) was introduced, this was overlooked. Basically,
  60. whenever anybody is screen bombed a message shows up in a log which says
  61. something to the effect of
  62. \"possible screen-bomb from userx to usery on 22nd Oct at 19:30\"
  63. This enables us to catch out the culprits, and deal with them, so that
  64. nobody gets tormented by complete garble flying up their screen. The
  65. admins set about modifying the \"write\" program, so that this logging
  66. facility could be incorporated. The program was modified, and the older
  67. version replaced with the newer one. Unfortunately, there was a bug in
  68. this program. It enabled any user who took advantage of said bug, to set
  69. their GID to tty, and hence have the ability to write anything they
  70. wanted, to anyone\'s terminals, without the victim knowing who it was
  71. that had wrote to their screen. It should be pointed out that the admins
  72. were not aware of this bug at the time, and the program was deemed fit
  73. for use.
  74. At some stage this week, the bug was discovered, by the user pooka. In a
  75. message on the newsgroup system, pooka made reference to some stack
  76. overflow problems in the write program, and said nothing more. Plop went
  77. and found said bugs, and wrote an exploit for them. For those of you who
  78. don\'t know, and exploit is a program written, which takes advantage of
  79. a bug in another piece of code, and when run, will usually drop the user
  80. into an SUID shell, or something similar. We\'re not here to debate
  81. morals, but suffice to say it would have been appropriate for plop to
  82. then come to the redbrick admins, and point out the flaws in the write
  83. program, as well as detailing how they could be fixed, so that no one
  84. can take advantage and make life a misery for everyone else. Instead of
  85. doing that, plop copied the exploit into the /tmp directory and made it
  86. world executable. Again for new members, this means that anyone who
  87. wants, can run this program, and gain full write access to anybody\'s
  88. terminal on the system. Not only did he put the program there, but he
  89. then went on to post an article on the newsgroup system, telling all the
  90. members who read the groups, that an exploit to the write bug had been
  91. written, and was freely available to execute for anyone who wished to
  92. try it out. A copy of this posting is available for anyone who wishes to
  93. read it.
  94. If we look at this situation for a moment, we can see that a user had
  95. written a program which enabled any user to gain priveleges on redbrick
  96. which they weren\'t entitled to, and informed the members about it. This
  97. is not on.
  98. I (spock) was made aware of this exploit, when I was heyed last night by
  99. the user \"root\". Root was not logged on. I heyed plop, assuming it was
  100. him, and told him that I wasn\'t aware he had root access any more,
  101. considering that he was no longer an admin. He heyed me back, and said
  102. something to the effect of him testing out the bug in the write program.
  103. I then talked to spinal, who was co-opted as an admin until the EGM
  104. takes place, about the whole situation. We agreed that the old write
  105. program should be restored, and the exploit that plop had written should
  106. be deleted so that no users could take advantage of it.
  107. The rules of the university which would be broken by running that
  108. program are as follows (taken from
  109. <>):
  110. \"It is expressly forbidden:
  111. * To seek or gain unauthorised access to systems or network resources
  112. <!-- -->
  113. * To impersonate or send email messages whose header fields have in
  114. any way been altered or where the message appears to originate from
  115. someone or somewhere else is in all cases regarded as an extremely
  116. serious offence and subject to disciplinary action up to expulsion
  117. from the university.\"
  118. About ten minutes after this, I received a hey from plop, which said
  119. something to the effect of (I didn\'t cut and paste it), \"John Bolger
  120. has been looking around in my account, I would like to make an official
  121. complaint\". To which I replied (as is now well documented) : \"nothing
  122. on this machine is guaranteed to be private\". This is a simple fact. It
  123. does NOT mean, however, that the committee spend their days rooting
  124. through people\'s private files and mail, because that is NOT done, and
  125. any committee member doing so would immediately be expelled from the
  126. committee. As an aside, this morning I already had many a bewildered
  127. fresher heying me wondering why we read their mail. WE DO NOT READ YOUR
  128. MAIL. He then heyed back something to the effect of \"you don\'t want to
  129. take that line with me\", to which I responded something to the effect
  130. of \"I do actually\", since I wanted the problem resolved. Then there
  131. was silence.
  132. Approximately fifteen minutes later, another user made me aware of the
  133. fact that every member of the society had just received a mail from
  134. plop, giving his side of the story. At the same time, the same mail was
  135. posted on every single news group on the system. There\'s no point in
  136. quoting the mail, it\'s available for you all to read in your own
  137. mailbox.
  138. One thing I should perhaps point out however, is plop\'s prompt:
  139. {9}(\~spinal/xxx)\# ls \<plop@Mother ZSH emacs
  140. as you can see there is a hash mark \"\#\" at the end of his prompt,
  141. which is usually indicative of a root shell. Plop is no longer an
  142. administrator, he has no right to root access. This might mean that plop
  143. exploited root through some other means, and this is what enabled him to
  144. look through john bolger\'s directory, some might rightly point out the
  145. hypocrisy here.
  146. Once this had happened, I talked to John Bolger, who denied copying all
  147. of plop\'s files into his home directory. He said that all he was doing
  148. was looking at the write.c program which was in plop\'s directory, and
  149. as far as he was aware, he did not copy anything else out. It has since
  150. come to light that it is quite possible that john did copy an entire
  151. directory of plop\'s out and into his own, but all he was concerned with
  152. was the exploit in question.
  153. It should be pointed out, that when a user does anything which breaches
  154. the rules of the society, or attempts to gain priveleges on the society
  155. machines, the administrators are permitted to run checks on the users
  156. directory, in order to determine the extent to which the user had broken
  157. the rules in the past, or their intention to break rules in the future.
  158. This involves looking through the users directory, and checking for
  159. suspicious looking files. This is where the privacy barrier is broken.
  160. The only way in which the privacy barrier is broken, is if the rules of
  161. the society are broken. It is plain to see that 99.99% of members should
  162. never have any worries about this, as long as they keep in check with
  163. the rules ( If you don\'t break
  164. the rules, your privacy won\'t be broken, it\'s as simple as that.
  165. In light of these facts, john bolger did nothing wrong in checking
  166. plop\'s directory. In fact, it was done for your protection. Picture the
  167. scenario, a user breaks the rules, he/she is disusered for doing so.
  168. Their home directory ISN\'T checked for further exploits. They are
  169. reusered having served their time, and they run another exploit on the
  170. machine, which was in their home directory. The exploit could perhaps
  171. give them root access. At this point, they go into YOUR mailbox, and
  172. start reading YOUR mail. This is malicious, and it could happen. This is
  173. why measures are in place to try and prevent exactly this scenario, and
  174. it has been successful so far as we are aware.
  175. To summarise:
  176. * by exploiting the bug in the write program, and making the exploit
  177. publically available, plop broke the rules.
  178. * by mass mailing every body without the prior consent of the
  179. committee, plop broke the rules.
  180. * Nothing has been accomplished here, other than a lot of users,
  181. getting very worried over nothing.
  182. * We do not read your mail, enter your directory, or look through your
  183. files, but we DO try to ensure that nobody else does either.
  184. We are not the bad guys, we are here to serve you, to educate you, and
  185. to give you a good time along the way. If that means disusering people
  186. who break the rules, so be it. If it means breaking the privacy of
  187. people who break the rules, so be it.
  188. This was plop\'s second offence since he joined the society. He has been
  189. disusered for 110 days (the first day of second semester). We don\'t
  190. like when this kind of thing happens, but the other 1050 members must
  191. come first (yes, we broke the 1000 barrier (!), fast approaching 1100).
  192. Plop, of course, has every right to appeal the disuserment, and the
  193. committee are open to listening to his story.
  194. I hope this finishes the argument, but I already have visions of
  195. hundreds of postings on the newsgroups for at least the next week. Kind
  196. of takes me back to first year, when plop posted something similar on
  197. the old BBS, telling everybody that the committee were able to read your
  198. mail, and look through your files. It\'s an old argument, but seeing as
  199. some people simply don\'t seem to understand it I\'ll reiterate for the
  200. last time, we do not read your mail or look through your files.
  201. Hope to see you all in Break for the Border on wednesday! :)
  202. Jon. DCUNS Secretary.
  203. Originally from the [Encyclopedia](/Encyclopedia "wikilink")
  204. [Category:Encyclopedia](/Category:Encyclopedia "wikilink")