Re: Crackers and Worms


Paul Vixie (vixie@decwrl.dec.com)
13 Nov 88 03:42:43 GMT


In article <3380@emory.uucp> arnold@emory.UUCP (Arnold D. Robbins {EUCC}) writes:
# In article <44440@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:
# >I have not been able to find ONE person who claims to
# >have known that sendmail compiled with DEBUG on would have allowed
# >anyone with SMTP access to run an arbitrary program on their machine.
#
# Didn't Paul Vixie say he knew it? If not, I apologize in advance.

Yes, Paul Vixie did indeed say that he knew it. Rick Adams and I exchanged
some mail about this, and he pointed out basically that if I knew this was
possible but didn't recognize it as a security hole, the knowledge was
pretty much useless.

At the time I was first digging into sendmail, some time in 1986, I was not
at all sure what it was all for, what it all meant, and whether I understood
any single part of it. (This seems normal among sendmail proto-hackers :-)).
When I discovered all the various functional changes you could make in debug
mode, I assumed that there was a good reason for all of them and I dutifully
ported and patched and debugged the complete program, with all holes intact.
Even when I found what I thought was a bug, I tried very hard to re-understand
intention and implementation, on the constant assumption that it was supposed
to be the way it was, all details included.

I know better today, of course. If I had had occasion to poke into sendmail
three weeks ago and notice that
      if (a->q_alias == NULL && !tTd(0, 1) && !QueueRun && !ForceMail)
                             ^^^^^^^^^^^^^
in recipient() in recipient.c, you may safely bet your a** that I'd send off
some mail to Berkeley. I now feel (somewhat arrogantly, I'm sure!) that I
know what's intended in 90% of the sendmail code.

This points up an interesting dynamic of publicly available source code. If
the only people who are studying it carefully are those still wet behind their
ears, and these people lack the overall knowledge and confidence to question
what they see, we may all be in a heap of trouble. I hope we'll all learn to
be a little bit nicer to the next person who asks a "stupid" question...

--
Paul Vixie
Work:	 vixie@decwrl.dec.com	 decwrl!vixie	 +1 415	853 6600
Play:	 paul@vixie.sf.ca.us	 vixie!paul	 +1 415	864 7013



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT