any per-user CPU time quotas. With a per-user process limit set at 50, those 50 processes from the attacking user will quickly swamp the computer and stop all useful work on the system.)

System Usage Is Not Monitored

Ever have a Unix computer inexplicably slow down? You complain to the resident Unix guru (assuming you haven’t been jaded enough to accept this behavior), he’ll type some magic commands, then issue some cryptic statement such as: “Sendmail ran away. I had to kill it. Things should be fine now.”

Sendmail ran away? He’s got to be kidding, you think. Sadly, though, he’s not. Unix doesn’t always wait for an attack of the type described above; sometimes it launches one itself, like firemen who set fires during the slow season. Sendmail is among the worst offenders: sometimes, for no reason at all, a sendmail process will begin consuming large amounts of CPU time. The only action that a hapless sysadmin can take is to kill the offending process and hope for better “luck” the next time.

Not exciting enough? Well, thanks to the design of the Unix network system, you can paralyze any Unix computer on the network by remote control, without even logging in. Simply write a program to open 50 connections to the sendmail daemon on a remote computer and send random garbage down these pipes. Users of the remote machine will experience a sudden, unexplained slowdown. If the random data cause the remote sendmail program to crash and dump core, the target machine will run even slower.

Disk Overload

Another attack brings Unix to its knees without even using up the CPU, thanks to Unix’s primitive approach to disk and network activity. It’s easy: just start four or five find jobs streaming through the file system with the command:

    % repeat 4 find / -exec wc {} \;

Each find process reads the contents of every readable file on the file system, which flushes all of the operating system’s disk buffers. Almost immediately, Unix grinds to a halt. It’s simple, neat, and there is no effective prophylactic against users who get their jollies in strange ways.
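Both conditions described above, a sendmail process that has “run away” and a single user filling a 50-process quota, are visible in ordinary ps output. The following is an added example, not from the book: a shell/awk check run over constructed sample data. The column layout (that of ps -eo user,pid,pcpu,time,comm) and the two CPU thresholds are assumptions.

```shell
#!/bin/sh
# Added example: flag runaway processes and users close to a per-user process limit.
# Assumed input: output of `ps -eo user,pid,pcpu,time,comm`
# (columns USER PID %CPU TIME COMMAND, with TIME as [dd-]hh:mm:ss).
PROC_LIMIT=50      # per-user process limit quoted in the text
CPU_PCT_MAX=80     # assumed threshold: current %CPU
CPU_SECS_MAX=600   # assumed threshold: cumulative CPU seconds

# Constructed sample data standing in for live ps output.
sample_ps() {
  echo "USER PID %CPU TIME COMMAND"
  echo "root 1 0.0 00:00:03 init"
  echo "root 214 97.3 01:42:10 sendmail"   # hot now AND hot for a long time
  echo "alice 880 85.0 00:00:12 cc"        # hot, but only briefly (a compile)
  echo "bob 901 1.2 1-02:00:00 emacs"      # long-lived, but idle
  i=0
  while [ "$i" -lt 48 ]; do                # one user holding 48 processes
    echo "mallory $((1000 + i)) 2.0 00:00:01 sh"
    i=$((i + 1))
  done
}

# Reads ps output on stdin; prints one RUNAWAY or PROCLIMIT line per finding.
usage_report() {
  awk -v limit="$PROC_LIMIT" -v pct="$CPU_PCT_MAX" -v secs="$CPU_SECS_MAX" '
    function to_secs(t,   d, n, p, i, s) {   # [dd-]hh:mm:ss -> seconds
      d = 0
      if (index(t, "-")) { split(t, p, "-"); d = p[1]; t = p[2] }
      n = split(t, p, ":"); s = 0
      for (i = 1; i <= n; i++) s = s * 60 + p[i]
      return d * 86400 + s
    }
    NR == 1 { next }                         # skip the header row
    {
      count[$1]++
      if ($3 + 0 >= pct && to_secs($4) >= secs)
        printf "RUNAWAY pid=%s user=%s cmd=%s cpu=%s%% time=%s\n", $2, $1, $5, $3, $4
    }
    END {                                    # users at 90% or more of the limit
      for (u in count)
        if (count[u] >= limit * 0.9)
          printf "PROCLIMIT user=%s procs=%d limit=%d\n", u, count[u], limit
    }'
}

sample_ps | usage_report
```

Requiring both a high current %CPU and a large cumulative CPU time keeps short compiles and long-lived idle editors out of the report.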
The Worms Crawl In

In November 1988, an electronic parasite (a “worm”) disabled thousands of workstations and super-minicomputers across the United States. The worm attacked through a wide-area computer network called the Internet. News reports placed the blame for the so-called “Internet Worm” squarely on the shoulders of a single Cornell University graduate student, Robert T. Morris. Releasing the worm was something between a prank and a wide-scale experiment. A jury found him guilty of writing a computer program that would “attack” systems on the network and “steal” passwords.

But the real criminal of the “Internet Worm” episode wasn’t Robert Morris, but years of neglect of computer security issues by authors and vendors of the Unix operating system. Morris’s worm attacked not by cunning, stealth, or sleuth, but by exploiting two well-known bugs in the Unix operating system—bugs that inherently resulted from Unix’s very design. Morris’s program wasn’t an “Internet Worm.” After all, it left alone all Internet machines running VMS, ITS, Apollo/Domain, TOPS-20, or Genera. It was strictly and purely a Unix worm.

One of the network programs, sendmail, was distributed by Sun Microsystems and Digital Equipment Corporation with a special command called DEBUG. Any person connecting to a sendmail program over the network and issuing a DEBUG command could convince the sendmail program to spawn a subshell.

The Morris worm also exploited a bug in the finger program. By sending bogus information to the finger server, fingerd, it forced the computer to execute a series of commands that eventually created a subshell. If the finger server had been unable to spawn subshells, the Morris worm would have crashed the Finger program, but it would not have created a security-breaking subshell.
Date: Tue, 15 Nov 88 13:30 EST
From: Richard Mlynarik mly@ai.mit.edu
To: UNIX-HATERS
Subject: The Chernobyl of operating systems

[I bet more ‘valuable research time’ is being ‘lost’ by the randoms flaming about the sendmail worm than was ‘lost’ due to worm-invasion. All those computer science ‘researchers’ do in any case is write increasingly sophisticated screen-savers or read netnews.]

Date: 11 Nov 88 15:27 GMT+0100