
Conference noted::hackers_v1

Title:-={ H A C K E R S }=-
Notice:Write locked - see NOTED::HACKERS
Moderator:DIEHRD::MORRIS
Created:Thu Feb 20 1986
Last Modified:Mon Aug 03 1992
Last Successful Update:Fri Jun 06 1997
Number of topics:680
Total number of notes:5456

244.0. "PHONE revisited" by GAOV08::MAGIC (Conor Moran) Tue May 20 1986 12:09

Hi all - 

	This should really be entered as a reply to topic #36 (Hacking
	the phone protocol) but then who reads stuff that far back ??
	
	I'm new to DEC (in fact I still have a year to do at college)
	so hacking is very dear to my heart.  Naturally at college we
	didn't have any access to VMS sources or manuals but we did our
	best. We did quite a lot of hacking on the PHONE but as we didn't
	know (much) about servers or network objects and the like, all
	hacks to phone were done via the individual mailboxes PHN$USERNAME
	etc. and didn't work across the net. What I would like to know is..


	1) Is it possible to access the mbx of a user on a different 
	   node with only TMPMBX priv ?

	2) Is Phone-tapping possible via the net objects ? (We were 
	   successful in writing hacks to listen in on conversations
	   on a single node by using QIO's to intercept and re-xmit chars
	   being sent between the mailboxes without the individuals
	   concerned knowing about it.)
 
<CFM>
244.1. "Note #215.4 Tells All!" by VAXUUM::DYER (Iceberg or volcano?) Wed May 21 1986 09:28 (3 lines)
	    I see you've already noticed Topic #215.  What more do
	you need?
			<_Jym_>
244.2. "Does it ?" by GAOV08::MAGIC (Conor Moran) Wed May 21 1986 16:35 (18 lines)
< Note 244.1 by VAXUUM::DYER "Iceberg or volcano?" >
                          -< Note #215.4 Tells All! >-

	    I see you've already noticed Topic #215.  What more do
	you need?
			<_Jym_>

	Re .1 : 
	True, that summary of the protocol is quite informative. However,
	I wonder does it tell the full story ? I know for a fact that 
	there is a code to send text directly into the input buffer of
	somebody using PHONE so that it appears as if they themselves
	had typed it. Using this code, it was possible to get the person
	to execute any phone command (Help, Fac, Dial etc.). One hack
	used this to do the same as CONNECT.COM in #36 but with a much
	wider range of commands. 

<CFM>
244.3. "more serious possibilities ..." by OFFPLS::DUPONT2 Wed Jun 04 1986 17:22 (15 lines)
	It seems to me that the PHONE protocol in its current form makes it
possible to imbed ESCAPE SEQUENCES in the message being sent, a la BOTHER.COM
or SEND_MESSAGE.COM from earlier notes.  

	This opens up serious cracking possibilities, as well as harmless fun,
since it permits the classic escape sequence hacks to be used to re-program 
another user's terminal (such as to force answerback, etc.).

	Assuming that there are other fascist paranoid sysops out there 
(besides me) who worry about such things, has anyone come up with a
good way to put some measure of control on this, without actually removing 
PHONE access ?   How about tracing the source of the messages, for
a posteriori crackdown ?   Anyone know of plans by the developers to make
the PHONE and MAIL protocols more secure and more difficult to obtain
documentation for ?
244.4. "Possible solutions ?" by GAOV08::MAGIC (Conor Moran) Thu Jun 05 1986 08:21 (19 lines)
	It seems to me that the problem with both PHONE and MAIL is
	that when a user sends a message, the username has to be sent
	along with it. It is this fact that makes the hacks in topics 
	36 and 39 possible. In both cases it is a modified username 
	which does the damage. What would be needed therefore is for
	the PHONE and MAIL servers to

	   a) Find out for themselves who is sending the message

	   b) Remove ALL escape/control sequences, not just in the 
	      actual text, but in the from/to/subject fields in MAIL
	      and also in any broadcasts.

	   c) The logical names used by PHONE should not be in the 
	      system logical name table. Instead they should be
	      somewhere ONLY a prived image can put/access them.

<CFM>
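As an added example (not code from the notes above, and not VMS PHONE/MAIL code), here is what the filtering proposed in b) of .4 and the tracing asked about in .3 look like in Python: a sanitizer that strips VT-style escape and control sequences from the from/to/subject fields and body of a message, and returns what it removed so the server can log which sender's message carried them. The field names and the sample message are constructed for the example.

```python
import re

# VT-style control sequences, in 7-bit (ESC-introduced) and 8-bit (C1) forms:
#   CSI  ESC [ params intermediates final   (or 0x9B ...)
#   OSC  ESC ] text BEL-or-ST               (or 0x9D ...)
#   DCS/SOS/PM/APC strings ended by ST (ESC \ or 0x9C), and 2-byte ESC x forms.
_CSI = r"(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
_OSC = r"(?:\x1b\]|\x9d)[^\x07\x9c]*?(?:\x07|\x1b\\|\x9c)"
_STR = r"(?:\x1b[PX^_]|[\x90\x98\x9e\x9f])[^\x9c]*?(?:\x1b\\|\x9c)"
_ESC2 = r"\x1b[\x20-\x2f]*[\x30-\x7e]"
# Any remaining C0/C1 control byte (a bare ESC included); TAB and LF are kept.
_CTRL = r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"
_ESCAPE_RE = re.compile("|".join([_CSI, _OSC, _STR, _ESC2, _CTRL]))

# Displayable fields a PHONE/MAIL-style server would filter (assumed names).
FILTERED_FIELDS = ("from", "to", "subject", "text")


def find_escapes(value: str) -> list[str]:
    """Return every escape/control sequence in VALUE, in order, for logging."""
    return _ESCAPE_RE.findall(value)


def sanitize_field(value: str) -> str:
    """Return VALUE with all escape/control sequences removed (TAB and LF kept)."""
    return _ESCAPE_RE.sub("", value)


def sanitize_message(msg: dict) -> tuple[dict, dict]:
    """Filter MSG's displayable fields; return (clean, findings) where
    FINDINGS maps each offending field to the raw sequences it carried,
    so the server can log which sender's message contained them."""
    clean, findings = dict(msg), {}
    for field in FILTERED_FIELDS:
        if field in msg:
            hits = find_escapes(msg[field])
            if hits:
                findings[field] = hits
            clean[field] = sanitize_field(msg[field])
    return clean, findings


# Constructed sample: a username with a clear-screen sequence appended, an
# 8-bit CSI in the subject, and a BEL plus an OSC string in the body.
SAMPLE = {
    "from": "GAOV08::MORAN\x1b[2J\x1b[H",
    "to": "VAXUUM::DYER",
    "subject": "Hi\x9b1mthere",
    "text": "Line one\nLine\ttwo\x07\x1b]0;title\x07",
}
```

Running `sanitize_message(SAMPLE)` yields the message with only plain text left in every field, plus a findings map naming the from, subject and text fields as the ones that carried sequences.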
244.5. "The nature of the beast" by TUNDRA::HARRIMAN Mon Jul 28 1986 15:19 (28 lines)
    
    re .4
    
    As any of you old TOPS-20 hackers may remember (You there, Jym?)
    even the completely different ways that TOPS-20 did mail and the
    equivalent of PHONE were hackable.
    
    MAIL (actually MS or MM) on TOPS-20 was "served" by MAILER (probably
    still is...) and we had hacks that would do essentially the same
    thing to fool it via IPC (InterProcess Communication) that we were
    sending it mail. Also we could fool MS just by making a bogus message
    in the right format (shades of the present wave of VMSMAIL hacks).
    
    This is unfortunate but cannot be avoided except by radical changes
    to the way the mailer and PHONE work. You can't just say "well change
    the protocol so any user can't hack at it". The real "problem" is
    that the overhead associated with having every single MAIL link
    check back to its caller, or every single phone packet get traced
    back over the network would be really bad for the network. 
    
    Even though it's bad for security, there are much worse things that
    can be done thru DECnet, and besides it's only the hackers who do
    that stuff anyway!
    
    Regards to all you hackers
    
    /pjh
    
244.6. "Fool me once..." by GALLO::RASPUZZI (Michael Raspuzzi) Mon Jul 28 1986 18:07 (20 lines)
    
    re .5:
    
    TOPS-20 MS is now served by MX and no longer by MAILER. MX (Mail
    eXchange) handles all incoming and outgoing mail. Even though
    the communication for local mail is through IPCF, you cannot
    hack anything without privs and masquerade where the message
    came from. This is true because ORION (the PID manager and IPCF
    message guy) takes care of letting MX know where this IPCF message
    is coming from. Unless you can masquerade as ORION (only one can
    run at a time on the system) then you cannot fake MX into believing
    you are someone else. Of course, network mail is different (good
    old mail-11 protocol can be hacked as we have seen).
    
    If you have privs, you can do some ENQ/DEQ magic and append a phony
    message to someone's mail file and twiddle the last writer word
    in the FDB to make it look like the mail came from someone else.
    The key word here is PRIVS (as in WHEEL or OPERATOR).
    
    Mike
244.7. "[RE .5]: I'm Here" by VAXUUM::DYER (Wage Peace) Wed Jul 30 1986 16:31 (0 lines)