security hole in swais, FYI
jcurran at nnsc.nsf.net
Tue Sep 1 14:38:12 UTC 1992
--------
] From: Marten Terpstra <Marten.Terpstra at ripe.net>
] Subject: Re: security hole in swais, FYI
] Date: Tue, 01 Sep 92 15:46:22 +0200
]
]
] Hi all,
]
] Mark Kosters from GSI notified us of the problem. Using swais you can pipe
] the output of a search into any command. You can do this by typing 'c' or '|'
] on the output of a search.
]
] Since we are running swais as a public service for people without their own
] wais client this can be quite harmful. Mark demonstrated that he could start
] a shell, list /etc/passwd and so on.
]
] We are running swais under userID nobody, so too much harm cannot be done,
] but still, we decided to disable the 'c' and '|' keys as commands.
] We are running the thing without a chroot though.
]
] The offending parts can be found in screen_ui.c. This is however with
] wais-8-b4, don't know about b5.
]
] Commenting out:
]
]     case '|' : ;
]     case 'c' : pipe_command(question);
]                state=UNKNOWN;
]                return(SHOWRESULTS);
]
] in screen_ui.c does the trick, as far as we can see.
] It would be nice if there was a compile time option to switch to swais in
] "safe" mode, like some pagers have.
]
] Also if you are offering this as a public service, make sure that the pipe
] commands and shell escapes in the pager swais uses are disabled ...

This is *not* a safe method for offering anonymous "wais" service. Both
NNSC.NSF.NET and QUAKE.THINK.COM are running it under a "chroot" file system
thereby preventing access to any files not explicitly placed in the wais
user directory.

SWAIS was never intended to be run as an interactive service (if it were, I
would have certainly designed it differently). Instead, it is designed to
be run as yet another WAIS client, under a validated user name. Making it
available via telnet is something that we did to develop interest in WAIS.

Please do not set up an anonymous wais account to run it unless you provide
it with a restricted filesystem. Not only do the pipe and pager commands
pose a threat, but it is also possible for folks to use the source routines
to access files.

If you need details on how to set up a separate filesystem for providing
anonymous wais service, send mail to "nnsc at nnsc.nsf.net".

John Curran
NSF Network Service Center
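The thread above describes two mitigations: deleting the '|' and 'c' cases from screen_ui.c, and Marten's wish for a compile-time "safe mode" like the one some pagers offer. The following is an added example (not swais source, and not code from either poster) of what such a guard could look like: a small key dispatcher whose shell-escape keys are refused when the build is compiled in safe mode. The names `dispatch_key`, `dispatch_key_default`, `SWAIS_SAFE_MODE` and the `action` enum are assumptions introduced for the illustration; the pipe action is only reported, never executed here.

```c
/* Added example, not part of swais: a screen-UI key dispatcher with a
 * compile-time safe mode that refuses shell-escape keys ('|' and 'c').
 * All identifiers here are hypothetical. */
#include <stdio.h>

#ifndef SWAIS_SAFE_MODE
#define SWAIS_SAFE_MODE 1   /* default to the restricted build; -DSWAIS_SAFE_MODE=0 re-enables escapes */
#endif

enum action {
    ACT_SHOWRESULTS,  /* redraw the result screen */
    ACT_PIPE,         /* caller may hand the result to pipe_command() */
    ACT_SEARCH,       /* start a new search */
    ACT_QUIT,
    ACT_DENIED,       /* shell-escape key refused by safe mode */
    ACT_UNKNOWN
};

/* Map one keystroke to an action.  safe_mode is a parameter so that both
 * the restricted and unrestricted behaviour can be exercised; the
 * compile-time default is applied by dispatch_key_default(). */
enum action dispatch_key(int key, int safe_mode)
{
    switch (key) {
    case '|':
    case 'c':
        /* The two keys the thread disables: in safe mode they never
         * reach the pipe logic, so there is no path to a subshell. */
        if (safe_mode) {
            fprintf(stderr, "swais: key '%c' disabled in safe mode\n", key);
            return ACT_DENIED;
        }
        return ACT_PIPE;
    case 's':
        return ACT_SEARCH;
    case 'q':
        return ACT_QUIT;
    case ' ':
    case '\n':
        return ACT_SHOWRESULTS;
    default:
        return ACT_UNKNOWN;
    }
}

/* Dispatch with the build's compile-time safe-mode setting. */
enum action dispatch_key_default(int key)
{
    return dispatch_key(key, SWAIS_SAFE_MODE);
}

int main(void)
{
    const char keys[] = "|csq";
    for (const char *p = keys; *p; p++)
        printf("key '%c' -> action %d\n", *p, dispatch_key_default((unsigned char)*p));
    return 0;
}
```

Building with the default (safe) setting makes the escape keys inert regardless of what the pager or pipe code would do with them; a site that wants the interactive behaviour for validated users compiles with the macro set to 0. Either way the guard sits in front of the dispatch rather than relying on every downstream command to be safe.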