security hole in swais, FYI

jcurran at nnsc.nsf.net
Tue Sep 1 14:38:12 UTC 1992


--------
] From: Marten Terpstra <Marten.Terpstra at ripe.net>
] Subject: Re: security hole in swais, FYI 
] Date: Tue, 01 Sep 92 15:46:22 +0200
]
] 
] Hi all,
]
] Mark Kosters from GSI notified us of the problem. Using swais you can pipe
] the output of a search into any command. You can do this by typing 'c' or '|'
] on the output of a search.
]
] Since we are running swais as a public service for people without their own
] wais client this can be quite harmful. Mark demonstrated that he could start
] a shell, list /etc/passwd and so on.
]
] We are running swais under userID nobody, so too much harm cannot be done,
] but still, we decided to disable the 'c' and '|' keys as commands.
] We are running the thing without a chroot though.
]
] The offending parts can be found in screen_ui.c. This is however with
] wais-8-b4, don't know about b5.
]
] Commenting out:
]
]             case '|'  : ;
]             case 'c'  : pipe_command(question);
]                       state=UNKNOWN;
]                       return(SHOWRESULTS);
]
] in screen_ui.c does the trick, as far as we can see.
] It would be nice if there was a compile time option to switch to swais in
] "safe" mode, like some pagers have.
]
] Also if you are offering this as a public service, make sure that the pipe
] commands and shell escapes in the pager swais uses are disabled ...

This is *not* a safe method for offering anonymous "wais" service.  Both 
NNSC.NSF.NET and QUAKE.THINK.COM are running it under a "chroot" file system
thereby preventing access to any files not explicitly placed in the wais
user directory.

SWAIS was never intended to be run as an interactive service (if it were, I
would have certainly designed it differently).  Instead, it is designed to 
be run as yet another WAIS client, under a validated user name.  Making it
available via telnet is something that we did to develop interest in WAIS.
Please do not set up an anonymous wais account to run it unless you provide
it with a restricted filesystem.  Not only do the pipe and pager commands 
pose a threat, but it is also possible for folks to use the source routines
to access files.

If you need details on how to set up a separate filesystem for providing
anonymous wais service, send mail to "nnsc at nnsc.nsf.net".

John Curran
NSF Network Service Center
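The restricted filesystem recommended above, as an added example that is not part of the original thread and not the NNSC recipe (which was only available by mail): a POSIX shell script that builds a minimal chroot tree for an anonymous wais login and checks it before it is exposed. The jail layout, the service user "wais", the /bin/swais login shell and the list of binaries copied in are assumptions; the point of check_jail is that a jail which still contains a shell, a setuid binary or the real /etc/passwd gives back exactly what the pipe and shell-escape keys were handing out.

```shell
#!/bin/sh
# Added example (not from the thread): build and vet a chroot jail for an
# anonymous swais login. All paths and names below are assumptions.
set -eu

# make_jail ROOT BIN... : create the tree and copy each BIN plus the shared
# libraries ldd reports into it. Deliberately no shell is copied: swais'
# '|' and 'c' keys hand the user's command to /bin/sh, so the jail must not
# contain one even if those keys are left enabled.
make_jail() {
    root=$1; shift
    mkdir -p "$root/bin" "$root/etc" "$root/tmp"
    chmod 1777 "$root/tmp"
    # Only the service user exists inside the jail; never copy the real passwd.
    printf 'wais:x:65534:65534:anonymous wais:/:/bin/swais\n' > "$root/etc/passwd"
    for bin in "$@"; do
        cp "$bin" "$root/bin/"
        # ldd prints "lib => /path (addr)" and bare "/path (addr)" lines;
        # copy every absolute path it names (no-op if ldd is unavailable).
        ldd "$bin" 2>/dev/null |
            awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
            while read -r lib; do
                mkdir -p "$root$(dirname "$lib")"
                cp "$lib" "$root$lib"
            done
    done
}

# check_jail ROOT : return 1 if the jail would still let a user escape the
# "anonymous wais" role: a shell to pipe into, a setuid/setgid binary, or a
# passwd file copied from the host.
check_jail() {
    root=$1
    rc=0
    for shpath in bin/sh bin/bash bin/csh bin/ksh usr/bin/sh; do
        if [ -e "$root/$shpath" ]; then
            echo "check_jail: shell present in jail: /$shpath" >&2
            rc=1
        fi
    done
    if [ -n "$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print)" ]; then
        echo "check_jail: setuid/setgid file inside jail" >&2
        rc=1
    fi
    if [ -e "$root/etc/passwd" ] && grep -q '^root:' "$root/etc/passwd"; then
        echo "check_jail: jail passwd contains host accounts" >&2
        rc=1
    fi
    return $rc
}

# Usage (as root, with a swais binary at hand; /bin/true stands in here):
#   make_jail /var/jail/wais /usr/local/bin/swais
#   check_jail /var/jail/wais && chroot /var/jail/wais /bin/swais
```

The chroot itself is not the whole story: keys that spawn a pager or pipe still run whatever binaries the jail holds, so keep the jail to the client and its libraries, and disable the '|' and 'c' keys in screen_ui.c as well, since the source routines can still read any file that is inside the jail.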