SNI-18 pre-discovered in June 1994

bukys@CS.ROCHESTER.EDU
Tue, 02 Sep 1997 15:44:41 -0400

Regarding the SNI-18 advisory of September 1, 1997:

It should have been fixed in June 1994. That's when I reported it
in a "closed" setting.

In May 1994 I reported to Sun Microsystems and CERT a bug in OLD
vacation code (still present in SunOS 4) -- it used popen() to send
mail, and didn't check for shell metacharacters in the address.
(SUN SO#1597536, CERT INFO#9883)

This did cause some activity among Unix vendors. Fortunately, their
recent releases at that time had already switched to using execl()
instead. (Note: I don't believe there has ever been a SunOS 4 patch
released for the popen() bug despite the security issue.)

At the end of that discussion, on June 1, 1994, I pointed out to Sun
and CERT the additional vulnerability to the "From: -C/whatever"
attack, and suggested that the word be spread to all Unix vendors.
Sadly, it didn't happen.

Sigh. What's wrong with this picture? (Don't answer, it's rhetorical.)

Liudvikas Bukys
University of Rochester
Computer Science Department
734 Computer Studies Building
Rochester, NY 14627-0226

tel# 716-275-7747
fax# 716-461-2018

<bukys@cs.rochester.edu>

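As an added illustration, not code from the message above or from any vendor's vacation program: the popen() pattern the message describes, shown only as a comment, beside a hardened reply routine that rejects addresses carrying shell metacharacters or a leading "-" (the "-C/whatever" case) and then execs the mailer directly without a shell. The mailer path /usr/lib/sendmail and the use of the "-oi" flag are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters that change meaning once an address is interpolated into a
 * shell command line, which is what the old popen()-based code did. */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[]#~";

/* Returns 1 if ADDR may be handed to the mailer as a recipient: non-empty,
 * printable, no shell metacharacters, and not starting with '-' so it can
 * never be parsed by sendmail as an option such as "-C/whatever". */
int safe_recipient(const char *addr)
{
    if (addr == NULL || *addr == '\0' || *addr == '-')
        return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isprint(c) || strchr(SHELL_META, c) != NULL)
            return 0;
    }
    return 1;
}

/* The vulnerable shape (illustrative, never call it): the address goes
 * through /bin/sh, so any metacharacter in it is interpreted by the shell.
 *   snprintf(cmd, sizeof cmd, "/usr/lib/sendmail %s", addr);
 *   popen(cmd, "w");
 */

/* Hardened form: validate first, then exec the mailer with an argv vector.
 * No shell is involved, and option-looking addresses were already refused.
 * Returns 0 on success, -1 on a rejected address or a process failure. */
int send_reply(const char *addr, const char *body)
{
    if (!safe_recipient(addr))
        return -1;
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: feed the body on stdin */
        dup2(fds[0], STDIN_FILENO); close(fds[0]); close(fds[1]);
        execl("/usr/lib/sendmail", "sendmail", "-oi", addr, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(fds[0]);
    FILE *out = fdopen(fds[1], "w");
    if (out) { fputs(body, out); fclose(out); } else close(fds[1]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```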