The Plop Incident

From RedBrick Wiki
Jump to: navigation, search

In October 1998 redbrick ran into two major problems. The first problem was the loss of one of its best admins, plop. This was solved by co-opting John Bolger as sysadmin while an EGM was pending. This would allow redbrick to continue offering services during the busiest time of the year when new freshers join the society.

The second problem was a huge increases in the incidents of "screen bombing". To solve this problem, a change was made to write to allow logging of the length of all messages sent using write. This would provide an audit trail for abuse, without compromising the privacy of user's write messages.

The write patch was written by grimnar, and installed after some minimal testing by John Bolger. This minimalist testing proved to be a big mistake, as the testing missed a dangerous security flaw in the write patch. This flawed patch was installed on the live system on October 21st, 1998

On October 22nd, plop discovered this flaw and left an easy exploit in /tmp and posted about it on the redbrick newsgroups. The admins or the author of the patch were never directly informed that the security flaw existed, or where it was.

After an unexplained system crash on the evening of October 22nd citation needed, John retrieved the source code for the exploit from plop's home directory, without permission of either the committee or plop himself.

Almost immediately all hell broke lose. Plop made an official complaint about breach of privacy, and posted notice of what happened to every newsgroup and to every member. The next morning John stepped down as co-opted admin, pending an inquiry into what happened and a vote from the membership if he was right or wrong. A committee meeting ruled that plop should be disusered for 110 days, which eventually led to a complaint to the SPC. In the end both John and plop apologised to each other in public on the news group system.

The fallout of the plop incident is still felt today. John has never gone back to full time redbrick admin, having resigned only weeks after the incident. The underlying concerns about security, privacy and the rights of users privacy and the need for admins to access a users home directory, while often discussed, have never been resolved.

Sadly, newsgroup postings from the time were not saved. However ~x/kmail shows a small number of the mails which were exchanged at the time. The exploit used can be found in ~x/bin/smoo

x


Plop's Comments

I don't believe there was a system crash that day. I suspect that John Bolger was embarassed that I posted an exploit on the redbrick newsgroups for code he reviewed (which is relatively harmless, write is a program with few privileges). The root exploit I used to catch John Bolger going through my files was in a chsh tool written by redbrick admin (and frequent poster on secure programming) John Looney. He had a habit of using the system() function to run commands from suid programs, which was susceptible to an IFS exploit on the version of solaris redbrick ran at the time.

Plop


===================================================================

The Events of October 22nd as we, the committee, see them.

===================================================================

Due to the fact that a lot of "screen bombings" have been taking place among new members this year, a logging system was needed in order to identify those members responsible. This logging facility was already in place on Nurse (one of the other redbrick machines), but when the new machine (Mother) was introduced, this was overlooked. Basically, whenever anybody is screen bombed a message shows up in a log which says something to the effect of

"possible screen-bomb from userx to usery on 22nd Oct at 19:30"

This enables us to catch out the culprits, and deal with them, so that nobody gets tormented by complete garble flying up their screen. The admins set about modifying the "write" program, so that this logging facility could be incorporated. The program was modified, and the older version replaced with the newer one. Unfortunately, there was a bug in this program. It enabled any user who took advantage of said bug, to set their GID to tty, and hence have the ability to write anything they wanted, to anyone's terminals, without the victim knowing who it was that had wrote to their screen. It should be pointed out that the admins were not aware of this bug at the time, and the program was deemed fit for use.

At some stage this week, the bug was discovered, by the user pooka. In a message on the newsgroup system, pooka made reference to some stack overflow problems in the write program, and said nothing more. Plop went and found said bugs, and wrote an exploit for them. For those of you who don't know, and exploit is a program written, which takes advantage of a bug in another piece of code, and when run, will usually drop the user into an SUID shell, or something similar. We're not here to debate morals, but suffice to say it would have been appropriate for plop to then come to the redbrick admins, and point out the flaws in the write program, as well as detailing how they could be fixed, so that no one can take advantage and make life a misery for everyone else. Instead of doing that, plop copied the exploit into the /tmp directory and made it world executable. Again for new members, this means that anyone who wants, can run this program, and gain full write access to anybody's terminal on the system. Not only did he put the program there, but he then went on to post an article on the newsgroup system, telling all the members who read the groups, that an exploit to the write bug had been written, and was freely available to execute for anyone who wished to try it out. A copy of this posting is available for anyone who wishes to read it.

If we look at this situation for a moment, we can see that a user had written a program which enabled any user to gain priveleges on redbrick which they weren't entitled to, and informed the members about it. This is not on.

I (spock) was made aware of this exploit, when I was heyed last night by the user "root". Root was not logged on. I heyed plop, assuming it was him, and told him that I wasn't aware he had root access any more, considering that he was no longer an admin. He heyed me back, and said something to the effect of him testing out the bug in the write program. I then talked to spinal, who was co-opted as an admin until the EGM takes place, about the whole situation. We agreed that the old write program should be restored, and the exploit that plop had written should be deleted so that no users could take advantage of it.

The rules of the university which would be broken by running that program are as follows (taken from http://www.dcu.ie/compservices/rules.html):

"It is expressly forbidden:

  • To seek or gain unauthorised access to systems or network resources
  • To impersonate or send email messages whose header fields have in any way been altered or where the message appears to originate from someone or somewhere else is in all cases regarded as an extremely serious offence and subject to disciplinary action up to expulsion from the university."

About ten minutes after this, I received a hey from plop, which said something to the effect of (I didn't cut and paste it), "John Bolger has been looking around in my account, I would like to make an official complaint". To which I replied (as is now well documented) : "nothing on this machine is guaranteed to be private". This is a simple fact. It does NOT mean, however, that the committee spend their days rooting through people's private files and mail, because that is NOT done, and any committee member doing so would immediately be expelled from the committee. As an aside, this morning I already had many a bewildered fresher heying me wondering why we read their mail. WE DO NOT READ YOUR MAIL. He then heyed back something to the effect of "you don't want to take that line with me", to which I responded something to the effect of "I do actually", since I wanted the problem resolved. Then there was silence.

Approximately fifteen minutes later, another user made me aware of the fact that every member of the society had just received a mail from plop, giving his side of the story. At the same time, the same mail was posted on every single news group on the system. There's no point in quoting the mail, it's available for you all to read in your own mailbox.

One thing I should perhaps point out however, is plop's prompt:

{9}(~spinal/xxx)# ls <plop@Mother ZSH emacs

as you can see there is a hash mark "#" at the end of his prompt, which is usually indicative of a root shell. Plop is no longer an administrator, he has no right to root access. This might mean that plop exploited root through some other means, and this is what enabled him to look through john bolger's directory, some might rightly point out the hypocrisy here.

Once this had happened, I talked to John Bolger, who denied copying all of plop's files into his home directory. He said that all he was doing was looking at the write.c program which was in plop's directory, and as far as he was aware, he did not copy anything else out. It has since come to light that it is quite possible that john did copy an entire directory of plop's out and into his own, but all he was concerned with was the exploit in question.

It should be pointed out, that when a user does anything which breaches the rules of the society, or attempts to gain priveleges on the society machines, the administrators are permitted to run checks on the users directory, in order to determine the extent to which the user had broken the rules in the past, or their intention to break rules in the future. This involves looking through the users directory, and checking for suspicious looking files. This is where the privacy barrier is broken. The only way in which the privacy barrier is broken, is if the rules of the society are broken. It is plain to see that 99.99% of members should never have any worries about this, as long as they keep in check with the rules (http://www.redbrick.dcu.ie/rules.html). If you don't break the rules, your privacy won't be broken, it's as simple as that.

In light of these facts, john bolger did nothing wrong in checking plop's directory. In fact, it was done for your protection. Picture the scenario, a user breaks the rules, he/she is disusered for doing so. Their home directory ISN'T checked for further exploits. They are reusered having served their time, and they run another exploit on the machine, which was in their home directory. The exploit could perhaps give them root access. At this point, they go into YOUR mailbox, and start reading YOUR mail. This is malicious, and it could happen. This is why measures are in place to try and prevent exactly this scenario, and it has been successful so far as we are aware.

To summarise:

  • by exploiting the bug in the write program, and making the exploit publically available, plop broke the rules.
  • by mass mailing every body without the prior consent of the committee, plop broke the rules.
  • Nothing has been accomplished here, other than a lot of users, getting very worried over nothing.
  • We do not read your mail, enter your directory, or look through your files, but we DO try to ensure that nobody else does either.

We are not the bad guys, we are here to serve you, to educate you, and to give you a good time along the way. If that means disusering people who break the rules, so be it. If it means breaking the privacy of people who break the rules, so be it.

This was plop's second offence since he joined the society. He has been disusered for 110 days (the first day of second semester). We don't like when this kind of thing happens, but the other 1050 members must come first (yes, we broke the 1000 barrier (!), fast approaching 1100).

Plop, of course, has every right to appeal the disuserment, and the committee are open to listening to his story.

I hope this finishes the argument, but I already have visions of hundreds of postings on the newsgroups for at least the next week. Kind of takes me back to first year, when plop posted something similar on the old BBS, telling everybody that the committee were able to read your mail, and look through your files. It's an old argument, but seeing as some people simply don't seem to understand it I'll reiterate for the last time, we do not read your mail or look through your files.

Hope to see you all in Break for the Border on wednesday! :)

Jon. DCUNS Secretary.

Originally from the Encyclopedia