
    More on the SYSOP SECURITY emergency!!!!

    Date:  01-01-89.

    From Kevin Dahlstedt sysop for
         Rabbit Mountain BBS
         (303) 460 1093
         300-9600 bps  HST

    In an earlier document (SYSOP.TXT) Richard  Johnson  hits  upon  a
    very  dangerous  problem inherent with the way WILDCAT BBS systems
    accept uploads.  In summary, Richard basically says that  external
    uploads  of  files  can  overwrite  existing  batch  files or .com
    files.  This occurs when your  external  upload  system  initially
    uploads  files  into  the  same  directory that contains the batch
    files and/or program files.

    This problem is not however, limited to known uploads  like  those
    outlined  by  Richard.   The  problem  is  much  more  complex and
    potentially dangerous.  The  scenario  described  by  Richard  can
    occur a number of ways.

    First,  a caller can select the upload option, type in a name such
    as  DSZ.COM  or  ZUP.BAT,  start the upload, and WHAM.....security
    problem!  This scenario is described in more  detail  in  Richards
    document.

    Second, a caller can select a download for some  specific  program
    that  you  just  MIGHT  have  in  your  collection  for  available
    downloads that just HAPPENS to  match  a  file  in  your  protocol
    directory  (like  DSZ.COM) and if this same caller selects the use
    of  some  external  protocol  then  once  again   WHAM....security
    breech!   This occurs because WILDCAT copies the needed files into
    the protocol directory before passing the necessary parameters  to
    the protocol's batch file.  Once the external protocol is finished
    WILDCAT  deletes the files that were just copied.  This problem is
    less dangerous than the once mentioned previously since  the  file
    is just deleted and not replaced, however the next scenerio is one
    that  should  scare  the  HELL  out  of  you, if you sysop WILDCAT
    boards!!

    Third, and the most dangerous of these scenarios, involves the use
    of external protocols that allow  batch  transfers.   Imagine  our
    caller  selecting  the upload option and providing a innocent name
    like GAMENAME.ARC, BUT on the callers side of  things  the  caller
    actually  sets his version of DSZ (or other batch protocol driver)
    to send BOTH GAMENAME.ARC AND ZDOWN.BAT.  All statistics  for  the
    upload  will  actually  show  the upload working correctly and the
    file being copied to the  correct  directory  and  NO  information
    pointing  to  the EXTRA upload that has been sent.  NO way to know
    that it is there...NO way to know WHO sent  it!   If  that  second
    upload contains the right information you can kiss the information
    on your disk drives GOODBYE and have NO way to catch the culprit.


    So....are you scared enough yet......well here are some solutions:

    First, and   BEST,   do  what  Richard  Johnson  suggests  in  his
    document.   Make  all  the  files  in  your   protocol   directory
    READ-ONLY.

    Second,  set all external protocols to  upload  into  a  temporary
    directory  instead  of  the  protocol  directory.   By  doing this
    individuals that do send you files that HAPPEN to  have  the  same
    name as protocol files will not be stopped from doing so.  Thus if
    some  nice guy like Richard decides to send you the latest copy of
    JMODEM.COM and forgets to make it an ARC file the upload  will  be
    accepted  and  be  in a usable format.  Also if some BAD GUY sends
    you EXTRA files with a batch upload they will end up in  the  temp
    directory  which  should  ALWAYS be empty (thus it will be easy to
    detect that something wrong has happened).

    Third,  make up an fake file area that ONLY the sysop  has  access
    to, and  put  a  copy  of  all PROTOCOL files into that file area.
    Then 'add' them into your files database  so  that  any  attempted
    uploads will be 'denied' due to inability to overwrite!

    Fourth, verify that you  do  not  have  ANY  files  available  for
    download  that  can  accidently overlay one of your protocol files
    and thereby result in eventual deletion of that file  or  download
    of the wrong file.

    Fifth, use  Richard  Johnsons  LOG  program  to monitor the actual
    performance of the upload.  This can be done like this:

      DSZ port %2 speed %1 rz %3 %4 %5 %6 %7 %8 %9 | LOG Zmodem UPLOAD

        Note: This instruction results in the  saving  of  the  actual
              text output from DSZ in a log file that is both date and
              time  stamped!!!   If you ever find a mysterious file in
              your temp UPLOAD directory you can track it back to  the
              PERSON  who  attempted the BREAK....CATCH that vandal in
              his tracks.......heh heh heh.



    I discovered  these  problems  by  doing  some  test  uploads  and
    downloads  that resulted in some very bizarre problems.  Avoid the
    problems altogether and protect yourselves!

    To any other sysops reading this.......Happy 1989!

    Kevin

