The worm uses a number of flaws or weaknesses in the existing standard software of many UNIX systems. Some of these defects are described below.
Fingerd Program
The fingerd program is a utility that provides information about users. It is usually used to identify the full name or login name of a user, whether the user is currently logged in, and possibly other information about the person, such as phone numbers. The program runs as a daemon, or background process, to handle requests for information coming from remote systems using the fingerd protocol. It accepts connections from programs running on the other side, reads a line of input, and sends back an answer to the request it received.
The weakness exploited to "break" the program involves overrunning the input buffer used by the daemon. The I/O library of the C language has several routines that read input without checking the bounds of the buffer involved in the operation. In particular, the gets call reads input data into a buffer without checking its limits. This is the call that was exploited by the worm. The gets routine is not the only one with this deficiency. A whole family of C library routines can exceed the buffer's size when decoding input or formatting output, unless the user explicitly specifies the number of characters to convert.
Although experienced programmers are aware of these issues, many of them continue to use these routines. The problem is that any network server or privileged program using these functions may be compromised due to improper handling of input. Interestingly, two more standard BSD UNIX commands were recently found to have this problem.
After the attack on the Internet, several potential problems and several ways to remove them were revealed; however, these library routines are still in use.
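The bounded alternative to the gets call described above, as an added example (not code from fingerd or from the worm). REQ_MAX, read_request_line, run_sample and the sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512            /* assumed request buffer size */

/* Unsafe form the text describes (gets was removed from C in C11):
 *     char line[REQ_MAX]; gets(line);   // copies until newline, ignores size */

/* Read one request line into buf[size], never writing past it. Returns the
 * length without CR/LF, or -1 on EOF or when the line does not fit; the rest
 * of an overlong line is drained so it is not parsed as a second request. */
int read_request_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        len--;                                        /* strip LF */
        if (len > 0 && buf[len - 1] == '\r') len--;   /* strip CR */
    } else if (!feof(in)) {                           /* buffer full, no newline */
        int c;
        while ((c = getc(in)) != EOF && c != '\n') { }
        return -1;
    }
    buf[len] = '\0';
    return (int)len;
}

char sample_buf[REQ_MAX];      /* holds the last line read by run_sample */
/* Constructed input: a request of n 'A' bytes, then a second request "root".
 * Returns the result for the first line; sample_buf ends up with the second. */
int run_sample(size_t n)
{
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    for (size_t i = 0; i < n; i++) putc('A', f);
    fputs("\r\nroot\r\n", f);
    rewind(f);
    int first = read_request_line(f, sample_buf, sizeof sample_buf);
    read_request_line(f, sample_buf, sizeof sample_buf);
    fclose(f);
    return first;
}

int main(void)
{
    printf("8 bytes -> %d, 600 bytes -> %d, then: %s\n", run_sample(8), run_sample(600), sample_buf);
    return 0;
}
```

The same rule applies to the rest of the family: give scanf-style conversions an explicit field width and use snprintf rather than sprintf, checking the returned length for truncation.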

Sendmail program
The sendmail program is an email service intended to route mail in a heterogeneous network. The program has several modes of operation, but the one exploited by the worm involves running the service as a background process (daemon). In this mode, the process listens on a TCP port (25) to deliver mail arriving over the standard Internet protocol, SMTP (Simple Mail Transfer Protocol). When incoming mail is detected, the process enters into a dialogue with the remote process to determine the sender, recipient, message content and delivery instructions.
The weakness exploited in sendmail is linked to a debugging option in the code. The worm sends the debug command to sendmail and then specifies the recipient of the message as a set of commands rather than as a user address. In normal operation this is not allowed; in the debugging code, however, it makes it possible to check incoming mail for a particular recipient without calling the addressing routines. By using this option, testers can run programs that display the state of the mail system without sending mail or establishing a connection. This debugging option is often used precisely because of the complexity of configuring sendmail.

The sendmail program is of great importance, especially for UNIX systems derived from BSD, because it handles the complex processes of routing and distributing mail. However, despite its great importance and wide use, most system administrators know little about how sendmail works. Although there are many cases of system administrators writing drivers or changing the kernel, nobody has yet made changes to sendmail or its configuration files. In conclusion, the weaknesses present in sendmail are little known, and some of them are detected and reported as they are discovered.



