Ian's Humor Pages
"/dev/null Vulnerability"

by Ian Kluft, 2003

April Fools Day... what a wonderful time to pull gags on thousands of your closest friends. Here's the one I wrote and posted for April 1, 2003 - the infamous "/dev/null Vulnerability". (For those not familiar with Unix, /dev/null is sort of like a trash can device, where you can redirect output of programs if you don't want to see it.)

If you haven't had enough April Fools gags pulled on you, be sure to check what Dr Sloof's name spells backwards. :-)

In case anyone panicked, the upgrades recommended in the hoax had actually already been recommended in real security advisories. So while you're not supposed to still fall for it if you read it all the way to the end, there's no harm done in following its advice. Like all good April Fools jokes, it's supposed to look real... for a short time. The good ones make you laugh when you realize you've been had - but they shouldn't hurt you.

This was sent out by mail and also posted on UseNet. Google Groups has the original message and followups. http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=advisory-ca-2003-0401%40announce.cirt.us&rnum=1&prev=/groups%3Fsafe%3Dimages%26ie%3DUTF-8%26oe%3DUTF-8%26as_umsgid%3Dadvisory-ca-2003-0401%2540announce.cirt.us%26lr%3D%26hl%3Den

From: lsloof@cirt.us (Dr. Lirpa Sloof)
Newsgroups: alt.security,comp.security.unix,comp.os.linux.security
Subject: CIRT Advisory CA-2003-0401: /dev/null Vulnerability
Date: 01 Apr 2003 08:21:28 GMT
Organization: Computer Incident Response Team (CIRT)
Message-ID: <advisory-ca-2003-0401@announce.cirt.us>
NNTP-Posting-Host: nimbus.thunder.net

CIRT Advisory CA-2003-0401 /dev/null Vulnerability
Computer Incident Response Team

Systems Affected

* Windows CE, ME, NT, 2000, XP, 98, 95
* Linux (all distributions)
* BSD-derived Operating Systems
* Solaris
* IRIX
* HP-UX
* Digital/Compaq Tru64 Unix
* AIX 
* other Unix-compatible systems and Unix-compatibility libraries

Overview

   There is a vulnerability in /dev/null on Unix systems, Unix-compatible
   systems and those with Unix or POSIX compatibility libraries (including
   Windows) that can be exploited to cause a denial-of-service condition
   and could cause hardware damage to some systems in isolated cases.
   Though rare, the possibility of hardware damage is the primary reason
   why this advisory is being categorized as urgent.

I. Description

   A vulnerability has been discovered with the algorithm most commonly
   used to implement /dev/null on Unix and Unix-compatible systems which
   can be used to cause damage to other software connected to it.  In some
   cases, this software damage can also trigger hardware damage.  These
   vulnerabilities can be exploited by a local user already logged into
   the system for a denial-of-service.  If used in conjunction with
   remote exploit attacks, this could allow a remote attacker, worm or
   virus to cause hardware damage on some systems.  In even more rare
   circumstances there are possibilities of bodily injury in bystanders.

II. Impact

   The contemporary method of /dev/null drivers is described as the "high
   suction algorithm" in comparison with the replacement that vendors have
   made available for their systems.  If a malicious user uses a program
   with low-resistance logic to connect /dev/null back into itself,
   the device goes critical and can be used for destructive purposes.
   Once the /dev/null device driver enters a critical state, programs with
   low-resistance logic will break, be consumed by /dev/null and expose
   their standard input to the full force of /dev/null itself.  Some examples
   which have been verified in labs include the following:
   * Programs which are consumed by /dev/null become permanent entry points
     to /dev/null afterward.
   * If standard input is redirected from any regular file, it will be
     "sucked dry" and left empty.  File permissions do not prevent loss
     of data.
   * If standard input is redirected from a directory, all the files and
     directories within it will be sucked dry, recursively removing an
     entire directory tree.
   * If standard input is redirected from a pipe or named pipe, it will
     expose the full force of the critical state /dev/null to the program
     on the other end of the pipe.  As with direct linkage to /dev/null,
     if the program contains logic too weak to resist the suction, it
     will be consumed and permanently become a portal to /dev/null itself.
   * If standard input is redirected from a keyboard device, the keyboard
     will implode, crushing the keys.  This has the possibility to cause
     minor lacerations if anyone is typing on the keyboard at the time of the
     implosion.
   * If standard input is redirected from a mouse device, it will pop like
     a weasel in a microwave oven.
   * If standard input is redirected from a CRT monitor driver, the device
     is unaffected because it already contains a vacuum.
   * If standard input is redirected from a disk driver, the drive will
     be erased and the lubrication removed from the bearings.  In lab tests
     the disk platter has exited the drive at high speed in a random
     direction.  Note that if this occurs in a data center environment,
     the platter is likely to embed itself in other computer hardware.
     There is a risk of injury if a disk platter or other shrapnel from
     the self-destructing disk drive should hit any person.
   * If standard input is redirected from a network device, the results
     have been very unpredictable.  The effects appear to be mainly
     confined within the local area network (LAN).  In all cases, all
     packets are sucked off the network.
     * An ethernet hub is too weak to resist the suction and becomes a
       vacuum port for /dev/null.
     * All ethernet switches and broadband network interfaces are immune
       to the effects.
     * In one home where a user-modified digital video recorder (DVR) device
       was connected to the network, the existing recordings were erased.
       But the device was running Linux so its own /dev/null created enough
       suction that the pressure differential caused no further damage.
     * In another home where a refrigerator was connected to the network,
       all the food inside became freeze-dried.
     * The most violent reaction was found where a home automation system
       was connected to the network.  The vacuum came in contact with the
       central air vents and sucked the air out of the house.  Everyone
       got out safely.  But an infestation of termites in the house was
       entirely suffocated.

III. Solution

   Note that many of the mitigation steps recommended below may have
   significant impact on your everyday home or office operations.  Use
   appropriate caution but also ensure that any changes made based on the
   following recommendations will not unacceptably affect your ongoing use
   of your computer and occupancy of your building unless you're certain
   that a great danger exists in your circumstances.

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   Please consult this appendix to determine if you need to contact
   your vendor directly.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory.

Microsoft

   The same patch as the fix for the March 17 buffer overflow in the
   Windows Core DLL also fixes the high-suction algorithm.  Note that
   Windows systems are particularly vulnerable to the high-suction
   algorithm because all the programs on Windows have weak logic and
   are unable to resist the suction.  Also, Microsoft has said that
   there will be no patch for NT4 because they are unable to build a
   new copy of the OS from source code.  So NT4 not only sucks, but
   it also blows.

Red Hat

   Upgrade to kernel kernel-2.4.18-27.7.x (for RedHat Linux 7.x),
   kernel-2.4.18-27.8.0 (for RedHat Linux 8.0) or later.
   
   RedHat Linux 9.0 is not vulnerable.

SCO (Caldera)

   Upgrade to OpenLinux 3.1.1, UnixWare 7.1.1, OpenUnix 8.0.0
   or later.

Debian GNU/Linux

   Upgrade to kernel kernel-image-2.4.18* or later for your system.

Mandrake Linux

   Upgrade to kernel-2.4.19.32mdk-1-1mdk.* (for Mandrake Linux 9.0,
   Corporate Server 2.1) or later.

   Mandrake Linux 9.1 is not vulnerable.

SuSE Linux

   Upgrade to kernel-2.4.19-20030324 updates (for SuSE Linux 8.1),
   kernel-2.4.18-20030324 (for SuSE Linux 7.1-8.0) or later.

   SuSE Linux 8.2 is not vulnerable.

Slackware Linux

   For Slackware Linux, contact your vendor.

FreeBSD

   Upgrade to FreeBSD 5.0 or later.

NetBSD

   Upgrade to NetBSD-1.6.1 or later.

OpenBSD

   Upgrade to OpenBSD 3.3 or later.

Solaris

   Apply patch 114356-01 (Solaris 9), patch 114356-01 (Solaris 8)
   or later.

IRIX

   Apply update 20030201-01-P.

HP

   Apply patch SSRT2322_2341_2384_2412_2439 (HP/Compaq Tru64 Unix).
   For HP-UX, contact your vendor.

AIX

   For AIX, contact your vendor.
