Around 1997 I used search engines to find poorly configured IRIX servers with /etc/passwd exposed to the Internet via classic directory traversal. IRIX helpfully provided several accounts with factory default passwords, so these usernames were easy to search for, which was in turn an easy way to identify IRIX hosts. Unpatched local root vulnerabilities ensured that “Game over, man.”
9front includes a web server written in rc, called rc-httpd. It was written to run on a Mac, but early on I transplanted it into Plan 9 in order to serve 9front.org, cat-v.org, and other sites. We’ve made some refinements over the years, but it remains very simple. Most importantly, it works well for static or CGI pages, the latter of which is needed by werc.
Plan 9 makes erecting trivial sandboxes easy, but robust ones remain elusive if the quirky restrictions embodied in the special user none are for some reason undesirable. For close to ten years I’ve run all our sites on rc-httpd with no sandboxing at all. Since public websites and public mailing lists are all that have ever been stored on the machine, I’ve never mustered the gumption to try to harden the environment further.
Late last month, 4chan’s /g/ discovered a directory traversal bug in rc-httpd. It shouldn’t have been much of a problem because the web files should have been sandboxed from the rest of the file system. It wasn’t much of a problem because not much else was accessible via the file system. Still, it’s true this class of bug in a web server program has been very well known dating back to the dawn of the World Wide Web, and it’s pretty silly that it was present in rc-httpd. The 4chan thread was full of witty comments about the rookie mistakes in our homemade software. The solution of course is to run software too complex to be understood by humans, whose development is sponsored by, and for all practical purposes controlled by hostile corporations.
Based on my logs it is clear that two major leaks occurred as a result of this attack:
The subscriber lists of all the public mailing lists hosted on the machine. (Less than critical because already more-or-less public information.)
The passwords of all the users of the various werc websites hosted on the machine. (Less than critical because there have not been any users authenticating to any of these websites for several years.)
No other private information was exfiltrated. No data on the server was modified. There was, however, considerable excitement surrounding the “discovery” of files on the server that were either part of the 9front distribution or otherwise linked from the websites served by the machine. In other words, data that was already publicly available even without unintended directory traversal.
Because rc-httpd’s configuration file is also executable rc, I was able to close the hole on my server in a handful of minutes by manually rejecting requests containing the improper string. Because the code was simple in general, the program was patched fairly quickly. Because I have been mostly absent from 9front development since the importation of git9, I flubbed the initial commit, and later accidentally reverted the fix on my own server for several hours.
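The general shape of the check that closes this class of hole, as an added example written in POSIX sh rather than rc, and not rc-httpd’s code or the fix actually committed to 9front: percent-decode the request path first (so an encoded dot-dot is seen for what it is), split it into components, and refuse any request containing a ".." component instead of trying to normalize it away. The document root is a constructed placeholder, not the path used on the real server.

```shell
#!/bin/sh
# Added example, not rc-httpd's own code. Rejects directory-traversal
# request paths before they are joined to the document root.
# Assumption: DOCROOT is a constructed placeholder directory name.

DOCROOT="/www/example-docroot"   # constructed placeholder

# url_decode STRING: expand %XX escapes so that "%2e%2e" becomes "..".
# Implemented in awk for portability (printf %b does not decode \x everywhere).
url_decode() {
    printf '%s' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        while ((i = index(s, "%")) > 0 && length(s) >= i + 2) {
            h  = tolower(substr(s, i + 1, 2))
            hi = index(hex, substr(h, 1, 1))
            lo = index(hex, substr(h, 2, 1))
            if (hi && lo) {
                # valid escape: emit the decoded byte
                out = out substr(s, 1, i - 1) sprintf("%c", (hi - 1) * 16 + lo - 1)
                s = substr(s, i + 3)
            } else {
                # stray "%": keep it literally and move on
                out = out substr(s, 1, i)
                s = substr(s, i + 1)
            }
        }
        print out s
    }'
}

# safe_path DOCROOT REQPATH: print the file path to serve, or exit 1 to
# reject the request. Runs in a subshell so IFS and set -f do not leak.
safe_path() (
    root=$1
    req=${2%%\?*}              # drop the query string before decoding
    req=$(url_decode "$req")

    case $req in
        /*) ;;                 # request paths must be absolute
        *)  exit 1 ;;
    esac

    set -f                     # no globbing while we split on "/"
    IFS=/
    set -- $req
    unset IFS

    out=""
    for c in "$@"; do
        case $c in
            ''|.) ;;           # skip empty ("//") and "." components
            ..)   exit 1 ;;    # reject traversal outright, never normalize it
            *)    out="$out/$c" ;;
        esac
    done
    printf '%s\n' "$root$out"
)

# Demo over constructed requests: prints the resolved path or "reject".
for req in /index.html '/docs/../../../etc/passwd' '/%2e%2e/%2e%2e/etc/passwd'; do
    if p=$(safe_path "$DOCROOT" "$req"); then
        printf 'accept %s -> %s\n' "$req" "$p"
    else
        printf 'reject %s\n' "$req"
    fi
done
```

Two caveats a practitioner would want: the check must run on the decoded path (a filter on the literal string ".." alone misses "%2e%2e"), and it says nothing about symbolic links inside the document root, which is exactly the kind of leak a proper sandbox, rather than string checking, is meant to cover.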
Because I’m an idiot, all of this happened in the first place.
Computers are unsafe at any speed.