
The Sendmail Debug Flag That Brought Down the Early Internet

Robert Morris's 1988 worm used a hidden debug mode in sendmail to execute arbitrary code — a feature left on by its author for convenience.

On the evening of November 2, 1988, Robert Tappan Morris, a graduate student at Cornell, released a self-replicating program onto the ARPANET from an MIT computer, probably to obscure its origin. By morning, roughly 6,000 Unix machines were infected and many had slowed to a crawl. This was a meaningful fraction of the machines connected to the early internet.

The worm had three attack vectors. The first was a buffer overflow in the fingerd finger daemon, which used the notoriously unsafe gets() function and didn't check the length of its input. The second exploited trust relationships in the rsh and rexec utilities: if machine A trusted machine B, and machine B was infected, the worm could instruct A to execute commands without a password.
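
The fingerd flaw described above comes from reading a request line with gets(), which has no length limit. As an added example (not code from fingerd or from this article), here is a bounded line reader in C that rejects over-long requests instead of overflowing; the names read_request, last_status and REQ_MAX are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define REQ_MAX 64 /* assumed buffer size for this example, not from the article */
enum { REQ_OK = 0, REQ_EOF = -1, REQ_TOO_LONG = -2 };
/* Unbounded pattern the article describes (gets() was removed in C11):
 *     char line[REQ_MAX]; gets(line);    copies until newline, past line[] */

/* Bounded replacement: read one request line from `in` into buf[cap], cap >= 2.
 * An over-long line is rejected and drained to its newline so its tail is not
 * parsed as a second request. Assumes text input without NUL bytes. */
int read_request(FILE *in, char *buf, int cap)
{
    if (fgets(buf, cap, in) == NULL) {
        buf[0] = '\0';
        return REQ_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
    } else {
        int c = fgetc(in);             /* look past what fgets consumed */
        if (c != EOF && c != '\n') {   /* more data: the line did not fit */
            while (c != EOF && c != '\n') c = fgetc(in);
            buf[0] = '\0';
            return REQ_TOO_LONG;
        }
    }
    if (n > 0 && buf[n - 1] == '\r')   /* accept CRLF line endings */
        buf[--n] = '\0';
    return REQ_OK;
}

/* Demo helper (hypothetical): status of the last of `count` reads on input. */
int last_status(const char *input, int count, char *buf, int cap)
{
    FILE *f = tmpfile();
    int st = REQ_EOF;
    if (f == NULL) return st;
    fputs(input, f);
    rewind(f);
    while (count-- > 0) st = read_request(f, buf, cap);
    fclose(f);
    return st;
}

int main(void)
{
    char buf[REQ_MAX];
    printf("%d\n", last_status("alice\r\n", 1, buf, REQ_MAX)); /* constructed */
    return 0;
}
```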

The third vector was the one that shouldn't have existed. Eric Allman, the author of sendmail — then the dominant Unix mail server — had included a debug mode flag that allowed a remote sender to specify a program to pipe incoming mail into, rather than delivering it to a user. This feature was left enabled in production versions to make testing easier. The Morris Worm used it to send a small bootstrap program to a listening sendmail process and execute it, which then downloaded the full worm.

Morris was convicted in 1990 under the Computer Fraud and Abuse Act of 1986 — the first prosecution under that law. He received a fine of $10,050, 400 hours of community service, and three years of probation. He later co-founded Viaweb, which was acquired by Yahoo in 1998 and became Yahoo Store.

Sources: Purdue University CERIAS, Wikipedia