From owner-freebsd-security@FreeBSD.ORG Sun Jun 27 01:20:33 2004
Date: Sun, 27 Jun 2004 11:19:51 +1000 (EST)
From: Neo-Vortex
To: Dave
Cc: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?

Hmmm, ttyv* is for local consoles only (normally anyway) and ttyp* is for
remote (ssh, screen, telnet, etc). Are you sure some idiot didn't try to
log on as qmaild in the third console when you weren't looking?

On Sat, 26 Jun 2004, Dave wrote:

> I get this in my security postings.
>
> Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2
> Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2, qmaild
>
> As it turns out, I'm not running qmail :) And if I did, it would
> definitely have a nologin shell. But that's beside the point-
>
> I have had a perception that ttyv was for local/console logins, and that
> just "tty" was for remote logins.
>
> Is my understanding wrong here?

From owner-freebsd-security@FreeBSD.ORG Mon Jun 28 21:00:50 2004
Date: Mon, 28 Jun 2004 14:13:25 -0700 (PDT)
From: Dave
To: Neo-Vortex
Cc: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?

Hmm, I think I am in some kind of trouble.
I have been getting login errors on ttyv that definitely couldn't be me.
The only other person who lives with me is my wife, and it isn't her either.

qmail, popa3d, etc.. I am even getting them on my ftp too.

If someone had root access, they should be able to know what I am running
on my system rather than trying these idiotic logins. In fact, they could
telnet to my mail port and look for the Sendmail greeting to know that I
don't run qmail, or portping 125 to see if I am running any kind of POP3
server. A piece of me feels it is just some internet sweeper that
mindlessly tries logging in or ftping to certain things, and moves to the
next IP address. I am also wondering if it is just a syslogd thing that
the login failures were simply reported on ttyv2 rather than actually
happening there, but then why not ttyv0, which is the 'main' thing it
prints to?

I recently just backed up my system so I'm not feeling that bad but....
but... how? There is no sense in making the same mistake twice. I could
run cvsup, compile a fresh binary of sockstat and ps to see if anything is
running...

I'll consider turning snp off and recompiling my kernel. But that would
just get rid of the messages, not help me get to the heart of it.

From owner-freebsd-security@FreeBSD.ORG Tue Jun 29 00:16:39 2004
Date: Tue, 29 Jun 2004 10:16:32 +1000 (EST)
From: Neo-Vortex
To: Dave
Cc: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?

Check /etc/ttys and see if ttyv2 has been mapped to anything else apart
from the getty for that terminal. If it has, then that's why it's
appearing; if it hasn't, then either someone was at your box (which we
have established as impossible) or getty is backdoored... or of course
something is sending phoney messages to syslogd...

From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 00:37:52 2004
Date: Tue, 29 Jun 2004 17:50:21 -0700 (PDT)
From: Dave
To: Igor Roshchin
Cc: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?

console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv2   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv3   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv4   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv5   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv6   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv7   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure
---

I don't really see a problem here. My mystery logins are actually still
continuing. I'm going to see if I can code a mousetrap to find out who is
doing it. I did a fresh source compile of world from the latest cvsup for
5.2.1 REL, and ran mergemaster to look for differing startup scripts...

No luck yet. I wrote down the byte-sizes of sockstat, ps, and getty on a
piece of paper. I'm going to watch them over the next couple of days.

On Mon, 28 Jun 2004, Igor Roshchin wrote:

> You might want to check your /etc/ttys file,
> if it still shows ttyv* as for the console logins or for network logins.
>
> Igor
>
> Igor Roshchin
> System Administrator
> KomKon Sites
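The check Neo-Vortex and Igor ask for, as an added example that is not code from anyone in the thread: parse an /etc/ttys listing, confirm every enabled ttyv* entry still hands the terminal to /usr/libexec/getty, and flag "secure" on network pseudo-terminals. The sample is Dave's listing above plus two constructed lines (ttyv9 and ttyp1) that are not in his file, so the checks have something to report.

```python
"""Audit /etc/ttys the way the thread suggests: is each enabled ttyv* still
handed to /usr/libexec/getty, and do any network ptys carry "secure"?

ttys(5) lines look like:  name  command  type  status-flags...
The command is quoted when it has arguments, so shlex does the splitting.
"""
import shlex

EXPECTED_GETTY = "/usr/libexec/getty"

# Constructed sample: Dave's listing from the thread, plus two lines that
# are NOT in his file (assumption) so the checks have something to report:
# ttyv9 runs a getty from a non-system path, ttyp1 is a network pty
# marked secure.
SAMPLE_TTYS = """\
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv2   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv3   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure
ttyv9   "/usr/local/bin/getty Pc"       cons25  on  secure
ttyp0   none                            network
ttyp1   none                            network secure
"""


def parse_ttys(text):
    """Return one dict per entry: name, command, type, flags (comments skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue  # ttys(5) needs at least name, command and type
        entries.append({
            "name": fields[0],
            "command": fields[1],
            "type": fields[2],
            "flags": set(fields[3:]),
        })
    return entries


def audit_ttys(text):
    """Return (enabled_vtys, findings).

    enabled_vtys: ttyv* names that are "on" and run the system getty. A
    LOGIN FAILURE logged on one of these needs someone, or something,
    feeding that terminal.
    findings: entries that deserve a closer look.
    """
    enabled, findings = [], []
    for e in parse_ttys(text):
        program = e["command"].split()[0]
        is_on = "on" in e["flags"]
        if e["name"].startswith("ttyv"):
            if program == EXPECTED_GETTY:
                if is_on:
                    enabled.append(e["name"])
            elif is_on:
                # An enabled virtual terminal running something other than
                # the system getty is the "mapped to something else" case.
                findings.append(
                    f"{e['name']}: enabled but runs {program}, not {EXPECTED_GETTY}")
        if e["type"] == "network" and "secure" in e["flags"]:
            # "secure" permits root login on that terminal; on a network
            # pty that means root login over the network.
            findings.append(f"{e['name']}: network terminal marked secure")
    return enabled, findings


if __name__ == "__main__":
    on, problems = audit_ttys(SAMPLE_TTYS)
    print("enabled getty vtys:", ", ".join(on))
    for p in problems:
        print("CHECK:", p)
```

Run it against the real file with `audit_ttys(open("/etc/ttys").read())`; on Dave's unmodified listing the findings list comes back empty.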
From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 00:57:45 2004
Date: Wed, 30 Jun 2004 11:05:20 +1000 (EST)
From: Andrew Johns
To: Dave
Cc: Igor Roshchin, freebsd-security@freebsd.org
Subject: Re: ttyv for local only?

Is your syslogd allowing remote access from the 'net? In light of the
fact that no one should be able to physically stand at the console, it
sounds as though someone is sending spurious entries to it... or else your
box has been compromised and they're using other methods for fun, although
why they would do this if it's already compromised is a good question...

HTH
dm

From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 02:14:33 2004
Date: Tue, 29 Jun 2004 19:26:41 -0700 (PDT)
From: Dave
To: Andrew Johns
Cc: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?

I didn't think syslogd was open to the world by default? Just in case, I
now blocked off port 514 for UDP. If it was, then I was just running it
open to the world for 2 years and finally noticed :) I guess it's not
commonly picked on.

I also wrote a little program (one of those "in hello world time" to make
things) that watches the file sizes of a small handful of files and fires
off a really loud mp3 if they change :) A kind of hacky way to see if I
can catch someone red-handed modifying things like ps, sockstat, sh,
getty, etc..

I can't find the entries that the periodic security mailings found. I'm
just going to hope I am looking in the wrong spot rather than the worse
case that, say, someone decided to go back and clean them up but not
before periodic noticed. :( messages and auth.log aren't showing
anything, but they do seem to show failures I have deliberately generated
to see where they were going.

I am feeling better after the fresh recompile though. I'll see how it
plays out. I don't want to format until I'm sure I'm really compromised
or if I'm just tripping, or as you said, someone is goofing off with my
syslogd.
From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 09:24:13 2004
Date: Wed, 30 Jun 2004 11:23:31 +0200 (CEST)
From: guy@device.dyndns.org
To: freebsd-security@freebsd.org
Subject: Re: ttyv for local only?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jun 2004 09:24:13 -0000 Your problem make me curious... On 30-Jun-2004 Dave wrote: > > I didn't think syslogd was open to the world by default? Just in case, I > now blocked off port 514 for UDP. If it was, then I was just running it > open to the world for 2 years and finally noticed :) I guess its not > commonly picked on. With default settings on a freshly updated 4.10-STABLE "ps ax" says my syslogd is running as "/usr/sbin/syslogd -s". "man syslogd" says : -s Operate in secure mode. Do not log messages from remote machines. If specified twice, no network socket will be opened at all, which also disables logging to remote machines. So unless someone changed the way syslogd is launched, this should not be a spurious message from a remote machine (but could be from local). You may consider using a tool such as security/aide after a fresh buildworld to get sure no unauthorised changes are made to your system. Assuming your buildchain tools have not been trojaned you can do it on the target system. If you have some suspicion, run the buildworld/kernel from a live cd or another machine. 
Sorry if all I said sounds obvious, there are some times when possibly
useless repeating seems worthwhile :]

--
Guy

From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 13:59:43 2004
From: Andrew McNaughton <andrew@scoop.co.nz>
To: Dave
Cc: freebsd-security@freebsd.org
Date: Thu, 1 Jul 2004 01:59:25 +1200 (NZST)
In-Reply-To: <20040629174641.N47396@metafocus.net>
Subject: Re: ttyv for local only?

On Tue, 29 Jun 2004, Dave wrote:
> I don't really see a problem here. My mystery logins are actually still
> continuing. I'm going to see if I can code a mousetrap to find out who is
> doing it.
> I did a fresh source compile of world from the latest cvsup for
> 5.2.1 REL, and ran mergemaster to look for differing startup scripts...
>
> No luck yet. I wrote down the byte-sizes of sockstat, ps, and getty on a
> piece of paper. I'm going to watch them over the next couple of days.

md5 sums are generally better for this sort of thing. It's not all that
hard to pad a file out to a desired size.

Also, see /usr/ports/security/l5 for a minimalist tool which is useful for
listing file data including md5 sums, file sizes, permissions, etc.

Andrew

--
No added Sugar. Not tested on animals. May contain traces of Nuts.
If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton                    Living in a shack in Tasmania
andrew@scoop.co.nz                   Between the bush and the sea
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
http://www.scoop.co.nz/

From owner-freebsd-security@FreeBSD.ORG Wed Jun 30 15:39:35 2004
From: Gary Mulder <gmulder@infotechfl.com>
To: freebsd-security@freebsd.org
Date: Wed, 30 Jun 2004 11:38:51 -0400
Subject: Re: ttyv for local only?
If someone hasn't suggested it already, you may want to install tripwire
to md5 checksum all of your files. Once you build the database, make a
copy off-machine or use chflags on a copy of it so you have a reference
database that your potential cracker can't modify.

Gary
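Added example, not code from any of the posts above: a small Python file-integrity baseline in the spirit of the aide, l5 and tripwire suggestions in this thread. It records size, permission bits and digests per file and shows why Andrew's md5 advice beats a notebook of byte counts: a same-size replacement is still caught. File names, contents and the temp-directory layout are constructed for the demonstration.

```python
"""Minimal file-integrity baseline (constructed example, not from the thread).
MD5 is what the posts name; SHA-256 is recorded beside it because MD5
collisions are practical today."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Size, permission bits and two digests of one regular file."""
    st = os.lstat(path)
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def build_baseline(paths, out_file):
    """Write the baseline as JSON. Per Gary's advice, keep the trusted copy
    off the host (or on FreeBSD 'chflags schg' it under a raised securelevel);
    this function does not enforce that."""
    base = {p: fingerprint(p) for p in sorted(paths)}
    with open(out_file, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)
    return base


def check(baseline_file, paths):
    """Return {path: [changed fields]} for files that differ from the baseline.
    A file replaced by one padded to the same size still shows up, because
    the digests change even though 'size' does not (Andrew's point)."""
    with open(baseline_file) as f:
        base = json.load(f)
    report = {}
    for p, old in base.items():
        if not os.path.exists(p):
            report[p] = ["missing"]
            continue
        new = fingerprint(p)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            report[p] = changed
    for p in paths:
        if p not in base:
            report[p] = ["new"]
    return report


def demo():
    """Constructed scenario: 'getty' is replaced by a same-size payload and
    'ps' is made setuid. Returns the report keyed by file name."""
    d = tempfile.mkdtemp()
    getty, ps = os.path.join(d, "getty"), os.path.join(d, "ps")
    with open(getty, "wb") as f:
        f.write(b"original getty contents\n")     # 24 bytes
    with open(ps, "wb") as f:
        f.write(b"original ps contents\n")
    os.chmod(getty, 0o755)
    os.chmod(ps, 0o755)
    db = os.path.join(d, "baseline.json")
    build_baseline([getty, ps], db)
    with open(getty, "wb") as f:
        f.write(b"trojaned getty contents\n")     # also 24 bytes: size unchanged
    os.chmod(ps, 0o4755)                          # permission change only
    return {os.path.basename(k): v for k, v in check(db, [getty, ps]).items()}
```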
From owner-freebsd-security@FreeBSD.ORG Thu Jul 1 08:04:44 2004
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Thu, 1 Jul 2004 10:03:44 +0200 (CEST)
Subject: FreeBSD Security Advisory FreeBSD-SA-04:13.linux

=============================================================================
FreeBSD-SA-04:13.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Linux binary compatibility mode input validation error

Category:       core
Module:         kernel
Announced:      2004-06-30
Credits:        Tim Robbins
Affects:        All 4.x and 5.x releases
Corrected:      2004-06-30 17:31:44 UTC (RELENG_4)
                2004-06-30 17:34:38 UTC (RELENG_5_2, 5.2.1-RELEASE-p9)
                2004-06-30 17:33:59 UTC (RELENG_4_10, 4.10-RELEASE-p2)
                2004-06-30 17:33:24 UTC (RELENG_4_9, 4.9-RELEASE-p11)
                2004-06-30 17:32:24 UTC (RELENG_4_8, 4.8-RELEASE-p24)
CVE Name:       CAN-2004-0602
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component.

II.  Problem Description

A programming error in the handling of some Linux system calls may result
in memory locations being accessed without proper validation.

III. Impact

It may be possible for a local attacker to read and/or overwrite portions
of kernel memory, resulting in disclosure of sensitive information or
potential privilege escalation. A local attacker can cause a system panic.

IV.  Workaround

The only known workaround is to disable the linux binary compatibility
layer and prevent it from being (re)loaded. Note that step (a) must be
performed before step (b).

a) To prevent the linux compatibility layer being (re)loaded, remove the
/boot/kernel/linux.ko file (on FreeBSD 5.x) or the /modules/linux.ko file
(on FreeBSD 4.x), and add or change the following line in /etc/rc.conf:

linux_enable="NO" # Linux binary compatibility loaded at startup (or NO).

Add or change the following lines in /boot/loader.conf:

linux_load="NO" # Linux emulation
linprocfs_load="NO"

In addition, remove any linprocfs file system listed in /etc/fstab.

b) To disable the linux binary compatibility layer, first determine if it
is loaded:

# kldstat -v | grep linuxelf

If no output is produced, the linux compatibility layer is not loaded;
stop here. If the linux compatibility layer is loaded, determine if it is
compiled into the kernel or loaded as a module:

# kldstat | grep linux.ko

If no output is produced, the linux compatibility layer is compiled into
the kernel. Remove the line

options COMPAT_LINUX

from your kernel configuration file and recompile the kernel as described
in and reboot the system.

If output is produced, then the linux compatibility layer is loaded as a
kernel module. If the module is not currently being used (by a process
running under linux emulation, for example) then it may be possible to
unload it:

# kldunload linux
# kldstat | grep linux.ko

If this does not successfully unload the module, reboot the system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_10, RELENG_4_9, or RELENG_4_8 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.9,
4.10 and 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.2]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:13/linux5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:13/linux5.patch.asc

[FreeBSD 4.8, 4.9, 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:13/linux4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:13/linux4.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_4
  src/sys/compat/linux/linux_ioctl.c                            1.55.2.13
RELENG_5_2
  src/UPDATING                                                 1.282.2.17
  src/sys/compat/linux/linux_ioctl.c                            1.112.2.1
  src/sys/conf/newvers.sh                                       1.56.2.16
RELENG_4_10
  src/UPDATING                                              1.73.2.90.2.3
  src/sys/compat/linux/linux_ioctl.c                        1.55.2.12.4.1
  src/sys/conf/newvers.sh                                   1.44.2.34.2.4
RELENG_4_9
  src/UPDATING                                             1.73.2.89.2.12
  src/sys/compat/linux/linux_ioctl.c                        1.55.2.12.2.1
  src/sys/conf/newvers.sh                                  1.44.2.32.2.12
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.27
  src/sys/compat/linux/linux_ioctl.c                        1.55.2.10.6.1
  src/sys/conf/newvers.sh                                  1.44.2.29.2.25
-------------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Thu Jul 1 13:29:31 2004
From: Mohacsi Janos <mohacsi@niif.hu>
To: freebsd-security@freebsd.org
Date: Thu, 1 Jul 2004 15:28:41 +0200 (CEST)
Subject: Two possible vulnerabilities?
Dear all,

Browsing through the securityfocus vulnerability database I found two
items that might be interesting for the FreeBSD community:

1. GNU GNATS Syslog() Format String Vulnerability
   http://www.securityfocus.com/bid/10609

   GNATS is a vital part of the PR handling of FreeBSD. I think security
   officers should contact developers of GNU GNATS about this issue to
   resolve the potential problem.

2. gzip: Insecure creation of temporary files
   http://www.securityfocus.com/bid/10603

   In reality this affects only znew and gzexe, and only gzip versions
   prior to 1.3.3-r4. I am not quite sure whether this vulnerability
   exists in the current gzip 1.2.4 that is used in FreeBSD. According to
   the gzip page, http://www.gzip.org, a new official version will be
   posted soon....

   Are there any plans to go forward to gzip 1.3?
Best Regards,
Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

From owner-freebsd-security@FreeBSD.ORG Thu Jul 1 17:42:10 2004
From: Jos Hörchner <horcy@textonly.demon.nl>
To: freebsd-security@freebsd.org
Date: Thu, 1 Jul 2004 19:40:27 +0200
In-Reply-To: <20040701150125.S78298@mignon.ki.iif.hu>
Subject: wrong security branch name?

Maybe I'm wrong, but shouldn't 4.10-RELEASE-p2 be 4.10-RELEASE-p1?

Thx for the patch though!!
Jos

From owner-freebsd-security@FreeBSD.ORG Thu Jul 1 17:59:07 2004
From: Dag-Erling Smørgrav <des@des.no>
To: Jos Hörchner
Cc: freebsd-security@freebsd.org
Date: Thu, 01 Jul 2004 19:57:45 +0200
In-Reply-To: <003401c45f92$81a6e940$0200a8c0@horcy>
Subject: Re: wrong security branch name?
Jos Hörchner writes:
> Maybe I'm wrong, but shouldn't 4.10-RELEASE-p2 be 4.10-RELEASE-p1?

No:

20040630:       p2      FreeBSD-SA-04.13.linux
        Correct an input validation error in the linux binary
        compatibility code.

20040626:       p1      FreeBSD-EN-04:01.twe
        Fix a bug in twe(4) that could cause kernel lockups.

20040527:
        FreeBSD 4.10-RELEASE.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Jul 1 19:48:40 2004
From: Jos Hörchner <horcy@textonly.demon.nl>
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Thu, 1 Jul 2004 21:47:41 +0200
Subject: Re: wrong security branch name?
meuaah! I think I got some work to do...

Thx for clearing that up =)

Jos