Date:      Thu, 02 Dec 1999 15:19:44 +0000
From:      Adam Laurie <adam@algroup.co.uk>
To:        Steve Reid <sreid@sea-to-sky.net>
Cc:        Sheldon Hearn <sheldonh@uunet.co.za>, Bill Swingle <unfurl@dub.net>, security@FreeBSD.ORG, Jordan Hubbard <jkh@FreeBSD.ORG>
Subject:   Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities]
Message-ID:  <38468E10.2E3B3338@algroup.co.uk>
References:  <19991201093242.A71817@dub.net> <64661.944125995@axl.noc.iafrica.com> <19991202032121.A7470@grok.localnet>

Steve Reid wrote:
> 
> On Thu, Dec 02, 1999 at 11:13:15AM +0200, Sheldon Hearn wrote:
> > query-pr: no PRs matched
> > Looks to me like this chap's full of hot air.  I'm not saying the
> > problems don't exist, but this guy doesn't seem to have done much to
> > contact us, eh?
> 
> It may be that he contacted the port maintainer and/or security-officer
> through email rather than using the PR system.
> 
> As long as we're on the subject I may as well relay my own experience...
> 
> Some time ago I found a root exploit in a third-party package installed
> via ports. I wasn't sure if it was freebsd-specific so I emailed the
> port maintainer and the people originally responsible for the software.

I can also say that I've not had a great response from the security team
on what I consider to be a serious issue... The only reason I also
haven't (yet) bugtraq'd it is because I haven't had time to bring a
machine up to date to see if the fix was committed without a solution
actually being agreed on the list...

My specific experience was that I found a hole in the default
rc.firewall rules. This hole means that UDP is totally unprotected
because of faulty rules for DNS and NTP. I posted a suggested fix to the
security-officer, and got an immediate reply saying "I agree 100%". The
security-officer is clearly also a list, because I then got another
reply from someone else, telling me how to configure my DNS. This
degenerated into a thread related to DNS server configuration and
entirely missing the point regarding ipfw. I then suggested moving it to
the wider forum of this list, and guess what...? The same thing
happened! The thread disappeared in a cloud of irrelevant discussion
about how to set up name servers. As I say, I'm currently unaware of the
status of rc.firewall, but when I get around to checking it, if it
hasn't been fixed, you'll be reading about yourselves on bugtraq again!
If it has been fixed, then excellent, well done, etc. etc. :)

For a bit of context and to save you trawling, here's the juicy bit:

> And for those that don't think this is a serious issue...
> 
> Get a copy of netcat. Make sure syslogd is running in default mode (i.e.
> without "-s" option) on the target "firewalled" server. Run the
> following command on a machine outside the firewall:
> 
>   nc -u -p 53 -n [firewalled-server-ip] 514
> 
> and type some text in. Now go and tail /var/log/messages on the target
> server, and you'll see the text that has just walked through your
> firewall. I leave it as an exercise for the reader to exploit an NFS
> mount in a similar fashion...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
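To make the effect of the rc.firewall problem discussed above concrete, here is an added example (not code from this thread or from FreeBSD): a small first-match rule evaluator in the spirit of ipfw, with a loose DNS/NTP profile beside a stateful replacement, fed the same source-port-53 datagram aimed at syslog. The loose rule wording, the host and outside addresses, and the simplified keep-state/check-state behaviour are assumptions.

```python
# Added example: a toy first-match rule evaluator in the spirit of ipfw.
# A rule is (action, src, sport, dst, dport, *options); "any" is a wildcard.
# keep-state records a flow; check-state admits that flow's reply direction.
OIP = "10.0.0.1"  # assumed outside address of the firewalled host

def _match(pattern, value):
    return pattern == "any" or pattern == value

def evaluate(rules, pkt, state):
    """pkt is (src, sport, dst, dport); returns 'allow' or 'deny'.
    state is the dynamic-rule table, a set shared across calls."""
    src, sport, dst, dport = pkt
    for rule in rules:
        if rule[0] == "check-state":
            # simplified: only the reverse direction of a recorded flow matches
            if (dst, dport, src, sport) in state:
                return "allow"
            continue
        action, rsrc, rsport, rdst, rdport, *opts = rule
        if (_match(rsrc, src) and _match(rsport, sport)
                and _match(rdst, dst) and _match(rdport, dport)):
            if "keep-state" in opts:
                state.add(pkt)
            return action
    return "deny"  # default-deny tail

# Loose profile (assumed to mirror the era's rc.firewall DNS/NTP rules):
# any UDP *from* port 53 or 123 is let in, whatever its destination port.
LOOSE = [
    ("allow", "any", 53, OIP, "any"),
    ("allow", OIP, "any", "any", 53),
    ("allow", "any", 123, OIP, "any"),
    ("allow", OIP, "any", "any", 123),
    ("deny", "any", "any", "any", "any"),
]

# Stateful replacement: only replies to queries the host itself sent get in.
STATEFUL = [
    ("check-state",),
    ("allow", OIP, "any", "any", 53, "keep-state"),
    ("allow", OIP, "any", "any", 123, "keep-state"),
    ("deny", "any", "any", "any", "any"),
]

# The thread's datagram: source port 53 aimed at syslog on 514 (outside host constructed)
SYSLOG_PROBE = ("192.0.2.9", 53, OIP, 514)

if __name__ == "__main__":
    print("loose   :", evaluate(LOOSE, SYSLOG_PROBE, set()))     # allow
    print("stateful:", evaluate(STATEFUL, SYSLOG_PROBE, set()))  # deny
```

The same loose profile admits any UDP with source port 123 to any port as well, which is the NFS variant the quoted text alludes to; the stateful profile still lets a genuine resolver exchange through because the outbound query records the flow first.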

