From owner-freebsd-security Mon Oct 30 13:36:12 1995
From: guido@gvr.win.tue.nl (Guido van Rooij)
To: freebsd-security@freebsd.org
Date: Mon, 30 Oct 1995 22:35:21 +0100 (MET)
Subject: rlogind patch revisited

There is this already old patch for rlogind:

revision 1.2
date: 1994/08/15 19:44:50;  author: guido;  state: Exp;  lines: +5 -0
Plug security hole that was already fixed in 1.1. It prevents user from
specifying their hostname when rlogin()-ing in (using rlogin -f-h)
Reviewed by:
Submitted by:
----------------------------

This is solved by doing a strstr on the username provided. This prevents
usernames like "this-one" from giving trouble. I think just checking the
first character for a "-" will be enough. (Even spaces or tabs won't have
to be skipped, as the username is fed directly as an argument in execl().)

What's your opinion?
-Guido

From owner-freebsd-security Wed Nov  1 08:43:45 1995
From: Guy Helmer
To: freebsd-security@freefall.FreeBSD.org
Date: Wed, 1 Nov 1995 10:43:39 -0600 (CST)
Subject: telnetd patch

Is there an "approved" (or at least "good enough") telnetd patch for
FreeBSD 2.0.5's telnetd?  If so, where can it be found?

Thanks,
Guy Helmer

Guy Helmer, Dakota State University Computing Services - ghelmer@alpha.dsu.edu

From owner-freebsd-security Thu Nov  2 03:46:17 1995
From: Peter Wemm
To: CVS-commiters@freefall.freebsd.org
cc: security@freebsd.org
Date: Thu, 2 Nov 1995 19:45:54 +0800 (WST)
Subject: Re: cvs commit: CVSROOT log_accum.pl

On Thu, 2 Nov 1995, Peter Wemm wrote:
> On Thu, 2 Nov 1995, Peter Wemm wrote:
> > swallace     95/11/02 01:30:23
>   ^^^^^^^^ aargh!! no!!!
> >
> >   Modified:    .        log_accum.pl
> >   Log:
> >   Take $ENV{'USER'} for the login name, as rshd, telnetd and rlogind all
> >   set it.  I'm still at a loss to explain why getlogin and `logname`
> >   (which make a supposedly secure system call) are returning somebody else's
> >   username when cvs (a non privileged process) is run on the end of a rsh.
> >   If I do: rsh freefall 'print getlogin' it always seems to work...
> >
> >   (If this doesn't work after this commit, I might commandeer Jeffrey Hsu's
> >   login.. :-)  This commit may say 'hsu' though.)
>
> I think I have an idea why this is happening..
>
> Check the output of:
> rsh localhost ps -O "sess,pid,tt,stat,time,command" | sort
>
> SESS    PID   TT  STAT     TIME COMMAND
> acc320  107   ??  Ss    0:01.18 inetd
> acc320  224   ??  I     0:00.97 telnetd
> acc320  226   ??  S     0:09.80 telnetd
> acc320  228   ??  I     0:10.37 telnetd
> acc320  230   ??  S     0:07.21 telnetd
> acc320  2319  ??  S     0:00.09 rshd
> acc320  2321  ??  S     0:00.14 csh -c ps -o sess,pid,tt,stat,time,command -a
> acc320  2322  ??  R     0:00.02 ps -o sess pid tt
>
> b7a040  231   p3  IWs   0:01.05 -tcsh (tcsh)
> b7a040  274   p3  S     0:04.44 -su (tcsh)
> b7a040  307   ??  S     0:32.66 /usr/local/sbin/gated
> b7a040  2317  p3  S+    0:00.12 rsh jhome ps -o sess,pid,tt,stat,time,command
> b7a040  2318  p3  S+    0:00.06 sort
> b7a040  2320  p3  S+    0:00.00 rsh jhome ps -o sess,pid,tt,stat,time,command
>
> b7a640  229   p2  Is    0:04.44 -tcsh (tcsh)
> b7a640  2248  p2  I+    0:00.17 cvs -z5 -d freefall:/home/ncvs commit log_accu
> b7a640  2249  p2  I+    0:00.11 rsh freefall cvs server
> b7a640  2250  p2  I+    0:00.02 rsh freefall cvs server
>
> Notice all the processes in the same session as inetd, including rshd and
> the executed command.  setlogin() within the kernel can only store one
> userid per session, and any new ones overwrite the old values.
>
> So, the chances are that the last person who used inetd (or some other
> server in inetd's group that's doing a setlogin()) is smashing all the
> login names in that group, and getting credit for the commits..
>
> I'm checking this on freefall now.. Hmmm!!!!
>
> SESS     PID    USER   TT COMMAND
> 10f09e0  114    root   ?? inetd
> 10f09e0  1083   ftp    ?? -door.lotus.com: anonymous/johng@pcrd.com: RETR bin/b
> 10f09e0  2655   root   ?? telnetd
> 10f09e0  2910   root   ?? telnetd
> 10f09e0  8755   root   ?? rlogind -D
> 10f09e0  11991  root   ?? telnetd
> 10f09e0  13963  root   ?? rlogind -D
> 10f09e0  17085  ftp    ?? -immanuel.tfs.com: anonymous/pascal@tfs.com: RETR All
> 10f09e0  17422  root   ?? rlogind -D
> 10f09e0  19057  root   ?? rlogind -D
> 10f09e0  21137  ftp    ?? -blues.physik.rwth-aachen.de: anonymous/kuku@: RETR a
> 10f09e0  21140  root   ?? telnetd
> 10f09e0  22437  root   ?? telnetd
> 10f09e0  23001  root   ?? telnetd
> 10f09e0  23245  ftp    ?? -133.68.164.100: anonymous/ftp: RETR manpages/manpage
> 10f09e0  24139  ftp    ?? -global.atm.ncu.edu.tw: anonymous/roylin@global.atm.n
> 10f09e0  24197  ftp    ?? /bin/ls -lgA -lRat
> 10f09e0  24683  ftp    ?? -158.250.238.2: anonymous/moury@qw: IDLE
> 10f09e0  24710  root   ?? sendmail: CAA24693 gvr.win.tue.nl.: client greeting (
> 10f09e0  24793  ftp    ?? -zm.karpaty.uzhgorod.ua: anonymous/eug@zm.karpaty.uzh
> 10f09e0  24826  root   ?? rlogind -D
> 10f09e0  24842  root   ?? rshd
> 10f09e0  24858  ftp    ?? (ls)
> 10f09e0  24859  peter  ?? tcsh -c ps -o sess,pid,user,tt,command -a -x
> 10f09e0  24860  peter  ?? ps -o sess pid user
> 10f09e0  27638  root   ?? rlogind -D
> 10f09e0  27982  ftp    ?? -mechv.me.tuns.ca: anonymous/root@: RETR 2.1.0-951026
> 10f09e0  28052  ftp    ?? /usr/bin/tar -c -z -f - 2.1.0-951026-SNAP
> 10f09e0  28053  ftp    ?? gzip
> 10f09e0  28054  ftp    ?? /usr/bin/tar -c -z -f - 2.1.0-951026-SNAP
> 10f09e0  28310  root   ?? xterm -fn koi9x15 -tn vt102 -T Freefall -n Freefall -
>
> HMMM!!!!
>
> -Peter

Well, that's definitely it.. It's a kernel bug.

I ran the following, and after the rsh while loop had started printing
"peter" over and over again, I did (as root): rsh jhome id.  That's when
the username of the peter rsh changed.
Script started on Thu Nov  2 19:20:01 1995
peter@jhome[7:20pm]~-101> rsh jhome id
uid=1000(peter) gid=1000(peter) groups=1000(peter), 0(wheel), 499(ncvs)
peter@jhome[7:20pm]~-102> cat ./gl
#! /bin/sh
while :
do
    logname
    sleep 2
done
peter@jhome[7:20pm]~-103> rsh jhome ./gl
peter
peter
peter
peter
peter
root
root
root
^C
peter@jhome[7:20pm]~-104>
Script done on Thu Nov  2 19:20:45 1995

The following patch fixes it for me by moving the setsid to a more
appropriate place, and making sure that each exec'ed process is in its own
session.

Index: inetd.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/inetd/inetd.c,v
retrieving revision 1.8
diff -c -r1.8 inetd.c
*** inetd.c     1995/10/30 14:03:00     1.8
--- inetd.c     1995/11/02 11:23:44
***************
*** 440,447 ****
          }
          sigsetmask(0L);
          if (pid == 0) {
-             if (debug && dofork)
-                 setsid();
              if (dofork) {
                  if (debug)
                      fprintf(stderr, "+ Closing from %d\n",
--- 440,445 ----
***************
*** 469,474 ****
--- 467,473 ----
                  recv(0, buf, sizeof (buf), 0);
                  _exit(1);
              }
+             setsid();
              if (pwd->pw_uid) {
                  if (setgid(pwd->pw_gid) < 0) {
                      syslog(LOG_ERR,

I'd also like to do a setlogin(se->se_user); two lines down from the
setsid() I added (ie: before setgid(), after the if). This will ensure
non-root processes will get a valid result to getlogin(), while root
processes will be free to set their own.  I think it's important to not set
root processes to "root", because if the root process is an old-style
authenticator that changes its uid to a user, we don't want to erroneously
have that new process going by the "root" name...

Also, of note is XFree86-3.1.2's xdm and gated from ports which do not
correctly detach from the parent session.  xdm is a worry, because it
changes the 'logname' of the parent session (maybe even init if started
from there).

Maybe the setlogin() call should only work for processes that are the
session leader rather than just "one of many in the session"?
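Review bot: the setsid() added in the second hunk, just before `if (pwd->pw_uid) {`, ignores its return value. In this branch the child has only just been forked and so cannot be a process-group leader, which means the call should succeed, but since the per-child session is the whole point of the change, a silent failure would put the service straight back into inetd's session, the state the ps listings above show; suggest `if (setsid() < 0) syslog(LOG_ERR, "setsid: %m");` followed by the same `_exit(1)` used for the getpwnam failure a few lines up. Note also that the first hunk removes the debug-only `if (debug && dofork) setsid();`, so a forked child that never reaches the getpwnam/setgid path no longer gets a setsid() in debug mode either; that is worth a sentence in the commit message.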
-Peter

From owner-freebsd-security Thu Nov  2 05:19:52 1995
From: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
To: CVS-commiters@freefall.freebsd.org, Peter Wemm
Cc: security@freebsd.org
Organization: Olahm Ha-Yetzirah
Date: Thu, 2 Nov 1995 16:10:14 +0300 (MSK)
Subject: Re: cvs commit: CVSROOT log_accum.pl

In message Peter Wemm writes:

>Maybe the setlogin() call should only work for processes that are the
>session leader rather than just "one of many in the session"?

It is definitely so, and a check for session leader must be added
to the setlogin syscall.
Even the manpage says that setlogin affects only the _current_ session.

Proposed fix:

*** kern_prot.c.bak     Thu Nov  2 16:05:11 1995
--- kern_prot.c Thu Nov  2 16:08:29 1995
***************
*** 623,628 ****
--- 623,630 ----
  {
      int error;

+     if (!SESS_LEADER(p))
+         return (EPERM);
      if ((error = suser(p->p_ucred, &p->p_acflag)))
          return (error);
      error = copyinstr((caddr_t) uap->namebuf,

--
Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
ache@astral.msk.su       : That any beholder          /Might fancy me dead -
http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe         From "For Annie" 1849

From owner-freebsd-security Thu Nov  2 05:56:09 1995
From: Peter Wemm
To: Андрей Чернов
cc: CVS-commiters@freefall.freebsd.org, security@freebsd.org
Date: Thu, 2 Nov 1995 21:54:51 +0800 (WST)
Subject: Re: cvs commit: CVSROOT log_accum.pl

On Thu, 2 Nov 1995, Андрей Чернов wrote:
> In message
> Peter Wemm writes:
>
> >Maybe the setlogin() call should only work for processes that are the
> >session leader rather than just "one of many in the session"?
>
> It is definitely so, and a check for session leader must be added
> to the setlogin syscall.
> Even the manpage says that setlogin affects only the _current_ session.
>
> Proposed fix:
>
> *** kern_prot.c.bak     Thu Nov  2 16:05:11 1995
> --- kern_prot.c Thu Nov  2 16:08:29 1995
> ***************
> *** 623,628 ****
> --- 623,630 ----
>   {
>       int error;
>
> +     if (!SESS_LEADER(p))
> +         return (EPERM);
>       if ((error = suser(p->p_ucred, &p->p_acflag)))
>           return (error);
>       error = copyinstr((caddr_t) uap->namebuf,

This is a pretty brutal fix.. :-)  I think we'd better check what's going
to break first before we do this.
inetd will need to be modified first and installed before the kernel is
patched or all hell could break loose.

    ps -ax -O sess | sort +1

will sort processes by session id.  This would be a good thing for everybody
to check to see if there's anything else out there in common use that's not
changing the session... (other than children of inetd.. :-)

-Peter

> --
> Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
> ache@astral.msk.su       : That any beholder          /Might fancy me dead -
> http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead.
> RELCOM Team,FreeBSD Team : E.A.Poe         From "For Annie" 1849
>

From owner-freebsd-security Fri Nov  3 03:00:06 1995
From: Christoph Kukulies
To: freebsd-security@freebsd.org
Date: Fri, 3 Nov 1995 11:59:31 +0100 (MET)
Subject: X Server Vulnerability and New Binaries (fwd)

Just FYI - Is FreeBSD affected by this, too?

--Chris
Christoph P. U. Kukulies
kuku@gil.physik.rwth-aachen.de
|
|Forwarded message:
|From owner-port-i386@netbsd.org Fri Nov  3 11:52:49 1995
|Date: Fri, 3 Nov 1995 09:21:18 +0100
|From: matthieu@laas.fr (Matthieu Herrb)
|Message-Id: <9511030821.AA27313@elwood.laas.fr>
|To: Curt Sampson
|Cc: port-i386@netbsd.org
|Subject: X Server Vulnerability and New Binaries
|
|You wrote (in your message from Thu 2)
| >
| > Is anyone building a new binary for X11R6 on NetBSD 1.0/i386 that
| > incorporates patch13, the fix for the X security vulnerability just
| > announced by CERT?  I really don't have the time and energy to do
| > this just now.
|
|I've done it. It should be on
|ftp.xfree86.org:/pub/XFree86/current/binaries/NetBSD/ and all its
|mirrors. The file is named X312Sxdm.tgz.
|
|BTW, MD5 (X312Sxdm.tgz) = 0bc74cbee0214366ac15658bf5436853
|
|
|        Matthieu
|

From owner-freebsd-security Fri Nov  3 05:17:05 1995
From: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
To: Peter Wemm
Cc: CVS-commiters@freefall.freebsd.org, security@freebsd.org
Organization: Olahm Ha-Yetzirah
Date: Fri, 3 Nov 1995 16:03:36 +0300 (MSK)
Subject: Re: cvs commit: CVSROOT log_accum.pl

In message Peter Wemm writes:

>On Thu, 2 Nov 1995, Андрей Чернов wrote:
>> In message
>> Peter Wemm writes:
>>
>> >Maybe the setlogin() call should only work for processes that are the
>> >session leader rather than just "one of many in the session"?
>>
>> It is definitely so, and a check for session leader must be added
>> to the setlogin syscall.
>> Even the manpage says that setlogin affects only the _current_ session.
>>
>> Proposed fix:
>>
>> *** kern_prot.c.bak     Thu Nov  2 16:05:11 1995
>> --- kern_prot.c Thu Nov  2 16:08:29 1995
>> ***************
>> *** 623,628 ****
>> --- 623,630 ----
>>   {
>>       int error;
>>
>> +     if (!SESS_LEADER(p))
>> +         return (EPERM);
>>       if ((error = suser(p->p_ucred, &p->p_acflag)))
>>           return (error);
>>       error = copyinstr((caddr_t) uap->namebuf,

>This is a pretty brutal fix.. :-)  I think we'd better check what's going
>to break first before we do this.  inetd will need to be modified first
>and installed before the kernel is patched or all hell could break loose.

Well, here is the list of programs which call setlogin:

    init
    rexecd
    rshd
    login

After your inetd fix, what else can be affected by my patch?
Setlogin isn't supposed to do group operations, i.e. mass login id changes,
and must affect only the current session. It must be applied in any case,
independently of what can be affected, according to the manpage (and common
sense too).  Moreover, once it is applied, it will be easy to find what is
affected and fix it.

--
Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
ache@astral.msk.su       : That any beholder          /Might fancy me dead -
http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe         From "For Annie" 1849
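Review bot: the new `if (!SESS_LEADER(p)) return (EPERM);` in the kern_prot.c hunk runs before the `suser()` check, so a root process that is not a session leader now fails where it used to succeed; that is the intended tightening, but it needs two things the hunk does not carry: an ERRORS entry in setlogin(2) for the new EPERM cause, and the ordering constraint the thread already identifies, namely landing the inetd setsid() change first so that rshd, rlogind and rexecd children are session leaders by the time they call setlogin(). Of the four callers listed above, init and login are session leaders on their own; the inetd-spawned ones are not until inetd is fixed.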
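As an added illustration (not code from this thread, from inetd or from the FreeBSD kernel), the following C program shows the property Peter's inetd patch establishes and the one Andrey's SESS_LEADER() check tests for: a child that calls setsid() after fork() becomes the leader of a fresh session, so getsid(0) == getpid(), which is the user-space counterpart of the kernel's SESS_LEADER(p); a child that skips setsid() remains one of many processes in the parent's session, which is the state of every inetd child in the ps listings above. It uses only fork, pipe, setsid and getsid, runs unprivileged on any POSIX system, and the names probe_child_session and child_has_own_session are mine.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototype so the example also builds under strict -std=cXX
 * where getsid() is otherwise hidden behind feature macros. */
pid_t getsid(pid_t);

/* What a forked child reports about its session (constructed for this example). */
struct session_report {
    pid_t child_pid;
    pid_t parent_sid;
    pid_t child_sid;
    int   child_is_leader;   /* getsid(0) == getpid(): user-space view of SESS_LEADER(p) */
};

/* Fork a child that optionally calls setsid(), exactly where the inetd patch
 * does (after fork(), before setgid()/setuid()/exec), then have it report its
 * session id and leader status back over a pipe.  Returns 0 on success, -1 on
 * failure. */
static int probe_child_session(int do_setsid, struct session_report *r)
{
    int fds[2];
    pid_t pid, sid;
    int leader, status;

    if (pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child.  A freshly forked process is never a process-group leader,
         * so setsid() cannot fail with EPERM here; the return value is still
         * checked, which is the point raised against the inetd hunk. */
        close(fds[0]);
        if (do_setsid && setsid() < 0)
            _exit(2);
        sid = getsid(0);
        leader = (sid == getpid());
        if (write(fds[1], &sid, sizeof sid) != (ssize_t)sizeof sid ||
            write(fds[1], &leader, sizeof leader) != (ssize_t)sizeof leader)
            _exit(3);
        _exit(0);
    }
    /* Parent: collect the report, then reap the child. */
    close(fds[1]);
    if (read(fds[0], &sid, sizeof sid) != (ssize_t)sizeof sid ||
        read(fds[0], &leader, sizeof leader) != (ssize_t)sizeof leader) {
        close(fds[0]);
        waitpid(pid, &status, 0);
        return -1;
    }
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    r->child_pid = pid;
    r->parent_sid = getsid(0);
    r->child_sid = sid;
    r->child_is_leader = leader;
    return 0;
}

/* 1 if the child ended up as leader of a session of its own (what the inetd
 * patch guarantees for every exec'ed service, and what the proposed kernel
 * check requires of a setlogin() caller), 0 if it is still in the parent's
 * session (the shared-session state behind the wrong login names), -1 on error. */
int child_has_own_session(int do_setsid)
{
    struct session_report r;

    if (probe_child_session(do_setsid, &r) < 0)
        return -1;
    return r.child_sid != r.parent_sid &&
           r.child_sid == r.child_pid &&
           r.child_is_leader;
}

int main(void)
{
    printf("child without setsid(): own session = %d\n", child_has_own_session(0));
    printf("child with    setsid(): own session = %d\n", child_has_own_session(1));
    return 0;
}
```

Run as an ordinary user; the first line prints 0 and the second 1. The same `getsid(0) == getpid()` test is what a daemon can apply to itself before calling setlogin(), and `ps -ax -O sess | sort +1`, as suggested above, is the system-wide version of the same check.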