From owner-freebsd-security Mon Feb 5 14:43:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA02317 for security-outgoing; Mon, 5 Feb 1996 14:43:41 -0800 (PST)
Received: from dolphin (dolphin-20.cs.adfa.oz.au [131.236.20.5]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA02310 for ; Mon, 5 Feb 1996 14:43:36 -0800 (PST)
Received: by dolphin (5.x/SMI-SVR4) id AA29826; Tue, 6 Feb 1996 09:43:23 +1100
From: wkt@csadfa.cs.adfa.oz.au (Warren Toomey)
Message-Id: <9602052243.AA29826@dolphin>
Subject: Some Kernel Security Patches
To: freebsd-security@freebsd.org
Date: Tue, 6 Feb 1996 09:43:22 +1100 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
Precedence: bulk

All,

I have some kernel patches for FreeBSD 2.1 to help improve network security. If you're interested, I'm presenting a paper about the stuff next week at a conference here in Australia. You can get the paper at http://minnie.cs.adfa.oz.au/Seminars/AUUG96/netpaper.html, and it has a hyperlink to the kernel patches (and a few other things).

If you have any questions, please email me, I'm not currently subscribed to the freebsd-security list.

Cheers,
Warren Toomey
wkt@cs.adfa.oz.au

From owner-freebsd-security Mon Feb 5 22:50:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA03471 for security-outgoing; Mon, 5 Feb 1996 22:50:23 -0800 (PST)
Received: from westhill.cdrom.com (westhill.cdrom.com [192.216.223.174]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id WAA03465 for ; Mon, 5 Feb 1996 22:50:21 -0800 (PST)
Received: from localhost.cdrom.com (localhost.cdrom.com [127.0.0.1]) by westhill.cdrom.com (8.6.12/8.6.12) with SMTP id WAA03142 ; Mon, 5 Feb 1996 22:49:53 -0800
X-Authentication-Warning: westhill.cdrom.com: Host localhost.cdrom.com didn't use HELO protocol
To: wkt@csadfa.cs.adfa.oz.au (Warren Toomey)
cc: freebsd-security@freebsd.org
From: Gary Palmer
Subject: Re: Some Kernel Security Patches
In-reply-to: Your message of "Tue, 06 Feb 1996 09:43:22 +1100." <9602052243.AA29826@dolphin>
Date: Mon, 05 Feb 1996 22:49:53 -0800
Message-ID: <3140.823589393@westhill.cdrom.com>
Sender: owner-security@freebsd.org
Precedence: bulk

Warren Toomey wrote in message ID <9602052243.AA29826@dolphin>:
> I have some kernel patches for FreeBSD 2.1 to help improve
> network security. If you're interested, I'm presenting a paper about the
> stuff next week at a conference here in Australia. You can get the paper
> at http://minnie.cs.adfa.oz.au/Seminars/AUUG96/netpaper.html, and it has a
> hyperlink to the kernel patches (and a few other things).

Hi

I tried out your patches in one of our machines and ran into an interesting problem. The kernel starts out the boot process with nothing bound, and (if it's a busy server) can get hit A LOT before any services (such as named) can be loaded. Anyone know any way around this?

I was thinking of trying to create a sysctl variable which would enable the logging, and you could stick that in /etc/rc.local (which is after all the servers are started), but I don't want to hack sysconfig much :-(

Any other ideas?

Gary

From owner-freebsd-security Mon Feb 5 22:59:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA03665 for security-outgoing; Mon, 5 Feb 1996 22:59:44 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id WAA03660 Mon, 5 Feb 1996 22:59:41 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by rover.village.org (8.6.11/8.6.6) with SMTP id XAA02048; Mon, 5 Feb 1996 23:59:34 -0700
Message-Id: <199602060659.XAA02048@rover.village.org>
To: Michael Dillon
Subject: Re: Is this security hole being fixed??
Cc: freebsd-hackers@FreeBSD.org, freebsd-security@FreeBSD.org
In-reply-to: Your message of Mon, 05 Feb 1996 22:46:57 PST
Date: Mon, 05 Feb 1996 23:59:33 -0700
From: Warner Losh
Sender: owner-security@FreeBSD.org
Precedence: bulk

: Some of the other things are very questionable. I can break a standard
: Sun Solaris 2 machine in about 2 minutes from a shell prompt and about 10
: otherwise unless the user is applying patchkits very fast. Currently I can
: break almost any BSD derived system because of a bug CERT haven't yet
: even published.

This would be the "you can bind to a specific port that has a IN_ADDR_ANY binding already" bug? That is a "feature" of the OS that is designed to override generic daemons with specific ones. To make this change would be to change the way that sockets work. Not that this is a bad thing, but everyone should know this is a design change.

The other way to fix it is to have your daemons that run as root bind to all the interfaces, like newer named daemons do. You *ESPECIALLY* want to do this for all daemons that run on ports > 1023, since you don't have to be root to bind to those sockets. In the case of NFS it is rather, well, a large gaping hole for reasons that should be obvious to most people...

Or is this some other problem?

Warner

P.S. Is freebsd-security still active? Should this go there?

From owner-freebsd-security Tue Feb 6 00:13:31 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA07253 for security-outgoing; Tue, 6 Feb 1996 00:13:31 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id AAA07248 Tue, 6 Feb 1996 00:13:25 -0800 (PST)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id SAA02468; Tue, 6 Feb 1996 18:39:27 +1030
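The two bind patterns Warner contrasts, as an added example written for this archive (it is not code from the thread or from FreeBSD): `bind_wildcard` is the INADDR_ANY daemon, `bind_explicit` is the per-interface binding he recommends, and `try_shadow` is an unprivileged local user's attempt to take the specific address on a port the daemon already serves. On the 2.1-era kernel the wildcard case is the one the user wins; current kernels generally refuse it with EADDRINUSE unless both sockets opt in with SO_REUSEADDR, so the code reports that result instead of relying on it. The explicit case is refused everywhere, which is the property a daemon on a port above 1023 wants. The address list is an assumption; a real daemon would enumerate its interfaces.

```python
import errno
import socket

# Addresses this host is configured with. Constructed for the example; a real
# daemon would enumerate its interfaces (getifaddrs(3) or ifconfig) at start-up.
LOCAL_ADDRESSES = ["127.0.0.1"]


def bind_wildcard(port=0):
    """The usual daemon pattern: one socket on INADDR_ANY. On the BSD kernels
    of the time, a later bind() of a specific local address with the same port
    was permitted and took precedence for traffic to that address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    return s


def bind_explicit(addresses, port=0):
    """The mitigation from the message above: one listening socket per
    configured address, so every (address, port) pair is already occupied and
    nothing is left for an unprivileged local user to claim. Returns the
    sockets and the port they share (chosen by the first bind when port is 0)."""
    socks = []
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((addr, port))
        s.listen(5)
        if port == 0:
            port = s.getsockname()[1]
        socks.append(s)
    return socks, port


def try_shadow(addr, port):
    """What a local user would try: bind the specific address of a port that a
    daemon already serves. True if the kernel allowed it. EADDRINUSE is the
    refusal we want; any other error is unexpected and is re-raised."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return True
    except OSError as e:
        if e.errno != errno.EADDRINUSE:
            raise
        return False
    finally:
        s.close()


def demo():
    """Run both patterns against a shadow attempt.
    Returns (wildcard_shadowed, explicit_shadowed)."""
    w = bind_wildcard()
    wildcard_shadowed = try_shadow("127.0.0.1", w.getsockname()[1])
    w.close()

    socks, port = bind_explicit(LOCAL_ADDRESSES)
    explicit_shadowed = try_shadow("127.0.0.1", port)
    for s in socks:
        s.close()
    return wildcard_shadowed, explicit_shadowed


if __name__ == "__main__":
    wild, explicit = demo()
    print("specific bind over INADDR_ANY allowed:", wild)
    print("specific bind over explicit bind allowed:", explicit)
```

The explicit form costs one descriptor per address and a re-bind when an interface is added, which is why daemons of the time preferred INADDR_ANY; the bind-on-every-address pattern Warner attributes to newer named is exactly what `bind_explicit` does.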
From: Michael Smith
Message-Id: <199602060809.SAA02468@genesis.atrad.adelaide.edu.au>
Subject: Re: Is this security hole being fixed??
To: michael@memra.com (Michael Dillon)
Date: Tue, 6 Feb 1996 18:39:27 +1030 (CST)
Cc: freebsd-hackers@FreeBSD.org, security@FreeBSD.org
In-Reply-To: from "Michael Dillon" at Feb 5, 96 10:46:57 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
Precedence: bulk

Michael Dillon stands accused of saying:
> From: Alan Cox
> To: Multiple recipients of list BIG-LINUX
> Subject: Linux as a production system
>
> [ irrelevant details deleted ]
>
> Some of the other things are very questionable. I can break a standard
> Sun Solaris 2 machine in about 2 minutes from a shell prompt and about 10
> otherwise unless the user is applying patchkits very fast. Currently I can
> break almost any BSD derived system because of a bug CERT haven't yet
> even published.

Alan's good at this sort of bragging, in my (limited) experience. Unless he's willing to expose his techniques to scrutiny, I'm happy to scoff.

--
]] Mike Smith, Software Engineer          msmith@atrad.adelaide.edu.au  [[
]] Genesis Software                       genesis@atrad.adelaide.edu.au [[
]] High-speed data acquisition and        (GSM mobile) 0411-222-496     [[
]] realtime instrument control            (ph/fax) +61-8-267-3039       [[
]] "wherever you go, there you are" - Buckaroo Banzai                   [[

From owner-freebsd-security Wed Feb 7 03:13:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id DAA20250 for security-outgoing; Wed, 7 Feb 1996 03:13:11 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id DAA20242 for ; Wed, 7 Feb 1996 03:13:04 -0800 (PST)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id VAA10492 for security@freebsd.org; Wed, 7 Feb 1996 21:40:25 +1030
From: Michael Smith
Message-Id: <199602071110.VAA10492@genesis.atrad.adelaide.edu.au>
Subject: SS_PRIV, SIOCSIFADDR and rshd
To: security@freebsd.org
Date: Wed, 7 Feb 1996 21:40:25 +1030 (CST)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

Something that's come out of a recent edification :

Alan Cox stands accused of saying:
> > You may need to be a little more specific here; I see
> >
> > kern/uipc_socket.c so_create():
> >         if (p->p_ucred->cr_uid == 0)
> >                 so->so_state = SS_PRIV;
>
> If root a socket has SS_PRIV set allowing you to do SIOCSIFADDR etc.
>
> Now follow say in.rshd when it's told to run not over a tty/pty pair. This
> socket (created by root SS_PRIV) gets passed to a user process as fd 0.
> Now what do you think happens when you do SIOCSIFADDR ioctls on fd 0 of
> a program run that way via rsh. Processes created by inetd should also
> be able to exploit this.

Anyone in a position to comment on this? I can't see anything obvious that resets SS_PRIV (or any of the socket state attributes) on either exec or set*id...
--
]] Mike Smith, Software Engineer          msmith@atrad.adelaide.edu.au  [[
]] Genesis Software                       genesis@atrad.adelaide.edu.au [[
]] High-speed data acquisition and        (GSM mobile) 0411-222-496     [[
]] realtime instrument control            (ph/fax) +61-8-267-3039       [[
]] "wherever you go, there you are" - Buckaroo Banzai                   [[

From owner-freebsd-security Wed Feb 7 06:30:24 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA01827 for security-outgoing; Wed, 7 Feb 1996 06:30:24 -0800 (PST)
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id GAA01822 for ; Wed, 7 Feb 1996 06:30:22 -0800 (PST)
Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by who.cdrom.com (8.6.12/8.6.11) with ESMTP id GAA00474 for ; Wed, 7 Feb 1996 06:29:36 -0800
Received: from gundula.cs.tu-berlin.de (wosch@gundula.cs.tu-berlin.de [130.149.17.46]) by mail.cs.tu-berlin.de (8.6.12/8.6.12) with ESMTP id PAA19852 for ; Wed, 7 Feb 1996 15:03:28 +0100
From: Wolfram Schneider
Received: (wosch@localhost) by gundula.cs.tu-berlin.de (8.6.12/8.6.12) id PAA15972; Wed, 7 Feb 1996 15:03:24 +0100
Date: Wed, 7 Feb 1996 15:03:24 +0100
Message-Id: <199602071403.PAA15972@gundula.cs.tu-berlin.de>
To: security@freebsd.org
Subject: chown(2) patch
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Conversion: prohibited
Sender: owner-security@freebsd.org
Precedence: bulk

from bug reports

[1995/08/13] kern/679 chown(2) ignores set-user-id and set-group-id bits for user root

--- 1.1 1995/09/05 22:12:59
+++ ufs_vnops.c 1996/02/04 22:43:42
@@ -546,10 +546,24 @@ #endif /* QUOTA */ if (ouid != uid || ogid != gid) ip->i_flag |= IN_CHANGE; + +#ifdef COMPAT_CHOWN + /* clear suid/sgid flag for non-root files */ if (ouid != uid && cred->cr_uid != 0) ip->i_mode &= ~ISUID; if (ogid != gid && cred->cr_uid != 0) ip->i_mode &= ~ISGID; +#else + /* + * always clear suid/sgid flags, + * also for root like manpage claims + */ + + if (ouid != uid) + ip->i_mode &= ~ISUID; + if (ogid != gid) + ip->i_mode &= ~ISGID; +#endif /* !COMPAT_COMPAT */ return (0); }

From owner-freebsd-security Wed Feb 7 07:44:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA07729 for security-outgoing; Wed, 7 Feb 1996 07:44:56 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id HAA07724 for ; Wed, 7 Feb 1996 07:44:53 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA19509; Wed, 7 Feb 1996 10:44:17 -0500
Date: Wed, 7 Feb 1996 10:44:17 -0500
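Review bot: the #else branch of this hunk silently strips the set-id bits from any file root re-owns, which makes every install path that does chmod before chown order-dependent: a root process that creates a file, sets mode 4755 and then chowns it to root now ends up with 0755 and no error, so install(1), tar/restore and package scripts need checking for that ordering before this goes in, or the old behaviour should stay reachable at run time rather than only through the COMPAT_CHOWN build option. Two smaller points in the same hunk: `#endif /* !COMPAT_COMPAT */` does not name the `COMPAT_CHOWN` it closes, and `/* clear suid/sgid flag for non-root files */` talks about the file's owner when the test `cred->cr_uid != 0` is on the caller, so "for non-root callers" would be the accurate comment.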
From: "Garrett A. Wollman"
Message-Id: <9602071544.AA19509@halloran-eldar.lcs.mit.edu>
To: Michael Smith
Cc: security@freebsd.org
Subject: SS_PRIV, SIOCSIFADDR and rshd
In-Reply-To: <199602071110.VAA10492@genesis.atrad.adelaide.edu.au>
References: <199602071110.VAA10492@genesis.atrad.adelaide.edu.au>
Sender: owner-security@freebsd.org
Precedence: bulk

< said:
> Anyone in a position to comment on this? I can't see anything obvious that
> resets SS_PRIV (or any of the socket state attributes) on either exec or
> set*id...

Not a problem for the case of rshd. Our rshd always uses pipes to talk to the inferior process.

It's worth thinking about; I'll cons up a new setsockopt today to fix the problem in the general case (at least for inetd).

-GAWollman

--
Garrett A. Wollman    | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu   | Shashish is the bonding of hearts in spite of distance.
Opinions not those of | It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA | who like Shashish. - Claude McKenzie + Florent Vollant

From owner-freebsd-security Wed Feb 7 17:50:31 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA21831 for security-outgoing; Wed, 7 Feb 1996 17:50:31 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA21797 for ; Wed, 7 Feb 1996 17:50:12 -0800 (PST)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id MAA13788; Thu, 8 Feb 1996 12:17:53 +1030
From: Michael Smith
Message-Id: <199602080147.MAA13788@genesis.atrad.adelaide.edu.au>
Subject: Re: SS_PRIV, SIOCSIFADDR and rshd
To: wollman@lcs.mit.edu (Garrett A. Wollman)
Date: Thu, 8 Feb 1996 12:17:53 +1030 (CST)
Cc: msmith@atrad.adelaide.edu.au, security@freebsd.org
In-Reply-To: <9602071544.AA19509@halloran-eldar.lcs.mit.edu> from "Garrett A. Wollman" at Feb 7, 96 10:44:17 am
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

Garrett A. Wollman stands accused of saying:
>
> > Anyone in a position to comment on this? I can't see anything obvious that
> > resets SS_PRIV (or any of the socket state attributes) on either exec or
> > set*id...
>
> Not a problem for the case of rshd. Our rshd always uses pipes to
> talk to the inferior process.
>
> It's worth thinking about; I'll cons up a new setsockopt today to fix
> the problem in the general case (at least for inetd).

Hmm. There's no user struct visible at that level, so I guess it's not likely to be easy to check for uid == 0.

> -GAWollman

--
]] Mike Smith, Software Engineer          msmith@atrad.adelaide.edu.au  [[
]] Genesis Software                       genesis@atrad.adelaide.edu.au [[
]] High-speed data acquisition and        (GSM mobile) 0411-222-496     [[
]] realtime instrument control            (ph/fax) +61-8-267-3039       [[
]] "wherever you go, there you are" - Buckaroo Banzai                   [[

From owner-freebsd-security Fri Feb 9 22:25:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA21081 for security-outgoing; Fri, 9 Feb 1996 22:25:14 -0800 (PST)
Received: from zip.io.org (root@zip.io.org [198.133.36.80]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id WAA21076 for ; Fri, 9 Feb 1996 22:25:11 -0800 (PST)
Received: (from taob@localhost) by zip.io.org (8.6.12/8.6.12) id BAA08558; Sat, 10 Feb 1996 01:24:44 -0500
Date: Sat, 10 Feb 1996 01:24:44 -0500 (EST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: User creating root-owned directories?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

I was sent this message from one of our support staff. Any ideas how this user could have created the root directory? It looks like a sendmail hole, or an instance of exploiting a buffer that is then passed through a shell interpreter (note the "ls ; !" portion of the name).

We are running a mixed BSD/OS, FreeBSD and NetBSD environment. The mail server is a BSD/OS 2.0 machine running sendmail 8.6.12, shell servers are FreeBSD 2.1 and the NFS server is NetBSD 1.1. User home directories are accessible on any of the above machines.

In general, how does one go about tracking down this kind of problem? SementE is the nickname of a known hacker, and it really bugs me when some snot-nosed kid finds security holes I don't. :-/ ;-)
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"

---------- Forwarded message ----------
Date: Sat, 10 Feb 1996 00:20:32 -0500 (EST)
From: Mark Salerno
To: Brian Tao
Subject: Someone hacked root it seems.

This may be a false alarm, but..

this evening (friday) I received a message from a user online, who wanted me to notify you that someone had hacked root. Although I didn't believe him at first, here's the proof he gave. I entered into his directory and did an 'ls -lr'

    total 164
    -rw-r--r--  1 cfloyd  user     20 Jun 26  1995
    -rw-r--r--  1 cfloyd  user  82498 Aug 14 21:34 phoenix.irc
    -rw-------  1 cfloyd  user  14893 Aug 14 21:31 phoenix.hlp
    drwx------  2 cfloyd  user    512 Aug 30  1994 mail
    -rw-------  1 cfloyd  user  27815 Aug 14 17:40 extras.irc
    -rw-r--r--  1 cfloyd  user  35007 Dec 31 19:48 eggdox.doh
    drwxr-xr-x  2 root    user    512 Feb  9 00:11 SementE wuz herels ; !
    drwx------  4 cfloyd  user    512 Feb  3  1995 News
    drwx------  2 cfloyd  user    512 Feb  8 00:49 Mail

look at the SementE file. owned by root. inside his dir. Not sure exactly what this means. Looks like someone has root. thought I should let you know. If I'm just causing a false alarm, someone please splash me with a bottle of snapple ;)

-MS

--- MSofty: Mark Salerno - mjs@io.org, msofty@io.org
-- Internex Online Support Staff
- 20 Bay St., Suite 1625. Toronto, Ontario. M5J 2N8

From owner-freebsd-security Sat Feb 10 00:09:33 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA26582 for security-outgoing; Sat, 10 Feb 1996 00:09:33 -0800 (PST)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id AAA26576 for ; Sat, 10 Feb 1996 00:09:30 -0800 (PST)
Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.3/8.7.3) with SMTP id AAA02008; Sat, 10 Feb 1996 00:08:20 -0800 (PST)
Message-Id: <199602100808.AAA02008@precipice.shockwave.com>
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: User creating root-owned directories?
In-reply-to: Your message of "Sat, 10 Feb 1996 01:24:44 EST."
Date: Sat, 10 Feb 1996 00:08:19 -0800
From: Paul Traina
Sender: owner-security@freebsd.org
Precedence: bulk

errr... did your sysadmin have root when he did ls -l in that user's directory?

if so, did he have . in his path?

You possibly could have been had by someone who had a ls executable which, when run as root, deleted itself, created the directory, AND created a setuid program somewhere.

In any case, I'd upgrade to sendmail 8.7.x (x=current) and freebsd 2.1 -stable just to be sure you've got all the security patches. 8.6.12 does have bugs in it which could allow a user to gain root.

> Date: Sat, 10 Feb 1996 01:24:44 -0500 (EST)
> From: Brian Tao
> To: FREEBSD-SECURITY-L
> Subject: User creating root-owned directories?
> Precedence: bulk
>
> I was sent this message from one of our support staff. Any ideas
> how this user could have created the root directory? It looks like a
> sendmail hole, or an instance of exploiting a buffer that is then
> passed through a shell interpreter (note the "ls ; !" portion of the
> name).
>
> We are running a mixed BSD/OS, FreeBSD and NetBSD environment.
> The mail server is a BSD/OS 2.0 machine running sendmail 8.6.12, shell
> servers are FreeBSD 2.1 and the NFS server is NetBSD 1.1. User home
> directories are accessible on any of the above machines.
>
> In general, how does one go about tracking down this kind of
> problem? SementE is the nickname of a known hacker, and it really
> bugs me when some snot-nosed kid finds security holes I don't. :-/ ;-)
> --
> Brian Tao (BT300, taob@io.org)
> Systems Administrator, Internex Online Inc.
> "Though this be madness, yet there is method in't"
>
> ---------- Forwarded message ----------
> Date: Sat, 10 Feb 1996 00:20:32 -0500 (EST)
> From: Mark Salerno
> To: Brian Tao
> Subject: Someone hacked root it seems.
>
> This may be a false alarm, but..
>
> this evening (friday) I received a message from a user online, who wanted
> me to notify you that someone had hacked root. Although I didn't believe
> him at first, here's the proof he gave. I entered into his directory and
> did an 'ls -lr'
>
> total 164
> -rw-r--r--  1 cfloyd  user     20 Jun 26  1995
> -rw-r--r--  1 cfloyd  user  82498 Aug 14 21:34 phoenix.irc
> -rw-------  1 cfloyd  user  14893 Aug 14 21:31 phoenix.hlp
> drwx------  2 cfloyd  user    512 Aug 30  1994 mail
> -rw-------  1 cfloyd  user  27815 Aug 14 17:40 extras.irc
> -rw-r--r--  1 cfloyd  user  35007 Dec 31 19:48 eggdox.doh
> drwxr-xr-x  2 root    user    512 Feb  9 00:11 SementE wuz herels ; !
> drwx------  4 cfloyd  user    512 Feb  3  1995 News
> drwx------  2 cfloyd  user    512 Feb  8 00:49 Mail
>
> look at the SementE file. owned by root. inside his dir.
> Not sure exactly what this means. Looks like someone has root. thought I
> should let you know. If I'm just causing a false alarm, someone please
> splash me with a bottle of snapple ;)
>
> -MS
>
> --- MSofty: Mark Salerno - mjs@io.org, msofty@io.org
> -- Internex Online Support Staff
> - 20 Bay St., Suite 1625. Toronto, Ontario. M5J 2N8
>

From owner-freebsd-security Sat Feb 10 08:07:10 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA28718 for security-outgoing; Sat, 10 Feb 1996 08:07:10 -0800 (PST)
Received: from bbs.mpcs.com (root@bbs.mpcs.com [204.215.226.2]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id IAA28711 for ; Sat, 10 Feb 1996 08:07:04 -0800 (PST)
Received: from penny.n2wx.ampr.org (root@penny.n2wx.mpcs.com [204.215.226.90]) by bbs.mpcs.com (8.7.3/8.7.3/MPCS) with ESMTP id LAA22182 for ; Sat, 10 Feb 1996 11:07:02 -0500
Received: (from root@localhost) by penny.n2wx.ampr.org (8.7.3/8.6.12/n2wx) id LAA00868 for freebsd-security@FreeBSD.org; Sat, 10 Feb 1996 11:06:59 -0500
Received: (from hg@localhost) by penny.n2wx.ampr.org (8.7.3/8.7.3/n2wx) id LAA00862; Sat, 10 Feb 1996 11:06:44 -0500
Date: Sat, 10 Feb 1996 11:06:43 -0500 (EST)
From: Howard Goldstein
cc: FREEBSD-SECURITY-L
Subject: Re: User creating root-owned directories?
In-Reply-To: <199602100808.AAA02008@precipice.shockwave.com>
Message-ID:
Organization: disorganization
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
Precedence: bulk

On Sat, 10 Feb 1996, Paul Traina wrote:
> In any case, I'd upgrade to sendmail 8.7.x (x=current) and freebsd 2.1
> -stable just to be sure you've got all the security patches. 8.6.12 does
> have bugs in it which could allow a user to gain root.

I'd also suggest use of the 'smrsh' restricted shell on sendmail-invoked processes to help keep security on sendmail up to snuff as future holes are discovered (see smrsh subdir in the sendmail distrib).

--
Howard Goldstein   http://www.tapr.org/~n2wx/   mail/newsadmin @mpcs.com

From owner-freebsd-security Sat Feb 10 08:37:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA29902 for security-outgoing; Sat, 10 Feb 1996 08:37:00 -0800 (PST)
Received: from zip.io.org (root@zip.io.org [198.133.36.80]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA29891 for ; Sat, 10 Feb 1996 08:36:57 -0800 (PST)
Received: (from taob@localhost) by zip.io.org (8.6.12/8.6.12) id LAA16641; Sat, 10 Feb 1996 11:36:18 -0500
Date: Sat, 10 Feb 1996 11:36:15 -0500 (EST)
From: Brian Tao
To: Paul Traina
cc: FREEBSD-SECURITY-L
Subject: Re: User creating root-owned directories?
In-Reply-To: <199602100808.AAA02008@precipice.shockwave.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Sat, 10 Feb 1996, Paul Traina wrote:
>
> errr... did your sysadmin have root when he did ls -l in that user's
> directory?
>
> if so, did he have . in his path?

The sysadmin would be me ;-), and the root account does not include . anywhere in the path. The three others with root access were not involved with this.

> You possibly could have been had by someone who had a ls executable
> which, when run as root, deleted itself, created the directory, AND
> created a setuid program somewhere.

I'll perform a more detailed scan for setuid and setgid programs today then. A lot of our users run setuid CGI scripts (PHP tools, a Web page logging package)... the hacker may have named a setuid program after one of the PHP scripts to hide it from scrutiny. Probably a good time to compare MD5 signatures on the system binaries too... *sigh*.

> In any case, I'd upgrade to sendmail 8.7.x (x=current) and freebsd 2.1
> -stable just to be sure you've got all the security patches. 8.6.12 does
> have bugs in it which could allow a user to gain root.

Being sendmail and all, 8.7.x probably does too. ;-) It'll take a little bit of work to do that, since our current mail server is on BSD/OS 2.0, and also handles several other functions.

Thanks, Paul.
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
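The scan Brian says he will run, as an added example written for this archive (not code from the thread): find set-uid and set-gid files, record mode, owner and digest of every regular file in a tree so it can be compared against that baseline later, and flag names that contain shell metacharacters, like the directory in the listing above. The tree it builds in `demo` is constructed, the CGI path and the appended "backdoor" are illustrative, and SHA-256 stands in for the MD5 the thread mentions.

```python
import hashlib
import os
import stat
import tempfile

# Characters a shell interprets and that have no business in a name under a
# user's home; the directory in the listing above ends in "; !".
SHELL_CHARS = set(";|&`$!<>\n")


def file_digest(path, algo="sha256"):
    """Hash a file in chunks. The thread proposes MD5, which was fine in 1996;
    a new baseline should use SHA-256, since MD5 collisions are now practical."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root without following symlinks. Returns two lists: set-uid or
    set-gid regular files as (path, mode), and paths whose names contain
    shell metacharacters."""
    setid, odd_names = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if SHELL_CHARS & set(name):
                odd_names.append(path)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                setid.append((path, stat.S_IMODE(st.st_mode)))
    return setid, odd_names


def build_baseline(root):
    """Record (mode, uid, digest) for every regular file, keyed by path relative
    to root. Keep the result off the box: a baseline the intruder can edit is
    no baseline."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(path, root)
                baseline[rel] = (stat.S_IMODE(st.st_mode), st.st_uid, file_digest(path))
    return baseline


def compare_baseline(root, baseline):
    """Return (added, removed, changed) relative paths. 'changed' covers content,
    mode or owner, so a binary that was merely made set-uid shows up too."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return added, removed, changed


def demo():
    """Constructed tree: a set-uid CGI wrapper and a directory named like the
    one in the listing. Baseline it, tamper with the wrapper, re-scan."""
    root = tempfile.mkdtemp(prefix="triage-")
    os.mkdir(os.path.join(root, "cgi-bin"))
    tool = os.path.join(root, "cgi-bin", "php.cgi")
    with open(tool, "wb") as fh:
        fh.write(b"#!/bin/sh\nexec /usr/local/bin/php \"$@\"\n")
    os.chmod(tool, 0o4755)
    os.mkdir(os.path.join(root, "SementE wuz herels ; !"))

    setid, odd_names = scan_tree(root)
    baseline = build_baseline(root)
    with open(tool, "ab") as fh:  # simulated backdoor appended after the baseline
        fh.write(b"cp /bin/sh /tmp/.sh; chmod 4755 /tmp/.sh\n")
    added, removed, changed = compare_baseline(root, baseline)

    def rel(p):
        return os.path.relpath(p, root)

    return {"setid": [rel(p) for p, _ in setid], "odd_names": [rel(p) for p in odd_names],
            "added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `scan_tree` over the home directories and `build_baseline` over /bin, /sbin, /usr/bin, /usr/sbin and /usr/libexec while the system is believed clean; the comparison is only meaningful against a baseline taken before the incident, or against a pristine install of the same release.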
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sat Feb 10 09:48:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA02365 for security-outgoing; Sat, 10 Feb 1996 09:48:43 -0800 (PST)
Received: from anna.az.com (anna.az.com [204.57.139.9]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id JAA02360 for ; Sat, 10 Feb 1996 09:48:36 -0800 (PST)
Received: (from yankee@localhost) by anna.az.com (8.6.12/8.6.12) id JAA27397; Sat, 10 Feb 1996 09:49:11 -0800
Date: Sat, 10 Feb 1996 09:49:10 -0800 (PST)
From: "az.com"
To: freebsd-security@FreeBSD.org
Subject: Need help building jails
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
Precedence: bulk

2 questions:

1. Haven't been able to build a jail yet with chroot! Haven't been able to get chroot to work, any ideas?

Want to do a chroot immediately upon login for certain accounts and make twilight zone versions of /usr/home,/usr/bin,/usr/sbin,/bin,/sbin,/usr/local/bin in a directory called /usr/jail

chroot just gives an error when I try to use it from /etc/passwd, or .login, or at the csh:

    chroot: jail: Operation not permitted.

I've tried endless permutations of permissions and configurations, nothing seems to work. If I'm super user, chroot works.

Wanted to put a chroot in the best location, presumably not .login or .cshrc, but instead right in the /etc/passwd file as what to execute at login.

2. Can I find code for FreeBSD to do exactly the same thing as chroot with ftpd?

3. Can I find code for FreeBSD to do exactly the same thing as chroot with httpd?

Thank You!

From owner-freebsd-security Sat Feb 10 10:32:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA03884 for security-outgoing; Sat, 10 Feb 1996 10:32:48 -0800 (PST)
Received: from anna.az.com (anna.az.com [204.57.139.9]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id KAA03875 for ; Sat, 10 Feb 1996 10:32:44 -0800 (PST)
Received: (from yankee@localhost) by anna.az.com (8.6.12/8.6.12) id KAA28519; Sat, 10 Feb 1996 10:33:25 -0800
Date: Sat, 10 Feb 1996 10:33:24 -0800 (PST)
From: "az.com"
To: freebsd-security@FreeBSD.org
Subject: Want OS patch to restrict root processes to local
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
Precedence: bulk

Where would I go in the source code or has someone already created the following:

For all network and dialin parented processes, i.e., hackers coming from internet or dial-in using a legitimate user's password to get a shell:

Prevents any process which gained root access via hacking from getting real root privilege even though it appears they attained it. (kernel does nothing) this would prevent setuid or even if someone actually used the root passwd via su

I have no need, except in special circumstances (hence the toggle switch), to allow any process originating from a dialin or network port to ever execute as root.

To make the whole thing fly would require the inclusion of a short registry file containing /pathname/programname(s) exempt from this restriction. This would allow common users to execute setuid programs like /usr/bin/passwd. Otherwise, the kernel would not return an error to the user, but never actually execute as root. It would also immediately generate a log.

This would completely automate the detection of new holes the first time they are ever tried. Instead of only searching for and analyzing for security holes - let the holes exist, and when they are found autodiscover them and plug them at the moment of intrusion.
From owner-freebsd-security Sat Feb 10 10:42:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA04286 for security-outgoing; Sat, 10 Feb 1996 10:42:17 -0800 (PST)
Received: from anna.az.com (anna.az.com [204.57.139.9]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id KAA04279 for ; Sat, 10 Feb 1996 10:42:14 -0800 (PST)
Received: (from yankee@localhost) by anna.az.com (8.6.12/8.6.12) id KAA28832; Sat, 10 Feb 1996 10:42:54 -0800
Date: Sat, 10 Feb 1996 10:42:54 -0800 (PST)
From: "az.com"
To: freebsd-security@freebsd.org
Subject: Need help building jails (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

2 questions:

1. Haven't been able to build a jail yet with chroot! Haven't been able to get chroot to work, any ideas?

Want to do a chroot immediately upon login for certain accounts and make twilight zone versions of /usr/home,/usr/bin,/usr/sbin,/bin,/sbin,/usr/local/bin in a directory called /usr/jail

chroot just gives an error when I try to use it from /etc/passwd, or .login, or at the csh:

    chroot: jail: Operation not permitted.

I've tried endless permutations of permissions and configurations, nothing seems to work. If I'm super user, chroot works.

Wanted to put a chroot in the best location, presumably not .login or .cshrc, but instead right in the /etc/passwd file as what to execute at login.

2. Can I find code for FreeBSD to do exactly the same thing as chroot with ftpd?

3. Can I find code for FreeBSD to do exactly the same thing as chroot with httpd?

Thank You!

From owner-freebsd-security Sat Feb 10 11:45:16 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA07057 for security-outgoing; Sat, 10 Feb 1996 11:45:16 -0800 (PST)
Received: from mailhub.aros.net (mailhub.aros.net [205.164.111.17]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA07051 for ; Sat, 10 Feb 1996 11:45:14 -0800 (PST)
Received: from terra.aros.net (terra.aros.net [205.164.111.10]) by mailhub.aros.net (8.6.12/Unknown) with ESMTP id MAA08522; Sat, 10 Feb 1996 12:45:36 -0700
Received: (from angio@localhost) by terra.aros.net (8.6.12/8.6.12) id MAA12583; Sat, 10 Feb 1996 12:45:12 -0700
From: Dave Andersen
Message-Id: <199602101945.MAA12583@terra.aros.net>
Subject: Re: User creating root-owned directories?
To: taob@io.org (Brian Tao)
Date: Sat, 10 Feb 1996 12:45:12 -0700 (MST)
Cc: pst@shockwave.com, freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Feb 10, 96 11:36:15 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
Precedence: bulk

Lo and behold, Brian Tao once said:
> I'll perform a more detailed scan for setuid and setgid programs
> today then. A lot of our users run setuid CGI scripts (PHP tools, a
> Web page logging package)... the hacker may have named a setuid
> program after one of the PHP scripts to hide it from scrutiny.
> Probably a good time to compare MD5 signatures on the system binaries
> too... *sigh*.

From the way the filename looks, it's almost tempting to say that someone got in through a poorly configured cgi-bin script of some type. Do you have setuid cgis lying around that might use user-input for generating a command line? (The "I got in ; ls" is what suggests it..)

-Dave Andersen

--
angio@aros.net   Complete virtual hosting and business-oriented
system administration Internet services. (WWW, FTP, email)
http://www.aros.net/   http://www.aros.net/about/virtual/
"There are only two industries that refer to their customers as 'users'."
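The pattern Dave has in mind, as an added example written for this archive (not code from the thread or from any of the tools named in it): a CGI that splices a request parameter into a shell command line, beside the same lookup done without a shell and with an allow-list on the parameter. `echo` stands in for the finger or ls a real script would call, so the example runs anywhere; the parameter value is constructed, and in a set-uid CGI whatever follows the `;` runs with the script's effective uid.

```python
import re
import subprocess

# Constructed request parameter; a real CGI would pull it out of QUERY_STRING.
# It is the same trick as the "... ; !" directory name in the listing above.
INJECTED = "cfloyd; echo INJECTED"

# What a login name on a BSD box of the time may look like (assumption).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}\Z")


def lookup_vulnerable(user):
    """Build a command line from the parameter and hand it to a shell. The
    shell parses the ';' and runs the second command with the CGI's uid."""
    cmd = "echo finger " + user
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.splitlines()


def lookup_argv(user):
    """Same lookup with no shell in the path: the parameter is one argv
    element, so ';', '|', backticks and '$' are just bytes in an argument."""
    out = subprocess.run(["echo", "finger", user], capture_output=True, text=True)
    return out.stdout.splitlines()


def validate_user(user):
    """Allow-list the parameter as well. A set-uid CGI should refuse anything
    that is not a plausible login name before it touches it."""
    return USERNAME_RE.match(user) is not None


def lookup_hardened(user):
    """Both controls together: reject bad input, and never involve a shell."""
    if not validate_user(user):
        raise ValueError("rejected CGI parameter: %r" % (user,))
    return lookup_argv(user)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(INJECTED))
    print("argv only: ", lookup_argv(INJECTED))
    print("hardened:  ", lookup_hardened("cfloyd"))
```

The argv form alone already defeats the injection; the allow-list is there because the called program may have its own parsing (options starting with `-`, for instance), and because a rejected parameter is worth logging as an attempt.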
From owner-freebsd-security Sat Feb 10 16:52:54 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA25626 for security-outgoing; Sat, 10 Feb 1996 16:52:54 -0800 (PST) Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA25605 for ; Sat, 10 Feb 1996 16:52:46 -0800 (PST) Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id BAA23465 ; Sun, 11 Feb 1996 01:52:44 +0100 Received: from (uucp@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) with UUCP id BAA11141 ; Sun, 11 Feb 1996 01:52:45 +0100 Received: (from roberto@localhost) by keltia.freenix.fr (8.7.3/keltia-uucp-2.7) id BAA03804; Sun, 11 Feb 1996 01:36:29 +0100 (MET) 
From: Ollivier Robert Message-Id: <199602110036.BAA03804@keltia.freenix.fr> Subject: Re: Need help building jails To: yankee@anna.az.com (az.com) Date: Sun, 11 Feb 1996 01:36:29 +0100 (MET) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: from "az.com" at "Feb 10, 96 09:49:10 am" X-Operating-System: FreeBSD 2.2-CURRENT ctm#1630 X-Mailer: ELM [version 2.4ME+ PL5 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG Precedence: bulk
It seems that az.com said:
> Want to do a chroot immediately upon login for certain accounts and make
> twilight zone versions of
> /usr/home,/usr/bin,/usr/sbin,/bin,/sbin,/usr/local/bin in a directory
> called /usr/jail
Here is the shell I used in the past for my "guest" account here :

#! /usr/bin/suidperl
#
chroot "/users/guest";
$< = $> = 1000;
$ENV{TERM} = 'vt100';
$ENV{PATH} = '/bin:/usr/bin';
$ENV{SHELL} = '/bin/tcsh';
$ENV{HOME} = '/guest';
chdir "/guest";
print <

> 2. Can I find code for FreeBSD to do exactly the same thing as chroot with
> ftpd?
Use the wu-ftpd 2.4, put the users in a special group called for example "ftponly" and use the following in ftpaccess:

guestgroup ftponly

> 3. Can I find code for FreeBSD to do exactly the same thing as chroot
> with httpd?
Most servers can do it automatically or you may find patches for them to do a chroot. Apache can do it I think.
-- Ollivier ROBERT -=- The daemon is FREE! 
-=- roberto@keltia.frmug.fr.net FreeBSD keltia.freenix.fr 2.2-CURRENT #5: Sun Feb 4 03:11:17 MET 1996 From owner-freebsd-security Sat Feb 10 19:19:32 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id TAA05223 for security-outgoing; Sat, 10 Feb 1996 19:19:32 -0800 (PST) Received: from fslg8.fsl.noaa.gov (fslg8.fsl.noaa.gov [137.75.131.171]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id TAA05216 for ; Sat, 10 Feb 1996 19:19:27 -0800 (PST) Received: by fslg8.fsl.noaa.gov (5.57/Ultrix3.0-C) id AA24340; Sat, 10 Feb 96 21:19:26 -0600 Received: by emu.fsl.noaa.gov (1.38.193.4/SMI-4.1 (1.38.193.4)) id AA22583; Sat, 10 Feb 1996 20:19:25 -0700 Date: Sat, 10 Feb 1996 20:19:25 -0700 From: kelly@fsl.noaa.gov (Sean Kelly) Message-Id: <9602110319.AA22583@emu.fsl.noaa.gov> To: yankee@anna.az.com Cc: freebsd-security@freebsd.org In-Reply-To: (yankee@anna.az.com) Subject: Re: Need help building jails (fwd) Sender: owner-security@freebsd.org Precedence: bulk >>>>> "Yankee" == az com writes: Yankee> Haven't been able to get chroot to work, any ideas? Although anyone can run /usr/sbin/chroot, the chroot() system call (type ``man 2 chroot'') says This call is restricted to the super-user. so you need to be root to make effective use of /usr/sbin/chroot. So, you probably want a special version of /usr/bin/login that checks a database (perhaps by extending /etc/passwd or /etc/login.access, but maybe a new database to stay compatible) which performs the chroot if a certain field is set. It can do this while it's running as root, before it sets the user ID to the logged-in user. The source code to /usr/bin/login is on the FreeBSD CD-ROM and FTP sites, so hack away. -- Sean Kelly NOAA Forecast Systems Laboratory, Boulder Colorado USA If there's ever an amusement park called Bag World, I bet it would really start to annoy you after a while how they really sort of stretch the definition of "bag." -- Deep Thoughts, by Jack Handey
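The two replies above describe the same mechanism from different angles: chroot(2) is restricted to the super-user, so the chroot must happen while the process is still root, and only afterwards may it switch to the unprivileged user (Ollivier's suidperl shell does exactly this with $< = $> = 1000). The following is an added example, written for this page and not code from the thread or from FreeBSD: a small setuid-root login shell in C that reads a per-user jail root from a table, chroots, chdirs into the new root, drops privileges and verifies the drop, then execs a shell found inside the jail. The table path /etc/jails, its "user:/abs/jail/root" line format, the program name jailsh and the in-jail shell /bin/sh are all assumptions of this example.

```c
/* jailsh.c: added example (not from the thread). Setuid-root wrapper that
 * chroot()s while still root, then drops to the real user and execs a shell.
 * Install as root (assumed paths):
 *   cc -o /usr/local/bin/jailsh jailsh.c && chmod 4511 /usr/local/bin/jailsh
 * and set /usr/local/bin/jailsh as the user's shell in /etc/passwd.
 * /etc/jails and its "username:/abs/jail/root" line format are assumptions
 * of this example, not a FreeBSD file. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_TABLE "/etc/jails"   /* assumed: one "user:/jail/root" per line */
#define JAIL_SHELL "/bin/sh"      /* path as seen from inside the jail */

/* A jail root must be absolute and contain no ".." component; otherwise an
 * entry like "bob:/usr/jail/.." would chroot() to the real root. */
int jail_path_ok(const char *root)
{
    const char *p = root;
    if (root == NULL || root[0] != '/')
        return 0;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        if (*p) p++;
    }
    return 1;
}

/* Parse one "user:root" line. Returns 1 and fills root when the line is for
 * user and the root passes jail_path_ok(); 0 otherwise. */
int parse_jail_entry(const char *line, const char *user, char *root, size_t rootlen)
{
    const char *colon = strchr(line, ':');
    size_t ulen;
    if (colon == NULL) return 0;
    ulen = (size_t)(colon - line);
    if (ulen != strlen(user) || strncmp(line, user, ulen) != 0) return 0;
    strncpy(root, colon + 1, rootlen - 1);
    root[rootlen - 1] = '\0';
    root[strcspn(root, "\r\n")] = '\0';
    return jail_path_ok(root);
}

/* Give up root completely and prove it: after setuid(), setuid(0) must fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() itself needs root; an unprivileged caller keeps its list. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root still reachable: abort */
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* chroot(), then chdir("/") inside it (a process that skips the chdir keeps a
 * cwd outside the jail and can walk back out), then drop privileges.
 * Returns -1 with errno set on failure. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (!jail_path_ok(root)) { errno = EINVAL; return -1; }
    if (chroot(root) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return drop_privileges(uid, gid);
}

int main(void)
{
    uid_t uid = getuid();             /* real uid: the user who logged in */
    gid_t gid = getgid();
    struct passwd *pw = getpwuid(uid);
    char line[512], root[256];
    FILE *fp;
    int found = 0;

    if (pw == NULL) { fputs("jailsh: who are you?\n", stderr); return 1; }
    if ((fp = fopen(JAIL_TABLE, "r")) == NULL) { perror(JAIL_TABLE); return 1; }
    while (!found && fgets(line, sizeof line, fp))
        found = parse_jail_entry(line, pw->pw_name, root, sizeof root);
    fclose(fp);
    if (!found) { fprintf(stderr, "jailsh: no jail for %s\n", pw->pw_name); return 1; }

    if (enter_jail(root, uid, gid) != 0) { perror("jailsh: enter_jail"); return 1; }
    setenv("HOME", "/", 1);           /* paths are now relative to the jail */
    setenv("PATH", "/bin:/usr/bin", 1);
    setenv("SHELL", JAIL_SHELL, 1);
    execl(JAIL_SHELL, "-sh", (char *)NULL);   /* "-" prefix: login shell */
    perror("jailsh: exec");
    return 1;
}
```

The order matters: chroot() before any privilege change (it fails with EPERM otherwise, which is the "Operation not permitted" the original poster saw), chdir("/") immediately after it, and a setuid(0) probe after the drop so a wrapper that silently kept root refuses to hand the user a shell. Everything the shell needs (the shell binary, /bin and /usr/bin tools, any shared libraries they use, /etc/passwd and device nodes) has to be copied into the jail root beforehand, which is the "twilight zone" directory tree the original poster was building.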