From owner-freebsd-security Sun Apr 21 00:36:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA02770 for security-outgoing; Sun, 21 Apr 1996 00:36:59 -0700 (PDT)
Received: (from pst@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA02732 Sun, 21 Apr 1996 00:36:54 -0700 (PDT)
Date: Sun, 21 Apr 1996 00:36:54 -0700 (PDT)
From: Paul Traina
Message-Id: <199604210736.AAA02732@freefall.freebsd.org>
To: announce@freebsd.org, ports@freebsd.org
Subject: updated pcnfsd port (security fixes)
Cc: security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

The pcnfsd(8) port for FreeBSD has been updated to include security patches discussed in CERT CA:96.08. There are actually /two/ source files patched, not just the single patch referenced in the original CERT advisory.

If you are using pcnfsd in an insecure environment, the FreeBSD team urges you to upgrade to the most recent port code immediately.

Users of the pcnfsd pre-compiled package are urged to grab the latest port source code (look for patches/patch-ad) and compile that up. An updated pre-compiled package will appear in all of the usual places in the near future.

Paul

-- reference follows --

=============================================================================
CERT(sm) Advisory CA-96.08
April 18, 1996

Topic: Vulnerabilities in PCNFSD
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of two vulnerabilities in the pcnfsd program (pcnfsd is also known as rpc.pcnfsd); we have also received reports that these problems are being exploited. These vulnerabilities are present in some vendor-provided versions of pcnfsd and in some publicly available versions. These two vulnerabilities were reported by Avalon Security Research in reports entitled "pcnfsd."
If you are using a vendor-supplied version of pcnfsd, please see the vendor information in Section III.A and Appendix A. Until you can install a patch from your vendor for these vulnerabilities, consider using the publicly available version described in Section III.B.

If you already use or plan to switch to a public version, we urge you to use the version cited in Section III.B or install the patch described in Section III.C. This patch has already been incorporated into the pcnfsd version described in III.B.

There are many different public domain versions of pcnfsd, and we have not analyzed the vulnerability of those versions. We have analyzed and fixed the problems noted in this advisory only in the version described in III.B.

As we receive additional information relating to this advisory, we will place it in:

   ftp://info.cert.org/pub/cert_advisories/CA-96.08.README

We encourage you to check our README files regularly for updates on advisories that relate to your site.

-----------------------------------------------------------------------------

I. Description

The pcnfsd program (also called rpc.pcnfsd) is an authentication and printing program that runs on a UNIX server. There are many publicly available versions, and several vendors supply their own version.

pcnfsd supports a printing model that uses NFS to transfer files from a client to the pcnfsd server. (Note: pcnfsd does *not* provide NFS services.) When a client wants to print a file, it requests the path to a spool directory from the server. The client then writes the necessary files for printing using NFS, and informs the pcnfsd server that the files are ready for printing.

pcnfsd creates a subdirectory for each of its clients using the client's hostname, then returns this path name to the client. The returned path name must be exported to its clients by the NFS server. The NFS server and the pcnfsd server may be two separate machines.
The first vulnerability is that pcnfsd, which runs as root, creates the aforementioned directories with mkdir(2) and then changes their mode with chmod(2) to mode 777. If the target directory is replaced with a symbolic link pointing to a restricted file or directory, the mkdir(2) will fail but the chmod(2) will succeed. This means that the target of the symbolic link will be mode 777.

Note that pcnfsd must run as root when servicing print requests so that it can assume the identity of the PC user when interacting with UNIX print commands. On some systems, pcnfsd may also have to run as root so it can read restricted files when carrying out authentication tasks.

The second vulnerability is that pcnfsd calls the system(3) subroutine as root, and the string passed to system(3) can be influenced by the arguments given in the remote procedure call. Remote users can execute arbitrary commands on the machine where pcnfsd runs.

II. Impact

For the first vulnerability, local users can change the permissions on any file accessible to the local system that the root user can change.

For the second vulnerability, remote users can execute arbitrary commands as root on the machine where pcnfsd runs.

III. Solution

If you are using pcnfsd from a vendor, consult the vendor list in Section A. If your vendor is not listed, we recommend that you contact your vendor directly. Until a vendor patch is available, we recommend that you obtain the publicly available version of pcnfsd as described in Section B. This version already has the patch described in Section C.

If you are presently using a public version of pcnfsd, we recommend that you either change to the version listed in Section B or apply the patch described in Section C. (The version in Section B already contains this patch.)

A. Obtain and install the appropriate patch according to the instructions included with the patch. Below is a list of the vendors who have reported to us as of the date of this advisory.
More complete information, including how to obtain patches, is provided in the appendix of this advisory and reproduced in the CA-96.xx.README file. We will update the README file as we receive more information. If your vendor's name is not on this list, please contact the vendor directly.

   Vendor or Source       Status
   ----------------       ------------
   BSDI BSD/OS            Vulnerable. Patch available.
   Hewlett Packard        Vulnerable. Patch under development.
   IBM AIX 3.2            Vulnerable. Patches available.
   IBM AIX 4.1            Vulnerable. Patches available.
   NEXTSTEP               Vulnerable. Will be fixed in version 4.0.
   SCO OpenServer 5       Vulnerable. Patch under development.
   SCO UnixWare 2.1       Vulnerable. Patch under development.
   SGI IRIX 5.3           Vulnerable. Patch under development.
   SGI IRIX 6.2           Not vulnerable.

B. Until you are able to install the appropriate patch, we recommend that you obtain a version of pcnfsd from one of the following locations. This version already has the patch mentioned in Section III.C and included in Appendix B.

   ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z
   ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd.93.02.16-cert-dist.tar.Z

   MD5 (pcnfsd.93.02.16-cert-dist.tar.Z) = b7af99a07dfcf24b3da3446d073f8649

   Build, install, and restart rpc.pcnfsd. Ensure that the mode of the top-level pcnfsd spool directory is 755. In this version of pcnfsd, the top level spool directory is /usr/spool/pcnfs. To change this to mode 755, do the following as root:

      chmod 755 /usr/spool/pcnfs

C. Appendix B contains a patch for the two vulnerabilities described in this advisory. Apply the patch using the GNU patch utility or by hand as necessary. Rebuild, reinstall, and restart rpc.pcnfsd. Set the mode of the top-level pcnfsd spool directory to 755. For example, in the version of pcnfsd cited in Section B, the top level spool directory is /usr/spool/pcnfs.
To change this to mode 755, do the following as root:

      chmod 755 /usr/spool/pcnfs

---------------------------------------------------------------------------

The CERT Coordination Center thanks Josh D., Ben G., and Alfred H. of Avalon Security Research for providing information for this advisory. We thank Wolfgang Ley of DFN-CERT for his help in understanding these problems.

---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.

Location of CERT PGP key
   ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from

   http://www.cert.org/
   ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org

Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

.........................................................................
Appendix A: Vendor Information

Current as of April 18, 1996
See CA-96.08.README for updated information.

Below is information we have received from vendors concerning the vulnerability described in this advisory. If you do not see your vendor's name, please contact the vendor directly for information.

Berkeley Software Design, Inc. (BSDI)
=====================================

The problem described in these vulnerabilities is present in all versions of BSD/OS. There is a patch (our patch number U210-007) for our 2.1 version of BSD/OS and associated products available from our patch and ftp servers or

   ftp://ftp.BSDI.COM/bsdi/patches/patches-2.1/U210-007

Hewlett-Packard Company
=======================

Patches in process, watch for an HP security bulletin for this vulnerability.

IBM Corporation
===============

See the appropriate release below to determine your action.

AIX 3.2
-------
Apply the following fixes to your system:

   APAR - IX57623 (PTF - U442633)
   APAR - IX56965 (PTF - U442638)

To determine if you have these PTFs on your system, run the following commands:

   lslpp -lB U442633
   lslpp -lB U442638

AIX 4.1
-------
Apply the following fixes to your system:

   APAR - IX57616
   APAR - IX56730

To determine if you have these APARs on your system, run the following commands:

   instfix -ik IX57616
   instfix -ik IX56730

To Order
--------
APARs may be ordered using FixDist or from the IBM Support Center. For more information on FixDist, reference URL:

   http://aix.boulder.ibm.com/pbin-usa/fixdist.pl/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

IBM and AIX are registered trademarks of International Business Machines Corporation.

NeXT Software, Inc.
===================

NEXTSTEP is vulnerable. This will be fixed in the 4.0 release of OpenStep for Mach (aka NEXTSTEP 4.0, due out 2Q96).

The Santa Cruz Operation, Inc.
==============================

Patches for pcnfsd are currently being developed for the following releases:

   SCO OpenServer 5
   SCO UnixWare 2.1.
These releases, as well as all prior releases, are vulnerable to both issues mentioned in the advisory.

Should you not need to use pcnfs, SCO recommends that you not run pcnfsd. This can be done by commenting out pcnfsd in the appropriate script that starts pcnfsd, located in /etc/rc2.d.

The README file for this advisory will be updated when further patch information is available.

Silicon Graphics Corporation
============================

pcnfsd was only released for IRIX 5.3 and IRIX 6.2. SGI is producing patch1179 for IRIX 5.3. IRIX 6.2 is not vulnerable.

.........................................................................

Appendix B: Patch Information

Here is the patch for pcnfsd_print.c. It is also available as:

   ftp://ftp.cert.org/pub/tools/pcnfsd/pcnfsd_print.c.diffs
   ftp://ftp.cert.dfn.de/pub/tools/net/pcnfsd/pcnfsd_print.c.diffs

   MD5 (pcnfsd_print.c-diffs) = ec44046ff5c769aa5bf2d8d155b61f1f

---------------------------------CUT HERE---------------------------------
*** /tmp/T0a002c1 Fri Apr 5 13:14:50 1996 --- pcnfsd_print.c Fri Apr 5 13:14:46 1996 *************** *** 221,226 **** --- 221,227 ---- { int dir_mode = 0777; int rc; + mode_t oldmask; *sp = &pathname[0]; pathname[0] = '\0'; *************** *** 231,241 **** /* get pathname of current directory and return to client */ (void)sprintf(pathname,"%s/%s",sp_name, sys); (void)mkdir(sp_name, dir_mode); /* ignore the return code */ - (void)chmod(sp_name, dir_mode); rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */ if((rc < 0 && errno != EEXIST) || - (chmod(pathname, dir_mode) != 0) || (stat(pathname, &statbuf) != 0) || !(statbuf.st_mode & S_IFDIR)) { (void)sprintf(tempstr, --- 232,242 ---- /* get pathname of current directory and return to client */ (void)sprintf(pathname,"%s/%s",sp_name, sys); + oldmask = umask(0); (void)mkdir(sp_name, dir_mode); /* ignore the return code */ rc = mkdir(pathname, dir_mode); /* DON'T ignore this return code */ + umask(oldmask); if((rc < 0 && errno != EEXIST) || (stat(pathname, &statbuf) != 0) || !(statbuf.st_mode & S_IFDIR)) { (void)sprintf(tempstr, *************** *** 381,387 **** ** filter with the appropriate arguments. **------------------------------------------------------ */ ! (void)run_ps630(new_pathname, opts); } /* ** Try to match to an aliased printer --- 382,391 ---- ** filter with the appropriate arguments. **------------------------------------------------------ */ ! (void)sprintf(tempstr, ! "rpc.pcnfsd: ps630 filter disabled for %s\n", pathname); ! msg_out(tempstr); ! return(PS_RES_FAIL); } /* ** Try to match to an aliased printer
---------------------------------CUT HERE---------------------------------

From owner-freebsd-security Tue Apr 23 01:29:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA16781 for security-outgoing; Tue, 23 Apr 1996 01:29:22 -0700 (PDT)
Received: from kings.bcl.com (kings.bcl.com [194.72.35.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id BAA16774 for ; Tue, 23 Apr 1996 01:29:18 -0700 (PDT)
Received: from mitre.bcl.com (mitre.bcl.com [194.72.35.242]) by kings.bcl.com with ESMTP id JAA24776 for ; Tue, 23 Apr 1996 09:29:16 +0100 (BST)
Received: from pc-21.bcl.com (pc-21.bcl.com [194.72.35.221]) by mitre.bcl.com (8.7.1/8.7.1) with SMTP id JAA04756 for ; Tue, 23 Apr 1996 09:30:14 +0100
Message-Id: <199604230830.JAA04756@mitre.bcl.com>
Comments: Authenticated sender is
From: "FreeBSD Manager"
Organization: BCL International
To: freebsd-security@freebsd.org
Date: Tue, 23 Apr 1996 09:27:44 +0000
Subject: CA-95:13 syslog problem
Reply-to: freebsd@bcl.com
Priority: normal
X-mailer: Pegasus Mail for Windows (v2.10)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Can anyone confirm if FreeBSD 2.1.0-RELEASE is vulnerable to the syslog problem as described in CERT advisory CA-95:13 and if so the current state/location of a patch to solve this problem.
Bob
---
FreeBSD Mail Lists,      | Email: freebsd@bcl.com   | Human Contact:
BCL International        | WWW: http://www.bcl.com/ | Bob Dickel,
18-20 Farringdon Lane,   | Tel: 0171 251 1125       | Technical Support
LONDON, EC1R 3AU.        | Fax: 0171 251 4902       | Email: bob@bcl.com

From owner-freebsd-security Tue Apr 23 06:08:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA00956 for security-outgoing; Tue, 23 Apr 1996 06:08:59 -0700 (PDT)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id GAA00951 for ; Tue, 23 Apr 1996 06:08:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.5/8.6.10) with SMTP id GAA01064; Tue, 23 Apr 1996 06:08:29 -0700 (PDT)
From: Cy Schubert - ITSD Open Systems Group
Message-Id: <199604231308.GAA01064@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: freebsd@bcl.com
cc: freebsd-security@freebsd.org
Subject: Re: CA-95:13 syslog problem
In-reply-to: Your message of "Tue, 23 Apr 96 09:27:44 -0000." <199604230830.JAA04756@mitre.bcl.com>
Date: Tue, 23 Apr 96 06:08:28 -0700
X-Mts: smtp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Can anyone confirm if FreeBSD 2.1.0-RELEASE is vulnerable to the
> syslog problem as described in CERT advisory CA-95:13 and if so the
> current state/location of a patch to solve this problem.

I don't believe the bug exists, as the following test program should dump core or at least issue a message stating snprintf is broken.
#include <stdio.h>
#include <syslog.h>

static char x[6] = {'H','E','L','L','O',0};

int main(void)
{
	char buf[4096];
	int ct;

	/* 4095 bytes of 'X' with no '%', so buf is a harmless format string */
	for (ct = 0; ct < 4095; ct++)
		buf[ct] = 'X';
	buf[4095] = '\0';

	openlog("testprog", LOG_PID, LOG_AUTHPRIV);

	/* a size-honouring snprintf writes "XX\0" into x and leaves x[4] alone */
	printf("Check snprintf\n");
	snprintf(x, 3, buf);
	if (x[4] != 'O')
		fprintf(stderr, "snprintf is broken\n");

	/* the CA-95:13 overflow would show up here on a vulnerable syslog(3) */
	printf("Testing syslog\n");
	syslog(LOG_ERR|LOG_USER, buf);
	closelog();
	return 0;
}

>
> Bob
>
>
> ---
> FreeBSD Mail Lists,      | Email: freebsd@bcl.com   | Human Contact:
> BCL International        | WWW: http://www.bcl.com/ | Bob Dickel,
> 18-20 Farringdon Lane,   | Tel: 0171 251 1125       | Technical Support
> LONDON, EC1R 3AU.        | Fax: 0171 251 4902       | Email: bob@bcl.com
>

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support           BITNET: CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

From owner-freebsd-security Tue Apr 23 10:07:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA18625 for security-outgoing; Tue, 23 Apr 1996 10:07:43 -0700 (PDT)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA18609 for ; Tue, 23 Apr 1996 10:07:33 -0700 (PDT)
Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with SMTP id KAA21757; Tue, 23 Apr 1996 10:06:05 -0700 (PDT)
Message-Id: <199604231706.KAA21757@precipice.shockwave.com>
X-Mailer: exmh version 1.6.6 3/24/96
To: freebsd@bcl.com
Cc: freebsd-security@FreeBSD.org
Subject: Re: CA-95:13 syslog problem
In-Reply-To: Your message of "Tue, 23 Apr 1996 09:27:44 -0000."
             <199604230830.JAA04756@mitre.bcl.com>
Mime-Version: 1.0
Content-Type: application/pgp; format=mime; x-action=signclear; x-originator=73D288A5
Content-Transfer-Encoding: 7bit
Date: Tue, 23 Apr 1996 10:06:04 -0700
From: Paul Traina
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Content-Type: text/plain; charset=us-ascii

CA 95:13 was fixed in FreeBSD prior to 2.1.0-RELEASE.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMX0N+lUuHi5z0oilAQGPtwP/e1qlS7Q6xHefJGO7DPaFuGGEQL73tEOn
9VyH9tAHfybkaJJZIIn7+PF5iRpFMCNmTwbz2jNTt6vAwNin/TVNytEp/zWadIKX
xW7bCFL05hsa0Bq1BXHWk0rdtgjsyLBiwY/YaIRR3POwNGiz872Wc78qNcMv2d+i
cnFA1x/J6aw=
=VpVL
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 23 11:44:19 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA24801 for security-outgoing; Tue, 23 Apr 1996 11:44:19 -0700 (PDT)
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id LAA24778 for ; Tue, 23 Apr 1996 11:44:14 -0700 (PDT)
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id UAA12394 ; Tue, 23 Apr 1996 20:44:12 +0200
Received: from (uucp@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) with UUCP id UAA16348 ; Tue, 23 Apr 1996 20:44:11 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.7.5/keltia-uucp-2.7) id UAA16875; Tue, 23 Apr 1996 20:42:05 +0200 (MET DST)
From: Ollivier Robert
Message-Id: <199604231842.UAA16875@keltia.freenix.fr>
Subject: Re: CA-95:13 syslog problem
To: freebsd@bcl.com
Date: Tue, 23 Apr 1996 20:42:05 +0200 (MET DST)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199604230830.JAA04756@mitre.bcl.com> from FreeBSD Manager at "Apr 23, 96 09:27:44 am"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1916
X-Mailer: ELM [version 2.4ME+ PL11 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

It seems that FreeBSD Manager said:
> Can anyone confirm if FreeBSD 2.1.0-RELEASE is vulnerable to the
> syslog problem as described in CERT advisory CA-95:13 and if so the
> current state/location of a patch to solve this problem.

2.1.0-RELEASE is *not* vulnerable. It was fixed in CURRENT:

------------------------------------------------------------
revision 1.4
date: 1995/09/15 13:53:39;  author: peter;  state: Exp;  lines: +86 -18
Fix security bugs with a "new approach", using stdio's powerful buffer
control hooks.  It is similar to an unrolled multi-part snprintf(), in
that a "FILE *" is attached to a string buffer.

There is also an optimisation for the case where the syslog format string
does not contain %m, which should improve performance of "informational"
logging, like from ftpd.
------------------------------------------------------------

then imported into 2.1-STABLE, which became 2.1.0-RELEASE:

------------------------------------------------------------
revision 1.2.4.2                     <<<<<<<<<<<<<<<
date: 1995/09/26 07:54:51;  author: davidg;  state: Exp;  lines: +86 -18
Brought in changes from main branch: security fixes.
------------------------------------------------------------

RCS file: /spare/FreeBSD-current/src/lib/libc/gen/syslog.c,v
Working file: syslog.c
head: 1.8
branch:
locks: strict
access list:
symbolic names:
	RELENG_2_1_0_RELEASE: 1.2.4.3        <<<<<<<<<<<<<<<<
	RELENG_2_1_0: 1.2.0.4

The difference between 1.2.4.2 and 1.2.4.3 is a fix of the security fix :-)

2.0.5-RELEASE is vulnerable.
--
Ollivier ROBERT -=- The daemon is FREE!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #13: Sun Apr 21 18:14:54 MET DST 1996

From owner-freebsd-security Fri Apr 26 06:45:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA07858 for security-outgoing; Fri, 26 Apr 1996 06:45:01 -0700 (PDT)
Received: from alpha.dsu.edu (ghelmer@alpha.dsu.edu [138.247.32.12]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id GAA07843 for ; Fri, 26 Apr 1996 06:44:57 -0700 (PDT)
Received: from localhost (ghelmer@localhost) by alpha.dsu.edu (8.7.5/8.7.3) with SMTP id IAA00928 for ; Fri, 26 Apr 1996 08:44:53 -0500 (CDT)
Date: Fri, 26 Apr 1996 08:44:53 -0500 (CDT)
From: Guy Helmer
To: security@freebsd.org
Subject: ptrace vulnerability, was: Something fishy with our PT_ATTACH code!
In-Reply-To: <29493.830512651@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 26 Apr 1996, Jordan K. Hubbard wrote:

> Just got back from Kirk's usual Thursday-night OS class and while we
> were going through exit1(), I noticed something that looked a little
> odd in the ptrace "reattach" code. In following it (and it later
> turned out to be correct), I happened to notice the following weird
> behavior with attach and detach:

[...]

That reminds me, did BSDI release any information/patches regarding the ptrace vulnerability (CERT VB-96.04.bsdi)? I assume the 4.4BSD-derived systems had the same ptrace code...
Guy Helmer, Dakota State University Computing Services - ghelmer@alpha.dsu.edu

From owner-freebsd-security Fri Apr 26 10:16:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA19743 for security-outgoing; Fri, 26 Apr 1996 10:16:58 -0700 (PDT)
Received: from marble.eps.nagoya-u.ac.jp (marble.eps.nagoya-u.ac.jp [133.6.57.68]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA19738 for ; Fri, 26 Apr 1996 10:16:55 -0700 (PDT)
Received: from marble.eps.nagoya-u.ac.jp (localhost [127.0.0.1]) by marble.eps.nagoya-u.ac.jp (8.7.4+2.6Wbeta6/3.3W9) with ESMTP id CAA00383; Sat, 27 Apr 1996 02:16:45 +0900 (JST)
Message-Id: <199604261716.CAA00383@marble.eps.nagoya-u.ac.jp>
To: ghelmer@alpha.dsu.edu
Cc: security@freebsd.org
Subject: Re: ptrace vulnerability, was: Something fishy with our PT_ATTACH code!
In-Reply-To: Your message of "Fri, 26 Apr 1996 08:44:53 -0500 (CDT)"
References:
X-Mailer: Mew beta version 0.96 on Emacs 19.28.1, Mule 2.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sat, 27 Apr 1996 02:16:43 +0900
From: KATO Takenori
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> That reminds me, did BSDI release any information/patches regarding the
> ptrace vulnerability (CERT VB-96.04.bsdi)?

BSDI has released a patch 'K201-008' to fix the ptrace security problem.

> I assume the 4.4BSD-derived
> systems had the same ptrace code...

The body of ptrace code was deleted in the 4.4BSD-Lite distribution.

----
KATO Takenori
Dept. Earth Planet.
Sci., Nagoya Univ., Nagoya, 464-01, Japan
Voice: +81-52-789-2529  Fax: +81-52-789-3033

From owner-freebsd-security Fri Apr 26 12:35:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA27338 for security-outgoing; Fri, 26 Apr 1996 12:35:06 -0700 (PDT)
Received: from firewall.mc.com (firewall.mc.com [192.148.197.15]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA27314 for ; Fri, 26 Apr 1996 12:34:54 -0700 (PDT)
Received: by firewall.mc.com id AA27640 (5.65c/IDA-1.4.4 for ); Fri, 26 Apr 1996 15:34:51 -0400
Received: from jericho.mc.com(192.233.16.4) by firewall via smap (V1.3) id sma027635; Fri Apr 26 15:34:28 1996
Received: from bach (bach [192.233.16.203]) by jericho (8.6.11/8.6.11) with SMTP id PAA25304; Fri, 26 Apr 1996 15:34:26 -0400
From: "Gordon W. Ross"
Received: by bach (4.1//ident-1.0) id AA13106; Fri, 26 Apr 96 15:34:25 EDT
Date: Fri, 26 Apr 96 15:34:25 EDT
Message-Id: <9604261934.AA13106@bach>
To: freebsd-security@freebsd.org
Subject: CERT Advisory CA-96.08 - Vulnerabilities in PCNFSD
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi there FreeBSD folks. I just wanted to give you a "heads-up" about this CERT advisory for pcnfsd. I've just corrected the rpc.pcnfsd in NetBSD, so you can grab that if you like.

I was not sure who to contact. Send me private e-mail if you would like more details about the problem and its correction.

Cheers!
Gordon

From owner-freebsd-security Fri Apr 26 13:09:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA29914 for security-outgoing; Fri, 26 Apr 1996 13:09:48 -0700 (PDT)
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA29904 for ; Fri, 26 Apr 1996 13:09:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by palmer.demon.co.uk (sendmail/PALMER-1) with SMTP id VAA04446 ; Fri, 26 Apr 1996 21:05:45 +0100 (BST)
To: "Gordon W. Ross"
cc: freebsd-security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: CERT Advisory CA-96.08 - Vulnerabilities in PCNFSD
In-reply-to: Your message of "Fri, 26 Apr 1996 15:34:25 EDT." <9604261934.AA13106@bach>
Date: Fri, 26 Apr 1996 21:05:44 +0100
Message-ID: <4443.830549144@palmer.demon.co.uk>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

"Gordon W. Ross" wrote in message ID <9604261934.AA13106@bach>:

> Hi there FreeBSD folks. I just wanted to give you a "heads-up"
> about this CERT advisory for pcnfsd. I've just corrected the
> rpc.pcnfsd in NetBSD, so you can grab that if you like.

> I was not sure who to contact. Send me private e-mail if you
> would like more details about the problem and its correction.

Already taken care of:

pst         96/04/21 00:29:17

  Modified:    net/pcnfsd/pkg DESCR
  Added:       net/pcnfsd/patches patch-ad
  Log:
  Add in patches for vulnerabilities discussed in CERT CA:96.08

  Revision  Changes    Path
  1.2       +3 -0      ports/net/pcnfsd/pkg/DESCR

(it probably should have been sent to FreeBSD-Ports, since we don't have pcnfsd in our base system)

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD - Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info.
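The mkdir/chmod symlink problem that CA-96.08 (forwarded in Paul Traina's message at the top of this digest) describes, and that the patch-ad commit in Gary's message above brought into the FreeBSD port, shown as an added example. This is not code from the advisory, from pcnfsd or from the FreeBSD port: the function names, the scratch directory under /tmp and the self-test's file names are assumptions. The "before" routine is the pattern the advisory describes; the "after" routine follows the CERT patch (clear the umask, let mkdir(2) set the mode, drop the chmod) and goes one step beyond it by checking the created name with lstat(2) and S_ISDIR() rather than stat(), so a link is rejected even when it points at a real directory.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern CA-96.08 describes: mkdir(2), then chmod(2) to 0777.
 * chmod() follows symbolic links, so if the per-client name has been
 * replaced by a link, mkdir() fails with EEXIST, the chmod() goes
 * through to the link's target, and the target ends up mode 0777. */
int spool_dir_before(const char *path)
{
    if (mkdir(path, 0777) < 0 && errno != EEXIST)
        return -1;
    if (chmod(path, 0777) != 0)       /* the flaw: acts on the link target */
        return -1;
    return 0;
}

/* Hardened pattern, in the spirit of the CERT patch: clear the umask so
 * mkdir(2) itself produces 0777 and no chmod() of a client-influenced
 * name is needed; then verify with lstat(2) + S_ISDIR(), which rejects
 * a symlink even when it points at a real directory (the patch keeps
 * stat(), which follows links; lstat() is the stricter check). */
int spool_dir_after(const char *path)
{
    struct stat st;
    mode_t oldmask = umask(0);
    int rc = mkdir(path, 0777);
    int saved_errno = errno;
    umask(oldmask);
    if (rc < 0 && saved_errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return 0;
}

/* The patch's context line tests `statbuf.st_mode & S_IFDIR`.  That is a
 * bit test, not a type test: S_IFSOCK (0140000) contains the S_IFDIR bit
 * (0040000), so a socket passes it.  S_ISDIR() compares the whole type. */
int loose_dir_test(mode_t mode)  { return (mode & S_IFDIR) != 0; }
int strict_dir_test(mode_t mode) { return S_ISDIR(mode) != 0; }

/* Self-test in a scratch directory (constructed; no real spool involved):
 * a 0600 file stands in for a restricted file and a symlink named like a
 * client's spool directory points at it.  Returns 1 when the "before"
 * routine widened the file to 0777 and the "after" routine refused the
 * link and left the file at 0600; returns 0 otherwise or on setup error. */
int run_selftest(void)
{
    char dir[64], target[128], linkpath[128];
    struct stat st;
    FILE *f;
    int before_mode, after_rc, after_mode;

    snprintf(dir, sizeof dir, "/tmp/pcnfsd-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) {          /* fall back to the working directory */
        snprintf(dir, sizeof dir, "pcnfsd-demo-%ld", (long)getpid());
        if (mkdir(dir, 0700) != 0)
            return 0;
    }
    snprintf(target, sizeof target, "%s/private", dir);
    snprintf(linkpath, sizeof linkpath, "%s/clienthost", dir);
    if ((f = fopen(target, "w")) == NULL)
        return 0;
    fclose(f);
    if (chmod(target, 0600) != 0 || symlink(target, linkpath) != 0)
        return 0;

    (void)spool_dir_before(linkpath);     /* mkdir -> EEXIST, chmod follows the link */
    stat(target, &st);
    before_mode = st.st_mode & 07777;     /* 0777 */

    chmod(target, 0600);                  /* reset for the second run */
    after_rc = spool_dir_after(linkpath); /* -1: lstat() sees a symlink */
    stat(target, &st);
    after_mode = st.st_mode & 07777;      /* still 0600 */

    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return before_mode == 0777 && after_rc == -1 && after_mode == 0600;
}

int main(void)
{
    printf("symlink self-test: %s\n",
           run_selftest() ? "hardened version holds" : "unexpected result");
    printf("socket: loose S_IFDIR test %d, strict S_ISDIR test %d\n",
           loose_dir_test(S_IFSOCK), strict_dir_test(S_IFSOCK));
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. The umask trick works because mkdir(2) applies the mode to the directory it creates and does nothing at all when the name already exists, so no privileged call ever operates on a name the client can swap for a link; the lstat()/S_ISDIR() check is what turns the remaining EEXIST case into a refusal instead of a silent success.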
From owner-freebsd-security Fri Apr 26 13:37:16 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA02755 for security-outgoing; Fri, 26 Apr 1996 13:37:16 -0700 (PDT)
Received: from cyberelf.com (www.link-systems.com [168.151.135.100]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id NAA02747 for ; Fri, 26 Apr 1996 13:37:12 -0700 (PDT)
Received: (from lgp@localhost) by cyberelf.com (8.6.12/8.6.12) id QAA01781; Fri, 26 Apr 1996 16:37:21 -0400
Date: Fri, 26 Apr 1996 16:37:21 -0400 (EDT)
From: Linda Pedersen
To: freebsd-security@FreeBSD.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

unsubscribe

From owner-freebsd-security Fri Apr 26 15:11:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA07742 for security-outgoing; Fri, 26 Apr 1996 15:11:14 -0700 (PDT)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id PAA07735 for ; Fri, 26 Apr 1996 15:11:07 -0700 (PDT)
Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with SMTP id PAA10340; Fri, 26 Apr 1996 15:10:06 -0700 (PDT)
Message-Id: <199604262210.PAA10340@precipice.shockwave.com>
X-Mailer: exmh version 1.6.6 3/24/96
To: "Gordon W. Ross"
cc: freebsd-security@FreeBSD.org
Subject: Re: CERT Advisory CA-96.08 - Vulnerabilities in PCNFSD
In-reply-to: Your message of "Fri, 26 Apr 1996 15:34:25 EDT." <9604261934.AA13106@bach>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 26 Apr 1996 15:10:05 -0700
From: Paul Traina
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Thanks very much Gordon. Generic security issues go right where you sent them.
If you ever need to send something confidential, there's security-officer@freebsd.org and public keys are available on all the major PGP keyservers (we should be documenting this properly in the www page soon...let me talk to our wonderful webmaster).

We fixed pcnfsd last week too.

Best regards and thanks much for the heads up message,

Paul

From owner-freebsd-security Sat Apr 27 15:05:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA11570 for security-outgoing; Sat, 27 Apr 1996 15:05:23 -0700 (PDT)
Received: from drax-i.leverage.com ([206.79.139.8]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id PAA11551 Sat, 27 Apr 1996 15:05:15 -0700 (PDT)
Received: (from smapman@localhost) by drax-i.leverage.com (8.6.12/8.6.12) id PAA10270; Sat, 27 Apr 1996 15:05:44 -0700
Received: from nikki.leverage.com(172.16.0.11) by drax-i.leverage.com via smap (V1.3) id sma010268; Sat Apr 27 15:05:42 1996
Received: (from tlod@localhost) by nikki.leverage.com (8.6.12/8.6.12) id PAA15892; Sat, 27 Apr 1996 15:06:36 -0700
Date: Sat, 27 Apr 1996 15:06:36 -0700 (PDT)
From: Thede Loder
To: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, freebsd-doc@freebsd.org
Subject: Simple SOCKS Daemon
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello FreeBSD Users!

I have implemented a SOCKS version 4 server for FreeBSD. I will be porting it to other platforms, but in the meantime, I'm looking for some feedback.

Info on it can be found at http://waynesworld.ucsd.edu/~tlod/ssockd/ssockd.html

Let me know what you think!

-Thede Loder
--
tlod@leverage.com