From owner-freebsd-security Sun Jun 30 09:17:33 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA25264 for security-outgoing; Sun, 30 Jun 1996 09:17:33 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA25258 for ; Sun, 30 Jun 1996 09:17:29 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id MAA10596; Sun, 30 Jun 1996 12:13:21 -0400 (EDT)
Date: Sun, 30 Jun 1996 12:14:10 -0400 (EDT)
From: Brian Tao
To: Dan Polivy
cc: Multiple recipients of list BUGTRAQ, FREEBSD-SECURITY-L
Subject: Re: BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 30 Jun 1996, Dan Polivy wrote:
>
> Does /bin/bash exist on your system? Is the script setuid to
> anything? (It should have either the user or group +s, I think) It
> worked for me on my FreeBSD machines (2.1 and -stable)...

Small glitch on my mistake... I had tried the script as originally presented to me, with #!/usr/bin/perl. Changing that to suidperl alters the results (I thought perl automatically fed a setuid script to suidperl). On a BSD/OS 2.0 system, running the script produces "Can't swap uid and euid.".

The exploit works on my FreeBSD systems from 2.1R through to 2.2-960501-SNAP. 2.2-960612-SNAP appears to have already fixed the problem. I imagine the recent 2.1.5 snapshots are not vulnerable either, but I haven't had a chance to verify.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sun Jun 30 09:49:57 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA27274 for security-outgoing; Sun, 30 Jun 1996 09:49:57 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA27239; Sun, 30 Jun 1996 09:48:34 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id MAA10769; Sun, 30 Jun 1996 12:43:08 -0400 (EDT)
Date: Sun, 30 Jun 1996 12:43:57 -0400 (EDT)
From: Brian Tao
To: Terry Lambert
cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606240651.XAA27306@phaeton.artisoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Terry Lambert wrote:
>
> 9) Make sure you aren't running routed -q.

Why not?

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sun Jun 30 09:54:03 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA27648 for security-outgoing; Sun, 30 Jun 1996 09:54:03 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA27579 for ; Sun, 30 Jun 1996 09:52:40 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id MAA10802; Sun, 30 Jun 1996 12:47:16 -0400 (EDT)
Date: Sun, 30 Jun 1996 12:48:05 -0400 (EDT)
From: Brian Tao
To: Terry Lambert
cc: jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606241719.KAA28491@phaeton.artisoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Terry Lambert wrote:
>
> The list is endless, which is why you reinstall. You can trust every
> binary from the distribution media.

Unless, of course, the distribution media itself was compromised (which would have been the case if the hacker generated his own tarballs for the ftp.freebsd.org). :(

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sun Jun 30 11:21:54 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA03829 for security-outgoing; Sun, 30 Jun 1996 11:21:54 -0700 (PDT)
Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA03820 for ; Sun, 30 Jun 1996 11:21:52 -0700 (PDT)
Received: (from obrien@localhost) by relay.nuxi.com (8.6.12/8.6.12) id LAA20002; Sun, 30 Jun 1996 11:21:59 -0700
From: "David E. O'Brien"
Message-Id: <199606301821.LAA20002@relay.nuxi.com>
Subject: Re: BoS: Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability
To: jmb@FRB.GOV (Jonathan M. Bresler)
Date: Sun, 30 Jun 1996 11:21:58 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199606301536.LAA15220@kryten.frb.gov> from "Jonathan M. Bresler" at Jun 30, 96 11:36:21 am
X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> CERT sends out a notice as soon as the vendor agrees.
> the issue is not CERT, the issue is CERT's policy of waiting for
> the vendor regardless of how long the vendor takes to produce
> a fix. (hours? days? weeks? .....)
>
> it's the unlimited waiting period that tweaks people.
>
> jmb
> --
> Jonathan M. Bresler 202-452-2831 breslerj@frb.gov

Speaking of delays to produce a notice, what is FreeBSD's policy? What is the policy on full-disclosure?

--
David (obrien@cs.ucdavis.edu)

From owner-freebsd-security Sun Jun 30 13:45:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA15837 for security-outgoing; Sun, 30 Jun 1996 13:45:58 -0700 (PDT)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA15828; Sun, 30 Jun 1996 13:45:54 -0700 (PDT)
From: "Jonathan M. Bresler"
Message-Id: <199606302045.NAA15828@freefall.freebsd.org>
Subject: Re: BoS: Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability
To: obrien@Nuxi.cs.ucdavis.edu (David E. O'Brien)
Date: Sun, 30 Jun 1996 13:45:54 -0700 (PDT)
Cc: jmb@FRB.GOV, freebsd-security@freebsd.org
In-Reply-To: <199606301821.LAA20002@relay.nuxi.com> from "David E. O'Brien" at Jun 30, 96 11:21:58 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

David E. O'Brien wrote:
>
> > CERT sends out a notice as soon as the vendor agrees.
> > the issue is not CERT, the issue is CERT's policy of waiting for
> > the vendor regardless of how long the vendor takes to produce
> > a fix. (hours? days? weeks? .....)
> >
> > it's the unlimited waiting period that tweaks people.
> >
> > jmb
> > --
> > Jonathan M. Bresler 202-452-2831 breslerj@frb.gov
>
> Speaking of delays to produce a notice, what is FreeBSD's policy?
> What is the policy on full-disclosure?

FreeBSD fixes any errors found as fast as possible (they all say that ;)

FreeBSD has provided every user with access to the source so we can mail out a patch and let everyone fix their code. A commercial vendor has to cut binaries for everyone. FreeBSD also makes binaries available. But there is no management wondering if it will look bad to admit that there was a bug. *heavens* a bug! hahahh

jmb
--
Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included.
http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB

From owner-freebsd-security Sun Jun 30 14:11:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA17645 for security-outgoing; Sun, 30 Jun 1996 14:11:56 -0700 (PDT)
Received: from ulc199.residence.gatech.edu (root@ulc199.residence.gatech.edu [199.77.162.99]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA17636 for ; Sun, 30 Jun 1996 14:11:53 -0700 (PDT)
Received: (from ken@localhost) by ulc199.residence.gatech.edu (8.7.5/8.7.3) id RAA23445 Sun, 30 Jun 1996 17:11:43 -0400 (EDT)
From: Kenneth Merry
Message-Id: <199606302111.RAA23445@ulc199.residence.gatech.edu>
Subject: Re: I need help on this one - please help me track this guy down!
To: taob@io.org (Brian Tao)
Date: Sun, 30 Jun 1996 17:11:42 -0400 (EDT)
Cc: security@freebsd.org
In-Reply-To: from Brian Tao at "Jun 30, 96 12:43:57 pm"
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> On Sun, 23 Jun 1996, Terry Lambert wrote:
> >
> > 9) Make sure you aren't running routed -q.
>
> Why not?

It depends on what your network setup looks like. If you control all the machines on your subnet, there's no problem with running routed -q. If you don't control all the machines on your subnet, it can be very dangerous, since it will believe anyone who claims to be the default router.

I ran into that once when I put my machine on the dorm network here at GT. A couple of guys with Linux boxes were running routed -g -s, and so all of my outbound packets wound up going to their machines. It turned out that whatever distribution of Linux they had (old version of slackware, perhaps?) enabled those options on routed by default. (They were pretty clueless, and it didn't appear to be a malicious thing.)

Since then, I've always made a point of disabling routed, and hard-coding default routes, so I don't get any nasty surprises.

Ken
--
Kenneth Merry
ken@ulc199.residence.gatech.edu
Disclaimer: I don't speak for GTRI, GT, or Elvis.
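The failure mode Ken describes (a host running `routed -q` installs whatever a RIP Response on the LAN tells it, so anyone who advertises 0.0.0.0 with a low metric becomes its default gateway) can be watched for on the wire rather than discovered after the fact. The Python below is an added example for this archive, not code from the thread or from FreeBSD's routed(8): it decodes RIPv1/RIPv2 Response payloads in their RFC 1058 / RFC 2453 wire format and reports any route, the default route in particular, advertised by a source that is not in a configured set of known routers, plus RIPv2 responses that carry no authentication entry (the gap Garrett Wollman points out later in this thread). Everything in it is constructed: the 192.0.2.x addresses, the trusted-router set, the `example-key` password, and the two datagrams; the functions for building packets and for capturing UDP/520 traffic to feed `audit_rip_response` are assumptions outside the thread.

```python
"""RIP advertisement auditor: added example, not from the mailing list or routed(8).

Parses RIPv1/RIPv2 Response payloads (RFC 1058 / RFC 2453 wire format) and
reports the condition the thread warns about: a default route advertised by a
host that is not one of the known routers. All addresses and the password below
are constructed sample data; the payloads would normally come from UDP/520
datagrams captured on the LAN (capture itself is outside this example).
"""
import ipaddress
import struct

RIP_RESPONSE = 2        # command byte: Response (carries routes a listener may install)
AF_INET = 2             # address family of an ordinary route entry
AF_AUTH = 0xFFFF        # family value that marks a RIPv2 authentication entry
AUTH_SIMPLE = 2         # RIPv2 "simple password" authentication type
ENTRY_LEN = 20          # every RIP entry is 20 bytes on the wire


def build_rip_response(version, routes, password=None):
    """Build a RIP Response payload from (prefix, mask, metric) tuples.

    Used here only to construct test datagrams. RIPv1 has no mask/next-hop
    fields, so those 8 bytes are zero when version == 1.
    """
    payload = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if password is not None and version == 2:
        payload += struct.pack("!HH16s", AF_AUTH, AUTH_SIMPLE,
                               password.encode().ljust(16, b"\0"))
    for prefix, mask, metric in routes:
        mask_bytes = ipaddress.IPv4Address(mask).packed if version == 2 else b"\0" * 4
        payload += struct.pack("!HH4s4s4sI", AF_INET, 0,
                               ipaddress.IPv4Address(prefix).packed,
                               mask_bytes, b"\0" * 4, metric)
    return payload


def parse_rip(payload):
    """Decode a RIP payload into {command, version, auth, routes}."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP payload (%d bytes)" % len(payload))
    command, version, _ = struct.unpack("!BBH", payload[:4])
    auth, routes = None, []
    for off in range(4, len(payload), ENTRY_LEN):
        entry = payload[off:off + ENTRY_LEN]
        family = struct.unpack("!H", entry[:2])[0]
        if family == AF_AUTH:
            # RFC 2453: an authentication entry is only valid as the first
            # entry of a version-2 packet.
            if off != 4 or version != 2:
                raise ValueError("misplaced authentication entry")
            auth = {"type": struct.unpack("!H", entry[2:4])[0], "data": entry[4:]}
            continue
        _, _tag, ip, mask, next_hop, metric = struct.unpack("!HH4s4s4sI", entry)
        routes.append({
            "prefix": str(ipaddress.IPv4Address(ip)),
            "mask": str(ipaddress.IPv4Address(mask)),
            "next_hop": str(ipaddress.IPv4Address(next_hop)),
            "metric": metric,
        })
    return {"command": command, "version": version, "auth": auth, "routes": routes}


def audit_rip_response(src_ip, payload, trusted_routers, require_auth=True):
    """Return a list of findings for one RIP datagram received from src_ip.

    A routed -q listener would install any of these routes; the audit instead
    reports what an untrusted sender is trying to get installed.
    """
    pkt = parse_rip(payload)
    findings = []
    if pkt["command"] != RIP_RESPONSE:
        return findings  # Requests do not change anyone's routing table
    if src_ip not in trusted_routers:
        for route in pkt["routes"]:
            what = ("default route" if route["prefix"] == "0.0.0.0"
                    else "route to %s/%s" % (route["prefix"], route["mask"]))
            findings.append("%s advertised by untrusted host %s (metric %d)"
                            % (what, src_ip, route["metric"]))
    if pkt["version"] == 2 and require_auth and pkt["auth"] is None:
        findings.append("unauthenticated RIPv2 response from %s" % src_ip)
    return findings


# Constructed sample data (documentation-range addresses, not the thread's networks).
TRUSTED_ROUTERS = {"192.0.2.1"}                 # the one legitimate gateway
ROGUE_SRC = "192.0.2.50"                         # a host running routed -g -s
ROGUE_PKT = build_rip_response(1, [("0.0.0.0", "0.0.0.0", 1)])
GOOD_SRC = "192.0.2.1"
GOOD_PKT = build_rip_response(
    2, [("0.0.0.0", "0.0.0.0", 1), ("10.1.0.0", "255.255.0.0", 3)],
    password="example-key")                      # placeholder, not a real key

if __name__ == "__main__":
    for src, pkt in ((ROGUE_SRC, ROGUE_PKT), (GOOD_SRC, GOOD_PKT)):
        for finding in audit_rip_response(src, pkt, TRUSTED_ROUTERS):
            print("ALERT:", finding)
```

Run stand-alone it prints one alert, for the RIPv1 default route from 192.0.2.50, and nothing for the authenticated RIPv2 response from the known gateway. Two caveats worth keeping in mind when adapting it: the RFC 2453 simple-password entry goes over the wire in cleartext, so it stops misconfigured neighbours like the ones in Ken's dorm, not anyone who can sniff the segment (RFC 2082 keyed-MD5 authentication is the stronger option), and the trusted-router set is only as good as the address it keys on, since RIP carries no proof of the sender's identity beyond that authentication entry.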
From owner-freebsd-security Sun Jun 30 14:44:34 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA19529 for security-outgoing; Sun, 30 Jun 1996 14:44:34 -0700 (PDT)
Received: from skipper.epsilon.nl (skipper.epsilon.nl [194.178.91.12]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA19524 for ; Sun, 30 Jun 1996 14:44:29 -0700 (PDT)
Received: from async28.epsilon.nl (async28.epsilon.nl [194.178.91.78]) by skipper.epsilon.nl (8.6.12/8.6.12) with SMTP id XAA22453; Sun, 30 Jun 1996 23:40:05 +0200
Received: by async28.epsilon.nl with Microsoft Mail id <01BB66DE.4DEBEA20@async28.epsilon.nl>; Sun, 30 Jun 1996 23:46:05 +-200
Message-ID: <01BB66DE.4DEBEA20@async28.epsilon.nl>
From: Jouke Dijkstra
To: "'Brian Tao'"
Cc: "security@FreeBSD.ORG"
Subject: AW: I need help on this one - please help me track this guy down!
Date: Sun, 30 Jun 1996 23:46:01 +-200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

You should re-read the archives.. He would have put a virus in the quake dist if he wanted to do much damage. Besides, it would be the wrong timing to do such a thing. He'd rather wait till just after a new -RELEASE.

To the FreeBSD team: Thanks a LOT for such a great OS. As a system administrator, it gives me the ability to go home at 6 pm, and have some nice dreams about a girl instead of nightmares about crashing computers.

- Jouke

----------
From: Brian Tao[SMTP:taob@io.org]
Sent: Sunday 30 June 1996 14:48
To: Terry Lambert
CC: jkh@time.cdrom.com; security@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!

On Mon, 24 Jun 1996, Terry Lambert wrote:
>
> The list is endless, which is why you reinstall. You can trust every
> binary from the distribution media.

Unless, of course, the distribution media itself was compromised (which would have been the case if the hacker generated his own tarballs for the ftp.freebsd.org). :(

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sun Jun 30 16:59:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA28006 for security-outgoing; Sun, 30 Jun 1996 16:59:20 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA27997 for ; Sun, 30 Jun 1996 16:59:17 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id TAA12550; Sun, 30 Jun 1996 19:55:08 -0400 (EDT)
Date: Sun, 30 Jun 1996 19:55:57 -0400 (EDT)
From: Brian Tao
To: Kenneth Merry
cc: security@freebsd.org
Subject: Is "routed -q" necessary?
In-Reply-To: <199606302111.RAA23445@ulc199.residence.gatech.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 30 Jun 1996, Kenneth Merry wrote:
>
> It depends on what your network setup looks like. If you control all
> the machines on your subnet, there's no problem with running routed
> -q.

Since I only have one default router anyway, there is no need to run routed at all? I figured it might help keep the routing tables down to a manageable size, with static and dynamic IP connections coming and going all the time.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sun Jun 30 17:44:34 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA02763 for security-outgoing; Sun, 30 Jun 1996 17:44:34 -0700 (PDT)
Received: from ulc199.residence.gatech.edu (root@ulc199.residence.gatech.edu [199.77.162.99]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA02754 for ; Sun, 30 Jun 1996 17:44:31 -0700 (PDT)
Received: (from ken@localhost) by ulc199.residence.gatech.edu (8.7.5/8.7.3) id UAA24617 Sun, 30 Jun 1996 20:44:22 -0400 (EDT)
From: Kenneth Merry
Message-Id: <199607010044.UAA24617@ulc199.residence.gatech.edu>
Subject: Re: Is "routed -q" necessary?
To: taob@io.org (Brian Tao)
Date: Sun, 30 Jun 1996 20:44:21 -2800 (EDT)
Cc: security@freebsd.org
In-Reply-To: from Brian Tao at "Jun 30, 96 07:55:57 pm"
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Brian Tao wrote:
> On Sun, 30 Jun 1996, Kenneth Merry wrote:
> >
> > It depends on what your network setup looks like. If you control all
> > the machines on your subnet, there's no problem with running routed
> > -q.
>
> Since I only have one default router anyway, there is no need to
> run routed at all? I figured it might help keep the routing tables
> down to a manageable size, with static and dynamic IP connections
> coming and going all the time.

Well, there *might* be a reason to run routed, even if you only have one default router, and you hardwire the default router in ahead of time. It might make it easier if you ever had to take the default router down, and didn't want the machines on the subnet to lose connectivity. You could put in a replacement router, and have it start advertising itself as the default route. Hopefully the machines on the subnet would pick up on that (because of routed) and use the replacement router. Then, you could take the 'normal' router down.

As for keeping routing tables down to a manageable size, I dunno. Machines I've seen at work tend to pick up lots of unnecessary routes when running routed. Machines that don't run routed only have the routes that are necessary -- one for hosts on the same subnet, and the 'default' route, for everything else.

Someone more familiar with routing stuff might have a better answer, though. I'm speaking from experience in a somewhat limited environment.
Ken
--
Kenneth Merry
ken@ulc199.residence.gatech.edu
Disclaimer: I don't speak for GTRI, GT, or Elvis.

From owner-freebsd-security Sun Jun 30 18:52:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA09167 for security-outgoing; Sun, 30 Jun 1996 18:52:06 -0700 (PDT)
Received: from einstein.technet.sg (ngps@einstein.technet.sg [192.169.33.50]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA09112 for ; Sun, 30 Jun 1996 18:52:02 -0700 (PDT)
Received: (from ngps@localhost) by einstein.technet.sg (8.7.3/8.6.9) id JAA29168; Mon, 1 Jul 1996 09:51:48 +0800 (SST)
Date: Mon, 1 Jul 1996 09:51:46 +0800 (SST)
From: Ng Pheng Siong
X-Sender: ngps@einstein.technet.sg
To: Brian Tao
cc: Kenneth Merry, security@freebsd.org
Subject: Re: Is "routed -q" necessary?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 30 Jun 1996, Brian Tao wrote:
> Since I only have one default router anyway, there is no need to
> run routed at all? I figured it might help keep the routing tables
> down to a manageable size, with static and dynamic IP connections
> coming and going all the time.

Yup, and tell your router not to [bm]cast routing info onto your single-homed LAN, too.

- PS
--
Ng Pheng Siong * Finger for PGP key.
Pacific Internet Pte Ltd * Singapore
Fast, secure, cheap. Pick two.

From owner-freebsd-security Sun Jun 30 19:42:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA14813 for security-outgoing; Sun, 30 Jun 1996 19:42:55 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA14781 for ; Sun, 30 Jun 1996 19:42:40 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id WAA13469; Sun, 30 Jun 1996 22:38:29 -0400 (EDT)
Date: Sun, 30 Jun 1996 22:39:19 -0400 (EDT)
From: Brian Tao
To: Kenneth Merry
cc: security@freebsd.org
Subject: Re: Is "routed -q" necessary?
In-Reply-To: <199607010044.UAA24617@ulc199.residence.gatech.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 30 Jun 1996, Kenneth Merry wrote:
>
> Well, there *might* be a reason to run routed, even if you only have
> one default router, and you hardwire the default router in ahead of
> time.

Is it possible to tell routed not to mess with the default route? Our main router to the Internet for this subnet is a Cisco, but there are also Ascends and Livingston PM-2e's providing routing for dialup customers. I think I need to be running routed if I want to use a classless routing protocol like RIPv2. We have a couple of Web servers that each have a /25, which isn't possible with just RIP.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Mon Jul 1 07:55:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA02160 for security-outgoing; Mon, 1 Jul 1996 07:55:20 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA02148 for ; Mon, 1 Jul 1996 07:55:15 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id KAA16958 for ; Mon, 1 Jul 1996 10:55:11 -0400 (EDT)
Date: Mon, 1 Jul 1996 10:55:11 -0400 (EDT)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: Possible to block ARP?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm trying to make my firewall totally invisible to certain machines on my network. The only thing I can't seem to get rid of is its entry in the ARP tables when someone tries to ping its IP address. Is this possible?

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Mon Jul 1 08:28:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA04315 for security-outgoing; Mon, 1 Jul 1996 08:28:55 -0700 (PDT)
Received: from rocky.mt.sri.com ([206.127.76.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA04308 for ; Mon, 1 Jul 1996 08:28:50 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id JAA09543; Mon, 1 Jul 1996 09:28:42 -0600 (MDT)
Date: Mon, 1 Jul 1996 09:28:42 -0600 (MDT)
Message-Id: <199607011528.JAA09543@rocky.mt.sri.com>
From: Nate Williams
To: Brian Tao
Cc: FREEBSD-SECURITY-L
Subject: Re: Possible to block ARP?
In-Reply-To:
References:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I'm trying to make my firewall totally invisible to certain
> machines on my network. The only thing I can't seem to get rid of is
> its entry in the ARP tables when someone tries to ping its IP
> address. Is this possible?

Do you have access to the machine in question? If so, you can 'add' a permanent fake-ARP entry on that box, which would be easier than trying to add a kernel hack to avoid having its ARP entry published.

Find an ethernet address of a machine that doesn't exist on your network (feel free to use this one '00:00:c0:50:b9:0a') and tell the machines you don't want to have access to your firewall that this is the entry for that machine. ie;

# arp -s firewall.brian.tao 00:00:c0:50:b9:0a pub
# ping firewall.brian.tao
[ Nothing ]

If you don't have access to those machines, then there's no easy way of 'selectively' responding to ARP requests depending on the originator.

Nate

From owner-freebsd-security Mon Jul 1 09:27:19 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA07862 for security-outgoing; Mon, 1 Jul 1996 09:27:19 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA07847 for ; Mon, 1 Jul 1996 09:27:15 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id MAA17735; Mon, 1 Jul 1996 12:27:01 -0400 (EDT)
Date: Mon, 1 Jul 1996 12:27:01 -0400 (EDT)
From: Brian Tao
To: Nate Williams
cc: FREEBSD-SECURITY-L
Subject: Re: Possible to block ARP?
In-Reply-To: <199607011528.JAA09543@rocky.mt.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 1 Jul 1996, Nate Williams wrote:
>
> If you don't have access to those machines, then there's no easy way
> of 'selectively' responding to ARP requests depending on the
> originator.

Hmmm, that would have been optimal, but your suggestion of publishing a fake ARP entry should work well enough. I'd only have to worry about routers that can show their ARP cache, but not let you override them. Users don't (shouldn't) have admin access to those boxes anyway...

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Mon Jul 1 09:39:26 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA08896 for security-outgoing; Mon, 1 Jul 1996 09:39:26 -0700 (PDT)
Received: from uu.elvisti.kiev.ua (acc0.elvisti.kiev.ua [193.125.28.132]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA08878 for ; Mon, 1 Jul 1996 09:38:32 -0700 (PDT)
Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.129]) by uu.elvisti.kiev.ua (8.7.5/8.7.3) with ESMTP id TAA20774; Mon, 1 Jul 1996 19:57:46 +0300 (EET DST)
Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id TAA18740; Mon, 1 Jul 1996 19:57:45 +0300
From: "Andrew V. Stesin"
Message-Id: <199607011657.TAA18740@office.elvisti.kiev.ua>
Subject: Re: Possible to block ARP?
To: nate@mt.sri.com (Nate Williams)
Date: Mon, 1 Jul 1996 19:57:44 +0300 (EET DST)
Cc: taob@io.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <199607011528.JAA09543@rocky.mt.sri.com> from "Nate Williams" at Jul 1, 96 09:28:42 am
X-Mailer: ELM [version 2.4 PL24alpha5]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

# Do you have access to the machine in question? If so, you can 'add' a
# permanent fake-ARP entry on that box, which would be easier than trying
# to add a kernel hack to avoid having its ARP entry published.

What about the following: disable ARP on the firewall's ether interface, and add permanent ARP entries _on the firewall_ for the boxes allowed to access it? (I guess that if some other guy will insert even a real ARP entry for the firewall, the firewall won't be able to send him any reply. In combination with IP filtering this should be enough?)

--
With best regards -- Andrew Stesin.
Phones/fax: +380 (44) { 244-0122, 276-0188, 271-3457, 271-3560 }
"You may delegate authority, but not responsibility." Frank's Management Rule #1.

From owner-freebsd-security Mon Jul 1 11:08:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA18523 for security-outgoing; Mon, 1 Jul 1996 11:08:58 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA18511; Mon, 1 Jul 1996 11:08:54 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id LAA06008; Mon, 1 Jul 1996 11:07:07 -0700
From: Terry Lambert
Message-Id: <199607011807.LAA06008@phaeton.artisoft.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: taob@io.org (Brian Tao)
Date: Mon, 1 Jul 1996 11:07:07 -0700 (MST)
Cc: terry@lambert.org, hackers@FreeBSD.ORG, security@FreeBSD.ORG
In-Reply-To: from "Brian Tao" at Jun 30, 96 12:43:57 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> On Sun, 23 Jun 1996, Terry Lambert wrote:
> >
> > 9) Make sure you aren't running routed -q.
>
> Why not?

The University of Utah was attacked by a guy in the Mac lab claiming to be the default gateway.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.

From owner-freebsd-security Mon Jul 1 11:31:38 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA22009 for security-outgoing; Mon, 1 Jul 1996 11:31:38 -0700 (PDT)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA21989 for ; Mon, 1 Jul 1996 11:31:32 -0700 (PDT)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA09457; Mon, 1 Jul 1996 14:31:15 -0400
Date: Mon, 1 Jul 1996 14:31:15 -0400
From: Garrett Wollman
Message-Id: <9607011831.AA09457@halloran-eldar.lcs.mit.edu>
To: Brian Tao
Cc: security@freebsd.org
Subject: Is "routed -q" necessary?
In-Reply-To:
References: <199606302111.RAA23445@ulc199.residence.gatech.edu>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

< said:
> run routed at all? I figured it might help keep the routing tables
> down to a manageable size, with static and dynamic IP connections
> coming and going all the time.

The routing tables are already a manageable size; you don't need to do anything to them at all. (There is, however, a small nit as regards ICMP redirects which `routed' would deal with for you.) You can also run `routed' in ``router discovery'' mode if you so desire, although this doesn't completely exist as yet.

Since this is the security list, I would point out that the -current routed(8) does not support RIPv2 security. It should, and I hope that the recently added key(4)/keyadmin(8) facility can be used to handle the key-management functions. (I should probably add a hook in /etc/rc to automatically load any statically-configured keys.)

-GAWollman

--
Garrett A. Wollman | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish.
- Claude McKenzie + Florent Vollant

From owner-freebsd-security Tue Jul 2 02:14:30 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA14191 for security-outgoing; Tue, 2 Jul 1996 02:14:30 -0700 (PDT)
Received: from sk2eu.eunet.sk (sk2eu.EUnet.sk [192.108.130.33]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id CAA14169 for ; Tue, 2 Jul 1996 02:14:15 -0700 (PDT)
Received: from softec.sk by sk2eu.eunet.sk with UUCP id AA09639 Tue, 2 Jul 1996 11:14:02 +0200
Subject: securelevel and modload
To: freebsd-security@freebsd.org
Date: Tue, 2 Jul 1996 11:01:41 +0200 (CET)
From: Zoltan Basti
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <9607021101.aa20796@softec.softec.sk>
X-Charset: ASCII
X-Char-Esc: 29
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello there,

I think the FreeBSD kernel securelevel functionality together with the schg and sappnd flags are a very good idea to make systems more secure. I like the idea of unchangeable securelevel, unchangeable flags etc. But I don't know whether this all securelevel stuff can be eliminated by a loadable kernel module, which, say, changes the value of the variable securelevel.

So what's the situation?

Anyway, from a security point of view I would like to completely disable loadable kernel modules. Is there a way to do it?

Thanks in advance,
--
Zoltan Basti

From owner-freebsd-security Tue Jul 2 03:46:37 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA25871 for security-outgoing; Tue, 2 Jul 1996 03:46:37 -0700 (PDT)
Received: from shogun.tdktca.com ([206.26.1.21]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA25861 for ; Tue, 2 Jul 1996 03:46:34 -0700 (PDT)
Received: from shogun.tdktca.com (daemon@localhost) by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id FAA13581 for ; Tue, 2 Jul 1996 05:47:48 -0500 (CDT)
Received: from orion.fa.tdktca.com ([163.49.131.130]) by shogun.tdktca.com (8.7.2/8.7.2) with SMTP id FAA13576 for ; Tue, 2 Jul 1996 05:47:47 -0500 (CDT)
Received: (from alex@localhost) by orion.fa.tdktca.com (8.6.12/8.6.9) id FAA17709; Tue, 2 Jul 1996 05:49:46 -0500
Date: Tue, 2 Jul 1996 05:49:46 -0500
Message-Id: <199607021049.FAA17709@orion.fa.tdktca.com>
From: Alex Nash
To: zbs@softec.softec.sk
Cc: freebsd-security@freebsd.org
Subject: Re: securelevel and modload
Reply-to: alex@fa.tdktca.com
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I think the FreeBSD kernel securelevel functionality together with
> the schg and sappnd flags are a very good idea to make systems
> more secure. I like the idea of unchangeable securelevel,
> unchangeable flags etc. But I don't know whether this
> all securelevel stuff can be eliminated by a
> loadable kernel module, which, say, changes the value of
> the variable securelevel.
>
> So what's the situation?
>
> Anyway, from a security point of view I would like to completely
> disable loadable kernel modules. Is there a way to do it?

You cannot load or unload LKMs at securelevels greater than 0. This is the case with -current as of Nov 29th 1995, and -stable as of May 31st 1996.

Alex

From owner-freebsd-security Tue Jul 2 19:36:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA01130 for security-outgoing; Tue, 2 Jul 1996 19:36:29 -0700 (PDT)
Received: from biblioteca.campus.unal.edu.co ([200.21.26.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id TAA01103 for ; Tue, 2 Jul 1996 19:36:23 -0700 (PDT)
Received: by biblioteca.campus.unal.edu.co (AIX 3.2/UCB 5.64/4.03) id AA15817; Tue, 2 Jul 1996 21:34:27 -0400
Date: Tue, 2 Jul 1996 21:34:27 -0400 (EDT)
From: "Pedro F. Giffuni S."
To: security@freebsd.org
Subject: Sendmail cracked!

Hello:

I am running kerberos and DES, but to my surprise my 2 FreeBSDs and my AIXs received me with a funny message: /etc/motd was modified and wtmp erased. I knew I was under attack before because of some failed logins on my fbsds, and strange "cannot execute" messages in my AIXs' root mail. By the message I received, I know other computers in the campus are cracked also.

My solution was securing sendmail by running it in the inetd.conf with tcp_wrappers. It is a last moment solution... Is there a new sendmail, a patch, or a configuration option?

regards,
Pedro.

From owner-freebsd-security Tue Jul 2 22:07:32 1996
Date: Wed, 3 Jul 1996 01:08:01 -0400 (EDT)
From: Douglas Song
To: "Pedro F. Giffuni S."
cc: security@freebsd.org
Subject: Re: Please, please...

Get the latest version of BIND. This will help thwart DNS spoofing attacks, but DNS just doesn't have any real security to begin with, so keep that in mind.

Check out the smap sendmail proxy from the TIS firewall toolkit (ftp://ftp.tis.com/pub/firewalls/toolkit, I believe). Sendmail does NOT need to be setuid root, and you don't want to run that beast out of inetd anyhow. Maybe FreeBSD could take a great step forward by incorporating smap and other security tools into the standard distribution?

Hose the s-bit off all unnecessary binaries (suidperl and the mount_* commands come to mind ;) and consider a clean reinstall, if you haven't been running tripwire or something like it.

Best of luck...

---
Douglas Song
dugsong@monkey.org

From owner-freebsd-security Tue Jul 2 22:13:36 1996
Date: Tue, 2 Jul 1996 22:17:01 -0700 (PDT)
From: Tom Samplonius
To: "Pedro F. Giffuni S."
cc: security@FreeBSD.org
Subject: Re: Sendmail cracked!

On Tue, 2 Jul 1996, Pedro F. Giffuni S. wrote:

> Hello:
> I am running kerberos and DES, but to my surprise my 2 FreeBSD's and my
> AIX's received me with a funny message: /etc/motd was modified and wtmp
> erased.
> I knew I was under attack before because of some failed logins, on my fbsds,
> and strange "cannot execute" messages un my AIXs root mail. By the message I
> received, I know other computers in the campus are cracked also.
>
> My solution was securing sendmail by running it in the inetd.conf with
> tcp_wrappers. It is a last moment solution...Is there a new sendmail, a
> patch, or a configuration option?
>
> regards,
> Pedro.
>

How do you know it was Sendmail?

Tom

From owner-freebsd-security Tue Jul 2 23:35:56 1996
Date: Tue, 2 Jul 1996 23:35:43 -0700 (PDT)
From: Steve Reid
To: freebsd-security@freebsd.org
Subject: Tripwire - latest version?

Can someone please direct me to the latest version of Tripwire? I've looked around, but the newest version I could find was over a year old... Has there been no recent development on this program, or am I just looking in the wrong places?

From owner-freebsd-security Wed Jul 3 08:53:47 1996
Date: Wed, 3 Jul 1996 10:51:25 -0400 (EDT)
From: "Pedro F. Giffuni S."
To: Matt Bartley
Cc: security@freebsd.org, stable@freebsd.org
Subject: What is known about The security hole
In-Reply-To: <199607030559.WAA18214@lear35.cytex.com>

On Tue, 2 Jul 1996, Matt Bartley wrote:

> With all due discretion, what happened to you with the 8.6.13 that's
> in 2.1.0?

Since everyone wants to know the details, here they are:

I manage 3 machines: 2 FreeBSDs and an AIX 3.2.5. I have always kept tcpd running, and all the r* services closed. I considered my machines had acceptable security, until I started noting:

1) delayed or bouncing mail
2) a fbsd message "removed from mail queue" on console
3) a mail reply, that I didn't send, saying the mailer could not execute the requested command
4) The fbsd that I installed first was specially damaged: permissions were changed and it has problems resolving names
5) /etc/motd was modified; the sarcastic message included excerpts from a mail message I had sent weeks ago to the netadmin.
6) The cracker even sent me mail from root's account, and on that date no one logged in!

Most of our machines are cracked, but one of the things that surprised me was that a private fbsd, installed a week ago, also fell.

I would suggest having smrsh included by default in sendmail's configuration in new releases, and immediate upgrades in sendmail and BIND. On a non-release level, excellent proposals have been replacing sendmail by ZMail or qMail, or shutting down sendmail and running it with crontab.

Pedro.
From owner-freebsd-security Wed Jul 3 09:33:16 1996
Date: Wed, 3 Jul 1996 09:36:42 -0700 (PDT)
From: Tom Samplonius
To: "Pedro F. Giffuni S."
cc: Matt Bartley, security@freebsd.org, stable@freebsd.org
Subject: Re: What is known about The security hole

On Wed, 3 Jul 1996, Pedro F. Giffuni S. wrote:

> I would suggest having smrsh included by default in sendmail's configuration
> in new releases, and immediate upgrades in sendmail and BIND.

I'd also like to add that CERT issued an advisory about Sendmail 8.6.12 several months ago. Either 8.6.13 or 8.7.5 is recommended.

Tom

From owner-freebsd-security Wed Jul 3 10:44:47 1996
To: Douglas Song
cc: "Pedro F. Giffuni S.", security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: Please, please...
In-reply-to: Your message of "Wed, 03 Jul 1996 01:08:01 EDT."
Date: Wed, 03 Jul 1996 18:36:16 +0100
Message-ID: <10559.836415376@palmer.demon.co.uk>

Douglas Song wrote in message ID :

> Check out the smap sendmail proxy from the TIS firewall toolkit
> (ftp://ftp.tis.com/pub/firewalls/toolkit, I believe). Sendmail does NOT
> need to be setuid root, and you don't want to run that beast out of inetd
> anyhow. Maybe FreeBSD could take a great step forward by incorporating
> smap and other security tools into the standard distribution?

Uh-uh. We can't. To quote someone I spoke to at TIS: ``No form of redistribution is allowed, even mirroring''. TIS's FWTK is in ports, but we can't even put the distfile on the CDROM; you have to FTP it (I can understand why too). So SMAP will NEVER become part of our release.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Wed Jul 3 16:10:39 1996
Date: Wed, 3 Jul 1996 19:21:07 -0400 (EDT)
From: Dan Polivy
To: freebsd-security@freebsd.org
Subject: is FreeBSD's rdist vulnerable?

Hey,

Has anyone read 8lgm's rdist advisory and attempted to see whether or not FreeBSD's rdist is vulnerable? I use rdist to update various files here, and so I suppose getting rid of the setuid bit would break it? Thanks...

Dan

--
Dan Polivy, Systems Administrator, JRI Health Information Systems, http://www.jri.org/ (Powered by FreeBSD!)
Webmaster, The Lion's Roar Online! http://www.roar.pride.net/~roar/

From owner-freebsd-security Wed Jul 3 20:02:13 1996
Date: Wed, 3 Jul 1996 23:01:39 -0400 (EDT)
From: Brian Tao
To: Dan Polivy
cc: freebsd-security@FreeBSD.ORG
Subject: Re: is FreeBSD's rdist vulnerable?

On Wed, 3 Jul 1996, Dan Polivy wrote:
>
> Has anyone read 8lgm's rdist advisory and attempted to see whether or not
> FreeBSD's rdist is vulnerable?

For those of you who haven't seen the advisory...

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
>>>>>
From: "[8LGM] Security Team" <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================
libC/Inside provided by Electris Software Limited
mail electris@electris.com or see http://www.electris.com
=============================================================================

[8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

rdist

VULNERABLE VERSIONS:

Solaris 2.*
SunOS 4.1.*
Potentially all versions running setuid root.

DESCRIPTION:

rdist creates an error message based on a user provided string, without checking bounds on the buffer used. This buffer is on the stack, and can therefore be used to execute arbitrary instructions.

IMPACT:

Local users can obtain superuser privileges.

EXPLOIT:

A program was developed to verify this bug on a SunOS 4.1.3 machine, and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

Consider the following command, running as user bin.

# rdist -d TestString -d TestString
rdist: line 1: TestString redefined
distfile: No such file or directory
#

Using libC/Inside, the following trace was obtained:-

-----------------------------------------------------------------------
libC/Inside Shared Library Tracing. V1.0 (Solaris 2.5).
Copyright (C) 1996, Electris Software Limited, All Rights Reserved.
Tracing started Thu May 9 00:04:19 1996
Pid is 18738
Log file is /tmp/Inside.18738
Log file descriptor is 3
uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)
Program is rdist
_start+0x30->atexit(call_fini) return(0)
_start+0x3c->atexit(_fini) return(0)
main+0x28->getuid() return(2)
main+0x38->seteuid(2) return(0)
main+0x5c->getuid() return(2)
main+0x64->getpwuid(2) return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
    pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
main+0xb0->strcpy(user, "bin") return("bin")
main+0xc4->strcpy(homedir, "/usr/bin") return("/usr/bin")
main+0xd4->gethostname(host, 32) return(0) (Arg 0 = "legless")
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x11c->malloc(16) return(0x33220)
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x88->strcmp("TestString", "TestString") return(0)
lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString") return(20) (Arg 0 = "TestString redefined")
yyerror+0x1c->fflush(stdout) return(0)
lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
    "TestString redefined") return(36)
main+0x444->mktemp("/tmp/rdistXXXXXX") return("/tmp/rdista004_m")
main+0x4d8->fopen("distfile", "r") return((null))
main+0x4fc->fopen("Distfile", "r") return((null))
main+0x560->perror("distfile") return()
main+0x568->exit(1)
-----------------------------------------------------------------------

At lookup+0xcc, sprintf() copies the string provided to an address on the stack. rdist does not check the length of this string, so a large string would overwrite the stack.

FIX:

Use a version of rdist that does not require setuid root privileges.
Obtain a patch from your vendor.

STATUS UPDATE:

The file:
[8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README
will be created on www.8lgm.org.
This will contain updates on any further versions which are found to be vulnerable, and any other information received pertaining to this advisory.

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

majordomo@8lgm.org (Mailing list requests - try 'help' for details)
8lgm@8lgm.org (Everything else)

8LGM FILESERVER:

All [8LGM] advisories may be obtained via the [8LGM] fileserver. For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

[8LGM]'s web server can be reached at http://www.8lgm.org. This contains details of all 8LGM advisories and other useful information.
===========================================================================

--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org (Fileserver help)
majordomo@8lgm.org (Request to be added to list)
8lgm@8lgm.org (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool now available to the public. Visit http://www.electris.com
<<<<<

From owner-freebsd-security Thu Jul 4 00:50:20 1996
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199607040750.JAA14410@gvr.win.tue.nl>
Subject: Re: is FreeBSD's rdist vulnerable?
To: danp@carebase3.jri.org (Dan Polivy)
Date: Thu, 4 Jul 1996 09:50:02 +0200 (MET DST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from Dan Polivy at "Jul 3, 96 07:21:07 pm"

Dan Polivy wrote:
> Hey,
>
> Has anyone read 8lgm's rdist advisory and attempted to see whether or not
> FreeBSD's rdist is vulnerable? I use rdist to update various files here,
> and so I suppose getting id of the setuid bit would break it? Thanks...

Yes it is vulnerable.

-Guido

From owner-freebsd-security Thu Jul 4 02:41:54 1996
Date: Thu, 4 Jul 1996 04:38:43 -0500 (EST)
From: Jim Riffle
To: freebsd-security@freebsd.org
Subject: Anyone have lists of vulnerable FreeBSD programs

I just started subscribing to this list about a week ago and I am not scared :) Does anyone have a listing of programs which come with FreeBSD 2.1.0-Release which are vulnerable, and possible fixes?

I am planning on upgrading to 2.1.5 when it is released, which I assume will take care of these vulnerabilities if nobody has a list. Correct?

Thanks,
Jim

From owner-freebsd-security Thu Jul 4 04:03:29 1996
From: Guido van Rooij
Message-Id: <199607041059.MAA04054@spooky.lss.cp.philips.com>
Subject: Re: Anyone have lists of vulnerable FreeBSD programs
To: jriffle@ns.kconline.com (Jim Riffle)
Date: Thu, 4 Jul 1996 12:59:40 +0200 (MET DST)
Cc: freebsd-security@freebsd.org
Reply-To: Guido.vanRooij@nl.cis.philips.com
In-Reply-To: from Jim Riffle at "Jul 4, 96 04:38:43 am"

Jim Riffle wrote:
> I just started subscribing to this list about a week ago and I am not
> scared :) Does anyone have a listing programs which come with FreeBSD
> 2.1.0-Release which are vulnerable and possiable fixes?
>
> I am planning on upgrading to 2.1.5 when it is released, which I assume
> will take care of these vulnerabilities if nobody has a list. Correct?
>

Read the advisories on ftp://freefall.freebsd.org/pub/CERT

-Guido

From owner-freebsd-security Thu Jul 4 07:18:37 1996
Date: Thu, 4 Jul 1996 10:18:28 -0400 (EDT)
From: Will Brown
Message-Id: <199607041418.KAA00137@selway.i.com>
To: freebsd-security@freebsd.org
Subject: routing security?

Seems to me that routing protocols such as RIP, OSPF, BGP, etc. would be juicy targets for attack, yet I have never heard of any such attacks or vulnerability - as though they are somehow immune, or have been overlooked, or I have me head in sand. Yes I are hackere loking to you tell me how to cwack your systemes in fun new way :) just kidding (sure, sure:) but any comments on this question would be welcomed, as I want to look into getting beyond using static routes - without compromise.

------------------------============================-----------------------
Will Brown   ewb@zns.net
Zygaena Network Services   http://www.zns.net
Professional Web Design and Hosting at reasonable prices
216-381-6019 (voice)   216-381-6064 (fax)

From owner-freebsd-security Thu Jul 4 08:00:21 1996
Date: Thu, 4 Jul 1996 16:59:56 +0200
Message-Id: <199607041459.QAA23324@irs.inf.tu-dresden.de>
To: freebsd-security@freebsd.org
Subject: [der Mouse ] Re: portmapper dangers
From: hohmuth@inf.tu-dresden.de (Michael Hohmuth)

Given the recent OpenBSD flame war in comp.unix.bsd.*.misc and some recent posting by der Mouse in the Bugtraq mailing list (included below), I'm led to believe that the OpenBSD version of `portmap' has silently had some security bugs fixed.

Would someone from the FreeBSD crew go and check out the diffs (ftp.openbsd.org)? (I can't do that myself as I possess some ignorance wrt NFS, `portmap' and all that stuff.)

I've had some email dialog with der Mouse; he's offered to provide anyone going into this with any details I can't supply, which probably means he will provide you with all the details as I don't have any. :)

Michael
--
Email: hohmuth@inf.tu-dresden.de
WWW: http://www.inf.tu-dresden.de/~mh1/

------- Start of forwarded message -------
From: der Mouse
Subject: Re: portmapper dangers
To: Multiple recipients of list BUGTRAQ
Date: Mon, 1 Jul 1996 14:09:48 -0400
Reply-To: Bugtraq List
Message-ID: <199607011809.OAA05268@Collatz.McRCIM.McGill.EDU>

>> The dangers, according to the code changes I saw, [...]

> So I assume the person you've been corresponding with has found a way
> to exploit that in some novel, clever way? [...] Not to be
> argumentative, but the fact that you can do unauthenticated sets and
> unsets has been documented ever since the O'Reilly RPC book came out
> (read the appendices).

> And as far as I can tell, if outsiders don't have access to your
> portmapper a la portmap3, they still can't do a set or an unset. Has
> your associate found a way around Mr. Venema's access control?

I don't know what the hell he's found. He told me he had found portmap bugs, bad ones that he almost had to break binary compatibility to fix. I asked about revealing them; he said he didn't want to 'cause 8lgm got so badly flamed for giving out bug info. I offered to anonymize him and take any heat myself; he refused, saying he'd want credit.

I found an updated portmap.c up for anonymous ftp, diffed it against other sources I had access to, and came up with the info I posted. The closest source I had handy to diff against (ie, smallest diffs) was the NetBSD source; based on that, I believe 4.4 is probably vulnerable as well. This then made me think that probably Venema's code was also open, which matched well with some other remarks my informant made (I specifically asked about the Venema code). I suppose I should have checked, but searching out and reading Venema's code looked like more time than was worth investing. (Of course, as it turned out... sigh.)
Then he wigged out, telling me I acted irresponsibly because now he had a SunOS machine he couldn't protect, that I missed half-a-dozen important aspects of it, that all I'd done was to draw attention to portmap bugs from black hats with nothing better to do than pore over portmap looking for them.

Yeah, well, I've got a whole lab full of SunOS machines I want to protect too. I can't base my actions on things I know nothing about, and he refused to tell me what the holes were, leading me to believe his reasons for secrecy were not wanting to get flamed, not because they were hard to fix. So I did what I could to find out what I could, since if he won't tell me what I need to protect my machines, I'm damn well going to do my best to search out the information on my own.

His attitude seems to be that if his machines are locked down tight the rest of the world can go to hell for all he cares. I don't feel that way, which is why I posted here instead of just deducing what I could and then keeping quiet, especially since what I did find was easy for an admin to fix, by running a modern portmapper.

(Interestingly, he did say that my message was forwarded to him. This means that he isn't on bugtraq, but that someone was who was close enough to the events to recognize who my unnamed informant was. I wonder what that person's motivations were.)

His last letter was burbling about holding me personally responsible if his machines got cracked in the next few weeks.

At this point, the only reason I have to think that the other holes even _exist_ is that this guy has a history that demonstrates lots of technical skill, so he's not likely to be too far wrong.

And yes, I know this message is bound to provoke further attention directed at portmap.
I don't like the thought that this probably means more cracked systems, possibly even some of the ones I'm supposedly protecting, but the attention is unavoidable given the discussion, and at least _something_ good may come out of it if it ends up provoking widespread exploitation of the holes (assuming I'm right that they exist); that appears to be the one thing that makes vendors actually _fix_ holes.

der Mouse
mouse@collatz.mcrcim.mcgill.edu
01 EE 31 F6 BB 0C 34 36 00 F3 7C 5A C1 A0 67 1D

------- End of forwarded message -------

From owner-freebsd-security Thu Jul 4 11:13:21 1996
Message-Id: <199607041813.LAA09367@freefall.freebsd.org>
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org
Cc: freebsd-security@freebsd.org, first-teams@first.org
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:15.ppp
Date: Mon, 4 Jul 1996 11:10:00 -0700 (PDT)

=============================================================================
FreeBSD-SA-96:15                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          security compromise from ppp
Category:       core
Module:         ppp
Announced:      1996-06-25
Affects:        FreeBSD 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected:      2.1-stable and 2.2-current as of 1996-06-10
FreeBSD only:   unknown
Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:15/
=============================================================================

I.   Background

FreeBSD ships a userland ppp program that can be used by users to set up ppp connections. This program is also known as ijppp. The ppp program has a vulnerability that allows any user to run commands under root privileges.

II.  Problem Description

The ppp program does not properly manage user privileges, allowing users to run any program with root privileges.

III. Impact

This vulnerability can only be exploited by users with a valid account on the local system; such users can easily obtain superuser access.

IV.  Workaround

One may simply disable the setuid bit on all copies of the ppp program. This will close the vulnerability but will only allow the superuser to set up ppp connections.

As root, execute the commands:

# chmod 555 /usr/sbin/ppp

then verify that the setuid permissions of the files have been removed. The permissions array should read "-r-xr-xr-x" as shown here:

# ls -l /usr/sbin/ppp
-r-xr-xr-x  1 root  bin  86016 Nov 16  1995 /usr/sbin/ppp

V.   Solution

Patches are available which eliminate this vulnerability. The following patch should be applied to the system sources and ppp should be rebuilt and reinstalled. The first patch is against the FreeBSD 2.1 and FreeBSD-stable source tree.
The second patch is for FreeBSD-current (version before 1996-06-10). Apply the patch, then (being superuser): # cd /usr/src/usr.sbin/ppp # make depend # make all # make install Index: command.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/ppp/command.c,v retrieving revision 1.5.4.3 retrieving revision 1.5.4.4 diff -u -r1.5.4.3 -r1.5.4.4 --- command.c 1996/02/05 17:02:52 1.5.4.3 +++ command.c 1996/06/10 09:41:49 1.5.4.4 @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: command.c,v 1.5.4.3 1996/02/05 17:02:52 dfr Exp $ + * $Id: command.c,v 1.5.4.4 1996/06/10 09:41:49 ache Exp $ * */ #include @@ -187,9 +187,14 @@ * We are running setuid, we should change to * real user for avoiding security problems. */ - setgid( getgid() ); - setuid( getuid() ); - + if (setgid(getgid()) < 0) { + perror("setgid"); + exit(1); + } + if (setuid(getuid()) < 0) { + perror("setuid"); + exit(1); + } TtyOldMode(); if(argc > 0) execvp(argv[0], argv); Index: chat.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/ppp/chat.c,v retrieving revision 1.4.4.1 retrieving revision 1.4.4.2 diff -u -r1.4.4.1 -r1.4.4.2 --- chat.c 1995/10/06 11:24:31 1.4.4.1 +++ chat.c 1996/06/10 09:41:45 1.4.4.2 @@ -18,7 +18,7 @@ * Columbus, OH 43221 * (614)451-1883 * - * $Id: chat.c,v 1.4.4.1 1995/10/06 11:24:31 davidg Exp $ + * $Id: chat.c,v 1.4.4.2 1996/06/10 09:41:45 ache Exp $ * * TODO: * o Support more UUCP compatible control sequences. 
@@ -331,6 +331,15 @@ nb = open("/dev/tty", O_RDWR); dup2(nb, 0); LogPrintf(LOG_CHAT, "exec: %s\n", command); + /* switch back to original privileges */ + if (setgid(getgid()) < 0) { + LogPrintf(LOG_CHAT, "setgid: %s\n", strerror(errno)); + exit(1); + } + if (setuid(getuid()) < 0) { + LogPrintf(LOG_CHAT, "setuid: %s\n", strerror(errno)); + exit(1); + } pid = execvp(command, vector); LogPrintf(LOG_CHAT, "execvp failed for (%d/%d): %s\n", pid, errno, command); exit(127);

Patch for FreeBSD-current before 1996-06-10:

Index: command.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/ppp/command.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- command.c 1996/05/11 20:48:22 1.17 +++ command.c 1996/06/09 20:40:58 1.18 @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: command.c,v 1.17 1996/05/11 20:48:22 phk Exp $ + * $Id: command.c,v 1.18 1996/06/09 20:40:58 ache Exp $ * */ #include @@ -190,9 +190,14 @@ * We are running setuid, we should change to * real user for avoiding security problems. */ - setgid( getgid() ); - setuid( getuid() ); - + if (setgid(getgid()) < 0) { + perror("setgid"); + exit(1); + } + if (setuid(getuid()) < 0) { + perror("setuid"); + exit(1); + } TtyOldMode(); if(argc > 0) execvp(argv[0], argv); Index: chat.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/ppp/chat.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- chat.c 1996/05/11 20:48:20 1.10 +++ chat.c 1996/06/09 20:40:56 1.11 @@ -18,7 +18,7 @@ * Columbus, OH 43221 * (614)451-1883 * - * $Id: chat.c,v 1.10 1996/05/11 20:48:20 phk Exp $ + * $Id: chat.c,v 1.11 1996/06/09 20:40:56 ache Exp $ * * TODO: * o Support more UUCP compatible control sequences.
@@ -393,6 +393,15 @@ nb = open("/dev/tty", O_RDWR); dup2(nb, 0); LogPrintf(LOG_CHAT_BIT, "exec: %s\n", command); + /* switch back to original privileges */ + if (setgid(getgid()) < 0) { + LogPrintf(LOG_CHAT_BIT, "setgid: %s\n", strerror(errno)); + exit(1); + } + if (setuid(getuid()) < 0) { + LogPrintf(LOG_CHAT_BIT, "setuid: %s\n", strerror(errno)); + exit(1); + } pid = execvp(command, vector); LogPrintf(LOG_CHAT_BIT, "execvp failed for (%d/%d): %s\n", pid, errno, command); exit(127);

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
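Review bot: in the command.c hunks (@@ -187,9 +187,14 @@ in the 2.1-stable patch, @@ -190,9 +190,14 @@ in the -current one) the setgid()/setuid() calls were already present; what changes is that a failed call now ends the process instead of falling through to `TtyOldMode(); if(argc > 0) execvp(argv[0], argv);` with the effective uid still 0, which is the right correction. The ordering is also correct: setgid() must come before setuid(), because once the effective uid is no longer 0 a change of group would be refused. Two things the visible context does not settle and that a reviewer should confirm: that this code runs in a forked child rather than in the ppp process itself, since otherwise exit(1) on the failure path terminates the whole program; and that reporting through perror() here while the chat.c hunk reports through LogPrintf() is intended, since the two exec paths now fail in different places for the same condition.

Review bot: in the chat.c hunks (@@ -331,6 +331,15 @@ and @@ -393,6 +393,15 @@) the added privilege drop is the substantive fix: before it, a command run from a chat script was exec'd with the set-uid root credentials intact. Placement is right, in the child after the dup2() of /dev/tty and immediately before execvp(), with setgid() ahead of setuid(). Two points: the failure path reports only via LogPrintf(LOG_CHAT ...), so when chat logging is not enabled a failed drop exits silently with status 1 and is indistinguishable from an ordinary command failure; writing the message to stderr as well (as command.c does with perror()) would make it visible. And strerror() needs <string.h>, which this hunk does not add; errno is already used in the existing `execvp failed for (%d/%d)` line so <errno.h> is evidently present, but the string.h include should be checked in the full file.

What the patches add is a checked drop to the real uid/gid before execvp(). Below is an added example of that pattern, not code from ppp or from this advisory: the drop is placed in a single helper that also verifies its own effect, so every exec path in a set-uid root program goes through the same checked code rather than repeating the calls by hand. The function names and the sample command are hypothetical.

```c
/* Added example, not code from ppp or from this advisory: a checked and
 * verified drop to the real uid/gid of the kind the patches above insert
 * before execvp(), factored into one helper (names are hypothetical). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the real uid/gid. Returns 0 on success, -1 on
 * failure; after a failure the caller must not exec anything. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the effective uid is no longer 0, a setgid()
     * to a different group would be refused. */
    if (setgid(rgid) < 0)
        return -1;
    if (setuid(ruid) < 0)
        return -1;

    /* Do not trust the return values alone: re-read every id. */
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;

    /* If we were set-uid root, confirm root cannot be regained
     * (setuid() from root also resets the saved uid on FreeBSD). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

/* Fork, drop privileges in the child, then exec. Returns the child's
 * exit status (127 when exec itself failed), or -1 on fork/wait error. */
int run_as_real_user(const char *command, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() < 0) {
            /* Report on stderr, not only in an optional log channel. */
            fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
            _exit(1);           /* never fall through to execvp() as root */
        }
        execvp(command, argv);
        fprintf(stderr, "execvp %s: %s\n", command, strerror(errno));
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample command: "id -u" prints the real uid, which for
     * a non-root caller must never be 0 once the drop has taken effect. */
    char *const argv[] = { "id", "-u", NULL };
    return run_as_real_user("id", argv) == 0 ? 0 : 1;
}
```

Run as an ordinary user the program prints that user's uid; the point of the helper is that a failed drop can only ever produce an exit, never an exec, and that the re-check of geteuid()/getegid() catches a kernel that accepted the call without honouring it.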
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBMdFeplUuHi5z0oilAQFc5AP9Fq3hOVm/AeE6wJvmXlBdMlwF3W+752V8
V/F2OmFro60mgKZ/WHSHMJqMesCh5+VKRuUYGQ+YTJMb9wFY0zvVa6s6kS+cR680
kIV4sLXj5CjKGR6JZ0EavT6zMEE2EgiqUwGNxS1M52j4lvcTpFTh3cCs4smSncly
LOposIY9r5c=
=IZIn
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jul 4 11:24:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA09805 for security-outgoing; Thu, 4 Jul 1996 11:24:25 -0700 (PDT)
Received: (from guido@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA09779; Thu, 4 Jul 1996 11:24:20 -0700 (PDT)
Message-Id: <199607041824.LAA09779@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: guido set sender to security-officer@freebsd.org using -f
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org
Cc: freebsd-security@freebsd.org, first-teams@first.org
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:15.ppp
Date: Mon, 4 Jul 1996 11:15:00 -0700 (PDT)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Of course the announcement date on the just sent advisory was incorrect
and should be: Thu Jul 4 1996.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBMdwLoVUuHi5z0oilAQF2eQP+K+iKWmBLIVlzU2i+71PPkeIZMtm+GE1d
xuw3B0nJbiyBvWIumtkltnAFuVDDAA9injZHy0NOSztbReyS5G7Qs261dE8YqgQm
MsmrVTP/x/x02BJlUJffe0MeLFijwIlxoYKAef7IJ8jVDCyQ02ntKAE7oRlgTK3r
rR11aLXF3VE=
=1FAc
-----END PGP SIGNATURE-----

From owner-freebsd-security Sat Jul 6 15:29:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA08166 for security-outgoing; Sat, 6 Jul 1996 15:29:23 -0700 (PDT)
Received: from bacata ([200.21.26.62]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA08160 for ; Sat, 6 Jul 1996 15:29:15 -0700 (PDT)
Received: from unalslip.usc.unal.edu.co by bacata (SMI-8.6/SMI-SVR4) id RAA21801; Sat, 6 Jul 1996 17:31:15 +0500
Message-ID: <31DF04A4.287F@biblioteca.campus.unal.edu.co>
Date: Sat, 06 Jul 1996 17:28:20 -0700
From: Pedro Giffuni S
Organization: Universidad Nacional de Colombia
X-Mailer: Mozilla 2.02 (Win16; I)
MIME-Version: 1.0
To: security@freebsd.org
Subject: C2 security
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

I found this message from about three years ago:

________________________________________________________________________

C2 security for BSD/386

Brian Beattie (beattie@agora.rain.com)
Fri, 30 Apr 93 15:16:13 PDT

Somebody asked if BSD/386 had C2 security. It is my understanding that
BSDI had no plans for C2. I am curious, how much interest is there in C2
security. Being the main engineer of the Trusted MINIX project I have
often considered bringing BSD/386 up to C2. While I do not have the
resources to handle the eval process I could certainly do the
development and documentation. Anybody care?

--
Brian Beattie           | Do not meddle in the affairs of Wizards,
                        | for you are crunchy and taste good with
beattie@agora.rain.com  | catsup.
________________________________________________________________________