From owner-freebsd-security Wed Jul 24 11:54:19 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA06422 for security-outgoing; Wed, 24 Jul 1996 11:54:19 -0700 (PDT) Received: from server.fasts.lv (root@server.fasts.lv [194.8.13.242]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA06411 for ; Wed, 24 Jul 1996 11:54:07 -0700 (PDT) Received: from server.fasts.lv (vitjok@server.fasts.lv [194.8.13.242]) by server.fasts.lv (8.7.5/8.7.3) with SMTP id VAA01226 for ; Wed, 24 Jul 1996 21:52:18 GMT Date: Wed, 24 Jul 1996 21:52:17 +0000 () 
From: Victor Rotanov
To: freebsd-security@FreeBSD.org
Subject: unofficial rlogin security patch

Hello.

Here's the patch:

---8<-------------------------------------------------------------------------
*** rlogin.c Wed Jul 24 21:46:58 1996 --- rlogin.c.orig Sun Jun 23 13:08:27 1996 *************** *** 258,265 **** (void)fprintf(stderr, "rlogin: login/tcp: unknown service.\n"); exit(1); } ! ! (void)strncpy(term, (p = getenv("TERM")) ? p : "network", 1016); if (ioctl(0, TIOCGETP, &ttyb) == 0) { (void)strcat(term, "/"); (void)strcat(term, speeds[(int)ttyb.sg_ospeed]); --- 258,265 ---- (void)fprintf(stderr, "rlogin: login/tcp: unknown service.\n"); exit(1); } ! ! (void)strcpy(term, (p = getenv("TERM")) ? p : "network"); if (ioctl(0, TIOCGETP, &ttyb) == 0) { (void)strcat(term, "/"); (void)strcat(term, speeds[(int)ttyb.sg_ospeed]);
---8<-------------------------------------------------------------------------
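Review bot: the file headers put `rlogin.c` on the `***` (old) side and `rlogin.c.orig` on the `---` (new) side, so the hunk is reversed: applied as posted it replaces `strncpy` with `strcpy`, the opposite of the intent, and only does what the author means when applied in reverse. Even on the intended side, `(void)strncpy(term, ..., 1016)` has no terminator after it: for a `TERM` of 1016 bytes or more, `strncpy` leaves `term` without a trailing `'\0'`, and the `strcat(term, "/")` that follows then scans past the copied bytes looking for one. Add `term[1016] = '\0';` after the copy, and derive the limit from `sizeof(term)` minus room for the `"/"` and the longest `speeds[]` entry rather than from a bare constant.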
From: "Rodney W. Grimes"
Message-Id: <199607241941.MAA23153@GndRsh.aac.dev.com>
Subject: Re: unofficial rlogin security patch
To: vitjok@fasts.lv (Victor Rotanov)
Date: Wed, 24 Jul 1996 12:41:31 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from Victor Rotanov at "Jul 24, 96 09:52:17 pm"

> 
> Hello.

A caution to all... this patch is _REVERSED_, apply it with patch -r

> Here's the patch:
> 
> ---8<-------------------------------------------------------------------------
> *** rlogin.c Wed Jul 24 21:46:58 1996
> --- rlogin.c.orig Sun Jun 23 13:08:27 1996
> ***************
> *** 258,265 ****
> (void)fprintf(stderr, "rlogin: login/tcp: unknown service.\n");
> exit(1);
> }
> !
> ! (void)strncpy(term, (p = getenv("TERM")) ? p : "network", 1016);
> if (ioctl(0, TIOCGETP, &ttyb) == 0) {
> (void)strcat(term, "/");
> (void)strcat(term, speeds[(int)ttyb.sg_ospeed]);
> --- 258,265 ----
> (void)fprintf(stderr, "rlogin: login/tcp: unknown service.\n");
> exit(1);
> }
> !
> ! (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
> if (ioctl(0, TIOCGETP, &ttyb) == 0) {
> (void)strcat(term, "/");
> (void)strcat(term, speeds[(int)ttyb.sg_ospeed]);
> ---8<-------------------------------------------------------------------------
> 
-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                  Reliable computers for FreeBSD

To: Victor Rotanov
cc: freebsd-security@FreeBSD.org
From: "Gary Palmer"
Subject: Re: unofficial rlogin security patch
In-reply-to: Your message of "Wed, 24 Jul 1996 21:52:17 -0000."
Date: Wed, 24 Jul 1996 15:42:06 -0400
Message-ID: <7556.838237326@orion.webspan.net>

Victor Rotanov wrote in message ID :
> 
> Hello.
> 
> Here's the patch:

What exactly is this meant to do, pray tell?

Gary
-- 
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

Date: Wed, 24 Jul 1996 22:47:56 +0000 ()
From: Victor Rotanov
To: Gary Palmer
cc: freebsd-security@FreeBSD.org
Subject: Re: unofficial rlogin security patch
In-Reply-To: <7556.838237326@orion.webspan.net>

Hello Gary.

On Wed, 24 Jul 1996, Gary Palmer wrote:
> Victor Rotanov wrote in message ID
> :
> > 
> > Hello.
> > 
> > Here's the patch:
> 
> What exactly is this meant to do, pray tell?

This will not allow buffer overrun caused by setting TERM environment
variable to something longer than 1024 bytes.

> 
> Gary
> -- 
> Gary Palmer                                          FreeBSD Core Team Member
> FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info
> 

Thanks, vitjok.

To: Victor Rotanov
cc: freebsd-security@FreeBSD.org
From: "Gary Palmer"
Subject: Re: unofficial rlogin security patch
In-reply-to: Your message of "Wed, 24 Jul 1996 22:47:56 -0000."
Date: Wed, 24 Jul 1996 15:55:18 -0400
Message-ID: <8267.838238118@orion.webspan.net>

Victor Rotanov wrote in message ID :
> This will not allow buffer overrun caused by setting TERM environment
> variable to something longer than 1024 bytes.

In that case the patch was backwards (by my reading) ... you were changing
strncpy to strcpy, which is what confused me (sorry, I didn't have time to
check the source).

Gary
-- 
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

To: rgrimes@gndrsh.aac.dev.com (Rodney W. Grimes)
cc: freebsd-security@freebsd.org
Subject: Re: unofficial rlogin security patch
References: <199607241941.MAA23153@GndRsh.aac.dev.com>
From: Paul Traina
Date: 24 Jul 1996 16:24:40 -0700
In-Reply-To: rgrimes@gndrsh.aac.dev.com's message of 24 Jul 96 19:41:31 GMT
Message-ID: <7y20i16xqf.fsf@red.jnx.com>

Better yet, don't apply the unofficial patch, rather apply the official
patch that's been committed to FreeBSD.

Date: Thu, 25 Jul 1996 01:23:13 -0400 (EDT)
From: Brian Mitchell
To: Gary Palmer
cc: Victor Rotanov, freebsd-security@FreeBSD.org
Subject: Re: unofficial rlogin security patch
In-Reply-To: <7556.838237326@orion.webspan.net>

On Wed, 24 Jul 1996, Gary Palmer wrote:
> Victor Rotanov wrote in message ID
> :
> > 
> > Hello.
> > 
> > Here's the patch:
> 
> What exactly is this meant to do, pray tell?

It fixes the TERM environment variable overflow, which can't be exploited
anyways (because main() never returns) as far as I know, but it is still a
good thing.

Brian Mitchell                                            brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
 - H. Truman

Date: Thu, 25 Jul 1996 06:41:17 -0700 (PDT)
From: goamatic
To: winter@jurai.net
cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: well..

Here is beta 1 of the changes I have done to Crack 4.1 in order to make it
work with master.passwd (md5) style passwords. Patch from crack/

-- begin ---
diff -c Sources/Makefile /var/tmp/Sources/Makefile *** Sources/Makefile Thu Jun 25 07:54:38 1992 --- /var/tmp/Sources/Makefile Thu Jul 25 05:02:14 1996 *************** *** 2,8 **** # Revised Makefile for Crack v4.1 - AEM, Feb 14 1992 ### ! LIBS= CFLAGS= -O PWC= crack-pwc FCRYPT= crack-fcrypt.o --- 2,8 ---- # Revised Makefile for Crack v4.1 - AEM, Feb 14 1992 ### ! LIBS= -lcrypt CFLAGS= -O PWC= crack-pwc FCRYPT= crack-fcrypt.o
diff -c Sources/conf.h /var/tmp/Sources/conf.h *** Sources/conf.h Thu Jun 25 07:54:41 1992 --- /var/tmp/Sources/conf.h Thu Jul 25 04:23:15 1996 *************** *** 58,64 **** */ #define COMPRESSION ! #define ZCAT "/usr/ucb/zcat" /* as in "zcat Dicts/bigdict.Z" */ #define PCAT "/usr/bin/pcat" /* --- 58,64 ---- */ #define COMPRESSION ! #define ZCAT "/usr/bin/zcat" /* as in "zcat Dicts/bigdict.Z" */ #define PCAT "/usr/bin/pcat" /* *************** *** 66,69 **** * doesn't work properly */ ! #define FCRYPT --- 66,69 ---- * doesn't work properly */ ! #undef FCRYPT
diff -c Sources/crack-pwc.c /var/tmp/Sources/crack-pwc.c *** Sources/crack-pwc.c Thu Jun 25 07:55:44 1992 --- /var/tmp/Sources/crack-pwc.c Thu Jul 25 06:21:44 1996 *************** *** 125,131 **** p = PWSkip (p); retval -> passwd.pw_gid = atoi (p); ! p = PWSkip (p); retval -> passwd.pw_gecos = p; p = PWSkip (p); --- 125,140 ---- p = PWSkip (p); retval -> passwd.pw_gid = atoi (p); ! p = PWSkip (p); ! retval -> passwd.pw_class = p; ! ! p = PWSkip (p); ! retval -> passwd.pw_change = atoi (p); ! ! p = PWSkip (p); ! retval -> passwd.pw_expire = atoi (p); ! ! 
p = PWSkip (p); retval -> passwd.pw_gecos = p; p = PWSkip (p); *************** *** 143,149 **** { int i; char *ptr; ! char salt[2]; char buffer[STRINGSIZE]; long int numlines; long int numentries; --- 152,158 ---- { int i; char *ptr; ! char salt[34]; char buffer[STRINGSIZE]; long int numlines; long int numentries; *************** *** 153,159 **** numlines = 0L; numentries = 0L; current_line = NULL; ! salt[0] = salt[1] = '*'; while (fgets (buffer, STRINGSIZE, stdin)) { --- 162,169 ---- numlines = 0L; numentries = 0L; current_line = NULL; ! salt[0] = '*'; ! salt[1] = '$'; while (fgets (buffer, STRINGSIZE, stdin)) { *************** *** 191,202 **** new_element -> filename); continue; } ! if (i > 13) { Log ("User %s (in %s) has a long pw_passwd field - truncating.\n", new_element -> passwd.pw_name, new_element -> filename); ! ptr[13] = '\0'; } numentries++; --- 201,212 ---- new_element -> filename); continue; } ! if (i > 34) { Log ("User %s (in %s) has a long pw_passwd field - truncating.\n", new_element -> passwd.pw_name, new_element -> filename); ! ptr[34] = '\0'; } numentries++; *************** *** 204,222 **** { new_element -> across = current_line; current_line = new_element; ! } else { if (current_line) { ! current_line -> next = userroot; } userroot = current_line; current_line = new_element; numlines++; ! salt[0] = ptr[0]; ! salt[1] = ptr[1]; ! } } if (current_line) /* last one tends to hang about */ { --- 214,233 ---- { new_element -> across = current_line; current_line = new_element; ! } else { if (current_line) { ! current_line -> next = userroot; } userroot = current_line; current_line = new_element; numlines++; ! strcpy(salt, ptr); ! /* salt[0] = ptr[0]; */ ! /* salt[1] = ptr[1]; */ } + } if (current_line) /* last one tends to hang about */ { *************** *** 1091,1104 **** /* Quick, verify that we are sane ! 
*/ - if (strcmp (crypt ("fredfred", "fredfred"), "frxWbx4IRuBBA")) - { - Log ("Version of crypt() being used internally is not compatible with standard.\n"); - Log ("This could be due to byte ordering problems - see the comments in Sources/conf.h\n"); - Log ("If there is another reason for this, edit the source to remove this assertion.\n"); - Log ("Terminating...\n"); - exit (0); - } #ifndef AMIGA signal (SIGTERM, CatchTERM); #endif --- 1102,1107 ----
diff -c Scripts/do_join /var/tmp/Scripts/do_join *** Scripts/do_join Thu Jun 25 07:54:20 1992 --- /var/tmp/Scripts/do_join Thu Jul 25 05:05:32 1996 *************** *** 48,54 **** awk -F: ' BEGIN { FS = ":"; ! numf = 8; # number of fields in a pwent, + 1 warn="'"$warn"'"; date = "'"`date`"'"; date = substr(date, 5, 15); --- 48,54 ---- awk -F: ' BEGIN { FS = ":"; ! numf = 11; # number of fields in a pwent, + 1 warn="'"$warn"'"; date = "'"`date`"'"; date = substr(date, 5, 15);
-- cut --------

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.vendetta.com == http://nervosa.vendetta.com/~coredump ==

Date: Thu, 25 Jul 1996 16:56:05 +0000 ()
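Review bot: in the crack-pwc.c hunk at `*** 204,222 ****` / `--- 214,233 ----`, `strcpy(salt, ptr)` can overflow `salt`. The truncation hunk just before it (`*** 191,202 ****`) only cuts `ptr` at `ptr[34] = '\0'`, so `ptr` may carry 34 characters plus the terminator, 35 bytes, while the earlier hunk declares `char salt[34]`. Size `salt` at 35 (or at `STRINGSIZE`, like `buffer`), or copy a bounded length and terminate it explicitly; the two commented-out `salt[0]`/`salt[1]` lines can simply go.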
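Review bot: the hunk at `*** 1091,1104 ****` deletes the `crypt ("fredfred", "fredfred")` self-test outright instead of adapting it. The removed `Log` lines say what it was for: catching a `crypt()` whose output does not match the standard (byte-ordering problems). With `FCRYPT` now undefined and `-lcrypt` linked in by the Makefile hunk, the guard could compare one known DES hash and one known `$1$` hash, so a miscompiled or wrong-library `crypt()` still terminates loudly instead of silently matching nothing.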
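Review bot: the crack-pwc.c hunk at `*** 125,131 ****` reads `pw_change` and `pw_expire` with `atoi (p)`, which reports nothing on a non-numeric or out-of-range field; `strtol` with an end-pointer check would reject a malformed master.passwd line instead of storing 0 or garbage. The three added `PWSkip` steps also mean the parser now assumes the 10-field master.passwd layout unconditionally, matching `numf = 11` in the do_join hunk, so a plain 7-field passwd file will be mis-parsed; a field count check before this block, or a build-time switch, would make that failure explicit.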
From: Victor Rotanov
To: Paul Traina
cc: "Rodney W. Grimes", freebsd-security@freebsd.org
Subject: Re: unofficial rlogin security patch
In-Reply-To: <7y20i16xqf.fsf@red.jnx.com>

Hello Paul.

On 24 Jul 1996, Paul Traina wrote:
> Better yet, don't apply the unofficial patch, rather apply the official
> patch that's been committed to FreeBSD.
> 

Since 2.1.5-RELEASE there were no patches for rlogin posted to
freebsd-security, and 2.1.5-RELEASE has this problem.

Thanks, vitjok.

Date: Thu, 25 Jul 1996 11:28:40 -0700 (PDT)
From: Paul Traina
Message-Id: <199607251828.LAA19515@freefall.freebsd.org>
To: freebsd-security
Subject: rlogin.c patch (official)

Index: rlogin.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/rlogin/rlogin.c,v
retrieving revision 1.10
retrieving revision 1.12
diff -c -r1.10 -r1.12
*** rlogin.c 1996/02/11 09:18:18 1.10 --- rlogin.c 1996/07/25 18:27:40 1.12 *************** *** 102,107 **** --- 102,108 ---- char *speeds[] = { "0", "50", "75", "110", "134", "150", "200", "300", "600", "1200", "1800", "2400", "4800", "9600", "19200", "38400", "57600", "115200" + #define MAX_SPEED_LENGTH (sizeof("115200") - 1) }; #ifdef OLDSUN *************** *** 259,265 **** exit(1); } ! (void)strcpy(term, (p = getenv("TERM")) ? p : "network"); if (ioctl(0, TIOCGETP, &ttyb) == 0) { (void)strcat(term, "/"); (void)strcat(term, speeds[(int)ttyb.sg_ospeed]); --- 260,270 ---- exit(1); } ! #define MAX_TERM_LENGTH (sizeof(term) - 1 - MAX_SPEED_LENGTH - 1) ! ! (void)strncpy(term, (p = getenv("TERM")) ? p : "network", ! MAX_TERM_LENGTH); ! 
term[MAX_TERM_LENGTH] = '\0'; if (ioctl(0, TIOCGETP, &ttyb) == 0) { (void)strcat(term, "/"); (void)strcat(term, speeds[(int)ttyb.sg_ospeed]);

Message-Id: <199607251949.VAA14732@keltia.freenix.fr>
Date: Thu, 25 Jul 1996 21:49:23 +0200
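Review bot: in the `*** 102,107 ****` hunk, `#define MAX_SPEED_LENGTH (sizeof("115200") - 1)` sits inside the `speeds[]` initializer and ties the bound to that one literal; whoever appends a longer rate string to the table later has to remember to update it by hand. A comment on the table saying that `MAX_SPEED_LENGTH` must track the longest entry, or computing the maximum once at startup from the table itself, would keep the two from drifting apart.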
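Review bot: in the `*** 259,265 ****` / `--- 260,270 ----` hunk, `MAX_TERM_LENGTH` is derived from `sizeof(term)`, which is only correct while `term` is a real array in this scope; should `term` ever become a pointer parameter, the macro silently shrinks to `sizeof(char *) - 8`. Defining it next to `term`'s declaration, or a comment at the `#define`, would make that dependency visible. The arithmetic itself holds: after copying at most `MAX_TERM_LENGTH` bytes and setting `term[MAX_TERM_LENGTH] = '\0'` (the line the unofficial patch lacked), the `"/"` plus a `speeds[]` entry of at most `MAX_SPEED_LENGTH` characters reaches exactly `sizeof(term) - 1` characters plus the terminator, so the two `strcat` calls cannot overflow as long as `speeds[]` gains no entry longer than `"115200"`.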
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: pst@freefall.freebsd.org (Paul Traina)
Cc: freebsd-security@freefall.freebsd.org
Subject: Re: rlogin.c patch (official)
In-Reply-To: <199607251828.LAA19515@freefall.freebsd.org>; from Paul Traina on Jul 25, 1996 11:28:40 -0700
References: <199607251828.LAA19515@freefall.freebsd.org>

According to Paul Traina:
> (void)strcat(term, "/");
> (void)strcat(term, speeds[(int)ttyb.sg_ospeed]);

Having a sgttyb-free version of rlogin would be nice too. We have to get rid
of that old thing.
-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #16: Sun Jul 21 13:26:53 MET DST 1996
From: "David E. O'Brien"
Message-Id: <199607260639.XAA12397@relay.nuxi.com>
Subject: Re: unofficial rlogin security patch
To: vitjok@fasts.lv (Victor Rotanov)
Date: Thu, 25 Jul 1996 23:39:56 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from Victor Rotanov at "Jul 24, 96 09:52:17 pm"

> !
> ! (void)strncpy(term, (p = getenv("TERM")) ? p : "network", 1016);
> if (ioctl(0, TIOCGETP, &ttyb) == 0) {

Except that you STILL left a big blowing hole. Now there is a chance term
won't be nul terminated. From the man page:

     The strncpy() copies not more than len characters into dst, appending
     `\0' characters if src is less than len characters long, and not
     terminating dst if src is more than len characters long.

Notice that strncpy() will NOT append '\0' if strlen(src) > n. Look at the
real 2.1.5 patch and you will notice the ``term[1015] = '\0';'' instruction
that is always needed after a strncpy().

-- David (obrien@cs.ucdavis.edu)
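The non-termination David describes, and the explicit terminator the official patch adds, side by side. This is an added example written for this thread; it is not code from rlogin.c or from any poster. It assumes the 1024-byte `term` buffer mentioned earlier in the thread and takes its limits from the official patch; every function and constant name here (`TERM_BUFSIZE`, `copy_unofficial`, `build_term`, `long_term`, `unofficial_terminated`, `official_len`, `official_len_noenv`) is invented for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not rlogin.c. The buffer size follows the thread (term is
 * 1024 bytes); the two limits follow the official 2.1.5 patch: leave room
 * for a "/" and for the longest speeds[] entry, "115200".
 */
#define TERM_BUFSIZE     1024
#define MAX_SPEED_LENGTH (sizeof("115200") - 1)                    /* 6    */
#define MAX_TERM_LENGTH  (TERM_BUFSIZE - 1 - MAX_SPEED_LENGTH - 1) /* 1016 */

/* 1 if a NUL occurs within the first n bytes of buf, 0 otherwise. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* The unofficial patch's pattern: strncpy(dst, src, n) and nothing after it.
 * dst is poisoned first so a missing terminator is observable. Returns
 * whether dst is NUL-terminated within its first n bytes afterwards. */
int copy_unofficial(char *dst, size_t n, const char *src)
{
    memset(dst, 'X', n);
    (void)strncpy(dst, src, n);
    return is_terminated(dst, n);
}

/* The official pattern: bounded copy, explicit terminator, then the "/speed"
 * suffix whose worst case was already subtracted from MAX_TERM_LENGTH.
 * term must point at TERM_BUFSIZE bytes. Returns the final strlen(term). */
size_t build_term(char *term, const char *env_term, const char *speed)
{
    const char *src = env_term ? env_term : "network";

    (void)strncpy(term, src, MAX_TERM_LENGTH);
    term[MAX_TERM_LENGTH] = '\0';      /* the line the unofficial patch omits */
    if (speed != NULL && strlen(speed) <= MAX_SPEED_LENGTH) {
        (void)strcat(term, "/");
        (void)strcat(term, speed);
    }
    return strlen(term);
}

/* Constructed TERM value of n 'A' characters (capped at 4095). */
static const char *long_term(size_t n)
{
    static char value[4096];

    if (n >= sizeof value)
        n = sizeof value - 1;
    memset(value, 'A', n);
    value[n] = '\0';
    return value;
}

/* Unofficial pattern with the patch's own limit of 1016 on a TERM of
 * term_len bytes: 1 if term is still terminated, 0 if not. */
int unofficial_terminated(size_t term_len)
{
    static char term[TERM_BUFSIZE];

    return copy_unofficial(term, 1016, long_term(term_len));
}

/* Official pattern on the same input; the result never exceeds
 * TERM_BUFSIZE - 1 characters, whatever term_len is. */
size_t official_len(size_t term_len, const char *speed)
{
    static char term[TERM_BUFSIZE];

    return build_term(term, long_term(term_len), speed);
}

/* Official pattern with TERM unset (falls back to "network"). */
size_t official_len_noenv(const char *speed)
{
    static char term[TERM_BUFSIZE];

    return build_term(term, NULL, speed);
}

int main(void)
{
    printf("TERM of 5 bytes,    unofficial: terminated=%d\n", unofficial_terminated(5));
    printf("TERM of 2000 bytes, unofficial: terminated=%d\n", unofficial_terminated(2000));
    printf("TERM of 2000 bytes, official:   length=%zu (max %d)\n",
           official_len(2000, "115200"), TERM_BUFSIZE - 1);
    printf("TERM unset,         official:   length=%zu\n", official_len_noenv("9600"));
    return 0;
}
```

With a TERM of 1016 bytes or more the unofficial pattern reports an unterminated buffer, which is the state in which the following `strcat` would read and write past the copied bytes; the official pattern stays within 1023 characters plus the terminator for any input length, because the suffix's worst case is budgeted into the copy limit rather than appended on trust.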
From: "David E. O'Brien"
Message-Id: <199607260648.XAA12470@relay.nuxi.com>
Subject: Re: Crack 4.1 patches for FBSD
To: coredump@nervosa.vendetta.com (goamatic)
Date: Thu, 25 Jul 1996 23:48:00 -0700 (PDT)
Cc: winter@jurai.net, freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: from goamatic at "Jul 25, 96 06:41:17 am"

> Here is beta 1 of the changes I have done to Crack 4.1 in order to
> make it work with master.passwd (md5) style passwords. Patch from crack/

I wouldn't bother. I spoke with Alec Muffett today at the USENIX security
conference. Crack 5.0 is due out in 6 (or so) weeks. He said it was a
complete rewrite, and he has substantially changed the handling of
different password file formats.

-- David (obrien@cs.ucdavis.edu)

Date: Thu, 25 Jul 1996 23:53:00 -0700 (PDT)
From: goamatic
To: "David E. O'Brien"
cc: winter@jurai.net, freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Crack 4.1 patches for FBSD
In-Reply-To: <199607260648.XAA12470@relay.nuxi.com>

On Thu, 25 Jul 1996, David E. O'Brien wrote:
> > Here is beta 1 of the changes I have done to Crack 4.1 in order to
> > make it work with master.passwd (md5) style passwords. Patch from crack/
> 
> I wouldn't bother. I spoke with Alec Muffett today at the USENIX security
> conference. Crack 5.0 is due out in 6 (or so) weeks. He said it was a
> complete rewrite, and he has substantially changed the handling of
> different password file formats.
> 
> -- David (obrien@cs.ucdavis.edu)
> 

Yeah, well it's not like Crack is some hard programming feat in itself.
Until then, the patch is available.

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.vendetta.com == http://nervosa.vendetta.com/~coredump ==

To: "David E. O'Brien"
cc: coredump@nervosa.vendetta.com (goamatic), winter@jurai.net, freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Crack 4.1 patches for FBSD
In-reply-to: Your message of "Thu, 25 Jul 1996 23:48:00 PDT." <199607260648.XAA12470@relay.nuxi.com>
Date: Fri, 26 Jul 1996 10:28:24 +0200
Message-ID: <2328.838369704@critter.tfs.com>
From: Poul-Henning Kamp

In message <199607260648.XAA12470@relay.nuxi.com>, "David E. O'Brien" writes:
>> Here is beta 1 of the changes I have done to Crack 4.1 in order to
>> make it work with master.passwd (md5) style passwords. Patch from crack/
>
>I wouldn't bother. I spoke with Alec Muffett today at the USENIX security
>conference. Crack 5.0 is due out in 6 (or so) weeks. He said it was a
>complete rewrite, and he has substantially changed the handling of
>different password file formats.

Any news on any attacks on our MD5 based passwords ?

-- 
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
From: Nathan Lawson
Message-Id: <199607261427.HAA02418@kdat.calpoly.edu>
Subject: Re: Crack 4.1 patches for FBSD
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Fri, 26 Jul 1996 07:27:37 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <2328.838369704@critter.tfs.com> from "Poul-Henning Kamp" at Jul 26, 96 10:28:24 am

> >> Here is beta 1 of the changes I have done to Crack 4.1 in order to
> >> make it work with master.passwd (md5) style passwords. Patch from crack/
> >
> >I wouldn't bother. I spoke with Alec Muffett today at the USENIX security
> >conference. Crack 5.0 is due out in 6 (or so) weeks. He said it was a
> >complete rewrite, and he has substantially changed the handling of
> >different password file formats.
> 
> Any news on any attacks on our MD5 based passwords ?

The only problem I see with them is that MD5 is so darn quick, your number
of crypts goes way up even with the present number of iterations. The DES
hash used in most Unicen was designed to be slow (originally taking 1 second
per crypt on a VAX 11/780), but that fell prey to optimization and exponential
CPU speed increases.

Perhaps some intermediate permutations between hashes might be appropriate,
but I'd consider the algorithm very carefully as it is very easy to end up
with something that is no slower than the original and significantly less
secure.

-- 
Nate Lawson     "There are a thousand hacking at the branches of
CPE Senior       evil to one who is striking at the root."
CSL Admin                        -- Henry David Thoreau, 'Walden', 1854

To: Nathan Lawson
cc: freebsd-security@freebsd.org
Subject: Re: Crack 4.1 patches for FBSD
In-reply-to: Your message of "Fri, 26 Jul 1996 07:27:37 PDT." <199607261427.HAA02418@kdat.calpoly.edu>
Date: Fri, 26 Jul 1996 20:32:34 +0200
Message-ID: <2867.838405954@critter.tfs.com>
From: Poul-Henning Kamp

>> Any news on any attacks on our MD5 based passwords ?
>
>The only problem I see with them is that MD5 is so darn quick, your number
>of crypts goes way up even with the present number of iterations. The DES
>hash used in most Unicen was designed to be slow (originally taking 1 second
>per crypt on a VAX 11/780), but that fell prey to optimization and exponential
>CPU speed increases.
>
>Perhaps some intermediate permutations between hashes might be appropriate,
>but I'd consider the algorithm very carefully as it is very easy to end up
>with something that is no slower than the original and significantly less
>secure.

Have you actually timed them ?

Have you actually looked at the code that generates the MD5 passwords in
FreeBSD ?

It sounds to me like you haven't...

-- 
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.

Message-Id: <199607271535.IAA04804@cwsys.cwent.com>
Reply-to: cschuber@uumail.gov.bc.ca
To: security-officer@freebsd.org
cc: freebsd-security@freebsd.org
Subject: Ping
Date: Sat, 27 Jul 1996 08:35:03 -0700
From: Cy Schubert
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've been catching up with some messages from Bugtraq. It appears that the problem described below matches the code in FreeBSD 2.1R and CURRENT. Following is a patch I've put together based on 2.1R.

------------ Cut here -----------
Ping exposure:

The following fragment of code fixes a buffer overflow in ping that can be used to execute arbitrary commands as root. See file ping.bug for more details.

--- ping.c.orig Sat Jul 27 08:03:22 1996
+++ ping.c Sat Jul 27 08:05:17 1996
@@ -959,9 +959,9 @@ if ((options & F_NUMERIC) || !(hp = gethostbyaddr((char *)&l, 4, AF_INET))) - (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); + (void)snprintf(buf, 80, "%s", inet_ntoa(*(struct in_addr *)&l)); else - (void)sprintf(buf, "%s (%s)", hp->h_name, + (void)snprintf(buf, 80, "%s (%s)", hp->h_name, inet_ntoa(*(struct in_addr *)&l)); return(buf); } ------------ Cut here ----------- Regards, Phone: (604)389-3827 Cy Schubert OV/VM: BCSC02(CSCHUBER) Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET ITSD Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it." ------- Forwarded Message Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.5/8.6.10) with SMTP id OAA06995 for cy; Mon, 22 Jul 1996 14:08:31 -0700 (PDT) X-UIDL: 838175217.004 Resent-From: Cy Schubert - ITSD Open Systems Group Resent-Message-Id: <199607222108.OAA06995@passer.osg.gov.bc.ca> X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol Received: from orca.gov.bc.ca (ORCA.gov.bc.ca [142.32.102.25]) by passer.osg.gov.bc.ca (8.7.5/8.6.10) with SMTP id OAA07135 for ; Mon, 22 Jul 1996 14:08:26 -0700 (PDT) Received: from [128.148.157.143] by orca.gov.bc.ca (5.4R3.10/200.1.1.4) id AA02425; Mon, 22 Jul 1996 14:08:21 -0700 Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <24106-25282>; Mon, 22 Jul 1996 17:07:01 -0500 Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id RAA03283; Mon, 22 Jul 1996 17:06:17 -0400 Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 194779 for BUGTRAQ@NETSPACE.ORG; Mon, 22 Jul 1996 16:55:37 -0400 Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id QAA02131 for ; Mon, 22 Jul 1996 16:55:24 -0400 Approved-By: ALEPH1@UNDERGROUND.ORG Received: from janus.saturn.net (janus.saturn.net 
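Review bot: the literal bound 80 in both snprintf() calls duplicates the size of pr_addr()'s `static char buf[80]` by hand; if the declaration is ever changed the bound silently goes stale, so prefer `snprintf(buf, sizeof(buf), ...)` in both lines. The fix itself is sound: snprintf() always NUL-terminates within the given size, so an over-long hp->h_name (the DNS-supplied value that drove the overflow) is now truncated to 79 characters plus NUL rather than written past the buffer. The return value is discarded, which is acceptable here since the string is only displayed, but a comment noting that truncation is intentional would help the next reader.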
[206.42.0.10]) by netspace.org (8.7/8.6.12) with ESMTP id QAA11274 for ; Sun, 21 Jul 1996 16:08:58 -0400
Received: from tcpip (tcpip [206.42.2.27]) by janus.saturn.net (8.7.4/8.6.9) with SMTP id QAA20089 for ; Sun, 21 Jul 1996 16:09:39 -0400
X-Sender: brian@tcpip
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By: Brian Mitchell
Message-Id:
Date: Sun, 21 Jul 1996 16:08:28 -0400
Reply-To: Bugtraq List
Sender: Bugtraq List
From: Brian Mitchell
Subject: ping
To: Multiple recipients of list BUGTRAQ
Resent-To: cy@uumail.gov.bc.ca
Resent-Date: Mon, 22 Jul 96 14:08:31 -0700
Resent-XMts: smtp

There is a (somewhat difficult to exploit) security hole in the ping program (NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based unixes, but I have not checked. pr_addr() has a buffer overflow which makes it possible to execute arbitrary code. You do need a local account, unless you know someone on the system is always doing a ping -v somehost, in which case it may be done remotely.

Here is the code in question:

/*
 * pr_addr --
 *	Return an ascii host address as a dotted quad and optionally with
 *	a hostname.
 */
char *
pr_addr(l)
	u_long l;
{
	struct hostent *hp;
	static char buf[80];

	if ((options & F_NUMERIC) ||
	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
	else
		(void)sprintf(buf, "%s (%s)", hp->h_name,
		    inet_ntoa(*(struct in_addr *)&l));
	return(buf);
}

This function is called when ping is running in -v mode (verbose) and it receives a non-echo related icmp packet.

Something like this should take care of it, I would guess:

998c998 < (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); - --- > (void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr *)&l));1000c1000 < (void)sprintf(buf, "%s (%s)", hp->h_name, - --- > (void)snprintf(buf, 75, "%s (%s)", hp->h_name,

Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell" - - H. Truman

------- End of Forwarded Message
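Review bot: the bound 75 in the two proposed snprintf() lines is 5 bytes short of the declared `static char buf[80]` for no stated reason; use `sizeof(buf)` so the bound matches the declaration and stays correct if the buffer is resized. The separator lines also appear as `- ---` rather than `---`, so the diff will not apply as pasted; it needs to be reconstructed before feeding it to patch.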
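The pr_addr() overflow discussed in Cy Schubert's and Brian Mitchell's messages, as an added example that is not code from the thread or from ping itself: a hypothetical stand-in pr_addr_safe() takes the resolved hostname as a parameter (so it runs offline without gethostbyaddr()), bounds the write with snprintf() by the real buffer size, and a constructed 200-character hostname shows truncation where the original sprintf() would have written past the 80-byte buffer.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define ADDRBUF 80  /* same size as the static buf[80] in ping's pr_addr() */

/* Hypothetical stand-in for pr_addr(): the resolved hostname is passed in
 * (NULL means "numeric only") instead of coming from gethostbyaddr(), so
 * the function runs offline. The write is bounded by the real buffer size
 * and snprintf's result is returned: the length the full string needed,
 * so a return value >= bufsz tells the caller the output was truncated. */
int pr_addr_safe(in_addr_t l, const char *hname, char *buf, size_t bufsz)
{
    struct in_addr a;
    a.s_addr = l;
    if (hname == NULL)
        return snprintf(buf, bufsz, "%s", inet_ntoa(a));
    return snprintf(buf, bufsz, "%s (%s)", hname, inet_ntoa(a));
}

/* Constructed worst case: a 200-character hostname for 127.0.0.1, the
 * kind of DNS answer that overflowed the original sprintf() version.
 * Fills buf (ADDRBUF bytes) and returns the length snprintf reported. */
static int worst_case(char *buf)
{
    char longname[201];
    memset(longname, 'a', 200);
    longname[200] = '\0';
    return pr_addr_safe(htonl(0x7f000001), longname, buf, ADDRBUF);
}

/* Bytes the full string needed: 200 + strlen(" (127.0.0.1)") = 212. */
int worst_case_needed(void) { char b[ADDRBUF]; return worst_case(b); }

/* Bytes actually stored: ADDRBUF - 1 = 79, always NUL-terminated. */
size_t worst_case_stored(void) { char b[ADDRBUF]; worst_case(b); return strlen(b); }

int main(void)
{
    char buf[ADDRBUF];
    int need = worst_case(buf);
    printf("needed %d bytes, stored %zu, truncated=%d\n",
           need, strlen(buf), need >= ADDRBUF);
    pr_addr_safe(htonl(0x7f000001), NULL, buf, sizeof buf);
    printf("numeric form: %s\n", buf);
    return 0;
}
```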