From owner-freebsd-security Sun Aug 11 17:29:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA21129 for security-outgoing; Sun, 11 Aug 1996 17:29:43 -0700 (PDT)
Received: from aries.interspace.com.au (steve@aries.interspace.com.au [203.22.192.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA21124 for ; Sun, 11 Aug 1996 17:29:40 -0700 (PDT)
Received: (from steve@localhost) by aries.interspace.com.au (8.7.5/8.6.9) id KAA02766; Mon, 12 Aug 1996 10:29:25 +1000
Date: Mon, 12 Aug 1996 10:29:25 +1000 (GMT+1000)
From: Steve Gibson
To: freebsd-security@freebsd.org
Subject: auth.h and libauth for Kerberos
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've found a diff to patch ftpd to use Kerberos for authentication,
however it uses a library called auth and an include file called auth.h.

It also uses a struct called 'authorization' which is, I assume as I can't
find it in any other include file, in this auth.h/libauth.

Does this beast exist for FreeBSD, or does anybody know where the sources
for this library might be?

PS the patch is at
http://rel.semi.harris.com/ftp/ftp/pub/unixtools/sources/ftpd-kerb-patch

Thank you

------------------------------------------------------------------------------
Interspace Australia Pty Ltd
Steve Gibson - System Administrator
8 Boyd Street, West Melbourne, Australia 3003
Ph +61 3 9329 9066  Fax +61 3 9329 1388
------------------------------------------------------------------------------

From owner-freebsd-security Sun Aug 11 21:25:33 1996
Date: Mon, 12 Aug 1996 00:24:24 -0400 (EDT)
From: Douglas Song
To: Steve Gibson
cc: freebsd-security@freebsd.org
Subject: Re: auth.h and libauth for Kerberos

Although it's not freely available for export from the US, CMU has a
Kerberized version of wu-ftpd that also supports AFS (token and ticket
passing). See http://andrew2.andrew.cmu.edu/dist for more info...

---
Douglas Song                             dugsong@{umich.edu,monkey.org}
University of Michigan ITD GPCC Unix Services
www: http://www-personal.umich.edu/~dugsong
keyid: C2263445  fingerprint: BF F5 20 EA DA 2F C4 F4 7D 68 4A 50 E4 35 D1 17

From owner-freebsd-security Mon Aug 12 17:48:25 1996
Date: Tue, 13 Aug 1996 10:48:07 +1000 (GMT+1000)
From: Steve Gibson
To: Douglas Song
cc: freebsd-security@freebsd.org
Subject: Re: auth.h and libauth for Kerberos

On Mon, 12 Aug 1996, Douglas Song wrote:

> although it's not freely available for export from the US, CMU has a
> Kerberized version of wu-ftpd that also supports AFS (token and ticket
> passing). See http://andrew2.andrew.cmu.edu/dist for more info...
>

Well, I can't see why I couldn't export it (I don't believe there is any
encryption required in the source, the encryption stuff should be in libdes)
but the page says that a licence is required.

The standard wu-ftpd has kerberos authentication in it (compile with a
-DKERBEROS) but it still needs the auth.h/libauth

------------------------------------------------------------------------------
Interspace Australia Pty Ltd
Steve Gibson - System Administrator
8 Boyd Street, West Melbourne, Australia 3003
Ph +61 3 9329 9066  Fax +61 3 9329 1388
------------------------------------------------------------------------------

From owner-freebsd-security Tue Aug 13 00:54:42 1996
Message-Id: <199608130748.AA198942528@euro.eurocontrol.fr>
Date: Tue, 13 Aug 1996 09:48:47 +0200
From: ollivier.robert@eurocontrol.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: SECURITY: LSF Update#11: Vulnerability of rlogin
X-Mailer: Mutt 0.39

We are vulnerable. I've just looked at rlogin.c.

------- start of forwarded message -------
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.os.linux.networking,comp.security.unix
Subject: Re: SECURITY: LSF Update#11: Vulnerability of rlogin
Date: 10 Aug 1996 17:37:06 GMT

In article Olaf Titz writes:

Alexander O.
Yuriev wrote: > A vulnerability exists in the rlogin program of NetKitB-0.6 > This vulnerability affects several widely used Linux > distributions, including RedHat Linux 2.0, 2.1 and derived > systems including Caldera Network Desktop, Slackware 3.0 and > others. This vulnerability is not limited to Linux or any > other free UNIX systems. Both the information about this *Big sigh* Now it has finally come that the Linux community puts out security bulletins in exact CERT style which give no information on what is wrong, no information on how to check whether the own system is affected, and no source patches. :-( Yeah, that sucks. Full disclosure makes sure no group misses fixing the problem. There's been a lot of bugs in system utilities of late. A bunch of people have been looking closely. There's exploitable buffer overflows all over the place. The problem is a buffer overflow of a dynamic buffer in main() using the environment variable TERM. If your rlogin.c sources have strcpy() in them you probably have the bug. Here's one way to fix it; this patch is from OpenBSD. It also truncates the passed buffer to 64 so that rlogind will never see an overlong string (in which cause it won't see the baud rate), and tries not to pass a truncated baud rate spec to the remote end (ie. 1920 instead of 19200.) Index: rlogin.c =================================================================== RCS file: /cvs/src/usr.bin/rlogin/rlogin.c,v retrieving revision 1.3 retrieving revision 1.5 diff -b -c -r1.3 -r1.5 *** rlogin.c 1996/04/17 07:15:21 1.3 --- rlogin.c 1996/06/20 03:19:22 1.5 *************** *** 156,162 **** struct termios tty; long omask; int argoff, ch, dflag, one, uid; ! char *host, *p, *user, term[1024]; argoff = dflag = 0; one = 1; --- 156,162 ---- struct termios tty; long omask; int argoff, ch, dflag, one, uid; ! char *host, *p, *user, term[64]; argoff = dflag = 0; one = 1; *************** *** 256,265 **** exit(1); } ! (void)strcpy(term, (p = getenv("TERM")) ? 
p : "network"); if (tcgetattr(0, &tty) == 0) { ! (void)strcat(term, "/"); ! (void)sprintf(term + strlen(term), "%d", cfgetospeed(&tty)); } (void)get_window_size(0, &winsize); --- 256,275 ---- exit(1); } ! (void)strncpy(term, (p = getenv("TERM")) ? p : "network", ! sizeof(term) - 1); ! term[sizeof(term) - 1] = '\0'; ! ! /* ! * Add "/baud" only if there is room left; ie. do not send "/19" ! * for 19200 baud with a particularily long $TERM ! */ if (tcgetattr(0, &tty) == 0) { ! char baud[20]; /* more than enough.. */ ! ! (void)sprintf(baud, "/%d", cfgetospeed(&tty)); ! if (strlen(term) + strlen(baud) < sizeof(term) - 1) ! (void)strcat(term, baud); } (void)get_window_size(0, &winsize); -- This space not left unintentionally unblank. deraadt@theos.com ------- end of forwarded message ------- -- Ollivier ROBERT -=- Eurocontrol EEC/TIS -=- Ollivier.Robert@eurocontrol.fr From owner-freebsd-security Tue Aug 13 06:22:58 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA13287 for security-outgoing; Tue, 13 Aug 1996 06:22:58 -0700 (PDT) Received: from ns.frihet.com (root@frihet.bayarea.net [205.219.92.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA13281 for ; Tue, 13 Aug 1996 06:22:55 -0700 (PDT) Received: from ns.frihet.com (tweten@localhost [127.0.0.1]) by ns.frihet.com (8.7.5/8.6.12) with ESMTP id GAA18894; Tue, 13 Aug 1996 06:22:08 -0700 (PDT) Message-Id: <199608131322.GAA18894@ns.frihet.com> X-Mailer: exmh version 1.6.7 5/3/96 Reply-To: "David E. Tweten" To: ollivier.robert@eurocontrol.fr (Ollivier Robert) cc: freebsd-security@FreeBSD.org Subject: Re: SECURITY: LSF Update#11: Vulnerability of rlogin Date: Tue, 13 Aug 1996 06:22:07 -0700 From: "David E. Tweten" Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk ollivier.robert@eurocontrol.fr said: >! if (strlen(term) + strlen(baud) < sizeof(term) - 1) >! 
(void)strcat(term, baud);

This looks like a (reasonably harmless) off-by-one error to me.  Shouldn't it
rather be (minimum change)

	if (strlen(term) + strlen(baud) <= sizeof(term) - 1)

or (most readable)

	if (strlen(term) + strlen(baud) + 1 <= sizeof(term))

or (least operations)

	if (strlen(term) + strlen(baud) < sizeof(term))

instead?
--
David E. Tweten         | PGP Key fingerprint:    | tweten@frihet.com
12141 Atrium Drive      | E9 59 E7 5C 6B 88 B8 90 | tweten@and.com
Saratoga, CA 95070-3162 | 65 30 2A A4 A0 BC 49 AE | (408) 446-4131

From owner-freebsd-security Tue Aug 13 12:14:42 1996
Date: Tue, 13 Aug 1996 12:14:17 -0700 (PDT)
From: Steve Reid
To: freebsd-security@freebsd.org
Subject: Re: Vulnrability in all known Linux distributions
In-Reply-To: <32100CD9.33FBC5AF@mymail.com>

Has anyone run through FreeBSD suid binaries looking for bad
bounds-checking?

On Tue, 13 Aug 1996, bloodmask wrote:

> Date: Tue, 13 Aug 1996 07:04:25 +0200
> From: bloodmask
> To: Multiple recipients of list BUGTRAQ
> Subject: Vulnrability in all known Linux distributions
[snip]
> After finding this one, we at covin decided it's time to put an end to
> this issue, and we've begun scanning all of Linux's suid binaries for
> other hints of these hidden "features", Results will be released soon.
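
Review bot: The guard in front of the strcat in the second hunk of the rlogin.c patch, "if (strlen(term) + strlen(baud) < sizeof(term) - 1)", is one byte stricter than the buffer requires. strcat stores strlen(term) + strlen(baud) + 1 bytes including the terminator, so the exact-fit case where the two lengths sum to sizeof(term) - 1 is safe, yet this test rejects it and drops the baud rate. Comparing against sizeof(term) instead keeps the intent of the comment (never send a partial "/19") without wasting the last byte. Separately, the sprintf into baud[20] formats the return value of cfgetospeed() with %d and no cast; an explicit cast to int would make the format and argument agree regardless of how speed_t is defined.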
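
The boundary case debated in the rlogin.c thread above, as an added example that is not part of any poster's message or of the OpenBSD patch. It runs the patch's guard and the "least operations" guard on TERM lengths either side of the 64-byte limit; build_term() and fake_term() are hypothetical helpers, the speed is passed in instead of being read with cfgetospeed(), and the TERM values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TERM_MAX 64  /* same size as term[64] in the patched rlogin.c */

/* Hypothetical helper (not from rlogin.c): build "TERM/baud" in out.
 * tight == 0 applies the patch's guard, tight == 1 the "least operations"
 * guard from the thread. Returns 1 if the baud suffix was appended. */
static int build_term(char out[TERM_MAX], const char *env_term,
                      unsigned long speed, int tight)
{
    char baud[24];
    size_t need;

    /* Bounded copy, always terminated: at most TERM_MAX - 1 bytes kept. */
    strncpy(out, env_term ? env_term : "network", TERM_MAX - 1);
    out[TERM_MAX - 1] = '\0';

    snprintf(baud, sizeof(baud), "/%lu", speed);
    need = strlen(out) + strlen(baud);   /* bytes before the NUL */

    /* strcat stores need + 1 bytes in total, so need < TERM_MAX is safe. */
    if (tight ? need < TERM_MAX : need < TERM_MAX - 1) {
        strcat(out, baud);
        return 1;
    }
    return 0;
}

/* Constructed input: a TERM value made of n 'x' characters. */
static const char *fake_term(size_t n)
{
    static char buf[512];
    if (n >= sizeof(buf)) n = sizeof(buf) - 1;
    memset(buf, 'x', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    char t[TERM_MAX];
    size_t lens[] = { 5, 56, 57, 58, 300 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int a = build_term(t, fake_term(lens[i]), 19200, 0);
        int b = build_term(t, fake_term(lens[i]), 19200, 1);
        printf("TERM len %3zu: patch guard=%d tight guard=%d\n", lens[i], a, b);
    }
    return 0;
}
```

With "/19200" as the suffix, the two guards differ only for a 57-character TERM, where the result fills the buffer exactly.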

From owner-freebsd-security Fri Aug 16 23:06:29 1996
Date: Fri, 16 Aug 1996 00:01:50 Eastern Daylight Time
From: distribution-request@sevenlocks.com
Reply-To: "Distribution List"
Subject: distribution Digest - V01 #02
To: "Distribution List"
Message-Id: <19960816000225.a29add4e.in@wwwserver.cqi.com>

distribution Digest    Fri, 16 Aug 1996 00:01:50 Eastern Daylight Time    V01 #02

Today's topics:
    'new security information available'
    'new security information available'

----------------------------------------------------------------------

Date: Thu, 15 Aug 1996 21:19:11 Eastern Daylight Time
From: "Dstang"
Subject: new security information available

Dear Security Colleague:

I would like to invite you to subscribe to SecurityDigest, a new, free
bi-monthly electronic newsletter, devoted to security news, issues and
trends. Every issue of SecurityDigest is delivered to your desktop (or
laptop) with the latest security news and information you need, in a clear
and concise e-mail format.

Subscribe now by sending an e-mail message to listserver@sevenlocks.com
containing the string "subscribe securitydigest." Or view the charter issue
of SecurityDigest on Safe@Home, Seven Locks Software's Web site
(http://www.sevenlocks.com/SecurityDigest.htm), where you can also secure
your free subscription.

Sincerely,

David J. Stang
President and CEO
Seven Locks Software, Inc.