From owner-freebsd-security Sun Nov 23 00:34:21 1997
To: freebsd-security@freebsd.org
Subject: Re: "LAND" Attack Update (fwd)
In-reply-to: Your message of "Sat, 22 Nov 97 18:08:02 PST."
Date: Sun, 23 Nov 1997 00:33:15 PST
From: Bill Fenner
Message-Id: <97Nov23.003328pst.177476@crevenia.parc.xerox.com>

After a discussion with Charles, I think that his

>1) If a socket in LISTEN state receives a SYN+ACK packet, then send a
>   RST and drop the packet.

is equivalent to Don Lewis's previous suggestion of dropping SYN+ACK
in SYN_RECEIVED; NetBSD's SYN-flood protection apparently keeps the
socket in LISTEN where in FreeBSD it would be in SYN_RECEIVED.

  Bill

From owner-freebsd-security Sun Nov 23 10:27:01 1997
Date: Sun, 23 Nov 1997 13:20:20 -0500 (EST)
From: spork
To: David Dawes
cc: Philippe Regnauld, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "XFree86 insecurity"
In-Reply-To: <19971122192453.17451@rf900.physics.usyd.edu.au>

A quick fix I already had in place from the old xterm exploits was to
put all the people that use X (well, just me) in a group and make the X
binaries with suid bits only executable by that group rather than
world-execute.  While it's not truly a fix, it does limit your
vulnerability.  I've yet to play with XDM...

Charles Sprickman
spork@super-g.com
----
"I'm not a prophet or a stone-age man
 Just a mortal with potential of a superman
 I'm living on"   -DB

On Sat, 22 Nov 1997, David Dawes wrote:

> On Sat, Nov 22, 1997 at 08:23:50AM +0100, Philippe Regnauld wrote:
>
> We (XFree86) are aware of this one.  I agree with the recommendation of
> removing the setuid bit and using xdm to start the Xserver, and if you
> have XFree86 on a machine where this problem is significant, you should
> consider doing this.
>
> The fix is to disable the '-config' Xserver option.  This will be removed
> in our next release, and also in the next X11 release from The Open
> Group.  It was only added to get around problems on OS's with small
> command line length limits, and should never have been enabled for most
> Unix-like OSs.  The problem isn't XFree86-specific.  It affects any
> platform using X11R6 XC/TOG code where the Xserver is installed setuid
> root (although on non-XFree86 platforms you may need to be a little more
> inventive with the use of the -config option).
>
> David
>
> >Cute one.
> >
> >-----Forwarded message from shegget -----
> >
> >Date: Fri, 21 Nov 1997 18:35:36 +0000
> >From: shegget
> >Subject: XFree86 insecurity
> >To: BUGTRAQ@NETSPACE.ORG
> >
> >              plaguez security advisory n.10
> >
> >                   XFree86 insecurity
> >
> >
> >Program: XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)
> >
> >Version: Tested on XFree86 3.3.1 (current), 3.2.9 and 3.1.2.
> >         Other versions as well.
> >
> >OS:      All
> >
> >Impact:  The XFree86 servers let you specify an alternate configuration
> >         file and do not check whether you have rights to read it.
> >         Any user can read files with root permissions.
> >
> >
> >hello,
> >just a short one to tell you about this "feature" I found in all default
> >XFree86 servers...
> >
> >
> >Here it is:
> >
> >Script started on Sat Aug 23 15:32:36 1997
> >Loading /usr/lib/kbd/keytables/fr-latin1.map
> >[plaguez@plaguez plaguez]$ uname -a
> >Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
> >[plaguez@plaguez plaguez]$ ls -al /etc/shadow
> >-rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow
> >[plaguez@plaguez bin]$ id
> >uid=502(plaguez) gid=500(users) groups=500(users)
> >[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
> >[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
> >Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
> >use: X [:] [option]
> >-a #                   mouse acceleration (pixels)
> >-ac                    disable access control restrictions
> >-audit int             set audit trail level
> >-auth file             select authorization file
> >bc                     enable bug compatibility
> >-bs                    disable any backing store support
> >-c                     turns off key-click
> >
> >... and so on. HINT: look at the first XF86_SVGA output line.
> >
> >
> >Patch:
> >------
> >
> >If you run xdm, you should consider removing the setuid bit of the
> >servers.
> >
> >If not, well, wait for the XFree86 Project to bring you a patch, since I'm
> >too lazy to find and fix it.
> >
> >
> >later,
> >
> >-plaguez
> >dube0866@eurobretagne.fr
> >
> >-----End of forwarded message-----
> >
> >--
> > -- Phil
> >
> > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
>

From owner-freebsd-security Sun Nov 23 14:37:38 1997
Date: Mon, 24 Nov 1997 08:37:08 +1000 (EST)
From: viviani paz
Message-Id: <199711232237.IAA21933@brolga.cc.uq.edu.au>
To: freebsd-security@FreeBSD.ORG

subscribe freebsd

From owner-freebsd-security Sun Nov 23 22:08:37 1997
Message-ID: <19971123205155.18430@koala.lanck.ru>
Date: Sun, 23 Nov 1997 20:51:55 +0300
From: Vladimir Uralsky
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE

On Fri, Nov 21, 1997 at 12:49:05PM +1100, Daniel O'Callaghan wrote:
> > Adding this to rc.firewall on FreeBSD is also a good idea.  Multi-homed
> > hosts require one entry per device, needless to say.
> With terminal servers which have IP addresses which move from interface
> to interface, the following rules are more generic:

Can't understand what the difference is between a
traceroute -s 192.168.1.1 192.168.2.1
where both of them are local addresses of the host, and the exploit program.
Why doesn't it crash a 2.2.5?

--
Vova.

From owner-freebsd-security Mon Nov 24 04:36:49 1997
From: Don Lewis Message-Id: <199711241136.DAA21524@salsa.gv.tsc.tdk.com> Date: Mon, 24 Nov 1997 03:36:41 -0800 In-Reply-To: Don Lewis "Re: new TCP/IP bug in win95 (fwd)" (Nov 21, 4:37pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Don Lewis , Jim Shankland , robert@cyrus.watson.org Subject: Re: new TCP/IP bug in win95 (fwd) Cc: security@freebsd.org Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Nov 21, 4:37pm, Don Lewis wrote: } Subject: Re: new TCP/IP bug in win95 (fwd) } --- tcp_input.c.prev Fri Nov 21 04:34:51 1997 } +++ tcp_input.c Fri Nov 21 16:32:10 1997 } @@ -752,6 +752,18 @@ } } } } /* } + * If the state is SYN_RCVD: } + * If seg contains a SYN,ACK, then drop it and send a RST. } + * We should only ever get an ACK or a duplicate SYN (if our } + * SYN,ACK was lost) in this state. } + * Otherwise continue processing } + */ } + case TCPS_SYN_RECEIVED: } + if ((tiflags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) } + goto dropwithreset; } + break; /* continue normal processing */ } + } + /* } * If the state is SYN_SENT: } * if seg contains an ACK, but not for our SYN, drop the input. } * if seg contains a RST, then drop the connection. }-- End of excerpt from Don Lewis I'm pretty sure this breaks simultaneous opens and self-connects, so how about the following? --- tcp_input.c.prev Fri Nov 21 04:34:51 1997 +++ tcp_input.c Mon Nov 24 03:12:11 1997 
@@ -752,6 +752,32 @@ } /* + * If the state is SYN_RCVD: + * If the segment contains a SYN and the sequence number + * doesn't match the initial receive sequence number which + * was set by the previous SYN, drop the segment and send + * a RST. + * + * We'd also like to drop the segment and send a RST if + * the segment contains SYN-ACK, but we'll receive this + * in the (uncommon) simultaneous open or self-connect + * cases. In the usual case, we should only ever get an + * ACK or a duplicate SYN (if our SYN-ACK was lost) in + * this state. It would be ideal if we could perform this + * additional check if the previous state was LISTEN and + * skip this check if the previous state was SYN_SENT. + * As it stands, it's possible for a forged SYN to cause + * us to do a self-connect on a listening socket if the + * proper sequence number can be guessed. + * + * Otherwise continue processing + */ + case TCPS_SYN_RECEIVED: + if ((tiflags & TH_SYN) && ti->seq != tp->irs) + goto dropwithreset; + break; /* continue normal processing */ + + /* * If the state is SYN_SENT: * if seg contains an ACK, but not for our SYN, drop the input. * if seg contains a RST, then drop the connection. BTW, does anyone else think that instead of "goto dropwithreset" that this should be a call to tcp_drop()? If we tell our client to go away, it would seem there's no sense in keeping our socket around until it times out, though I suppose it will go away when we retry the SYN-ACK and get a RST. I might also be convinced that this should just be "goto drop". Likewise in the code below: /* * Ack processing. */ switch (tp->t_state) { /* * In SYN_RECEIVED state if the ack ACKs our SYN then enter * ESTABLISHED state and continue processing, otherwise * send an RST. */ case TCPS_SYN_RECEIVED: if (SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)) goto dropwithreset; Also the following looks wrong to me. Doesn't it end up sending two RST packets? 
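
Review bot: in the added `case TCPS_SYN_RECEIVED:` test of the second patch (the `@@ -752,6 +752,32 @@` hunk), `ti->seq` does not follow the `ti_`-prefixed field naming that the rest of the tcp_input.c code in this message uses (`ti->ti_ack` in the ACK-processing excerpt), so the condition should read `(tiflags & TH_SYN) && ti->ti_seq != tp->irs`. The new comment also states that a forged SYN with a correctly guessed sequence number still passes this check and can push a listening socket into a self-connect; that residual case is worth recording in the commit message, since the check then relies on the initial sequence number being hard to predict.
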
	/*
	 * If a SYN is in the window, then this is an
	 * error and we send an RST and drop the connection.
	 */
	if (tiflags & TH_SYN) {
		tp = tcp_drop(tp, ECONNRESET);
		goto dropwithreset;
	}

From owner-freebsd-security Mon Nov 24 05:25:46 1997
Message-Id: <199711241325.FAA02196@hub.freebsd.org>
From: Darren Reed Subject: Re: new TCP/IP bug in win95 (fwd) To: Don.Lewis@tsc.tdk.com (Don Lewis) Date: Tue, 25 Nov 1997 00:24:49 +1100 (EDT) Cc: jas@flyingfox.com, robert@cyrus.watson.org, security@FreeBSD.ORG In-Reply-To: <199711241136.DAA21524@salsa.gv.tsc.tdk.com> from "Don Lewis" at Nov 24, 97 03:36:41 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk In some mail from Don Lewis, sie said: > > + * As it stands, it's possible for a forged SYN to cause > + * us to do a self-connect on a listening socket if the > + * proper sequence number can be guessed. The non-trivial to guess iss is the default now, right ? From owner-freebsd-security Mon Nov 24 10:04:47 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA19926 for security-outgoing; Mon, 24 Nov 1997 10:04:47 -0800 (PST) (envelope-from owner-freebsd-security) Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA19669 for security@freebsd.org; Mon, 24 Nov 1997 10:01:27 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 24 Nov 1997 10:01:27 -0800 (PST) Message-Id: <199711241801.KAA19669@hub.freebsd.org> 
From: FreeBSD bugmaster
To: security
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker    Resp.             Description
-------------------------------------------------------------------------------
o  [1997/11/20] kern/5103  security-officer  It appears to be possible to lockup a Fre

1 problem total.

Non-critical problems

From owner-freebsd-security Mon Nov 24 15:25:43 1997
Message-ID: <19971124222458.58789@grape.carrier.kiev.ua>
Date: Mon, 24 Nov 1997 22:24:59 +0200
From: Alexander Litvin
To: security@freebsd.org
Subject: LAND -- does it work?

Hi!

Until now, I was unable to freeze any of our FreeBSDs --
2.2.1, 2.2.2, 2.2.5-STABLE (about two weeks, no fix),
3.0-CURRENT (about the beginning of November).

Can somebody authoritatively say -- does it work for FreeBSD?

--
Litvin Alexander

From owner-freebsd-security Mon Nov 24 20:30:19 1997
Date: Tue, 25 Nov 1997 06:30:09 +0200 (EET)
From: Owner of many system processes
Message-Id: <199711250430.GAA20049@bit.cs.kiev.ua>

Alexander Litvin (archer@lucky.net) wrote:
> Hi!
> Until now, I was unable to freeze any of our FreeBSDs --
> 2.2.1, 2.2.2, 2.2.5-STABLE (about two weeks, no fix),
> 3.0-CURRENT (about the beginning of November).

I second this. I have 2.2.5 (makeworlded), 2.2-stable which is a bit
earlier than that, couple of old 2.2s (all older than 2.2-RELEASE), and
3.0-971008-SNAP. None of them crashed (and some non-freebsd boxes
crashed, so I am sure it is the right kind of code).

all the hosts in question have IPFIREWALL in kernel; probably by
incident ;-)

--
There is no human problem which could not be solved if people would
simply do as I advise. -Gore Vidal

From owner-freebsd-security Mon Nov 24 22:16:39 1997
Date: Tue, 25 Nov 1997 07:45:13 +0200 (EET)
From: User VLAD
To: security@FreeBSD.ORG
Subject: Re: LAND -- does it work?
In-Reply-To: <19971124222458.58789@grape.carrier.kiev.ua>

On Mon, 24 Nov 1997, Alexander Litvin wrote:

> Hi!
>
> Until now, I was unable to freeze any of our FreeBSDs --
> 2.2.1, 2.2.2, 2.2.5-STABLE (about two weeks, no fix),
> 3.0-CURRENT (about the beginning of November).
>
> Can somebody authoritatively say -- does it work for FreeBSD?
>
> --
> Litvin Alexander
>

I have one 2.2.2-RELEASE (not updated since June) and one 2.2.5-STABLE
(last update November 10, 1997) boxes, but even after multiple tests
locally and remotely (also using different ports) there was nothing
like freezing; however, we got a linux box with 2.0.29 kernel, win95
and winNT frozen.

--
Vlad Cambur

From owner-freebsd-security Tue Nov 25 02:59:34 1997
From: Yury Yaroshevsky
Message-Id: <199711251058.MAA13020@info.dgtu.donetsk.ua>
Subject: Re: LAND -- does it work?
In-Reply-To: <19971124222458.58789@grape.carrier.kiev.ua> from Alexander Litvin at "Nov 24, 97 10:24:59 pm"
To: archer@lucky.net (Alexander Litvin)
Date: Tue, 25 Nov 1997 12:58:03 +0200 (EET)
Cc: security@FreeBSD.ORG

> Until now, I was unable to freeze any of our FreeBSDs --
> 2.2.1, 2.2.2, 2.2.5-STABLE (about two weeks, no fix),
> 3.0-CURRENT (about the beginning of November).
>
> Can somebody authoritatively say -- does it work for FreeBSD?

As for me, Land works successfully only against 2.1.0.
It is unable to freeze 2.1-Stable and 2.2.5-Stable.

--
Yury V. Yaroshevsky                 | 380 (622) 356455
Donetsk State Technical University  | yk@dgtu.donetsk.ua

From owner-freebsd-security Tue Nov 25 06:37:22 1997
Message-Id: <199711251435.GAA01057@cwsys.cwsent.com>
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Alexander Litvin
cc: security@freebsd.org
Subject: Re: LAND -- does it work?
In-reply-to: Your message of "Mon, 24 Nov 1997 22:24:59 +0200." <19971124222458.58789@grape.carrier.kiev.ua>
Date: Tue, 25 Nov 1997 06:34:58 -0800

> Hi!
>
> Until now, I was unable to freeze any of our FreeBSDs --
> 2.2.1, 2.2.2, 2.2.5-STABLE (about two weeks, no fix),
> 3.0-CURRENT (about the beginning of November).

I've tried it on my 2.2.2 boxes (and will try it on 2.2.5 when I get the
CDROM).  I haven't been able to get it to hang the FreeBSD IP stack.

>
> Can somebody authoritatively say -- does it work for FreeBSD?
>
> --
> Litvin Alexander
>

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

                "Quit spooling around, JES do it."

From owner-freebsd-security Tue Nov 25 11:04:32 1997
Date: Tue, 25 Nov 1997 14:04:04 -0500 (EST)
From: "Jay M. Richmond"
To: freebsd-security@freebsd.org
Subject: Intel update?

Hello,

I am not trying to bother or hurry anyone, I'm just wondering if I've
missed something here.  Has FreeBSD released any kind of patch for
protection against the latest Intel bug?  Perhaps I missed something
posted to the list.  It's been I think more than a couple weeks since
the bug was discovered, and other 'free' operating systems, such as
Linux and NetBSD, have patched against the problem already.

So, I guess what I'm asking, should I buy the AMD K6 or not? :)

Thanks for your time,

Jay

From owner-freebsd-security Tue Nov 25 14:46:48 1997
Date: Tue, 25 Nov 1997 09:58:56 +1100 (EST)
From: warpy
Reply-To: warpy
To: freebsd-security@freebsd.org
Subject: Possible problem with ftpd 6.00

This morning I noticed something I didn't think should be happening.  That
being the password being used by an anonymous user logging into ftp
showing up in the process list.  However this did not happen when I logged
in as a normal user.  Obviously there isn't much upon first glance that can
be done to exploit it (at least I think so), but does it need to occur at
all?

If this has been discussed before I apologise.

---

This is what happened:

typhoon:~$ uname -a
FreeBSD typhoon 2.2.5-STABLE FreeBSD 2.2.5-STABLE #0: Sun Nov 23 18:09:03 EST 1997 root@typhoon:/usr/src/sys/compile/TYPHOON i386
typhoon:~$ ftp localhost 465
Connected to localhost.
220 typhoon FTP server (Version 6.00) ready.
Name (localhost:warpy): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ^Z
[2]+  Stopped                 ftp localhost
typhoon:~$ ps -ax |grep ftpd |grep -v grep
  951  ??  IWs    0:00.12 ftpd: localhost: anonymous/ftp@: SYST\r\n (ftpd)
typhoon:~$

typhoon:~$ ftp localhost
Connected to localhost.
220 typhoon FTP server (Version 6.00) ready.
Name (localhost:warpy):
331 Password required for warpy.
Password:
230 User warpy logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ^Z
[1]+  Stopped                 ftp localhost 465
typhoon:~$ ps -ax |grep ftpd |grep -v grep
  951  ??  IWs    0:00.12 ftpd: localhost: warpy: SYST\r\n (ftpd)
typhoon:~$

Comments?
Warpy

+--------------------------------------------------------------------+
|                   http://www.sekurity.org/~warpy                   |
| Key fingerprint = 02 78 30 F9 0A 73 15 24 A2 E4 B1 A0 F0 42 80 B0  |
+--------------------------------------------------------------------+

From owner-freebsd-security Tue Nov 25 17:34:33 1997
Date: Wed, 26 Nov 1997 12:34:06 +1100 (EST)
From: "Daniel O'Callaghan"
To: warpy
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible problem with ftpd 6.00

On Tue, 25 Nov 1997, warpy wrote:

> This morning I noticed something I didn't think should be happening.  That
> being the password being used by an anonymous user logging into ftp
> showing up in the process list.  However this did not happen when I logged
> in as a normal user.  Obviously there isn't much upon first glance that can
> be done to exploit it (at least I think so), but does it need to occur at
> all?
>
> Name (localhost:warpy): ftp
> 331 Guest login ok, send your email address as password.
>   951  ??  IWs    0:00.12 ftpd: localhost: anonymous/ftp@: SYST\r\n (ftpd)

Since people send their e-mail address as a password, it can be
interesting to see who is logged on.  This is a feature, not a bug.

Danny

From owner-freebsd-security Wed Nov 26 09:24:57 1997
Date: Wed, 26 Nov 1997 09:24:32 -0800 (PST)
Message-Id: <199711261724.JAA06393@bangkok.office.cdsnet.net>
From: Craig Spannring
To: "Daniel O'Callaghan"
Cc: warpy, freebsd-security@freebsd.org
Subject: Re: Possible problem with ftpd 6.00

Daniel O'Callaghan writes:
 > On Tue, 25 Nov 1997, warpy wrote:
 > > Obviously there isn't much upon first glance that can
 > > be done to exploit it (at least I think so), but does it need to occur at
 > > all?

If they really did type the email address it's not very exploitable.
Unfortunately a lot of people type their real password when prompted
for a password.

 > Since people send their e-mail address as a password, it can be
 > interesting to see who is logged on.  This is a feature, not a bug.

Yes, it's a feature, but it's risky enough that it should be dropped.

--
======================================================================
        Life is short.         |  Craig Spannring
     Ski hard, Bike fast.      |  cts@cdsnet.net
-------------------------------+------------------------------------
     Save Cyberspace-          |  On the planet Vulcan, MSDOS
  Shoot a Perl Developer!      |  would be considered illogical.
======================================================================

From owner-freebsd-security Wed Nov 26 11:59:03 1997
To: Craig Spannring
cc: "Daniel O'Callaghan", warpy, freebsd-security@FreeBSD.ORG
Subject: Re: Possible problem with ftpd 6.00
In-reply-to: Your message of "Wed, 26 Nov 1997 09:24:32 PST." <199711261724.JAA06393@bangkok.office.cdsnet.net>
Date: Wed, 26 Nov 1997 11:58:19 -0800
Message-ID: <3573.880574299@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> If they really did type the email address it's not very exploitable.
> Unfortunately a lot of people type their real password when prompted
> for a password.

These people are too stupid to remain computer users. :-)

Jordan

From owner-freebsd-security Wed Nov 26 22:40:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA02834 for security-outgoing; Wed, 26 Nov 1997 22:40:37 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id WAA02829 for ; Wed, 26 Nov 1997 22:40:34 -0800 (PST) (envelope-from sheldonh@axl.iafrica.com)
Received: from axl.iafrica.com [196.31.1.167] (root) by lists01.iafrica.com with esmtp (Exim 1.73 #1) id 0xaxbw-0005T7-00; Thu, 27 Nov 1997 08:39:40 +0200
Received: from axl.iafrica.com (sheldonh@localhost [127.0.0.1]) by axl.iafrica.com (8.8.8/8.8.7) with ESMTP id IAA11499; Thu, 27 Nov 1997 08:40:21 +0200 (SAT) (envelope-from sheldonh@axl.iafrica.com)
From: Sheldon Hearn To: Craig Spannring cc: freebsd-security@freebsd.org Subject: Re: Possible problem with ftpd 6.00 In-reply-to: Your message of "Wed, 26 Nov 1997 09:24:32 PST." <199711261724.JAA06393@bangkok.office.cdsnet.net> Date: Thu, 27 Nov 1997 08:40:21 +0200 Message-ID: <11496.880612821@axl.iafrica.com> Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Wed, 26 Nov 1997 09:24:32 PST, Craig Spannring wrote: > Yes, it's a feature, but it's risky enough that it should be dropped. I think FreeBSD security is more about making a box as tight as you can wrap it, rather than trying to weave a "one size fits all" mantle for those who refuse to read documentation. :-) 2c.sheldonh From owner-freebsd-security Wed Nov 26 23:43:30 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA06738 for security-outgoing; Wed, 26 Nov 1997 23:43:30 -0800 (PST) (envelope-from owner-freebsd-security) Received: from kithrup.com (kithrup.com [205.179.156.40]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA06725; Wed, 26 Nov 1997 23:43:23 -0800 (PST) (envelope-from sef@kithrup.com) Received: (from sef@localhost) by kithrup.com (8.8.8/8.8.7) id XAA08912; Wed, 26 Nov 1997 23:43:19 -0800 (PST) (envelope-from sef) Date: Wed, 26 Nov 1997 23:43:19 -0800 (PST) 
From: Sean Eric Fagan
Message-Id: <199711270743.XAA08912@kithrup.com>
To: security@freebsd.org, hackers@freebsd.org
Reply-To: sef@kithrup.com
Subject: Updated f00f workaround
Organization: Kithrup Enterprises, Ltd.
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Well, I was waiting for someone else to do anything about this, but
everybody is apparently busy :).

This isn't quite right -- I think there should be a less obviously-i386
method of making the page in question non-writable; there should be a
better way to allocate two page-aligned pages of memory; and the check for
the fault address should be done lower, but I don't know the code well
enough to decide where.

Note that these patches are relative to my 2.2-ish source code, but should
apply fairly cleanly to any of the distributions. Also note that I don't
have anything ifdef'd out just yet, although that'll happen before I check
it in.

Index: i386/i386/identcpu.c =================================================================== RCS file: /usr/home/sef/CVS-kernel/sys/i386/i386/identcpu.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 identcpu.c --- identcpu.c 1997/03/01 02:57:12 1.1.1.1 +++ identcpu.c 1997/11/27 07:15:00 @@ -78,6 +78,8 @@ { "Pentium Pro", CPUCLASS_686 }, /* CPU_686 */ }; +int has_f00f_bug = 0; + void identifycpu(void) { @@ -105,6 +107,7 @@ break; case 0x500: strcat(cpu_model, "Pentium"); /* nb no space */ + has_f00f_bug = 1; break; case 0x600: strcat(cpu_model, "Pentium Pro"); Index: i386/i386/machdep.c =================================================================== RCS file: /usr/home/sef/CVS-kernel/sys/i386/i386/machdep.c,v retrieving revision 1.2 diff -u -r1.2 machdep.c --- machdep.c 1997/03/01 05:36:35 1.2 +++ machdep.c 1997/11/27 07:39:00 
@@ -803,6 +803,10 @@ struct gate_descriptor idt[NIDT]; /* interrupt descriptor table */ union descriptor ldt[NLDT]; /* local descriptor table */ +struct gate_descriptor *t_idt; +unsigned char f00f_idt[PAGE_SIZE * 3]; /* XXX */ +int has_f00f_bug; + static struct i386tss dblfault_tss; static char dblfault_stack[PAGE_SIZE]; @@ -1393,6 +1397,37 @@ /* setup proc 0's pcb */ proc0.p_addr->u_pcb.pcb_flags = 0; proc0.p_addr->u_pcb.pcb_cr3 = IdlePTD; +} + +void f00f_hack(void); +SYSINIT(f00f_hack, SI_SUB_INTRINSIC, SI_ORDER_FIRST, f00f_hack, NULL); + +void +f00f_hack(void) { + struct region_descriptor r_idt; + unsigned char *tmp; + int i; + vm_offset_t vp; + unsigned *pte; + + if (!has_f00f_bug) + return; + + printf("Intel Pentium F00F detected, installing workaround\n"); + + r_idt.rd_limit = sizeof(idt) - 1; + + tmp = (unsigned char*)roundup2((unsigned)f00f_idt, PAGE_SIZE); + tmp += PAGE_SIZE - (7 * 8); /* Put 7 entries in lower page */ + t_idt = (struct gate_descriptor*)tmp; + bcopy(idt, t_idt, sizeof(idt)); + r_idt.rd_base = (int)t_idt; + lidt(&r_idt); + vp = trunc_page(t_idt); + pte = (unsigned*)vtopte(vp); + *pte = *pte & ~PG_RW; /* Mark page as non-writable */ + invlpg(vp); + return; } /* Index: i386/i386/trap.c =================================================================== RCS file: /usr/home/sef/CVS-kernel/sys/i386/i386/trap.c,v retrieving revision 1.3 diff -u -r1.3 trap.c --- trap.c 1997/11/24 08:19:19 1.3 +++ trap.c 1997/11/27 07:38:59 @@ -134,6 +134,11 @@ static void userret __P((struct proc *p, struct trapframe *frame, u_quad_t oticks)); +extern struct gate_descriptor *t_idt; +extern int has_f00f_bug; +static int f00f_traps[] = { T_DIVIDE, T_TRCTRAP, T_NMI, T_BPTFLT, + T_OFLOW, T_BOUND, T_PRIVINFLT }; + static inline void userret(p, frame, oticks) struct proc *p; @@ -190,6 +195,7 @@ u_long eva; #endif +restart: type = frame.tf_trapno; code = frame.tf_err; 
@@ -257,6 +263,8 @@ i = trap_pfault(&frame, TRUE); if (i == -1) return; + if (i == -2) + goto restart; if (i == 0) goto out; @@ -599,6 +607,21 @@ eva = rcr2(); va = trunc_page((vm_offset_t)eva); + + if (has_f00f_bug && + (eva >= (unsigned int)t_idt) && + (eva <= (unsigned int)(((unsigned char*)t_idt) + 7*8))) { + int nr; + + /* + * I think this bit of code should only happen + * on a Pentium with the F00F bug, as nothing else + * should really try to write to the IDT page. + */ + nr = (eva - (unsigned int)t_idt) / 8; + frame->tf_trapno = f00f_traps[nr]; + return -2; + } if (va >= KERNBASE) { /* From owner-freebsd-security Thu Nov 27 11:54:22 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA18588 for security-outgoing; Thu, 27 Nov 1997 11:54:22 -0800 (PST) (envelope-from owner-freebsd-security) Received: from kithrup.com (kithrup.com [205.179.156.40]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA18563; Thu, 27 Nov 1997 11:54:15 -0800 (PST) (envelope-from sef@kithrup.com) Received: (from sef@localhost) by kithrup.com (8.8.8/8.8.7) id LAA24160; Thu, 27 Nov 1997 11:54:14 -0800 (PST) (envelope-from sef) Date: Thu, 27 Nov 1997 11:54:14 -0800 (PST) 
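Review bot: the range test in the trap_pfault() hunk of trap.c is inclusive at the top, `(eva <= (unsigned int)(((unsigned char*)t_idt) + 7*8))`, so a fault address exactly 56 bytes past t_idt passes the test, gives nr = 7, and reads f00f_traps[7], one element past the end of the seven-entry array declared in the earlier trap.c hunk. That address is also the first byte of descriptor 7, which the f00f_hack() comment places outside the lower page. Use `<` for the upper bound, or bound nr against the array size before indexing.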
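Review bot: nothing in f00f_hack() (machdep.c) checks that sizeof(idt) fits in what is left of f00f_idt after `roundup2()` and the `PAGE_SIZE - (7 * 8)` offset. In the worst case only PAGE_SIZE + 56 bytes remain from t_idt to the end of the three-page buffer, and the bcopy() silently depends on the table being no larger than that; a compile-time or boot-time check would make the assumption explicit. `int i;` is declared and never used, and the direct `*pte = *pte & ~PG_RW;` deserves a comment saying why the VM layer is bypassed.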
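Review bot: `int has_f00f_bug;` in the machdep.c declarations hunk is a second definition of a variable that the identcpu.c hunk already defines with `int has_f00f_bug = 0;`. Declare it `extern` here, as the trap.c hunk does, so that there is exactly one definition. The bare `/* XXX */` on `f00f_idt[PAGE_SIZE * 3]` should say what is wrong with the static buffer, since the cover note already names the allocation as something to improve.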
From: Sean Eric Fagan Message-Id: <199711271954.LAA24160@kithrup.com> To: hackers@freebsd.org, security@freebsd.org Reply-To: sef@kithrup.com Subject: Re: Updated f00f workaround Organization: Kithrup Enterprises, Ltd. Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Okay, I took Stephen McKay's suggestions to heart, and here are what I hope are the final diffs. I'm currently running this kernel in multiuser mode, and haven't noticed any problems (yet, anyway ;)). Overhead should be minimal. Index: identcpu.c =================================================================== RCS file: /usr/home/sef/CVS-kernel/sys/i386/i386/identcpu.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 identcpu.c --- identcpu.c 1997/03/01 02:57:12 1.1.1.1 +++ identcpu.c 1997/11/27 19:48:34 @@ -78,6 +78,10 @@ { "Pentium Pro", CPUCLASS_686 }, /* CPU_686 */ }; +#ifndef NO_F00F_HACK +int has_f00f_bug = 0; +#endif + void identifycpu(void) { @@ -105,6 +109,14 @@ break; case 0x500: strcat(cpu_model, "Pentium"); /* nb no space */ +#ifndef NO_F00F_HACK + /* + * XXX - If/when Intel fixes the bug, this + * should also check the version of the + * CPU, not just that it's a Pentium. + */ + has_f00f_bug = 1; +#endif break; case 0x600: strcat(cpu_model, "Pentium Pro"); Index: machdep.c =================================================================== RCS file: /usr/home/sef/CVS-kernel/sys/i386/i386/machdep.c,v retrieving revision 1.2 diff -u -r1.2 machdep.c --- machdep.c 1997/03/01 05:36:35 1.2 +++ machdep.c 1997/11/27 19:48:34 @@ -803,6 +803,11 @@ struct gate_descriptor idt[NIDT]; /* interrupt descriptor table */ union descriptor ldt[NLDT]; /* local descriptor table */ +#ifndef NO_F00F_HACK +struct gate_descriptor *t_idt; +int has_f00f_bug; +#endif + static struct i386tss dblfault_tss; static char dblfault_stack[PAGE_SIZE]; 
@@ -1394,6 +1399,42 @@ proc0.p_addr->u_pcb.pcb_flags = 0; proc0.p_addr->u_pcb.pcb_cr3 = IdlePTD; } + +#ifndef NO_F00F_HACK +void f00f_hack(void); +SYSINIT(f00f_hack, SI_SUB_INTRINSIC, SI_ORDER_FIRST, f00f_hack, NULL); + +void +f00f_hack(void) { + struct region_descriptor r_idt; + unsigned char *tmp; + int i; + vm_offset_t vp; + unsigned *pte; + + if (!has_f00f_bug) + return; + + printf("Intel Pentium F00F detected, installing workaround\n"); + + r_idt.rd_limit = sizeof(idt) - 1; + + tmp = kmem_alloc(kernel_map, PAGE_SIZE * 2); + if (((unsigned int)tmp) & 4095) + panic("kern_alloc returned non-page-aligned memory"); + /* Put the first seven entries in the lower page */ + t_idt = (struct gate_descriptor*)(tmp + PAGE_SIZE - (7*8)); + bcopy(idt, t_idt, sizeof(idt)); + r_idt.rd_base = (int)t_idt; + lidt(&r_idt); + vp = trunc_page(t_idt); + if (vm_map_protect(kernel_map, tmp, tmp + (PAGE_SIZE*2), + VM_PROT_READ, FALSE) != KERN_SUCCESS) + panic("vm_map_protect failed"); + invlpg(vp); /* XXX -- is this necessary? */ + return; +} +#endif /* NO_F00F_HACK */ /* * The registers are in the frame; the frame is in the user area of Index: trap.c =================================================================== RCS file: /usr/home/sef/CVS-kernel/sys/i386/i386/trap.c,v retrieving revision 1.3 diff -u -r1.3 trap.c --- trap.c 1997/11/24 08:19:19 1.3 +++ trap.c 1997/11/27 19:48:35 @@ -134,6 +134,11 @@ static void userret __P((struct proc *p, struct trapframe *frame, u_quad_t oticks)); +#ifndef NO_F00F_HACK +extern struct gate_descriptor *t_idt; +extern int has_f00f_bug; +#endif + static inline void userret(p, frame, oticks) struct proc *p; @@ -190,6 +195,9 @@ u_long eva; #endif +#ifndef NO_F00F_HACK +restart: +#endif type = frame.tf_trapno; code = frame.tf_err; @@ -257,6 +265,10 @@ i = trap_pfault(&frame, TRUE); if (i == -1) return; +#ifndef NO_F00F_HACK + if (i == -2) + goto restart; +#endif if (i == 0) goto out; 
@@ -603,7 +615,18 @@ if (va >= KERNBASE) { /* * Don't allow user-mode faults in kernel address space. + * An exception: if the faulting address is the invalid + * instruction entry in the IDT, then the Intel Pentium + * F00F bug workaround was triggered, and we need to + * treat it is as an illegal instruction, and not a page + * fault. */ +#ifndef NO_F00F_HACK + if ((eva == (unsigned int)&t_idt[6]) && has_f00f_bug) { + frame->tf_trapno = T_PRIVINFLT; + return -2; + } +#endif if (usermode) goto nogo; From owner-freebsd-security Thu Nov 27 12:23:32 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA20221 for security-outgoing; Thu, 27 Nov 1997 12:23:32 -0800 (PST) (envelope-from owner-freebsd-security) Received: from nomis.simon-shapiro.org (nomis.i-Connect.Net [206.190.143.100]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id MAA20189 for ; Thu, 27 Nov 1997 12:23:26 -0800 (PST) (envelope-from shimon@nomis.Simon-Shapiro.ORG) Received: (qmail 27241 invoked by uid 1000); 27 Nov 1997 20:22:50 -0000 Message-ID: X-Mailer: XFMail 1.2-beta-111997 [p0] on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <3573.880574299@time.cdrom.com> Date: Thu, 27 Nov 1997 12:22:50 -0800 (PST) Reply-To: shimon@simon-shapiro.org Organization: The Simon shapiro Foundation 
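Review bot: the only check on the kmem_alloc() result in f00f_hack() (machdep.c) is the alignment test `if (((unsigned int)tmp) & 4095)`; a zero return passes it and the following bcopy() then runs on a bogus address, so test for failure explicitly and use the page-size macro rather than the literal 4095. The panic text says "kern_alloc" while the call is kmem_alloc(), `int i;` is still unused, and `tmp` is an `unsigned char *` that is assigned from kmem_alloc() and passed to vm_map_protect() as an address with no cast in either direction.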
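Review bot: `eva == (unsigned int)&t_idt[6]` in the trap_pfault() hunk of trap.c matches only the first byte of descriptor 6, where the previous revision matched a range. If the reported fault address can be any other byte of that 8-byte descriptor, the workaround is skipped and the fault is handled as an ordinary kernel-address page fault; either compare against the whole descriptor or state in the comment why the first byte is the only value that can appear. The new comment also contains the typo "treat it is as", and testing has_f00f_bug before the address comparison would read more naturally.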
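Review bot: has_f00f_bug is still defined twice under the same `#ifndef NO_F00F_HACK`, once in the identcpu.c hunk with an initializer and once in the machdep.c declarations hunk as `int has_f00f_bug;`. Make the machdep.c declaration `extern` to match trap.c.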
From: Simon Shapiro
To: "Jordan K. Hubbard"
Subject: Re: Possible problem with ftpd 6.00
Cc: freebsd-security@FreeBSD.ORG, warpy, "Daniel O'Callaghan", Craig Spannring
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On 26-Nov-97 Jordan K. Hubbard wrote:
>> If they really did type the email address it's not very exploitable.
>> Unfortunately a lot of people type their real password when prompted
>> for a password.
>
> These people are too stupid to remain computer users. :-)
>
> Jordan

if ( strncmp(login, "ftp", MAX_LOGIN) &&
     strncmp(login, "anonymous", MAX_LOGIN) ) {
    printf("Password; ");
} else {
    printf("Your E-Mail Address, please ");
}

No ?

From owner-freebsd-security Thu Nov 27 12:23:36 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA20234 for security-outgoing; Thu, 27 Nov 1997 12:23:36 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from nomis.simon-shapiro.org (nomis.i-Connect.Net [206.190.143.100]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id MAA20211 for ; Thu, 27 Nov 1997 12:23:29 -0800 (PST) (envelope-from shimon@nomis.Simon-Shapiro.ORG)
Received: (qmail 27278 invoked by uid 1000); 27 Nov 1997 20:22:54 -0000
Message-ID:
X-Mailer: XFMail 1.2-beta-111997 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <3573.880574299@time.cdrom.com>
Date: Thu, 27 Nov 1997 12:22:54 -0800 (PST)
Reply-To: shimon@simon-shapiro.org
Organization: The Simon shapiro Foundation
From: Simon Shapiro
To: "Jordan K. Hubbard"
Subject: Re: Possible problem with ftpd 6.00
Cc: freebsd-security@FreeBSD.ORG, warpy, "Daniel O'Callaghan", Craig Spannring
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On 26-Nov-97 Jordan K. Hubbard wrote:
>> If they really did type the email address it's not very exploitable.
>> Unfortunately a lot of people type their real password when prompted
>> for a password.
>
> These people are too stupid to remain computer users. :-)
>
> Jordan

Maybe. But the prompt does say ``password:''

If I hook up your car's horn to the brake light switch every time you
drive west on highway 26, you will get annoyed. No?

Simon

From owner-freebsd-security Thu Nov 27 14:36:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA27843 for security-outgoing; Thu, 27 Nov 1997 14:36:00 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from blubb.pdc.kth.se (blubb.pdc.kth.se [193.10.159.47]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id OAA27838 for ; Thu, 27 Nov 1997 14:35:57 -0800 (PST) (envelope-from joda@pdc.kth.se)
Received: from joda by blubb.pdc.kth.se with local (Exim 1.71 #3) id 0xbCWb-0000gv-00; Thu, 27 Nov 1997 23:35:09 +0100
To: shimon@simon-shapiro.org
Cc: "Jordan K. Hubbard", freebsd-security@freebsd.org, warpy, "Daniel O'Callaghan", Craig Spannring
Subject: Re: Possible problem with ftpd 6.00
References:
X-Emacs: 19.34
Mime-Version: 1.0 (generated by SEMI MIME-Edit 0.77)
Content-Type: multipart/mixed; boundary="Multipart_Thu_Nov_27_23:35:08_1997-1"
Content-Transfer-Encoding: 7bit
From: joda@pdc.kth.se (Johan Danielsson)
Date: 27 Nov 1997 23:35:08 +0100
In-Reply-To: Simon Shapiro's message of Thu, 27 Nov 1997 12:22:50 -0800 (PST)
Message-ID:
Lines: 44
X-Mailer: Gnus v5.4.52/Emacs 19.34
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

--Multipart_Thu_Nov_27_23:35:08_1997-1
Content-Type: text/plain; charset=US-ASCII

Simon Shapiro writes:

> if ( strncmp(login, "ftp", MAX_LOGIN) &&
>      strncmp(login, "anonymous", MAX_LOGIN) ) {
>     printf("Password; ");
> } else {
>     printf("Your E-Mail Address, please ");
> }

The problem is that the client can't know that it's the email address
it should send. I did something like the following, (from
ftp.c[login]), which makes it more obvious to the user.

/Johan

--Multipart_Thu_Nov_27_23:35:08_1997-1
Content-Type: text/plain; charset=US-ASCII

    if (n == CONTINUE) {
        if(auth_complete)
            pass = myname;
        else if (pass == NULL) {
            char prompt[128];
            if(myname &&
               (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))){
                snprintf(defaultpass, sizeof(defaultpass),
                         "%s@%s", myname, mydomain);
                snprintf(prompt, sizeof(prompt),
                         "Password (%s): ", defaultpass);
            }else{
                strcpy(defaultpass, "");
                snprintf(prompt, sizeof(prompt), "Password: ");
            }
            pass = defaultpass;
            des_read_pw_string (tmp, sizeof(tmp), prompt, 0);
            if(tmp[0])
                pass = tmp;
        }
        n = command("PASS %s", pass);
    }

--Multipart_Thu_Nov_27_23:35:08_1997-1--

From owner-freebsd-security Thu Nov 27 14:49:46 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA28477 for security-outgoing; Thu, 27 Nov 1997 14:49:46 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from smtp01.primenet.com (smtp01.primenet.com [206.165.6.131]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA28455; Thu, 27 Nov 1997 14:49:37 -0800 (PST) (envelope-from tlambert@usr07.primenet.com)
Received: (from daemon@localhost) by smtp01.primenet.com (8.8.8/8.8.8) id JAA02497; Thu, 27 Nov 1997 09:07:31 -0700 (MST)
Received: from
usr07.primenet.com(206.165.6.207) via SMTP by smtp01.primenet.com, id smtpd002470; Thu Nov 27 09:07:22 1997 Received: (from tlambert@localhost) by usr07.primenet.com (8.8.5/8.8.5) id PAA13327; Thu, 27 Nov 1997 15:48:55 -0700 (MST) 
From: Terry Lambert
Message-Id: <199711272248.PAA13327@usr07.primenet.com>
Subject: Re: Updated f00f workaround
To: sef@kithrup.com
Date: Thu, 27 Nov 1997 22:48:55 +0000 (GMT)
Cc: hackers@freebsd.org, security@freebsd.org
In-Reply-To: <199711271954.LAA24160@kithrup.com> from "Sean Eric Fagan" at Nov 27, 97 11:54:14 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Okay, I took Stephen McKay's suggestions to heart, and here are what I hope
> are the final diffs. I'm currently running this kernel in multiuser mode,
> and haven't noticed any problems (yet, anyway ;)). Overhead should be
> minimal.

This is going to sound weird, because it means you would need to
include replacement trap() and trap_pfault() code, but...

Any chance of writing this as an LKM?

This would allow binary patch for those people who can't/won't
recompile their kernels, and would make it an administrative choice.

It would also make it easier to carry between versions (I thought of
this because you used a SYSINIT() for it).

I've often thought that the FPU emulator should be done this way, and
the math libraries and FPU instruction inlining not be special cased...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

From owner-freebsd-security Thu Nov 27 16:38:54 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA04266 for security-outgoing; Thu, 27 Nov 1997 16:38:54 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from seidata.com (seidata.com [206.160.242.33]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA04260 for ; Thu, 27 Nov 1997 16:38:50 -0800 (PST) (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost) by seidata.com (8.8.8/8.8.5) with SMTP id TAA15814; Thu, 27 Nov 1997 19:37:09 -0500 (EST)
Date: Thu, 27 Nov 1997 19:37:09 -0500 (EST)
From: Mike To: User VLAD cc: security@FreeBSD.ORG Subject: Re: LAND -- does it work? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Tue, 25 Nov 1997, User VLAD wrote: > 2.2.5-STABLE (last update November 10, 1997) boxes but even after ^^^^^^^^^^^^ Ditto... no el freezo. > with 2.0.29 kernel Upgrade to 2.0.32.... > win95 and winNT. Throw away... ;) --- Mike Hoskins SEI Data Network Services, Inc. mike@seidata.com From owner-freebsd-security Thu Nov 27 17:56:50 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA09463 for security-outgoing; Thu, 27 Nov 1997 17:56:50 -0800 (PST) (envelope-from owner-freebsd-security) Received: from mail.fcg.net (root@mail.fcg.net [206.31.252.12]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA09458 for ; Thu, 27 Nov 1997 17:56:48 -0800 (PST) (envelope-from isoft@fcg.net) Received: from kevin (ip74.p.fcg.net [206.31.252.74]) by mail.fcg.net (8.8.5/8.8.5) with SMTP id TAA13197 for ; Thu, 27 Nov 1997 19:56:42 -0600 Message-Id: <3.0.1.32.19971127195608.00a9628c@fcg.net> X-Sender: isoft@fcg.net X-Mailer: Windows Eudora Light Version 3.0.1 (32) Date: Thu, 27 Nov 1997 19:56:08 -0600 To: security@freebsd.org 
From: Kevin Bockman Subject: Re: LAND -- does it work? In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk At 07:37 PM 11/27/97 -0500, you wrote: >On Tue, 25 Nov 1997, User VLAD wrote: >> win95 and winNT. > >Throw away... ;) the cds make nice wall decorations... From owner-freebsd-security Thu Nov 27 18:21:00 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA11233 for security-outgoing; Thu, 27 Nov 1997 18:21:00 -0800 (PST) (envelope-from owner-freebsd-security) Received: from blubb.pdc.kth.se (blubb.pdc.kth.se [193.10.159.47]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id SAA11228 for ; Thu, 27 Nov 1997 18:20:52 -0800 (PST) (envelope-from joda@pdc.kth.se) Received: from joda by blubb.pdc.kth.se with local (Exim 1.71 #3) id 0xbG1p-0000ij-00; Fri, 28 Nov 1997 03:19:37 +0100 To: shimon@simon-shapiro.org Cc: (Johan Danielsson) , "Daniel O'Callaghan" , Craig Spannring , warpy , freebsd-security@freebsd.org, "Jordan K.Hubbard" Subject: Re: Possible problem with ftpd 6.00 References: X-Emacs: 19.34 Mime-Version: 1.0 (generated by SEMI MIME-Edit 0.77) Content-Type: text/plain; charset=US-ASCII 
From: joda@pdc.kth.se (Johan Danielsson) Date: 28 Nov 1997 03:19:36 +0100 In-Reply-To: Simon Shapiro's message of Thu, 27 Nov 1997 15:39:18 -0800 (PST) Message-ID: Lines: 14 X-Mailer: Gnus v5.4.52/Emacs 19.34 Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Simon Shapiro writes: > OK, so a real life, correct patch is 20 lines instead of 6 :-) That wasn't a patch, but ok. > I still maintain this is a trivial problem easily solved without > calling the typical non-engineer an idiot that should go away, not > come back and buy M$ product instead. Agree? Yeah, and should the gun you buy at 7-eleven have a "don't shoot at your head" sticker too? /Johan From owner-freebsd-security Thu Nov 27 19:31:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA15128 for security-outgoing; Thu, 27 Nov 1997 19:31:38 -0800 (PST) (envelope-from owner-freebsd-security) Received: from ren.dtir.qld.gov.au (firewall-user@ns.dtir.qld.gov.au [203.108.138.66]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA15123 for ; Thu, 27 Nov 1997 19:31:34 -0800 (PST) (envelope-from syssgm@dtir.qld.gov.au) Received: by ren.dtir.qld.gov.au; id NAA20211; Fri, 28 Nov 1997 13:31:42 +1000 (EST) Received: from ogre.dtir.qld.gov.au(167.123.8.3) by ren.dtir.qld.gov.au via smap (3.2) id xma020188; Fri, 28 Nov 97 13:31:16 +1000 Received: from localhost.dtir.qld.gov.au (localhost.dtir.qld.gov.au [127.0.0.1]) by ogre.dtir.qld.gov.au (8.8.7/8.8.7) with SMTP id NAA08663; Fri, 28 Nov 1997 13:31:19 +1000 (EST) Message-Id: <199711280331.NAA08663@ogre.dtir.qld.gov.au> X-Authentication-Warning: ogre.dtir.qld.gov.au: localhost.dtir.qld.gov.au [127.0.0.1] didn't use HELO protocol To: Sean Eric Fagan cc: freebsd-security@freebsd.org, syssgm@dtir.qld.gov.au Subject: Re: Updated f00f workaround References: <199711271954.LAA24160@kithrup.com> In-Reply-To: <199711271954.LAA24160@kithrup.com> from Sean Eric Fagan at "Thu, 27 Nov 1997 19:54:14 +0000" Date: Fri, 
28 Nov 1997 13:31:18 +1000 
From: Stephen McKay
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Thursday, 27th November 1997, Sean Eric Fagan wrote:

>Okay, I took Stephen McKay's suggestions to heart, and here are what I hope
>are the final diffs. I'm currently running this kernel in multiuser mode,
>and haven't noticed any problems (yet, anyway ;)). Overhead should be
>minimal.

The code as it stands should get people out of trouble, but I think a few
more iterations will be needed before it is acceptable to the core group
and makes it into the CVS tree.

kmem_alloc() always returns aligned memory, though in principle it could
return NULL. So I'd change that test to 'if (tmp == NULL) panic...'

You don't need the invlpg() call because vm_map_protect() calls
pmap_protect() which calls invltlb().

I notice you make both pages read-only. Have you tried allocating just
the one page and not making the IDT straddle a page boundary? The workaround
info at Intel implies that would be sufficient.

The placement of your 'if (eva == ...' test implies that the page fault will
be a user mode page fault. This looks wrong to me. The illegal opcode
exception would be a user mode fault, but when it page faults attempting to
deliver that exception, that should be a kernel mode fault. I would move it
to after the 'if (usermode) goto nogo' test and see if it still works.

Finally, the last bit of polish would be style related. Having 'idt' in the
normal case and 't_idt' in the F00F bug case is not nice. I would have, say,
'normal_idt' and 'f00f_idt' and point 'idt' at whichever one was being used.
Then all but a small portion of code would refer to 'idt'. I would also be
happier if "PENTIUM" appeared in the bug related naming (it is pentium
specific after all) but now we are down to minor nit picking.

Let us know how things go!

Stephen.
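The address arithmetic behind the workaround discussed in this thread (seven descriptors ending at a page boundary, and a page-fault address mapped back to a vector), as an added user-space example. It is not code from any poster or from FreeBSD; the function and constant names, the sample buffer address and the 256-entry table size are assumptions, and the lookup uses a half-open range so the result always indexes a seven-entry table.

```c
/*
 * User-space model of the IDT placement used by the F00F workaround.
 * Added illustration only: nothing here touches a real IDT or page table.
 */
#include <stdint.h>
#include <stdio.h>

#define IDT_PAGE_SIZE    4096u  /* i386 page size */
#define GATE_SIZE        8u     /* bytes per gate descriptor (the "7*8" in the patch) */
#define IDT_ENTRIES      256u   /* assumption: a full 256-vector table */
#define LOW_PAGE_ENTRIES 7u     /* vectors 0..6 sit in the protected page */

/*
 * Start of the relocated IDT inside a page-aligned two-page buffer:
 * descriptors 0..6 occupy the last 56 bytes of the first page, so
 * descriptor 7 begins exactly on the second page.
 */
uintptr_t f00f_idt_base(uintptr_t buf)
{
    return buf + IDT_PAGE_SIZE - LOW_PAGE_ENTRIES * GATE_SIZE;
}

/* Page of the buffer (0 or 1) that holds the descriptor for `vec`. */
unsigned idt_entry_page(uintptr_t buf, unsigned vec)
{
    uintptr_t addr = f00f_idt_base(buf) + (uintptr_t)vec * GATE_SIZE;
    return (unsigned)((addr - buf) / IDT_PAGE_SIZE);
}

/* 1 if the whole relocated table stays inside the two-page buffer. */
int idt_fits(uintptr_t buf)
{
    uintptr_t end = f00f_idt_base(buf) + (uintptr_t)IDT_ENTRIES * GATE_SIZE;
    return end <= buf + 2u * IDT_PAGE_SIZE;
}

/*
 * Map a page-fault address to the vector whose descriptor it falls in.
 * Returns 0..6 for the protected descriptors and -1 for anything else.
 * The upper bound is exclusive: base + 56 is the first byte of vector 7
 * and must not be treated as one of the seven protected entries.
 */
int f00f_fault_vector(uintptr_t idt_base, uintptr_t eva)
{
    uintptr_t off;

    if (eva < idt_base)
        return -1;
    off = eva - idt_base;
    if (off >= LOW_PAGE_ENTRIES * GATE_SIZE)
        return -1;
    return (int)(off / GATE_SIZE);
}

int main(void)
{
    uintptr_t buf = 0x10000;    /* constructed, page-aligned sample address */
    uintptr_t base = f00f_idt_base(buf);
    unsigned v;

    printf("buffer %#lx, idt base %#lx, fits: %d\n",
           (unsigned long)buf, (unsigned long)base, idt_fits(buf));
    for (v = 5; v <= 8; v++)
        printf("vector %u -> page %u\n", v, idt_entry_page(buf, v));
    printf("fault at base+48 -> %d\n", f00f_fault_vector(base, base + 48));
    printf("fault at base+56 -> %d\n", f00f_fault_vector(base, base + 56));
    return 0;
}
```
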
From owner-freebsd-security Thu Nov 27 23:06:48 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA25797 for security-outgoing; Thu, 27 Nov 1997 23:06:48 -0800 (PST) (envelope-from owner-freebsd-security) Received: from edina.xenologics.com (edina.xenologics.com [194.77.5.1]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id XAA25781 for ; Thu, 27 Nov 1997 23:06:39 -0800 (PST) (envelope-from stepken@edina.xnc.com) Received: from www (xpl115.xnc.de [194.77.5.79]) by edina.xenologics.com (8.6.8.1/8.6.6) with SMTP id IAA10147; Fri, 28 Nov 1997 08:06:27 +0100 Message-ID: <347E6D71.5B205801@edina.xnc.com> Date: Fri, 28 Nov 1997 08:06:26 +0100 From: Guido Stepken X-Mailer: Mozilla 3.01Gold (X11; I; Linux 2.0.29 i586) MIME-Version: 1.0 To: Kevin Bockman CC: security@freebsd.org Subject: Re: LAND -- does it work? References: <3.0.1.32.19971127195608.00a9628c@fcg.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Kevin Bockman wrote: > > At 07:37 PM 11/27/97 -0500, you wrote: > >On Tue, 25 Nov 1997, User VLAD wrote: > >> win95 and winNT. > > > >Throw away... ;) > > the cds make nice wall decorations... i made very good experiences with cd's as scarecrows in the trees byrds really are shocked....they know why.....:))) From owner-freebsd-security Fri Nov 28 08:11:55 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA22108 for security-outgoing; Fri, 28 Nov 1997 08:11:55 -0800 (PST) (envelope-from owner-freebsd-security) Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA22101 for ; Fri, 28 Nov 1997 08:11:54 -0800 (PST) (envelope-from benedict@echonyc.com) Received: from localhost (benedict@localhost) by echonyc.com (8.8.7/8.8.7) with SMTP id LAA10665; Fri, 28 Nov 1997 11:11:39 -0500 (EST) Date: Fri, 28 Nov 1997 11:11:38 -0500 (EST) 
From: Snob Art Genre To: Kevin Bockman cc: security@freebsd.org Subject: Re: LAND -- does it work? In-Reply-To: <3.0.1.32.19971127195608.00a9628c@fcg.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Thu, 27 Nov 1997, Kevin Bockman wrote: > >> win95 and winNT. > > the cds make nice wall decorations... Coasters for drinks . . . frisbees . . . Ben "You have your mind on computers, it seems." From owner-freebsd-security Fri Nov 28 08:38:33 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA23201 for security-outgoing; Fri, 28 Nov 1997 08:38:33 -0800 (PST) (envelope-from owner-freebsd-security) Received: from cwsys.cwsent.com (66@cschuber.net.gov.bc.ca [142.31.240.113]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA23190 for ; Fri, 28 Nov 1997 08:38:28 -0800 (PST) (envelope-from cy@cwsys.cwsent.com) Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id IAA02246 for ; Fri, 28 Nov 1997 08:38:21 -0800 (PST) Message-Id: <199711281638.IAA02246@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpd002233; Fri Nov 28 16:37:24 1997 X-Mailer: exmh version 2.0gamma 1/27/96 Reply-to: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: cy To: security@freebsd.org Subject: Re: LAND -- does it work? In-reply-to: Your message of "Fri, 28 Nov 1997 11:11:38 EST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 28 Nov 1997 08:37:23 -0800 Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I hate to poop on everyone's party but I think that this discussion should move to FreeBSD-chat. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 UNIX Support OV/VM: BCSC02(CSCHUBER) ITSD BITNET: CSCHUBER@BCSC02.BITNET Government of BC Internet: cschuber@uumail.gov.bc.ca Cy.Schubert@gems8.gov.bc.ca "Quit spooling around, JES do it." > On Thu, 27 Nov 1997, Kevin Bockman wrote: > > > >> win95 and winNT. > > > > the cds make nice wall decorations... > > Coasters for drinks . . . frisbees . . . > > > > Ben > > "You have your mind on computers, it seems." > > From owner-freebsd-security Fri Nov 28 09:09:20 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA25088 for security-outgoing; Fri, 28 Nov 1997 09:09:20 -0800 (PST) (envelope-from owner-freebsd-security) Received: from kjsl.com (Limpia.KJSL.COM [198.137.202.3]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA25083 for ; Fri, 28 Nov 1997 09:09:17 -0800 (PST) (envelope-from javier@kjsl.com) Received: (from javier@localhost) by kjsl.com (8.8.5/8.8.5) id JAA17765; Fri, 28 Nov 1997 09:09:10 -0800 (PST) Date: Fri, 28 Nov 1997 09:09:10 -0800 (PST) Message-Id: <199711281709.JAA17765@kjsl.com> 
From: Javier Henderson MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Snob Art Genre Cc: Kevin Bockman , security@freebsd.org Subject: Re: LAND -- does it work? In-Reply-To: References: <3.0.1.32.19971127195608.00a9628c@fcg.net> X-Mailer: VM 6.33 under Emacs 19.34.1 Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Snob Art Genre writes: > On Thu, 27 Nov 1997, Kevin Bockman wrote: > > > >> win95 and winNT. > > > > the cds make nice wall decorations... > > Coasters for drinks . . . frisbees . . . Ever try to microwave one? It's really neat, particularly if you dim the lights first. -jav