From owner-freebsd-security Sun Jul 5 02:15:06 1998
Date: Sun, 5 Jul 1998 10:14:58 +0100 (BST)
From: Scot Elliott
To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Security Alert: Qualcomm POP Server

Morning all.

I caught someone last night with a root shell on our mail server. I traced it back to somewhere in the US, but unfortunately got locked out and the log files removed before I had time to fix it ;-(

I shut the machine down remotely by mounting /usr over NFS and changing /usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh? ;-)

Anyway - the point is that it looks like some kind of buffer overflow in the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P... messages from popper in the log file before it was removed. There was an extra line in /etc/inetd.conf which ran a shell as root on some port I wasn't using (talk I think). So I'm guessing that the exploit allows anyone to run any command as root. Nice.

Whoever it was was having a whale of a time with my C compiler for some reason... very dodgy.

If I can find out the source of this then I'd like to follow it up. Does anyone have experience of chasing this sort of thing from across the US border? Also, of course, everyone should check their popper version.

Cheers

Yours - Scot.

-----------------------------------------------------------------------------
Scot Elliott (scot@poptart.org, scot@nic.cx)   | Work: +44 (0)171 7046777
PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
-----------------------------------------------------------------------------
Public key available by finger at: finger scot@poptart.org
                            or at: http://www.poptart.org/pgpkey.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Jul 5 03:03:30 1998
Message-ID: <19980705193250.N18970@freebie.lemis.com>
Date: Sun, 5 Jul 1998 19:32:50 +0930
From: Greg Lehey
To: Scot Elliott, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
In-Reply-To: from Scot Elliott on Sun, Jul 05, 1998 at 10:14:58AM +0100
WWW-Home-Page: http://www.lemis.com/~grog
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062

On Sunday, 5 July 1998 at 10:14:58 +0100, Scot Elliott wrote:
> Morning all.
>
> I caught someone last night with a root shell on our mail server. I
> traced it back to somewhere in the US, but unfortunately got locked out
> and the log files removed before I had time to fix it ;-(
>
> I shut the machine down remotely by mounting /usr over NFS and changing
> /usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
> ;-)
>
> Anyway - the point is that it looks like some kind of buffer overflow in
> the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> messages from popper in the log file before it was removed. There was an
> extra line in /etc/inetd.conf which ran a shell as root on some port I
> wasn't using (talk I think). So I'm guessing that the exploit allows
> anyone to run any command as root. Nice. Whoever it was was having a
> whale of a time with my C compiler for some reason... very dodgy.
>
> If I can find out the source of this then I'd like to follow it up. Does
> anyone have experience of chasing this sort of thing from across the US
> border? Also, of course, everyone should check their popper version.

Yes, it looks as if your assessment was right. The problem was fixed on June 28.
Greg
--
See complete headers for address and phone numbers
finger grog@lemis.com for PGP public key

From owner-freebsd-security Sun Jul 5 03:50:15 1998
Date: Sun, 5 Jul 1998 03:48:30 -0700 (PDT)
From: "Jan B. Koum"
To: Scot Elliott
cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server

Where have you been all this time? Don't you follow bugtraq? Yes, Qualcomm had a remote root shell buffer overflow "y3r 0wned" type thingie. Exploits for both *bsd and linux systems were published. Get cucipop or an updated qualcomm pop server.

-- Yan

Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
---------------------------------------+-----------------------------------
ICMP: What happens when you hack into a military network and they catch you.

On Sun, 5 Jul 1998, Scot Elliott wrote:
>Morning all.
>
>I caught someone last night with a root shell on our mail server. I
>traced it back to somewhere in the US, but unfortunately got locked out
>and the log files removed before I had time to fix it ;-(
>
>I shut the machine down remotely by mounting /usr over NFS and changing
>/usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
>;-)
>
>Anyway - the point is that it looks like some kind of buffer overflow in
>the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
>messages from popper in the log file before it was removed. There was an
>extra line in /etc/inetd.conf which ran a shell as root on some port I
>wasn't using (talk I think). So I'm guessing that the exploit allows
>anyone to run any command as root. Nice. Whoever it was was having a
>whale of a time with my C compiler for some reason... very dodgy.
>
>If I can find out the source of this then I'd like to follow it up. Does
>anyone have experience of chasing this sort of thing from across the US
>border? Also, of course, everyone should check their popper version.
>
>Cheers
>
>
>Yours - Scot.
>
>-----------------------------------------------------------------------------
>Scot Elliott (scot@poptart.org, scot@nic.cx)   | Work: +44 (0)171 7046777
>PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
>-----------------------------------------------------------------------------
>Public key available by finger at: finger scot@poptart.org
>                            or at: http://www.poptart.org/pgpkey.html

From owner-freebsd-security Sun Jul 5 07:10:14 1998
From: "Fernando P. Schapachnik"
Message-Id: <199807050452.BAA00316@localhost.schapachnik.com.ar>
Subject: Re: adduser chmod... (repost)
To: security@FreeBSD.ORG
Date: Sun, 5 Jul 1998 01:52:40 -0300 (ARST)
Reply-To: fpscha@schapachnik.com.ar

This is a repost, I know.
The reason is that the original message was completely not understandable due to my faulty keyboard and my faulty late-night English :) Sorry.

--------

I think that BSD semantics for groups are fine but not perfect. For example: what happens if userA has some files he wishes to share with userB and userC but not userD, and some others he wishes to share just with userD and userE? He has to ask the sysadmin to make two groups just for him!

An interesting approach would be having /etc/group and $HOME/.group. In that context a file owned by userA:group1 would mean "The owner of this file is userA, and the group is group1, whose members are those specified in /etc/group if group1 exists in that file, or the ones specified in ~userA/.group otherwise". This scheme would let users have as many groups as they wish and administer them without setuid programs.

Another very interesting feature would be the possibility to have in $HOME/.group something like:

my_family:*:~daddy

meaning that the users who belong to this group are listed in daddy's group "my_family". The purpose of this is to allow some users to establish a "workgroup" and let just one of them be the maintainer.

Two problems arise:

1) How to guarantee uniqueness between user groups and - let's call them this way - /etc groups? A simple approach would be that a user's group is considered invalid if it has the same name as a system group. In this case the group behaves like the empty group (ie, no user belongs to that group). When a user wants to create a new group he just must check against /etc/group (a script can do this for him). What happens when root adds a new group, say group1? Well, existing users will have their own group1 behaving like the empty group. But this shouldn't be a problem because we can have a daily script that, whenever it finds that /etc/group has been modified, compares system groups against user groups and mails the affected users.

A userland script could be provided to simplify "change all my files that belong to group oldgroup to newgroup".

2) How to guarantee gid uniqueness? This is the hardest part. Perhaps changing gid_t to long int and allowing a fixed number of groups per user? Something like that would mean that although saying "file A's group is group1" is ambiguous, the ambiguity disappears once you get the gid, which is still unique. Most programs shouldn't notice the change. Another possibility is that gid only makes sense knowing the uid. I particularly don't like it because it means breaking a lot of software.

Just an opinion ;-)

Regards!

Fernando P. Schapachnik
fpscha@schapachnik.com.ar

From owner-freebsd-security Sun Jul 5 07:49:27 1998
Date: Sun, 5 Jul 1998 10:49:55 -0400 (EDT)
From: Matt Behrens
To: Scot Elliott
cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server

This is the bug mentioned on BUGTRAQ about two weeks ago. A friend of mine got hit as well by "well-meaning" attackers. Blah.
In any case, he upgraded to 2.52 of popper and is now immune to at least the script kiddie attacks.

On Sun, 5 Jul 1998, Scot Elliott wrote:
> Morning all.
>
> I caught someone last night with a root shell on our mail server. I
> traced it back to somewhere in the US, but unfortunately got locked out
> and the log files removed before I had time to fix it ;-(
>
> I shut the machine down remotely by mounting /usr over NFS and changing
> /usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
> ;-)
>
> Anyway - the point is that it looks like some kind of buffer overflow in
> the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> messages from popper in the log file before it was removed. There was an
> extra line in /etc/inetd.conf which ran a shell as root on some port I
> wasn't using (talk I think). So I'm guessing that the exploit allows
> anyone to run any command as root. Nice. Whoever it was was having a
> whale of a time with my C compiler for some reason... very dodgy.
>
> If I can find out the source of this then I'd like to follow it up. Does
> anyone have experience of chasing this sort of thing from across the US
> border? Also, of course, everyone should check their popper version.
>
> Cheers
>
>
> Yours - Scot.
>
> -----------------------------------------------------------------------------
> Scot Elliott (scot@poptart.org, scot@nic.cx)   | Work: +44 (0)171 7046777
> PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
> -----------------------------------------------------------------------------
> Public key available by finger at: finger scot@poptart.org
>                             or at: http://www.poptart.org/pgpkey.html

Matt Behrens                           | http://www.zigg.com/
Network Operations, The Iserv Company  | Proudly running FreeBSD; sworn
MIS, Michigan Kenworth, Inc.           | enemy of Linux, a free hack OS
Chanop Script Coordinator, WWFIN       | and Windows, a non-free hack OS!

From owner-freebsd-security Sun Jul 5 10:18:49 1998
Date: Mon, 6 Jul 1998 03:18:20 +1000 (EST)
From: Nicholas Charles Brawn
To: Jay Tribick
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Increasing security by decreasing installed programs

On Sat, 4 Jul 1998, Jay Tribick wrote:
>
> Hi all..
>
> I think we all need to look closely at the default-installed
> suid/sgid programs. Why, by default, does FreeBSD install uucp*?
> There's not /that/ many people who use it and it would be much
> better as optional components, especially as it runs suid/sgid.
>
> Why not make the installation program let you select the default
> installed suid binaries individually (instead of just selecting
> the basic distribution, let us go one level down and select
> individual basic packages)?
>
> Regards,
>
> Jay Tribick
>
> [| Network Administrator | FastNet International | http://fast.net.uk/ |]
> [| PGPv5 RSA Key Available [2047bit] | Finger netadmin@fastnet.co.uk |]
> [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]
> [| ----={ PGPv5 Fingerprint := FA690E7762F0E62F38C6052CC387FFF3 }=---- |]

Robert Watson's site - http://www.watson.org/fbsd-hardening/ - covers (or at least discusses) this issue. However, I am in agreement with you that there should be some sort of option to limit installation of default setuid and setgid programs during installation of a new FreeBSD system. Perhaps some sort of "security" option that one could run after the installation that would alert you about all setuid/setgid files and devices, and allow you to remove privileges and increase or modify default security settings?

Just my $0.02 :)

Nick
--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..."
-unknown

From owner-freebsd-security Sun Jul 5 14:09:00 1998
From: Niall Smart
Message-Id: <199807052103.WAA04673@indigo.ie>
Date: Sun, 5 Jul 1998 22:03:05 +0000
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 2, 9:00am)
Reply-To: rotel@indigo.ie
To: dg@root.com, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 2, 9:00am, David Greenman wrote:
} Subject: Re: bsd securelevel patch question
> >On Jul 2, 7:10am, David Greenman wrote:
> >>
> >> Well, one thing that is wrong with this is that it is slow. I sure wouldn't
> >> want my busy WWW server doing this for every connection that is made.
> >
> >It would only be necessary to do this for binds to ports < 1024. So it
> >would just be checked every time a daemon started.
>
> Um, well, let's talk about FTP servers, then, since those do a privileged
> bind() for every data connection that is established (one per file transfer).

This can be solved by using passive mode on the FTP server side, which is a good idea for security-conscious sites anyhow.

Niall
--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Sun Jul 5 14:12:22 1998
From: Niall Smart
Message-Id: <199807052106.WAA04694@indigo.ie>
Date: Sun, 5 Jul 1998 22:06:51 +0000
In-Reply-To: andrew@squiz.co.nz (Andrew McNaughton) "Re: bsd securelevel patch question" (Jul 3, 4:26am)
Reply-To: rotel@indigo.ie
To: andrew@squiz.co.nz (Andrew McNaughton), security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

On Jul 3, 4:26am, Andrew McNaughton wrote:
} Subject: Re: bsd securelevel patch question
> >Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
> >matter how often you try.
>
> Unless the server is restarted for some reason. hence the rapid cron job
> which will eventually succeed if not detected first.

Well, this should be detected, and is easily detectable.

> >And you won't be able to steal keys
> >by hijacking sshd.
>
> If the trojan gets to tell the other end what public key to use, then of
> course it can get at the data stream. This is equally true with
> routing/man-in-the-middle attacks.

Yes, you could get at the data stream, but that's an implication of having a network service compromised; you can't get the keys though, but you probably don't care at that stage.

> I don't know enough about TCP/IP details to know if this makes sense, but
> perhaps you could use these as more than just flags and allow programmers
> to bind to the socket by just opening the appropriate device file. ie
>
> #!/usr/local/bin/perl
> open (SMTP, "

Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA09247 for freebsd-security-outgoing; Sun, 5 Jul 1998 14:17:41 -0700 (PDT)
Message-Id: <199807052117.OAA20990@implode.root.com>
To: rotel@indigo.ie
cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Sun, 05 Jul 1998 22:03:05 -0000." <199807052103.WAA04673@indigo.ie>
From: David Greenman
Reply-To: dg@root.com
Date: Sun, 05 Jul 1998 14:17:47 -0700

>On Jul 2, 9:00am, David Greenman wrote:
>} Subject: Re: bsd securelevel patch question
>> >On Jul 2, 7:10am, David Greenman wrote:
>> >>
>> >> Well, one thing that is wrong with this is that it is slow. I sure wouldn't
>> >> want my busy WWW server doing this for every connection that is made.
>> >
>> >It would only be necessary to do this for binds to ports < 1024. So it
>> >would just be checked every time a daemon started.
>>
>> Um, well, let's talk about FTP servers, then, since those do a privileged
>> bind() for every data connection that is established (one per file transfer).
>
>This can be solved by using passive mode on the FTP server side, which is
>a good idea for security-conscious sites anyhow.

Passive FTP is initiated by the client and is not something that the server can enforce. Further, it does nothing to enhance security for the server - if anything, it actually reduces the security since you'd have to poke holes through any firewall to allow the client data connects.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Mon Jul 6 14:10:17 1998
From: Niall Smart
Message-Id: <199807061636.RAA00781@indigo.ie>
Date: Mon, 6 Jul 1998 17:36:05 +0000
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 5, 2:17pm)
Reply-To: rotel@indigo.ie
To: dg@root.com, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 5, 2:17pm, David Greenman wrote:
>
> Passive FTP is initiated by the client and is not something that the server
> can enforce. Further, it does nothing to enhance security for the server - if
> anything, it actually reduces the security since you'd have to poke holes
> through any firewall to allow the client data connects.

Well, the decision to enforce it is a matter of site policy; most ftp clients support passive mode by now. As for the security, I'd prefer to allow connects in to the ftp server on ports I know it will be listening on rather than having a machine inside the DMZ initiating TCP connections; having said that, FreeBSD's ftp daemon currently accepts connections on ports it is listening on from any IP, in accordance with the FTP RFC, but this is inconsistent with the behaviour of the PORT command in paranoid mode which will only connect to the IP of the control channel peer. What do you think of patching this?

Niall
--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Mon Jul 6 14:15:55 1998
Message-Id: <199807062115.BAA01513@minas-tirith.pol.ru>
To: security@FreeBSD.ORG
Reply-To: tarkhil@asteroid.svib.ru
Subject: Port 1028?
X-URL: http://freebsd.svib.ru
Date: Tue, 07 Jul 1998 01:15:52 +0400
From: Alex Povolotsky

Hello!

What can be on port 1028? I've found several attempts to connect to it...

Alex.
--
Alexander B. Povolotsky [2:5020/145] [http://freebsd.svib.ru]
[tarkhil@asteroid.svib.ru]
[Urgent messages: 234-9696 subscriber #35442 or tarkhil@pager.express.ru]

From owner-freebsd-security Mon Jul 6 15:09:59 1998
Message-Id: <199807062209.PAA06354@hokkshideh.jetcafe.org>
To: Mike
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: (FWD) Qpopper 2.52
Date: Mon, 06 Jul 1998 15:09:12 -0700
From: Dave Hayes

Mike writes:
> I'm running 2.5 right now... and will be awaiting 3.0. However,
> 2.52 seems to sig 11 like crazy here under 3.0-CURRENT.
Maybe it's > just me, I'll have to look at it again tomorrow when I'm a bit more > 'awake'. :) Welp, 2.52 sig 11's a lot here too. Anyone figured this out yet? ------ Dave Hayes - Altadena CA, USA - dave@jetcafe.org >>> The opinions expressed above are entirely my own <<< Freedom Knight of Usenet - (NEW!) http://www.jetcafe.org/~dave/usenet Wisdom (n.) - 1. Something you can learn without knowing it. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 6 16:45:14 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA12562 for freebsd-security-outgoing; Mon, 6 Jul 1998 16:45:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA12557 for ; Mon, 6 Jul 1998 16:45:11 -0700 (PDT) (envelope-from root@implode.root.com) Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id QAA15510; Mon, 6 Jul 1998 16:45:06 -0700 (PDT) Message-Id: <199807062345.QAA15510@implode.root.com> To: rotel@indigo.ie cc: "Allen Smith" , security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com Subject: Re: bsd securelevel patch question In-reply-to: Your message of "Mon, 06 Jul 1998 17:36:05 -0000." <199807061636.RAA00781@indigo.ie> From: David Greenman Reply-To: dg@root.com Date: Mon, 06 Jul 1998 16:45:06 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >On Jul 5, 2:17pm, David Greenman wrote: >> >> Passive FTP is initiated by the client and is not something that the server >> can enforce. Further, it does nothing to enhance security for the server - if >> anything, it actually reduces the security since you'd have to poke holes >> through any firewall to allow the client data connects. 
>
>Well, the decision to enforce it is a matter of site policy, most
>ftp clients support passive mode by now.

I think you are missing what I'm saying. Again, I'm saying that the FTP
client is the thing that initiates the passive mode (via the PASV command) -
not the server and thus your suggestion to "just use passive FTP on the
server" to get around needing privileged-port bind()s in the server is simply
not an option.

> As for the security, I'd
>prefer to allow connects in to the ftp servers on ports I know it
>will be listening on rather than having a machine inside the DMZ
>initiating TCP connections; having said that, FreeBSD's ftp daemon
>currently accepts connections on ports it is listening on from any
>IP, in accordance with the FTP RFC, but this is inconsistent with
>the behaviour of the PORT command in paranoid mode which will only
>connect to the IP of the control channel peer. What do you think
>of patching this?

Are you talking about the data port listens that ftpd does when it is
operating in passive mode? If so, then you're wrong - ftpd listens for the
control channel IP address.

As for non-passive FTP and the PORT command, the behavior of ftpd (that is,
to do the connect to the address specified) is required in order to support
FTP proxies and can't be changed without breaking that. Thus the "paranoid
mode" is bogus and not only does it violate the RFC, but breaks functionality
which many people find useful and necessary...in fact, thwarting their own
attempts at improving security (admins don't use FTP proxies just to make
life more difficult for their users).
-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Mon Jul 6 19:22:31 1998
From: Niall Smart
Message-Id: <199807070217.DAA02400@indigo.ie>
Date: Tue, 7 Jul 1998 03:17:54 +0000
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 6, 4:45pm)
Reply-To: rotel@indigo.ie
To: dg@root.com, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 6, 4:45pm, David Greenman wrote:
} Subject: Re: bsd securelevel patch question
>
> I think you are missing what I'm saying. Again, I'm saying that the FTP
> client is the thing that initiates the passive mode (via the PASV command) -
> not the server and thus your suggestion to "just use passive FTP on the
> server" to get around needing privileged-port bind()s in the server is
> simply not an option.

Right, what I meant was to provide the option of disabling the PORT
command. Yes, I know this will confuse people and break things,
but I think it's a reasonable choice to offer the administrator.
Whatever else do they do anyway?
:)

I wonder if initiating active mode data connections from an undefault
(!) data port would break much. I notice /usr/bin/ftp doesn't
"authenticate" this, in fact it doesn't even check the peer's IP,
maybe this is something to do with not breaking FTP proxies; I
don't know how they work. At least a warning would be appropriate
though?

> > As for the security, I'd
> >prefer to allow connects in to the ftp servers on ports I know it
> >will be listening on rather than having a machine inside the DMZ
> >initiating TCP connections; having said that, FreeBSD's ftp daemon
> >currently accepts connections on ports it is listening on from any
> >IP, in accordance with the FTP RFC, but this is inconsistent with
> >the behaviour of the PORT command in paranoid mode which will only
> >connect to the IP of the control channel peer. What do you think
> >of patching this?
>
> Are you talking about the data port listens that ftpd does when it is
> operating in passive mode? If so, then you're wrong - ftpd listens for the
> control channel IP address.

No it doesn't; check dataconn() in ftpd.c, it simply accepts the
connection after using select for timeout. The "authentication"
for PORT occurs as part of parsing the PORT command in host_port in
ftpcmd.y

BTW, UNPv2 mentions a possible race condition between the select
returning and the call to accept on TCP implementations which wake
the process on receipt of a SYN, in which case receipt of a FIN or
RST can shutdown the 3-way handshake between select returning and
the call to accept. Does this apply to FreeBSD? From looking at
tcp_input it seems not, the call to sonewconn() on line 397 specifies
a second argument of 0 which seems to indicate that waiting processes
should not be woken, I'd appreciate if you could confirm this is the
case.
[ in case anyone's wondering how you get around that in OSs it does
apply to you can set the socket non-blocking and check for
EWOULDBLOCK from accept ]

> As for non-passive FTP and the PORT command, the behavior of ftpd (that is,
> to do the connect to the address specified) is required in order to support
> FTP proxies and can't be changed without breaking that. Thus the "paranoid
> mode" is bogus and not only does it violate the RFC, but breaks functionality
> which many people find useful and necessary...in fact, thwarting their own
> attempts at improving security (admins don't use FTP proxies just to make
> life more difficult for their users).

Well, breaking the RFC is necessary in most environments; I sure
don't want any of my ftp daemons making connections to hosts inside
my network under the control of someone outside, or connecting to
anyone's privileged ports. Again, it's a site policy decision.
Still, I see what you mean about ftp proxies. An ACL for the list
of allowable PORT destinations would solve this, but is probably
more useful as part of a dedicated anonymous ftp daemon.

Niall
--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Mon Jul 6 23:44:38 1998
Message-Id: <199807070644.IAA28034@ujf.ujf-grenoble.fr>
Date: Tue, 07 Jul 1998 08:44:18 +0200
To: Dave Hayes, Mike
From: Gilles Bruno
Subject: Re: (FWD) Qpopper 2.52
Cc: Igor Roshchin, security@FreeBSD.ORG
In-Reply-To: <199807062209.PAA06354@hokkshideh.jetcafe.org>

At 15:09 06/07/98 -0700, Dave Hayes wrote:
>Mike writes:
>> I'm running 2.5 right now... and will be awaiting 3.0. However,
>> 2.52 seems to sig 11 like crazy here under 3.0-CURRENT. Maybe it's
>> just me, I'll have to look at it again tomorrow when I'm a bit more
>> 'awake'. :)
>
>Welp, 2.52 sig 11's a lot here too. Anyone figured this out yet?
>------

Hi,

I had a similar problem: the ktrace showed segment violation SIGSEGV.
I found it was due to a badly configured DB configuration: make sure
the -DBSD44_DBM is included either in your Makefile (O_DEFS) or in your
config.h. I successfully compiled it on 2.2-R, 2.2.6-R and even 2.1.7..
Works now like a charm... Hope it helps.

Sincerely yours,

>Dave Hayes - Altadena CA, USA - dave@jetcafe.org
> >>> The opinions expressed above are entirely my own <<<
>Freedom Knight of Usenet - (NEW!) http://www.jetcafe.org/~dave/usenet
>
>Wisdom (n.) - 1. Something you can learn without knowing it.
>
--
Gilles BRUNO
Universite Joseph Fourier - CRIP
Domaine Universitaire 38041 St Martin d'Heres FRANCE
Tel (33) 04 76 63 56 68 - Fax (33) 04 76 51 42 74

From owner-freebsd-security Tue Jul 7 00:17:09 1998
Message-Id: <199807070717.AAA21226@implode.root.com>
To: rotel@indigo.ie
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-Reply-To: Your message of "Tue, 07 Jul 1998 03:17:54 -0000." <199807070217.DAA02400@indigo.ie>
From: David Greenman
Reply-To: dg@root.com
Date: Tue, 07 Jul 1998 00:17:03 -0700

>On Jul 6, 4:45pm, David Greenman wrote:
>} Subject: Re: bsd securelevel patch question
>>
>> I think you are missing what I'm saying.
>> Again, I'm saying that the FTP
>> client is the thing that initiates the passive mode (via the PASV command) -
>> not the server and thus your suggestion to "just use passive FTP on the
>> server" to get around needing privileged-port bind()s in the server is
>> simply not an option.
>
>Right, what I meant was to provide the option of disabling the PORT
>command. Yes, I know this will confuse people and break things,
>but I think it's a reasonable choice to offer the administrator.

Sorry, that's just a silly recommendation. Period.

>I wonder if initiating active mode data connections from an undefault
>(!) data port would break much. I notice /usr/bin/ftp doesn't
>"authenticate" this, in fact it doesn't even check the peer's IP,
>maybe this is something to do with not breaking FTP proxies; I
>don't know how they work. At least a warning would be appropriate
>though?

That might work for _some_ clients.

>> > As for the security, I'd
>> >prefer to allow connects in to the ftp servers on ports I know it
>> >will be listening on rather than having a machine inside the DMZ
>> >initiating TCP connections; having said that, FreeBSD's ftp daemon
>> >currently accepts connections on ports it is listening on from any
>> >IP, in accordance with the FTP RFC, but this is inconsistent with
>> >the behaviour of the PORT command in paranoid mode which will only
>> >connect to the IP of the control channel peer. What do you think
>> >of patching this?
>>
>> Are you talking about the data port listens that ftpd does when it is
>> operating in passive mode? If so, then you're wrong - ftpd listens for the
>> control channel IP address.
>
>No it doesn't; check dataconn() in ftpd.c, it simply accepts the
>connection after using select for timeout. The "authentication"
>for PORT occurs as part of parsing the PORT command in host_port in
>ftpcmd.y

What does accept() have to do with how the socket is bind()ed?
(Answer: absolutely nothing) The bind() and listen() occur in the
passive() function, which very definitely sets the ctrl_addr as the
listen address.

I also don't know what you're talking about regarding the PORT command
in passive mode since these are mutually exclusive.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Tue Jul 7 00:33:46 1998
Message-Id: <199807070733.AAA15112@hokkshideh.jetcafe.org>
To: Gilles Bruno
Cc: Mike, Igor Roshchin, security@FreeBSD.ORG
Subject: Re: (FWD) Qpopper 2.52
Date: Tue, 07 Jul 1998 00:33:24 -0700
From: Dave Hayes

Gilles Bruno writes:
> Hi, I had a similar problem: the ktrace showed segment violation
> SIGSEGV. I found it was due to a badly configured DB configuration:
> make sure the -DBSD44_DBM is included either in your Makefile
> (O_DEFS) or in your config.h

That, and take the -f optimizations out of the makefile. Those seem
to have caused dbm_fetch() to SIGSEGV. :)
------
Dave Hayes - Altadena CA, USA - dave@jetcafe.org
>>> The opinions expressed above are entirely my own <<<
Freedom Knight of Usenet - (NEW!)
http://www.jetcafe.org/~dave/usenet

Objects are defined subjectively. Since objects are defined
arbitrarily, this gives rise to your arbitrary subjectivity.

From owner-freebsd-security Tue Jul 7 03:51:11 1998
From: Niall Smart
Message-Id: <199807071046.LAA00625@indigo.ie>
Date: Tue, 7 Jul 1998 11:46:35 +0000
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 7, 12:17am)
Reply-To: rotel@indigo.ie
To: dg@root.com, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 7, 12:17am, David Greenman wrote:
} Subject: Re: bsd securelevel patch question
>
> >> > As for the security, I'd
> >> >prefer to allow connects in to the ftp servers on ports I know it
> >> >will be listening on rather than having a machine inside the DMZ
> >> >initiating TCP connections; having said that, FreeBSD's ftp daemon
> >> >currently accepts connections on ports it is listening on from any
> >> >IP, in accordance with the FTP RFC, but this is inconsistent with
> >> >the behaviour of the PORT command in paranoid mode which will only
> >> >connect to the IP of the
> >> >control channel peer. What do you think
> >> >of patching this?
> >>
> >> Are you talking about the data port listens that ftpd does when it is
> >> operating in passive mode? If so, then you're wrong - ftpd listens for the
> >> control channel IP address.
> >
> >No it doesn't; check dataconn() in ftpd.c, it simply accepts the
> >connection after using select for timeout. The "authentication"
> >for PORT occurs as part of parsing the PORT command in host_port in
> >ftpcmd.y
>
> What does accept() have to do with how the socket is bind()ed? (Answer:
> absolutely nothing) The bind() and listen() occur in the passive() function,
> which very definitely sets the ctrl_addr as the listen address.

I'm talking about the addresses the ftpd will accept data channel
connections from in paranoid (and passive) mode, not the address at
which it listens for those connections, I thought you were too, from
what you said above: "ftpd listens for the control channel IP
address". In paranoid mode and active mode it will only connect the
data channel to the control channel peer on a non-privileged port.
When in paranoid mode and passive mode it will accept data channel
connections from any IP on any port.

> I also don't
> know what you're talking about regarding the PORT command in passive mode
> since these are mutually exclusive.

Yes I know; I was pointing out that there is no function which
handles authentication of the remote data channel peer in both the
passive and active modes in paranoid mode.

Niall
--
Niall Smart.
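As an added example (my own code, not ftpd's dataconn() and not anything posted in this thread) of the two points Niall raises, the select()/accept() race with its non-blocking EWOULDBLOCK workaround and the absence of any check on who connected to the passive data port: the listener is made non-blocking so a handshake that was reset after select() returned yields a retry rather than a hang, and the accepted peer's address is compared with the control-channel peer before the data connection is used. The status enum, function names and the loopback demo are my own assumptions.

```c
/* Added example (not ftpd code, not code posted in this thread): accept an FTP
 * data connection with a timeout, tolerate the select()/accept() race, and
 * refuse peers other than the control-channel host, as discussed above. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum data_status {
    DATA_OK = 0,
    DATA_TIMEOUT,        /* nobody connected within the timeout */
    DATA_RETRY,          /* select() woke us, but the SYN was gone by accept() */
    DATA_PEER_MISMATCH,  /* connection came from a host other than the control peer */
    DATA_ERROR
};

/* Hypothetical policy check, the one Niall says ftpd lacks in passive mode:
 * the data connection must come from the host that owns the control channel.
 * The port is not compared (an active client may use any unprivileged source
 * port). FTP proxies fail this check: exactly the trade-off argued above. */
int peer_matches_ctrl(const struct sockaddr_in *peer, const struct sockaddr_in *ctrl)
{
    return peer->sin_family == AF_INET && ctrl->sin_family == AF_INET &&
           peer->sin_addr.s_addr == ctrl->sin_addr.s_addr;
}

/* Same check on dotted-quad strings; returns -1 if an address does not parse. */
int peer_matches_ctrl_str(const char *peer_ip, const char *ctrl_ip)
{
    struct sockaddr_in peer = { .sin_family = AF_INET }, ctrl = { .sin_family = AF_INET };
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) != 1 ||
        inet_pton(AF_INET, ctrl_ip, &ctrl.sin_addr) != 1)
        return -1;
    return peer_matches_ctrl(&peer, &ctrl);
}

/* Wait up to timeout_sec for one connection on listenfd; on DATA_OK the
 * accepted socket is stored in *datafd. */
enum data_status accept_data_conn(int listenfd, const struct sockaddr_in *ctrl_peer,
                                  int timeout_sec, int *datafd)
{
    fd_set rfds;
    struct timeval tv = { timeout_sec, 0 };
    struct sockaddr_in peer;
    socklen_t len = sizeof(peer);
    int fd, flags, r;
    /* Non-blocking listener: if a RST/FIN killed the handshake between select()
     * and accept(), accept() returns EWOULDBLOCK instead of blocking forever. */
    flags = fcntl(listenfd, F_GETFL, 0);
    if (flags < 0 || fcntl(listenfd, F_SETFL, flags | O_NONBLOCK) < 0)
        return DATA_ERROR;
    FD_ZERO(&rfds);
    FD_SET(listenfd, &rfds);
    r = select(listenfd + 1, &rfds, NULL, NULL, &tv);
    if (r == 0) return DATA_TIMEOUT;
    if (r < 0) return DATA_ERROR;
    fd = accept(listenfd, (struct sockaddr *)&peer, &len);
    if (fd < 0)
        return (errno == EWOULDBLOCK || errno == EAGAIN || errno == ECONNABORTED)
                   ? DATA_RETRY : DATA_ERROR;
    /* accept() already reports the peer; getpeername() would say the same. */
    if (!peer_matches_ctrl(&peer, ctrl_peer)) {
        char buf[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &peer.sin_addr, buf, sizeof(buf));
        fprintf(stderr, "rejected data connection from %s: not the control peer\n", buf);
        close(fd);
        return DATA_PEER_MISMATCH;
    }
    *datafd = fd;
    return DATA_OK;
}

/* Stand-alone demo on loopback: listen on an ephemeral port, optionally connect
 * a client, pretend the control peer is ctrl_ip, and return the resulting status. */
int loopback_demo(const char *ctrl_ip, int connect_client)
{
    struct sockaddr_in addr = { .sin_family = AF_INET }, ctrl = { .sin_family = AF_INET };
    socklen_t len = sizeof(addr);
    int lfd, cfd = -1, dfd = -1, st;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* sin_port 0: kernel picks one */
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(lfd, 1) < 0 || getsockname(lfd, (struct sockaddr *)&addr, &len) < 0)
        return DATA_ERROR;
    if (connect_client && ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
                           connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0))
        return DATA_ERROR;
    inet_pton(AF_INET, ctrl_ip, &ctrl.sin_addr);
    st = accept_data_conn(lfd, &ctrl, 1, &dfd);       /* one-second timeout */
    if (dfd >= 0) close(dfd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return st;
}
```

A real daemon would loop on DATA_RETRY until the timeout budget is spent; the demo returns it as-is so the caller can see which path was taken.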
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Tue Jul 7 04:42:08 1998
Message-Id: <199807071142.EAA22650@implode.root.com>
To: rotel@indigo.ie
Cc: "Allen Smith", security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
In-Reply-To: Your message of "Tue, 07 Jul 1998 11:46:35 -0000." <199807071046.LAA00625@indigo.ie>
From: David Greenman
Reply-To: dg@root.com
Date: Tue, 07 Jul 1998 04:42:03 -0700

>> What does accept() have to do with how the socket is bind()ed? (Answer:
>> absolutely nothing) The bind() and listen() occur in the passive() function,
>> which very definitely sets the ctrl_addr as the listen address.
>
>I'm talking about the addresses the ftpd will accept data channel
>connections from in paranoid (and passive) mode, not the address at
>which it listens for those connections, I thought you were too,
>from what you said above: "ftpd listens for the control channel IP
>address".

Now I realize where the misunderstanding started.
You're suggesting that after the accept(), ftpd should verify that the
address of the peer (presumably via getpeername()) matches the peer address
of the control channel? Assuming that the ftp client (or proxy) always does a
bind() using its local control channel address so that the server always sees
the same peer address independent of routing issues, then this should work.
It would be nice to be able to bind() the foreign address to a (listen)
socket as well.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Tue Jul 7 06:19:43 1998
Date: Tue, 7 Jul 1998 09:19:23 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Niall Smart
Cc: Andrew McNaughton, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
In-Reply-To: <199807052106.WAA04694@indigo.ie>

On Sun, 5 Jul 1998, Niall Smart wrote:

> On Jul 3, 4:26am, Andrew McNaughton wrote:
> } Subject: Re: bsd securelevel patch question
> > >Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
> > >matter how often you try.
> >
> > Unless the server is restarted for some reason. hence the rapid cron job
> > which will eventually succeed if not detected first.
>
> Well, this should be detected, and is easily detectable.

"detectable" is not acceptable in most real-world environments. Suppose I
know you will be upgrading ssh at a certain time of day due to your
announcement that incoming ssh service will not be available during that
time period (a common arrangement where customers are involved -- notifying
them of downtimes for commonly used services).

I agree that privilege would have to be allocated on a per-port basis, as my
access to most of my servers is only via the network -- I cannot afford to
"detect" someone replacing a key daemon (nfsd) on a server because they
managed to subvert a CGI script. The case of Java Servlets is actually a
little more serious -- ServLets run inside the web server's process.
Similarly, a buffer overflow in apache should not give me that ability.
Having a bulk "can bind <1024 on protocol TCP" privilege is too broad, and
gains very little.

Robert N Watson

Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org http://www.watson.org/~robert/

From owner-freebsd-security Tue Jul 7 11:24:20 1998
Message-Id: <3.0.3.32.19980707112409.031f3894@mail.plstn1.sfba.home.com>
Date: Tue, 07 Jul 1998 11:24:09 -0700
To: joda@pdc.kth.se (Johan Danielsson)
From: Ludwig Pummer
Subject: Re: kerberos su problems betw 2 machines
Cc: security@FreeBSD.ORG
References: <3.0.3.32.19980625122541.006988b8@mail.plstn1.sfba.home.com>

Sorry it's taken so long to reply... I'm responding to this reply, but I
also tried Narvi's suggestion of naming the server by IP in my krb.conf,
which didn't fix my problem.

At 11:23 PM 6/25/98 -0400, Johan Danielsson wrote:
>Ludwig Pummer writes:
>
>> On inet, logging in as ludwigp gives me my ticket. I can kinit to
>> ludwigp.root and get my ticket, but trying to do su gives me "su:
>> kerberos: unable to verify rcmd ticket: Incorrect network address
>> (krb_rd_req)".
>
>This is most likely (but not necessarily) due to some hostname/address
>mismatch. If your machines ip-address doesn't match the A record in
>DNS, you get these problems. Likewise if you have more than one
>interface and your hostname doesn't point to the one that you use to
>talk to your KDC.

This machine is multi-homed, but DNS is all set up properly.

ludwigp@inet% hostname
inet.chipweb.ml.org
ludwigp@inet% nslookup inet.chipweb.ml.org
Server:  fortress.chipweb.ml.org
Address:  172.16.1.7

Name:    inet.chipweb.ml.org
Address:  172.16.1.5

>Check what IP address the KDC thinks you are using
>by looking at the log. If you run multi-homed, you might also want to
>check the krb.equiv(5) man-page (this is not turned off in the FreeBSD
>dist, right?)

I have no krb.equiv and no manpage for it..but the log says:

7-Jul-1998 11:06:11: AS REQ ludwigp.@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: AS REQ ludwigp.root@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: APPL REQ ludwigp.root@CHIPWEB.ML.ORG for rcmd.inet from 24.1.82.47

So the kerberos stuff looks like it's coming from 24.1.82.47? Why is that?
Could it be because the 24.1.82.47 interface is brought up first in
rc.conf?

>If you successfully used a kerberized login, this is probably not your
>problem (depending on how paranoid your login is). Were you actually
>using a kerberized login, or did you login via normal password +
>kinit?

Yes, it's using kerberized login:

FreeBSD (inet.chipweb.ml.org) (ttyv4)

login: ludwigp
Password:
Last login: Tue Jul  7 11:07:59 on ttyv4
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights reversed.

FreeBSD 2.2.5-RELEASE (INET) #0...
....
ludwigp@inet% klist
Ticket file:    /tmp/tkt1001
Principal:      ludwigp@CHIPWEB.ML.ORG

  Issued           Expires          Principal
Jul  7 11:13:53  Jul  7 19:13:53  krbtgt.CHIPWEB.ML.ORG@CHIPWEB.ML.ORG

--Thanks in advance

--Ludwig Pummer
ludwigp@bigfoot.com ICQ UIN: 692441 http://chipweb.home.ml.org

From owner-freebsd-security Tue Jul 7 12:10:52 1998
Message-Id: <199807071910.MAA04769@burka.rdy.com>
Subject: Re: kerberos su problems betw 2 machines
In-Reply-To: <3.0.3.32.19980707112409.031f3894@mail.plstn1.sfba.home.com> from Ludwig Pummer at "Jul 7, 1998 11:24: 9 am"
To: ludwigp@bigfoot.com (Ludwig Pummer)
Date: Tue, 7 Jul 1998 12:10:37 -0700 (PDT)
Cc: joda@pdc.kth.se, security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Ludwig Pummer writes:
> This machine is multi-homed, but DNS is all set up properly.

Make sure lookup on both IP addresses on your interfaces gives you _the
same_ name.
--
dima

From owner-freebsd-security Tue Jul 7 12:11:56 1998
To: Ludwig Pummer
Cc: security@FreeBSD.ORG
Subject: Re: kerberos su problems betw 2 machines
References: <3.0.3.32.19980625122541.006988b8@mail.plstn1.sfba.home.com> <3.0.3.32.19980707112409.031f3894@mail.plstn1.sfba.home.com>
From: joda@pdc.kth.se (Johan Danielsson)
Date: 07 Jul 1998 21:11:24 +0200
In-Reply-To: Ludwig Pummer's message of "Tue, 07 Jul 1998 11:24:09 -0700"

Ludwig Pummer writes:

> So the kerberos stuff looks like it's coming from 24.1.82.47? Why is
> that? Could it be because the 24.1.82.47 interface is brought up
> first in rc.conf?

Because your operating system thinks that's the best interface for
talking to your KDC.

> Yes, it's using kerberized login:

> ludwigp@inet% klist
> Ticket file:    /tmp/tkt1001
> Principal:      ludwigp@CHIPWEB.ML.ORG
>
>   Issued           Expires          Principal
> Jul  7 11:13:53  Jul  7 19:13:53  krbtgt.CHIPWEB.ML.ORG@CHIPWEB.ML.ORG

But your login isn't paranoid enough. It should get a ticket for the
local machine and try to decrypt it with the service key.
Try adding the following to /etc/krb.equiv:

24.1.82.47 172.16.1.5

/Johan

From owner-freebsd-security Tue Jul 7 12:22:47 1998
To: dima@best.net
Cc: ludwigp@bigfoot.com (Ludwig Pummer), security@FreeBSD.ORG
Subject: Re: kerberos su problems betw 2 machines
References: <199807071910.MAA04769@burka.rdy.com>
From: joda@pdc.kth.se (Johan Danielsson)
Date: 07 Jul 1998 21:22:10 +0200
In-Reply-To: dima@best.net's message of "Tue, 7 Jul 1998 12:10:37 -0700 (PDT)"

dima@best.net (Dima Ruban) writes:

> Make sure lookup on both IP addresses on your interfaces gives you
> _the same_ name.

I don't think this is the problem. In MIT Kerberos 5, you can get a
working multi-homed configuration by making sure that the hostname has
A records for all its interfaces. Kerberos 4 (which we are dealing
with here) only has room for one ip-address in the ticket, and the
KDC chooses that address based on the ip-address the request was sent
from.
/Johan

From owner-freebsd-security Tue Jul 7 12:38:53 1998
Message-Id: <199807071938.MAA00439@burka.rdy.com>
Subject: Re: kerberos su problems betw 2 machines
In-Reply-To: from Johan Danielsson at "Jul 7, 1998 9:22:10 pm"
To: joda@pdc.kth.se (Johan Danielsson)
Date: Tue, 7 Jul 1998 12:38:46 -0700 (PDT)
Cc: dima@best.net, ludwigp@bigfoot.com, security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Johan Danielsson writes:
> dima@best.net (Dima Ruban) writes:
>
> > Make sure lookup on both IP addresses on your interfaces gives you
> > _the same_ name.
>
> I don't think this is the problem. In MIT Kerberos 5, you can get a
> working multi-homed configuration by making sure that the hostname has
> A records for all its interfaces. Kerberos 4 (which we are dealing

I'm not sure that A records for all the interfaces would be enough.
Some time ago I had a multihomed machine with krb5 and I'm pretty sure
all the IPs on the interfaces had an A record.
And until I had fixed all of them to resolve to the same name (hostname), this multihomed configuration didn't work as it was supposed to.

> with here), only has room for one ip-address in the ticket, and the
> KDC chooses that address based on the ip-address the request was sent
> from.
>
> /Johan
>

-- dima

From owner-freebsd-security Wed Jul 8 02:09:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA01197 for freebsd-security-outgoing; Wed, 8 Jul 1998 02:09:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA01183 for ; Wed, 8 Jul 1998 02:09:40 -0700 (PDT) (envelope-from igor@alecto.physics.uiuc.edu)
Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id AAA25583; Wed, 8 Jul 1998 00:17:56 -0500 (CDT)
From: Igor Roshchin
Message-Id: <199807080517.AAA25583@alecto.physics.uiuc.edu>
Subject: Re: (FWD) Qpopper 2.52
In-Reply-To: <199807070733.AAA15112@hokkshideh.jetcafe.org> from "Dave Hayes" at "Jul 7, 1998 0:33:24 am"
To: dave@jetcafe.org (Dave Hayes)
Date: Wed, 8 Jul 1998 00:17:56 -0500 (CDT)
Cc: Gilles.Bruno@ujf-grenoble.fr, mike@seidata.com, igor@physics.uiuc.edu, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Gilles Bruno writes:
> > Hi, I had a similar problem: the ktrace showed segment violation
> > SIGSEGV. I found it was due to a badly configured DB configuration:
> > make sure the -DBSD44_DBM is included either in your Makefile
> > (O_DEFS) or in your config.h
>
> That, and take the -f optimizations out of the makefile.
> Those seem
> to have caused dbm_fetch() to SIGSEGV. :)
> ------
> Dave Hayes - Altadena CA, USA - dave@jetcafe.org

Having compiled qpopper-2.52, using ..../ports/mail/popper fetched from ftp.freebsd.org with all FreeBSD patches applied, I haven't had any problems so far. -DBSD44_DBM is there.. couldn't find any -f option in either of the two Makefiles.

IgoR

From owner-freebsd-security Wed Jul 8 02:12:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA01988 for freebsd-security-outgoing; Wed, 8 Jul 1998 02:12:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Amnesiac.123.org (root@Amnesiac.mtl.pl [195.116.4.13]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA01929 for ; Wed, 8 Jul 1998 02:12:13 -0700 (PDT) (envelope-from mcl@Amnesiac.123.org)
Received: from localhost (mcl@localhost) by Amnesiac.123.org (8.9.0/8.9.0) with SMTP id FAA08099 for ; Wed, 8 Jul 1998 05:23:49 +0200 (CEST)
Date: Wed, 8 Jul 1998 05:23:45 +0200 (CEST)
From: Michal Listos
To: security@FreeBSD.ORG
Subject: /etc/security weakness
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

'bry

While browsing through /etc/security I've discovered an ancient security hole. I thought it was secured in 2.1.x, but it seems that I was wrong.

/etc/security uses string mode comparison when checking for root accounts. It should use binary instead, shouldn't it?
[783](root@Amnesiac ~)# echo 'hoot:$1$8rSeV$Vibbz.ILt9JsZZouefmnQ1:00:0::0:0:hidden root account:/root/:/bin/sh' >> /etc/master.passwd
[784](root@Amnesiac ~)# awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd
root 0
jrewt 0
toor 0
[786](root@Amnesiac ~)#

- --
Michal
"some people's lives almost entirely through computers."
- - never had time to leave the machine to see one

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNaLmRb1rJn1VyAj1AQGyyQQAhAh3gWCp5TILh5aEZp4z6Nzy8wrRMRbs
gnOrwvHBrjouR8btZIUhUm6sYdRI7EK5yYlob7SGCY2a3hJgQrwK0+Rn5Thn4aHo
zFlNOm15csRFAyf8Zg0RRFKcbVZ4Pm2bx9on5d5W1HjNctm4lDjeIAr9Sy3J5pdG
zu7RkD448x4=
=yXjb
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jul 8 10:33:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA01569 for freebsd-security-outgoing; Wed, 8 Jul 1998 10:33:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA01564 for ; Wed, 8 Jul 1998 10:32:58 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id KAA02750 for ; Wed, 8 Jul 1998 10:32:27 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma002748; Wed Jul 8 10:32:07 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id KAA29352 for freebsd-security@freebsd.org; Wed, 8 Jul 1998 10:32:07 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199807081732.KAA29352@bubba.whistle.com>
Subject: www security check output (fwd)
To: freebsd-security@FreeBSD.ORG
Date: Wed, 8 Jul 1998 10:32:07 -0700 (PDT)
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender:
owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Does anyone recognize this attack? (I've changed the recipient IP address to "IPADDRESS" to protect the innocent :-)

Thanks,
-Archie

> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33468 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33468 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33469 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33469 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33470 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33470 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33471 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33471 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33472 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33472 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33473 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33473 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33474 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33474 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33475 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33475 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33476 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33476 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33477 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33477 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33478 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33478 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33479 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33479 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33480 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33480 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33481 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33481 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33482 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33482 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33483 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33483 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33484 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33484 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33485 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33485 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33486 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33486 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33487 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33487 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33488 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33488 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33489 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33489 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33490 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33490 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33491 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33491 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33492 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33492 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33493 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33493 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33494 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33494 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33495 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33495 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33496 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33496 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33497 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33497 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33498 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33498 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33499 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33499 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33500 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33500 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33501 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33501 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33502 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33502 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33503 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33503 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33504 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33504 in via ed1
> ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33505 in via ed1
> ipfw: limit reached on rule #999

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Wed Jul 8 12:15:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA13682 for freebsd-security-outgoing; Wed, 8 Jul 1998 12:15:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kaori.communique.net (kaori.communique.net [204.27.67.55]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA13675 for ; Wed, 8 Jul 1998 12:15:09 -0700 (PDT) (envelope-from rzig@verio.net)
Received: by kaori.INTERNAL with Internet Mail Service (5.0.1458.49) id ; Wed, 8 Jul 1998 14:14:25 -0500
Message-ID:
From: Raul Zighelboim
To: "'Archie Cobbs'" , freebsd-security@FreeBSD.ORG
Subject: RE: www security check output (fwd)
Date: Wed, 8 Jul 1998 14:14:23 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

2 simultaneous traceroute routines?

> -----Original Message-----
> From: Archie Cobbs [SMTP:archie@whistle.com]
> Sent: Wednesday, July 08, 1998 12:32 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: www security check output (fwd)
>
> Does anyone recognize this attack? (I've changed the recipient IP
> address to "IPADDRESS" to protect the innocent :-)
>
> Thanks,
> -Archie
>
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33468 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33468 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33469 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33469 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33470 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33470 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33471 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33471 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33472 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33472 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33473 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33473 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33474 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33474 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33475 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33475 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33476 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33476 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33477 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33477 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33478 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33478 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33479 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33479 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33480 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33480 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33481 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33481 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33482 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33482 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33483 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33483 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33484 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33484 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33485 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33485 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33486 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33486 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33487 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33487 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33488 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33488 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33489 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33489 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33490 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33490 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33491 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33491 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33492 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33492 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33493 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33493 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33494 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33494 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33495 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33495 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33496 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33496 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33497 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33497 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33498 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33498 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33499 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33499 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33500 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33500 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33501 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33501 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33502 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33502 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33503 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33503 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33504 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33504 in via ed1
> > ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33505 in via ed1
> > ipfw: limit reached on rule #999
>
> ______________________________________________________________________
> _____
> Archie Cobbs * Whistle Communications, Inc. *
> http://www.whistle.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message

From owner-freebsd-security Wed Jul 8 15:15:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA07531 for freebsd-security-outgoing; Wed, 8 Jul 1998 15:15:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tandem.milestonerdl.com (main.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA07523 for ; Wed, 8 Jul 1998 15:15:38 -0700 (PDT) (envelope-from marc@tandem.milestonerdl.com)
Received: (from marc@localhost) by tandem.milestonerdl.com (8.8.4/8.8.4) id RAA21903; Wed, 8 Jul 1998 17:43:13 GMT
Date: Wed, 8 Jul 1998 17:43:13 +0000 ()
From: Marc Rassbach
To: freebsd-security@FreeBSD.ORG, archie@whistle.com, skip-info@skip.org
Subject: FreeBSD 2.2.6/ipfw-natd/SKIP playing nice with NT 4 SKIP (round 5)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(and hopefully the last round!)

Thanks to tips from Archie Cobbs at whistle.com I was able to almost get skip and natd on FreeBSD to work with NT 4.0 skip. (The cert. on the NT box is 0x5b7d367e4fe8daf60313d75a0fe5b497)

The config I desire to have work is one with nomadic users, and the configs I can get working are: non-nomadic users and natd; nomadic users and no natd. But not the grail of nomadic users and natd.

If I boot up with kernel.GENERIC this skiphost -P works as I'm wanting.
skiphost -i ep0 -p
skiphost -i ep0 -a 224.0.0.1
skiphost -i ep0 -a 192.168.138.1 -v 2 -k DES-CBC -t DES-CBC -s 8 -S 0x65acaa1f5edce866d7f473508fda994f
skiphost -i ep0 -a 224.0.0.2
skiphost -i ep0 -a 192.168.138.255
skiphost -i ep0 -a "*" -v 2 -k DES-CBC -t DES-CBC -r 8 -R 0x40a6c87db1f6677ab12a98c82f007012 -s 8 -S 0x65acaa1f5edce866d7f473508fda994f
skiphost -i ep0 -a "*" -v 2 -k DES-CBC -t DES-CBC -r 8 -R 0x5b7d367e4fe8daf60313d75a0fe5b497 -s 8 -S 0x65acaa1f5edce866d7f473508fda994f
skiphost -i ep0 -o on

If I use this ipfw list and have a kernel configured for IPFW

00010 allow skip from any to any
00010 allow 79 from any to any
00010 allow esp from any to any
00010 allow ah from any to any
00010 allow udp from any to 192.168.138.1 1640
00010 allow udp from 192.168.138.1 1640 to any
00100 divert 6668 log ip from any to any via 192.168.138.1
65535 allow ip from any to any

and this skiphost -P

skiphost -i ep0 -p
skiphost -i ep0 -a 224.0.0.1
skiphost -i ep0 -a 192.168.138.1 -v 2 -k DES-CBC -t DES-CBC -s 8 -S 0x65acaa1f5edce866d7f473508fda994f
skiphost -i ep0 -a 224.0.0.2
skiphost -i ep0 -a 192.168.138.16
skiphost -i ep0 -a 192.168.138.55
skiphost -i ep0 -a 192.168.138.255
skiphost -i ep0 -a "*" -v 2 -k DES-CBC -t DES-CBC -r 8 -R 0x40a6c87db1f6677ab12a98c82f007012 -s 8 -S 0x65acaa1f5edce866d7f473508fda994f
skiphost -i ep0 -a "*" -v 2 -k DES-CBC -t DES-CBC -r 8 -R 0x5b7d367e4fe8daf60313d75a0fe5b497 -s 8 -S 0x65acaa1f5edce866d7f473508fda994f
skiphost -i ep0 -o on

I at least have un-encrypted communications. Asking the skip implementation to be in a nomadic mode breaks with the above config.

So, can anyone spot what I did wrong here?
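The ipfw deny lines Archie Cobbs posted earlier in this thread, and Raul Zighelboim's reading of them as two simultaneous traceroutes, make a small log-triage exercise worth spelling out. The Python below is an added example written for this archive page, not code from the list, from FreeBSD or from ipfw(8): it parses syslog lines in the format the thread shows, groups denied UDP traffic by source and destination, and reports any flow whose destination ports walk the classic UNIX traceroute range (33434 upward, one port per probe, three probes per hop) together with how many distinct source ports, and therefore how many traceroute processes, produced it. SAMPLE_LOG is a constructed subset of the lines in the thread plus one unrelated TCP deny; IPFW_RE, parse_ipfw and find_traceroutes are names chosen here.

```python
import re
from collections import defaultdict

# ipfw(8) syslog format as it appears in the thread:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Classic UNIX traceroute sends UDP probes to destination ports counting up from
# 33434 (one port per probe, three probes per hop by default) from a single
# pid-derived source port, so one run shows up as a staircase of destination ports.
TRACEROUTE_BASE = 33434
TRACEROUTE_LIMIT = TRACEROUTE_BASE + 30 * 3 + 1   # 30 hops x 3 probes at default settings
PROBES_PER_HOP = 3

# Constructed sample: a dozen lines following the pattern in the thread, plus one
# unrelated TCP deny (192.0.2.0/24 is documentation space) and the rate-limit notice.
SAMPLE_LOG = [
    "ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33468 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33468 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33469 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33469 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33470 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33470 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33471 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33471 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33472 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33472 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63106 IPADDRESS:33473 in via ed1",
    "ipfw: 999 Deny UDP 207.239.226.169:63110 IPADDRESS:33473 in via ed1",
    "ipfw: 999 Deny TCP 192.0.2.10:4444 IPADDRESS:23 in via ed1",   # constructed, not traceroute
    "ipfw: limit reached on rule #999",
]


def parse_ipfw(lines):
    """Return one dict per parseable packet line; notices such as 'limit reached' are skipped."""
    records = []
    for line in lines:
        m = IPFW_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_traceroutes(lines):
    """Group UDP records by (src, dst) and flag flows that walk the traceroute port range."""
    flows = defaultdict(list)
    for rec in parse_ipfw(lines):
        if rec["proto"] == "UDP":
            flows[(rec["src"], rec["dst"])].append(rec)

    findings = []
    for (src, dst), recs in sorted(flows.items()):
        dports = sorted({r["dport"] for r in recs})
        in_range = all(TRACEROUTE_BASE <= p < TRACEROUTE_LIMIT for p in dports)
        contiguous = dports == list(range(dports[0], dports[-1] + 1))
        if not (in_range and contiguous and len(dports) >= PROBES_PER_HOP):
            continue
        sports = sorted({r["sport"] for r in recs})
        findings.append({
            "src": src,
            "dst": dst,
            "verdict": "traceroute",
            # one fixed source port per traceroute process; two here means two concurrent runs
            "processes": len(sports),
            "source_ports": sports,
            "first_probe_port": dports[0],
            "last_probe_port": dports[-1],
            "probes_seen": len(recs),
            # rough estimate only: each process probes PROBES_PER_HOP ports per hop
            "approx_hops_per_process": -(-len(dports) // PROBES_PER_HOP),
        })
    return findings


if __name__ == "__main__":
    for f in find_traceroutes(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['verdict']}, "
              f"{f['processes']} concurrent run(s) on source ports {f['source_ports']}, "
              f"dest ports {f['first_probe_port']}-{f['last_probe_port']} "
              f"(~{f['approx_hops_per_process']} hops each)")
```

Two details support Raul's diagnosis rather than something more hostile: the destination ports climb one at a time through the traceroute range while exactly two source ports alternate, and both source ports (63106 and 63110) have the high bit set, which is what the 4.4BSD traceroute's pid-derived ident looks like. A single legitimate diagnostic traceroute from a remote network produces the same picture, so this is triage output to read alongside the rest of the log, not an alert on its own.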
From owner-freebsd-security Wed Jul 8 19:28:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA06927 for freebsd-security-outgoing; Wed, 8 Jul 1998 19:28:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA06921 for ; Wed, 8 Jul 1998 19:28:41 -0700 (PDT) (envelope-from opsys@mail.webspan.net)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id WAA28144 for ; Wed, 8 Jul 1998 22:21:51 -0400 (EDT)
Date: Wed, 8 Jul 1998 22:28:39 -0400 (EDT)
From: Open Systems Networking
X-Sender: opsys@orion.webspan.net
To: freebsd-security@FreeBSD.ORG
Subject: PGP 262 wont do 2048 bit keys.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

For some reason I cannot for the life of me get PGP 262 out of ports to do 2048 bit keys. Now unless I'm dreaming, doesn't pgp 262 do 2048 bit keys?

I keep getting this:

keygen failed!
keygen error

I don't know why though. It is supposed to do 2048-bit sized keys.
Hrmm.

Chris

--
"Linux... The choice of a GNUtered generation."

===================================| Open Systems Networking And Consulting.
FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting-Network Engineering-Security
===================================| http://open-systems.net

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te
gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC
foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z
d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb
NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv
CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8
b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4=
=BBjp
-----END PGP PUBLIC KEY BLOCK-----

From owner-freebsd-security Wed Jul 8 19:41:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA08682 for freebsd-security-outgoing; Wed, 8 Jul 1998 19:41:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ritchie.loop.com (ritchie-inet.loop.com [207.211.60.70]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA08677; Wed, 8 Jul 1998 19:41:23 -0700 (PDT) (envelope-from cassy@loop.com)
Received: from patty.loop.com (patty-inet.loop.com [207.211.60.69]) by ritchie.loop.com (8.8.7/8.8.7) with SMTP id TAA05617; Wed, 8 Jul 1998 19:38:10 -0700 (PDT) (envelope-from cassy@loop.com)
Date: Wed, 8 Jul 1998 19:36:57 -0700 (PDT)
From: "Cassandra M. Perkins"
To: "Jan B. Koum "
cc: Scot Elliott , freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What version of qpopper is not vulnerable to the hole?

----------------------------------------------------------------------------
| Cassandra M. Perkins              | People usually get what's coming to |
| Network Operations                | them... unless it's been mailed.    |
| The Loop Internet Switch Co., LLC | -fortune                            |
----------------------------------------------------------------------------

On Sun, 5 Jul 1998, Jan B. Koum wrote:

>
> Where have you been all this time? Don't you follow bugtraq?
> Yes, Qualcomm had remote root shell buffer overflow "y3r 0wned"
> type thingie. Exploits for both *bsd and linux systems were published. Get
> cucipop or updated qualcomm pop server.
>
> -- Yan
>
> Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
> ---------------------------------------+-----------------------------------
> ICMP: What happens when you hack into a military network and they catch you.
>
> On Sun, 5 Jul 1998, Scot Elliott wrote:
>
> >Morning all.
> >
> >I caught someone last night with a root shell on our mail server. I
> >traced it back to somewhere in the US, but unfortunately got locked out
> >and the log files removed before I had time to fix it ;-(
> >
> >I shut the machine down remotely by mounting /usr over NFS and changing
> >/usr/libexec/atrun to a shell script that runs /sbin/shutdown (neat huh?
> >;-)
> >
> >Anyway - the point is that it looks like some kind of buffer overflow in
> >the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> >messages from popper in the log file before it was removed. There was an
> >extra line in /etc/inetd.conf which ran a shell as root on some port I
> >wasn't using (talk I think). So I'm guessing that the exploit allows
> >anyone to run any command as root. Nice. Whoever it was was having a
> >whale of a time with my C compiler for some reason... very dodgy.
> >
> >If I can find out the source of this then I'd like to follow it up. Does
> >anyone have experience of chasing this sort of thing from across the US
> >border? Also, of course, everyone should check their popper version.
> >
> >Cheers
> >
> >
> >Yours - Scot.
> >
> >
> >-----------------------------------------------------------------------------
> >Scot Elliott (scot@poptart.org, scot@nic.cx) | Work: +44 (0)171 7046777
> >PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
> >-----------------------------------------------------------------------------
> >Public key available by finger at: finger scot@poptart.org
> > or at: http://www.poptart.org/pgpkey.html
> >
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-isp" in the body of the message
> >
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>

From owner-freebsd-security Wed Jul 8 19:47:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA09810 for freebsd-security-outgoing; Wed, 8 Jul 1998 19:47:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA09790 for ; Wed, 8 Jul 1998 19:47:14 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id TAA26335; Wed, 8 Jul 1998 19:47:05 -0700 (PDT)
Message-Id: <199807090247.TAA26335@burka.rdy.com>
Subject: Re: PGP 262 wont do 2048 bit keys.
In-Reply-To: from Open Systems Networking at "Jul 8, 1998 10:28:39 pm"
To: opsys@mail.webspan.net (Open Systems Networking)
Date: Wed, 8 Jul 1998 19:47:04 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Open Systems Networking writes:
>
> For some reason I cannot for the life of me get PGP 262 out of ports to do
> 2048 bit keys. Now unless I'm dreaming, doesn't pgp 262 do 2048 bit keys?

263i fixes it.

>
> I keep getting this:
>
> keygen failed!
> keygen error
>
> I don't know why though. It is supposed to do 2048-bit sized keys.
> Hrmm.
>
> Chris
>
> --
> "Linux... The choice of a GNUtered generation."
>
> ===================================| Open Systems Networking And Consulting.
> FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
> -----------------------------------| 1402 N. Washington, Wellington, KS-67152
> FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
> http://www.freebsd.org             | Consulting-Network Engineering-Security
> ===================================| http://open-systems.net
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: 2.6.2
>
> mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te
> gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC
> foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z
> d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb
> NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv
> CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8
> b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4=
> =BBjp
> -----END PGP PUBLIC KEY BLOCK-----
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

-- dima

From owner-freebsd-security Wed Jul 8 20:12:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA12046 for freebsd-security-outgoing; Wed, 8 Jul 1998 20:12:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from odyssey.apana.org.au (odyssey.apana.org.au [203.11.114.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA12027; Wed, 8 Jul 1998 20:12:26 -0700 (PDT) (envelope-from dean@odyssey.apana.org.au)
Received: from localhost (dean@localhost) by odyssey.apana.org.au (8.8.8/8.8.7) with SMTP id LAA11542; Thu, 9 Jul 1998 11:12:05 +0800 (WST)
Date: Thu, 9 Jul 1998 11:12:05 +0800 (WST)
From: Dean Hollister
To: "Cassandra M. Perkins"
cc: "Jan B. Koum " , Scot Elliott , freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 8 Jul 1998, Cassandra M. Perkins wrote:

> What version of qpopper is not vulnerable to the hole?

2.52.

Regards,

d.

+-------------------------------------------------------+
| Dean Hollister,           | dean@mushka.ml.org        |
| Perth, Western Australia. | dean@wa.apana.org.au      |
+-------------------------------------------------------+

From owner-freebsd-security Wed Jul 8 20:15:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA12573 for freebsd-security-outgoing; Wed, 8 Jul 1998 20:15:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from stevie.loop.com (stevie-inet.loop.com [207.211.60.71]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA12565; Wed, 8 Jul 1998 20:15:08 -0700 (PDT) (envelope-from cassy@loop.com)
Received: from patty.loop.com (patty-inet.loop.com [207.211.60.69]) by stevie.loop.com (8.8.6/8.8.6) with SMTP id UAA07683; Wed, 8 Jul 1998 20:14:38 -0700 (PDT)
Date: Wed, 8 Jul 1998 20:10:18 -0700 (PDT)
From: "Cassandra M. Perkins"
To: Dean Hollister
cc: "Jan B. Koum " , Scot Elliott , freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Got it. Thanks.

----------------------------------------------------------------------------
| Cassandra M. Perkins              | People usually get what's coming to |
| Network Operations                | them... unless it's been mailed.    |
| The Loop Internet Switch Co., LLC | -fortune                            |
----------------------------------------------------------------------------

On Thu, 9 Jul 1998, Dean Hollister wrote:

> On Wed, 8 Jul 1998, Cassandra M. Perkins wrote:
>
> > What version of qpopper is not vulnerable to the hole?
>
> 2.52.
>
> Regards,
>
> d.
>
> +-------------------------------------------------------+
> | Dean Hollister,           | dean@mushka.ml.org        |
> | Perth, Western Australia. | dean@wa.apana.org.au      |
> +-------------------------------------------------------+
>
>

From owner-freebsd-security Wed Jul 8 20:49:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA18079 for freebsd-security-outgoing; Wed, 8 Jul 1998 20:49:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id UAA18066 for ; Wed, 8 Jul 1998 20:49:23 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yu7hu-0001Sc-00; Wed, 8 Jul 1998 21:49:18 -0600
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id VAA11442; Wed, 8 Jul 1998 21:51:09 -0600 (MDT)
Message-Id: <199807090351.VAA11442@harmony.village.org>
To: Open Systems Networking
Subject: Re: PGP 262 wont do 2048 bit keys.
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 08 Jul 1998 22:28:39 EDT."
References:
Date: Wed, 08 Jul 1998 21:51:09 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Open Systems Networking writes:
: I don't know why though. It is supposed to do 2048-bit sized keys.
: Hrmm.

Previous traffic on this suggests it is due to the port bogusly using RSAREF rather than the legally hacked version that comes with pgp.
Warner

From owner-freebsd-security Fri Jul 10 04:59:51 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA29759 for freebsd-security-outgoing; Fri, 10 Jul 1998 04:59:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA29729 for ; Fri, 10 Jul 1998 04:59:09 -0700 (PDT) (envelope-from maillist@oaks.com.au)
Received: from bigbox (frankenputer.aussie.org [203.29.75.73]) by mail.aussie.org (8.9.0/8.9.0) with SMTP id VAA15030 for ; Fri, 10 Jul 1998 21:58:29 +1000 (EST)
Message-Id: <199807101158.VAA15030@mail.aussie.org>
From: "Hallam Oaks P/L list account"
To: "freebsd-security@FreeBSD.ORG"
Date: Fri, 10 Jul 1998 21:59:07 +1000
Reply-To: "Hallam Oaks P/L list account"
X-Mailer: PMMail 98 Standard (2.01.1600) For Windows NT (4.0.1381;3)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: DNS zone xfers from random(?) sites

G'Day all;

I hope that asking this question doesn't reveal too much of my ignorance of DNS-related issues ;)

I've been primary DNS for a few domains for about two or three years now. Right now my machine hosts about six primary DNS entries. Each of the primaries is backed by two secondaries. So far so good.

Recently (a few months ago) I added a new domain - mgr.org.au - and have since started noticing a pattern of zone transfers that I do not explicitly recall seeing before on any of my other domains. Basically, what seems to be random sites around the world (e.g. Israel, Singapore, France) are downloading the zone file, even where they are not secondaries to this domain.
I am not seeing this pattern on other domains (one or two of them perhaps, but not so many in such a short time). I do not recognise the sites that are requesting the transfers.

While I could of course block them from doing this I am curious as to whether or not anyone can offer up any suggestion as to _why_ this may be happening, and if there is any legitimate explanation for it. The domain in question is for a local (Melbourne, Australia) FM radio station (which is not even broadcasting at the moment) and I can hardly see it having any interest to people in, say, France or Singapore. If there's a legitimate purpose for it I'll just let it continue.

I know it's possible to do manual zone transfers (heck, I've done it myself) but I can't figure out why so many different sites ...

Any info appreciated.

regards,

--
Chris
Hallam Oaks P/L

From owner-freebsd-security Fri Jul 10 06:01:43 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA05826 for freebsd-security-outgoing; Fri, 10 Jul 1998 06:01:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dumont.neoplanos.com.br (dumont.neoplanos.com.br [200.249.209.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA05803 for ; Fri, 10 Jul 1998 06:01:40 -0700 (PDT) (envelope-from john@dumont.neoplanos.com.br)
Received: from localhost (john@localhost) by dumont.neoplanos.com.br (8.8.8/8.8.5) with SMTP id KAA02302 for ; Fri, 10 Jul 1998 10:12:43 -0300 (EST)
Date: Fri, 10 Jul 1998 10:12:43 -0300 (EST)
From: Joao Paulo Caldas Campello
To: freebsd-security@FreeBSD.ORG
Subject: About popper bug
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi all,

The last days I've seen some messages about an exploitable bug in popper, but I couldn't locate the original message, certainly 'cause I was not yet subscribed in the list... If some good soul could send me any information about this bug - how may I test if it's exploitable in my FreeBSD system (2.2.6-RELEASE), and how may I fix that - I would be very pleased.

thanks,

J. Paulo
Director of Internet Dept.
Neo Planos High School

From owner-freebsd-security Fri Jul 10 10:32:45 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA11218 for freebsd-security-outgoing; Fri, 10 Jul 1998 10:32:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from puck.nether.net (jared@puck.nether.net [204.42.254.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA11208 for ; Fri, 10 Jul 1998 10:32:40 -0700 (PDT) (envelope-from jared@puck.nether.net)
Received: (from jared@localhost) by puck.nether.net (8.9.0/8.7.3) id NAA07346; Fri, 10 Jul 1998 13:32:33 -0400
Message-ID: <19980710133233.D7184@puck.nether.net>
Date: Fri, 10 Jul 1998 13:32:33 -0400
From: Jared Mauch
To: Joao Paulo Caldas Campello, freebsd-security@FreeBSD.ORG
Subject: Re: About popper bug
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i
In-Reply-To: ; from Joao Paulo Caldas Campello on Fri, Jul 10, 1998 at 10:12:43AM -0300

You can find information at www.geekgirl.com, or your favorite bugtraq archive. I'd recommend getting on it by sending a

>>> subscribe bugtraq

message to listserv@netspace.org where the subscribe bugtraq is in the body of the message

On Fri, Jul 10, 1998 at 10:12:43AM -0300, Joao Paulo Caldas Campello wrote:
> Hi all,
>
> The last days I've seen some messages about an exploitable bug in
> popper, but I couldn't locate the original message, certainly 'cause I was
> not yet subscribed in the list... If some good soul could send me any
> information about this bug - how may I test if it's exploitable in my
> FreeBSD system (2.2.6-RELEASE), and how may I fix that - I would be very
> pleased.
>
> thanks,
>
> J. Paulo
> Director of Internet Dept.
> Neo Planos High School

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
Nether Net   | http://puck.nether.net/~jared/ | "You Go To Hell! You Go To Hell and Die!"

From owner-freebsd-security Fri Jul 10 11:18:39 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA17600 for freebsd-security-outgoing; Fri, 10 Jul 1998 11:18:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from infowest.com (infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA17595 for ; Fri, 10 Jul 1998 11:18:38 -0700 (PDT) (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [207.49.60.250]) by infowest.com (8.8.8/8.8.8) with ESMTP id MAA09049 for ; Fri, 10 Jul 1998 12:18:02 -0600 (MDT)
Message-ID: <35A65AD0.438A6F28@infowest.com>
Date: Fri, 10 Jul 1998 12:17:52 -0600
From: "Aaron D. Gifford"
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.6-STABLE i386)
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: a chroot() shell wrapper
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello,

I'm a relative newbie in coding for security, but I threw together a chroot() wrapper last night that is used as a user's shell. It chroot()s to a jail and runs another shell in the jail. It seems pretty straightforward, but I suspect I've missed some obvious things.
I've got it online at http://www.eq.net/software/chrsh.c -- I called it chrsh but there's probably something already named that, though a quick web search didn't find anything. I was considering using rsh (the restricted shell), but it looked like it didn't do a chroot() jail, which is what I wanted.

If you download it and look at it, please let me know if you notice any glaring errors or omissions. It seems to work on my own FreeBSD 2.2.6-STABLE system. Even though I searched and didn't notice anything, I GREATLY suspect I just reinvented the wheel. If so, please let me know and point me in the right direction. :)

Aaron out.

From owner-freebsd-security Fri Jul 10 14:14:54 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA17276 for freebsd-security-outgoing; Fri, 10 Jul 1998 14:14:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from seaworld.jpl.nasa.gov (seaworld.jpl.nasa.gov [137.78.96.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA17271 for ; Fri, 10 Jul 1998 14:14:53 -0700 (PDT) (envelope-from jehamby@manta.jpl.nasa.gov)
Received: from manta.jpl.nasa.gov by seaworld.jpl.nasa.gov via SMTP (980427.SGI.8.8.8/940406.SGI) for id OAA16148; Fri, 10 Jul 1998 14:14:46 -0700 (PDT)
Received: from localhost by manta.jpl.nasa.gov (SMI-8.6/SMI-SVR4) id OAA03792; Fri, 10 Jul 1998 14:14:46 -0700
Date: Fri, 10 Jul 1998 14:14:46 -0700 (PDT)
From: Jake Hamby
X-Sender: jehamby@manta
To: security@FreeBSD.ORG
Subject: RootRunner (admin GUI w/o security holes?)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi all,

I'm currently working on an administration GUI tool for FreeBSD, Linux, and Solaris. I've bitten off a rather large chunk of features that I'd like to implement before my deadline of August 15 (which should be enough of a clue for some of you to figure out why I'm working on this now), but I hope to implement at least basic user, group, network, and package management.

Anyway, in order to administer a UNIX system, you typically need root privileges. Yet it's a Bad Idea to run X as root. Looking at other GUI admin tools, I've seen two basic approaches. First, many require the user to su to root before running the tool, or else it works in read-only mode. This is ugly because it's difficult to run the program from your window manager, so you have to pop open an xterm, su to root, then run it if you're logged in as yourself. Yet, this is the approach that many programs take, especially on Linux.

The other approach is even worse, from a security standpoint. This is to make the program setuid root, and ask the user for the root password if necessary. I don't need to mention the problems this presents if any security holes (such as buffer overflow exploits or simply not thoroughly checking the user's privileges) are discovered in the program. This is the approach taken by many commercial UNIXs, including IRIX and Solaris, and a quick search of Bugtraq will reveal tons of holes from this alone.

I came up with an idea for my admin program that I haven't seen before, yet (like the recent poster of the chroot jail program), I strongly suspect I may be reinventing the wheel. My idea is to open a pty, spawn /bin/sh, then execute the su (or sudo, if installed) program, query the user from the GUI for the root password, and feed it through the pty. Then I'll have a root shell that I can execute commands in, including the ability to read/write administration files (by using cat).

This sounds ideal to me, because the program (including the GUI, which is important considering the recent security holes discovered in Xlib) runs as the user, and the only setuid program needed is /bin/su (which *better* be secure, or else the entire system is in a lot of trouble :). Even better, my program will (optionally) show the user which commands it's executing, and as much as possible, use the tools in /sbin and /usr/sbin rather than directly talking to the OS. The only other program I've heard of that works this way is SMIT on AIX, and it sounds very useful. I can simply echo the output of each command to a subwindow of the GUI and in the process, teach the actual UNIX commands to new sysadmins, rather than hiding it from them.

Are there any potential security holes with this approach? The first problem I can think of is that the program might crash, leaving the root password in the core file. However, since all good UNIXes set the permissions on cores to 600, and the user who ran the program must've known the root password in order for it to be saved, then this seems like a reasonable risk. I considered installing a signal handler for SIGSEGV and other common signals that dump core, then wiping all occurrences of the root password, but due to the vagaries of GUIs and even stdio, I can't guarantee that it won't be lying around somewhere. I could prevent the program from dumping core, but if there are any bugs in the GUI, I want to know about them and be able to get a stack backtrace from gdb, so for now at least, that's out of the question.

Is there any possibility (especially in BSD and Linux, which require you to search the /dev/ptyXX space to find an open pty), for race conditions where an eavesdropper could get the root password through the pty when someone else is running the admin GUI? Any pointers on how to write this section of the code (if it would need to be any different from the way that, for example, xterm grabs a pty) would be helpful.
I plan to finish my implementation and release it, hopefully tonight, in which case I'll post a URL. I'd really appreciate it if any of you have time for a quick walkthrough of my code to make sure it doesn't do anything stupid. Please reply by private email if you have any comments. I'll summarize them and post to the list when finished. Also, if you can think of other mailing lists I should post this to, that would be very helpful.

My version of "RootRunner" will use C++ and Qt, so unfortunately, probably won't be directly useful to many of you. However, I will release it under a liberal BSD-style copyright, so feel free to modify it for your own needs, especially since I think the concept could be very useful for all sorts of programs which need to run (at least temporarily) as another user, including (eek!) competitors to mine.

-Jake

From owner-freebsd-security Fri Jul 10 16:37:07 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA13868 for freebsd-security-outgoing; Fri, 10 Jul 1998 16:37:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from relay.acadiau.ca (relay.acadiau.ca [131.162.2.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA13856 for ; Fri, 10 Jul 1998 16:36:58 -0700 (PDT) (envelope-from 026809r@dragon.acadiau.ca)
Received: from dragon.acadiau.ca (dragon [131.162.1.79]) by relay.acadiau.ca (8.8.5/8.8.5) with SMTP id UAA23104; Fri, 10 Jul 1998 20:36:54 -0300 (ADT)
Received: by dragon.acadiau.ca id UAA08298; Fri, 10 Jul 1998 20:36:52 -0300
From: 026809r@dragon.acadiau.ca (Michael Richards)
Message-Id: <199807102336.UAA08298@dragon.acadiau.ca>
Subject: Re: RootRunner (admin GUI w/o security holes?)
To: jehamby@manta.jpl.nasa.gov (Jake Hamby)
Date: Fri, 10 Jul 1998 20:36:51 -0300 (ADT)
Cc: security@FreeBSD.ORG
In-Reply-To: from "Jake Hamby" at Jul 10, 98 02:14:46 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> Anyway, in order to administer a UNIX system, you typically need root
> privileges. Yet it's a Bad Idea to run X as root. Looking at other GUI
> admin tools, I've seen two basic approaches. First, many require the user

Why not just use ssh to forward your root X connections via an encrypted connection? All of your problems go away. You are even secure from network sniffers because the entire data stream is encrypted.

-Mike

From owner-freebsd-security Fri Jul 10 16:53:58 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA16826 for freebsd-security-outgoing; Fri, 10 Jul 1998 16:53:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from seaworld.jpl.nasa.gov (seaworld.jpl.nasa.gov [137.78.96.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA16803 for ; Fri, 10 Jul 1998 16:53:46 -0700 (PDT) (envelope-from jehamby@manta.jpl.nasa.gov)
Received: from manta.jpl.nasa.gov by seaworld.jpl.nasa.gov via SMTP (980427.SGI.8.8.8/940406.SGI) id QAA18136; Fri, 10 Jul 1998 16:53:45 -0700 (PDT)
Received: from localhost by manta.jpl.nasa.gov (SMI-8.6/SMI-SVR4) id QAA03973; Fri, 10 Jul 1998 16:53:44 -0700
Date: Fri, 10 Jul 1998 16:53:44 -0700 (PDT)
From: Jake Hamby
X-Sender: jehamby@manta
To: Michael Richards <026809r@dragon.acadiau.ca>
cc: security@FreeBSD.ORG
Subject: Re: RootRunner (admin GUI w/o security holes?)
In-Reply-To: <199807102336.UAA08298@dragon.acadiau.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 10 Jul 1998, Michael Richards wrote:

> Why not just use ssh to forward your root X connections via an encrypted
> connection? All of your problems go away. You are even secure from network
> sniffers because the entire data stream is encrypted.

Well, I definitely want to support ssh to allow secure remote administration (where it would replace su or sudo in the scheme I described), but I'm really loath to run any part of the GUI as uid 0, if it's at all possible to avoid. While it's probably not a security hole, per se, my biggest problem is the one I already mentioned of how to start the program from the "start menu" of your favorite windowmanager, without having to pop up an ugly xterm window to ask for the root password.

-Jake

From owner-freebsd-security Fri Jul 10 19:39:26 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA12899 for freebsd-security-outgoing; Fri, 10 Jul 1998 19:39:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from engulf.net (brandon@engulf.com [207.96.124.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA12881 for ; Fri, 10 Jul 1998 19:39:22 -0700 (PDT) (envelope-from brandon@engulf.net)
Received: from localhost (brandon@localhost) by engulf.net (8.8.8/8.8.8) with SMTP id WAA21422; Fri, 10 Jul 1998 22:35:00 -0400 (EDT)
Date: Fri, 10 Jul 1998 22:34:47 -0400 (EDT)
From: Brandon Lockhart
To: "Aaron D. Gifford"
cc: security@FreeBSD.ORG
Subject: Re: a chroot() shell wrapper
In-Reply-To: <35A65AD0.438A6F28@infowest.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I love the idea; maybe some documentation should be coming out with a little clearer instructions once we make sure it is stable.

Now, a question about it. Once the user logs in, and is in "/home", if they "cd /bin", does that put them in /usr/home/testuser/bin?

--
Brandon Lockhart  "Anything I say represents only my opinion."
brandon.lockhart@usinternetworking.com  brandon@engulf.net
Work: (410) 897-4551  Pager: (888) xxx-xxxx

From owner-freebsd-security Fri Jul 10 19:44:07 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA13686 for freebsd-security-outgoing; Fri, 10 Jul 1998 19:44:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA13681 for ; Fri, 10 Jul 1998 19:44:05 -0700 (PDT) (envelope-from angelos@dsl.cis.upenn.edu)
Received: from dsl.cis.upenn.edu ([198.223.41.41]) by adk.gr (8.8.8/8.8.5) with ESMTP id WAA21195 for ; Fri, 10 Jul 1998 22:41:57 -0400 (EDT)
Message-Id: <199807110241.WAA21195@adk.gr>
To: security@FreeBSD.ORG
Subject: Re: chroot()
Date: Fri, 10 Jul 1998 22:35:19 EDT
From: "Angelos D. Keromytis"

-----BEGIN PGP SIGNED MESSAGE-----

To: security@freebsd.org
Subject: Re: chroot()
Cc:
Date: 07/10/98, 22:35:16

Keep in mind that it's trivial to escape from a root shell if you have root (or can do certain things). chroot() is unfortunately far from perfect.

- -Angelos

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNabPZb0pBjh2h1kFAQGspwP9E9e/NZp/QsBBlSge2BF61b4VsWS4qsdr
354LULHaTgpxGm4oNPyKZAsQ2PJz0/eK8B2jguH+ZPs04SwbJqqi1b+O64atJsrO
EjBteTFSAHa68+PeLJqF7u9Msc0VnoMCH0geC+B9RmJ/qaC4tT06RG241wTUu1eC
gbtxa2wneVc=
=/d1q
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Jul 10 21:08:06 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA21669 for freebsd-security-outgoing; Fri, 10 Jul 1998 21:08:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21664 for ; Fri, 10 Jul 1998 21:08:05 -0700 (PDT) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id AAA14526; Sat, 11 Jul 1998 00:07:50 -0400 (EDT)
Date: Sat, 11 Jul 1998 00:07:50 -0400 (EDT)
From: spork
X-Sender: spork@super-g.inch.com
To: Joao Paulo Caldas Campello
cc: freebsd-security@FreeBSD.ORG
Subject: Re: About (another?) popper bug
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I'm curious if anyone else is seeing some odd behaviour in qpopper 2.52.
I built it using the port, but changed two things before the build step: I set it to "SERVER_MODE" and removed "KEEP_TEMP_DROP". By default, BULLDB is enabled. If you take a look at /your/bulldb/dir/bulldb.db, does anyone else see some odd things in there (looking at it with 'strings')? I see lots of master.passwd fragments, including encrypted passwords. Granted, the file is readable only by root, but it seems odd that that info should be in there and it makes me a bit nervous.

Ideas?

I'm working on getting cucipop to build with the db 2.x support, but in the meantime we're sticking with qpopper...

Thanks,

Charles

Charles Sprickman
spork@super-g.com

----
On Fri, 10 Jul 1998, Joao Paulo Caldas Campello wrote:

> Hi all,
>
> The last days I've seen some messages about an exploitable bug in
> popper, but I couldn't locate the original message, certainly 'cause I was
> not yet subscribed in the list... If some good soul could send me any
> information about this bug - how may I test if it's exploitable in my
> FreeBSD system (2.2.6-RELEASE), and how may I fix that - I would be very
> pleased.
>
> thanks,
>
> J. Paulo
> Director of Internet Dept.
> Neo Planos High School

From owner-freebsd-security Fri Jul 10 23:36:48 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA02754 for freebsd-security-outgoing; Fri, 10 Jul 1998 23:36:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [195.8.133.1] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA02749 for ; Fri, 10 Jul 1998 23:36:45 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.5) with ESMTP id IAA02488; Sat, 11 Jul 1998 08:34:21 +0200 (CEST)
To: "Angelos D. Keromytis"
cc: security@FreeBSD.ORG
Subject: Re: chroot()
In-reply-to: Your message of "Fri, 10 Jul 1998 22:35:19 EDT." <199807110241.WAA21195@adk.gr>
Date: Sat, 11 Jul 1998 08:34:18 +0200
Message-ID: <2486.900138858@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <199807110241.WAA21195@adk.gr>, "Angelos D. Keromytis" writes:
>Keep in mind that it's trivial to escape from a root shell if you have
>root (or can do certain things). chroot() is unfortunately far from
>perfect.

A FreeBSD user has paid me to strengthen the chroot() concept, and the code will go into FreeBSD when he has had time to get his money back through the use of it.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Sat Jul 11 10:13:36 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA20364 for freebsd-security-outgoing; Sat, 11 Jul 1998 10:13:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA20359 for ; Sat, 11 Jul 1998 10:13:33 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.0/frmug-2.3/nospam) with UUCP id TAA10970 for freebsd-security@FreeBSD.ORG; Sat, 11 Jul 1998 19:13:28 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: (from roberto@localhost) by keltia.freenix.fr (8.9.0.Beta4/keltia-2.14/nospam) id KAA09565 for freebsd-security@FreeBSD.ORG; Sat, 11 Jul 1998 10:16:24 +0200 (CEST) (envelope-from roberto)
Message-ID: <19980711101624.A9562@keltia.freenix.fr>
Date: Sat, 11 Jul 1998 10:16:24 +0200
From: Ollivier Robert
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: DNS zone xfers from random(?) sites
Mail-Followup-To: "freebsd-security@FreeBSD.ORG"
References: <199807101158.VAA15030@mail.aussie.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.92.14i
In-Reply-To: <199807101158.VAA15030@mail.aussie.org>; from Hallam Oaks P/L list account on Fri, Jul 10, 1998 at 09:59:07PM +1000
X-Operating-System: FreeBSD 3.0-CURRENT ctm#4419 AMD-K6 MMX @ 225 MHz

According to Hallam Oaks P/L list account:
> Basically, what seems to be random sites around the world (e.g. Israel,
> Singapore, France) are downloading the zone file, even where they are not
> secondaries to this domain.
> I am not seeing this pattern on other domains

Did you ask them why they were doing this?

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #11: Sat Jun 27 00:41:06 CEST 1998

From owner-freebsd-security Sat Jul 11 19:33:36 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA08490 for freebsd-security-outgoing; Sat, 11 Jul 1998 19:33:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dumont.neoplanos.com.br (dumont.neoplanos.com.br [200.249.209.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA08382 for ; Sat, 11 Jul 1998 19:33:13 -0700 (PDT) (envelope-from john@neoplanos.com.br)
Received: from john (john@linha03.neoplanos.com.br [200.249.209.103]) by dumont.neoplanos.com.br (8.8.8/8.8.5) with SMTP id XAA11805 for ; Sat, 11 Jul 1998 23:05:41 -0300 (EST)
Message-Id: <3.0.5.32.19980711225406.007c9e50@neoplanos.com.br>
X-Sender: john@neoplanos.com.br
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 11 Jul 1998 22:54:06 -0300
To: freebsd-security@FreeBSD.ORG
From: Joao Paulo Campello
Subject: qpopper bug
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id TAA08407

Hi all,

I'm very glad of all the help I've received the last day about the qpopper bug... A lot of people sent me private and list emails explaining ever a bit more, and now I feel my system is more secure (not hundred percent, for sure)...

My wish was to reply to each and every email I've got about this problem, but it would be a not cool spam!! :) So I'm replying in the list, just to thank all the help and time you all have spent with me... :))

Thanks again,

João Paulo Caldas Campello
Technical Director - Neo Planos Solution Provider
http://www.neoplanos.com.br/
IRCAdmin NetLink - Recife/PE (ICQ # ASK-ME :))

From owner-freebsd-security Sat Jul 11 19:46:33 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA12139 for freebsd-security-outgoing; Sat, 11 Jul 1998 19:46:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from soccer.ksg.com (ftw-tsa5-18.cyberramp.net [207.158.119.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA12050 for ; Sat, 11 Jul 1998 19:46:08 -0700 (PDT) (envelope-from kgor@soccer.ksg.com)
Received: (from kgor@localhost) by soccer.ksg.com (8.8.8/8.8.8) id TAA10008; Sat, 11 Jul 1998 19:35:38 -0500 (CDT) (envelope-from kgor)
Date: Sat, 11 Jul 1998 19:35:38 -0500 (CDT)
Message-Id: <199807120035.TAA10008@soccer.ksg.com>
From: "Kent S. Gordon"
To: jehamby@manta.jpl.nasa.gov
CC: 026809r@dragon.acadiau.ca, security@FreeBSD.ORG
In-reply-to: (message from Jake Hamby on Fri, 10 Jul 1998 16:53:44 -0700 (PDT))
Subject: Re: RootRunner (admin GUI w/o security holes?)

>>>>> "jehamby" == Jake Hamby writes:

> On Fri, 10 Jul 1998, Michael Richards wrote:
>> Why not just use ssh to forward your root X connections via an
>> encrypted connection? All of your problems go away. You are
>> even secure from network sniffers because the entire data
>> stream is encrypted.

> Well, I definitely want to support ssh to allow secure remote
> administration (where it would replace su or sudo in the scheme
> I described), but I'm really loath to run any part of the GUI as
> uid 0, if it's at all possible to avoid. While it's probably
> not a security hole, per se, my biggest problem is the one I
> already mentioned of how to start the program from the "start
> menu" of your favorite windowmanager, without having to pop up
> an ugly xterm window to ask for the root password.

You could always create a no-password entry in sudo for these cases or a special suid binary that invokes the program. I have used a no-password entry in sudo for this in the past.

> -Jake

--
Kent S. Gordon
KSG -- Unix, Network, Database Consulting
Postal: 76 Corral Drive North, Keller, Texas 76248
e-mail: kgor@ksg.com  Phone: (817)431-8775
Resume: http://www.ksg.com/resume.html

From owner-freebsd-security Sat Jul 11 21:39:21 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA01665 for freebsd-security-outgoing; Sat, 11 Jul 1998 21:39:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA01633 for ; Sat, 11 Jul 1998 21:39:14 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id QAA11697; Sun, 12 Jul 1998 16:35:48 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
X-Authentication-Warning: aniwa.sky: andrew owned process doing -bs
Date: Sun, 12 Jul 1998 16:35:48 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: "Kent S. Gordon"
cc: jehamby@manta.jpl.nasa.gov, 026809r@dragon.acadiau.ca, security@FreeBSD.ORG
Subject: Re: RootRunner (admin GUI w/o security holes?)
In-Reply-To: <199807120035.TAA10008@soccer.ksg.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 11 Jul 1998, Kent S. Gordon wrote: > Date: Sat, 11 Jul 1998 19:35:38 -0500 (CDT) > From: "Kent S. Gordon" > To: jehamby@manta.jpl.nasa.gov > Cc: 026809r@dragon.acadiau.ca, security@FreeBSD.ORG > Subject: Re: RootRunner (admin GUI w/o security holes?) > > >>>>> "jehamby" == Jake Hamby writes: > > > On Fri, 10 Jul 1998, Michael Richards wrote: > >> Why not just use ssh to forward your root x connections via an > >> encrypted connection. All of your problems go away. You are > >> even secure from network sniffers because the entire data > >> stream is encrypted. > > > Well, I definitely want to support ssh to allow secure remote > > administration (where it would replace su or sudo in the scheme > > I described), but I'm really loath to run any part of the GUI as > > uid 0, if it's at all possible to avoid. While it's probably > > not a security hole, per se, my biggest problem is the one I > > already mentioned of how to start the program from the "start > > menu" of your favorite windowmanager, without having to pop up > > an ugly xterm window to ask for the root password. > > You could always create an no password entry in sudo for these cases > or a special suid binary that invokes the program. I have used no > password entry in sudo for this in the past. > > > -Jake That gives finer control over access, but otherwise I don't think it's much different from suid. I suspect the only way to get a uid = 0 backend and a uid != 0 frontend is to run them as separate processes with some sort of communication channel. 
Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Jul 11 21:55:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA04224 for freebsd-security-outgoing; Sat, 11 Jul 1998 21:55:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.exo.net.au (root@sky-valley.exo.net.au [203.14.230.103]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA04212 for ; Sat, 11 Jul 1998 21:55:33 -0700 (PDT) (envelope-from bullseye.apana.org.au!andymac@mail.exo.net.au) Received: by mail.exo.net.au id m0yvEAR-0004twC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 12 Jul 1998 14:55:19 +1000 (EST) Received: from bullseye.apana.org.au (central.apana.org.au [203.9.107.245]) by bullseye.apana.org.au (8.8.8/8.8.8) with SMTP id LAA01165; Sun, 12 Jul 1998 11:13:29 +1000 (EST) (envelope-from andymac@bullseye.apana.org.au) Date: Sun, 12 Jul 1998 11:07:38 +1100 (EDT) From: Andrew MacIntyre To: Jake Hamby cc: security@FreeBSD.ORG Subject: Re: RootRunner (admin GUI w/o security holes?) In-Reply-To: Message-ID: X-X-Sender: andymac@bullseye.apana.org.au MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 10 Jul 1998, Jake Hamby wrote: > I'm currently working on an administration GUI tool for FreeBSD, Linux, > and Solaris. I've bitten off a rather large chunk of features that I'd > like to implement before my deadline of August 15 (which should be enough > of a clue for some of you to figure out why I'm working on this now), but > I hope to implement at least basic user, group, network, and package > management. {.....} > Even better, my program will (optionally) show the user which commands > it's executing, and as much as possible, use the tools in /sbin and > /usr/sbin rather than directly talking to the OS. 
The only other program > I've heard of that works this way is SMIT on AIX, and it sounds very > useful. I can simply echo the output of each command to a subwindow of > the GUI and in the process, teach the actual UNIX commands to new > sysadmins, rather than hiding it from them. Are there any potential > security holes with this approach? I like the idea, and have used SMIT on AIX 3.2.5, and the concept is useful. WRT the security problems, I'm not a security guru, however slightly extending your concept to support access to remote systems (using ssh as suggested by another poster in this thread) could be _very_ useful. Having 2 access mechanisms (local & remote) could be a bit cumbersome though... {.....} > Is there any possibility (especially in BSD and Linux, which require you > to search the /dev/ptyXX space to find an open pty), for race conditions > where an eavesdropper could get the root password through the pty when > someone else is running the admin GUI? Any pointers on how to write this > section of the code (if it would need to be any different from the way > that, for example, xterm grabs a pty) would be helpful. Perhaps you want to look at the source for the telnet daemon, which does basically this IIRC. {.....} -- Andrew I MacIntyre "These thoughts are mine alone..." E-mail: andrew.macintyre@aba.gov.au (work) | Snail: PO Box 370 andymac@bullseye.apana.org.au (play) | Belconnen ACT 2616 Fido: Andrew MacIntyre, 3:620/243.18 | Australia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
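Added example, not code from anyone in this thread: the split Andrew McNaughton suggests (a privileged backend and an unprivileged frontend as separate processes joined by a socketpair), with the backend echoing command output back over the channel the way Jake Hamby's SMIT-style GUI would display it. The allowlist of /bin/uname and /bin/date, the one-request protocol and the function names are assumptions made for this example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Allowlist of absolute paths (constructed for this example). The backend only
   ever exec()s one of these; it never runs a string from the frontend verbatim. */
static const char *const allowed_cmds[] = { "/bin/uname", "/bin/date", NULL };

int is_allowed(const char *cmd) {
    for (int i = 0; allowed_cmds[i]; i++)
        if (strcmp(cmd, allowed_cmds[i]) == 0) return 1;
    return 0;
}

/* Backend (keeps whatever privilege the process started with): read one request,
   refuse anything off the allowlist, otherwise run it with stdout/stderr on the
   channel so the frontend can echo the output to its subwindow. */
static void backend(int fd) {
    char req[256];
    ssize_t n = read(fd, req, sizeof req - 1);
    if (n <= 0) _exit(1);
    req[n] = '\0';
    if (!is_allowed(req)) _exit(1);           /* refused: frontend sees status 1 */
    dup2(fd, STDOUT_FILENO); dup2(fd, STDERR_FILENO);
    execl(req, req, (char *)NULL);
    _exit(127);
}

/* Frontend: fork the backend, drop to the real uid, send the request and collect
   the output. Returns the number of output bytes, or -1 if the backend refused
   the request or the command failed. */
int privsep_run(const char *cmd, char *out, size_t outsz) {
    int sv[2], st = 1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); backend(sv[1]); }
    close(sv[1]);
    /* In a setuid-root launcher this is the point where the GUI side gives root up;
       the already-forked backend keeps it. */
    if (setuid(getuid()) < 0 || write(sv[0], cmd, strlen(cmd)) < 0) return -1;
    shutdown(sv[0], SHUT_WR);
    size_t total = 0;
    for (ssize_t n; total < outsz - 1 && (n = read(sv[0], out + total, outsz - 1 - total)) > 0;)
        total += (size_t)n;
    out[total] = '\0';
    close(sv[0]); waitpid(pid, &st, 0);
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? (int)total : -1;
}
```

Run as a plain user the setuid() call is a no-op and the backend has no more privilege than the frontend, which is enough to see the channel and the allowlist at work.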