From owner-freebsd-security Sun Jul 19 00:30:23 1998
From: Julian Assange
To: Bruce Schneier
Cc: coderpunks@toad.com, aucrypto@suburbia.net, cryptography@c2.net, freebsd-security@FreeBSD.ORG
Subject: cryptographically secure logging
Date: 19 Jul 1998 17:29:57 +1000

"Cryptographic Support for Secure Logs on Untrusted Machines"
B. Schneier and J. Kelsey, The Seventh USENIX Security Symposium
Proceedings, USENIX Press, January 1998, pp. 53-62.

In many real-world applications, sensitive information must be kept in
log files on an untrusted machine. In the event that an attacker
captures this machine, we would like to guarantee that he will gain
little or no information from the log files and limit his ability to
corrupt the log files. This paper describes an efficient method for
making all log entries generated prior to the logging machine's
compromise impossible for the attacker to read, and also impossible to
undetectably modify or destroy.

I haven't read Bruce's paper, but Bruce (and others) might be
interested to know that Darren Reed and I have actually implemented
one of these for unix. It's also a very flexible syslogd replacement in
its own right (thanks to Darren). It's called nsyslog and is
available from http://cheops.anu.edu.au/~avalon/nsyslog.html. It will
be included in the default NetBSD distribution (although it should run
on most unix platforms).
It uses only secure hashes, and essentially does for logs what S/KEY
does for authentication.

Cheers,
Julian.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Jul 19 05:20:20 1998
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: cryptographically secure logging
Date: Sun, 19 Jul 1998 14:15:29 +0200
Message-ID: <19980719141529.A5494@keltia.freenix.fr>
In-Reply-To: ; from Julian Assange on Sun, Jul 19, 1998 at 05:29:57PM +1000

According to Julian Assange:
> interested to know that Darren Reed and I have actually implemented
> one of these for unix. It's also a very flexible syslogd replacement in
> its own right (thanks to Darren). It's called nsyslog and is
> available from http://cheops.anu.edu.au/~avalon/nsyslog.html.
> It will
> be included in the default NetBSD distribution (although it should run
> on most unix platforms).

There is also ssyslog made by Core SDI in Brazil. It uses encryption
and authentication.

-=-=-=-
1.a. Getting the last version

The last version of the secure syslog package will always be available
at http://www.core-sdi.com/ssyslog. You may want to check out for a new
release before installing. The distribution file should look like
'ssyslog-X.XX.tar.gz', where X.XX stands for the version number (i.e.
'ssyslog-0.99.tar.gz'). You will also need the GNU gunzip command in
order to decompress it.
-=-=-=-

-=-=-=-
1. What is Secure Syslog?

Secure Syslog (ssyslog) is a daemon intended to replace the traditional
syslog daemon present on most UNIX-like operating systems. It takes
advantage of advanced cryptographic protocols to make system logs
auditable in a secure way. It also implements a network protocol that
allows centralized auditing of system logs. For the scheme behind
ssyslog to be complete, a trusted remote machine is needed; this
machine will be called the auditing machine.

2. What is wrong with old syslog?

Old syslog stores system logs in local files; if an intruder gains root
privileges on a given machine, she can modify or erase any of the
logs... if she is careful enough she can do this so nobody will ever
notice the logs were modified. From the perspective of security this is
wrong. The auditing of system logs is not possible under these
circumstances. Most versions of syslog can be configured so that system
logs are transmitted and logged on a loghost... but this generates a
lot of traffic in the network. Secure Syslog avoids these problems by
implementing a protocol that allows the future authentication of system
logs and permits the log transfer to be done as requested by the
auditor (on the loghost) and in hours of low network traffic.

3. What makes the SECURE part of Secure Syslog secure?
The cryptographic protocol used for log authentication, called PEO-1,
is designed so that a trusted auditor can check if any of the logs
were adulterated. Using this protocol the append-only property of
system logs is assured. The communications with the auditor are
encrypted using Blowfish (a symmetric cryptography block algorithm),
and the auditor is authenticated using a challenge-response protocol.
Ssyslog uses SHA-1 as the one-way hash function needed for PEO-1.

4. Where can I find more about PEO-1?

At http://www.core-sdi.com/ssyslog there are links to the original
papers describing PEO-1, and other related documents.
-=-=-=-

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #61: Sun Jul 12 14:38:23 CEST 1998

From owner-freebsd-security Sun Jul 19 10:10:00 1998
From: Brett Glass
To: security@FreeBSD.ORG
Subject: Why is there no info on the QPOPPER hack?
Date: Sun, 19 Jul 1998 11:09:40 -0600
Message-Id: <199807191709.LAA28734@lariat.lariat.org>
Our system has been penetrated via a buffer overflow exploit in
Qualcomm's QPOPPER, as obtained from the FreeBSD ports library. But
there's no advisory about this on FreeBSD's site.... In fact, we
learned of the exploit only because the cracker was sloppy.

We need advice on resecuring the system and preventing future
incidents of this kind. CERT has been utterly unresponsive; they seem
to have ignored our two e-mails asking for help. Any help we can get
from members of the FreeBSD community would be MUCH appreciated.

--Brett Glass

From owner-freebsd-security Sun Jul 19 11:38:03 1998
From: Alfred
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Date: Sun, 19 Jul 1998 14:36:43 -0400 (EDT)
In-Reply-To: <199807191709.LAA28734@lariat.lariat.org>

y'know not to flame, but the popper sploit was the topic of 1/3 of the
e-mails on all the lists i'm on, freebsd as well as others.

if you keep your head in a hole you're not going to get any help or
warning.
you didn't expect chuck to knock on your door and tell you, did
you? :)

i suggest you subscribe to some of the lists, at LEAST security.

-Alfred

On Sun, 19 Jul 1998, Brett Glass wrote:

> Our system has been penetrated via a buffer overflow exploit in Qualcomm's
> QPOPPER, as obtained from the FreeBSD ports library. But there's no
> advisory about this on FreeBSD's site.... In fact, we learned of the
> exploit only because the cracker was sloppy.
>
> We need advice on resecuring the system and preventing future incidents of
> this kind. CERT has been utterly unresponsive; they seem to have ignored
> our two e-mails asking for help. Any help we can get from members of the
> FreeBSD community would be MUCH appreciated.
>
> --Brett Glass

From owner-freebsd-security Sun Jul 19 11:47:06 1998
From: John Fieber
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Date: Sun, 19 Jul 1998 13:46:43 -0500 (EST)
In-Reply-To: <199807191709.LAA28734@lariat.lariat.org>

On Sun, 19 Jul 1998, Brett Glass wrote:

> We need advice on resecuring the system and preventing future incidents of
> this kind. CERT has been utterly unresponsive; they seem to have ignored
> our two e-mails asking for help. Any help we can get from members of the
> FreeBSD community would be MUCH appreciated.

A subscription to the bugtraq mailing list is essential for anyone
responsible for system security. See
http://www.geek-girl.com/bugtraq/index.html for archives and
instructions on subscribing. I believe the qpopper problems were
brought up on this mailing list as well. (But since security and
bugtraq mail gets sorted into the same folder, I could be wrong...)

-john

From owner-freebsd-security Sun Jul 19 12:05:07 1998
From: Brett Glass
To: Alfred
Subject: Re: Why is there no info on the QPOPPER hack?
Date: Sun, 19 Jul 1998 13:04:32 -0600
Message-Id: <199807191904.NAA00633@lariat.lariat.org>
Cc: security@FreeBSD.ORG
References: <199807191709.LAA28734@lariat.lariat.org>

I'm on "announce;" didn't get it. (In fact, I haven't gotten ANYTHING
from that list for a long time. Is it dead?) I check the Web site
regularly; no mention of it there. I'm on "chat;" no mention there.

--Brett

At 02:36 PM 7/19/98 -0400, you wrote:
>y'know not to flame, but the popper sploit was the topic of 1/3 of the
>e-mails on all the lists i'm on freebsd as well as others.
>
>if you keep your head in a hole you're not going to get any help or
>warning. you didn't expect chuck to knock on your door and tell you, did
>you? :)
>
>i suggest you subscribe to some of the lists, at LEAST security.
>
>-Alfred
>
>On Sun, 19 Jul 1998, Brett Glass wrote:
>
>> Our system has been penetrated via a buffer overflow exploit in Qualcomm's
>> QPOPPER, as obtained from the FreeBSD ports library. But there's no
>> advisory about this on FreeBSD's site.... In fact, we learned of the
>> exploit only because the cracker was sloppy.
>>
>> We need advice on resecuring the system and preventing future incidents of
>> this kind. CERT has been utterly unresponsive; they seem to have ignored
>> our two e-mails asking for help. Any help we can get from members of the
>> FreeBSD community would be MUCH appreciated.
>>
>> --Brett Glass

From owner-freebsd-security Sun Jul 19 12:54:36 1998
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Brett Glass
Cc: Alfred, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Date: Sun, 19 Jul 1998 15:54:16 -0400 (EDT)
In-Reply-To: <199807191904.NAA00633@lariat.lariat.org>

On Sun, 19 Jul 1998, Brett Glass wrote:

> I'm on "announce;" didn't get it. (In fact, I haven't gotten ANYTHING from
> that list for a long time. Is it dead?)

Announce is low-volume by charter.

Ben

"You have your mind on computers, it seems."
From owner-freebsd-security Sun Jul 19 13:47:48 1998
From: Brett Glass
To: security@FreeBSD.ORG
Subject: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 14:47:25 -0600
Message-Id: <199807192047.OAA02264@lariat.lariat.org>

We're going to be spending about a man-month rebuilding a complex system
that was hacked due to a buffer overflow exploit. Looking back at our
system log files, I can see exactly how the hack was done and how the
perpetrator was able to get root.

What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
Earth would one want to allow code to be executed from the stack? The Intel
segmentation model normally prevents this, and there's additional hardware
in the MMU that's supposed to be able to preclude it. Why does the OS leave
this gigantic hole open? Why not just close it?
--Brett Glass

From owner-freebsd-security Sun Jul 19 14:24:10 1998
From: kopi kau
Reply-To: lpchiew@pc.jaring.my
Organization: Kopi Tiam
To: Nicole
Cc: Hallam Oaks P/L list account, "freebsd-security@FreeBSD.ORG"
Subject: Re: Large-scale scan of SNMP ports
Date: Mon, 20 Jul 1998 00:24:12 +0800
Message-ID: <35B21DAC.7D83@pc.jaring.my>

Nicole wrote:
>
> Or.. If it's just us 2, how about just sending to us :>

make that 3.
--
- Don't fry your eggs before they hatch -

From owner-freebsd-security Sun Jul 19 14:38:26 1998
From: Alfred
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 17:37:07 -0400 (EDT)
In-Reply-To: <199807192047.OAA02264@lariat.lariat.org>

there was a thread about this just a week ago, it was something to do with
signals and threads. and breakage of some ancient programs.

-Alfred

also there was just an announcement about some package to "self-check"
executables for stack corruption.

On Sun, 19 Jul 1998, Brett Glass wrote:

> We're going to be spending about a man-month rebuilding a complex system
> that was hacked due to a buffer overflow exploit. Looking back at our
> system log files, I can see exactly how the hack was done and how the
> perpetrator was able to get root.
>
> What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
> Earth would one want to allow code to be executed from the stack? The Intel
> segmentation model normally prevents this, and there's additional hardware
> in the MMU that's supposed to be able to preclude it.
> Why does the OS leave
> this gigantic hole open? Why not just close it?
>
> --Brett Glass

From owner-freebsd-security Sun Jul 19 14:49:32 1998
From: Niall Smart
Reply-To: rotel@indigo.ie
To: Brett Glass, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 22:43:58 +0000
Message-Id: <199807192143.WAA00967@indigo.ie>
In-Reply-To: <199807192047.OAA02264@lariat.lariat.org>; Brett Glass

On Jul 19, 2:47pm, Brett Glass wrote:
} Subject: The 99,999-bug question: Why can you execute from the stack?
> We're going to be spending about a man-month rebuilding a complex system
> that was hacked due to a buffer overflow exploit. Looking back at our
> system log files, I can see exactly how the hack was done and how the
> perpetrator was able to get root.
>
> What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
> Earth would one want to allow code to be executed from the stack?
> The Intel
> segmentation model normally prevents this, and there's additional hardware
> in the MMU that's supposed to be able to preclude it. Why does the OS leave
> this gigantic hole open? Why not just close it?

Making the stack non executable doesn't stop buffer overflow attacks;
see www.geek-girl.com/bugtraq/ for more information. It's still useful
for stopping script monkeys though, so I ordered a set of intel manuals
with the idea of doing this but I haven't got around to it yet, maybe
soon.

Niall

--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Sun Jul 19 14:56:54 1998
From: David Greenman
Reply-To: dg@root.com
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 14:55:59 -0700
Message-Id: <199807192155.OAA18816@implode.root.com>
In-Reply-To: Your message of "Sun, 19 Jul 1998 14:47:25 MDT." <199807192047.OAA02264@lariat.lariat.org>

>We're going to be spending about a man-month rebuilding a complex system
>that was hacked due to a buffer overflow exploit.
>Looking back at our
>system log files, I can see exactly how the hack was done and how the
>perpetrator was able to get root.
>
>What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
>Earth would one want to allow code to be executed from the stack? The Intel
>segmentation model normally prevents this, and there's additional hardware
>in the MMU that's supposed to be able to preclude it. Why does the OS leave
>this gigantic hole open? Why not just close it?

   Two words: Signal Trampoline. For an explanation, see the mailing list
archives for -hackers, search for 'signal trampoline'.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Sun Jul 19 15:04:05 1998
From: Ollivier Robert
To: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 23:55:32 +0200
Message-ID: <19980719235532.A8630@keltia.freenix.fr>
In-Reply-To: <199807192047.OAA02264@lariat.lariat.org>; from Brett Glass on Sun, Jul 19, 1998 at 02:47:25PM -0600

According to Brett Glass:
> segmentation model normally prevents this, and there's additional hardware
> in the MMU that's supposed to be able to preclude it. Why does the OS leave
> this gigantic hole open? Why not just close it?

As it has been said several times already, gcc itself makes code on the
stack a bit difficult to forbid. It generates code on the stack for
"trampolines".

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #61: Sun Jul 12 14:38:23 CEST 1998

From owner-freebsd-security Sun Jul 19 15:18:21 1998
From: Brett Glass
To: Alfred
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 16:17:45 -0600
Message-Id: <199807192217.QAA03542@lariat.lariat.org>
Cc: security@FreeBSD.ORG
References: <199807192047.OAA02264@lariat.lariat.org>

It could be a kernel option: "Turn off at your own risk."

--Brett

At 05:37 PM 7/19/98 -0400, Alfred wrote:
>there was a thread about this just a week ago, it was something to do with
>signals and threads. and breakage of some ancient programs.
>
>-Alfred
>
>also there was just an announcement about some package to "self-check"
>executables for stack corruption.
>
>On Sun, 19 Jul 1998, Brett Glass wrote:
>
>> We're going to be spending about a man-month rebuilding a complex system
>> that was hacked due to a buffer overflow exploit. Looking back at our
>> system log files, I can see exactly how the hack was done and how the
>> perpetrator was able to get root.
>>
>> What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
>> Earth would one want to allow code to be executed from the stack? The Intel
>> segmentation model normally prevents this, and there's additional hardware
>> in the MMU that's supposed to be able to preclude it. Why does the OS leave
>> this gigantic hole open? Why not just close it?
>>
>> --Brett Glass

From owner-freebsd-security Sun Jul 19 15:18:45 1998
From: Brett Glass
To: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Sun, 19 Jul 1998 16:18:22 -0600
Message-Id: <199807192218.QAA03558@lariat.lariat.org>

At 10:43 PM 7/19/98 +0000, you wrote:
>Making the stack non executable doesn't stop buffer overflow attacks;
>see www.geek-girl.com/bugtraq/ for more information.

It should stop most of them. I could imagine a situation where one
subverted a program by changing its data (for example, one could force
commands into an interpreter by putting them into higher stack frames).
However, the most common method seems to be to plant a bogus return
address that points to machine code that does the cracker's bidding.
--Brett

From owner-freebsd-security Sun Jul 19 15:23:40 1998
From: sthaug@nethelp.no
To: brett@lariat.org
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Mon, 20 Jul 1998 00:23:22 +0200
Message-ID: <26381.900887002@verdi.nethelp.no>
In-Reply-To: Your message of "Sun, 19 Jul 1998 14:47:25 -0600"
References: <199807192047.OAA02264@lariat.lariat.org>

> What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
> Earth would one want to allow code to be executed from the stack? The Intel
> segmentation model normally prevents this, and there's additional hardware
> in the MMU that's supposed to be able to preclude it. Why does the OS leave
> this gigantic hole open? Why not just close it?

As far as I remember part of the signal handling code (the trampoline
code) executes off the stack. I believe it's nontrivial to fix this.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sun Jul 19 15:28:31 1998
From: Brett Glass
Date: Sun, 19 Jul 1998 16:28:00 -0600
To: dg@root.com
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807192155.OAA18816@implode.root.com>
Message-Id: <199807192228.QAA03712@lariat.lariat.org>

Putting the code on the user's stack is an interesting notion, but it does not seem to me that executing code from the stack is the only way to clean up after a signal. The code could be in a runtime library, in a specially-created segment, or on a special read-only page mapped into the user space for that purpose. This would be cleaner. In fact, the page might be shared among processes returning from signals.

I'd much rather see this technique revised than leave a hole open for buffer overflow attacks. We don't want to get a reputation for lax security.
--Brett

At 02:55 PM 7/19/98 -0700, David Greenman wrote:
>>We're going to be spending about a man-month rebuilding a complex system
>>that was hacked due to a buffer overflow exploit. Looking back at our
>>system log files, I can see exactly how the hack was done and how the
>>perpetrator was able to get root.
>>
>>What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
>>Earth would one want to allow code to be executed from the stack? The Intel
>>segmentation model normally prevents this, and there's additional hardware
>>in the MMU that's supposed to be able to preclude it. Why does the OS leave
>>this gigantic hole open? Why not just close it?
>
> Two words: Signal Trampoline. For an explanation, see the mailing list
>archives for -hackers, search for 'signal trampoline'.
>
>-DG
>
>David Greenman
>Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Sun Jul 19 17:01:02 1998
Date: Mon, 20 Jul 1998 10:00:29 +1000 (EST)
From: Nicholas Charles Brawn
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807191709.LAA28734@lariat.lariat.org>

On Sun, 19 Jul 1998, Brett Glass wrote:
> Our system has been penetrated via a buffer overflow exploit in Qualcomm's
> QPOPPER, as obtained from the FreeBSD ports library. But there's no
> advisory about this on FreeBSD's site.... In fact, we learned of the
> exploit only because the cracker was sloppy.
>
> We need advice on resecuring the system and preventing future incidents of
> this kind. CERT has been utterly unresponsive; they seem to have ignored
> our two e-mails asking for help. Any help we can get from members of the
> FreeBSD community would be MUCH appreciated.

CERT typically ignores requests for help unless you are a very large company. Small ISPs and businesses connected to the internet are unlikely to receive personal assistance. However, CERT has put out an advisory on the qpopper vulnerability:

ftp.cert.org:/pub/cert_advisories/CA-98.08.qpopper_vul

From the vendor information page: "Versions of QUALCOMM qpopper prior to 2.5 are vulnerable. QUALCOMM recommends upgrading to the most recent version..."

CERT also has a paper on recovering from incidents which is accessible from their web page and ftp site.

And finally, two other sites you should keep an eye on:

http://www.freebsd.org/security/security.html (FreeBSD Security Guide)
http://www.watson.org/fbsd-hardening/ (FreeBSD Hardening Project)

> --Brett Glass

Good luck,
Nick :)

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..."
-unknown

From owner-freebsd-security Sun Jul 19 17:20:32 1998
From: "Allen Smith"
Date: Sun, 19 Jul 1998 20:18:57 -0400
To: Ollivier Robert
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: Ollivier Robert "Re: The 99,999-bug question: Why can you execute from the stack?" (Jul 19, 11:55pm)
References: <199807192047.OAA02264@lariat.lariat.org> <19980719235532.A8630@keltia.freenix.fr>
Message-Id: <9807192018.ZM18945@beatrice.rutgers.edu>

On Jul 19, 11:55pm, Ollivier Robert (possibly) wrote:
> According to Brett Glass:
> > segmentation model normally prevents this, and there's additional hardware
> > in the MMU that's supposed to be able to preclude it. Why does the OS leave
> > this gigantic hole open? Why not just close it?
>
> As it has been said several times already, gcc itself makes code on the
> stack a bit difficult to forbid. It generates code on the stack for
> "trampolines".
According to the ?guy?, Solar Developer, who wrote the linux patch, in 199704131906.QAA06271@sun1.ideal.ru:

____

About GCC trampolines -- yes, there is a problem, but in reality it turns out to be quite easy to solve; also, nested functions, and especially those whose address gets passed somewhere else, are not common in real world applications -- one of the reasons is that it's a GNU C extension. Since most programs will never use the trampolines, it makes sense to run them with non-executable stack, and enable stack execution permission for those that really need it. This can be done automatically, by modifying the GPF handler to switch back to the huge code segment (which covers the stack) and re-executing the instruction, unless it was a RET. Since most buffer overflows can only be exploited by overwriting the return address, this will still make them unexploitable (RET has to be the instruction to pass the control onto the stack), while C programs will normally only use CALL, and it is extremely unlikely that some code will use RET for that purpose (this can never happen for pure C programs compiled with GCC). Note that such emulation won't make things run any slower since only one GPF per entire process life may get generated (after that the stack remains executable for this entire process).

About me breaking the entire signal handling -- wrong, I handle this case specially from the very beginning, by temporarily switching to the huge code segment for the time of signal handler execution. This leaves potential buffer overflows in signal handlers exploitable, but there seems to be no other simple way for the kernel to put the necessary return code in the user program's address space (remember, signal handlers have to return with a plain RET, but they need to return to the kernel, so some extra code in the user space is required, which would get jumped to by the RET, and jump into the kernel).
____

Admittedly, I don't know enough about x86 programming to know whether or not this will work on FreeBSD; it appears to on Linux.

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

From owner-freebsd-security Sun Jul 19 17:55:20 1998
From: Brett Glass
Date: Sun, 19 Jul 1998 18:54:45 -0600
To: sthaug@nethelp.no
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <26381.900887002@verdi.nethelp.no>
References: <199807192047.OAA02264@lariat.lariat.org>
Message-Id: <199807200054.SAA05978@lariat.lariat.org>

At 12:23 AM 7/20/98 +0200, sthaug@nethelp.no wrote:
>As far as I remember part of the signal handling code (the trampoline
>code) executes off the stack. I believe it's nontrivial to fix this.

I doubt it's hard. "Trampoline" code is just one of the implementation methods used in the very common practice called "thunking."
"Thunking" -- a word which dates back to the creation of the Algol 66 compiler for Sperry Univac batch processing systems -- is the general term for creating a small snippet of code that is later executed by another program, process, or subroutine. The code is sometimes created at runtime, sometimes at compile time. Sometimes it's boilerplate that's patched or "fixed up" at runtime. However, the distinguishing traits are that the snippet of code is small and is used to "glue" two other bodies of code together.

Putting a "thunk" on the stack sometimes seems convenient because it uses "automatic" storage (to use the C term); the memory that holds the code is automatically deallocated when the stack is popped after it's used. It can only be done in a non-Harvard architecture, though, and leaves holes open for several kinds of nasty exploits.

Fortunately, all that's necessary to solve the problems is to put the "thunk" somewhere else! Everything else about the thunk stays the same. It's possible, for example, to reserve a page of memory -- or a small code segment in the Intel protected mode architecture -- for it. You can even reserve a little space in a user process's code segment. If the thunk can be made general enough, it can be shared by processes returning from the same exception, making the non-stack implementation more efficient than the one that used the stack. And none of the user code will be the wiser.

Someone mentioned that GCC also uses "trampoline" thunks. If so, there ought to be a way to get it to use a different method. After all, it needs to be able to generate code for OSes like Solaris, which can disable execution from the stack.
--Brett

From owner-freebsd-security Sun Jul 19 18:03:04 1998
From: Archie Cobbs
Date: Sun, 19 Jul 1998 18:02:04 -0700 (PDT)
To: brett@lariat.org (Brett Glass)
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807192047.OAA02264@lariat.lariat.org> from Brett Glass at "Jul 19, 98 02:47:25 pm"
Message-Id: <199807200102.SAA07953@bubba.whistle.com>

Brett Glass writes:
> What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
> Earth would one want to allow code to be executed from the stack? The Intel

As an almost-example of why executing on the stack is not completely crazy, consider JIT-compiling Java runtimes like kaffe. These dynamically compile Java methods into i386 executable instructions, then execute those methods.
Kaffe actually does this on the heap I think, but it's just as reasonable if it wanted to do it on the stack (eg, perhaps some kind of temporary method, trampoline code to get things going, etc).

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Sun Jul 19 18:18:22 1998
From: "Jordan K. Hubbard"
Date: Sun, 19 Jul 1998 18:17:02 -0700
To: Brett Glass
Cc: dg@root.com, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-reply-to: Your message of "Sun, 19 Jul 1998 16:28:00 MDT." <199807192228.QAA03712@lariat.lariat.org>
Message-ID: <7757.900897422@time.cdrom.com>

> I'd much rather see this technique revised than leave a hole open for
> buffer overflow attacks. We don't want to get a reputation for lax
> security.

If you can make it all work and want to hack up a proof of concept, go for it. Right now, however, I think you're letting annoyance get the better part of intelligence.
More importantly, making suggestions which are almost worded like demands when it is very clear that you do _not_ understand the subject in question is only a good way of antagonizing people. You, of all people, should know that.

- Jordan

From owner-freebsd-security Sun Jul 19 18:41:03 1998
From: Brett Glass
Date: Sun, 19 Jul 1998 19:40:38 -0600
To: "Jordan K. Hubbard"
Cc: dg@root.com, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <7757.900897422@time.cdrom.com>
Message-Id: <199807200140.TAA06705@lariat.lariat.org>

At 06:17 PM 7/19/98 -0700, Jordan K. Hubbard wrote:
>If you can make it all work and want to hack up a proof of concept, go
>for it. Right now, however, I think you're letting annoyance get the
>better part of intelligence.

I make no bones about the fact that I'm annoyed; that buffer overflow exploit will cost me between a week and a month of tedious work. The fact that the problem has been fixed in Linux and Solaris is a good proof of concept. Again, the problem is simply one of where to put a "thunk."
In general, putting it on the CPU stack is a bad idea, and the problem is starting to bite all of us. It'll only get worse, especially so long as we use C; the language is so prone to array overruns and buffer overflow exploits.

>More importantly, making suggestions which are almost worded like
>demands when it is very clear that you do _not_ understand the subject
>in question is only a good way of antagonizing people.

As a seasoned assembly language programmer, I understand the subjects of memory allocation and "thunking" quite well. I don't think anyone should feel antagonized when I emphasize the importance of fixing this problem -- especially after the extensive personal cost it has had, and will have, for me.

--Brett Glass

From owner-freebsd-security Sun Jul 19 18:46:56 1998
Message-Id: <199807200148.TAA07794@harmony.village.org>
To: Archie Cobbs
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: brett@lariat.org (Brett Glass), security@FreeBSD.ORG
In-reply-to: Your message of "Sun, 19 Jul 1998 18:02:04 PDT."
  <199807200102.SAA07953@bubba.whistle.com>
References: <199807200102.SAA07953@bubba.whistle.com>
Date: Sun, 19 Jul 1998 19:48:30 -0600
From: Warner Losh

In message <199807200102.SAA07953@bubba.whistle.com> Archie Cobbs writes:
: As an almost-example of why executing on the stack is not completely
: crazy, consider JIT-compiling Java runtimes like kaffe. These dynamically
: compile Java methods into i386 executable instructions, then execute
: those methods. Kaffe actually does this on the heap I think, but it's just
: as reasonable if it wanted to do it on the stack (eg, perhaps some kind
: of temporary method, trampoline code to get things going, etc).

I think that most, but not all, of the problems can be fixed by making the stack non-executable for set[gu]id binaries. This will fix the attacks where elevated privs are used to get access. However, I'm not completely sure about this because there are many problems with this idea, not the least of which is that it feels like a band-aid to me.

One option would be to have an executable page of memory on a per process basis. This would allow a place to allow signals to happen. Since the kernel, and not the userland, would write the code to here, it wouldn't be too bad. Except for the per process part....

One way to "solve" this problem would be to have all calls push a "guard" page that could be unmapped. This would solve the stack overflow problems, but not all overflows. Again, this is at a huge price which I don't think I'd want to pay.

Another high cost option would be to have a purify/checker-like functionality compiled into everything and cause a segv or some other generally fatal signal. This would solve all the overflows, but again at a huge price.

If there was a silver bullet, I sure would like to know what it is...
Warner

From owner-freebsd-security Sun Jul 19 19:11:14 1998
From: Brett Glass
Date: Sun, 19 Jul 1998 20:10:39 -0600
To: Warner Losh, Archie Cobbs
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807200148.TAA07794@harmony.village.org>
References: <199807200102.SAA07953@bubba.whistle.com>
Message-Id: <199807200210.UAA07188@lariat.lariat.org>

At 07:48 PM 7/19/98 -0600, Warner Losh wrote:
>I think that most, but not all, of the problems can be fixed by making
>the stack non-executable for set[gu]id binaries. This will fix the
>attacks where elevated privs are used to get access. However, I'm not
>completely sure about this because there are many problems with this
>idea, not the least of which is that it feels like a band-aid to me.

I think it's fundamentally good architecture and a good general precaution to keep code off the stack. After all, the original Intel architecture was set up so that you couldn't execute from a stack segment without doing special aliasing; they did this with security and reliability in mind.
Alas, most "flat model" OSes turn off this mechanism.

>One option would be to have an executable page of memory on a per
>process basis. This would allow a place to allow signals to happen.

That's certainly one idea. It wouldn't even have to take up physical memory until it was needed, saving space.

Another way to do it would be to reserve some space at the end of the executable's last existing code page. If the thunk isn't large, the odds are excellent that it'll fit there. In which case, there's no wasted memory and nothing special to allocate. If it doesn't fit, allocate an extra page at load time, or map it but defer allocation until a signal must be handled. The important thing is to keep the code off of the stack and also out of the global data space.

>Since the kernel, and not the userland, would write the code to here,
>it wouldn't be too bad. Except for the per process part....
>
>One way to "solve" this problem would be to have all calls push a
>"guard" page that could be unmapped. This would solve the stack
>overflow problems, but not all overflows. Again, this is at a huge
>price which I don't think I'd want to pay.

We can avoid this; see above.

>Another high cost option would be to have a purify/checker-like
>functionality compiled into everything and cause a segv or some other
>generally fatal signal. This would solve all the overflows, but again
>at a huge price.

I agree that this is excessive.

>If there was a silver bullet, I sure would like to know what it is...

There's no "silver bullet." But putting the thunk on the stack is in some ways trickier than putting it elsewhere, since the stack could underflow when you tried to make room. Having a known location is easier.
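Where the signal-return thunk actually lives is something any modern system will tell you, because a signal handler's own return address is that thunk. As an added example (not code from this thread or from FreeBSD), the C program below installs a SIGUSR1 handler that records `__builtin_return_address(0)`, raises the signal, and then reports whether the recorded address lies within the calling thread's stack. The stack bounds come from `pthread_getattr_np` on Linux and `pthread_attr_get_np` on FreeBSD; on other systems an 8 MiB window below a local variable is assumed instead, which is a stated approximation rather than a kernel query.

```c
/* Added example, not code from the thread: find where the signal-return
 * trampoline lives on the machine this runs on.  The handler records its own
 * return address, which is the place the kernel (or libc's restorer) arranged
 * for the handler's RET to land on; the program then checks whether that
 * address falls inside the current thread's stack.  Stack bounds come from
 * the platform's pthread query where one exists (Linux, FreeBSD); elsewhere
 * a window below a local variable stands in for them (an assumption). */
#define _GNU_SOURCE
#include <pthread.h>
#if defined(__FreeBSD__)
#include <pthread_np.h>
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static void *volatile trampoline_addr;

static void on_sigusr1(int sig)
{
    (void)sig;
    trampoline_addr = __builtin_return_address(0);   /* = sigreturn trampoline */
}

/* Fill [lo, hi) with the calling thread's stack bounds.  Returns 0 on success. */
static int stack_bounds(uintptr_t *lo, uintptr_t *hi, const void *probe)
{
    (void)probe;
#if defined(__linux__) || defined(__FreeBSD__)
    pthread_attr_t attr;
    void *addr;
    size_t sz;
    int rc;
#if defined(__FreeBSD__)
    if (pthread_attr_init(&attr) != 0)
        return -1;
    rc = pthread_attr_get_np(pthread_self(), &attr);
#else
    rc = pthread_getattr_np(pthread_self(), &attr);
#endif
    if (rc != 0)
        return -1;
    rc = pthread_attr_getstack(&attr, &addr, &sz);
    pthread_attr_destroy(&attr);
    if (rc != 0)
        return -1;
    *lo = (uintptr_t)addr;
    *hi = *lo + sz;
    return 0;
#else
    /* Assumption: 8 MiB (the usual default limit) below the probe is stack. */
    *hi = (uintptr_t)probe + 4096;
    *lo = *hi - ((uintptr_t)8 << 20);
    return 0;
#endif
}

/* Deliver SIGUSR1 to ourselves and classify the trampoline's location.
 * Returns 1 if it is on the stack, 0 if it is elsewhere (a shared page, the
 * vDSO or libc's restorer), -1 if the handler did not run or the stack
 * bounds could not be determined. */
int trampoline_on_stack(void)
{
    volatile int probe = 0;             /* used only for its address */
    uintptr_t lo, hi;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sigemptyset(&sa.sa_mask);
    trampoline_addr = NULL;
    if (sigaction(SIGUSR1, &sa, &old) != 0)
        return -1;
    raise(SIGUSR1);
    sigaction(SIGUSR1, &old, NULL);     /* put the previous disposition back */
    if (trampoline_addr == NULL)
        return -1;
    if (stack_bounds(&lo, &hi, (const void *)&probe) != 0)
        return -1;
    uintptr_t a = (uintptr_t)trampoline_addr;
    return (a >= lo && a < hi) ? 1 : 0;
}

int main(void)
{
    int r = trampoline_on_stack();
    printf("trampoline at %p: %s\n", trampoline_addr,
           r == 1 ? "ON THE STACK" : r == 0 ? "not on the stack" : "undetermined");
    return r < 0 ? 1 : 0;
}
```

On current Linux and FreeBSD the answer is "not on the stack": the trampoline sits in the vDSO, in libc's restorer, or in a kernel-provided shared page, which is exactly the "known location" arrangement argued for above, and the stack can therefore be mapped without execute permission.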
--Brett

From owner-freebsd-security Sun Jul 19 19:11:14 1998
From: "Allen Smith"
Date: Sun, 19 Jul 1998 22:09:29 -0400
To: Warner Losh, Archie Cobbs
Cc: brett@lariat.org (Brett Glass), security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: Warner Losh "Re: The 99,999-bug question: Why can you execute from the stack?" (Jul 19, 7:48pm)
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org>
Message-Id: <9807192209.ZM23527@beatrice.rutgers.edu>

On Jul 19, 7:48pm, Warner Losh (possibly) wrote:
> I think that most, but not all, of the problems can be fixed by making
> the stack non-executable for set[gu]id binaries. This will fix the
> attacks where elevated privs are used to get access. However, I'm not
> completely sure about this because there are many problems with this
> idea, not the least of which is that it feels like a band-aid to me.

I'd suggest adding anything executing with an effective uid of root; keep in mind servers.
I've actually worked on this with the libparanoia's libc substitution, at least with the non-assembler ones; I'll try to find the time to test soon whether this actually speeds things up.

BTW, breaking binary compatibility on software that runs as root or that's set[gu]id isn't as much of a problem as it might seem - if a piece of software is going to run at elevated permissions, you ought to have the source code. That's (part of) the lesson of _An Empirical Study of the Reliability of UNIX Utilities_, in which GNUware (and software with free source code in general) was found to be a lot more reliable. (Admittedly, another part is that the GNU project has rules against doing things that let in buffer overflows...) See ftp://grilled.cs.wisc.edu/technical_papers/fuzz.ps.Z and ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.ps.gz for more information.

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

From owner-freebsd-security Sun Jul 19 20:21:26 1998
Message-Id: <199807200320.UAA24309@implode.root.com>
To: Brett Glass
Cc: Warner Losh, Archie Cobbs, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-reply-to: Your message of "Sun, 19 Jul 1998 20:10:39 MDT."
  <199807200210.UAA07188@lariat.lariat.org>
From: David Greenman
Reply-To: dg@root.com
Date: Sun, 19 Jul 1998 20:20:21 -0700

>At 07:48 PM 7/19/98 -0600, Warner Losh wrote:
>
>>I think that most, but not all, of the problems can be fixed by making
>>the stack non-executable for set[gu]id binaries. This will fix the
>>attacks where elevated privs are used to get access. However, I'm not
>>completely sure about this because there are many problems with this
>>idea, not the least of which is that it feels like a band-aid to me.
>
>I think it's fundamentally good architecture and a good general
>precaution to keep code off the stack. After all, the original Intel
>architecture was set up so that you couldn't execute from a stack segment
>without doing special aliasing; they did this with security and reliability
>in mind. Alas, most "flat model" OSes turn off this mechanism.

I think people are fooling themselves if they think that making the stack non-executable is going to prevent any of the stack overflow related attacks from working (with minor mods of course). Most executables have plenty enough code mapped that in most cases it shouldn't be too difficult for the exploiter to frob the stack a bit with some reasonable arguments and then push a non-stack function as the return address (plenty of yummy things to choose from in shared libc, for example - including, but not limited to, execl()). This wouldn't require anything to execute from the stack, so making the stack non-executable wouldn't prevent this from working.
-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Sun Jul 19 20:25:28 1998
From: Warner Losh
Date: Sun, 19 Jul 1998 21:27:11 -0600
To: dg@root.com
Cc: Brett Glass, Archie Cobbs, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-reply-to: Your message of "Sun, 19 Jul 1998 20:20:21 PDT." <199807200320.UAA24309@implode.root.com>
References: <199807200320.UAA24309@implode.root.com>
Message-Id: <199807200327.VAA08432@harmony.village.org>

In message <199807200320.UAA24309@implode.root.com> David Greenman writes:
: shared libc, for example - including, but not limited to, execl()). This
: wouldn't require anything to execute from the stack, so making the stack
: non-executable wouldn't prevent this from working.

Which is one reason why I think that having guard pages between each frame may be the only way to cope with this :-(. Unfortunately, this makes things really expensive and slow and won't prevent all attacks.
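Warner's guard-page idea, raised in his earlier message and again here, is cheapest to apply not between every call frame but around individual buffers, which is how tools such as Electric Fence use it. As an added example, not code from the thread or from FreeBSD, here is a C allocator that maps a buffer flush against a PROT_NONE page: writes inside the buffer succeed, and a one-byte overrun faults on the guard page instead of silently corrupting a neighbour. The SIGSEGV catch via sigsetjmp/siglongjmp exists only so the program can report the fault and continue; both workloads it runs are constructed for the demonstration.

```c
/* Added example, not code from the thread: a buffer backed by mmap with a
 * PROT_NONE guard page immediately after it, the allocator-side version of the
 * "guard page" idea above.  Writes that stay inside the buffer succeed; the
 * first byte written past its end lands on the guard page and faults instead
 * of overwriting whatever lies beyond.  SIGSEGV is caught with
 * sigsetjmp/siglongjmp purely so this program can report the fault and go on. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct guarded {
    unsigned char *base;   /* start of the whole mapping, for munmap */
    size_t len;            /* mapping length including the guard page */
    unsigned char *buf;    /* usable bytes, ending exactly at the guard page */
    size_t size;
};

/* Map `size` usable bytes plus one trailing inaccessible page.  The buffer is
 * placed flush against the guard page so even a one-byte overrun hits it. */
int guarded_alloc(struct guarded *g, size_t size)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t pages = (size + pg - 1) / pg;
    g->len = (pages + 1) * pg;
    g->base = mmap(NULL, g->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g->base == MAP_FAILED)
        return -1;
    if (mprotect(g->base + pages * pg, pg, PROT_NONE) != 0) {
        munmap(g->base, g->len);
        return -1;
    }
    g->buf = g->base + pages * pg - size;
    g->size = size;
    return 0;
}

static sigjmp_buf fault_jmp;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);      /* back into run_guarded, signal mask restored */
}

/* Run `op` on a fresh guarded buffer of `size` bytes.
 * Returns 1 if the operation touched the guard page, 0 if it stayed inside,
 * -1 if the buffer could not be set up. */
int run_guarded(void (*op)(unsigned char *, size_t), size_t size)
{
    struct guarded g;
    if (guarded_alloc(&g, size) != 0)
        return -1;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int faulted = 0;
    if (sigsetjmp(fault_jmp, 1) == 0)
        op(g.buf, size);
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);  /* do not keep hiding real faults */
    munmap(g.base, g.len);
    return faulted;
}

/* Two constructed workloads: one fills exactly `size` bytes, the other makes
 * the classic off-by-one mistake of writing a terminator one byte past the end. */
static void fill_exact(unsigned char *buf, size_t size)
{
    memset(buf, 'A', size);
}

static void fill_one_too_many(unsigned char *buf, size_t size)
{
    memset(buf, 'A', size);
    ((volatile unsigned char *)buf)[size] = 0;   /* first byte of the guard page */
}

int in_bounds_ok(void)   { return run_guarded(fill_exact, 100); }
int overrun_caught(void) { return run_guarded(fill_one_too_many, 100); }

int main(void)
{
    printf("exact fill faulted:  %d\n", in_bounds_ok());
    printf("off-by-one faulted:  %d\n", overrun_caught());
    return 0;
}
```

The cost Warner points to is visible here: every guarded buffer consumes at least two pages and a system call, which is why this is a debugging and testing technique rather than something to compile into every frame of every program. It also only catches overruns that cross the guard page; an overrun that stays within the buffer's own page but clobbers a neighbouring field is not detected.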
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sun Jul 19 21:01:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA13801 for freebsd-security-outgoing; Sun, 19 Jul 1998 21:01:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA13787 for ; Sun, 19 Jul 1998 21:01:16 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id WAA08903; Sun, 19 Jul 1998 22:00:54 -0600 (MDT) Message-Id: <199807200400.WAA08903@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Sun, 19 Jul 1998 22:00:53 -0600 To: dg@root.com From: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: Warner Losh , Archie Cobbs , security@FreeBSD.ORG In-Reply-To: <199807200320.UAA24309@implode.root.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:20 PM 7/19/98 -0700, David Greenman wrote: > I think people are fooling themselves if they think that making the stack >non-executable is going to prevent any of the stack overflow related attacks >from working (with minor mods of course). Most executables have plenty enough >code mapped that in most cases it shouldn't be too difficult for the exploiter >to frob the stack a bit with some reasonable arguments and then push a non- >stack function as the return address (plenty of yummy things to choose from in >shared libc, for example - including, but not limited to, execl()). This >wouldn't require anything to execute from the stack, so making the stack >non-executable wouldn't prevent this from working. 
Unfortunately, without the use of call gates, there are still some exploits that can be done. But far fewer.... You need to know exactly where things are mapped in order to push the addresses of library routines as return addresses. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sun Jul 19 21:11:54 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA16008 for freebsd-security-outgoing; Sun, 19 Jul 1998 21:11:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id VAA16003 for ; Sun, 19 Jul 1998 21:11:52 -0700 (PDT) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yy7IW-0003lQ-00; Sun, 19 Jul 1998 22:11:36 -0600 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id WAA08927; Sun, 19 Jul 1998 22:13:40 -0600 (MDT) Message-Id: <199807200413.WAA08927@harmony.village.org> To: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: dg@root.com, Archie Cobbs , security@FreeBSD.ORG In-reply-to: Your message of "Sun, 19 Jul 1998 22:00:53 MDT." <199807200400.WAA08903@lariat.lariat.org> References: <199807200400.WAA08903@lariat.lariat.org> Date: Sun, 19 Jul 1998 22:13:40 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199807200400.WAA08903@lariat.lariat.org> Brett Glass writes: : Unfortunately, without the use of call gates, there are still some : exploits that can be done. But far fewer.... You need to know : exactly where things are mapped in order to push the addresses of : library routines as return addresses. For any given release, this is easy. 
Not as easy as knowing the high bits of the stack address, but still fairly easily. nm is your friend. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sun Jul 19 21:31:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA19302 for freebsd-security-outgoing; Sun, 19 Jul 1998 21:31:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from destiny.erols.com (root@destiny.erols.com [207.96.73.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA19297 for ; Sun, 19 Jul 1998 21:31:39 -0700 (PDT) (envelope-from jdowdal@destiny.erols.com) Received: from destiny.erols.com (someone@destiny.erols.com [207.96.73.65]) by destiny.erols.com (8.8.8/8.6.12) with SMTP id AAA27609; Mon, 20 Jul 1998 00:30:57 -0400 (EDT) Date: Mon, 20 Jul 1998 00:30:56 -0400 (EDT) From: John Dowdal To: Brett Glass cc: "Jordan K. Hubbard" , dg@root.com, security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-Reply-To: <199807200140.TAA06705@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 19 Jul 1998, Brett Glass wrote: > At 06:17 PM 7/19/98 -0700, Jordan K. Hubbard wrote: > As a seasoned assembly language programmer, I understand the subjects > of memory allocation and "thunking" quite well. I don't think anyone > should feel antagonized when I emphasize the importance of fixing this > problem -- especially after the extensive personal cost it has had, and > will have, for me. As a seasoned assembly language programmer, you should understand the subject of "backup" quite well. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sun Jul 19 21:46:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA21300 for freebsd-security-outgoing; Sun, 19 Jul 1998 21:46:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21295 for ; Sun, 19 Jul 1998 21:46:57 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id VAA08501; Sun, 19 Jul 1998 21:45:28 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: Brett Glass cc: dg@root.com, Warner Losh , Archie Cobbs , security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-reply-to: Your message of "Sun, 19 Jul 1998 22:00:53 MDT." <199807200400.WAA08903@lariat.lariat.org> Date: Sun, 19 Jul 1998 21:45:28 -0700 Message-ID: <8496.900909928@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Unfortunately, without the use of call gates, there are still some exploits > that can be done. But far fewer.... You need to know exactly where things are > mapped in order to push the addresses of library routines as return addresses And, considering the kinds of exploits I've been seeing released lately, is still well within the reach of your average exploit-writer. It only has to be puzzled out once (not difficult with easy access to both sources and release binaries) and then the skript-kiddies can take it and wreak their havoc without having to necessarily understand anything about the exploit. I doubt they understood the one used to hack you, for that matter. I agree with David - this is just locking the barn door while leaving all the windows open. 
Good for a false sense of security, nothing more, and only fundamentally missing the point that the only *effective* and worthwhile solution is to extensively audit the code. How many here just ran popper as root without even thinking about it, please raise your hands? I raise my own hand here, since I didn't look at the code for popper either, and I was just fortunate that I heard about the bug from folks on IRC and an early Bugtraq report and was able to close it before anything bad happened (to me). Once this security scare happened, however, and I actually DID look at the code for popper, my feelings were not of indignation and anger, my thoughts ran more along the lines of: "My god, this code is completely full of mice - it looks like it PREDATES any conventional notion of security! Ye gods, we've been running this code as *root*? This code, which I'm now seeing here?? Well fuck us all with the telephone poles we so richly deserve for being so damn complacent!" :-) Seriously, that code had so many potential exploits and stack overflows that I seriously doubt all the stack protection in the world would have saved you. It didn't need a band-aid, it needed a thorough audit which now, after all the horses have escaped the barn, seems to finally be happening. We adopted it, we recommended it and then we failed to give it even the most cursory audit. I know there are over 1500 ports now, but for those items which really do constitute "significant risk", I think that we could all afford to take a page from Theo's book and start going through stuff more methodically. The simple, painful fact is that people are running way too much random, unaudited stuff with root privilege on an Internet which has also become far more hostile than anything they may formerly have been accustomed to. 
The rules of that game have changed, period, and if you admin a Unix machine in the same manner that you used to back in the 80's then you Will Lose and make no mistake about it, the only question remaining being when and where. Those who can't audit should also, at the very minimum, subscribe to Bugtraq and watch the usual geek-girl related announcements. If you're going on vacation, make sure that your machine is in the hands of someone who'll be doing this in your stead! Murphy's law practically demands that any significant security attack will happen on a Friday evening before the start of a 3-day holiday weekend, or something, so plan accordingly and you won't be in here going "ahhh! ahhh! doctor, it hurt when they did *this*!" the week afterwards. :-) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sun Jul 19 21:48:17 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA21515 for freebsd-security-outgoing; Sun, 19 Jul 1998 21:48:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21509 for ; Sun, 19 Jul 1998 21:48:15 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id WAA09638; Sun, 19 Jul 1998 22:47:46 -0600 (MDT) Message-Id: <199807200447.WAA09638@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Sun, 19 Jul 1998 22:47:38 -0600 To: John Dowdal From: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: "Jordan K. 
Hubbard" , dg@root.com, security@FreeBSD.ORG In-Reply-To: References: <199807200140.TAA06705@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:30 AM 7/20/98 -0400, John Dowdal wrote: >As a seasoned assembly language programmer, you should understand the >subject of "backup" quite well. And so I do. But when you're caught between backups, and don't discover the break-in right away, it's not that straightforward to restore the system. And restoring it also re-opens security holes. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 00:41:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA07592 for freebsd-security-outgoing; Mon, 20 Jul 1998 00:41:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tversu.ru (root@mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA07585 for ; Mon, 20 Jul 1998 00:41:52 -0700 (PDT) (envelope-from vadim@gala.tversu.ru) Received: from gala.tversu.ru (vadim@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id LAA21658 for ; Mon, 20 Jul 1998 11:40:46 +0400 (MSD) Received: (from vadim@localhost) by gala.tversu.ru (8.8.8/8.8.8) id LAA28812; Mon, 20 Jul 1998 11:40:41 +0400 (MSD) Message-ID: <19980720114040.A28663@tversu.ru> Date: Mon, 20 Jul 1998 11:40:40 +0400 From: Vadim Kolontsov To: freebsd-security@FreeBSD.ORG Subject: Re: cryptographically secure logging References: <19980719141529.A5494@keltia.freenix.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.90.11i In-Reply-To: <19980719141529.A5494@keltia.freenix.fr>; from Ollivier Robert on Sun, Jul 19, 1998 at 02:15:29PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, On Sun, Jul 19, 
1998 at 02:15:29PM +0200, Ollivier Robert wrote: > There is also ssyslog made by Core SDI in Brazil. It uses encryption and > authentication. Using "insecure" syslog I can forward all logs to a "logserver" to analyze it in real time (for example, using an excellent tool called 'logsurfer'). SDI's audlog allows one to *download* logs from any machine (which runs ssyslog), using a secure protocol, checking whether logs are unchanged. But it doesn't provide a solution for real-time analysis on a "central machine"; the only thing which is possible is to add a "download logs from all machines every 5 minutes and pipe it to logsurfer"-like entry to crontab, or use insecure, spoofable, sniffable UDP logging. Didn't check nsyslogd yet -- going to do it right now. By the way, if any of us are using logsurfer, probably we can try to create a database of logsurfer rules for standard programs (sendmail, syslogd, kernel messages, and so on). Regards, V. -- Vadim Kolontsov Tver Internet Center NOC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 04:33:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA24381 for freebsd-security-outgoing; Mon, 20 Jul 1998 04:33:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA24353 for ; Mon, 20 Jul 1998 04:33:11 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su) Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id PAA25475; Mon, 20 Jul 1998 15:29:33 +0400 (MSD) Message-ID: <19980720152932.42290@nevalink.ru> Date: Mon, 20 Jul 1998 15:29:32 +0400 From: Alexandre Snarskii To: Warner Losh , Archie Cobbs Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? 
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89i In-Reply-To: <199807200148.TAA07794@harmony.village.org>; from Warner Losh on Sun, Jul 19, 1998 at 07:48:30PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Jul 19, 1998 at 07:48:30PM -0600, Warner Losh wrote: > > One way to "solve" this problem would be to have all calls push a > "guard" page that could be unmapped. This would solve the stack > overflow problems, but not all overflows. Again, this is at a huge > price which I don't think I'd want to pay. > > Another high cost option would be to have a purify/checker-like > functionality compiled into everything and cause a segv or some other > generally fatal signal. This would solve all the overflows, but again > at a huge price. At a huge computing price, measured in seconds spent by the processor to perform the needed computing. As for me, the cost of upgrading to computers which will perform this computing is much less than the cost of every outage caused by a remote exploit. Just my 2 cents. 
-- Alexandre Snarskii the source code is included To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 06:43:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA07153 for freebsd-security-outgoing; Mon, 20 Jul 1998 06:43:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA07147 for ; Mon, 20 Jul 1998 06:43:20 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su) Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id RAA27049; Mon, 20 Jul 1998 17:38:00 +0400 (MSD) Message-ID: <19980720173800.17978@nevalink.ru> Date: Mon, 20 Jul 1998 17:38:00 +0400 From: Alexandre Snarskii To: Allen Smith , Warner Losh Cc: security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <9807192209.ZM23527@beatrice.rutgers.edu> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary=pXqbjpZ4EhLzMW5y X-Mailer: Mutt 0.89i In-Reply-To: <9807192209.ZM23527@beatrice.rutgers.edu>; from Allen Smith on Sun, Jul 19, 1998 at 10:09:29PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --pXqbjpZ4EhLzMW5y Content-Type: text/plain; charset=us-ascii On Sun, Jul 19, 1998 at 10:09:29PM -0400, Allen Smith wrote: > On Jul 19, 7:48pm, Warner Losh (possibly) wrote: > > > I think that most, but not all, of the problems can be fixed by making > > the stack non-executables for set[gu]id binaries. this will fix the > > attacks where elevated privs are used to get access. however, i'm not > > completely sure about this because there are many problems with this > > idea. not the least of which is that it feels like a bandaide to me. 
> > I'd suggest adding anything executing with an effective uid of root; > keep in mind servers. I've actually worked on this with the > libparanoia's libc substitution, at least with the non-assembler ones; > I'll try to find the time to test soon whether this actually speeds > things up. Better approach is (every suid/sgid program) or ( euid == 0 ). Patch to libparanoia/stentry.c attached. ( You have no need to patch any other file - all checks are in stentry.c, others is just standard files from /usr/src/lib/libc, just calls to stentry.c functions added ). Patched libparanoia available at ftp://ftp.lexa.ru/pub/domestic/snar/libparanoia.1.1.tgz -- Alexandre Snarskii the source code is included --pXqbjpZ4EhLzMW5y Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=libparanoia10 Index: libparanoia/stentry.c diff -c libparanoia/stentry.c:1.3 libparanoia/stentry.c:1.5 *** libparanoia/stentry.c:1.3 Tue Jul 14 21:04:50 1998 --- libparanoia/stentry.c Mon Jul 20 17:19:19 1998 *************** *** 23,34 **** --- 23,41 ---- closelog();\ kill(SIGSEGV,getpid());\ exit(1) ;\ + + static int docheck=-1; /* -1 - still unknown, 0 - do not check, 1 - do check */ void enter_violation() { int i; unsigned bp=getbp(); + if(!docheck) return ; + if(docheck==-1) { + if(issetugid()||(!geteuid())) docheck=1; + else docheck=0; + }; invflag++; if(invflag>1) return; bzero(save,sizeof(save)); *************** *** 59,64 **** --- 66,73 ---- { int i; unsigned bp=getbp(); + if(!docheck) return ; /* at exit_violation docheck is _always_ + initialised, so we can skip checking of -1 */ if(invflag>1) { invflag--; return; --pXqbjpZ4EhLzMW5y-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 08:47:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA21655 for freebsd-security-outgoing; Mon, 20 Jul 1998 08:47:16 -0700 (PDT) 
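Review bot: the `docheck` decision added to enter_violation is computed once, on the first instrumented call, from `issetugid()||(!geteuid())` and is never revisited, so it only reflects the credentials at that moment: a process that starts with an effective uid of 0 and later drops privileges keeps being checked (harmless), but a change in the other direction after the first call is never noticed, so if that case matters the test should be re-evaluated after credential-changing calls rather than cached forever. The `};` that closes the `if(docheck==-1)` block carries a stray semicolon (an empty statement, harmless but worth dropping). The new `if(!docheck) return ;` sits before `invflag++`, so the matching early return in exit_violation must skip `invflag--` in exactly the same cases or the counter drifts; it also sits after `unsigned bp=getbp();` in both hooks, so the "do not check" path still pays for that call, and moving the test above it makes the unchecked case a single load. Unrelated to this change but visible in the context lines: `kill(SIGSEGV,getpid());` has its arguments reversed, since kill(2) takes (pid, sig); as written it asks to send signal number getpid() to process 11, which fails, and the process is then torn down by the following `exit(1)` instead of the intended SIGSEGV.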
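Review bot: the `if(!docheck) return ;` added to exit_violation is only correct because enter_violation for the same function always runs first, which is what the comment relies on (a `docheck` of -1 is nonzero and would fall through to the full check, i.e. the pre-patch behaviour); keep the two early returns in lockstep with the invflag bookkeeping, as this one returns before the `invflag>1` test and `invflag--` just as the entry one returns before `invflag++`, so a function whose entry hook was compiled out but whose exit hook was not would leave the counter inconsistent. Stating that pairing requirement in the comment, rather than only that `docheck` "is always initialised", would make the invariant explicit for whoever next edits these hooks.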
(envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA21648 for ; Mon, 20 Jul 1998 08:47:14 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.iserver.com; Mon, 20 Jul 1998 09:46:46 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma003755; Mon, 20 Jul 98 09:46:42 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.5) id JAA06129; Mon, 20 Jul 1998 09:35:34 -0600 (MDT) Date: Mon, 20 Jul 1998 09:35:34 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Brett Glass cc: "Jordan K. Hubbard" , dg@root.com, security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-Reply-To: <199807200140.TAA06705@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 19 Jul 1998, Brett Glass wrote: > It'll only get worse, especially so long as we use C; the language is > so prone to array overruns and buffer overflow exploits. The language only does what it is told, how can it be held responsible? C is not prone to exploitation, C programmers are. And they're still making the same tired mistakes over and over. > I don't think anyone should feel antagonized when I emphasize the > importance of fixing this problem -- especially after the extensive > personal cost it has had, and will have, for me. Brett, this type of exploit has been around for many years (one element of the original Internet worm was based on a buffer overflow in fingerd). And each time someone gets hacked they have the same grandiose visions for building elaborate kludges to make sure they're never hacked again. But, alas, these visions are only Band-Aid solutions. The real problem is flawed application code. 
Instead of dreaming up fancy kernel kludges, let's direct our efforts toward auditing code, thus attacking the problem at the root. I don't want to seem callous to your plight because I know how you must feel, but does not the old adage "once bitten, twice shy" apply to your situation? You were hacked. Now you know better. Can we assume that this will not happen again? BTW, you aren't running imapd are you? A new hole, just as evil as the popper hole, was recently revealed in that. See the Bugtraq archives at http://www.netspace.org. Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 09:16:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA25226 for freebsd-security-outgoing; Mon, 20 Jul 1998 09:16:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA25219 for ; Mon, 20 Jul 1998 09:16:13 -0700 (PDT) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id KAA05548; Mon, 20 Jul 1998 10:13:14 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id KAA07117; Mon, 20 Jul 1998 10:13:11 -0600 Date: Mon, 20 Jul 1998 10:13:11 -0600 Message-Id: <199807201613.KAA07117@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Warner Losh Cc: Archie Cobbs , brett@lariat.org (Brett Glass), security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? 
In-Reply-To: <199807200148.TAA07794@harmony.village.org> References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [ Making the stack non-executable ] > : As an almost-example of why executing on the stack is not completely > : crazy, consider JIT-compiling Java runtimes like kaffe. These dynamically > : compile Java methods into i386 executable instructions, then execute > : those methods. Kaffe actually does this on the heap I think, but it just > : as reasonable if it wanted to do it on the stack (eg, perhaps some kind > : of temporary method, trampoline code to get things going, etc). > > I think that most, but not all, of the problems can be fixed by making > the stack non-executables for set[gu]id binaries. This wouldn't have done a thing for Brett, since it appears he was attacked via the bug in popper, which is not setuid but runs out of inetd. Programs that run out of inetd have been the majority of the 'external' breakin programs used if you throw out sendmail. :) Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 09:31:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA27669 for freebsd-security-outgoing; Mon, 20 Jul 1998 09:31:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from pfunk.crown.net (gbieker@pfunk.crown.net [208.137.2.68]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA27664 for ; Mon, 20 Jul 1998 09:31:38 -0700 (PDT) (envelope-from gbieker@pfunk.crown.net) Received: from localhost (gbieker@localhost) by pfunk.crown.net (8.8.8/8.8.5) with SMTP id LAA23337 for ; Mon, 20 Jul 1998 11:28:33 -0500 Date: Mon, 20 Jul 1998 11:28:33 -0500 (CDT) From: "Gentry A. 
Bieker" To: security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-Reply-To: Message-ID: X-NOSPAM: All Unsolicited Commercial E-Mail sent to this address may be subjected to a reading and archival fee not less than US Dollars. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Sun, 19 Jul 1998, Brett Glass wrote: > > > Our system has been penetrated via a buffer overflow exploit in Qualcomm's > > QPOPPER, as obtained from the FreeBSD ports library. But there's no > > advisory about this on FreeBSD's site.... In fact, we learned of the > > exploit only because the cracker was sloppy. > > > > We need advice on resecuring the system and preventing future incidents of > > this kind. CERT has been utterly unresponsive; they seem to have ignored > > our two e-mails asking for help. Any help we can get from members of the > > FreeBSD community would be MUCH appreciated. > > > > --Brett Glass > > Exactly what are you thinking here? In almost EVERY email that I received from the security mailing lists at freebsd, and in almost every isp-* mailing list I subscribe to, it was at least every other message "QPOPPER this, QPOPPER that". You can't expect your system to be automatically secure. It just won't happen. The CERT isn't there to maintain your systems, YOU are... You don't expect all of your software to automatically upgrade for you, do you? Then why expect a secure system with little or no effort? ------------------------------------------------------------------------ -[ Gentry A. Bieker ]---------[ 6300 Melton Rd. ]-------- -[ Systems Administrator ]---------[ Portage, Indiana 46368 ]-------- -[ Crown.Net, Inc. 
]---------[ Phone: (219)762-1431 ]-------- -[ gbieker@crown.net ]---------[ Fax: (219)762-0917 ]-------- ------------------------------------------------------------------------ ----[ All Unsolicited Commercial E-Mail Sent to this address may be ]--- -----[ subjected to a reading and archival fee not less than $500 ]----- ------------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 10:18:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA04237 for freebsd-security-outgoing; Mon, 20 Jul 1998 10:18:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA04222 for ; Mon, 20 Jul 1998 10:18:07 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id LAA19993; Mon, 20 Jul 1998 11:14:36 -0600 (MDT) Message-Id: <199807201714.LAA19993@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Mon, 20 Jul 1998 11:14:33 -0600 To: Alexandre Snarskii , Warner Losh , Archie Cobbs From: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: security@FreeBSD.ORG In-Reply-To: <19980720152932.42290@nevalink.ru> References: <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special hardware designed to guard against these exploits. The mechanisms they designed are called "segments" and "call gates" (among other things). 
And what do we do? We turn it off. In fact, Intel sees so few people using these vital features that it doesn't bother to speed them up in new CPU models, as they do other parts of the chip. In short, the hackers who want slightly more convenient "flat" address spaces have contributed in devastating ways to the problems we have now. --Brett Glass At 03:29 PM 7/20/98 +0400, Alexandre Snarskii wrote: >On Sun, Jul 19, 1998 at 07:48:30PM -0600, Warner Losh wrote: >> >> One way to "solve" this problem would be to have all calls push a >> "guard" page that could be unmapped. This would solve the stack >> overflow problems, but not all overflows. Again, this is at a huge >> price which I don't think I'd want to pay. >> >> Another high cost option would be to have a purify/checker-like >> functionality compiled into everything and cause a segv or some other >> generally fatal signal. This would solve all the overflows, but again >> at a huge price. > >At huge computing price. Measured in seconds, spent by processor >to perform needed computing. As for me, the cost of upgrade to >computers, which will perform these computing is much less >than the cost of every outage caused by remote exploit. >Just my 2 cents. 
>-- >Alexandre Snarskii >the source code is included > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 10:19:54 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA04499 for freebsd-security-outgoing; Mon, 20 Jul 1998 10:19:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA04491 for ; Mon, 20 Jul 1998 10:19:53 -0700 (PDT) (envelope-from patl@phoenix.volant.org) From: patl@phoenix.volant.org Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 0yyJb7-0003Ni-00; Mon, 20 Jul 1998 10:19:37 -0700 Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id KAA09561; Mon, 20 Jul 1998 10:19:34 -0700 Date: Mon, 20 Jul 1998 10:19:34 -0700 (PDT) Reply-To: patl@phoenix.volant.org Subject: Re: The 99,999-bug question: ... To: Paul Hart cc: security@FreeBSD.ORG In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Sun, 19 Jul 1998, Brett Glass wrote: > > > It'll only get worse, especially so long as we use C; the language is > > so prone to array overruns and buffer overflow exploits. > > The language only does what it is told, how can it be held responsible? C > is not prone to exploitation, C programmers are. And they're still making > the same tired mistakes over and over. Nonsense. C makes it -very- easy to shoot yourself in the foot. You have to go out of your way to avoid it. It requires constant vigilance. C programmers are still making the same tired mistakes because C encourages those mistakes. 
And, unfortunately, aspects of the C language design make it difficult, if not impossible, to add any sort of compiler-generated checking. (Array-pointer equivalence is one of the more brain-damaged misfeatures.) More reasonable languages make you go out of your way to shoot off your toes.

> > I don't think anyone should feel antagonized when I emphasize the importance of fixing this problem -- especially after the extensive personal cost it has had, and will have, for me.
>
> Brett, this type of exploit has been around for many years (one element of the original Internet worm was based on a buffer overflow in fingerd). And each time someone gets hacked they have the same grandiose visions for building elaborate kludges to make sure they're never hacked again. But, alas, these visions are only Band-Aid solutions. The real problem is flawed application code. Instead of dreaming up fancy kernel kludges, let's direct our efforts toward auditing code, thus attacking the problem at the root.

Auditing code is only part of the correct approach. Another major goal is to restrict the scope of potential damage if a program is compromised. One way to do this is to avoid root permission; or to irrevocably surrender it at the earliest possible moment. (One of the reasons I chose the Cyrus IMAP server over imap-uw is that Cyrus delivery runs entirely as a non-privileged pseudo-user; and the server gives up root permission as soon as it has bound to the privileged port.)

And, yes, another approach is to use languages with built-in bounds checking, etc. The use of such languages doesn't eliminate security hazards; but it does help. And it allows the programmer to focus on the higher-level design issues.

> I don't want to seem callous to your plight because I know how you must feel, but does not the old adage "once bitten, twice shy" apply to your situation? You were hacked. Now you know better. Can we assume that this will not happen again?
The only way to be completely secure is to keep your machine in a secure room; with NO external access or network connectivity. But that's not really compatible with running a mail server... :-)

Cracks happen. Have a good backup and recovery plan. Have a good detection plan.

> BTW, you aren't running imapd are you? A new hole, just as evil as the popper hole, was recently revealed in that. See the Bugtraq archives at http://www.netspace.org.

Only in the imap-uw code. It doesn't affect Cyrus.

-Pat

From owner-freebsd-security Mon Jul 20 10:28:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA06082 for freebsd-security-outgoing; Mon, 20 Jul 1998 10:28:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA06068 for ; Mon, 20 Jul 1998 10:28:02 -0700 (PDT) (envelope-from karl@Mars.mcs.net)
Received: from Mars.mcs.net (karl@Mars.mcs.net [192.160.127.85]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id MAA17706; Mon, 20 Jul 1998 12:26:53 -0500 (CDT)
Received: (from karl@localhost) by Mars.mcs.net (8.8.7/8.8.2) id MAA01421; Mon, 20 Jul 1998 12:26:52 -0500 (CDT)
Message-ID: <19980720122652.35370@mcs.net>
Date: Mon, 20 Jul 1998 12:26:52 -0500
From: Karl Denninger
To: Brett Glass
Cc: Alexandre Snarskii , Warner Losh , Archie Cobbs , security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
References: <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <19980720152932.42290@nevalink.ru> <199807201714.LAA19993@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.84
In-Reply-To: <199807201714.LAA19993@lariat.lariat.org>; from Brett Glass on Mon, Jul 20, 1998 at 11:14:33AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett is right.

First and foremost, using segmentation isn't a "bad thing". It forces programmers to do the RIGHT thing, or their code blows up.

I used to have to deal with this on Microport and other x86 processors. They had a "large model" which created multiple 64k (max) segments. If you played games with pointers (i.e., trying to stuff a pointer into an int) you got fscked by this, and generated many core dumps :-) If you wrote syntactically CORRECT code, it worked.

We seem to have forgotten that the means to enforce this kind of protection DOES exist in our current processors - but we don't want to use it, because it means we have to write correct code!

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
                             | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost

On Mon, Jul 20, 1998 at 11:14:33AM -0600, Brett Glass wrote:
> Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special hardware designed to guard against these exploits. The mechanisms they designed are called "segments" and "call gates" (among other things). And what do we do? We turn it off. In fact, Intel sees so few people using these vital features that it doesn't bother to speed them up in new CPU models, as they do other parts of the chip.
>
> In short, the hackers who want slightly more convenient "flat" address spaces have contributed in devastating ways to the problems we have now.
>
> --Brett Glass
>
> At 03:29 PM 7/20/98 +0400, Alexandre Snarskii wrote:
>
> >On Sun, Jul 19, 1998 at 07:48:30PM -0600, Warner Losh wrote:
> >>
> >> One way to "solve" this problem would be to have all calls push a "guard" page that could be unmapped. This would solve the stack overflow problems, but not all overflows. Again, this is at a huge price which I don't think I'd want to pay.
> >>
> >> Another high cost option would be to have a purify/checker-like functionality compiled into everything and cause a segv or some other generally fatal signal. This would solve all the overflows, but again at a huge price.
> >
> >At a huge computing price, measured in seconds spent by the processor to perform the needed computing. As for me, the cost of upgrading to computers which will perform this computing is much less than the cost of every outage caused by a remote exploit. Just my 2 cents.
> >--
> >Alexandre Snarskii
> >the source code is included
> >
>

From owner-freebsd-security Mon Jul 20 10:33:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA07240 for freebsd-security-outgoing; Mon, 20 Jul 1998 10:33:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA07204 for ; Mon, 20 Jul 1998 10:33:19 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id LAA20377; Mon, 20 Jul 1998 11:32:55 -0600 (MDT)
Message-Id: <199807201732.LAA20377@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 11:32:51 -0600
To: Paul Hart
From: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: "Jordan K. Hubbard" , dg@root.com, security@FreeBSD.ORG
In-Reply-To:
References: <199807200140.TAA06705@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:35 AM 7/20/98 -0600, Paul Hart wrote:
>Brett, this type of exploit has been around for many years (one element of the original Internet worm was based on a buffer overflow in fingerd). And each time someone gets hacked they have the same grandiose visions for building elaborate kludges to make sure they're never hacked again. But, alas, these visions are only Band-Aid solutions. The real problem is flawed application code.
I would argue that the real problem is unsafe tools. C and its libraries have, from the start, been rusty, and unsafe, with no safeguards against cutting one's head off. Heck, the C language was more than 20 years old before compiler writers even thought to warn programmers that they might have typed "=" instead of "=="! And that's one of the few warnings against serious lexical/semantic problems that has EVER been put in.

Believe me, I would not use UNIX were the currently available alternatives not so much worse. What I've always wanted (and I find it hard to believe that no one has done it) is to opt for an OS written in a language designed to prevent, rather than encourage, the creation of the sorts of bugs we're seeing here. But, of course, people don't take the long view; they ignore security and reliability at the design level. It makes me want to quit the business.

>Instead of dreaming up fancy kernel kludges, let's direct our efforts toward auditing code, thus attacking the problem at the root.

Quality can't (and shouldn't) be tested or audited in. It should be DESIGNED in. The development tools we use to develop the system in the first place should not lend themselves to such easy creation of dangerous holes and bugs.

>I don't want to seem callous to your plight because I know how you must feel, but does not the old adage "once bitten, twice shy" apply to your situation? You were hacked. Now you know better. Can we assume that this will not happen again?

No, we can't. I'm sure there will be more holes -- both in third party utilities and in FreeBSD itself -- that will leave my system vulnerable. (As I mentioned in an earlier message, we are even irresponsibly TURNING OFF features of the hardware that are designed to catch many such problems.) And I will not have the time to audit all the code or rewrite it to prevent that.
Unless I abandon my livelihood (sorry, guys, I'm not rich), I'll be forced to rely on systems that are built without reliability and security as Goal #1. Any change in the status quo will require a change of attitude -- a level of professionalism that I haven't seen yet in most developers. And I don't see that maturity coming. Look at all the fuss I've encountered when asking that JUST ONE AVENUE OF ATTACK be closed! I keep hearing excuses of the form, "Well, there will still be other ways to break in, so why fix even one?" Guys, we have to close them ALL.

--Brett Glass

From owner-freebsd-security Mon Jul 20 10:40:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA08955 for freebsd-security-outgoing; Mon, 20 Jul 1998 10:40:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA08950 for ; Mon, 20 Jul 1998 10:40:21 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id LAA20525; Mon, 20 Jul 1998 11:40:03 -0600 (MDT)
Message-Id: <199807201740.LAA20525@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 11:39:57 -0600
To: "Gentry A. Bieker" , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:28 AM 7/20/98 -0500, you wrote:
>You don't expect all of your software to automatically upgrade for you, do you?

That's a darn good idea. Several Windows apps do this already. Why not the FreeBSD ports?
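Editor's note. Pat's reply to Paul Hart earlier on this page recommends a second line of defence beside auditing: bind the privileged port while still root, then irrevocably surrender root to a non-privileged pseudo-user, which is how he describes Cyrus behaving. The following is an added example written for this archive; it is not code from any poster and not Cyrus's code. It shows that order of operations in C on a POSIX system, plus the check a practitioner wants that the drop really is irrevocable. The target uid/gid are assumed to be supplied by the caller (a real daemon would look up its pseudo-user with getpwnam); the stand-alone demo binds port 0 and drops to the ids the process already holds so that it runs unprivileged.

```c
/* Added example (not any poster's code, and not Cyrus): bind the privileged
 * port while still root, then surrender root for good and prove it is gone.
 * Assumes a POSIX system.  The unprivileged uid/gid are the caller's choice
 * (a real daemon would look up its dedicated pseudo-user with getpwnam). */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
/* glibc hides setgroups() under strict -std=c99; an identical redeclaration is harmless. */
int setgroups(size_t, const gid_t *);
#endif

/* Step 1, as root: create the TCP listener.  Ports below 1024 need root on a
 * stock Unix, so this has to run before the drop.  Port 0 asks the kernel for
 * an ephemeral port, which lets the demo run unprivileged.
 * Returns the listening descriptor, or -1 on error. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    (void)setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: become uid/gid permanently.  Order matters: supplementary groups
 * and the gid go first, because once setuid() has run the process no longer
 * has the privilege to change them.  seteuid() alone would not do: it leaves
 * the saved uid at 0 and root can be taken back later.
 * Returns 0 when the drop succeeded and is verified irrevocable, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)   /* only root may clear these */
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;

    /* Read the ids back rather than trusting the return values ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ... and prove root cannot be regained: if this setuid(0) succeeds, the
     * saved uid was still 0 and the "drop" was reversible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Stand-alone demo: bind an ephemeral loopback port, then drop to the ids the
 * process already has.  Run as root, pass the pseudo-user's ids instead. */
int main(void)
{
    int fd = bind_listener(0);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    struct sockaddr_in bound;
    socklen_t len = sizeof bound;
    if (getsockname(fd, (struct sockaddr *)&bound, &len) == 0)
        printf("listening on 127.0.0.1:%u\n", (unsigned)ntohs(bound.sin_port));

    if (drop_privileges(getuid(), getgid()) < 0) {
        fprintf(stderr, "privilege drop failed or is reversible: %s\n", strerror(errno));
        close(fd);
        return 1;
    }
    printf("now uid=%u gid=%u; setuid(0) refused\n", (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

The two checks at the end are the point of the example: the ids are read back instead of trusting setuid()'s return value, and a saved uid that is still 0 is exactly how a "dropped" daemon gets root back, which is why seteuid() on its own is not a drop. Supplementary groups and the gid must go before the uid; afterwards the process no longer has the privilege to change them.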
From owner-freebsd-security Mon Jul 20 10:52:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA11799 for freebsd-security-outgoing; Mon, 20 Jul 1998 10:52:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dworkin.amber.org (petrilli@dworkin.amber.org [209.31.146.74]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA11777 for ; Mon, 20 Jul 1998 10:52:55 -0700 (PDT) (envelope-from petrilli@dworkin.amber.org)
Received: from localhost (petrilli@localhost) by dworkin.amber.org (8.9.0/8.9.0) with SMTP id NAA10409; Mon, 20 Jul 1998 13:52:20 -0400 (EDT)
Date: Mon, 20 Jul 1998 13:52:19 -0400 (EDT)
From: "Christopher G. Petrilli"
To: Brett Glass
cc: "Gentry A. Bieker" , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807201740.LAA20525@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:
> At 11:28 AM 7/20/98 -0500, you wrote:
>
> >You don't expect all of your software to automatically upgrade for you, do you?
>
> That's a darn good idea. Several Windows apps do this already. Why not the FreeBSD ports?

Oh yes, I definitely want my applications randomly upgrading themselves ... this will fix all my security holes :-)

Chris
--
| Christopher Petrilli
| petrilli@amber.org

From owner-freebsd-security Mon Jul 20 11:10:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA14493 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:10:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA14488 for ; Mon, 20 Jul 1998 11:10:20 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id MAA21160; Mon, 20 Jul 1998 12:09:50 -0600 (MDT)
Message-Id: <199807201809.MAA21160@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 12:09:47 -0600
To: "Christopher G. Petrilli"
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: "Gentry A. Bieker" , security@FreeBSD.ORG
In-Reply-To:
References: <199807201740.LAA20525@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It might save your butt.

But who said anything about "randomly?" The aforementioned Windows apps do let you upgrade when you want to, and let you roll back.

--Brett

At 01:52 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
>On Mon, 20 Jul 1998, Brett Glass wrote:
>
>> At 11:28 AM 7/20/98 -0500, you wrote:
>>
>> >You don't expect all of your software to automatically upgrade for you, do you?
>>
>> That's a darn good idea. Several Windows apps do this already. Why not the FreeBSD ports?
>
>Oh yes, I definitely want my applications randomly upgrading themselves ... this will fix all my security holes :-)
>
>Chris
>--
>| Christopher Petrilli
>| petrilli@amber.org
>

From owner-freebsd-security Mon Jul 20 11:13:40 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA15042 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:13:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dworkin.amber.org (petrilli@dworkin.amber.org [209.31.146.74]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA15032 for ; Mon, 20 Jul 1998 11:13:36 -0700 (PDT) (envelope-from petrilli@dworkin.amber.org)
Received: from localhost (petrilli@localhost) by dworkin.amber.org (8.9.0/8.9.0) with SMTP id OAA10456; Mon, 20 Jul 1998 14:13:11 -0400 (EDT)
Date: Mon, 20 Jul 1998 14:13:11 -0400 (EDT)
From: "Christopher G. Petrilli"
To: Brett Glass
cc: "Gentry A. Bieker" , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807201809.MAA21160@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:
> It might save your butt.
>
> But who said anything about "randomly?" The aforementioned Windows apps do let you upgrade when you want to, and let you roll back.

I think that the idea of "notification" of a new update is wonderful; however, installation should not be in any way "automatic", even if you say "sure, upgrade my machine while I cross my fingers and hope that nothing 'unusual' happens." This, however, is trivially accomplished through either a modification to the package mechanism (providing an extra utility), or simply having email lists.

Chris

> At 01:52 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
>
> >On Mon, 20 Jul 1998, Brett Glass wrote:
> >
> >> At 11:28 AM 7/20/98 -0500, you wrote:
> >>
> >> >You don't expect all of your software to automatically upgrade for you, do you?
> >>
> >> That's a darn good idea. Several Windows apps do this already. Why not the FreeBSD ports?
> >
> >Oh yes, I definitely want my applications randomly upgrading themselves ... this will fix all my security holes :-)
> >
> >Chris
> >--
> >| Christopher Petrilli
> >| petrilli@amber.org
> >
>

--
| Christopher Petrilli
| petrilli@amber.org

From owner-freebsd-security Mon Jul 20 11:28:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA16794 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:28:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA16786 for ; Mon, 20 Jul 1998 11:28:02 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su)
Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id WAA00193; Mon, 20 Jul 1998 22:26:13 +0400 (MSD)
Message-ID: <19980720222613.37562@nevalink.ru>
Date: Mon, 20 Jul 1998 22:26:13 +0400
From: Alexandre Snarskii
To: Brett Glass , Alexandre Snarskii
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
References: <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <19980720152932.42290@nevalink.ru> <199807201714.LAA19993@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
In-Reply-To: <199807201714.LAA19993@lariat.lariat.org>; from Brett Glass on Mon, Jul 20, 1998 at 11:14:33AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jul 20, 1998 at 11:14:33AM -0600, Brett Glass wrote:
> Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special hardware designed to guard against these exploits. The mechanisms they designed are called "segments" and "call gates" (among other things). And what do we do? We turn it off. In fact, Intel sees so few people using these vital features that it doesn't bother to speed them up in new CPU models, as they do other parts of the chip.
>
> In short, the hackers who want slightly more convenient "flat" address spaces have contributed in devastating ways to the problems we have now.

Can you release kernel patches to realise hardware-level protection? (I'm not an experienced kernel programmer, and don't have enough time to learn kernel internals, sorry :( )

I know that my solution is rather a 'fast and dirty hack', but it works. And I don't see any other solution for stack smashing prevention for FreeBSD now.

PS: btw, a non-executable stack doesn't protect against the return-into-libc attack (as demonstrated by Rafal Wojtczuk in bugtraq against Solar Designer's patch).
--
Alexandre Snarskii
the source code is included

From owner-freebsd-security Mon Jul 20 11:28:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA16969 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:28:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA16955 for ; Mon, 20 Jul 1998 11:28:44 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id MAA21514; Mon, 20 Jul 1998 12:28:04 -0600 (MDT)
Message-Id: <199807201828.MAA21514@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 12:27:55 -0600
To: "Christopher G. Petrilli"
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: "Gentry A. Bieker" , security@FreeBSD.ORG
In-Reply-To:
References: <199807201809.MAA21160@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'd go further. I'd be willing to allow an INSTANT automatic upgrade if the FreeBSD Security Manager sent a message, digitally signed with a nice, long key, saying that a serious exploit might be imminent. It'd be worth the risk. In the case of the QPopper hole, it would have been the Right Thing.

The feature would, of course, be optional. Not everyone would turn it on, but *I* would.

--Brett Glass

At 02:13 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
>On Mon, 20 Jul 1998, Brett Glass wrote:
>
>> It might save your butt.
>>
>> But who said anything about "randomly?" The aforementioned Windows apps do let you upgrade when you want to, and let you roll back.
>
>I think that the idea of "notification" of a new update is wonderful; however, installation should not be in any way "automatic", even if you say "sure, upgrade my machine while I cross my fingers and hope that nothing 'unusual' happens." This, however, is trivially accomplished through either a modification to the package mechanism (providing an extra utility), or simply having email lists.
>
>Chris
>
>
>> At 01:52 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
>>
>> >On Mon, 20 Jul 1998, Brett Glass wrote:
>> >
>> >> At 11:28 AM 7/20/98 -0500, you wrote:
>> >>
>> >> >You don't expect all of your software to automatically upgrade for you, do you?
>> >>
>> >> That's a darn good idea. Several Windows apps do this already. Why not the FreeBSD ports?
>> >
>> >Oh yes, I definitely want my applications randomly upgrading themselves ... this will fix all my security holes :-)
>> >
>> >Chris
>> >--
>> >| Christopher Petrilli
>> >| petrilli@amber.org
>> >
>> >
>--
>| Christopher Petrilli
>| petrilli@amber.org
>

From owner-freebsd-security Mon Jul 20 11:34:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA18210 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:34:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dworkin.amber.org (petrilli@dworkin.amber.org [209.31.146.74]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA18188 for ; Mon, 20 Jul 1998 11:34:51 -0700 (PDT) (envelope-from petrilli@dworkin.amber.org)
Received: from localhost (petrilli@localhost) by dworkin.amber.org (8.9.0/8.9.0) with SMTP id OAA11063; Mon, 20 Jul 1998 14:34:17 -0400 (EDT)
Date: Mon, 20 Jul 1998 14:34:17 -0400 (EDT)
From: "Christopher G. Petrilli"
To: Brett Glass
cc: "Gentry A. Bieker" , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807201828.MAA21514@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:
> I'd go further. I'd be willing to allow an INSTANT automatic upgrade if the FreeBSD Security Manager sent a message, digitally signed with a nice, long key, saying that a serious exploit might be imminent. It'd be worth the risk. In the case of the QPopper hole, it would have been the Right Thing.
>
> The feature would, of course, be optional. Not everyone would turn it on, but *I* would.

Maybe after 2-3 independent external audits to verify that there are no exploits would I consider this, but considering the unlikely nature of this, I think there are better places to invest time and resources than to replace the administrator's brain.

Chris

>
>
> >> It might save your butt.
> >>
> >> But who said anything about "randomly?" The aforementioned Windows apps do let you upgrade when you want to, and let you roll back.
> >
> >I think that the idea of "notification" of a new update is wonderful; however, installation should not be in any way "automatic", even if you say "sure, upgrade my machine while I cross my fingers and hope that nothing 'unusual' happens." This, however, is trivially accomplished through either a modification to the package mechanism (providing an extra utility), or simply having email lists.
> >
> >Chris
> >
> >
> >> At 01:52 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
> >>
> >> >On Mon, 20 Jul 1998, Brett Glass wrote:
> >> >
> >> >> At 11:28 AM 7/20/98 -0500, you wrote:
> >> >>
> >> >> >You don't expect all of your software to automatically upgrade for you, do you?
> >> >>
> >> >> That's a darn good idea. Several Windows apps do this already. Why not the FreeBSD ports?
> >> >
> >> >Oh yes, I definitely want my applications randomly upgrading themselves ... this will fix all my security holes :-)
> >> >
> >> >Chris
> >> >--
> >> >| Christopher Petrilli
> >> >| petrilli@amber.org
> >> >
> >> >
> >
> >--
> >| Christopher Petrilli
> >| petrilli@amber.org
> >
>

--
| Christopher Petrilli
| petrilli@amber.org

From owner-freebsd-security Mon Jul 20 11:38:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA18855 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:38:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA18849 for ; Mon, 20 Jul 1998 11:38:14 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id MAA21687; Mon, 20 Jul 1998 12:37:47 -0600 (MDT)
Message-Id: <199807201837.MAA21687@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 12:37:38 -0600
To: Alexandre Snarskii , Alexandre Snarskii
From: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: security@FreeBSD.ORG
In-Reply-To: <19980720222613.37562@nevalink.ru>
References: <199807201714.LAA19993@lariat.lariat.org> <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <19980720152932.42290@nevalink.ru> <199807201714.LAA19993@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:26 PM 7/20/98 +0400, Alexandre Snarskii wrote:
>Can you release kernel patches to realise hardware-level protection?
>(I'm not an experienced kernel programmer, and don't have enough time to learn kernel internals, sorry :( )

The patches would have to be both to the kernel and the compiler, since the changes would change the machine's segmentation model. I can't give you an instant evaluation of how extensive they would be; it depends on how many programs and kernel routines are coded with the assumption that the world is totally "flat."

>PS: btw, a non-executable stack doesn't protect against the return-into-libc attack (as demonstrated by Rafal Wojtczuk in bugtraq against Solar Designer's patch).

Segmentation would also guard against another exploit, by the way: jumping into the middle of a routine to the point just after a security check. I'm SURE that there are holes like this that haven't been exploited yet.

--Brett

From owner-freebsd-security Mon Jul 20 11:45:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA20162 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:45:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA20147 for ; Mon, 20 Jul 1998 11:45:45 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id MAA21839; Mon, 20 Jul 1998 12:45:19 -0600 (MDT)
Message-Id: <199807201845.MAA21839@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 12:45:11 -0600
To: "Christopher G. Petrilli"
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: "Gentry A. Bieker" , security@FreeBSD.ORG
In-Reply-To:
References: <199807201828.MAA21514@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Reliance on mailing lists such as Bugtraq does not do any more or less to "replace the administrator's brain." Fact is, when a trusted authority says that there's a hole to be closed, I want action. I'm perfectly content to review what happened after the fact.

--Brett Glass

At 02:34 PM 7/20/98 -0400, Christopher G. Petrilli wrote:
>Maybe after 2-3 independent external audits to verify that there are no exploits would I consider this, but considering the unlikely nature of this, I think there are better places to invest time and resources than to replace the administrator's brain.
>
>Chris

From owner-freebsd-security Mon Jul 20 12:05:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA23913 for freebsd-security-outgoing; Mon, 20 Jul 1998 12:05:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA23902 for ; Mon, 20 Jul 1998 12:05:09 -0700 (PDT) (envelope-from patl@phoenix.volant.org)
From: patl@phoenix.volant.org
Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 0yyLEw-0004G3-00; Mon, 20 Jul 1998 12:04:50 -0700
Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id MAA09610; Mon, 20 Jul 1998 12:04:47 -0700
Date: Mon, 20 Jul 1998 12:04:47 -0700 (PDT)
Reply-To: patl@phoenix.volant.org
Subject: Re: Automatic updates Was: Why is there no info on the QPOPPER hack?
To: Brett Glass cc: security@FreeBSD.ORG In-Reply-To: <199807201740.LAA20525@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> At 11:28 AM 7/20/98 -0500, you wrote:
>
> >You don't expect all of your software to automatically upgrade for you, do
> >you?
>
> That's a darn good idea. Several Windows apps do this already. Why not
> the FreeBSD ports?

You obviously haven't seen any of the flack Micro$oft is getting about this 'feature'. Most third parties are recommending turning it off. (The biggest problem seems to be that it doesn't track enough of the system config info to make sure the updated version is actually compatible with the rest of the system.)

Also, can you say 'major security hole'? Sure you can.

-Pat

From owner-freebsd-security Mon Jul 20 12:12:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA25545 for freebsd-security-outgoing; Mon, 20 Jul 1998 12:12:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA25540 for ; Mon, 20 Jul 1998 12:12:22 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.8) id PAA01354; Mon, 20 Jul 1998 15:11:58 -0400 (EDT) (envelope-from wollman) Date: Mon, 20 Jul 1998 15:11:58 -0400 (EDT) From: Garrett Wollman Message-Id: <199807201911.PAA01354@khavrinen.lcs.mit.edu> To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807201732.LAA20377@lariat.lariat.org> References: <199807200140.TAA06705@lariat.lariat.org> <199807201732.LAA20377@lariat.lariat.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

< said:
> not so much worse. What I've always wanted (and I find it hard to believe
> that no one has done it) is opt for an OS written in a language designed
> to prevent, rather than encourage, the creation of the sorts of bugs we're
> seeing here.

So go get an Alpha and run Symbolics Genera on it.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon Jul 20 12:23:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA27736 for freebsd-security-outgoing; Mon, 20 Jul 1998 12:23:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA27725 for ; Mon, 20 Jul 1998 12:23:35 -0700 (PDT) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id NAA06972; Mon, 20 Jul 1998 13:22:50 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id NAA08405; Mon, 20 Jul 1998 13:22:47 -0600 Date: Mon, 20 Jul 1998 13:22:47 -0600 Message-Id: <199807201922.NAA08405@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Brett Glass Cc: "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807201809.MAA21160@lariat.lariat.org> References: <199807201740.LAA20525@lariat.lariat.org> <199807201809.MAA21160@lariat.lariat.org> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> It might save your butt.
>
> But who said anything about "randomly?" The aforementioned Windows apps
> do let you upgrade when you want to, and let you roll back.
>
> --Brett

Which Windows apps allow you to roll upgrades back?

Also, you said 'automatically' in your original email, and now you're changing your tune to 'when you want to'.

> >> >You don't expect all of your software to automatically upgrade for you,
> >> >do you?
> >>
> >> That's a darn good idea. Several Windows apps do this already. Why not
> >> the FreeBSD ports?

In any case, our ports allow you to upgrade when you want to as well, and roll back as well, and don't require any sort of work on behalf of the application writer, unlike the Windows software. :)

Upgrade:
--------
# cd /usr/ports/mail/popper
# make clean && make && make install

Roll back:
----------
# cd /usr/ports/mail/popper
# cvs update -D'last week'
# make clean && make && make install

Nate

From owner-freebsd-security Mon Jul 20 12:49:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA01676 for freebsd-security-outgoing; Mon, 20 Jul 1998 12:49:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.intercom.com ([207.51.55.117]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA01671 for ; Mon, 20 Jul 1998 12:49:32 -0700 (PDT) (envelope-from jason@mail.intercom.com) Received: from localhost (jason@localhost) by mail.intercom.com (8.9.0/8.9.0) with SMTP id PAA18340; Mon, 20 Jul 1998 15:52:48 -0400 (EDT) Date: Mon, 20 Jul 1998 15:52:48 -0400 (EDT) From: jason To: Brett Glass cc: "Gentry A.
Bieker" , security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-Reply-To: <199807201740.LAA20525@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Uhm, you people ever hear of RCS and CVS??? Bang, automatic upgrades...

-J

On Mon, 20 Jul 1998, Brett Glass wrote:
> At 11:28 AM 7/20/98 -0500, you wrote:
>
> >You don't expect all of your software to automatically upgrade for you, do you?
>
> That's a darn good idea. Several Windows apps do this already. Why not
> the FreeBSD ports?

From owner-freebsd-security Mon Jul 20 13:23:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA07809 for freebsd-security-outgoing; Mon, 20 Jul 1998 13:23:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA07803 for ; Mon, 20 Jul 1998 13:23:25 -0700 (PDT) (envelope-from wes@obie.softweyr.com) Received: (from wes@localhost) by obie.softweyr.com (8.8.8/8.8.8) id OAA27380; Mon, 20 Jul 1998 14:21:20 -0600 (MDT) (envelope-from wes) From: Wes Peters Message-Id: <199807202021.OAA27380@obie.softweyr.com> Subject: Re: Why is there no info on the QPOPPER hack? In-Reply-To: <199807201740.LAA20525@lariat.lariat.org> from Brett Glass at "Jul 20, 98 11:39:57 am" To: brett@lariat.org (Brett Glass) Date: Mon, 20 Jul 1998 14:21:20 -0600 (MDT) Cc: "Gentry A. Bieker"@obie.softweyr.com, , security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> >You don't expect all of your software to automatically upgrade for you, do you?
> > That's a darn good idea. Several Windows apps do this already. Why not
> the FreeBSD ports?

He walked right into that one, didn't he?

How difficult would it be to write a little daemon to check all of the installed ports and packages for update availability?

We should write it in modula-3, to make sure it doesn't have any buffer overflow problems, though. Anyone wanna learn m3? ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com

From owner-freebsd-security Mon Jul 20 14:08:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14595 for freebsd-security-outgoing; Mon, 20 Jul 1998 14:08:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA14504 for ; Mon, 20 Jul 1998 14:08:04 -0700 (PDT) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yyN9t-0004D5-00; Mon, 20 Jul 1998 15:07:45 -0600 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id PAA13333; Mon, 20 Jul 1998 15:09:58 -0600 (MDT) Message-Id: <199807202109.PAA13333@harmony.village.org> To: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: Alexandre Snarskii , Archie Cobbs , security@FreeBSD.ORG In-reply-to: Your message of "Mon, 20 Jul 1998 11:14:33 MDT."
<199807201714.LAA19993@lariat.lariat.org> References: <199807201714.LAA19993@lariat.lariat.org> <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> Date: Mon, 20 Jul 1998 15:09:58 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <199807201714.LAA19993@lariat.lariat.org> Brett Glass writes:
: Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special
: hardware designed to guard against these exploits. The mechanisms
: they designed are called "segments" and "call gates" (among other
: things). And what do we do? We turn it off. In fact, Intel sees
: so few people using these vital features that it doesn't bother
: to speed them up in new CPU models, as they do other parts of
: the chip.

How do you enable call gates, and how do they fix these problems? How exactly do call gates eliminate this problem? The kernel already uses segments to manage security, so I don't think I understand your comment about this. Can you elaborate in more detail how exactly these tools will solve the problems that we're having? Specifically the problem of overwriting the return address, to say setuid with an arg of 0. While it isn't arbitrary code, it does give you elevated privs. I don't see how any of them can solve that problem.

Educate me please.
Warner

From owner-freebsd-security Mon Jul 20 14:09:30 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14823 for freebsd-security-outgoing; Mon, 20 Jul 1998 14:09:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA14805 for ; Mon, 20 Jul 1998 14:09:24 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.iserver.com; Mon, 20 Jul 1998 15:09:08 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma004724; Mon, 20 Jul 98 15:09:03 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.5) id OAA06622; Mon, 20 Jul 1998 14:57:53 -0600 (MDT) Date: Mon, 20 Jul 1998 14:57:53 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-Reply-To: <199807201732.LAA20377@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:
> I would argue that the real problem is unsafe tools. C and its libraries
> have, from the start, been rusty, and unsafe, with no safeguards against
> cutting one's head off.

I will not argue with the statement that C gives you the potential to hurt yourself. It does. BUT, so do power tools, knives, and blunt objects. These things can and should be used with care, but we shouldn't necessarily get rid of them just because people can hurt themselves with them. The world is a dangerous place, so be careful.
My wood shop teacher in junior high school made us all take a power tool safety course before we could operate the shop's table saw. Maybe programmers writing software that runs as root should be just as careful.

Often times "being careful" just means rethinking your C coding style. Instead of using strcpy(), use strncpy(). That's not too hard of a change, is it? As a simple example, your entire qpopper problem would have been non-existent if the programmer would have used vsnprintf() instead of vsprintf(). Funny what a difference a single character makes.

> > I don't want to seem callous to your plight because I know how you must
> > feel, but does not the old adage "once bitten, twice shy" apply to your
> > situation? You were hacked. Now you know better. Can we assume that
> > this will not happen again?
>
> No, we can't. I'm sure there will be more holes -- both in third party
> utilities and in FreeBSD itself -- that will leave my system vulnerable.

I don't doubt that programmers will continue to crank out buggy software. However, I think you can more or less effectively protect yourself from crackers without powering down and unplugging your machine permanently.

Consider Bugtraq and the other popular security mailing lists as required reading. Absolutely. None of these holes would have taken you by surprise if you had diligently read these lists. Most of these crackers are immature "script kiddies" that simply download prepackaged exploits off sites like http://www.rootshell.com and then roam the Internet looking for windows to smash in. Their skill level is remarkably low, and sooner or later they'll get caught.

As a case in point, I work in a setting where we have thousands (8000+) of untrusted users with shell access to our server machines. The machines are running BSDI, but for the purposes of this discussion they are identical to machines running FreeBSD. We are a ROUTINE target of script kiddie attacks.
If we were not vigilant about security, we would have been "0wn3d" long ago. But we are vigilant. It is surprising how bland our little wannabe hackers are. They always use the same boring exploit code, directly taken from Rootshell or Bugtraq, and they always try the same old stunts, which of course, do not work.

If you maintain that two or three day lead time on the script kiddies and patch stuff as soon as it is exposed on Bugtraq, you should be relatively safe. Your mileage may vary, of course, but that's a safe lead time figure. IMO, if you are safe against everything at Rootshell, then you're safe against 99.99% of what will ever come your way. Perhaps you should panic about the other .01%, but that's why you have an emergency plan to recover in the case of a catastrophe, right?

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Mon Jul 20 14:32:17 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA18791 for freebsd-security-outgoing; Mon, 20 Jul 1998 14:32:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA18778 for ; Mon, 20 Jul 1998 14:32:14 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id OAA15282; Mon, 20 Jul 1998 14:30:35 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id OAA03728; Mon, 20 Jul 1998 14:30:34 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id OAA27539;
Mon, 20 Jul 1998 14:30:33 -0700 (PDT) From: Don Lewis Message-Id: <199807202130.OAA27539@salsa.gv.tsc.tdk.com> Date: Mon, 20 Jul 1998 14:30:33 -0700 In-Reply-To: Alexandre Snarskii "Re: The 99,999-bug question: Why can you execute from the stack?" (Jul 20, 3:29pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Alexandre Snarskii , Warner Losh , Archie Cobbs Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: Brett Glass , security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Jul 20, 3:29pm, Alexandre Snarskii wrote:
} Subject: Re: The 99,999-bug question: Why can you execute from the stack?
} On Sun, Jul 19, 1998 at 07:48:30PM -0600, Warner Losh wrote:
} > Another high cost option would be to have a purify/checker-like
} > functionality compiled into everything and cause a segv or some other
} > generally fatal signal. This would solve all the overflows, but again
} > at a huge price.
}
} At huge computing price. Measured in seconds, spent by processor
} to perform needed computing.

It may be worse than that. In a desperate attempt to track down a bug in BIND, I recompiled it with the bounds checking version of gcc. On a fairly zippy machine, it took about half an hour to load a few zones with a total of a few hundred hosts. Under light query load it was gobbling about 30% of the CPU.

In the situations where I've used code compiled this way, it seems to average about a factor of 20 more expensive in terms of CPU usage. If this is acceptable to you, feel free to get the GCC patches and recompile userland (or at least those pieces that are compatible with the bounds checker). See .
--- Truck

From owner-freebsd-security Mon Jul 20 14:41:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA20623 for freebsd-security-outgoing; Mon, 20 Jul 1998 14:41:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from sasami.jurai.net (winter@sasami.jurai.net [207.153.65.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA20615 for ; Mon, 20 Jul 1998 14:41:22 -0700 (PDT) (envelope-from winter@jurai.net) Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.8/8.8.7) with SMTP id RAA21872; Mon, 20 Jul 1998 17:40:35 -0400 (EDT) Date: Mon, 20 Jul 1998 17:40:35 -0400 (EDT) From: "Matthew N. Dodd" To: Brett Glass cc: "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-Reply-To: <199807201828.MAA21514@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

This sort of thing tends to go over poorly at security audits and with people whose heads are on the line when things break.

I'm not willing to trust a 3rd party with that level of control of my system. Nobody should be that trusting.

Just think of what would happen if the update process was compromised.

On Mon, 20 Jul 1998, Brett Glass wrote:
> I'd go further. I'd be willing to allow an INSTANT automatic upgrade
> if the FreeBSD Security Manager sent a message, digitally signed with
> a nice, long key, saying that a serious exploit might be imminent. It'd
> be worth the risk. In the case of the QPopper hole, it would have been
> the Right Thing.
>
> The feature would, of course, be optional. Not everyone would turn it on,
> but *I* would.

/* Matthew N.
   Dodd                        | A memory retaining a love you had for life
   winter@jurai.net            | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53 */

From owner-freebsd-security Mon Jul 20 14:43:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA21062 for freebsd-security-outgoing; Mon, 20 Jul 1998 14:43:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tick.ssec.wisc.edu (tick.ssec.wisc.edu [144.92.108.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA21047 for ; Mon, 20 Jul 1998 14:43:01 -0700 (PDT) (envelope-from dglo@tick.ssec.wisc.edu) Received: from tick.ssec.wisc.edu (localhost [127.0.0.1]) by tick.ssec.wisc.edu (8.8.7/8.8.7) with ESMTP id QAA03436; Mon, 20 Jul 1998 16:42:27 -0500 (CDT) From: Dave Glowacki Message-Id: <199807202142.QAA03436@tick.ssec.wisc.edu> X-Mailer: exmh version 2.0.2 2/24/98 To: Wes Peters cc: brett@lariat.org (Brett Glass), "Gentry A. Bieker"@obie.softweyr.com, gbieker@crown.net, security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-reply-to: Your message of "Mon, 20 Jul 1998 14:21:20 MDT." <199807202021.OAA27380@obie.softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 20 Jul 1998 16:42:27 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > >You don't expect all of your software to automatically upgrade for you, do you?
> >
> > That's a darn good idea. Several Windows apps do this already. Why not
> > the FreeBSD ports?
>
> He walked right into that one, didn't he?
>
> How difficult would it be to write a little daemon to check all of the
> installed ports and packages for update availability?
>
> We should write it in modula-3, to make sure it doesn't have any
> buffer overflow problems, though. Anyone wanna learn m3?
> ;^)

You don't even have to start from scratch. Bruce Mah posted a Perl script last week that grabs the most recent INDEX file from ftp.freebsd.org, compares it to the info returned by 'pkg_info -aI' and prints out a report listing the status of all your installed ports.

See http://www.ca.sandia.gov/~bmah/pub/pkg_version/pkg_version.pl

From owner-freebsd-security Mon Jul 20 15:38:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA00997 for freebsd-security-outgoing; Mon, 20 Jul 1998 15:38:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA00986 for ; Mon, 20 Jul 1998 15:38:18 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id PAA08271 for ; Mon, 20 Jul 1998 15:38:02 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Mon, 20 Jul 1998 15:38:01 -0700 (PDT) From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: security@FreeBSD.ORG Subject: unwanted packets in secure mode? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Message from syslogd@0wn at Tue Jul 21 10:52:35 1998 ...
0wn syslogd: discarded 2 unwanted packets in secure mode

Message from syslogd@0wn at Tue Jul 21 11:03:16 1998 ...
0wn syslogd: discarded 4 unwanted packets in secure mode

Message from syslogd@0wn at Tue Jul 21 11:04:01 1998 ...
0wn syslogd: discarded 8 unwanted packets in secure mode

Might anyone know where this is coming from? Thanks,

-- Yan

Jan Koum jkb@best.com                 | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve | to go home in the dark."
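The notices above arrive at 2, 4 and 8 because syslogd only reports its discard counter when the count is a power of two (the `!(Vogons & (Vogons - 1))` test quoted from syslogd.c later in this thread). The following is an added example written for this page, not FreeBSD's syslogd code and not code from anyone in the thread: it models that throttle and formats the notice the bounded way syslogd does, with `snprintf()` and `sizeof`, adding the truncation check that the vsprintf()-versus-vsnprintf() discussion earlier in the thread is about. The `vogons` counter name follows syslogd.c; `MAXLINE`, `discard_notice()`, `count_notices()`, the 80-byte buffer, and the sender address 192.0.2.10 are assumptions made for this example. The "from %s" suffix is the one Jan proposes in his follow-up.

```c
/* Added example: a model of syslogd's secure-mode discard accounting.
 * Not FreeBSD's syslogd.c; names other than the notice text and the
 * "vogons" counter are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define MAXLINE 80   /* assumed buffer size; the real one is not shown on the page */

static unsigned vogons = 0;          /* unwanted packets seen so far */
static char last_line[MAXLINE];      /* the most recently formatted notice */

/* True for 1, 2, 4, 8, ... This is syslogd's !(n & (n - 1)) test with the
 * n == 0 case excluded, and it is why one notice appears per doubling of
 * the count instead of one per discarded packet. */
static int is_power_of_two(unsigned n)
{
    return n != 0 && (n & (n - 1)) == 0;
}

void reset_counter(void)
{
    vogons = 0;
    last_line[0] = '\0';
}

/* Account for one discarded packet from "from".
 * Returns 1 if a notice was formatted and should be logged, 0 if the
 * notice is throttled, and -1 if the text did not fit the buffer.
 * Because the format uses snprintf() with sizeof, an over-long sender
 * string is cut off rather than written past the end of last_line, which
 * is exactly the failure vsprintf() into a fixed buffer cannot avoid. */
int discard_notice(const char *from)
{
    vogons++;
    if (!is_power_of_two(vogons))
        return 0;
    int n = snprintf(last_line, sizeof last_line,
                     "syslogd: discarded %u unwanted packets in secure mode from %s",
                     vogons, from);
    if (n < 0 || (size_t)n >= sizeof last_line)
        return -1;   /* truncated: bounded, so no overflow, but report it */
    return 1;
}

const char *last_notice(void)
{
    return last_line;
}

/* Feed "packets" discards from one sender and return how many notices
 * the throttle would actually emit. */
unsigned count_notices(unsigned packets, const char *from)
{
    unsigned emitted = 0;
    reset_counter();
    for (unsigned i = 0; i < packets; i++)
        if (discard_notice(from) == 1)
            emitted++;
    return emitted;
}

int main(void)
{
    /* Constructed sample: eight packets from a documentation-range address. */
    reset_counter();
    for (int i = 0; i < 8; i++)
        if (discard_notice("192.0.2.10") == 1)
            printf("%s\n", last_notice());
    return 0;
}
```

Run stand-alone it prints four notices, for 1, 2, 4 and 8 packets, which is the pattern Jan's log shows; a thousand discards produce only ten lines, so the count in the last notice is a lower bound on what was actually dropped, not an exact total.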
From owner-freebsd-security Mon Jul 20 16:08:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA08656 for freebsd-security-outgoing; Mon, 20 Jul 1998 16:08:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA08638 for ; Mon, 20 Jul 1998 16:08:35 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id RAA26536; Mon, 20 Jul 1998 17:08:11 -0600 (MDT) Message-Id: <199807202308.RAA26536@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Mon, 20 Jul 1998 17:08:05 -0600 To: patl@phoenix.volant.org From: Brett Glass Subject: Re: Automatic updates Was: Why is there no info on the QPOPPER hack? Cc: security@FreeBSD.ORG In-Reply-To: References: <199807201740.LAA20525@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It need not be a hole, so long as it is cryptographically secure. One could even configure it so that it takes several long keys held by different parties to activate. I can envision a very safe trust infrastructure for this, with far less probability of intrusion than via the code it replaced.

Microsoft is getting flack about their mechanism because it is involuntary and gathers data on users surreptitiously. Third party mechanisms, such as Symantec's automatic update and Cybermedia's Oil Change, are well accepted.

--Brett

At 12:04 PM 7/20/98 -0700, patl@phoenix.volant.org wrote:
>> At 11:28 AM 7/20/98 -0500, you wrote:
>>
>> >You don't expect all of your software to automatically upgrade for you, do
>> >you?
>>
>> That's a darn good idea.
>> Several Windows apps do this already. Why not
>> the FreeBSD ports?
>
>You obviously haven't seen any of the flack Micro$oft is getting
>about this 'feature'. Most third parties are recommending turning
>it off. (The biggest problem seems to be that it doesn't track
>enough of the system config info to make sure the updated version
>is actually compatible with the rest of the system.)
>
>
>Also, can you say 'major security hole'? Sure you can.
>
>
>
>-Pat
>

From owner-freebsd-security Mon Jul 20 16:29:17 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA14828 for freebsd-security-outgoing; Mon, 20 Jul 1998 16:29:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA14814 for ; Mon, 20 Jul 1998 16:29:14 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id RAA26896; Mon, 20 Jul 1998 17:28:52 -0600 (MDT) Message-Id: <199807202328.RAA26896@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Mon, 20 Jul 1998 17:15:21 -0600 To: Garrett Wollman From: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: security@FreeBSD.ORG In-Reply-To: <199807201911.PAA01354@khavrinen.lcs.mit.edu> References: <199807201732.LAA20377@lariat.lariat.org> <199807200140.TAA06705@lariat.lariat.org> <199807201732.LAA20377@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Might not be a bad option, but to be honest I'd have a lot to learn before being sure I could make that kind of decision. (I'm assuming you're talking about Symbolics, the old LISP machine company; last time I checked, they'd gone belly up.) I'd need to see whether the language and OS I could get today were fully type-safe and reasonably secure.

--Brett

At 03:11 PM 7/20/98 -0400, Garrett Wollman wrote:
>So go get an Alpha and run Symbolics Genera on it.
>
>-GAWollman

From owner-freebsd-security Mon Jul 20 16:29:17 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA14830 for freebsd-security-outgoing; Mon, 20 Jul 1998 16:29:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA14816 for ; Mon, 20 Jul 1998 16:29:14 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id RAA26899; Mon, 20 Jul 1998 17:28:53 -0600 (MDT) Message-Id: <199807202328.RAA26899@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Mon, 20 Jul 1998 17:28:51 -0600 To: Paul Hart From: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: security@FreeBSD.ORG In-Reply-To: References: <199807201732.LAA20377@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 02:57 PM 7/20/98 -0600, Paul Hart wrote:
>I will not argue with the statement that C gives you the potential to hurt
>yourself. It does. BUT, so do power tools, knives, and blunt objects.
>These things can and should be used with care, but we shouldn't
>necessarily get rid of them just because people can hurt themselves with
>them. The world is a dangerous place, so be careful. My wood shop
>teacher in junior high school made us all take a power tool safety course
>before we could operate the shop's table saw.

And I'll bet he would not have let you use a table saw without a blade guard, or with a broken blade. Nor would he let you rip wood on a radial arm saw, which can kick the work back in your face -- hard.

Same thing with C. It's an old, rusty, broken tool without blade guards, and it's not well suited to purpose. Your old shop teacher wouldn't have let it in the shop.

>Maybe programmers writing
>software that runs as root should be just as careful.

...and boot C out of the shop.

>Often times "being careful" just means rethinking your C coding style.
>Instead of using strcpy(), use strncpy(). That's not too hard of a change,
>is it?

Well, then why not boot strcpy() out of the library? Bzzzt.... Sorry, history (in other words, prior mistakes) is no excuse. Of course, because of pointer/array equivalence, this wouldn't BEGIN to close the holes.

>As a simple example, your entire qpopper problem would have been
>non-existent if the programmer would have used vsnprintf() instead of
>vsprintf(). Funny what a difference a single character makes.

One of the programmers in charge of maintaining that code wrote me as follows just yesterday:

You are right about sprintf and vsprintf may cause the overflows.
What I did in 2.5 is to contain the external values (mostly user generated) as a quick patch. I guess using those calls for internal data (where the size is known) is safe.

In short, time to take the tool out of the shop. If it's even THERE, students unclear on the concept will kill themselves.

>Consider Bugtraq and the other popular security mailing lists as required
>reading. Absolutely. None of these holes would have taken you by
>surprise if you had diligently read these lists.

Not necessarily. An exploit can be used long before it hits the lists.

--Brett Glass

From owner-freebsd-security Mon Jul 20 16:33:51 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA15838 for freebsd-security-outgoing; Mon, 20 Jul 1998 16:33:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA15804 for ; Mon, 20 Jul 1998 16:33:45 -0700 (PDT) (envelope-from jkb@best.com) Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id QAA19691 for ; Mon, 20 Jul 1998 16:33:29 -0700 (PDT) X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs Date: Mon, 20 Jul 1998 16:33:28 -0700 (PDT) From: "Jan B. Koum " X-Sender: jkb@shell6.ba.best.com To: security@FreeBSD.ORG Subject: Re: unwanted packets in secure mode? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Never mind .. I am a retard .. I forgot my syslogd is running with "-s" switch.
In syslogd.c we have:

    /* Vogons counts the packets rejected in secure mode. The test below is
     * true only when the count is a power of two (2, 4, 8, ...), so a flood
     * of rejected packets produces a handful of log lines instead of one
     * per packet. */
    if (!(Vogons & (Vogons - 1))) {
        (void)snprintf(line, sizeof line,
            "syslogd: discarded %d unwanted packets in secure mode", Vogons);
        logmsg(LOG_SYSLOG|LOG_AUTH, line, LocalHostName, ADDDATE);
    }

Does it make sense to actually add the IP of a server trying to send us
syslogd packets? Maybe something like:

    "syslogd: discarded %d unwanted packets in secure mode from %s"

-- Yan

Jan Koum jkb@best.com                 | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve | to go home in the dark."

On Mon, 20 Jul 1998, Jan B. Koum wrote:

>
>Message from syslogd@0wn at Tue Jul 21 10:52:35 1998 ...
>0wn syslogd: discarded 2 unwanted packets in secure mode
>
>Message from syslogd@0wn at Tue Jul 21 11:03:16 1998 ...
>0wn syslogd: discarded 4 unwanted packets in secure mode
>
>Message from syslogd@0wn at Tue Jul 21 11:04:01 1998 ...
>0wn syslogd: discarded 8 unwanted packets in secure mode
>
>
>
> Anyone might know where this is coming from? Thanks,
>
>-- Yan
>
>Jan Koum jkb@best.com                 | "Turn up the lights; I don't want
>www.FreeBSD.org -- The Power to Serve | to go home in the dark."
>
>

From owner-freebsd-security Mon Jul 20 16:40:37 1998
Message-Id: <199807202340.QAA17702@hub.freebsd.org>
To: "Matthew N. Dodd"
Cc: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-reply-to: Your message of "Mon, 20 Jul 1998 17:40:35 EDT."
Date: Mon, 20 Jul 1998 18:41:44 -0500
From: Jon Hamilton

In message , "Matthew N. Dodd" wrote:
}
} This sort of thing tends to go over poorly at security audits and with
} people whose heads are on the line when things break.
}
} I'm not willing to trust a 3rd party with that level of control of my
} system.

Right.

} Nobody should be that trusting.

Wrong. Not everybody's environment looks like yours; there are
undoubtedly people for whom this would be a very good idea.

} Just think of what would happen if the update process was compromised.

That's less catastrophic some places than others.

--
Jon Hamilton
hamilton@pobox.com

From owner-freebsd-security Mon Jul 20 16:48:54 1998
To: Brett Glass
cc: Paul Hart, dg@root.com, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-reply-to: Your message of "Mon, 20 Jul 1998 11:32:51 MDT."
<199807201732.LAA20377@lariat.lariat.org>
Date: Mon, 20 Jul 1998 16:47:10 -0700
Message-ID: <26065.900978430@time.cdrom.com>
From: "Jordan K. Hubbard"

> I would argue that the real problem is unsafe tools. C and its libraries
> have, from the start, been rusty, and unsafe, with no safeguards against
> cutting one's head off. Heck, the C language was more than 20 years old

That may be true, but it has no relevance to this discussion.

> Quality can't (and shouldn't) be tested or audited in. It should be DESIGNED
> in. The development tools we use to develop the system in the first place

That may be true, but it has no relevance to this discussion.

> Any change in the status quo will require a change of attitude -- a level of
> professionalism that I haven't seen yet in most developers.

This has nothing to do with "lack of professionalism", this has to do
with users (like yourself) simply expecting to get something without
investing any of their own effort. I really have to be somewhat amazed
at this discussion. I remember a period during the late 70's and 80's
when NOBODY would have just run something on one of their systems
without either extensively auditing it first or making sure that it had
just gone through such an audit. People used to be *careful* about what
they ran and they used to take a personal interest in anything which ran
with root privileges. They also used to make backups and designate
people to take over for them when they went on honeymoons and such. :-)

Developers haven't changed much at all, from what I can see, but the
quality of the *users* and the time and attention which they spend on
proper security procedures has really gone into the toilet. Sorry
Brett, but you're really pointing your finger in the wrong direction
here. People have really gotten far too complacent lately and they're
starting to pay the price for expecting everything to now be
point-and-click, including their own security.

- Jordan

From owner-freebsd-security Mon Jul 20 16:50:06 1998
Message-Id: <199807202349.RAA27220@lariat.lariat.org>
Date: Mon, 20 Jul 1998 17:49:21 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807202109.PAA13333@harmony.village.org>
References: <199807201714.LAA19993@lariat.lariat.org>
 <199807200148.TAA07794@harmony.village.org>
 <199807200102.SAA07953@bubba.whistle.com>
 <199807200148.TAA07794@harmony.village.org>

At 03:09 PM 7/20/98 -0600, Warner Losh wrote:

>How do you enable call gates, and how do they fix these problems? How
>exactly do call gates eliminate this problem?

A call gate is an abstract descriptor that points to a legal entry point
of a routine (usually a shared library routine or an OS routine). It's
the only way to get in. You can't jump into the middle because the
segmentation mechanism won't let you through. You have to use the gate.
You also can't use a RET instruction to call something backwards through
a gate (the designers thought of that).

>The kernel already uses segments to manage security, so I don't think
>I understand your comment about this.

Actually, the segmentation mechanisms are hardly used. One of the first
things they COULD be used for is to prevent execution out of the stack
and data segments, which is normally disallowed. (You need what's called
a "CS alias" to allow execution out of something other than the code
segment.) This is all in the Intel docs on protected mode.

>Can you elaborate in more
>detail how exactly these tools will solve the problems that we're
>having?

I wish I still had the original Intel papers on the subject. They were
thinking about these things way back in the 1980's! But here are some
URLs with good information. At http://www.fh-zwickau.de/~hoh/pmode/
there's a good tutorial in German that's partially translated to
English. Note in particular the section on gates. Also see the 80386
programmer's reference at
http://www.jimbrooks.org/web/programming/i386-html/toc.htm

--Brett

From owner-freebsd-security Mon Jul 20 16:53:05 1998
Message-Id: <199807202352.RAA27271@lariat.lariat.org>
Date: Mon, 20 Jul 1998 17:52:20 -0600
To: "Matthew N. Dodd"
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: "Christopher G. Petrilli", "Gentry A. Bieker", security@FreeBSD.ORG
References: <199807201828.MAA21514@lariat.lariat.org>

Thousands (maybe tens or hundreds of thousands) of systems have been
potentially compromised because that code was in the FreeBSD Ports
library. I'd find it hard to believe that such a scheme would do
anything but improve the odds that the hole would be closed.

And, no, CVSup is not an answer. On production machines, you don't want
to CVSup to the latest version -- you just want to pick up known good
patches for significant problems.

--Brett

At 05:40 PM 7/20/98 -0400, Matthew N. Dodd wrote:
>
>This sort of thing tends to go over poorly at security audits and with
>people whose heads are on the line when things break.
>
>I'm not willing to trust a 3rd party with that level of control of my
>system.
>
>Nobody should be that trusting.
>
>Just think of what would happen if the update process was compromised.
>
>On Mon, 20 Jul 1998, Brett Glass wrote:
>> I'd go further. I'd be willing to allow an INSTANT automatic upgrade
>> if the FreeBSD Security Manager sent a message, digitally signed with
>> a nice, long key, saying that a serious exploit might be imminent. It'd
>> be worth the risk. In the case of the QPopper hole, it would have been
>> the Right Thing.
>>
>> The feature would, of course, be optional. Not everyone would turn it on,
>> but *I* would.
>
>
>
>/*
> Matthew N. Dodd                 | A memory retaining a love you had for life
> winter@jurai.net                | As cruel as it seems nothing ever seems to
> http://www.jurai.net/~winter    | go right - FLA M 3.1:53
>*/
>

From owner-freebsd-security Mon Jul 20 17:10:52 1998
Date: Mon, 20 Jul 1998 19:10:04 -0500 (CDT)
From: Phil Gilley
To: freebsd-security@FreeBSD.ORG
Subject: FreeBSD ipfw Configuration Page

It seems that every time someone mentions an ipfw rule set they've
developed there are several "can you send me a copy" followups. This
illustrates the lack of complete working configuration examples for
ipfw (beyond what's in the default /etc/rc.firewall script). Therefore
I have created the FreeBSD ipfw Configuration Page. Its purpose is to
provide a place to find and study various ipfw rule sets.

This is intended to be a contributor supported page, meaning that most
of the examples are going to be submitted by other people. I have
provided the configuration I use and Chris has said I can use his
recent example that was posted to this list. But for this page to be
of any real use I need more examples. Comments on the current examples
or anything else are welcome. Please see the Web page for more
information.
http://www.metronet.com/~pgilley/freebsd/ipfw

As long as there is interest I will try to keep the page up to date.

Phil Gilley
pgilley@metronet.com

From owner-freebsd-security Mon Jul 20 17:46:29 1998
From: Andrew Kenneth Milton
Message-Id: <199807211041.KAA26950@zeus.theinternet.com.au>
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807201845.MAA21839@lariat.lariat.org> from Brett Glass at "Jul 20, 98 12:45:11 pm"
To: brett@lariat.org (Brett Glass)
Date: Tue, 21 Jul 1998 10:41:42 +0000 (GMT)
Cc: petrilli@dworkin.amber.org, gbieker@crown.NET, security@FreeBSD.ORG

+----[ Brett Glass ]---------------------------------------------
| Reliance on mailing lists such as Bugtraq does not do any more or less
| to "replace the administrator's brain." Fact is, when a trusted authority
| says that there's a hole to be closed, I want action. I'm perfectly content
| to review what happened after the fact.

So fix it.

If you can't fix it, wait for it to be fixed.
If you can't wait for it to be fixed either change to a different
vendor implementation or shut down.
While these choice might be inconvenient, they are all you have.

If you want to whinge about lack of support/features, buy support
or buy a commercial OS (which almost certainly guarantees slower
response time, but, at least someone there will listen to you
whinge.)

God knows there's half a dozen things been on my todo list for years
that have been interfered with by Real Life.

And BTW C doesn't kill people, C Programmers kill people.

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
PO Box 403 Booval QLD Australia 4304 |akm@theinternet.com.au|Specialist

From owner-freebsd-security Mon Jul 20 17:48:22 1998
Date: Tue, 21 Jul 1998 10:47:23 +1000 (EST)
From: Nicholas Charles Brawn
To: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807201828.MAA21514@lariat.lariat.org>

On Mon, 20 Jul 1998, Brett Glass wrote:

> I'd go further. I'd be willing to allow an INSTANT automatic upgrade
> if the FreeBSD Security Manager sent a message, digitally signed with
> a nice, long key, saying that a serious exploit might be imminent. It'd
> be worth the risk. In the case of the QPopper hole, it would have been
> the Right Thing.
>
> The feature would, of course, be optional. Not everyone would turn it on,
> but *I* would.

Again, this would be merely a stopgap measure. Also, patches need to be
adequately tested before applying. As one who watched the shenanigans
on bugtraq following the hype about qpopper, I saw numerous patches
released without adequate testing or further auditing of qpopper
source. The result was that several patches actually prevented qpopper
from performing its task, and in some cases didn't fix all the holes
identified.

In short, the best defense against attacks is a good offense. You need
a good administrator who understands security issues, keeps up to date
with advisories and open source security lists, and knows your systems
and networks like the back of their hand. Automatic updates of software
may help in some circumstances, but it doesn't beat having an admin on
hand who knows what they're doing.

> --Brett Glass

Just my $0.02 :)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..."
-unknown

From owner-freebsd-security Mon Jul 20 18:14:46 1998
Date: Tue, 21 Jul 1998 11:13:53 +1000 (EST)
From: Nicholas Charles Brawn
To: Phil Gilley
cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD ipfw Configuration Page

If others think this is a worthwhile idea, could such pages be linked
to from www.freebsd.org/security/security.html?

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..."
-unknown

From owner-freebsd-security Mon Jul 20 18:43:45 1998
References: <199807201732.LAA20377@lariat.lariat.org>
Date: Mon, 20 Jul 1998 21:47:19 -0400
To: Paul Hart, Brett Glass
From: Garance A Drosihn
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: security@FreeBSD.ORG

At 2:57 PM -0600 7/20/98, Paul Hart wrote:
>On Mon, 20 Jul 1998, Brett Glass wrote:
>
>> I would argue that the real problem is unsafe tools. C and its libraries
>> have, from the start, been rusty, and unsafe, with no safeguards against
>> cutting one's head off.
>
> Often times "being careful" just means rethinking your C coding style.
> Instead of using strcpy(), use strncpy(). That's not too hard of a change,
> is it? As a simple example, your entire qpopper problem would have been
> non-existent if the programmer would have used vsnprintf() instead of
> vsprintf(). Funny what a difference a single character makes.

It is not a hard change. That, however, is no consolation to anyone
nailed by this. The fact is that QPOPPER did use vsprintf, and that
(apparently) no one noticed it. It wasn't *Brett's* coding style that
will cause *Brett* to lose a few weeks of time here.

Perhaps we could think up some changes which would make these bad coding
decisions much more obvious. And if we do that, then maybe we catch more
of them before getting bitten by them, instead of after the fact.

I don't mean to be inflammatory here, I just wonder if there's some
changes which could be made which would save "future Bretts" from losing
a large chunk of time.

---
Garance Alistair Drosehn     =   gad@eclipse.its.rpi.edu
Senior Systems Programmer         or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Mon Jul 20 18:44:35 1998
References: <199807201732.LAA20377@lariat.lariat.org>
Date: Mon, 20 Jul 1998 21:48:11 -0400
To: Brett Glass
From: Garance A Drosihn
Subject: Projects to improve security (related to C)
Cc: security@FreeBSD.ORG

On Mon, 20 Jul 1998, Brett Glass wrote:
> I would argue that the real problem is unsafe tools. C and its
> libraries have, from the start, been rusty, and unsafe, with no
> safeguards against cutting one's head off.

I agree with this.
At a different time, and a different place than the security mailing
list, I would be tempted to go into the details of just how much I
agree with it. However, that entire argument would be worthless. Let
us stay in the real world for now. We have an operating system with a
lot of C code already written, and on top of that 1,000 ports, most of
which are also already written in C. There is no sense in getting into
a debate about the "best" computer language, because we're going to be
living with C for many years whether we like it or not. This particular
problem was in QPOPPER. Would you have been happy to do without any POP
service until someone had the time to rewrite that in some other
language?

Let us ignore the language war, and just start with the assumption that
we're going to have to live with a lot of C code for a long time into
the future. Even if the entire FreeBSD project managed to agree that
some other language was better, we will still pick up a lot of programs
from other unixes. It is, in my opinion, much too ambitious to suggest
that we rewrite everything.

However, I don't want to just drop this issue either. Could we think of
projects we could do in the next few months, for instance, which might
help us to improve security? Even if we won't have time to rewrite
everything, there still could be things we could do to force
programmers to at least *think* about some of the most common pitfalls.

One pitfall is this ability to execute code from the stack. If it is
not feasible to completely remove this ability, because too much would
need to be rewritten, can we partially remove it? Have it so that by
default, applications can not execute code in a stack, but that they
just need to make some system call for that to work? Is that feasible?
Would it save us from some security problems? For instance, does
QPOPPER (that one specific application) really need to execute any code
on the stack?

Another idea might be to have a #define that makes it more tedious to
use routines like "sprintf". It's one thing to have a page of wise
programming tips stashed away somewhere, and quite another if the
program you are porting won't compile (a very effective reminder) when
it includes calls to sprintf. I'm thinking of some flag that a person
could set as a part of CFLAGS in /etc/make.conf, and which would turn
all these more-dangerous routines into compile-time errors. Not
warnings. Errors. And then for people in a hurry, allow a second
#define for each routine, so you can still use that routine if you
"need" its "power" (translation: you don't have the time to rewrite all
of it).

Say, a global flag (affecting all such risky routines) called
"DO_NOT_ALLOW_BAD_PRACTICES". And then an escape-hatch define for each
routine, such as "ALLOW_BAD_PRACTICE_OF_USING_SPRINTF". People will
switch to snprintf just to avoid typing such a stupid name... And if
they *do* #define such variables, at least you have a red flag sitting
in the source code for that port which someone else could find with a
'grep' if they feel ambitious some day. (note that this means *one*
grep, one for 'ALLOW_BAD_PRACTICE', would find references to *all* of
these risky routines...).

I have no idea if these suggestions are feasible, or if they'd really
help all that much. On the other hand, I do think it is valuable to
consider security issues related to the C language. If we argue which
language is the best, we'll spend six months just arguing with each
other and not really improve anything. If we just throw up our hands
and pretend C is perfect, then we will just keep having these security
issues pop up when we least want them to. It'd be better to come up
with suggestions of realistic projects we could do, and which might
produce some positive results.
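Garance's compile-time ban and the bounded replacements it would push people toward, worked through as an added example (this is editor-added code, not code from the thread, from qpopper or from FreeBSD). The flag and escape-hatch names are his; the enforcement mechanism, `#pragma GCC poison`, is my choice and works in GCC and clang; `bounded_format`, `bounded_copy` and `build_greeting` are hypothetical helpers written for this illustration, and the sample inputs are constructed. It also covers the strcpy()/strncpy() advice quoted earlier in the thread: strncpy() is not a safe drop-in, because when the source fills the buffer it leaves no terminator behind.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Garance's global flag. In practice it would come from CFLAGS in
 * /etc/make.conf (-DDO_NOT_ALLOW_BAD_PRACTICES); it is defined here so the
 * example demonstrates the ban as written. With it set, any later use of a
 * poisoned name is a compile-time error, not a warning. The per-routine
 * escape hatches are deliberately ugly and grep-able. The pragma is a
 * GCC/clang mechanism chosen for this example, not part of the proposal. */
#define DO_NOT_ALLOW_BAD_PRACTICES 1

#ifdef DO_NOT_ALLOW_BAD_PRACTICES
# ifndef ALLOW_BAD_PRACTICE_OF_USING_SPRINTF
#  pragma GCC poison sprintf vsprintf
# endif
# ifndef ALLOW_BAD_PRACTICE_OF_USING_STRCPY
#  pragma GCC poison strcpy strcat
# endif
# ifndef ALLOW_BAD_PRACTICE_OF_USING_GETS
#  pragma GCC poison gets
# endif
#endif

/* Bounded replacement for the unbounded formatting call. Writes at most
 * n-1 characters plus a terminator and returns the length the complete
 * output would have had, so a return value >= n means "truncated"; with
 * the unbounded call the same input would have overrun the buffer. */
int bounded_format(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    int need;

    if (n == 0)
        return -1;              /* no room even for the terminator */
    va_start(ap, fmt);
    need = vsnprintf(dst, n, fmt, ap);
    va_end(ap);
    if (need < 0)
        dst[0] = '\0';          /* encoding error: leave a valid empty string */
    return need;
}

/* Bounded replacement for the unbounded copy. strncpy() pads short
 * sources with NULs but does not terminate a source of n or more bytes,
 * so the next strlen() or "%s" walks off the end of dst. This copies at
 * most n-1 bytes, terminates unconditionally, and returns strlen(src) so
 * truncation is detectable the same way as for bounded_format(). */
size_t bounded_copy(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);

    if (n == 0)
        return len;
    if (len >= n) {
        memcpy(dst, src, n - 1);
        dst[n - 1] = '\0';
    } else {
        memcpy(dst, src, len + 1);
    }
    return len;
}

/* A POP-style reply built from a name the remote side supplies: the shape
 * of the qpopper problem, client-controlled data formatted into a fixed
 * stack buffer. Returns 1 when the reply fits, 0 when it was truncated and
 * the caller should treat the input as hostile rather than send it on. */
int build_greeting(char *out, size_t n, const char *client_name)
{
    int need = bounded_format(out, n, "+OK POP3 %s ready", client_name);
    return need >= 0 && (size_t)need < n;
}

int main(void)
{
    char buf[32];
    /* constructed inputs: one that fits, one that does not */
    const char *normal = "mailhost";
    const char *oversized = "a-very-long-client-name-that-does-not-fit";

    printf("fits=%d  %s\n", build_greeting(buf, sizeof buf, normal), buf);
    printf("fits=%d  %s\n", build_greeting(buf, sizeof buf, oversized), buf);
    return 0;
}
```

Drop the `#define` at the top and pass `-DDO_NOT_ALLOW_BAD_PRACTICES` from make.conf instead to make it a site-wide policy as proposed; a port that still calls one of the poisoned routines then fails at the exact line of use, and `grep ALLOW_BAD_PRACTICE` lists every exemption anyone has granted.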
---
Garance Alistair Drosehn     =   gad@eclipse.its.rpi.edu
Senior Systems Programmer         or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Mon Jul 20 19:38:29 1998
Message-Id: <199807210238.TAA21118@hub.freebsd.org>
To: Brett Glass
cc: "Matthew N. Dodd", "Christopher G. Petrilli", "Gentry A. Bieker", security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-reply-to: Your message of "Mon, 20 Jul 1998 17:52:20 MDT." <199807202352.RAA27271@lariat.lariat.org>
Date: Mon, 20 Jul 1998 21:40:35 -0500
From: Jon Hamilton

In message <199807202352.RAA27271@lariat.lariat.org>, Brett Glass wrote:
} Thousands (maybe tens or hundreds of thousands) of systems have been
} potentially compromised because that code was in the FreeBSD Ports
} library. I'd find it hard to believe that such a scheme would do
} anything but improve the odds that the hole would be closed.

I still think you're just ranting. What does it mean to "have been
potentially compromised" anyway?

} And, no, CVSup is not an answer. On production machines, you don't
} want to CVSup to the latest version -- you just want to pick up
} known good patches for significant problems.

Maybe you've been working too long and too hard cleaning up after your
breakin. CVSup would work fine for what you're talking about, you'd just
have to have a different tag which only got "known good patches for
significant problems". Of course, this would still have the problem of
being a "pull" model, so you'd have to check "often enough".

You'd also have to be damn sure you trusted the person doing the checkins,
and you'd have to be sure that you were in fact talking to the server you
decided to trust. And you'd have to be certain that you trusted the patch
as applied, both that it solved the problem it was meant to solve, and
that it didn't introduce some other bogosity. Most of these should be
red flags shouting out that you don't really want to automate this
process, but I don't imagine that'll slow you down much.

I don't have solutions to all those problems, but then again I'm not the
one jumping up and down saying that we've got to have solutions to this
problem affecting "maybe tens or hundreds of thousands" of systems.
--
Jon Hamilton
hamilton@pobox.com

From owner-freebsd-security Mon Jul 20 19:57:44 1998
Message-Id: <199807210257.UAA00240@lariat.lariat.org>
Date: Mon, 20 Jul 1998 20:57:03 -0600
To: Andrew Kenneth Milton
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: petrilli@dworkin.amber.org, gbieker@crown.NET, security@FreeBSD.ORG
In-Reply-To: <199807211041.KAA26950@zeus.theinternet.com.au>
References: <199807201845.MAA21839@lariat.lariat.org>

At 10:41 AM 7/21/98 +0000, Andrew Kenneth Milton wrote:

>So fix it.
>
>If you can't fix it, wait for it to be fixed.
>If you can't wait for it to be fixed either change to a different
>vendor implementation or shut down.

Possibly. But in this case, by the time I found out about the problem,
someone else could already have fixed it and it could have been
installed automatically on the system. Why re-implement the wheel or
duplicate another's effort?

>While these choice might be inconvenient, they are all you have.

The point is that they're not. It'd be nice to get an automatic update
that closes the hole. I might create the new version sometimes, but
there's no reason for each person to do it every time.

>If you want to whinge about lack of support/features, buy support
>or buy a commercial OS (which almost certainly guarantees slower
>response time, but, at least someone there will listen to you
>whinge.)

Well, the first thing I might "whinge" about is your spelling. But
after I get through ribbing you about that, I'll continue to mount an
effort to come up with a more sensible solution than trying to close
every security hole myself, thank you.

>And BTW C doesn't kill people, C Programmers kill people.

In either case, the solution is to fix C or move to something else.

--Brett

From owner-freebsd-security Mon Jul 20 20:11:29 1998
Message-Id: <199807210311.VAA00475@lariat.lariat.org>
Date: Mon, 20 Jul 1998 21:11:01 -0600
To: Jon Hamilton
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: "Matthew N. Dodd", "Christopher G. Petrilli", "Gentry A. Bieker", security@FreeBSD.ORG
In-Reply-To: <199807210238.UAA29812@lariat.lariat.org>

At 09:40 PM 7/20/98 -0500, Jon Hamilton wrote:

>I still think you're just ranting. What does it mean to "have been
>potentially compromised" anyway?

It means that many of these systems are still just WAITING to be broken
into. There could be a lot more damage done -- we're talking millions of
dollars' worth.

>Maybe you've been working too long and too hard cleaning up after your
>breakin. CVSup would work fine for what you're talking about, you'd just
>have to have a different tag which only got "known good patches for
>significant problems". Of course, this would still have the problem of
>being a "pull" model, so you'd have to check "often enough".

Which means, given the typical e-mail volume an administrator must
handle, many people would not "pull" in time. I'd rather have a "push"
model with the ability to back out or opt out.

>You'd also have to be damn sure you trusted the person doing the checkins,

Anyone who runs FreeBSD already places a lot of trust in the maintainers.

>and
>you'd have to be sure that you were in fact talking to the server you
>decided to trust.

Easily accomplished via cryptography.

>And you'd have to be certain that you trusted the patch
>as applied, both that it solved the problem it was meant to solve, and
>that it didn't introduce some other bogosity. Most of these should be
>red flags shouting out that you don't really want to automate this
>process, but I don't imagine that'll slow you down much.

I would rather automate it than see delays, break-ins, and duplicated
effort.
--Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 20:32:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA29225 for freebsd-security-outgoing; Mon, 20 Jul 1998 20:32:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from pobox.com (jaresh-26.mdm.mke.execpc.com [169.207.81.154]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id UAA29219 for ; Mon, 20 Jul 1998 20:32:44 -0700 (PDT) (envelope-from hamilton@pobox.com) Message-Id: <199807210332.UAA29219@hub.freebsd.org> Received: (qmail 2243 invoked from network); 20 Jul 1998 22:34:59 -0500 Received: from localhost (HELO pobox.com) (127.0.0.1) by localhost with SMTP; 20 Jul 1998 22:34:59 -0500 To: Brett Glass cc: "Matthew N. Dodd" , "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-reply-to: Your message of "Mon, 20 Jul 1998 21:11:01 MDT." <199807210311.VAA00475@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 20 Jul 1998 22:34:59 -0500 From: Jon Hamilton Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199807210311.VAA00475@lariat.lariat.org>, Brett Glass wrote: } At 09:40 PM 7/20/98 -0500, Jon Hamilton wrote: } } >I still think you're just ranting. What does it mean to "have been } >potentially compromised" anyway? } } It means that many of these systems are still just WAITING to be broken } into. There could be a lot more damage done -- we're talking millions } of dollars' worth. The sky is falling! Where is that warranty? Oh, that's right, there isn't one. The people who are responsible for keeping those machines safe are just going to have to be responsible for keeping them safe, I guess. } >Maybe you've been working too long and too hard cleaning up after your } >breakin. 
CVSup would work fine for what you're talking about, you'd just } >have to have a different tag which only got "known good patches for } >significant problems". Of course, this would still have the problem of } >being a "pull" model, so you'd have to check "often enough". } } Which means, given the typical e-mail volume an administrator must handle, } many people would not "pull" in time. I'd rather have a "push" model with the } ability to back out or opt out. *shrug* fine with me. } >You'd also have to be damn sure you trusted the person doing the checkins, } } Anyone who runs FreeBSD already places a lot of trust in the maintainers. True, but how often do we see problems where "-current won't compile" or where patches went in which were unchecked or otherwise caused problems? You're talking about a volunteer effort, and I just don't see you getting the kind of rigor out of it that you'd need for something like you're suggesting. This is not meant to denigrate the effort any of the maintainers put in - I am arguing that it's not reasonable to expect such a level of effort from them, and if not them, then who? } >and } >you'd have to be sure that you were in fact talking to the server you } >decided to trust. } } Easily accomplished via cryptography. Wave your hands some more. Are you _really_ sure that you trust your local copy of pgp (or whatever other method you want to use)? You'd have to be 100% certain that no undesirable person had been able to get to your "master" machine to replace the kernel, your compiler, your crypto software, and the list goes on. Are you 100% sure? } >And you'd have to be certain that you trusted the patch } >as applied, both that it solved the problem it was meant to solve, and } >that it didn't introduce some other bogosity. Most of these should be } >red flags shouting out that you don't really want to automate this } >process, but I don't imagine that'll slow you down much. 
}
} I would rather automate it than see delays, break-ins, and duplicated
} effort.

But automating it doesn't solve the problem, and it's not even clear to me that it improves the situation in a way useful to people who care about their security. You're proposing a non-solution which closes some of the holes some of the time, and in the process introduces another layer of complexity to managing your systems. You may think that's a big win, but I don't. There are way too many questions you claim are "easy" to solve that really aren't.

--
Jon Hamilton
hamilton@pobox.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Mon Jul 20 20:33:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA29375 for freebsd-security-outgoing; Mon, 20 Jul 1998 20:33:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from sasami.jurai.net (winter@sasami.jurai.net [207.153.65.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA29370 for ; Mon, 20 Jul 1998 20:33:54 -0700 (PDT) (envelope-from winter@jurai.net)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.8/8.8.7) with SMTP id XAA25290; Mon, 20 Jul 1998 23:33:28 -0400 (EDT)
Date: Mon, 20 Jul 1998 23:33:28 -0400 (EDT)
From: "Matthew N. Dodd"
To: Brett Glass
cc: "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807202352.RAA27271@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:
> Thousands (maybe tens or hundreds of thousands) of systems have been
> potentially compromised because that code was in the FreeBSD Ports
> library.

Mine wasn't. Am I lucky or just fast on the draw?

I'm still not running qpopper because I've not had the time to pick through it. What's your excuse?

If you're not willing to stay on top of things and react when bugs are found:

1. Don't run code that you have not audited.
2. Use commercial software so you have the ability to bitch at someone who cares.

> I'd find it hard to believe that such a scheme would do
> anything but improve the odds that the hole would be closed.

There is no magic bullet. If the auto upgrade mechanism is compromised, the FreeBSD project now has to bear the blame for providing an insecure security service. I'd much rather they spent their time providing an OS.

This is the nature of the game. Stay on top of things.

> And, no, CVSup is not an answer. On production machines, you don't
> want to CVSup to the latest version -- you just want to pick up
> known good patches for significant problems.

How do you know what the 'good' ones are?

You sound like a person in need of a scram button for your network.

> At 05:40 PM 7/20/98 -0400, Matthew N. Dodd wrote:
> >
> >This sort of thing tends to go over poorly at security audits and with
> >people whose heads are on the line when things break.
> >
> >I'm not willing to trust a 3rd party with that level of control of my
> >system.
> >
> >Nobody should be that trusting.
> >
> >Just think of what would happen if the update process was compromised.
> >
> >On Mon, 20 Jul 1998, Brett Glass wrote:
> >> I'd go further. I'd be willing to allow an INSTANT automatic upgrade
> >> if the FreeBSD Security Manager sent a message, digitally signed with
> >> a nice, long key, saying that a serious exploit might be imminent. It'd
> >> be worth the risk. In the case of the QPopper hole, it would have been
> >> the Right Thing.
> >>
> >> The feature would, of course, be optional. Not everyone would turn it on,
> >> but *I* would.
> >
> >
> >/*
> > Matthew N. Dodd              | A memory retaining a love you had for life
> > winter@jurai.net             | As cruel as it seems nothing ever seems to
> > http://www.jurai.net/~winter | go right - FLA M 3.1:53
> >*/
>

/*
Matthew N. Dodd              | A memory retaining a love you had for life
winter@jurai.net             | As cruel as it seems nothing ever seems to
http://www.jurai.net/~winter | go right - FLA M 3.1:53
*/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Mon Jul 20 20:38:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA00805 for freebsd-security-outgoing; Mon, 20 Jul 1998 20:38:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from sasami.jurai.net (winter@sasami.jurai.net [207.153.65.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA00737 for ; Mon, 20 Jul 1998 20:37:56 -0700 (PDT) (envelope-from winter@jurai.net)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.8/8.8.7) with SMTP id XAA25346; Mon, 20 Jul 1998 23:37:27 -0400 (EDT)
Date: Mon, 20 Jul 1998 23:37:27 -0400 (EDT)
From: "Matthew N. Dodd"
To: Brett Glass
cc: Jon Hamilton , "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807210311.VAA00475@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok, you convinced me.

When are you going to have this service operational?
How much are you going to charge for it?
What sort of guarantee (money back? plus?) are you going to give me?
Who is your insurance carrier? (you must be getting great rates!)

Thanks.

On Mon, 20 Jul 1998, Brett Glass wrote:
> At 09:40 PM 7/20/98 -0500, Jon Hamilton wrote:
>
> >I still think you're just ranting. What does it mean to "have been
> >potentially compromised" anyway?
> > It means that many of these systems are still just WAITING to be broken > into. There could be a lot more damage done -- we're talking millions > of dollars' worth. > > >Maybe you've been working too long and too hard cleaning up after your > >breakin. CVSup would work fine for what you're talking about, you'd just > >have to have a different tag which only got "known good patches for > >significant problems". Of course, this would still have the problem of > >being a "pull" model, so you'd have to check "often enough". > > Which means, given the typical e-mail volume an administrator must handle, > many people would not "pull" in time. I'd rather have a "push" model with the > ability to back out or opt out. > > >You'd also have to be damn sure you trusted the person doing the checkins, > > Anyone who runs FreeBSD already places a lot of trust in the maintainers. > > >and > >you'd have to be sure that you were in fact talking to the server you > >decided to trust. > > Easily accomplished via cryptography. > > >And you'd have to be certain that you trusted the patch > >as applied, both that it solved the problem it was meant to solve, and > >that it didn't introduce some other bogosity. Most of these should be > >red flags shouting out that you don't really want to automate this > >process, but I don't imagine that'll slow you down much. > > I would rather automate it than see delays, break-ins, and duplicated > effort. > > --Brett Glass > /* Matthew N. 
Dodd | A memory retaining a love you had for life winter@jurai.net | As cruel as it seems nothing ever seems to http://www.jurai.net/~winter | go right - FLA M 3.1:53 */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 20:52:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA03613 for freebsd-security-outgoing; Mon, 20 Jul 1998 20:52:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA03574 for ; Mon, 20 Jul 1998 20:52:22 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id UAA27235; Mon, 20 Jul 1998 20:51:03 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: Garance A Drosihn cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Projects to improve security (related to C) In-reply-to: Your message of "Mon, 20 Jul 1998 21:48:11 EDT." Date: Mon, 20 Jul 1998 20:51:03 -0700 Message-ID: <27231.900993063@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > However, that entire argument would be worthless. Let us stay in > the real world for now. We have an operating system with a lot of C > code already written, and on top of that 1,000 ports, most of which > are also already written in C. There is no sense in getting into a > debate about the "best" computer language, because we're going to be Thank you, that's essentially what I just said to Brett in private email. It is highly unlikely that we're going to be rewriting FreeBSD in Java or Modula-3 anytime soon, so why even debate the point? 
:) > Let us ignore the language war, and just start with the assumption > that we're going to have to live with a lot of C code for a long > time into the future. Even if the entire FreeBSD project managed > to agree that some other language was better, we will still pick > up a lot of programs from other unixes. It is, in my opinion, much > too ambitious to suggest that we rewrite everything. Amen bruddah. > However, I don't want to just drop this issue either. Could we think > of projects we could do in the next few months, for instance, which > might help us to improve security? Even if we won't have time to Audit. Audit audit audit. Like I said in my previous email, just *five minutes* looking through the popper sources was enough time to have my jaw dropping in sheer horror at how badly we'd dropped that particular ball and I don't think it would take a rocket scientist to identify the top 10 ports in need of first attention. Start with ports/net and ports/mail and you'll have more than enough to work on. This whole auditing idea is also hardly new or innovative - those who remember back a year or so will recall my starting a "FreeBSD auditing project" complete with its own web page, auditors list, etc. Almost nothing came of it because people just weren't willing to actually DO THE WORK of auditing the code, they only wanted to talk about how much it was necessary. :-) > One pitfall is this ability to execute code from the stack. If it > is not feasible to completely remove this ability, because too much > would need to be rewritten, can we partially remove it? Have it so It wouldn't help you, as David has already pointed out. You'd just cause the exploit writers to hack a different region in libc and the problem would still be there. Again, it's not as if everyone needs to be a rocket scientist in order to get exploits, all you need is ONE person to hack out the exploit, using the stack or not, and the Internet will take care of the rest. 
Moving the symptoms of a problem has never been a more profitless exercise in history than it is right now. There's only one solution, one which OpenBSD has made significant marketing points out of, and that's to go through the code and look for holes resulting from poor programming practices. As the nature of exploits change and get harder and harder to "band-aid" over with technical trickery, this will only become all the more important and you all might as well start forming good habits now while it's still comparatively easy to jump aboard and make a difference. :-) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 20:57:20 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA04228 for freebsd-security-outgoing; Mon, 20 Jul 1998 20:57:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA04221 for ; Mon, 20 Jul 1998 20:57:17 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id UAA27254; Mon, 20 Jul 1998 20:55:44 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: Brett Glass cc: Andrew Kenneth Milton , petrilli@dworkin.amber.org, gbieker@crown.NET, security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-reply-to: Your message of "Mon, 20 Jul 1998 20:57:03 MDT." <199807210257.UAA00240@lariat.lariat.org> Date: Mon, 20 Jul 1998 20:55:44 -0700 Message-ID: <27249.900993344@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Possibly. But in this case, by the time I found out about the problem, > someone else could already have fixed it and it could have been installed > automatically on the system. 
> Why re-implement the wheel or duplicate
> another's effort?

To jump in on Brett's side for a second here (wow! :), I would also like to say that an "automatic updating service" like this would probably do more good than harm in the long run and is probably worth pursuing. However, due to general lack of time and resources in the project coupled with the important fact that I wouldn't want the project to be behind the legal 8-ball the first time this auto-update mechanism was compromised into an "auto-crack" mechanism, I'd sooner see this put together on an entirely INFORMAL basis by someone outside the project. It's not something I think we need or want to get into the middle of.

Code up a proof of concept, deal with the security issues behind implementing it and see who you can sign up as "customers" of such a mechanism. I'd be perfectly happy to see Brett lead an effort like that and, since he's now sort of put himself on the spot by suggesting it, will direct anyone wishing to get involved in such an effort to Brett's doorstep.

- Jordan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Mon Jul 20 21:02:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA05490 for freebsd-security-outgoing; Mon, 20 Jul 1998 21:02:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from zeus.theinternet.com.au (akm@zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA05432 for ; Mon, 20 Jul 1998 21:02:24 -0700 (PDT) (envelope-from akm@zeus.theinternet.com.au)
Received: (from akm@localhost) by zeus.theinternet.com.au (8.8.7/8.8.7) id NAA28466; Tue, 21 Jul 1998 13:58:18 GMT (envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199807211358.NAA28466@zeus.theinternet.com.au>
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807210257.UAA00240@lariat.lariat.org> from Brett Glass at "Jul 20, 98 08:57:03 pm" To: brett@lariat.org (Brett Glass) Date: Tue, 21 Jul 1998 13:58:18 +0000 (GMT) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ Brett Glass ]--------------------------------------------- | At 10:41 AM 7/21/98 +0000, Andrew Kenneth Milton wrote: | | >So fix it. | > | >If you can't fix it, wait for it to be fixed. | >If you can't wait for it to be fixed either change to a different | >vendor implementation or shut down. | | Possibly. But in this case, by the time I found out about the problem, | someone else could already have fixed it and it could have been installed | automatically on the system. Why re-implement the wheel or duplicate | another's effort? In which case you are waiting for it to be fixed. You can always have your system update ports automatically. And in the specific case of qpopper, depending on whose patch you trusted the most, you'd have non-functioning software, automatically, but, still non-functioning. | >While these choice might be inconvenient, they are all you have. | | The point is that they're not. It'd be nice to get an automatic update | that closes the hole. I might create the new version sometimes, but | there's no reason for each person to do it every time. But, this is not the case. The bug was fixed, the patches were released, and you could have had the software rebuilt and reinstalled, as soon as the tree was updated. | Well, the first thing I might "whinge" about is your spelling. But | after I get through ribbing you about that, I'll continue to mount an | effort to come up with a more sensible solution than trying to close | every security hole myself, thank you. And how do you spell colour? Security isn't a pastime, it's a career. 
You have to have some level of commitment to it; it doesn't happen by accident.

| >And BTW C doesn't kill people, C Programmers kill people.
|
| In either case, the solution is to fix C or move to something else.

C is not broken. The solution is for software houses to have quality systems in place to prevent things like buffer overflows. If you want to use free, possibly unmaintained (by the author) software, then you have to accept the risks of doing so.

Your system is hosed because you made the conscious choice of picking one vendor over another. If it means that much to you, you should test software before you install it on a live system. If you can't be bothered to do that, make sure you have good business insurance and get on with your life.

You chose and installed the software, which you blatantly didn't trust because it was written in C, but failed to test it, even though you had a low level of trust in it.

Your better system is within your grasp: you could identify problems that exist before they become security holes, submit bug reports, and take measures to prevent problems in the meantime.

You don't want to test it? Don't have the time? That's your calculated risk; weigh up what it costs you to test vs how much it costs you if your system is compromised. Don't simply dream of nirvana and complain when you wake up at home.

I don't know of any popmail software written in Ada. When I find some I'll let you know.
-- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 403 Booval QLD Australia 4304 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jul 20 22:08:52 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA13679 for freebsd-security-outgoing; Mon, 20 Jul 1998 22:08:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA13672 for ; Mon, 20 Jul 1998 22:08:51 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.iserver.com; Mon, 20 Jul 1998 23:08:34 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma013552; Mon, 20 Jul 98 23:08:13 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.5) id WAA07156; Mon, 20 Jul 1998 22:57:00 -0600 (MDT) Date: Mon, 20 Jul 1998 22:57:00 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-Reply-To: <199807202328.RAA26899@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 20 Jul 1998, Brett Glass wrote: > One of the programmers in charge of maintaining that code wrote me as > follows just yesterday: > > You are right about sprintf and vsprintf may cause the overflows. > What I did in 2.5 is to contain the external values (mostly user generated) > as a quick patch. I guess using those calls for internal data (where the > size is known) is safe. 
>
> In short, time to take the tool out of the shop. If it's even THERE, students
> unclear on the concept will kill themselves.

I personally feel the official Qualcomm patch is pretty weak, which is why I have opted to craft my own patch instead. Instead of squashing the bug in pop_msg() by using vsnprintf() instead of vsprintf(), the Qualcomm developers have opted instead to try to limit the length of arguments passed in calls to pop_msg(). Huh? Why not cut to the chase and address the real bug instead of applying lots and lots of Band-Aids all over the place? What if they missed a few calls? It sounds like the developers have not learned from their mistakes. Will it take another nasty spree of root compromises to penetrate their heads?

> > Consider Bugtraq and the other popular security mailing lists as required
> > reading. Absolutely. None of these holes would have taken you by
> > surprise if you had diligently read these lists.
>
> Not necessarily. An exploit can be used long before it hits the lists.

Well, of course. I think we all know that. I was making reference to the qpopper bug specifically, though. Big news scoops like the popper hole have a way of breaking on public lists, despite anybody's best efforts.

Were you compromised before or after June 27? The first public posting that I am aware of regarding the vsprintf() overflow in Qualcomm popper was posted to Bugtraq on June 27, 1998. Check it out at:

http://www.netspace.org/cgi-bin/wa?A2=ind9806D&L=bugtraq&P=R3472

The first publicly posted i386 BSD exploit for this hole that I am aware of was posted to Bugtraq on June 30, 1998 (pretty quick, eh?). Check it out at:

http://www.netspace.org/cgi-bin/wa?A2=ind9806E&L=bugtraq&P=R1313

Don't get me wrong ... I'm bummed that you got hacked. BUT, make sure that you aren't letting your emotions get the better of level-headed and rational thinking in response to the compromise.
If you were compromised after June 27, 1998, you could have prevented the situation by reading Bugtraq and freebsd-security. The list traffic spiked in volume as a result of the disclosure, so it would have been hard to miss. Trust me on one thing, though. If you can thwart the script kiddies, you'll solve over 99% of your possible problems. It sounds like you weren't hit by a skilled cracker. The ones you don't even know about are the ones you should fear the most, but those are far and away less numerous. Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 00:34:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA00331 for freebsd-security-outgoing; Tue, 21 Jul 1998 00:34:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA00325 for ; Tue, 21 Jul 1998 00:34:28 -0700 (PDT) (envelope-from peter.jeremy@alcatel.com.au) Received: from mfg1.cim.alcatel.com.au ("port 3760"@[139.188.23.1]) by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IZO525QM8W00007X@gatekeeper.alcatel.com.au> for security@FreeBSD.ORG; Tue, 21 Jul 1998 17:22:16 +1000 Received: from gsms01.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #23324) with ESMTP id <01IZO2S58WCGJIZ28O@cim.alcatel.com.au> for security@FreeBSD.ORG; Tue, 21 Jul 1998 16:14:59 +1000 Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3) id QAA19838 for security@FreeBSD.ORG; Tue, 21 Jul 1998 16:14:58 +1000 (EST) Date: Tue, 21 Jul 1998 16:14:58 +1000 (EST) From: Peter Jeremy Subject: Re: The 99,999-bug question: Why can you execute from the stack? 
To: security@FreeBSD.ORG Message-id: <199807210614.QAA19838@gsms01.alcatel.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 20 Jul 1998 14:57:53 -0600 (MDT), Paul Hart wrote: >I will not argue with the statement that C gives you the potential to hurt >yourself. It does. BUT, so do power tools, knives, and blunt objects. And just moving to Modula-3, Ada, APL, Lisp, Scheme, Smalltalk or your personal language-du-jour doesn't automatically fix the problem. The first Ariane-5 rocket had to be destroyed shortly after launch - due to a bug in its Ada software. Secure, robust code is hard to write in any language. C just makes it a lot easier to write bad code. >Instead of using strcpy(), use strncpy(). The semantics of strncpy() (and strncat()) are not what I would consider obvious. A naive replacement of strcpy() with strncpy() will not solve all buffer overflow problems - whilst you can't overrun the buffer you strncpy()'d into, it may no longer be NUL-terminated, which could be exploited later. Less importantly, strncpy() is also very inefficient in the (common) case where large buffers are allocated to contain (normally) short strings. IMHO, in general you would be better off defining two functions: char *strxcpy(char *DST, const char *SRC, size_t LEN) copy at most LEN-1 characters from SRC to DST. Always NUL-terminate the result. char *strxcat(char *DST, const char *SRC, size_t LEN) concatenate SRC onto the end of DST, to a maximum total length of LEN-1 characters. Always NUL-terminate the result. > As a simple example, your entire qpopper problem would have been >non-existent if the programmer would have used vsnprintf() instead of >vsprintf(). There is a portability problem here. For maximum portability, you need to limit yourself to the Standard C Library - which doesn't include either [v]snprintf() or any of the building blocks to easily implement it. 
A simple (integer-only and non-reentrant) [v]snprintf() is about 320 lines
(eg the one in X11R6.3).

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5247

From owner-freebsd-security Tue Jul 21 00:38:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA00889 for freebsd-security-outgoing; Tue, 21 Jul 1998 00:38:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA00853 for ; Tue, 21 Jul 1998 00:38:39 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id TAA10219; Tue, 21 Jul 1998 19:37:12 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Tue, 21 Jul 1998 19:37:10 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Garance A Drosihn
cc: Paul Hart , Brett Glass , security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Garance A Drosihn wrote:

> At 2:57 PM -0600 7/20/98, Paul Hart wrote:
> >On Mon, 20 Jul 1998, Brett Glass wrote:
> >
> >> I would argue that the real problem is unsafe tools. C and its libraries
> >> have, from the start, been rusty, and unsafe, with no safeguards against
> >> cutting one's head off.
> >
> > Often times "being careful" just means rethinking your C coding style.
> > Instead of using strcpy(), use strncpy(). That's not too hard of a change,
> > is it?
> > As a simple example, your entire qpopper problem would have been
> > non-existent if the programmer would have used vsnprintf() instead of
> > vsprintf(). Funny what a difference a single character makes.
>
> It is not a hard change. That, however, is no consolation to anyone
> nailed by this. The fact is that QPOPPER did use vsprintf, and that
> (apparently) no one noticed it. It wasn't *Brett's* coding style that
> will cause *Brett* to lose a few weeks of time here.
>
> Perhaps we could think up some changes which would make these bad
> coding decisions much more obvious. And if we do that, then maybe we
> catch more of them before getting bitten by them, instead of after the
> fact. I don't mean to be inflammatory here, I just wonder if there's
> some changes which could be made which would save "future Brett's" from
> losing a large chunk of time.

-- cut --
#!/bin/sh
for i in `ls /bin/* /usr/bin/* /usr/local/bin/*`
do
	strings $i | grep vsprintf | sed -e "s|^|$i: |"
done
-- cut --

Yikes.
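Peter Jeremy's strxcpy()/strxcat() specification earlier in this thread, beside the strncpy() pitfall he describes and the strcpy()-to-strncpy() advice quoted above, as an added example: this is not code from the thread or from any project it names. The names strxcpy and strxcat are his; the bodies, the two check helpers (strncpy_leaves_unterminated, strncpy_padding_bytes) and the demo_buf scratch buffer are ours, and the code assumes only the C89 library.

```c
#include <stdio.h>
#include <string.h>

/* Copy at most len-1 characters of src into dst and always NUL-terminate
 * (with len == 0 nothing can be written, not even the terminator). */
char *strxcpy(char *dst, const char *src, size_t len)
{
    size_t i;

    if (len == 0)
        return dst;
    for (i = 0; i < len - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';          /* always inside the buffer: i <= len-1 */
    return dst;
}

/* Append src to dst so the total length is at most len-1 characters, always
 * NUL-terminating. A dst that has no NUL within len bytes is left untouched
 * rather than scanned past its end. */
char *strxcat(char *dst, const char *src, size_t len)
{
    size_t used = 0;

    while (used < len && dst[used] != '\0')
        used++;
    if (used == len)
        return dst;         /* dst unterminated within len: refuse to append */
    strxcpy(dst + used, src, len - used);
    return dst;
}

/* The pitfall: when src has n or more characters, strncpy() fills all n bytes
 * and writes no NUL. Returns 1 if the 4-byte buffer is left unterminated. */
int strncpy_leaves_unterminated(void)
{
    char buf[4];

    memset(buf, 'X', sizeof buf);
    strncpy(buf, "ABCDEF", sizeof buf);      /* writes 'A','B','C','D' only */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* The cost Peter mentions: strncpy() zero-fills the rest of the destination,
 * so copying "hi" into 64 bytes writes 62 extra bytes. Returns that count. */
size_t strncpy_padding_bytes(void)
{
    char buf[64];
    size_t i, zeros = 0;

    memset(buf, 'X', sizeof buf);
    strncpy(buf, "hi", sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] == '\0')
            zeros++;
    return zeros;
}

/* Scratch buffer for the demonstration below (constructed, 8 bytes). */
char demo_buf[8];

int main(void)
{
    printf("strncpy() left buffer unterminated: %d\n", strncpy_leaves_unterminated());
    printf("strncpy() zero-padded %lu bytes\n", (unsigned long)strncpy_padding_bytes());

    strxcpy(demo_buf, "ABCDEFGHIJ", sizeof demo_buf);
    printf("strxcpy into 8 bytes: \"%s\"\n", demo_buf);      /* "ABCDEFG" */

    strxcpy(demo_buf, "abc", sizeof demo_buf);
    strxcat(demo_buf, "defghij", sizeof demo_buf);
    printf("strxcat into 8 bytes: \"%s\"\n", demo_buf);      /* "abcdefg" */
    return 0;
}
```

Truncation is silent here, as in Peter's specification; a caller that must know whether data was lost can compare strlen(src) against len-1 before the call.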
From owner-freebsd-security Tue Jul 21 01:23:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA05602 for freebsd-security-outgoing; Tue, 21 Jul 1998 01:23:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from iq.org (proff@polysynaptic.iq.org [203.4.184.222]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id BAA05597 for ; Tue, 21 Jul 1998 01:23:41 -0700 (PDT) (envelope-from proff@iq.org)
From: proff@iq.org
Received: (qmail 3946 invoked by uid 110); 21 Jul 1998 08:22:57 -0000
Message-ID: <19980721082257.3945.qmail@iq.org>
Subject: Re: f-greping across the universe
In-Reply-To: from Andrew McNaughton at "Jul 21, 98 07:37:10 pm"
To: andrew@squiz.co.nz
Date: Tue, 21 Jul 1998 18:22:57 +1000 (EST)
Cc: drosih@rpi.edu, hart@iserver.com, brett@lariat.org, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> -- cut --
> #!/bin/sh
> for i in `ls /bin/* /usr/bin/* /usr/local/bin/*`
> do
> strings $i | grep vsprintf | sed -e "s|^|$i: |"
> done
>
> -- cut --
>
> Yikes.

You can't just leak OpenBSD trade secrets like that. You must understand
the grueling hours Theo & friends spent creating their meister work.

Cheers,
Julian.
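The qpopper point made earlier in this thread (vsprintf() into a fixed buffer where vsnprintf() would have bounded the write), together with Peter Jeremy's caveat that [v]snprintf() was not in the Standard C Library of the day, as an added example: this is not code from qpopper, ssh or the thread. It assumes a C99 library, where vsnprintf() is standard and returns the length the complete message would have needed; the names vformat_bounded, format_bounded, send_debug, FMT_* and dbg are ours.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
/* Let the compiler check each format string against its arguments, so a
 * mismatched call is flagged at build time rather than found in an audit. */
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

enum { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/* Format into buf[buflen]. Never writes past the buffer, always leaves it
 * NUL-terminated, and reports whether the message had to be cut. A cut
 * message ends in "..." so whoever reads it can tell it is incomplete. */
int vformat_bounded(char *buf, size_t buflen, const char *fmt, va_list args)
{
    int n;

    if (buflen == 0)
        return FMT_ERROR;                   /* no room even for the NUL */
    n = vsnprintf(buf, buflen, fmt, args);
    buf[buflen - 1] = '\0';                 /* belt and braces */
    if (n < 0)
        return FMT_ERROR;                   /* encoding error (pre-C99 libraries also return -1 on truncation) */
    if ((size_t)n < buflen)
        return FMT_OK;
    if (buflen >= 4)
        memcpy(buf + buflen - 4, "...", 4);  /* marker replaces the tail, still inside the buffer */
    return FMT_TRUNCATED;
}

int format_bounded(char *buf, size_t buflen, const char *fmt, ...) PRINTF_LIKE(3, 4);
int send_debug(const char *fmt, ...) PRINTF_LIKE(1, 2);

int format_bounded(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list args;
    int rc;

    va_start(args, fmt);
    rc = vformat_bounded(buf, buflen, fmt, args);
    va_end(args);
    return rc;
}

/* Bounded counterpart of a "char buf[1024]; vsprintf(buf, fmt, args);"
 * debug routine. The text goes to stdout here instead of into a packet;
 * the format result is returned so a caller can log truncation. */
int send_debug(const char *fmt, ...)
{
    char buf[64];   /* deliberately small so truncation is easy to reach */
    va_list args;
    int rc;

    va_start(args, fmt);
    rc = vformat_bounded(buf, sizeof buf, fmt, args);
    va_end(args);
    if (rc == FMT_ERROR)
        return rc;
    printf("debug: %s%s\n", buf, rc == FMT_TRUNCATED ? " [truncated]" : "");
    return rc;
}

/* Scratch buffer for the checks below (constructed, 16 bytes). */
char dbg[16];

int main(void)
{
    char long_name[200];    /* constructed input longer than any buffer here */

    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    send_debug("connected to %s port %d", "host.example", 22);   /* fits */
    send_debug("user name rejected: %s", long_name);            /* cut, not overflowed */
    return 0;
}
```

A library that predates C99 may return -1 from vsnprintf() when the output does not fit; the code above then drops the message (FMT_ERROR) instead of trusting the buffer, which is the conservative choice when the two cases cannot be told apart.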
From owner-freebsd-security Tue Jul 21 01:39:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA07909 for freebsd-security-outgoing; Tue, 21 Jul 1998 01:39:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from relay.esat.net (relay.esat.net [192.111.39.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA07904 for ; Tue, 21 Jul 1998 01:39:31 -0700 (PDT) (envelope-from nialls@euristix.ie)
Received: from (euristix.ie) [193.120.210.2] by relay.esat.net with esmtp id 0yyXx0-0001br-00; Tue, 21 Jul 1998 09:39:11 +0100
Received: by gateway.euristix.ie id <19713>; Tue, 21 Jul 1998 09:37:36 +0100
Message-Id: <98Jul21.093736bst.19713@gateway.euristix.ie>
Date: Tue, 21 Jul 1998 10:39:29 +0100
From: Niall Smart
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 3.0-CURRENT i386)
MIME-Version: 1.0
To: Brett Glass
CC: Alexandre Snarskii , Warner Losh , Archie Cobbs , security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
References: <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <199807201714.LAA19993@lariat.lariat.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
>
> Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special
> hardware designed to guard against these exploits. The mechanisms
> they designed are called "segments" and "call gates" (among other
> things). And what do we do? We turn it off. In fact, Intel sees
> so few people using these vital features that it doesn't bother
> to speed them up in new CPU models, as they do other parts of
> the chip.
>
> In short, the hackers who want slightly more convenient "flat"
> address spaces have contributed in devastating ways to the problems
> we have now.

Eh? Call gates are entry points to different privilege levels. I don't see
how you intend to use them to stop the problem of the buffer overflow. The
primary reason for their existence is to provide OS developers with the
ability to layer the OS so that the TCP/IP stack can't munge the VM's data
structures for example.

Niall

From owner-freebsd-security Tue Jul 21 02:06:40 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA11388 for freebsd-security-outgoing; Tue, 21 Jul 1998 02:06:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA11376 for ; Tue, 21 Jul 1998 02:06:31 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id KAA03830; Tue, 21 Jul 1998 10:06:10 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by bofh.fast.net.uk (8.8.8/8.8.5) with SMTP id KAA28076; Tue, 21 Jul 1998 10:06:11 +0100 (BST)
Date: Tue, 21 Jul 1998 10:06:11 +0100 (BST)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: Andrew McNaughton
cc: Garance A Drosihn , Paul Hart , Brett Glass , security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > It is not a hard change. That, however, is no consolation to anyone
| > nailed by this. The fact is that QPOPPER did use vsprintf, and that
| > (apparently) no one noticed it.
| > It wasn't *Brett's* coding style that
| > will cause *Brett* to lose a few weeks of time here.
| >
| > Perhaps we could think up some changes which would make these bad
| > coding decisions much more obvious. And if we do that, then maybe we
| > catch more of them before getting bitten by them, instead of after the
| > fact. I don't mean to be inflammatory here, I just wonder if there's
| > some changes which could be made which would save "future Brett's" from
| > losing a large chunk of time.
|
| -- cut --
| #!/bin/sh
| for i in `ls /bin/* /usr/bin/* /usr/local/bin/*`
| do
| strings $i | grep vsprintf | sed -e "s|^|$i: |"
| done
|
| -- cut --

You think that's bad?

su-2.01# find /bin /sbin /usr/bin /usr/sbin /usr/local/sbin /usr/local/bin -perm -4000 | awk '{ print "strings "$1" | grep vsprintf | sed -e \"s|^|"$1": |\"" }' >temp
su-2.01# sh ./temp
/usr/sbin/pppd: _vsprintf
/usr/local/sbin/amcheck: _vsprintf
/usr/local/bin/ssh: _vsprintf

I haven't had a chance to look at the ssh code but why would it need to use
vsprintf?? And also, why is it installed suid root? Amcheck's even more
worrying (part of the Amanda backup distrib.)

Mind you, none of these take input from STDIN or any other means so it
would probably be a lot harder to exploit.
su-2.01# uname -a
FreeBSD server1.fastnet.co.uk 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon Jun 22 17:33:00 BST 1998     kronus@anarchy.fast.net.uk:/usr/src/sys/compile/ANARCHY  i386
su-2.01#

Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Tue Jul 21 02:20:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA12956 for freebsd-security-outgoing; Tue, 21 Jul 1998 02:20:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA12856 for ; Tue, 21 Jul 1998 02:20:04 -0700 (PDT) (envelope-from peter.jeremy@alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au ("port 3760"@[139.188.23.1]) by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IZO525QM8W00007X@gatekeeper.alcatel.com.au> for security@FreeBSD.ORG; Tue, 21 Jul 1998 17:25:56 +1000
Received: from gsms01.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #U2695) with ESMTP id <01IZNW18VCG0JK9GH6@cim.alcatel.com.au>; Tue, 21 Jul 1998 13:01:30 +1000
Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3) id NAA10787; Tue, 21 Jul 1998 13:01:27 +1000 (EST)
Date: Tue, 21 Jul 1998 13:01:27 +1000 (EST)
From: Peter Jeremy
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
To: Don.Lewis@tsc.tdk.com
Cc: security@FreeBSD.ORG
Message-id: <199807210301.NAA10787@gsms01.alcatel.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998 14:30:33 -0700, Don Lewis wrote:
>In the situations where I've used code compiled this way, it seems
>to average about a factor of 20 more expensive in terms of CPU usage.

I have used this code in the past, and that sounds about right.

>If this is acceptable to you, feel free to get the GCC patches and
>recompile userland (or at least those pieces that are compatible
>with the bounds checker). See
>.

Note that this code is getting fairly old and doesn't appear to be
maintained. I am aware of the following undocumented bugs with it:
- str[n]casecmp() doesn't work when either string contains characters
  with the MSB set (I have submitted patches to fix this).
- side-effects in multi-dimensional array references are evaluated
  multiple times. In particular `foo[y++][x]' increments y by 2. (I can
  see why this is occurring, but I haven't been able to work out how to
  cleanly fix it).

Given the (documented) restrictions relating to signal handlers and
setjmp/longjmp, together with the second bug above, I don't believe it's
usable as a general-purpose debugging tool. I think this is unfortunate,
because it can be very useful.
Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5247

From owner-freebsd-security Tue Jul 21 02:35:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA15995 for freebsd-security-outgoing; Tue, 21 Jul 1998 02:35:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tyree.iii.co.uk (tyree.iii.co.uk [195.89.149.230]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA15990 for ; Tue, 21 Jul 1998 02:35:55 -0700 (PDT) (envelope-from nik@iii.co.uk)
From: nik@iii.co.uk
Received: from carrig.strand.iii.co.uk (carrig.strand.iii.co.uk [192.168.7.25]) by tyree.iii.co.uk (8.8.8/8.8.8) with ESMTP id KAA29611; Tue, 21 Jul 1998 10:35:29 +0100 (BST)
Received: (from nik@localhost) by carrig.strand.iii.co.uk (8.8.8/8.8.7) id KAA14102; Tue, 21 Jul 1998 10:34:28 +0100 (BST)
Message-ID: <19980721103427.52369@iii.co.uk>
Date: Tue, 21 Jul 1998 10:34:27 +0100
To: Nicholas Charles Brawn
Cc: Phil Gilley , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD ipfw Configuration Page
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.85e
In-Reply-To: ; from Nicholas Charles Brawn on Tue, Jul 21, 1998 at 11:13:53AM +1000
Organization: interactive investor
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jul 21, 1998 at 11:13:53AM +1000, Nicholas Charles Brawn wrote:
> If others think this is a worthwhile idea, could such pages be linked to
> from www.freebsd.org/security/security.html?

They could. If you've got a patch I'll cheerfully commit it.

N
--
Work: nik@iii.co.uk                    | FreeBSD + Perl + Apache
Rest: nik@nothing-going-on.demon.co.uk | Remind me again why we need
Play: nik@freebsd.org                  | Microsoft?
From owner-freebsd-security Tue Jul 21 02:36:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA16248 for freebsd-security-outgoing; Tue, 21 Jul 1998 02:36:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Tyr.office.EFN.org (root@[204.214.99.45]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA16242 for ; Tue, 21 Jul 1998 02:36:49 -0700 (PDT) (envelope-from spy@tyr.office.efn.org)
Received: from Tyr.office.EFN.org (IDENT:spy@Tyr.office.EFN.org [204.214.99.45]) by Tyr.office.EFN.org (8.9.0/8.9.0) with SMTP id CAA10083; Tue, 21 Jul 1998 02:36:15 -0700 (PDT)
Date: Tue, 21 Jul 1998 02:36:14 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: Jay Tribick
cc: security@FreeBSD.ORG
Subject: ssh vsprintf (was the lame whoose-language is better war)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Jay Tribick wrote:
>
> I haven't had a chance to look at the ssh code but why would it
> need to use vsprintf?? And also, why is it installed suid root?

from the configure --help for ssh-1.2.26

  --enable-suid-ssh       Install ssh as suid root (default)
  --disable-suid-ssh      Install ssh without suid bit

from the INSTALL that has come with every version of ssh.

CLIENT SUID ROOT, SERVER RUN AS ROOT

This package installs two programs that need special privileges. Ssh
is the client program, and it is by default installed as suid root,
because it needs to create a privileged port in order to use .rhosts
files for authentication. If it is not installed as suid root, it will
still be usable, but .rhosts authentication will not be available. Also, the
private host key file is readable by root only.
>Mind you, none of these take input from STDIN or any other
>means so it would probably be a lot harder to exploit.

On the contrary, if you glance through the ssh code for vsprintf it comes up
in the sshd and ssh packet creation code, as well as scp.c. Both of which do
take input from just about anything, including of course stdin.

from packet.c

    This file contains code implementing the packet protocol and communication
    with the other side. This same code is used both on client and server side.

    ...

    void packet_send_debug(const char *fmt, ...)
    {
      char buf[1024];
      ...
      va_start(args, fmt);
      vsprintf(buf, fmt, args);

>
> Regards,
>
> Jay Tribick

-ben@efn.org

From owner-freebsd-security Tue Jul 21 02:42:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA17199 for freebsd-security-outgoing; Tue, 21 Jul 1998 02:42:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA17183 for ; Tue, 21 Jul 1998 02:42:41 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id KAA05889; Tue, 21 Jul 1998 10:42:21 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by bofh.fast.net.uk (8.8.8/8.8.5) with SMTP id KAA28221; Tue, 21 Jul 1998 10:42:22 +0100 (BST)
Date: Tue, 21 Jul 1998 10:42:22 +0100 (BST)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: ben@efn.org
cc: security@FreeBSD.ORG
Subject: Re: Ssh vsprintf (was the lame whoose-language is better war)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > I haven't had a chance to look at the ssh code but why would it need to
| > use vsprintf?? And also, why is it installed suid root?
|
| This package installs two programs that need special privileges. Ssh
| is the client program, and it is by default installed as suid root,
| because it needs to create a privileged port in order to use .rhosts
| files for authentication. If it is not installed as suid root, it will
| still be usable, but .rhosts authentication will not be available. Also, the
| private host key file is readable by root only.

Hmm.. Just OOI why would it need to be suid root to read the .rhosts
file? Surely there's a better solution, maybe installing it sgid within
its own group?

| >Mind you, none of these take input from STDIN or any other
| >means so it would probably be a lot harder to exploit.
|
| On the contrary, if you glance through the ssh code for vsprintf it comes up
| in the sshd and ssh packet creation code, as well as scp.c. Both of which do
| take input from just about anything, including of course stdin.

I stand corrected - I haven't had a chance to look at the source code yet.
Has anyone done an audit on it?
Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Tue Jul 21 02:50:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA18263 for freebsd-security-outgoing; Tue, 21 Jul 1998 02:50:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA18252 for ; Tue, 21 Jul 1998 02:50:10 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id KAA06211 for ; Tue, 21 Jul 1998 10:49:50 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by bofh.fast.net.uk (8.8.8/8.8.5) with SMTP id KAA28241 for ; Tue, 21 Jul 1998 10:49:51 +0100 (BST)
Date: Tue, 21 Jul 1998 10:49:51 +0100 (BST)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: security@FreeBSD.ORG
Subject: GCC Bounds Checking
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If anyone's interested I found the GCC Bounds Checking page:

http://www-dse.doc.ic.ac.uk/~rj3/bounds-checking.html

Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Tue Jul 21 03:28:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org
    (8.8.8/8.8.8) id DAA22194 for freebsd-security-outgoing; Tue, 21 Jul 1998 03:28:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA22140 for ; Tue, 21 Jul 1998 03:27:53 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id KAA12724; Tue, 21 Jul 1998 10:27:14 GMT
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id MAA22417; Tue, 21 Jul 1998 12:27:13 +0200 (MET DST)
Message-ID: <19980721122712.06998@follo.net>
Date: Tue, 21 Jul 1998 12:27:12 +0200
From: Eivind Eklund
To: Brett Glass , "Gentry A. Bieker" , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
References: <199807201740.LAA20525@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <199807201740.LAA20525@lariat.lariat.org>; from Brett Glass on Mon, Jul 20, 1998 at 11:39:57AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jul 20, 1998 at 11:39:57AM -0600, Brett Glass wrote:
> At 11:28 AM 7/20/98 -0500, you wrote:
> >> You don't expect all of your software to automatically upgrade for
> >> you, do you?
>
> That's a darn good idea. Several Windows apps do this already. Why not
> the FreeBSD ports?

Because we/I haven't rolled in FreeBSD's cryptographic infrastructure yet?

Ideally, there should be an 'urgent upgrades' list that lets us push out
security-related upgrades from each release.

Eivind, who should nag his co-worker until those last three hours of
integration actually happen...
From owner-freebsd-security Tue Jul 21 03:40:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA24060 for freebsd-security-outgoing; Tue, 21 Jul 1998 03:40:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA23886 for ; Tue, 21 Jul 1998 03:39:55 -0700 (PDT) (envelope-from ark@eltex.ru)
From: ark@eltex.ru
Received: from eltex.ru (eltax-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id PAA14101; Tue, 21 Jul 1998 15:01:58 +0400 (MSD) (envelope-from ark@eltex.ru)
Received: from paranoid.eltex.spb.ru (border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with ESMTP id OAA03053; Tue, 21 Jul 1998 14:39:25 +0400 (MSD) (envelope-from ark@eltex.ru)
Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id OAA16327; Tue, 21 Jul 1998 14:38:15 GMT
Date: Tue, 21 Jul 1998 14:38:15 GMT
Message-Id: <199807211438.OAA16327@paranoid.eltex.spb.ru>
In-Reply-To: from "Jay Tribick "
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Ssh vsprintf (was the lame whoose-language is better war)
To: netadmin@fastnet.co.uk
Cc: ben@efn.org, security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Jay Tribick said :

>
> | > I haven't had a chance to look at the ssh code but why would it
> | > need to use vsprintf?? And also, why is it installed suid root?
> |
> | This package installs two programs that need special privileges. Ssh
> | is the client program, and it is by default installed as suid root,
> | because it needs to create a privileged port in order to use .rhosts
> | files for authentication.
> | If it is not installed as suid root, it will
> | still be usable, but .rhosts authentication will not be available. Also, the
> | private host key file is readable by root only.
>
> Hmm.. Just OOI why would it need to be suid root to read the .rhosts
> file? Surely there's a better solution, maybe installing it sgid
> within its own group?

AFAIR it is _client_ that needs root to initiate connection from a
privileged port. Mandatory for .rhosts authentication.

 _ _ _ _ _ _ _
{::} {::} {::}  CU in Hell  _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)  /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNbSn1qH/mIJW9LeBAQFj/gP+IT/WSU054BY1h0xVdywwFKQG7dhXY5tF
XOVQEyjwebGfhT6GelnVZoQINkTS/riutQEAZxQea/pM/0gcQVfDHQK0YFffhbaa
qPtFvnK1aR4gZddC9RyAdNRfKzwiuZ49txtCx6h4ulUXkxw33iBn3svkmZsH/uE5
zuXkjUJYWRU=
=Njv2
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jul 21 03:48:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA25186 for freebsd-security-outgoing; Tue, 21 Jul 1998 03:48:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA25181 for ; Tue, 21 Jul 1998 03:48:48 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id LAA09512; Tue, 21 Jul 1998 11:48:23 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by bofh.fast.net.uk (8.8.8/8.8.5) with SMTP id LAA28686; Tue, 21 Jul 1998 11:48:24 +0100 (BST)
Date: Tue, 21 Jul 1998 11:48:24 +0100 (BST)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: ark@eltex.ru
cc: ben@efn.org,
    security@FreeBSD.ORG
Subject: Re: Ssh vsprintf (was the lame whoose-language is better war)
In-Reply-To: <199807211438.OAA16327@paranoid.eltex.spb.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > | > I haven't had a chance to look at the ssh code but why would it
| > | > need to use vsprintf?? And also, why is it installed suid root?
| > |
| > | This package installs two programs that need special privileges. Ssh
| > | is the client program, and it is by default installed as suid root,
| > | because it needs to create a privileged port in order to use .rhosts
| > | files for authentication. If it is not installed as suid root, it will
| > | still be usable, but .rhosts authentication will not be available. Also, the
| > | private host key file is readable by root only.
| >
| > Hmm.. Just OOI why would it need to be suid root to read the .rhosts
| > file? Surely there's a better solution, maybe installing it sgid
| > within its own group?
|
| AFAIR it is _client_ that needs root to initiate connection from a
| privileged port. Mandatory for .rhosts authentication.

Yeah, you're right..

bash-2.00# whereis rlogin
rlogin: /usr/bin/rlogin /usr/share/man/man1/rlogin.1.gz /usr/src/usr.bin/rlogin
bash-2.00# cd /usr/bin
bash-2.00# chmod 755 rlogin
bash-2.00# su kronus
su-2.00$ rlogin kaos.fast.net.uk
rlogin: remote host doesn't support Kerberos: Connection refused
rcmd: socket: Permission denied
su-2.00$

|  _ _ _ _ _ _ _
| {::} {::} {::}  CU in Hell  _| o |_ | | _|| | / _||_| |_ |_ |_
| (##) (##) (##)  /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
| [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

Oh my god :) A FidoNet address? That still exists?
Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Tue Jul 21 04:20:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA00427 for freebsd-security-outgoing; Tue, 21 Jul 1998 04:20:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA00417 for ; Tue, 21 Jul 1998 04:20:51 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id FAA07335; Tue, 21 Jul 1998 05:20:28 -0600 (MDT)
Message-Id: <199807211120.FAA07335@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 21 Jul 1998 05:20:24 -0600
To: "Jordan K. Hubbard" , Garance A Drosihn
From: Brett Glass
Subject: Re: Projects to improve security (related to C)
Cc: security@FreeBSD.ORG
In-Reply-To: <27231.900993063@time.cdrom.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 08:51 PM 7/20/98 -0700, Jordan K. Hubbard wrote:

>> However, I don't want to just drop this issue either. Could we think
>> of projects we could do in the next few months, for instance, which
>> might help us to improve security? Even if we won't have time to
>
>Audit. Audit audit audit.

More like audit, audit, audit, audit, audit, audit, audit.... Ad
infinitum. Ad nauseam. Unreliably. Missing all sorts of holes and
bugs. It's not only tedious -- it also doesn't work.

Again, quality and security shouldn't be tested in.
Or audited in (which is worse, because it misses much more than a
mechanical test).

--Brett

From owner-freebsd-security Tue Jul 21 04:23:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA00882 for freebsd-security-outgoing; Tue, 21 Jul 1998 04:23:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA00864 for ; Tue, 21 Jul 1998 04:23:09 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id EAA08138; Tue, 21 Jul 1998 04:21:57 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
To: Brett Glass
cc: Garance A Drosihn , security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-reply-to: Your message of "Tue, 21 Jul 1998 05:20:24 MDT." <199807211120.FAA07335@lariat.lariat.org>
Date: Tue, 21 Jul 1998 04:21:56 -0700
Message-ID: <8134.901020116@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> More like audit, audit, audit, audit, audit, audit, audit.... Ad
> infinitum. Ad nauseam. Unreliably. Missing all sorts of holes and
> bugs. It's not only tedious -- it also doesn't work.

I suspect Theo would disagree with you, but short of switching everyone
over to Java or installing a series of band-aid patches which only fix
_some_ of the problems (and, in security, that really is locking the door
while leaving the window open) I fail to see how you intend to deal with
it in any more pragmatic a fashion.
- Jordan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 04:53:28 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA05937 for freebsd-security-outgoing; Tue, 21 Jul 1998 04:53:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id EAA05908 for ; Tue, 21 Jul 1998 04:53:14 -0700 (PDT) (envelope-from sthaug@nethelp.no) From: sthaug@nethelp.no Received: (qmail 14725 invoked by uid 1001); 21 Jul 1998 11:52:52 +0000 (GMT) To: netadmin@fastnet.co.uk Cc: security@FreeBSD.ORG Subject: Re: Ssh vsprintf (was the lame whoose-language is better war) In-Reply-To: Your message of "Tue, 21 Jul 1998 11:48:24 +0100 (BST)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Tue, 21 Jul 1998 13:52:52 +0200 Message-ID: <14723.901021972@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> | AFAIR it is _client_ that needs root to initiate connection from a
> | privileged port. Mandatory for .rhosts authentication.
>
> Yeah, you're right..

But most of the time when you use SSH you don't *need* .rhosts type "authentication" - because you're using RSA authentication or password over an encrypted channel.

If you don't need .rhosts "authentication", it's a good idea to turn off setuid root for the ssh client.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 05:27:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA10114 for freebsd-security-outgoing; Tue, 21 Jul 1998 05:27:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns.cityip.co.za (ns.cityip.co.za [196.25.223.140]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id FAA10006 for ; Tue, 21 Jul 1998 05:26:52 -0700 (PDT) (envelope-from wjv@cityip.co.za) Received: from wjv by ns.cityip.co.za with local (Exim 1.82 #2) id 0yybTP-00018j-00; Tue, 21 Jul 1998 14:24:51 +0200 Message-ID: <19980721142451.A4361@cityip.co.za> Date: Tue, 21 Jul 1998 14:24:51 +0200 From: Johann Visagie To: Philippe Regnauld Cc: security@FreeBSD.ORG Subject: Re: ipfw & icmp question References: <19980530234807.14632@deepo.prosa.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91.1i In-Reply-To: <19980530234807.14632@deepo.prosa.dk>; from Philippe Regnauld on Sat, May 30, 1998 at 11:48:08PM +0200 X-PGP: ftp://ftp.cityip.co.za/users/wjv/pubkey.asc X-URL: http://www.cityip.co.za/~wjv/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 30 May 1998 at 23:48 SAT, Philippe Regnauld wrote: > > I am a bit puzzled regarding the following situation: > > I have a machine with IPFW setup to send "port unreachable" if > a connection attempt is made on port 113/TCP (identd). The policy > is default deny. Here is what happens when I do "telnet host 113" Sorry, can't help you with that one. I just allow queries to 113/tcp and make sure there's nothing running on the port. 
*shrug*

> PS: in the /etc/rc.firewall (2.2.6 still), one rule says
> for the "Simple firewall setup":
>
> # Allow DNS queries out in the world
> /sbin/ipfw add pass udp from any 53 to ${oip}
> /sbin/ipfw add pass udp from ${oip} to any 53
>
> This is a bit confusing -- from reading the rules, I understand:
>
> "Allow DNS queries, from out in the world, to us", while
> the formulation above says "Allow DNS queries from inside/here
> out into the world".

Nope, your resolver library will originate the query on an arbitrary port greater than 1023, and connect to 53/udp on the remote nameserver. The remote nameserver returns the reply from its port 53 to your arbitrary port. The above rules allow _your_ host to query a remote host, as the comment indicates.

To enable it the other way round:

/sbin/ipfw add pass udp from ${oip} 53 to any
/sbin/ipfw add pass udp from any to ${oip} 53

However, it may not be necessary to add the above rules, since most resolver libraries will try to query via TCP if UDP fails, i.e. you can simply add:

/sbin/ipfw add pass tcp from any to ${oip} 53 setup

(Assuming you allow already established connections by default elsewhere.)
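To make the direction of those two rule pairs concrete, the following is an added example for this page, not part of the original reply and not ipfw itself: a minimal first-match filter in C that applies each pair to the four datagrams of a DNS exchange, plus one datagram that is not DNS at all. The addresses 192.0.2.10 (standing in for ${oip}) and 198.51.100.53 (a remote nameserver), the client ports and the function names are all constructed for the demonstration.

```c
/* Added example for this page (not from the thread and not ipfw itself):
 * a minimal first-match packet filter that evaluates "pass udp from A P to
 * B Q" rules the way ipfw does, applied to the two DNS rule pairs above.
 * OIP, NS and the port numbers are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

#define OIP "192.0.2.10"      /* stands in for ${oip}, our own host     */
#define NS  "198.51.100.53"   /* a remote nameserver                    */
#define ANY "any"             /* wildcard address, as in the rule text  */
#define ANY_PORT 0            /* rule gives no port: any port matches   */

struct pkt  { const char *src; int sport; const char *dst; int dport; };
struct rule { const char *src; int sport; const char *dst; int dport; };

static int addr_match(const char *r, const char *p) {
    return strcmp(r, ANY) == 0 || strcmp(r, p) == 0;
}
static int port_match(int r, int p) { return r == ANY_PORT || r == p; }

/* First matching pass rule wins; with a default-deny policy, no match
 * means the packet is dropped. Returns 1 for pass, 0 for deny. */
int filter(const struct rule *rules, int n, const struct pkt *p) {
    int i;
    for (i = 0; i < n; i++)
        if (addr_match(rules[i].src, p->src) && port_match(rules[i].sport, p->sport) &&
            addr_match(rules[i].dst, p->dst) && port_match(rules[i].dport, p->dport))
            return 1;
    return 0;
}

/* The rc.firewall pair: lets OUR resolver query nameservers out there. */
static const struct rule outbound_dns[] = {
    { ANY, 53,       OIP, ANY_PORT },  /* pass udp from any 53 to ${oip} */
    { OIP, ANY_PORT, ANY, 53       },  /* pass udp from ${oip} to any 53 */
};
/* The mirrored pair: lets the world query a nameserver ON ${oip}. */
static const struct rule inbound_dns[] = {
    { OIP, 53,       ANY, ANY_PORT },  /* pass udp from ${oip} 53 to any */
    { ANY, ANY_PORT, OIP, 53       },  /* pass udp from any to ${oip} 53 */
};

/* The four datagrams of two DNS exchanges, as the filter sees them. The
 * resolver picks an unprivileged source port (1234 and 4567 here). */
static const struct pkt our_query   = { OIP, 1234, NS,  53   };
static const struct pkt their_reply = { NS,  53,   OIP, 1234 };
static const struct pkt their_query = { NS,  4567, OIP, 53   };
static const struct pkt our_reply   = { OIP, 53,   NS,  4567 };
/* Not DNS at all: a datagram to port 111 whose sender chose source port 53. */
static const struct pkt spoofed     = { NS,  53,   OIP, 111  };

int outbound_allows(const struct pkt *p) { return filter(outbound_dns, 2, p); }
int inbound_allows(const struct pkt *p)  { return filter(inbound_dns, 2, p); }

int main(void) {
    const struct pkt *pkts[] = { &our_query, &their_reply, &their_query, &our_reply, &spoofed };
    const char *names[] = { "our query", "their reply", "their query", "our reply", "sport-53 to 111" };
    int i;
    printf("%-16s %-8s %s\n", "packet", "outbound", "inbound");
    for (i = 0; i < 5; i++)
        printf("%-16s %-8s %s\n", names[i],
               outbound_allows(pkts[i]) ? "pass" : "deny",
               inbound_allows(pkts[i]) ? "pass" : "deny");
    return 0;
}
```

Built and run (cc -o dnsrules dnsrules.c && ./dnsrules), the table shows the rc.firewall pair passing only our query and its reply, and the mirrored pair passing only a foreign query and our answer to it, which is what the comment in rc.firewall means. The last row is the caveat a practitioner should check on the original pair: pass udp from any 53 to ${oip} admits any datagram whose sender set source port 53, whatever its destination port, because a stateless rule cannot tell a reply from an unsolicited packet; a stateful rule that remembers the outbound query (ipfw's keep-state) closes that gap.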
-- V Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 05:34:14 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA11130 for freebsd-security-outgoing; Tue, 21 Jul 1998 05:34:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns.cityip.co.za (ns.cityip.co.za [196.25.223.140]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id FAA10642 for ; Tue, 21 Jul 1998 05:30:56 -0700 (PDT) (envelope-from wjv@cityip.co.za) Received: from wjv by ns.cityip.co.za with local (Exim 1.82 #2) id 0yybXg-000192-00; Tue, 21 Jul 1998 14:29:16 +0200 Message-ID: <19980721142916.B4361@cityip.co.za> Date: Tue, 21 Jul 1998 14:29:16 +0200 From: Johann Visagie To: Steve Reid , freebsd-security@FreeBSD.ORG Subject: Re: /usr/sbin/named References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91.1i In-Reply-To: ; from Steve Reid on Sun, May 31, 1998 at 11:56:23PM -0700 X-PGP: ftp://ftp.cityip.co.za/users/wjv/pubkey.asc X-URL: http://www.cityip.co.za/~wjv/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sun, 31 May 1998 at 23:56 SAT, Steve Reid wrote:
>
> Is /usr/sbin/named as distributed with FreeBSD 2.2.6-RELEASE vulnerable
> to known exploits?

If it had been vulnerable you would've been hacked already. :-) There was widespread exploitation of that hole, especially after the release of mscan. From what I can establish, no recent versions of FreeBSD are vulnerable OOTB, since the named is /not/ compiled with inverse queries enabled by default. I've tried the exploit on a number of machines to no avail. (On the other hand, many RedHat Linux machines are vulnerable, depending on which version of RedHat's named RPM is installed.)
-- V Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 06:01:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA14865 for freebsd-security-outgoing; Tue, 21 Jul 1998 06:01:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mb05.swip.net (mb05.swip.net [193.12.122.209]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA14860 for ; Tue, 21 Jul 1998 06:01:30 -0700 (PDT) (envelope-from mg24174@gaia.swipnet.se) Received: from nic.swipnet.se (dialup159-2-53.swipnet.se [130.244.159.117]) by mb05.swip.net (8.8.8/8.8.8) with ESMTP id PAA21950 for ; Tue, 21 Jul 1998 15:01:11 +0200 (MET DST) Message-ID: <35B48FB3.E1F434AA@gaia.swipnet.se> Date: Tue, 21 Jul 1998 14:55:15 +0200 From: joppe X-Mailer: Mozilla 4.0 [en] (Win95; I) MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org subscribe freebsd-security To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 06:05:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA15504 for freebsd-security-outgoing; Tue, 21 Jul 1998 06:05:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA15490 for ; Tue, 21 Jul 1998 06:05:30 -0700 (PDT) (envelope-from ark@eltex.ru) From: ark@eltex.ru Received: from eltex.ru (eltax-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id RAA14419; Tue, 21 Jul 1998 17:27:12 +0400 (MSD) 
(envelope-from ark@eltex.ru) Received: from paranoid.eltex.spb.ru (border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with ESMTP id RAA03411; Tue, 21 Jul 1998 17:04:41 +0400 (MSD) (envelope-from ark@eltex.ru) Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id RAA16737; Tue, 21 Jul 1998 17:03:32 GMT Date: Tue, 21 Jul 1998 17:03:32 GMT Message-Id: <199807211703.RAA16737@paranoid.eltex.spb.ru> In-Reply-To: <14723.901021972@verdi.nethelp.no> from "sthaug@nethelp.no" Organization: "Klingon Imperial Intelligence Service" Subject: Re: Ssh vsprintf (was the lame whoose-language is better war) To: sthaug@nethelp.no Cc: netadmin@fastnet.co.uk, security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

sthaug@nethelp.no said :

> > | AFAIR it is _client_ that needs root to initiate connection from a
> > | privileged port. Mandatory for .rhosts authentication.
> >
> > Yeah, you're right..
>
> But most of the time when you use SSH you don't *need* .rhosts type
> "authentication" - because you're using RSA authentication or password
> over an encrypted channel.
>
> If you don't need .rhosts "authentication", it's a good idea to turn
> off setuid root for the ssh client.

afair RSArhosts needs privileged port as well..

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
-----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBNbTJ4qH/mIJW9LeBAQH9sgP5ASi2tYY0Qbp2GUxl3MMLE1/MgBIjti0d /ypgW0eVAbp0K5Nr0ZAVdZKzP4QNxq9IIxBDJDoa1YRd3hvdfEUUyZuyl4JWdNcE aE2xuyJR63O0SPFWFLaqRzcs7ZSy9qcPz9qsf+fzUMLwaNjUpRS1avOC5sOjdt3F 1Vv5OM5iOOg= =cF4h -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 06:24:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA18140 for freebsd-security-outgoing; Tue, 21 Jul 1998 06:24:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gizmo.dimension.net (gizmo.dimension.net [209.12.7.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA18133 for ; Tue, 21 Jul 1998 06:24:34 -0700 (PDT) (envelope-from jaitken@dimension.net) Received: (from jaitken@localhost) by gizmo.dimension.net (8.8.8/8.8.8) id JAA03501; Tue, 21 Jul 1998 09:24:02 -0400 (EDT) From: Jeff Aitken Message-Id: <199807211324.JAA03501@gizmo.dimension.net> Subject: Re: Projects to improve security (related to C) In-Reply-To: <199807211120.FAA07335@lariat.lariat.org> from Brett Glass at "Jul 21, 98 05:20:24 am" To: brett@lariat.org (Brett Glass) Date: Tue, 21 Jul 1998 09:24:01 -0400 (EDT) Cc: jkh@time.cdrom.com, drosih@rpi.edu, security@FreeBSD.ORG Reply-to: jaitken@dimension.net X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett Glass writes: > At 08:51 PM 7/20/98 -0700, Jordan K. Hubbard wrote: > >Audit. Audit audit audit. > > More like audit, audit, audit, audit, audit, audit, audit.... Ad > infinitum. Ad nauseam. Unreliably. Missing all sorts of holes and > bugs. It's not only tedious -- it also doesn't work. > > Again, quality and security shouldn't be tested in. 
Or audited in
> (which is worse, because it misses much more than a mechanical
> test).

Hello?! Earth to Brett? Have we met?

While what you're saying looks good on paper, I am reminded of a quote I saw while in college: "In theory, there's no difference between theory and practice, but in practice there is."

So in theory, it would be nice if everyone would design security into what they write (even if they are writing it for free, in their spare time, because they enjoy it, not because they want you to use it for mission-critical systems). In theory, programming languages would make it difficult if not impossible for you to shoot yourself in the foot. In theory, mistakes can be avoided if we're careful enough. In theory, if we're not satisfied with the quality of a piece of code (e.g., qpopper) there should be someone willing to drop everything he is doing to write a replacement.

Here in the real world, however, a slightly different set of rules applies. C lets you shoot yourself in the foot with remarkable ease. Nonetheless, we use operating systems written in C. We depend upon applications written in C. There are millions and millions of lines of existing C code, and NO ONE IN THEIR RIGHT MIND is going to recode all of it in another language in the fruitless hope that it will eliminate security flaws. (Never mind the fact that this *wouldn't* fix many of them anyway).

Here in the real world, practicality reigns. We have a limited number of very devoted volunteers who bust their ass to give us a remarkably secure and stable operating system. Others do a tremendous amount of work to give us ported applications, so that we end users can just concentrate on *using* the system for our own purposes.

If you really care about this, then step down off the soapbox, take off the rose-colored glasses, and help fix what's broken. Preaching to the choir is not going to get anything done.
--Jeff

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 06:33:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA19136 for freebsd-security-outgoing; Tue, 21 Jul 1998 06:33:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gilgamesch.bik-gmbh.de (gilgamesch.bik-gmbh.de [194.233.237.91]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA19127 for ; Tue, 21 Jul 1998 06:33:26 -0700 (PDT) (envelope-from cracauer@gilgamesch.bik-gmbh.de) Received: (from cracauer@localhost) by gilgamesch.bik-gmbh.de (8.8.8/8.7.3) id PAA00874 for security@freebsd.org; Tue, 21 Jul 1998 15:37:15 +0200 (MET DST) Message-ID: <19980721153715.A714@bik-gmbh.de> Date: Tue, 21 Jul 1998 15:37:15 +0200 From: Martin Cracauer To: security@FreeBSD.ORG Subject: Re: Projects to improve security (related to C) References: <199807201732.LAA20377@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.1i In-Reply-To: ; from Garance A Drosihn on Mon, Jul 20, 1998 at 09:48:11PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

All this talk about "unsafe" C being the reason for breakable programs is misguided in my opinion. If you switch to a language with bounds checks, you will depend on the language runtime and I think that makes matters worse, not better. Even if you wrote correct code yourself, you might be vulnerable. Examples:

Sun's JVM isn't a real example of excellent memory management, I would bet it has buffer overruns as well. I certainly trust my own C coding in usual chunks more than I trust the JVM coding for the entire runtime.

If you use a highly-optimizing Just-in-time compiler for whatever language you will have the compiler remove bounds checks in cases when it thinks it is safe. This is a very complex task, hopefully not so complex that the program doesn't work, but solving this task so that the system is resistant against intentional attacks by highly-skilled people is a different matter.

In Common Lisp you usually have a switch to control bounds checking at runtime, and high-performance network server software will probably have switched it off by default. As comfortable as Common Lisp with its default to bounds checks may be, as unintuitive can it become when you want to know exactly what the compiler did with your code.

Also, with garbage-collected runtimes denial-of-service attacks become easier. I'm certainly not against garbage collection in general, but IMO it somewhat depends on choosing the right GC system for the task and intended input. If I had to choose a GC scheme that might be faced with input that has no other intention than to cause excessive GC pauses, I wouldn't be so sure how much research that would take. In languages that support threading, things become even worse, since in most (all?) major runtimes all threads are being stopped for GC.

Not to speak of dynamic code loading (Java) or generating (Common Lisp). Considering how much time of highly-skilled people is being put into conventional buffer-overrun exploits, I certainly can't be sure to protect my dynamic-code scheme when the same energy is being focused on attacking it. As Java has shown a number of times.

I love a number of languages that have bounds checking, but security is one reason I mainly code in C. It's not that difficult to protect your code from being tricked into something else, at least with regards to buffer overruns, if your knowledge is somewhat adequate for the task at hand. It is much more difficult to judge your language compiler and runtime.

You might say: Yes, but if I run third-party software I feel better if it's written in Java than in C, because the author doesn't have so much opportunity to do things wrong. I'd say, don't run code you don't trust. Security problems are more than buffer overflows. If some person isn't capable or willing to avoid buffer overflows in C (as I said, one of the easier solvable security problems), he/she probably doesn't have a clue or doesn't care about other problems as well. So don't run the code. You might even use the easily reviewable bounds issue to judge the code. If he/she didn't get that one right, you know what you will get. If it's written in Java, you don't have such an easy indicator.

Martin
--
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer http://www.cons.org/cracauer
BSD User Group Hamburg, Germany http://www.bsdhh.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 07:05:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA25046 for freebsd-security-outgoing; Tue, 21 Jul 1998 07:05:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA25029 for ; Tue, 21 Jul 1998 07:05:06 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id CAA13832; Wed, 22 Jul 1998 02:03:51 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Wed, 22 Jul 1998 02:03:50 +1200 (NZST) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: proff@iq.org cc: drosih@rpi.edu, hart@iserver.com, brett@lariat.org, security@FreeBSD.ORG Subject: Re: f-greping across the universe In-Reply-To: <19980721082257.3945.qmail@iq.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN;
charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 21 Jul 1998 proff@iq.org wrote:

> Date: Tue, 21 Jul 1998 18:22:57 +1000 (EST)
> From: proff@iq.org
> To: andrew@squiz.co.nz
> Cc: drosih@rpi.edu, hart@iserver.com, brett@lariat.org, security@FreeBSD.ORG
> Subject: Re: f-greping across the universe
>
> > -- cut --
> > #!/bin/sh
> > for i in `ls /bin/* /usr/bin/* /usr/local/bin/*`
> > do
> > strings $i | grep vsprintf | sed -e "s|^|$i: |"
> > done
> >
> > -- cut --
> >
> > Yikes.
>
> You can't just leak OpenBSD trade secrets like that. You
> must understand the grueling hours Theo & friends spent
> creating their meister work.
>
> Cheers,
> Julian.

I hope you're not serious. I understand the gruelling bit all too well, but which library routines you use is about as secret as the above shell code suggests, and even if one didn't realize you could search the binaries, the source is available for most of that also.

The number of uses of vsprintf that the above shell code turns up does seem to underline the need to deal with the problem. It's not just novice programmers who make mistakes. Certainly the problem is not OS specific.

Another semi-solution to throw into the mix:

It's beyond my capabilities (or at least well outside my current expertise), but given an executable which is built with gcc (or something else, but I imagine this would be compiler specific), is it possible in general to reverse engineer it, so that calls to vsprintf and other routines are replaced by one which identifies how much space is available in the appropriate stackframe, and rewrite the executable code in memory so that the call to the unsafe routine is replaced with a version which is at least bounded to the dataspace allocated to that routine.

How much does this help anyway? Can one effect a buffer overflow by overwriting data pointers in a user's data space?
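An added example for this page, not ssh's code and not code posted by anyone in the thread: the vsprintf() formatter shape that the search above finds, next to the bounded replacement that a source-level fix would substitute for it. MSG_MAX, the two function names and the hostname string are constructed for the demonstration.

```c
/* Added example for this page (not ssh's code and not from the thread):
 * the vsprintf() pattern that the search above turns up, next to a bounded
 * replacement built on vsnprintf(). MSG_MAX, the function names and the
 * hostname are constructed for the demonstration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 32   /* kept small so the truncation case is easy to reach */
#define LONG_HOST "a-very-long-hostname.example.invalid.that-overflows"

/* The hazardous form. vsprintf() takes no size, so outsz cannot be used
 * and the caller's format string and arguments alone decide how many bytes
 * are written; on a stack buffer the excess lands on the saved frame
 * pointer and return address. Safe here only because the test feeds it a
 * message that is known to fit. */
int format_unbounded(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    int n;
    (void)outsz;                      /* nothing to do with it: that is the bug */
    va_start(ap, fmt);
    n = vsprintf(out, fmt, ap);
    va_end(ap);
    return n;
}

/* The bounded form. Returns the message length on success, or -1 when the
 * message did not fit; out then holds the first outsz-1 bytes plus a NUL,
 * so the caller can still log something and knows it was cut short. */
int format_bounded(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                    /* encoding error */
    if ((size_t)n >= outsz)           /* n is the length the whole message needed */
        return -1;                    /* ... and it was more than we had room for */
    return n;
}

int main(void) {
    char line[MSG_MAX];
    if (format_bounded(line, sizeof line, "login from %s", "alice") >= 0)
        printf("ok:        %s\n", line);
    if (format_bounded(line, sizeof line, "login from %s", LONG_HOST) < 0)
        printf("truncated: %s\n", line);
    return 0;
}
```

The hardened version relies on a property of vsnprintf() that is easy to get wrong: its return value is the length the complete message would have needed, not the number of bytes stored, so a result of outsz or more is the truncation signal and must not be reused as a length for a later memcpy or send.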
I haven't written C for an Intel machine since the 286, but I gather more recent CPUs help to maintain a division between code and data?

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 09:02:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA16126 for freebsd-security-outgoing; Tue, 21 Jul 1998 09:02:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA16090 for ; Tue, 21 Jul 1998 09:01:55 -0700 (PDT) (envelope-from jer@jorsm.com) Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id LAA08309; Tue, 21 Jul 1998 11:01:16 -0500 (CDT) Date: Tue, 21 Jul 1998 11:01:16 -0500 (CDT) From: Jeremy Shaffner To: Brett Glass cc: "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-Reply-To: <199807201845.MAA21839@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:

> Reliance on mailing lists such as Bugtraq does not do any more or less
> to "replace the administrator's brain." Fact is, when a trusted authority
> says that there's a hole to be closed, I want action. I'm perfectly content
> to review what happened after the fact.
>
> --Brett Glass
>

Have you not gotten the message by now? The Qpopper problem is old news, and Jordan released patches to the popper port the same day. Pretty fast action I'd say, and I dunno, something tells me he's trustworthy, but I can't quite put my finger on it. Like everyone said, it was impossible to NOT know about it. Where were you?
-===================================================================- Jeremy Shaffner JORSM Internet Senior Technical Support Northwest Indiana's Premium jer@jorsm.com Internet Service Provider support@jorsm.com http://www.jorsm.com -===================================================================- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 09:19:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA19599 for freebsd-security-outgoing; Tue, 21 Jul 1998 09:19:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA19576 for ; Tue, 21 Jul 1998 09:19:15 -0700 (PDT) (envelope-from jer@jorsm.com) Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id LAA09133; Tue, 21 Jul 1998 11:18:39 -0500 (CDT) Date: Tue, 21 Jul 1998 11:18:38 -0500 (CDT) From: Jeremy Shaffner To: Brett Glass cc: "Matthew N. Dodd" , "Christopher G. Petrilli" , "Gentry A. Bieker" , security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-Reply-To: <199807202352.RAA27271@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 20 Jul 1998, Brett Glass wrote: > Thousands (maybe tens or hundreds of thousands) of systems have been > potentially compromised because that code was in the FreeBSD Ports > library. I'd find it hard to believe that such a scheme would do > anything but improve the odds that the hole would be closed. How does "have been potentially" work? > And, no, CVSup is not an answer. Isn't it? See below. 
> On production machines, you don't want to CVSup to the latest version -- > you just want to pick up known good patches for significant problems. > > --Brett Pardon my ignorance, since I haven't used CVS, but isn't that what the "ports" are? A skeleton with the necessary patches and a Makefile that fetches the distfile if you don't already have it? Like I said before, Jordan had an updated -stable port the same day. And if you get that new port by downloading it manually, or by letting CVSup do it "Automagically" does it really matter? It's the same either way. Sure sounds like an answer to me. -===================================================================- Jeremy Shaffner JORSM Internet Senior Technical Support Northwest Indiana's Premium jer@jorsm.com Internet Service Provider support@jorsm.com http://www.jorsm.com -===================================================================- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 09:27:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA21110 for freebsd-security-outgoing; Tue, 21 Jul 1998 09:27:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from nexus6.source.net (nexus6.source.net [206.100.10.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA21099 for ; Tue, 21 Jul 1998 09:27:19 -0700 (PDT) (envelope-from webmaster@source.net) Received: from replicant (replicant.source.net [206.100.10.3]) by nexus6.source.net (8.8.8/8.8.5) with SMTP id JAA23393 for ; Tue, 21 Jul 1998 09:26:58 -0700 (PDT) From: "Webmaster" To: Date: Tue, 21 Jul 1998 09:19:56 -0700 Message-ID: <000701bdb4c3$66877e20$030a64ce@replicant.source.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0008_01BDB488.BA28A620" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: 
Produced By Microsoft MimeOLE V4.72.2106.4 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

subscribe
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 10:07:52 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA28747 for freebsd-security-outgoing; Tue, 21 Jul 1998 10:07:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA28742 for ; Tue, 21 Jul 1998 10:07:51 -0700 (PDT) (envelope-from jer@jorsm.com) Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id MAA11965; Tue, 21 Jul 1998 12:07:21 -0500 (CDT) Date: Tue, 21 Jul 1998 12:07:21 -0500 (CDT) From: Jeremy Shaffner To: Brett Glass cc: Paul Hart , security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-Reply-To: <199807202328.RAA26899@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 20 Jul 1998, Brett Glass wrote:

> At 02:57 PM 7/20/98 -0600, Paul Hart wrote:
>
> >Consider Bugtraq and the other popular security mailing lists as required
> >reading. Absolutely. None of these holes would have taken you by
> >surprise if you had diligently read these lists.
>
> Not necessarily. An exploit can be used long before it hits the lists.
>

Not not necessarily. Absolutely. If you were aware of it when the rest of us were, you would have had it fixed. Period.
-===================================================================- Jeremy Shaffner JORSM Internet Senior Technical Support Northwest Indiana's Premium jer@jorsm.com Internet Service Provider support@jorsm.com http://www.jorsm.com -===================================================================- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 11:25:36 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10154 for freebsd-security-outgoing; Tue, 21 Jul 1998 11:25:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10146 for ; Tue, 21 Jul 1998 11:25:33 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id MAA14302; Tue, 21 Jul 1998 12:24:53 -0600 (MDT) Message-Id: <199807211824.MAA14302@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Tue, 21 Jul 1998 12:24:50 -0600 To: Jon Hamilton From: Brett Glass Subject: Re: Why is there no info on the QPOPPER hack? Cc: security@FreeBSD.ORG In-Reply-To: <199807210332.VAA00941@lariat.lariat.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:34 PM 7/20/98 -0500, Jon Hamilton wrote: >The sky is falling! Where is that warranty? Oh, that's right, there isn't >one. The people who are responsible for keeping those machines safe are >just going to have to be responsible for keeping them safe, I guess. And every one of them will respond instantly to every security advisory, so no crackers will ever get in. Nice fantasy. 
>True, but how often do we see problems where "-current won't compile" or
>where patches went in which were unchecked or otherwise caused problems?
>You're talking about a volunteer effort, and I just don't see you getting
>the kind of rigor out of it that you'd need for something like you're
>suggesting. This is not meant to denigrate the effort any of the
>maintainers put in - I am arguing that it's not reasonable to expect such
>a level of effort from them, and if not them, then who?

A security team formed for that purpose. A group of people who DO hang on every Bugtraq message (if not individually, then collectively).

As for "-current won't compile" problems -- they're unlikely to occur because the patches will likely be to small bits of the OS.

>Wave your hands some more. Are you _really_ sure that you trust your
>local copy of pgp (or whatever other method you want to use)?

As much as I trust CVSupping to close a hole. And, yes, I do place a high level of trust in strong crypto. As must all of us.

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 11:29:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10934 for freebsd-security-outgoing; Tue, 21 Jul 1998 11:29:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10908 for ; Tue, 21 Jul 1998 11:29:34 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id MAA14394; Tue, 21 Jul 1998 12:29:10 -0600 (MDT) Message-Id: <199807211829.MAA14394@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Tue, 21 Jul 1998 12:29:06 -0600 To: "Matthew N. Dodd" From: Brett Glass Subject: Re: Why is there no info on the QPOPPER hack?
Cc: security@FreeBSD.ORG In-Reply-To: References: <199807210311.VAA00475@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:37 PM 7/20/98 -0400, Matthew N. Dodd wrote: >Ok, you convinced me. > >When are you going to have this service operational? As soon as we could pull a team together to do it, I'd be willing to start. >How much are you going to charge for it? Why not see if it could be made a volunteer effort? >What sort of guarantee (maney back? plus?) are you going to give me? Again, ideally it'd be free. The persons involved would already be updating their own systems, so only a small amount of additional effort would be involved in propagating the updates. >Who is your insurance carrier? (you must be getting great rates!) Who is FreeBSD.ORG's insurance carrier for situations where it releases code with bugs or holes? ;-) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 11:43:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA12923 for freebsd-security-outgoing; Tue, 21 Jul 1998 11:43:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail1.its.rpi.edu (root@mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA12907 for ; Tue, 21 Jul 1998 11:43:34 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id OAA35892 for ; Tue, 21 Jul 1998 14:43:19 -0400 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: drosih@pop1.rpi.edu Message-Id: In-Reply-To: References: <199807202328.RAA26899@lariat.lariat.org> Date: Tue, 21 Jul 1998 14:47:15 -0400 To: security@FreeBSD.ORG From: Garance A Drosihn Subject: Re: The 99,999-bug 
question: Why can you execute from the stack? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:07 PM -0500 7/21/98, Jeremy Shaffner wrote: >On Mon, 20 Jul 1998, Brett Glass wrote: > >> At 02:57 PM 7/20/98 -0600, Paul Hart wrote: >> >> > Consider Bugtraq and the other popular security mailing lists as >> > required reading. Absolutely. None of these holes would have >> > taken you by surprise if you had diligently read these lists. >> >> Not necessarily. An exploit can be used long before it hits the >> lists. > > > Not not necessarily. Absolutely. If you were ware of it when the > rest of us were, you would have had it fixed. Period. I expect some corrolary of Murphy's Law will dictate that at least some breakins will occur while you're on vacation, or over long holidays. How we should respond to that is still debatable, I am just saying that you can still get "taken by surprise", unless you really plan on working 24 hours a day, 7 days a week, and never take any vacation. 
---
Garance Alistair Drosehn      =   gad@eclipse.its.rpi.edu
Senior Systems Programmer         or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Tue Jul 21 11:44:38 1998
Date: Tue, 21 Jul 1998 14:48:07 -0400
To: security@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <27231.900993063@time.cdrom.com>
References: Your message of "Mon, 20 Jul 1998 21:48:11 EDT."

At 8:51 PM -0700 7/20/98, Jordan K. Hubbard wrote:
> garance wrote:
>> However, I don't want to just drop this issue either. Could we think
>> of projects we could do in the next few months, for instance, which
>> might help us to improve security? Even if we won't have time to
>
> Audit. Audit audit audit. Like I said in my previous email, just
> *five minutes* looking through the popper sources was enough time to
> have my jaw dropping in sheer horror at how badly we'd dropped that
> particular ball and I don't think it would take a rocket scientist to
> identify the top 10 ports in need of first attention. Start with
> ports/net and ports/mail and you'll have more than enough to work on.
>
> This whole auditing idea is also hardly new or innovative - those who
> remember back a year or so will recall my starting a "FreeBSD auditing
> project" complete with its own web page, auditors list, etc. Almost
> nothing came of it because people just weren't willing to actually
> DO THE WORK of auditing the code, they only wanted to talk about how
> much it was necessary. :-)

Would it help if we increased the work of *not* auditing, such as having
the default sprintf (and other risky routines) cause compile-time
problems? Auditing as a separate step is more often going to get put off
until the developer "has time". If you need to address some of the
classic culprits just to get it to compile, you're much more likely to
"find the time"...

> There's only one solution, one which OpenBSD has made significant
> marketing points out of, and that's to go through the code and look
> for holes resulting from poor programming practices.

Indeed. I like the fact that they're doing this, and that they are able
to make those marketing points out of it. Could we hire them to audit
all the FreeBSD code, and then we would get the marketing points? :-)

---
Garance Alistair Drosehn      =   gad@eclipse.its.rpi.edu
Senior Systems Programmer         or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Tue Jul 21 11:48:54 1998
Message-Id: <199807211848.MAA14756@lariat.lariat.org>
Date: Tue, 21 Jul 1998 12:48:03 -0600
To: Niall Smart
From: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: security@FreeBSD.ORG
In-Reply-To: <98Jul21.093736bst.19713@gateway.euristix.ie>
References: <199807200148.TAA07794@harmony.village.org>
 <199807200102.SAA07953@bubba.whistle.com>
 <199807200148.TAA07794@harmony.village.org>
 <199807201714.LAA19993@lariat.lariat.org>

At 10:39 AM 7/21/98 +0100, Niall Smart wrote:
>Eh? Call gates are entry points to different privilege levels. I don't
>see how you intend to use them to stop the problem of the buffer
>overflow.

Call gates don't necessarily do ring transitions. They DO make sure you
can't jump into the middle of a routine. They're not intended to stop
buffer overflow, but to prevent an even more subtle hack.
--Brett

From owner-freebsd-security Tue Jul 21 11:59:35 1998
Message-Id: <199807211859.MAA14931@lariat.lariat.org>
Date: Tue, 21 Jul 1998 12:58:59 -0600
To: "Jordan K. Hubbard"
From: Brett Glass
Subject: Re: Projects to improve security (related to C)
Cc: security@FreeBSD.ORG
In-Reply-To: <8134.901020116@time.cdrom.com>

At 04:21 AM 7/21/98 -0700, Jordan K. Hubbard wrote:
>I suspect Theo would disagree with you, but short of switching
>everyone over to Java or installing a series of band-aid patches which
>only fix _some_ of the problems (and, in security, that really is
>locking the door while leaving the window open) I fail to see how you
>intend to deal with it in any more pragmatic a fashion.

Well, I've looked this week at the possibility of doing a mechanical
translation of FreeBSD into a type-safe language with range and bounds
checking, then fixing the trouble spots manually. Apparently, there's a
company called Reasoning Systems that actually has tools that can do
such things.

In the meantime, there are some things that can be done even with the
code still written in C. We can (and must!) bite the bullet and kick
sprintf, vsprintf, and similar functions OUT of the libraries. Yes,
it'll be a bit of a pain, but... no pain, no gain.

Other exploits will, of course, have to be handled in other ways. But
taking a hopeless attitude (i.e. we can't close all the holes right
away, so why close any?) is leaving ALL the doors and windows open. And
that's worse.

--Brett

From owner-freebsd-security Tue Jul 21 12:09:54 1998
Message-Id: <199807211909.NAA15137@lariat.lariat.org>
Date: Tue, 21 Jul 1998 13:09:13 -0600
To: jaitken@dimension.net
From: Brett Glass
Subject: Re: Projects to improve security (related to C)
Cc: jkh@time.cdrom.com, drosih@rpi.edu, security@FreeBSD.ORG
In-Reply-To: <199807211324.JAA03501@gizmo.dimension.net>
References: <199807211120.FAA07335@lariat.lariat.org>

At 09:24 AM 7/21/98 -0400, Jeff Aitken wrote:
>If you really care about this, then step down off the soapbox, take
>off the rose-colored glasses, and help fix what's broken. Preaching
>to the choir is not going to get anything done.
If the goal is to get the choir to sing in a different language, or in
such a way that they don't shatter the windows, it just might!

--Brett

From owner-freebsd-security Tue Jul 21 12:18:59 1998
Message-Id: <199807211918.NAA15306@lariat.lariat.org>
Date: Tue, 21 Jul 1998 13:18:31 -0600
To: Martin Cracauer, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <19980721153715.A714@bik-gmbh.de>
References: <199807201732.LAA20377@lariat.lariat.org>

At 03:37 PM 7/21/98 +0200, Martin Cracauer wrote:
>If some person isn't capable or willing to avoid buffer overflows in C
>(as I said, one of the easier solvable security problems), he/she
>probably doesn't have a clue or doesn't care about other problems as
>well. So don't run the code. You might even use the easily reviewable
>bounds issue to judge over the code. If he/she didn't get that one
>right, you know what you will get. If it's written in Java, you don't
>have such an easy indicator.

Sorry, but I don't buy the notion that the possibility of SOME bugs is
an excuse to let more of them slip by. That's like saying, "So what if
the Ford Pinto blows up when hit in the rear? If we fixed that, we
wouldn't suspect that the car's radio was designed badly."

--Brett

From owner-freebsd-security Tue Jul 21 12:26:19 1998
Message-Id: <199807211925.NAA15444@lariat.lariat.org>
Date: Tue, 21 Jul 1998 13:25:51 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?

At 11:01 AM 7/21/98 -0500, Jeremy Shaffner wrote:
>Like everyone said, it was impossible to NOT know about it. Where were
>you?

Ullapool. (For those of you who aren't intimately familiar with the
geography of Great Britain, it's a tiny fishing village on the west
coast of Scotland. It's so close to the Arctic Circle that it doesn't
get dark in summer.)

Incidentally, the reason I was there was because I was on honeymoon. My
laptop came along for the ride, but I had about half a week's backlog
of mail. That was enough.

--Brett

From owner-freebsd-security Tue Jul 21 12:29:01 1998
Message-Id: <199807211928.NAA15499@lariat.lariat.org>
Date: Tue, 21 Jul 1998 13:28:23 -0600
To: Jeremy Shaffner
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: security@FreeBSD.ORG
References: <199807202352.RAA27271@lariat.lariat.org>

At 11:18 AM 7/21/98 -0500, Jeremy Shaffner wrote:
>How does "have been potentially" work?

It means they're wide open and ready to be hacked. NOW.

>Pardon my ignorance, since I haven't used CVS, but isn't that what the
>"ports" are? A skeleton with the necessary patches and a Makefile that
>fetches the distfile if you don't already have it? Like I said before,
>Jordan had an updated -stable port the same day.

New holes are still being found in Qualcomm's THIRD update.

>And if you get that new
>port by downloading it manually, or by letting CVSup do it
>"Automagically" does it really matter? It's the same either way.

Not if you don't get word before you're hit.
--Brett

From owner-freebsd-security Tue Jul 21 12:34:36 1998
Date: Tue, 21 Jul 1998 15:34:07 -0400 (EDT)
From: "Matthew N. Dodd"
To: Brett Glass
cc: Jon Hamilton, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807211824.MAA14302@lariat.lariat.org>

On Tue, 21 Jul 1998, Brett Glass wrote:
> At 10:34 PM 7/20/98 -0500, Jon Hamilton wrote:
>
> >The sky is falling! Where is that warranty? Oh, that's right, there isn't
> >one. The people who are responsible for keeping those machines safe are
> >just going to have to be responsible for keeping them safe, I guess.
>
> And every one of them will respond instantly to every security advisory,
> so no crackers will ever get in. Nice fantasy.

The last time we had a major sendmail problem the response time of the
group I was in was about 4 hours; a dozen machines fixed, patches
integrated into private source trees etc. -That- is the kind of turn
around time you need when you're using free software.

If you're not able to stand on the line and keep watch, set procmail up
to turn down your network every time a Bugtraq message with 'exploit'
and 'foo' turns up.

> A security team formed for that purpose. A group of people who DO hang on
> every Bugtraq message (if not individually, then collectively). As for
> "-current won't compile" problems -- they're unlikely to occur because
> the patches will likely be to small bits of the OS.

Who pays this team then?

> As much as I trust CVSupping to close a hole. And, yes, I do place a high
> level of trust in strong crypto. As must all of us.

*yawn* This is going to be the next "Information wants to be free!"
type mantra isn't it.

/* Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53                   */

From owner-freebsd-security Tue Jul 21 12:51:42 1998
Message-Id: <199807211951.NAA15949@lariat.lariat.org>
Date: Tue, 21 Jul 1998 13:51:04 -0600
To: "Matthew N. Dodd"
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: security@FreeBSD.ORG
References: <199807211824.MAA14302@lariat.lariat.org>

At 03:34 PM 7/21/98 -0400, Matthew N. Dodd wrote:
>Who pays this team then?

Who pays the FreeBSD developers?

>> As much as I trust CVSupping to close a hole. And, yes, I do place a high
>> level of trust in strong crypto. As must all of us.
>
>*yawn* This is going to be the next "Information wants to be free!"
>type mantra isn't it.

If you don't like it, suggest a form of verification that's more
practical and dependable.

--Brett Glass

From owner-freebsd-security Tue Jul 21 12:52:59 1998
Message-Id: <199807211952.NAA15969@lariat.lariat.org>
Date: Tue, 21 Jul 1998 13:52:32 -0600
To: "Matthew N. Dodd"
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: security@FreeBSD.ORG
References: <199807211824.MAA14302@lariat.lariat.org>

At 03:34 PM 7/21/98 -0400, Matthew N. Dodd wrote:
>If you're not able to stand on the line and keep watch, set procmail up to
>turn down your network every time a Bugtraq message with 'exploit' and
>'foo' turns up.

In other words, make the system self-destruct when I stop watching long
enough to have a life. Really practical.

--Brett

From owner-freebsd-security Tue Jul 21 13:27:17 1998
Date: Tue, 21 Jul 1998 16:26:51 -0400 (EDT)
From: "Matthew N. Dodd"
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807211952.NAA15969@lariat.lariat.org>

On Tue, 21 Jul 1998, Brett Glass wrote:
> At 03:34 PM 7/21/98 -0400, Matthew N. Dodd wrote:
> >If you're not able to stand on the line and keep watch, set procmail up to
> >turn down your network every time a Bugtraq message with 'exploit' and
> >'foo' turns up.
>
> In other words, make the system self-destruct when I stop watching long
> enough to have a life. Really practical.

To quote Robert De Niro in _Heat_, "That's the discipline..."

I'm taking the side of devil's advocate here; someone has to. I could
easily take your side and argue it as well.

Security means constant vigilance; you can't let down your guard. If
your desire to have a life conflicts with this vigilance, you or your
employer need to make adjustments. Free software isn't for everyone.

If you are the only one standing on the line, maybe your shop is
understaffed.
Bring this up with your boss; misrepresenting the costs of doing
business is nearly always fatal.

While we can strive to make software better, the reality is that we
will have limited success, and only slow the tide of problems with
poorly written software. We may try to implement automated tools to
make our lives easier; these do not provide a substitute for our
watchful vigilance.

As others have said, a patch was posted for the problem the same day,
where were you?

Keep in mind that a $5.50/hr person to read bugtraq and rootshell and
others may well be worth having if it means you get immediate notice of
problems. Such people should not be difficult to come by, but few of
them will last past six months.

You seem to dislike the solutions I propose that don't satisfy your
sense of aesthetics. While paying for a solution may not be pretty,
sometimes it's the only efficient choice.

/* Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53                   */

From owner-freebsd-security Tue Jul 21 13:53:00 1998
Date: Tue, 21 Jul 1998 16:51:58 -0400 (EDT)
From: Drew Derbyshire
Message-Id: <199807212051.QAA05632@kendra.ne.mediaone.net>
To: security@FreeBSD.ORG
Subject: hacked and don't know why
Cc: dave@psyton.com, dmwatt@watt.com, greg@bbs.com, rks@kew.com,
 sgk@twinlight.com

My firewall was hacked last night and I don't know how. Only damage is
the complete loss of /dev, /bin, and /var/log directories. The system
was more or less up when I checked it this morning, but I had to crash
it and rebuild/reload the affected directories using the 2.2.26 live
file system CD-ROM.

System is FreeBSD 2.2.6 with additions of:

    sendmail 8.9.0 (restricted shell enabled)
    ftpmail (restricted to local anonymous ftp server)
    majordomo
    apache 1.3.0 (no CGI scripts enabled)
    samba 1.9.18.p5

Firewall filtering is enabled, major services allowed include anonymous
FTP, SMTP (sendmail 8.9.0), and WWW. natd is running for outbound
access. I'll be happy to privately send the full firewall list to
interested parties, I'm mostly not posting it to prevent it from being
publicly archived.

A unique service is UUCP, but that was actually unaffected by the
hacking. Permissions, like those on the anonymous FTP directory, look
secure. As with the firewall configuration, I can provide more
information on request (I do make mistakes, like anyone). Inbound UUCP
connections are restricted as part of the firewall.

Only spouse and self have samba access, only few trusted friends (3)
have any non-anonymous access. All outside network access requires
either S/Key one time passwords or secure shell; I don't know of any
passwords getting out.

The samba is a little backlevel, but the known problems with fixes out
for it require that the person has access to the system in question;
this should not be an issue with my configuration.

A sweep of the file system comparing to the 2.2.6 live file system
CD-ROM shows no unexpected/unauthorized changes. Note that because the
CD-ROM has the export versions of some programs, the check is not
perfect since the affected programs tend to be security related.

Suggestions to prevent a repeat? I'm going to build a new system from
scratch to ensure clean binaries and the like, but I don't know what
hole I left open ... I am of course also looking at the CERT check list
to see where/what I f--ked up with.

-ahd-

-- 
Drew Derbyshire                Internet:  ahd@kew.com
Kendra Electronic Wonderworks  Telephone: 781-279-9812
Copywight 1994 Elmer Fudd. All wights wesewved.

From owner-freebsd-security Tue Jul 21 14:24:22 1998
Date: Tue, 21 Jul 1998 14:22:18 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: Brett Glass
cc: Jeremy Shaffner, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807211928.NAA15499@lariat.lariat.org>

On Tue, 21 Jul 1998, Brett Glass wrote:
> >How does "have been potentially" work?
>
> It means they're wide open and ready to be hacked. NOW.
>
> >Pardon my ignorance, since I haven't used CVS, but isn't that what the
> >"ports" are? A skeleton with the necessary patches and a Makefile that
> >fetches the distfile if you don't already have it? Like I said before,
> >Jordan had an updated -stable port the same day.
>
> New holes are still being found in Qualcomm's THIRD update.
Due to the large cpu usage, and the disk space needed on large production machines for /var/pop when qpopper copies over the users mail spool, we went to using cucipop. You might try this too, it uses about 30% less cpu, and doesn't have these exploits(yet? I haven't looked through it's code) -> ftp://ftp.informatik.rwth-aachen.de/pub/packages/cucipop/ > > >And if you get that new > >port by downloading it manually, or by letting CVSup do it > >"Automagically" does it really matter? It's the same either way. > > Not if you don't get word before you're hit. The only way to be truly secure is to stay on top of things. Why wasn't someone else filling in for you during your vacation? > --Brett -ben@efn.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 14:30:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA18786 for freebsd-security-outgoing; Tue, 21 Jul 1998 14:30:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA18714 for ; Tue, 21 Jul 1998 14:30:33 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id PAA17747; Tue, 21 Jul 1998 15:30:08 -0600 (MDT) Message-Id: <199807212130.PAA17747@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Tue, 21 Jul 1998 15:30:05 -0600 To: ben@efn.org From: Brett Glass Subject: Re: Why is there no info on the QPOPPER hack? 
Cc: Jeremy Shaffner , security@FreeBSD.ORG In-Reply-To: References: <199807211928.NAA15499@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 02:22 PM 7/21/98 -0700, Ben wrote:
>Due to the large cpu usage, and the disk space needed on large production
>machines for /var/pop when qpopper copies over the users' mail spool, we went
>to using cucipop. You might try this too, it uses about 30% less cpu, and
>doesn't have these exploits (yet? I haven't looked through its code)
>
> -> ftp://ftp.informatik.rwth-aachen.de/pub/packages/cucipop/
>

I have written the developer asking if cucipop supports XTND XMIT. This command is necessary to allow users who log in from outside the LAN to send e-mail through the server, since we have disabled relaying to avoid spam. I haven't gotten an answer.

>The only way to be truly secure is to stay on top of things. Why wasn't someone
>else filling in for you during your vacation?

There was one, and he would have called me if he'd seen a problem. But people who know UNIX even at the level I know it (approximately journeyman level; I'm certainly no expert sysadmin) are in short supply. He's an NT expert, and would have called me for direction if he had to do anything nontrivial.

--Brett

From owner-freebsd-security Tue Jul 21 14:35:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA20036 for freebsd-security-outgoing; Tue, 21 Jul 1998 14:35:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA19984 for ; Tue, 21 Jul 1998 14:34:43 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su) Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id BAA18466; Wed, 22 Jul 1998 01:31:21 +0400 (MSD) Message-ID: <19980722013120.32585@nevalink.ru> Date: Wed, 22 Jul 1998 01:31:20 +0400 From: Alexandre Snarskii To: Don Lewis , Alexandre Snarskii , Warner Losh , Archie Cobbs Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? References: <199807202130.OAA27539@salsa.gv.tsc.tdk.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89i In-Reply-To: <199807202130.OAA27539@salsa.gv.tsc.tdk.com>; from Don Lewis on Mon, Jul 20, 1998 at 02:30:33PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Jul 20, 1998 at 02:30:33PM -0700, Don Lewis wrote:
> On Jul 20, 3:29pm, Alexandre Snarskii wrote:
> } Subject: Re: The 99,999-bug question: Why can you execute from the stack?
> } On Sun, Jul 19, 1998 at 07:48:30PM -0600, Warner Losh wrote:
>
> } > Another high cost option would be to have a purify/checker-like
> } > functionality compiled into everything and cause a segv or some other
> } > generally fatal signal. This would solve all the overflows, but again
> } > at a huge price.
> }
> } At huge computing price. Measured in seconds, spent by processor
> } to perform needed computing.
>
> It may be worse than that.
> In a desperate attempt to track down a
> bug in BIND, I recompiled it with the bounds checking version of
> gcc. On a fairly zippy machine, it took about half an hour to load
> a few zones with a total of a few hundred hosts. Under light query
> load it was gobbling about 30% of the CPU.

You got the named with _total_ bounds checking. With correct bounds checking only on some functions (strcpy/sprintf/strcat et al, which get 95% of the buffer overflows since the Internet worm) my named works just fine.

> In the situations where I've used code compiled this way, it seems
> to average about a factor of 20 more expensive in terms of CPU usage.

Strange result. A program which does nothing but 100.000 strcpy's works _six_ times slower with bounds checking, but not 20...

-- Alexandre Snarskii the source code is included

From owner-freebsd-security Tue Jul 21 14:53:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA24397 for freebsd-security-outgoing; Tue, 21 Jul 1998 14:53:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA24381 for ; Tue, 21 Jul 1998 14:53:04 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su) Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id BAA18667; Wed, 22 Jul 1998 01:50:30 +0400 (MSD) Message-ID: <19980722015030.15881@nevalink.ru> Date: Wed, 22 Jul 1998 01:50:30 +0400 From: Alexandre Snarskii To: Garance A Drosihn , security@FreeBSD.ORG Subject: Re: Projects to improve security (related to C) References: <27231.900993063@time.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89i In-Reply-To: ; from Garance A Drosihn on Tue, Jul 21, 1998 at 02:48:07PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Jul 21, 1998 at 02:48:07PM -0400, Garance A Drosihn wrote:
> > Audit. Audit audit audit. Like I said in my previous email, just
> > *five minutes* looking through the popper sources was enough time to
> > have my jaw dropping in sheer horror at how badly we'd dropped that
> > particular ball and I don't think it would take a rocket scientist to
> > identify the top 10 ports in need of first attention. Start with
> > ports/net and ports/mail and you'll have more than enough to work on.

Well, that is really the best way. But it costs too much time - qualified auditing must be done not once, but every time the port sources change - no one but the main developer knows about new possible security holes :)

> Would it help if we increased the work of *not* auditing, such as
> having the default sprintf (and other risky routines) cause
> compile-time problems? Auditing as a separate step is more often
> going to get put off until the developer "has time". If you need
> to address some of the classic culprits just to get it to compile,
> you're much more likely to "find the time"...

As for me, that is not a really good idea. It breaks one of FreeBSD's policies - 'we have so many applications ported' :) A better way is to have these routines safe from stack violations - which is what is done with libparanoia. (Also, don't forget about programs which ship in binary form - netscape f.e. :))

> > There's only one solution, one which OpenBSD has made significant
> > marketing points out of, and that's to go through the code and look
> > for holes resulting from poor programming practices.
>
> Indeed. I like the fact that they're doing this, and that they are
> able to make those marketing points out of it. Could we hire them
> to audit all the FreeBSD code, and then we would get the marketing
> points? :-)

Don't forget that the OpenBSD team doesn't audit ports. And they just removed qpopper from their ports collection after the exploit.
-- Alexandre Snarskii the source code is included

From owner-freebsd-security Tue Jul 21 15:16:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA27065 for freebsd-security-outgoing; Tue, 21 Jul 1998 15:16:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from indigo.ie (nsmart@ts01-022.dublin.indigo.ie [194.125.134.32]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA27054 for ; Tue, 21 Jul 1998 15:16:23 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id XAA02709; Tue, 21 Jul 1998 23:10:27 +0100 (IST) (envelope-from rotel@indigo.ie) From: Niall Smart Message-Id: <199807212210.XAA02709@indigo.ie> Date: Tue, 21 Jul 1998 23:10:27 +0000 In-Reply-To: <8496.900909928@time.cdrom.com>; "Jordan K. Hubbard" Reply-To: rotel@indigo.ie X-Files: The truth is out there X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96) To: "Jordan K. Hubbard" , Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: dg@root.com, Warner Losh , Archie Cobbs , security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Jul 19, 9:45pm, "Jordan K. Hubbard" wrote:
>
> Seriously, that code had so many potential exploits and stack
> overflows that I seriously doubt all the stack protection in the world
> would have saved you. It didn't need a band-aid, it needed a thorough
> audit which now, after all the horses have escaped the barn, seems to
> finally be happening.

Auditing isn't the answer to programs which have been maldesigned and malimplemented right from the very beginning, rm is. Sometimes programs reach a point of no return, at which the only sensible thing to do is start again with the benefit of experience. Sendmail and QMail are good examples of the former and latter.

Niall

-- Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk FreeBSD: Turning PC's into Workstations: www.freebsd.org

From owner-freebsd-security Tue Jul 21 15:29:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA29311 for freebsd-security-outgoing; Tue, 21 Jul 1998 15:29:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA29301 for ; Tue, 21 Jul 1998 15:29:12 -0700 (PDT) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yyktv-000558-00; Tue, 21 Jul 1998 16:28:51 -0600 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id QAA28673; Tue, 21 Jul 1998 16:31:16 -0600 (MDT) Message-Id: <199807212231.QAA28673@harmony.village.org> To: Alexandre Snarskii Subject: Re: The 99,999-bug question: Why can you execute from the stack? Cc: Don Lewis , Archie Cobbs , Brett Glass , security@FreeBSD.ORG In-reply-to: Your message of "Wed, 22 Jul 1998 01:31:20 +0400." <19980722013120.32585@nevalink.ru> References: <19980722013120.32585@nevalink.ru> <199807202130.OAA27539@salsa.gv.tsc.tdk.com> Date: Tue, 21 Jul 1998 16:31:16 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <19980722013120.32585@nevalink.ru> Alexandre Snarskii writes:
: You got the named with _total_ bounds checking.
: With correct bounds checking only on some functions
: (strcpy/sprintf/strcat et al, which get 95% of the buffer
: overflows since the Internet worm) my named works just fine.

Purify, on Sparcs, runs at 2.0x the time and 1.5x the memory. Unless the 1.5x memory requirement pushes you into thrashing mode.
Alexandre is right that adding this checking will help. Won't catch everything, but it will catch many things.

The more of these things that happen, the more I think that some of these stop-gap measures may be warranted to buy time for a more comprehensive solution. However, I worry that with stop gaps in place, no comprehensive solution would be forthcoming.

Warner

From owner-freebsd-security Tue Jul 21 15:29:56 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA29386 for freebsd-security-outgoing; Tue, 21 Jul 1998 15:29:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA29380 for ; Tue, 21 Jul 1998 15:29:54 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id QAA18807; Tue, 21 Jul 1998 16:29:32 -0600 (MDT) Message-Id: <199807212229.QAA18807@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Tue, 21 Jul 1998 16:22:41 -0600 To: security@FreeBSD.ORG From: Brett Glass Subject: Re: The 99,999-bug question: Why can you execute from the stack? In-Reply-To: <199807212210.XAA02709@indigo.ie> References: <8496.900909928@time.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 11:10 PM 7/21/98 +0000, Niall Smart wrote:
>Auditing isn't the answer to programs which have been maldesigned
>and malimplemented right from the very beginning, rm is. Sometimes
>programs reach a point of no return, at which the only sensible
>thing to do is start again with the benefit of experience. Sendmail
>and QMail are good examples of the former and latter.

Fortunately, now that UUCP mail addressing, BITNET, etc. have been so thoroughly deprecated, there's no real need for a mail router that translates addresses -- the primary purpose of Sendmail. Something much simpler will do now.

--Brett Glass

From owner-freebsd-security Tue Jul 21 16:05:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA05758 for freebsd-security-outgoing; Tue, 21 Jul 1998 16:05:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA05748 for ; Tue, 21 Jul 1998 16:05:37 -0700 (PDT) (envelope-from peter.jeremy@alcatel.com.au) Received: from mfg1.cim.alcatel.com.au ("port 4294"@[139.188.23.1]) by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IZP21SUVSW0002MK@gatekeeper.alcatel.com.au> for security@FreeBSD.ORG; Wed, 22 Jul 1998 09:04:32 +1000 Received: from gsms01.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #U2695) with ESMTP id <01IZP21Q6LE8JK9R2L@cim.alcatel.com.au>; Wed, 22 Jul 1998 09:04:28 +1000 Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3) id JAA28032; Wed, 22 Jul 1998 09:04:27 +1000 (EST) Date: Wed, 22 Jul 1998 09:04:27 +1000 (EST) From: Peter Jeremy Subject: Re: The 99,999-bug question: Why can you execute from the stack? To: snar@paranoia.ru Cc: security@FreeBSD.ORG Message-id: <199807212304.JAA28032@gsms01.alcatel.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 22 Jul 1998 01:31:20 +0400, Alexandre Snarskii wrote:
>On Mon, Jul 20, 1998 at 02:30:33PM -0700, Don Lewis wrote:
>> In the situations where I've used code compiled this way, it seems
>> to average about a factor of 20 more expensive in terms of CPU usage.
>
>Strange result.
>A program which does nothing but 100.000 strcpy's
>works _six_ times slower with bounds checking, but not 20...

It's strongly dependent on which strcpy was used:

1) If you use the strcpy in libc, then there's no bounds checking - all you get is that both the source and destination pointers are valid when strcpy is called.

2) The bounds checking library includes a strcpy which is bounds checking aware - it explicitly checks the source string and destination buffer for validity and compatibility and then performs the copy without further checks.

3) If you wrote your own strcpy, then each time you copy a character, both the source and destination pointers will be checked.

Six times is about right for the second case. I got about 200 times for the third case.

Peter

-- Peter Jeremy (VK2PJ) peter.jeremy@alcatel.com.au Alcatel Australia Limited 41 Mandible St Phone: +61 2 9690 5019 ALEXANDRIA NSW 2015 Fax: +61 2 9690 5247

From owner-freebsd-security Tue Jul 21 16:29:30 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA09718 for freebsd-security-outgoing; Tue, 21 Jul 1998 16:29:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA09711 for ; Tue, 21 Jul 1998 16:29:27 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su) Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id DAA19580; Wed, 22 Jul 1998 03:26:47 +0400 (MSD) Message-ID: <19980722032647.05314@nevalink.ru> Date: Wed, 22 Jul 1998 03:26:47 +0400 From: Alexandre Snarskii To: Peter Jeremy Cc: security@FreeBSD.ORG Subject: Re: The 99,999-bug question: Why can you execute from the stack? References: <199807212304.JAA28032@gsms01.alcatel.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89i In-Reply-To: <199807212304.JAA28032@gsms01.alcatel.com.au>; from Peter Jeremy on Wed, Jul 22, 1998 at 09:04:27AM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, Jul 22, 1998 at 09:04:27AM +1000, Peter Jeremy wrote:
> On Wed, 22 Jul 1998 01:31:20 +0400, Alexandre Snarskii wrote:
> >On Mon, Jul 20, 1998 at 02:30:33PM -0700, Don Lewis wrote:
> >> In the situations where I've used code compiled this way, it seems
> >> to average about a factor of 20 more expensive in terms of CPU usage.
> >
> >Strange result. A program which does nothing but 100.000 strcpy's
> >works _six_ times slower with bounds checking, but not 20...
>
> It's strongly dependent on which strcpy was used:

Sorry, it should be explained that I used the handwritten strcpy from libparanoia.

> 1) If you use the strcpy in libc, then there's no bounds checking -
> all you get is that both the source and destination pointers are
> valid when strcpy is called.
> 2) The bounds checking library includes a strcpy which is bounds
> checking aware - it explicitly checks the source string and
> destination buffer for validity and compatibility and then performs
> the copy without further checks.
> 3) If you wrote your own strcpy, then each time you copy a character,
> both the source and destination pointers will be checked.

Fourth way :) The first thing strcpy does is a call to a function which saves the last 10 BP/IP pairs from the stack to an internal array, then the original strcpy code is executed (w/out any checking), and at exit a function is called which retrieves the last 10 BP/IP pairs and compares them with the saved ones. Really there is a little more complicated algorithm, but I hope you got the main idea.
-- Alexandre Snarskii the source code is included

From owner-freebsd-security Tue Jul 21 16:49:54 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA13268 for freebsd-security-outgoing; Tue, 21 Jul 1998 16:49:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA13245 for ; Tue, 21 Jul 1998 16:49:37 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id QAA10691 for ; Tue, 21 Jul 1998 16:48:29 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: security@FreeBSD.ORG Subject: Re: Projects to improve security (related to C) In-reply-to: Your message of "Tue, 21 Jul 1998 13:18:31 MDT." <199807211918.NAA15306@lariat.lariat.org> Date: Tue, 21 Jul 1998 16:48:29 -0700 Message-ID: <10687.901064909@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Can we please end this thread now? It's no longer accomplishing anything but general acrimony, I've had 3 people appeal to me personally to either muzzle Brett or have him taken out back and shot, and I really do think we're in the diminishing returns department at this stage. Please, enough! I think everyone has more than made their points at this stage and we're now at the repeat-them-until-everyone-barfs point. I know some folks feel strongly about this, but there are limits to everything.

Thanks!
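[Editor's added example. The following is not code from any message in this thread, nor from libparanoia or the bounds-checking gcc. It reduces the strcpy variants compared by Peter Jeremy and Alexandre Snarskii above to a deterministic demo: `checked_strcpy` is the case-2 style copy that checks the destination size once before copying, and `paranoid_strcpy` is the "fourth way", which snapshots the saved frame pointer and return address before an unchecked copy and compares them afterwards. The `fake_frame` struct, the sentinel BP/IP values and the input strings are constructed for the demo so the overflow is reproducible without undefined behaviour; a real libparanoia walks the live stack frames, and the libc strcpy simply has no check at all.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an x86 stack frame: a 16-byte local buffer with the
 * caller's saved frame pointer (BP) and return address (IP) right above it.
 * Real frames are laid out by the compiler; this struct only makes the
 * overflow reproducible and keeps the demo inside defined behaviour. */
struct fake_frame {
    char      buf[16];
    uintptr_t saved_bp;
    uintptr_t saved_ip;
};

enum copy_result { COPY_OK = 0, COPY_REFUSED = 1, COPY_SMASHED = 2 };

/* Sentinel values standing in for a real saved %ebp and return address. */
#define DEMO_SAVED_BP ((uintptr_t)0xbfff0000u)
#define DEMO_SAVED_IP ((uintptr_t)0x08048500u)

struct fake_frame fresh_frame(void)
{
    struct fake_frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.saved_bp = DEMO_SAVED_BP;
    f.saved_ip = DEMO_SAVED_IP;
    return f;
}

/* Case 2 in Peter Jeremy's list: a strcpy that knows the destination size and
 * checks compatibility once, before copying. Prevention: dst is never overrun
 * and is left untouched when the copy is refused. */
enum copy_result checked_strcpy(char *dst, size_t dstsize, const char *src)
{
    size_t need = strlen(src) + 1;          /* bytes including the NUL */
    if (need > dstsize)
        return COPY_REFUSED;
    memcpy(dst, src, need);
    return COPY_OK;
}

/* Case 1: the libc-style copy, no checks. Bytes beyond buf[] land in saved_bp
 * and saved_ip, as a real stack overflow would. The copy goes through the
 * struct's byte representation and is clamped to its size only so the demo
 * itself stays well-defined. */
static void unchecked_strcpy_into_frame(struct fake_frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* Alexandre Snarskii's "fourth way": snapshot the saved BP/IP before the
 * unchecked copy, compare afterwards. Detection after the fact, not
 * prevention: when the mismatch is seen the return address is already gone,
 * so a real implementation must abort here rather than return. */
enum copy_result paranoid_strcpy(struct fake_frame *f, const char *src)
{
    uintptr_t bp_before = f->saved_bp;
    uintptr_t ip_before = f->saved_ip;

    unchecked_strcpy_into_frame(f, src);

    if (f->saved_bp != bp_before || f->saved_ip != ip_before)
        return COPY_SMASHED;
    return COPY_OK;
}

/* Which saved slots differ from the sentinels: bit 0 = BP, bit 1 = IP. */
int smashed_slots(const struct fake_frame *f)
{
    return (f->saved_bp != DEMO_SAVED_BP ? 1 : 0)
         | (f->saved_ip != DEMO_SAVED_IP ? 2 : 0);
}

/* Scenario drivers: run one copy into a fresh 16-byte target and report. */
int run_checked(const char *src)
{
    char dst[16];
    enum copy_result r;
    memset(dst, 'x', sizeof dst);
    r = checked_strcpy(dst, sizeof dst, src);
    if (r == COPY_REFUSED && (dst[0] != 'x' || dst[15] != 'x'))
        return -1;                          /* refused copy must not touch dst */
    return (int)r;
}

int run_paranoid(const char *src)
{
    struct fake_frame f = fresh_frame();
    return (int)paranoid_strcpy(&f, src);
}

int run_paranoid_slots(const char *src)
{
    struct fake_frame f = fresh_frame();
    (void)paranoid_strcpy(&f, src);
    return smashed_slots(&f);
}

int main(void)
{
    /* Constructed inputs: one fits, one reaches saved_bp only, one overruns both slots. */
    const char *fits  = "hello";
    const char *to_bp = "AAAAAAAAAAAAAAAAAAAA";           /* 20 bytes + NUL */
    const char *to_ip = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 30 bytes + NUL */

    printf("checked  fits=%d to_bp=%d to_ip=%d\n",
           run_checked(fits), run_checked(to_bp), run_checked(to_ip));
    printf("paranoid fits=%d/%d to_bp=%d/%d to_ip=%d/%d (result/slots)\n",
           run_paranoid(fits), run_paranoid_slots(fits),
           run_paranoid(to_bp), run_paranoid_slots(to_bp),
           run_paranoid(to_ip), run_paranoid_slots(to_ip));
    return 0;
}
```

The two approaches buy different things. The size-aware copy never writes past the buffer, so it costs one length check per call and turns an overflow into a refused copy the caller can handle. The snapshot-and-compare wrapper keeps the original, unchecked copy and only learns of the overflow once the saved frame data has already been overwritten; it is cheap enough to wrap the handful of classic culprits in an existing binary, but the only safe response on mismatch is to abort, and it sees nothing if the overflow stays short of the saved pairs or clobbers something that is not a frame pointer or return address.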
- Jordan

From owner-freebsd-security Tue Jul 21 16:56:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA14814 for freebsd-security-outgoing; Tue, 21 Jul 1998 16:56:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from enya.hilink.com.au (enya.hilink.com.au [203.8.14.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA14709 for ; Tue, 21 Jul 1998 16:56:28 -0700 (PDT) (envelope-from danny@enya.hilink.com.au) Received: from localhost (danny@localhost) by enya.hilink.com.au (8.8.8/8.8.7) with SMTP id JAA03991; Wed, 22 Jul 1998 09:55:31 +1000 (EST) (envelope-from danny@enya.hilink.com.au) Date: Wed, 22 Jul 1998 09:55:31 +1000 (EST) From: "Daniel O'Callaghan" To: Johann Visagie cc: Philippe Regnauld , security@FreeBSD.ORG Subject: Re: ipfw & icmp question In-Reply-To: <19980721142451.A4361@cityip.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Johann Visagie wrote:
> On Sat, 30 May 1998 at 23:48 SAT, Philippe Regnauld wrote:
> >
> > I am a bit puzzled regarding the following situation:
> >
> > I have a machine with IPFW setup to send "port unreachable" if
> > a connection attempt is made on port 113/TCP (identd). The policy
> > is default deny. Here is what happens when I do "telnet host 113"
>
> Sorry, can't help you with that one. I just allow queries to 113/tcp and
> make sure there's nothing running on the port. *shrug*

Don't send port unreachable. FreeBSD sees that as a temporary failure. Send a TCP RST using "ipfw add rule# reset tcp from any to any 113"

Danny

From owner-freebsd-security Tue Jul 21 17:04:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA16669 for freebsd-security-outgoing; Tue, 21 Jul 1998 17:04:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from pobox.com (lafra-28.mdm.mke.execpc.com [169.207.80.156]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id RAA16588 for ; Tue, 21 Jul 1998 17:04:27 -0700 (PDT) (envelope-from hamilton@pobox.com) Message-Id: <199807220004.RAA16588@hub.freebsd.org> Received: (qmail 11716 invoked from network); 21 Jul 1998 19:06:39 -0500 Received: from localhost (HELO pobox.com) (127.0.0.1) by localhost with SMTP; 21 Jul 1998 19:06:39 -0500 To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: Why is there no info on the QPOPPER hack? In-reply-to: Your message of "Tue, 21 Jul 1998 12:24:50 MDT." <199807211824.MAA14302@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 21 Jul 1998 19:06:38 -0500 From: Jon Hamilton Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <199807211824.MAA14302@lariat.lariat.org>, Brett Glass wrote:
} At 10:34 PM 7/20/98 -0500, Jon Hamilton wrote:
}
} >The sky is falling! Where is that warranty? Oh, that's right, there isn't
} >one. The people who are responsible for keeping those machines safe are
} >just going to have to be responsible for keeping them safe, I guess.
}
} And every one of them will respond instantly to every security advisory,
} so no crackers will ever get in. Nice fantasy.

I have made no such claim.

} >True, but how often do we see problems where "-current won't compile" or
} >where patches went in which were unchecked or otherwise caused problems?
} >You're talking about a volunteer effort, and I just don't see you getting
} >the kind of rigor out of it that you'd need for something like you're
} >suggesting. This is not meant to denigrate the effort any of the
} >maintainers put in - I am arguing that it's not reasonable to expect such
} >a level of effort from them, and if not them, then who?
}
} A security team formed for that purpose. A group of people who DO hang on
} every Bugtraq message (if not individually, then collectively). As for
} "-current won't compile" problems -- they're unlikely to occur because
} the patches will likely be to small bits of the OS.

You're being casually dismissive of a real issue again. Surely you aren't going to try to keep a straight face while suggesting that it's rare to see a quick bug fix for an exploit that either causes more problems than it solves, or doesn't address the problem it's meant to fix?

Where do you propose to find these people, and what makes you think they're going to perform this task for you for low or no cost? I hope you manage to institute something and make it work; it'd be a good thing. I don't see it happening within the parameters you've laid out, though, and given your frequent use of the third person, I doubt very much that you will put much effort into making anything happen, other than complaining that nobody has already done it for you.

} >Wave your hands some more. Are you _really_ sure that you trust your
} >local copy of pgp (or whatever other method you want to use)?
}
} As much as I trust CVSupping to close a hole. And, yes, I do place a high
} level of trust in strong crypto. As must all of us.

All the world doesn't look like your installation, and solutions that work just fine and make good sense for your installation may simply not fit elsewhere.
-- Jon Hamilton hamilton@pobox.com

From owner-freebsd-security Tue Jul 21 17:07:37 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA17336 for freebsd-security-outgoing; Tue, 21 Jul 1998 17:07:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adam.adonai.net (adam.adonai.net [207.8.83.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA17233 for ; Tue, 21 Jul 1998 17:07:11 -0700 (PDT) (envelope-from leec@adam.adonai.net) Received: from localhost (leec@localhost) by adam.adonai.net (8.8.7/8.8.7) with SMTP id TAA05749; Tue, 21 Jul 1998 19:06:24 -0500 (CDT) (envelope-from leec@adam.adonai.net) Date: Tue, 21 Jul 1998 19:06:24 -0500 (CDT) From: "Lee Crites (ASC)" To: Drew Derbyshire cc: security@FreeBSD.ORG Subject: Re: hacked and don't know why In-Reply-To: <199807212051.QAA05632@kendra.ne.mediaone.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Drew Derbyshire wrote:
=>My firewall was hacked last night and I don't know how.
=>
=>Only damage is the complete loss of /dev, /bin, and /var/log
=>directories. The system was more or less up when I checked it
=>this morning, but I had to crash it and rebuild/reload the
=>affected directories using the 2.2.26 live file system CD-ROM.

This is almost a frightening message. We were hacked like this two weeks ago. How frequently are FreeBSD systems getting hacked into? Is there even anyone who has stats on this kind of thing?

In my case, the bin directories (/bin, /sbin, /usr/bin, /usr/sbin, etc) were still there, just that every program was replaced with the exact same "dummy" program. All were, as I recall, around 180k (exact same size with cmp showing no differences in any of them). The funny thing is that ls did what ls was supposed to do, ps did what it was supposed to do, etc, even though they were the same size and cmp'd as identical.

The biggest problem we had was this happened at the same time I was involved in an accident which left me with a fairly severe concussion. I knew I was too far gone to really figure out what was happening, so I just unplugged my router and rebuilt from scratch. (note: this was a realistic two day job which stretched to nearly 10 days as I recovered from the effects of the accident -- not something I'd recommend to anyone else)

=>firewall filtering is enabled, major services allowed include

In my case, there was no firewall.

=>Suggestions to prevent a repeat? I'm going to build a new
=>system from scratch to ensure clean binaries and the like, but
=>I don't know what hole I left open ...

Ditto for the request for suggestions. Is there a FreeBSD related checklist for security issues like this?

Lee

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Lee Crites Adonai Services Company, Round Rock, Texas leec@adonai.net http://www.adonai.net/~leec =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From owner-freebsd-security Tue Jul 21 17:10:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA18246 for freebsd-security-outgoing; Tue, 21 Jul 1998 17:10:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adam.adonai.net (adam.adonai.net [207.8.83.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA18131 for ; Tue, 21 Jul 1998 17:10:23 -0700 (PDT) (envelope-from leec@adam.adonai.net) Received: from localhost (leec@localhost) by adam.adonai.net (8.8.7/8.8.7) with SMTP id TAA05753; Tue, 21 Jul 1998 19:09:57 -0500 (CDT) (envelope-from leec@adam.adonai.net) Date: Tue, 21 Jul 1998 19:09:57 -0500 (CDT) From: "Lee Crites (ASC)" To: Brett
Glass
cc: security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <199807211859.MAA14931@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Brett Glass wrote:

=>Well, I've looked this week at the possibility of doing a
=>mechanical translation of FreeBSD into a type-safe language
=>with range and bounds checking, then fixing the trouble spots
=>manually. Apparently, there's a company called Reasoning
=>Systems that actually has tools that can do such things.

What language(s) are you looking into or considering? I've seen
java suggested, but is it the only option?

Lee

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lee Crites
Adonai Services Company, Round Rock, Texas
leec@adonai.net http://www.adonai.net/~leec
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jul 21 17:20:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA20654 for freebsd-security-outgoing; Tue, 21 Jul 1998 17:20:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA20563 for ; Tue, 21 Jul 1998 17:20:23 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Tue, 21 Jul 1998 18:19:57 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma004313; Tue, 21 Jul 98 18:19:38 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.5) id SAA09362; Tue, 21 Jul 1998 18:08:18 -0600 (MDT)
Date: Tue, 21 Jul 1998 18:08:17 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Ben
cc: Brett Glass , Jeremy Shaffner , security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Ben wrote:

> We went to using cucipop. You might try this too, it uses about 30%
> less cpu, and doesn't have these exploits (yet? I haven't looked through
> its code)
>
> -> ftp://ftp.informatik.rwth-aachen.de/pub/packages/cucipop/

The cucipop sources don't look anything like the procmail sources, do
they? The author might be a good programmer but his C formatting style
is probably the most horrible and wretched thing I have ever encountered.
It is literally painful to read, and almost impossible to follow.

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/

From owner-freebsd-security Tue Jul 21 17:40:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA24092 for freebsd-security-outgoing; Tue, 21 Jul 1998 17:40:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: (from jmb@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA24040; Tue, 21 Jul 1998 17:39:52 -0700 (PDT) (envelope-from jmb)
From: "Jonathan M. Bresler"
Message-Id: <199807220039.RAA24040@hub.freebsd.org>
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807212229.QAA18807@lariat.lariat.org> from Brett Glass at "Jul 21, 98 04:22:41 pm"
To: brett@lariat.org (Brett Glass)
Date: Tue, 21 Jul 1998 17:39:51 -0700 (PDT)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
> At 11:10 PM 7/21/98 +0000, Niall Smart wrote:
>
> >Auditing isn't the answer to programs which have been maldesigned
> >and malimplemented right from the very beginning, rm is. Sometimes
> >programs reach a point of no return, at which the only sensible
> >thing to do is start again with the benefit of experience. Sendmail
> >and QMail are good examples of the former and latter.
>
> Fortunately, now that UUCP mail addressing, BITNET, etc. have been so
> thoroughly deprecated, there's no real need for a mail router that
> translates addresses -- the primary purpose of Sendmail. Something much
> simpler will do now.

VMailer from Wietse Venema. now in alpha, beta should be available
later this year. if you read chat, you are using it already.
jmb

From owner-freebsd-security Tue Jul 21 18:17:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA00341 for freebsd-security-outgoing; Tue, 21 Jul 1998 18:17:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA00329 for ; Tue, 21 Jul 1998 18:17:37 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id TAA21819; Tue, 21 Jul 1998 19:17:15 -0600 (MDT)
Message-Id: <199807220117.TAA21819@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 21 Jul 1998 19:17:13 -0600
To: "Jordan K. Hubbard" , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <10687.901064909@time.cdrom.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, if we're going to reach closure on this, I think there should
be some positive decisions made and action taken. Clearly, we've
seen some problems that need fixing; the worst thing that can happen
is that people will do nothing. Constructive suggestions?

--Brett

At 04:48 PM 7/21/98 -0700, Jordan K. Hubbard wrote:
>Can we please end this thread now? It's no longer accomplishing
>anything but general acrimony, I've had 3 people appeal to me
>personally to either muzzle Brett or have him taken out back and shot,
>and I really do think we're in the diminishing returns department at
>this stage.
>
>Please, enough! I think everyone has more than made their points at
>this stage and we're now at the repeat-them-until-everyone-barfs
>point. I know some folks feel strongly about this, but there are
>limits to everything.
>
>Thanks!
>
>- Jordan
>

From owner-freebsd-security Tue Jul 21 18:23:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA01377 for freebsd-security-outgoing; Tue, 21 Jul 1998 18:23:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA01362 for ; Tue, 21 Jul 1998 18:23:29 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id TAA21937; Tue, 21 Jul 1998 19:23:04 -0600 (MDT)
Message-Id: <199807220123.TAA21937@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 21 Jul 1998 19:23:01 -0600
To: Jon Hamilton
From: Brett Glass
Subject: Making it work (Was: Why is there no info on the QPOPPER hack?)
Cc: security@FreeBSD.ORG
In-Reply-To: <199807220004.SAA20560@lariat.lariat.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:06 PM 7/21/98 -0500, Jon Hamilton wrote:
>You're being casually dismissive of a real issue again. Surely you
>aren't going to try to keep a straight face while suggesting that
>it's rare to see a quick bug fix for an exploit that either causes
>more problems than it solves, or doesn't address the problem it's meant
>to fix?

This is usually because the patch is created in a hurry by one individual
without adequate review. That's where the notion of a team comes in.
>Where do you propose to find these people, and what makes you
>think they're going to perform this task for you for low or no cost?

Self-interest. These will likely be the same people who are motivated
to close holes in their own systems fast, and will appreciate the
chance to work with a team rather than fending entirely for themselves.

>All the world doesn't look like your installation, and solutions that
>work just fine and make good sense for your installation may simply
>not fit elsewhere.

I think if one limits the scope of solutions to patched versions of
existing programs, it becomes feasible to allow an automatic update.

Nothing's foolproof, of course. For example, if a DoS attack came before
the patch arrived, it might not get installed. But the odds are good that
it would help.

--Brett

From owner-freebsd-security Tue Jul 21 18:26:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA02074 for freebsd-security-outgoing; Tue, 21 Jul 1998 18:26:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA01948 for ; Tue, 21 Jul 1998 18:26:04 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id TAA21968; Tue, 21 Jul 1998 19:25:23 -0600 (MDT)
Message-Id: <199807220125.TAA21968@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 21 Jul 1998 19:25:21 -0600
To: "Lee Crites (ASC)"
From: Brett Glass
Subject: Translation to a safer language (Was: Projects to improve security)
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <199807211859.MAA14931@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Pascal, Modula-2, Modula-3, and Ada are the most obvious
candidates; of course, a new language could be developed
with this application in mind. (The advantage of developing
something new is that it could have obvious, but safe,
mappings from C constructs, facilitating machine
translation.) Ideas?

--Brett

At 07:09 PM 7/21/98 -0500, Lee Crites (ASC) wrote:
>On Tue, 21 Jul 1998, Brett Glass wrote:
>
>=>Well, I've looked this week at the possibility of doing a
>=>mechanical translation of FreeBSD into a type-safe language
>=>with range and bounds checking, then fixing the trouble spots
>=>manually. Apparently, there's a company called Reasoning
>=>Systems that actually has tools that can do such things.
>
>What language(s) are you looking into or considering? I've seen
>java suggested, but is it the only option?
>
>Lee
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Lee Crites
> Adonai Services Company, Round Rock, Texas
> leec@adonai.net http://www.adonai.net/~leec
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>

From owner-freebsd-security Tue Jul 21 18:43:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA05072 for freebsd-security-outgoing; Tue, 21 Jul 1998 18:43:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.128.94.182]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA05067 for ; Tue, 21 Jul 1998 18:43:13 -0700 (PDT) (envelope-from ahd@kew.com)
Received: (from ahd@localhost) by kendra.ne.mediaone.net (8.9.0/8.9.0) id VAA00776; Tue, 21 Jul 1998 21:42:45 -0400 (EDT)
Date: Tue, 21 Jul 1998 21:42:45 -0400 (EDT)
From: Drew Derbyshire
Message-Id: <199807220142.VAA00776@kendra.ne.mediaone.net>
To: trouble@webfyre.com
Subject: Re: hacked and don't know why
Cc: security@FreeBSD.ORG
In-Reply-To: <35B4CDBD.67F9043@iwebb.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe the trouble has been located. I'm running a pre-2.5 version
of qpopper, which just had a CERT advisory put up on it for a buffer
overflow problem. Until I can upgrade the version, I've restricted
access to it via packet filtering.

-ahd-

--
Drew Derbyshire                 Internet:  ahd@kew.com
Kendra Electronic Wonderworks   Telephone: 781-279-9812

Every Creature has within him the wild, uncontrollable urge to PUNT.

From owner-freebsd-security Tue Jul 21 19:11:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA10794 for freebsd-security-outgoing; Tue, 21 Jul 1998 19:11:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from pobox.com (lafra-28.mdm.mke.execpc.com [169.207.80.156]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id TAA10787 for ; Tue, 21 Jul 1998 19:11:44 -0700 (PDT) (envelope-from hamilton@pobox.com)
Message-Id: <199807220211.TAA10787@hub.freebsd.org>
Received: (qmail 13105 invoked from network); 21 Jul 1998 21:13:51 -0500
Received: from localhost (HELO pobox.com) (127.0.0.1) by localhost with SMTP; 21 Jul 1998 21:13:51 -0500
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: Making it work (Was: Why is there no info on the QPOPPER hack?)
In-reply-to: Your message of "Tue, 21 Jul 1998 19:23:01 MDT." <199807220123.TAA21937@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 21 Jul 1998 21:13:51 -0500
From: Jon Hamilton
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199807220123.TAA21937@lariat.lariat.org>, Brett Glass wrote:
} At 07:06 PM 7/21/98 -0500, Jon Hamilton wrote:
}
} >You're being casually dismissive of a real issue again. Surely you
} >aren't going to try to keep a straight face while suggesting that
} >it's rare to see a quick bug fix for an exploit that either causes
} >more problems than it solves, or doesn't address the problem it's meant
} >to fix?
}
} This is usually because the patch is created in a hurry by one individual
} without adequate review. That's where the notion of a team comes in.

And this team is going to flash the bat signal and gather round the
table every time any member finds any problem in any software? How do
you balance the delay of having many people examine the problem (and the
fix) vs. having fewer people do the work and getting the result out more
quickly? How large is this team? What happens when there's disagreement
among the team as to what is or isn't a good fix? What about the fact that
you're still applying band-aids to poorly written code in the first place,
in effect treating the symptom rather than the cause?

} >Where do you propose to find these people, and what makes you
} >think they're going to perform this task for you for low or no cost?
}
} Self-interest. These will likely be the same people who are motivated
} to close holes in their own systems fast, and will appreciate the
} chance to work with a team rather than fending entirely for themselves.

You've found the right motivation, but I don't think you'll find enough people
who are both interested in such an endeavor and willing/able to be part of
a group such as you're describing. Once you get a group larger than a
certain critical mass, it becomes a time sucking pig trying to generate
some semblance of consensus, and people spend lots of time bickering rather
than doing something more productive. Not entirely unlike this thread.

} >All the world doesn't look like your installation, and solutions that
} >work just fine and make good sense for your installation may simply
} >not fit elsewhere.
}
} I think if one limits the scope of solutions to patched versions of
} existing programs, it becomes feasible to allow an automatic update.

For you, and for installations like yours which are managed by people
who think the same way you do. If there are enough such combinations,
maybe your idea will fly.

} Nothing's foolproof, of course. For example, if a DoS attack came before
} the patch arrived, it might not get installed. But the odds are good that
} it would help.

Well, if a DoS attack came before the patch arrived and the patch wasn't
able to make it, the odds are very poor that it'd help :)

I suspect that you meant that in a big picture sort of way, your idea would
solve more problems than it creates. I still think there's more hidden
overhead in there than you're acknowledging, and there are other problems
waiting to bite you which you seem eager to dismiss out of hand, but it is
of course your prerogative to charge ahead down your chosen path. I don't
imagine the odds are very good at this point that either of us is going to
convince the other that he's wrong, and since the arguments are starting to
come full circle, I think it's getting to be time to move on. I'll keep an
eye out for announcements of your project's success.
--
Jon Hamilton
hamilton@pobox.com

From owner-freebsd-security Tue Jul 21 19:47:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA16325 for freebsd-security-outgoing; Tue, 21 Jul 1998 19:47:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA16284 for ; Tue, 21 Jul 1998 19:46:40 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id WAA12184; Tue, 21 Jul 1998 22:45:05 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9807212245.ZM12182@beatrice.rutgers.edu>
Date: Tue, 21 Jul 1998 22:45:04 -0400
In-Reply-To: Brett Glass "Translation to a safer language (Was: Projects to improve security)" (Jul 21, 7:25pm)
References: <199807211859.MAA14931@lariat.lariat.org> <199807220125.TAA21968@lariat.lariat.org>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Brett Glass , "Lee Crites (ASC)"
Subject: Re: Translation to a safer language (Was: Projects to improve security)
Cc: security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 21, 7:25pm, Brett Glass (possibly) wrote:
> Pascal, Modula-2, Modula-3, and Ada are the most obvious
> candidates; of course, a new language could be developed
> with this application in mind. (The advantage of developing
> something new is that it could have obvious, but safe,
> mappings from C constructs, facilitating machine
> translation.) Ideas?

Might I suggest Perl at this point?

 A. it's got built-in security stuff such as tainting;
 B. a Perl-to-C translator/compiler is under active development
    (indeed, as of last count the main problem was getting it
    to turn out highly optimizable code, not in getting it to
    turn out correct code);
and C. it already has similarities to C in quite a few ways, making
    porting easier.

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

From owner-freebsd-security Tue Jul 21 19:54:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA17369 for freebsd-security-outgoing; Tue, 21 Jul 1998 19:54:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA17338 for ; Tue, 21 Jul 1998 19:54:11 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id UAA23367; Tue, 21 Jul 1998 20:50:20 -0600 (MDT)
Message-Id: <199807220250.UAA23367@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 21 Jul 1998 20:50:18 -0600
To: "Allen Smith" , "Lee Crites (ASC)"
From: Brett Glass
Subject: Re: Translation to a safer language (Was: Projects to improve security)
Cc: security@FreeBSD.ORG
In-Reply-To: <9807212245.ZM12182@beatrice.rutgers.edu>
References: <199807211859.MAA14931@lariat.lariat.org> <199807220125.TAA21968@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The question would be whether it would be efficient enough. Perl might
drop back to near-interpreted speed if certain constructs were used.
Also, Perl isn't strongly typed, so it might not catch certain errors.

--Brett

At 10:45 PM 7/21/98 -0400, Allen Smith wrote:
>Might I suggest Perl at this point?
>
> A. it's got built-in security stuff such as tainting;
> B. a Perl-to-C translator/compiler is under active development
>    (indeed, as of last count the main problem was getting it
>    to turn out highly optimizable code, not in getting it to
>    turn out correct code);
>and C. it already has similarities to C in quite a few ways, making
>    porting easier.

From owner-freebsd-security Tue Jul 21 19:55:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA17546 for freebsd-security-outgoing; Tue, 21 Jul 1998 19:55:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA17539 for ; Tue, 21 Jul 1998 19:55:43 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id UAA23447; Tue, 21 Jul 1998 20:55:15 -0600 (MDT)
Message-Id: <199807220255.UAA23447@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 21 Jul 1998 20:55:13 -0600
To: Jon Hamilton
From: Brett Glass
Subject: Re: Making it work (Was: Why is there no info on the QPOPPER hack?)
Cc: security@FreeBSD.ORG
In-Reply-To: <199807220211.UAA22700@lariat.lariat.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:13 PM 7/21/98 -0500, Jon Hamilton wrote:
>And this team is going to flash the bat signal and gather round the
>table every time any member finds any problem in any software?

If it's in the Ports collection or in a built-in FreeBSD utility, an
alert should go out, certainly.

>How do
>you balance the delay of having many people examine the problem (and the
>fix) vs. having fewer people do the work and getting the result out more
>quickly? How large is this team? What happens when there's disagreement
>among the team as to what is or isn't a good fix? What about the fact that
>you're still applying band-aids to poorly written code in the first place,
>in effect treating the symptom rather than the cause?

How are these problems handled by the current development team?

>You've found the right motivation, but I don't think you'll find enough people
>who are both interested in such an endeavor and willing/able to be part of
>a group such as you're describing. Once you get a group larger than a
>certain critical mass, it becomes a time sucking pig trying to generate
>some semblance of consensus, and people spend lots of time bickering rather
>than doing something more productive.

You're very pessimistic! Who here is more optimistic and would be willing
to try it?

>I suspect that you meant that in a big picture sort of way, your idea would
>solve more problems than it creates. I still think there's more hidden
>overhead in there than you're acknowledging, and there are other problems
>waiting to bite you which you seem eager to dismiss out of hand,

Again, you're being incredibly pessimistic. I think it can work.
Volunteers for the "instant update" team, please send me private e-mail!
--Brett

From owner-freebsd-security Tue Jul 21 20:13:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA19314 for freebsd-security-outgoing; Tue, 21 Jul 1998 20:13:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA19309 for ; Tue, 21 Jul 1998 20:13:44 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id XAA12557; Tue, 21 Jul 1998 23:12:10 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9807212312.ZM12555@beatrice.rutgers.edu>
Date: Tue, 21 Jul 1998 23:12:10 -0400
In-Reply-To: Brett Glass "Re: Translation to a safer language (Was: Projects to improve security)" (Jul 21, 8:50pm)
References: <"Brett Glass <199807211859.MAA14931@lariat.lariat.org> <199807220125.TAA21968@lariat.lariat.org> <199807220250.UAA23367@lariat.lariat.org>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Brett Glass , "Lee Crites (ASC)"
Subject: Re: Translation to a safer language (Was: Projects to improve security)
Cc: security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 21, 8:50pm, Brett Glass (possibly) wrote:
> The question would be whether it would be efficient enough. Perl might
> drop back to near-interpreted speed if certain constructs were used.

Regarding this, I'd point out that the main thing slowing Perl down as
compared to C for most applications is the interpretation step - not the
running step. (I say most applications because Perl is a lot easier to
write efficient string stuff in than C.)
In other words, code based on Perl's code with the interpretation stuff
removed is likely to result in quite fast code indeed.

> Also, Perl isn't strongly typed, so it might not catch certain errors.

I can see this on strings vs integers/floats. Perl does have the
capability for function prototypes (at least in recent versions).

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

From owner-freebsd-security Tue Jul 21 21:43:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA01032 for freebsd-security-outgoing; Tue, 21 Jul 1998 21:43:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from zeus.theinternet.com.au (akm@zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA01027 for ; Tue, 21 Jul 1998 21:43:01 -0700 (PDT) (envelope-from akm@zeus.theinternet.com.au)
Received: (from akm@localhost) by zeus.theinternet.com.au (8.8.7/8.8.7) id OAA08927; Wed, 22 Jul 1998 14:38:40 GMT (envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199807221438.OAA08927@zeus.theinternet.com.au>
Subject: Re: Translation to a safer language (Was: Projects to improve security)
In-Reply-To: <199807220250.UAA23367@lariat.lariat.org> from Brett Glass at "Jul 21, 98 08:50:18 pm"
To: brett@lariat.org (Brett Glass)
Date: Wed, 22 Jul 1998 14:38:40 +0000 (GMT)
Cc: easmith@beatrice.rutgers.edu, leec@adam.adonai.net, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

+----[ Brett Glass ]---------------------------------------------
| The question would be whether it would be efficient enough. Perl might
| drop back to near-interpreted speed if certain constructs were used.
| Also, Perl isn't strongly typed, so it might not catch certain errors.
|

Anything with a cast operator is out then... That nails C++, Modula*,
Java, C.

Occam2 would be kinda neat, instant support for MP stuff d8). Now if we
can just get a transputer port of FreeBSD...

Bad code, is bad code, it doesn't matter what language you code in. The
only way to prevent bad code is to audit and test.

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
PO Box 403 Booval QLD Australia 4304 |akm@theinternet.com.au|Specialist

From owner-freebsd-security Tue Jul 21 21:56:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA02990 for freebsd-security-outgoing; Tue, 21 Jul 1998 21:56:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from noc.datagrid.com (qmailr@noc.datagrid.com [209.133.83.32]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id VAA02975 for ; Tue, 21 Jul 1998 21:56:39 -0700 (PDT) (envelope-from bugtraq@noc.datagrid.com)
Received: (qmail 9552 invoked by uid 1040); 22 Jul 1998 04:56:31 -0000
Date: Tue, 21 Jul 1998 21:56:31 -0700 (PDT)
From: bugtraq
To: FreeBSD-security@FreeBSD.ORG
Subject: Subscribe
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Subscribe

From owner-freebsd-security Tue Jul 21 22:13:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA05950 for freebsd-security-outgoing; Tue, 21 Jul 1998 22:13:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fallout.campusview.indiana.edu (fallout.campusview.indiana.edu [149.159.1.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA05932 for ; Tue, 21 Jul 1998 22:13:47 -0700 (PDT) (envelope-from jfieber@indiana.edu)
Received: from localhost (jfieber@localhost) by fallout.campusview.indiana.edu (8.8.8/8.8.7) with SMTP id AAA11396; Wed, 22 Jul 1998 00:13:21 -0500 (EST)
Date: Wed, 22 Jul 1998 00:13:21 -0500 (EST)
From: John Fieber
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <199807220117.TAA21819@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Brett Glass wrote:

> be some positive decisions made and action taken. Clearly, we've
> seen some problems that need fixing; the worst thing that can happen
> is that people will do nothing. Constructive suggestions?

If you want an automagic patching system and you think it will be a
"marketable" product, the standard next step is to build a
proof-of-concept prototype for some marketing tests. It seems such a
system would need three components.

* A mechanism for manufacturing and packaging and labeling band-aids[1]
* A band-aid delivery service
* A mechanism for safely applying the band-aids

I personally think the scheme would be most marketable if the last
stage had a "let me look at it first" mode in addition to an automagic
mode.

So, go at it! :) Remember, FreeBSD is volunteer powered.

-john

[1] Since some in this lively exchange propose that the whole C based
universe is fundamentally broken, band-aids may be the best we can do.
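The three components John lists above (manufacture and label a band-aid, deliver it, apply it safely with a "let me look at it first" mode), sketched as an added POSIX shell example. This is not code from the thread or from any FreeBSD tool; the function names (make_bandaid, deliver_bandaid, verify_bandaid, apply_bandaid, demo) are hypothetical, and a SHA-256 digest stands in for the signature a real delivery service would put on the manifest, since a bare digest only detects corruption, not substitution by whoever controls the delivery channel.

```shell
#!/bin/sh
# Added example (not from the thread): a toy "band-aid" pipeline with the
# three components named in the message above. Function names are
# hypothetical. A digest stands in for a signature: a real delivery
# service would sign the manifest so a substituted patch is rejected too.

# sha256 of a file, portable across Linux (sha256sum) and BSD (sha256 -q).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# (1) Manufacture: package a replacement file with a label and a manifest.
#     $1 = patch name, $2 = fixed file, $3 = path it replaces, $4 = output dir
make_bandaid() {
    mkdir -p "$4" || return 1
    cp "$2" "$4/payload" || return 1
    printf 'name=%s\ntarget=%s\n' "$1" "$3" > "$4/label"
    printf '%s  payload\n' "$(digest "$4/payload")" > "$4/manifest.sha256"
}

# (2) Deliver: in real life a fetch over the network; here a local copy.
deliver_bandaid() {
    rm -rf "$2" && cp -R "$1" "$2"
}

# Integrity check run before anything is applied: manifest must match payload.
verify_bandaid() {
    expected=$(cut -d' ' -f1 "$1/manifest.sha256") || return 1
    actual=$(digest "$1/payload")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# (3) Apply safely. $1 = band-aid dir, $2 = "review" or "apply".
#     Review mode shows what would change and touches nothing; apply mode
#     verifies, keeps a backup of the old file, then installs the payload.
#     Returns 0 on success, 2 if verification fails, 3 on a bad label.
apply_bandaid() {
    verify_bandaid "$1" || { echo "refusing: manifest mismatch" >&2; return 2; }
    target=$(sed -n 's/^target=//p' "$1/label")
    [ -n "$target" ] || { echo "refusing: no target in label" >&2; return 3; }
    if [ "$2" = "review" ]; then
        echo "would replace $target with:"
        diff -u "$target" "$1/payload" || true
        return 0
    fi
    cp "$target" "$target.bak" && cp "$1/payload" "$target"
}

# Round trip on constructed files in a temp dir; returns 0 if the fixed
# file ends up installed. Run "demo" to see review output, then the apply.
demo() {
    d=$(mktemp -d) || return 1
    printf 'old\n' > "$d/prog"
    printf 'fixed\n' > "$d/prog.new"
    make_bandaid example-fix "$d/prog.new" "$d/prog" "$d/build" &&
    deliver_bandaid "$d/build" "$d/inbox" &&
    apply_bandaid "$d/inbox" review &&
    apply_bandaid "$d/inbox" apply &&
    [ "$(cat "$d/prog")" = "fixed" ]
    rc=$?
    rm -rf "$d"
    return $rc
}
```

The verify step runs in both modes, so a payload altered in transit is refused before review output is even shown, and apply mode never touches the target without first writing a backup next to it.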
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jul 21 22:20:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA06709 for freebsd-security-outgoing; Tue, 21 Jul 1998 22:20:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA06701 for ; Tue, 21 Jul 1998 22:20:30 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id WAA11758; Tue, 21 Jul 1998 22:19:02 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: "Lee Crites (ASC)" cc: Drew Derbyshire , security@FreeBSD.ORG Subject: Re: hacked and don't know why In-reply-to: Your message of "Tue, 21 Jul 1998 19:06:24 CDT." Date: Tue, 21 Jul 1998 22:19:02 -0700 Message-ID: <11754.901084742@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > This is almost a frightening message. We were hacked like this > two weeks ago. How frequently are FreeBSD systems getting hacked > into? Is there even anyone who has stats on this kind of thing? Not frightening, just depressing because once you investigate these incidents you find that in 99.9% of the cases, it was down to one of two things: 1. A security hole introduced through bad administration (someone fumble-fingers a firewall config and now suddenly the entire net is open to the outside). 2. A well-known security hole that has been announced on Bugtrax and other places but is not closed by the local admins. People who remember all the way back to Robert T. 
Morris's Internet Worm will recall that half the systems attacked were Suns running an ancient version of fingerd for which patches had been available for months and for which Sun had released several public advisories. Did the admins bother to find out about this or, even once it was generally known, apply the patches? No.

As long as human-factors issues like this remain the biggest security hole of all, I doubt you're going to see an end to this. A FreeBSD (or Linux or Solaris or AIX or ...) box is only as secure as its admins are willing to make it.

- Jordan

From owner-freebsd-security Tue Jul 21 22:35:17 1998
Date: Tue, 21 Jul 1998 22:36:50 -0700 (PDT)
From: Jim Shankland
Message-Id: <199807220536.WAA11804@biggusdiskus.flyingfox.com>
To: ahd@kew.com, leec@adam.adonai.net
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why

"Lee Crites (ASC)" writes:

> In my case, the bin directories (/bin, /sbin, /usr/bin,
> /usr/sbin, etc) were still there, just that every program was
> replaced with the exact same "dummy" program. All were, as I
> recall, around 180k (exact same size with cmp showing no
> differences in any of them).
> The funny thing is that ls did what
> ls was supposed to do, ps did what it was supposed to do, etc.,
> even though they were the same size and cmp'd as identical.

I *definitely* want to know how to squeeze every executable in /bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll bet Jordan would, too, if he hadn't forsworn working on sysinstall :-).

The symptoms you describe (not counting the blow to the head), as well as Drew's, make me think "filesystem damage due to failing/flaky hardware" before "security compromise." Can't say for sure, of course; and in both cases, the evidence is gone. But I think you may be jumping to conclusions a bit to assert, "We were hacked like this two weeks ago."

Jim Shankland
Flying Fox Computer Systems, Inc.

From owner-freebsd-security Tue Jul 21 23:14:42 1998
Message-Id: <199807220613.AAA26581@lariat.lariat.org>
Date: Wed, 22 Jul 1998 00:13:29 -0600
From: Brett Glass
To: Jim Shankland, ahd@kew.com, leec@adam.adonai.net
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807220536.WAA11804@biggusdiskus.flyingfox.com>

The
symptoms aren't hard to understand. As I found out when we were hit by the same hack, buffer overflow exploits also hose memory.... The disk cache, kernel data, possibly even page tables can be corrupted. Nothing's safe. If you do anything to your file system before rebooting, you can wind up with corrupted directories and worse. This happened to us.

--Brett

At 10:36 PM 7/21/98 -0700, Jim Shankland wrote:

>"Lee Crites (ASC)" writes:
>
>> In my case, the bin directories (/bin, /sbin, /usr/bin,
>> /usr/sbin, etc) were still there, just that every program was
>> replaced with the exact same "dummy" program. All were, as I
>> recall, around 180k (exact same size with cmp showing no
>> differences in any of them. The funny thing is that ls did what
>> ls was supposed to do, ps did what it was supposed to do, etc.,
>> even though they were the same size and cmp'd as identical.
>
>I *definitely* want to know how to squeeze every executable in
>/bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll
>bet Jordan would, too, if he hadn't forsworn working on sysinstall :-).
>
>The symptoms you describe (not counting the blow to the head), as
>well as Drew's, make me think "filesystem damage due to failing/flaky
>hardware" before "security compromise." Can't say for sure,
>of course; and in both cases, the evidence is gone. But I think
>you may be jumping to conclusions a bit to assert, "We were hacked
>like this two weeks ago."
>
>Jim Shankland
>Flying Fox Computer Systems, Inc.
From owner-freebsd-security Tue Jul 21 23:28:51 1998
Date: Wed, 22 Jul 1998 02:28:10 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Brett Glass
cc: Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807220613.AAA26581@lariat.lariat.org>

On Wed, 22 Jul 1998, Brett Glass wrote:

> The symptoms aren't hard to understand. As I found out when we
> were hit by the same hack, buffer overflow exploits also
> hose memory.... The disk cache, kernel data, possibly even page tables
> can be corrupted. Nothing's safe. If you do anything to your file
> system before rebooting, you can wind up with corrupted directories
> and worse. This happened to us.

This doesn't sound correct. Buffer overflows can give you unauthorized access to user memory, but shouldn't give you access to kernel memory at all. Otherwise running "crashme" as root would have more effect than it does (none).

Ben

"You have your mind on computers, it seems."
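An added check for the symptom argued over in this thread (every program in /bin, /sbin, /usr/bin and /usr/sbin replaced by one identical file): it flags content shared by many distinct inodes, so legitimate hard-link families are not counted, and diffs current hashes against a baseline recorded on the known-good system. This is example code written for this archive, not anything posted by the participants; the threshold of three, the directory list and the constructed sample tree in demo() are assumptions.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from collections import defaultdict

# The directories named in the thread; on a real host pass these to hash_executables().
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 (binaries can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_executables(dirs):
    """Map path -> (size, sha256, (dev, inode)) for regular executable files
    directly inside each directory (non-recursive, like an ls of /bin)."""
    result = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)          # lstat: a symlink is not a binary
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & 0o111):
                continue
            result[p] = (st.st_size, sha256_file(p), (st.st_dev, st.st_ino))
    return result


def mass_replacement_groups(hashes, threshold=3):
    """Return {(size, sha256): [paths]} for content shared by at least
    `threshold` distinct inodes. A hard-link family (gzip/gunzip/zcat is one
    inode with several names) is legitimate and counts once; a whole
    directory collapsing onto one digest is the symptom described above."""
    by_content = defaultdict(dict)  # (size, digest) -> {inode: [paths]}
    for path, (size, digest, inode) in hashes.items():
        by_content[(size, digest)].setdefault(inode, []).append(path)
    return {
        key: sorted(p for paths in inodes.values() for p in paths)
        for key, inodes in by_content.items()
        if len(inodes) >= threshold
    }


def diff_against_baseline(hashes, baseline):
    """baseline: {path: sha256} recorded on the known-good system and kept
    off the box. Returns (changed, missing, unexpected) path lists."""
    changed = sorted(p for p, h in baseline.items()
                     if p in hashes and hashes[p][1] != h)
    missing = sorted(p for p in baseline if p not in hashes)
    unexpected = sorted(p for p in hashes if p not in baseline)
    return changed, missing, unexpected


def _write_exec(path, data):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o755)


def demo():
    """Constructed sample tree (not a real system): baseline a healthy bin/
    and sbin/, then overwrite most programs with one dummy blob, delete one
    and drop in a new hidden one, as in the incident."""
    root = tempfile.mkdtemp(prefix="bincheck-")
    try:
        bin_, sbin = os.path.join(root, "bin"), os.path.join(root, "sbin")
        os.mkdir(bin_)
        os.mkdir(sbin)
        for name in ("ls", "ps", "cat", "sh"):
            _write_exec(os.path.join(bin_, name), ("ELF %s " % name).encode() * 300)
        _write_exec(os.path.join(sbin, "init"), b"ELF init " * 300)
        _write_exec(os.path.join(sbin, "gzip"), b"ELF gzip " * 300)
        os.link(os.path.join(sbin, "gzip"), os.path.join(sbin, "gunzip"))  # legitimate hard link
        baseline = {p: v[1] for p, v in hash_executables([bin_, sbin]).items()}

        dummy = b"\x7fELF dummy " * 1000             # the one "dummy" program
        for rel in ("bin/ls", "bin/ps", "sbin/init"):
            _write_exec(os.path.join(root, rel), dummy)
        os.remove(os.path.join(bin_, "cat"))
        _write_exec(os.path.join(bin_, ".x"), dummy)  # new, not in the baseline

        now = hash_executables([bin_, sbin])
        groups = mass_replacement_groups(now)
        changed, missing, unexpected = diff_against_baseline(now, baseline)

        def rel_paths(paths):
            return [os.path.relpath(p, root) for p in paths]

        return {
            "mass_replaced": rel_paths(next(iter(groups.values()))) if groups else [],
            "changed": rel_paths(changed),
            "missing": rel_paths(missing),
            "unexpected": rel_paths(unexpected),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-14s %s" % (k, " ".join(v) or "-"))
```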
From owner-freebsd-security Tue Jul 21 23:41:28 1998
Message-ID: <19980722084026.45975@follo.net>
Date: Wed, 22 Jul 1998 08:40:26 +0200
From: Eivind Eklund
To: Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
References: <27231.900993063@time.cdrom.com> <19980722015030.15881@nevalink.ru>
In-Reply-To: <19980722015030.15881@nevalink.ru>

On Wed, Jul 22, 1998 at 01:50:30AM +0400, Alexandre Snarskii wrote:

> > > There's only one solution, one which OpenBSD has made significant
> > > marketing points out of, and that's to go through the code and look
> > > for holes resulting from poor programming practices.
> >
> > Indeed. I like the fact that they're doing this, and that they are
> > able to make those marketing points out of it. Could we hire them
> > to audit all the FreeBSD code, and then we would get the marketing
> > points? :-)

No.
I've investigated this option, and it did not seem at all feasible at the time. However, you _could_ hire somebody to merge over all the good changes from OpenBSD.

> Don't forget that the OpenBSD team doesn't audit ports. And they
> just removed qpopper from their ports collection after the exploit.

Which IMO was the right decision. This isn't the first time qpopper has had a serious security hole (though I don't think any of them have been that widely exposed before), and I don't believe it will be the last.

Eivind.

From owner-freebsd-security Tue Jul 21 23:44:36 1998
From: "Allen Smith"
Message-Id: <9807220242.ZM23348@beatrice.rutgers.edu>
Date: Wed, 22 Jul 1998 02:42:56 -0400
In-Reply-To: John Fieber "Re: Projects to improve security (related to C)" (Jul 22, 12:13am)
To: John Fieber, Brett Glass
Subject: Re: Projects to improve security (related to C)
Cc: security@FreeBSD.ORG

On Jul 22, 12:13am, John Fieber (possibly) wrote:

> I personally think the scheme would be most marketable if the
> last stage had a "let me look at it first" mode in addition to an
> automagic mode.
Suggestion: a "let me look at it, and apply it if I don't respond within x hours" mode (i.e., email the admin and do it if you don't get an email back saying otherwise) would be good; that way, people don't have to remember to switch between modes when they're on vacation. (I'd guess one would tend to forget when one was about to go on one's honeymoon, for instance...)

-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu

From owner-freebsd-security Wed Jul 22 00:02:45 1998
Message-ID: <19980722090149.A877@radio-do.de>
Date: Wed, 22 Jul 1998 09:01:49 +0200
From: Frank Nobis
To: "Jordan K. Hubbard", "Lee Crites (ASC)"
Cc: Drew Derbyshire, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
References: <11754.901084742@time.cdrom.com>
In-Reply-To: <11754.901084742@time.cdrom.com>

On Tue, Jul 21, 1998 at 10:19:02PM -0700, Jordan K. Hubbard wrote:

> > This is almost a frightening message. We were hacked like this
> > two weeks ago. How frequently are FreeBSD systems getting hacked
> > into? Is there even anyone who has stats on this kind of thing?
> >
> Not frightening, just depressing because once you investigate these
> incidents you find that in 99.9% of the cases, it was down to one of
> two things:
>
> 1. A security hole introduced through bad administration (someone
> fumble-fingers a firewall config and now suddenly the entire net is
> open to the outside).
>
> 2. A well-known security hole that has been announced on Bugtraq and
> other places but is not closed by the local admins.

That is exactly the point. A few days after the qpopper exploit had been published on Bugtraq, I monitored a few hack attempts at my gateway. Good for me that I had installed the patched version of qpopper one day before.

Frank

--
Frank Nobis                   Email: PGP AVAILABLE
Landgrafenstr. 130            dg3dcn    http://www.radio-do.de/~fn/
44139 Dortmund                Powered by FreeBSD

From owner-freebsd-security Wed Jul 22 00:53:09 1998
Message-Id: <199807220751.AAA27286@implode.root.com>
To: Brett Glass
cc: Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-reply-to: Your message of "Wed, 22 Jul 1998 00:13:29 MDT."
    <199807220613.AAA26581@lariat.lariat.org>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 22 Jul 1998 00:51:19 -0700

>The symptoms aren't hard to understand. As I found out when we
>were hit by the same hack, buffer overflow exploits also
>hose memory.... The disk cache, kernel data, possibly even page tables
>can be corrupted. Nothing's safe. If you do anything to your file
>system before rebooting, you can wind up with corrupted directories
>and worse. This happened to us.

Um, sorry, but that is not true. Buffer overflows only affect the process; they do not affect the kernel. If you had corrupted directories or other filesystem problems, then you either have hardware problems or you experienced a very bizarre and unknown bug.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed Jul 22 01:34:15 1998
Date: Wed, 22 Jul 1998 09:33:15 +0100 (BST)
From: Jay Tribick
To: John Fieber
cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
| > be some positive decisions made and action taken. Clearly, we've
| > seen some problems that need fixing; the worst thing that can happen
| > is that people will do nothing. Constructive suggestions?
|
| If you want an automagic patching system and you think it will
| be a "marketable" product, the standard next step is to build a
| proof-of-concept prototype for some marketing tests.
|
| It seems such a system would need three components.
|
| * A mechanism for manufacturing and packaging and labeling band-aids[1]
| * A band-aid delivery service
| * A mechanism for safely applying the band-aids
|
| I personally think the scheme would be most marketable if the
| last stage had a "let me look at it first" mode in addition to an
| automagic mode.

I agree with this. I also think we should have versions that are a full source code distribution of the patch, in case we can't apply it cleanly over existing source or if we've 'hacked' at our source already.
Regards,

Jay Tribick

--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Jul 22 01:38:52 1998
Date: Wed, 22 Jul 1998 09:38:02 +0100 (BST)
From: Jay Tribick
To: Jon Hamilton
cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807220004.RAA16588@hub.freebsd.org>

| } A security team formed for that purpose. A group of people who DO hang on
| } every Bugtraq message (if not individually, then collectively). As for
| } "-current won't compile" problems -- they're unlikely to occur because
| } the patches will likely be to small bits of the OS.

The patches are more likely to be parts of libexec, suid programs or anything that's running as a daemon or suid-root.
I myself have modified many of the packages and daemons running on our servers, so there's no way a patch can be installed autonomously without me getting the original source, patching that and then re-integrating all my new code into it!

| } >Wave your hands some more. Are you _really_ sure that you trust your
| } >local copy of pgp (or whatever other method you want to use)?
| }
| } As much as I trust CVSupping to close a hole. And, yes, I do place a high
| } level of trust in strong crypto. As must all of us.
|
| All the world doesn't look like your installation, and solutions that
| work just fine and make good sense for your installation may simply
| not fit elsewhere.

I agree - there will always be servers out there that are so heavily patched by the admin's own code that it's just not feasible to install every new security fix that comes out .. which brings us back to the band-aid problem :(

Regards,

Jay Tribick

--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Jul 22 01:40:20 1998
Date: Wed, 22 Jul 1998 09:39:30 +0100 (BST)
From: Jay Tribick
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <10687.901064909@time.cdrom.com>

| Can we please end this thread now? It's no longer accomplishing
| anything but general acrimony, I've had 3 people appeal to me
| personally to either muzzle Brett or have him taken out back and shot,
| and I really do think we're in the diminishing returns department at
| this stage.
|
| Please, enough! I think everyone has more than made their points at
| this stage and we're now at the repeat-them-until-everyone-barfs
| point. I know some folks feel strongly about this, but there are
| limits to everything.

Agreed - perhaps a separate list should be set up to discuss this project if we are going to go ahead with it. If freebsd.org's not willing to host it, just ask and I'll do it.
Regards,

Jay Tribick

--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Jul 22 04:29:44 1998
Date: Wed, 22 Jul 1998 07:29:09 -0400 (EDT)
From: Drew Derbyshire
Message-Id: <199807221129.HAA02050@kendra.ne.mediaone.net>
To: jas@flyingfox.com
Subject: Re: hacked and don't know why
Cc: security@FreeBSD.ORG
In-Reply-To: <199807220536.WAA11804@biggusdiskus.flyingfox.com>

> From jas@flyingfox.com Wed Jul 22 01:34:38 1998
> The symptoms you describe (not counting the blow to the head), as
> well as Drew's, make me think "filesystem damage due to failing/flaky
> hardware" before "security compromise." Can't say for sure,
> of course; and in both cases, the evidence is gone. But I think
> you may be jumping to conclusions a bit to assert, "We were hacked
> like this two weeks ago."

I have to disagree with the flaky hardware in my case; the directories were on two distinct file systems and the changes were surgical in nature -- i.e. the most cosmetic damage with the least effort. Furthermore, I am having a BAD (bad144?
:-)) summer here where I've lost three drives (all WD IDEs); I'm getting really good at seeing the failure mode for those drives.

The point of my original post (thanks to all who replied) was NOT that FreeBSD is insecure and/or I was specifically targeted because someone hates me -- I presumed the hacking exploited a known hole which I personally erred in covering quickly because *I* didn't know why. (Hence the offer to share my firewall config, since it was a likely source of the problem.) I also erred if I didn't mention POP in the original message, especially since that appears to be the source of the problem.

I agree with Jordan: we're human and we do the best we can, but mistakes happen.

-ahd-

--
Drew Derbyshire                  Internet: ahd@kew.com
Kendra Electronic Wonderworks    Telephone: 781-279-9812
May the Hack be with you!

From owner-freebsd-security Wed Jul 22 04:36:37 1998
Date: Wed, 22 Jul 1998 23:34:47 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Brett Glass
cc: Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807220613.AAA26581@lariat.lariat.org>
On Wed, 22 Jul 1998, Brett Glass wrote:

> Date: Wed, 22 Jul 1998 00:13:29 -0600
> From: Brett Glass
> To: Jim Shankland, ahd@kew.com, leec@adam.adonai.net
> Cc: security@FreeBSD.ORG
> Subject: Re: hacked and don't know why
>
> The symptoms aren't hard to understand. As I found out when we
> were hit by the same hack, buffer overflow exploits also
> hose memory.... The disk cache, kernel data, possibly even page tables
> can be corrupted. Nothing's safe. If you do anything to your file
> system before rebooting, you can wind up with corrupted directories
> and worse. This happened to us.
>
> --Brett

If it's any consolation, this probably means that the hackers overwrote the wrong bit, and failed to effect anything more than a DOS. It should probably be treated as a warning that if you fix things up without finding the problem they might be more successful on the next attempt.

Andrew

From owner-freebsd-security Wed Jul 22 05:26:00 1998
Date: Wed, 22 Jul 1998 08:31:09 -0400 (EDT)
From: andrewr
To: Eivind Eklund
cc: Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <19980722084026.45975@follo.net>
Basically, to end this thread, which Jordan requested a little while ago, I suggest this: If the FreeBSD core members wish to do a full-scale security audit, then, hey, make a call out for people who would like to be on the team, or figure out some other way to get a group together. However, if no security audit is going to take place by the core team, then, well.. Hack the code for your *own* system and have fun.

Andrew

From owner-freebsd-security Wed Jul 22 06:13:40 1998
To: andrewr
cc: Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-reply-to: Your message of "Wed, 22 Jul 1998 08:31:09 EDT."
Date: Wed, 22 Jul 1998 06:12:02 -0700
Message-ID: <13797.901113122@time.cdrom.com>
From: "Jordan K. Hubbard"

> If the FreeBSD core members wish to do a full scale security
> audit, then, hey, make a call out for people who would like be on the

The FreeBSD core team members, by and large, already have TODO lists stretching well into next year. Do we want an audit to happen? Yes, of course.
Do we have time to do all the work ourselves or even actively lead such a project in day-to-day operations? Probably not, no. We've already gone through one security officer and another has come close to resigning several times due to lack of time (these people have real jobs too, you know!) - it is a real problem which will only be mitigated by more USERS stepping up to the plate and becoming volunteers themselves. They also need someone to lead them in this effort, probably more than one person, and this is also an area where users can contribute their time and energy. Do I hear Andrew volunteering here? :-)

- Jordan

From owner-freebsd-security Wed Jul 22 07:13:58 1998
Date: Wed, 22 Jul 1998 10:17:27 -0400 (EDT)
From: Mike
To: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807220142.VAA00776@kendra.ne.mediaone.net>

On Tue, 21 Jul 1998, Drew Derbyshire wrote:

> I believe the trouble has been located. I'm running a pre-2.5 version
> of qpopper, which just had a CERT advisory put up on it for a buffer

'Just'? The Qpopper problems have been touted on almost every list I'm on for what seems like an eternity.
This is the second-third time within the past week that I've heard people place blame for lack of security upon FreeBSD when it should have been placed elsewhere. Like stated, you're bound to get hit by the train if you keep your head stuck in a hole.

Not that I don't have sympathy for individuals in cases like this, and not that I think it couldn't happen to anyone (it could!), but I just find it ironic that every time I see blame placed so quickly, it is usually placed in the wrong place.

-mike

From owner-freebsd-security Wed Jul 22 07:16:58 1998
From: andrewr
To: "Jordan K. Hubbard"
cc: Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
Date: Wed, 22 Jul 1998 10:21:56 -0400 (EDT)
In-Reply-To: <13797.901113122@time.cdrom.com>

> The FreeBSD core team members, by and large, already have TODO lists
> stretching well into next year. Do we want an audit to happen? Yes,
> of course. Do we have time to do all the work ourselves or even
> actively lead such a project in day-to-day operations? Probably not,
> no. We've already gone through one security officer and another has
> come close to resigning several times due to lack of time (these
> people have real jobs too, you know!) - it is a real problem which

Very understandable. Time is something that everyone lacks.

> will only be mitigated by more USERS stepping up to the plate and
> becoming volunteers themselves. They also need someone to lead them
> in this effort, probably more than one person, and this is also an
> area where users can contribute their time and energy. Do I hear
> Andrew volunteering here? :-)

Hahah, well. I could talk to some people about starting up a team, for I do have some people in mind. Is that good enough?

Andrew

> - Jordan

From owner-freebsd-security Wed Jul 22 07:20:56 1998
From: "Jordan K. Hubbard"
To: andrewr
cc: Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
Date: Wed, 22 Jul 1998 07:19:18 -0700
Message-ID: <14069.901117158@time.cdrom.com>
In-reply-to: Your message of "Wed, 22 Jul 1998 10:21:56 EDT."

> Hahah, Well. I could talk to some people about starting up a team, for I
> do have some people in mind.
> Is that good enough?

Yes, but only if it ends up producing results. ;-)

- Jordan

From owner-freebsd-security Wed Jul 22 07:21:55 1998
From: Alfred Perlstein
To: Allen Smith
cc: Brett Glass, "Lee Crites (ASC)", security@FreeBSD.ORG
Subject: Re: Translation to a safer language (Was: Projects to improve security)
Date: Wed, 22 Jul 1998 10:21:31 -0500 (EST)
In-Reply-To: <9807212312.ZM12555@beatrice.rutgers.edu>

Could we stop the anti-C stuff on -security? This is really -chat material already.

Thanks,
Alfred

From owner-freebsd-security Wed Jul 22 07:22:00 1998
From: andrewr
To: "Jordan K. Hubbard"
cc: Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
Date: Wed, 22 Jul 1998 10:27:19 -0400 (EDT)
In-Reply-To: <14069.901117158@time.cdrom.com>

On Wed, 22 Jul 1998, Jordan K. Hubbard wrote:

> Yes, but only if it ends up producing results. ;-)
>
> - Jordan

Results? What are those?

Just joking. I will *seriously* speak with a few people about this. See what their ideas are and time schedule and see if maybe getting this going would be feasible. I will post info as I get it.
Andrew

From owner-freebsd-security Wed Jul 22 07:54:26 1998
From: Brett Glass
To: ben@rosengart.com
Cc: Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Date: Wed, 22 Jul 1998 08:53:47 -0600
Message-Id: <199807221453.IAA03997@lariat.lariat.org>
References: <199807220613.AAA26581@lariat.lariat.org>

In that case, we have an as-yet-diagnosed bug in the system. We really experienced disk corruption -- especially of directories -- during the QPopper buffer overflow hack. Files got the wrong owners and permissions; bitmaps were set wrong; the works. Every file that was touched between the exploit and the next reboot was subject to these problems.

It's a good argument for stack protection.

--Brett

At 02:28 AM 7/22/98 -0400, Snob Art Genre wrote:

> On Wed, 22 Jul 1998, Brett Glass wrote:
>
> > The symptoms aren't hard to understand. As I found out when we
> > were hit by the same hack, buffer overflow exploits also
> > hose memory.... The disk cache, kernel data, possibly even page tables
> > can be corrupted. Nothing's safe. If you do anything to your file
> > system before rebooting, you can wind up with corrupted directories
> > and worse. This happened to us.
>
> This doesn't sound correct. Buffer overflows can give you unauthorized
> access to user memory, but shouldn't give you access to kernel memory at
> all. Otherwise running "crashme" as root would have more effect than it
> does (none).
>
> Ben
>
> "You have your mind on computers, it seems."

From owner-freebsd-security Wed Jul 22 08:00:35 1998
From: Brett Glass
To: Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Translation to a safer language (Was: Projects to improve security)
Date: Wed, 22 Jul 1998 08:59:53 -0600
Message-Id: <199807221459.IAA04129@lariat.lariat.org>
In-Reply-To: <199807221438.OAA08927@zeus.theinternet.com.au>
References: <199807220250.UAA23367@lariat.lariat.org>

At 02:38 PM 7/22/98 +0000, Andrew Kenneth Milton wrote:

> Anything with a cast operator is out then...
>
> That nails, C++, Modula*, Java, C.

I disagree. Casting used in certain limited ways is necessary, as are variant records. However, mechanisms must be in place to use it safely.
> Bad code, is bad code, it doesn't matter what language you code in.

However, the language can make sure that much of the bad code won't compile, or that problems will be caught at runtime.

> The only way to prevent bad code is to audit and test.

It'd be nice if even *that* worked. I've developed a renewed interest in mechanical verification.

--Brett

From owner-freebsd-security Wed Jul 22 08:35:50 1998
From: Drew Derbyshire
To: brett@lariat.org
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Date: Wed, 22 Jul 1998 11:35:16 -0400 (EDT)
Message-Id: <199807221535.LAA03172@kendra.ne.mediaone.net>
In-Reply-To: <199807221453.IAA03997@lariat.lariat.org>

I did not see the corruption problems reported with the other QPOP attack; as I noted before, the visitors to my system were surgical in their wanton destruction. I think they wanted me to know they could have done worse but didn't.

-ahd-

--
Drew Derbyshire                  Internet: ahd@kew.com
Kendra Electronic Wonderworks    Telephone: 781-279-9812

The best way to accelerate Windows is at escape velocity.
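Several replies further down in this thread turn on the same recovery question: Jim Shankland asks whether the symptoms point to failing hardware rather than a compromise, Robert Watson suggests booting from a rescue disk or CD and comparing an md5 of ls against a trusted copy, and Pat Lynch recommends tripwire with its database moved onto read-only removable media. What follows is an added example, not code from the thread, from FreeBSD or from tripwire: a minimal POSIX shell baseline-and-verify script in that spirit. The directory and baseline paths are hypothetical, SHA-256 stands in for the md5 of 1998, and the baseline is meant to be written once from a known-good system and read back later from trusted media, so that a tampered or missing binary, or a newly planted one, shows up as a difference rather than as a guess.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity baseline.
# Hash every regular file under a directory once from a known-good state,
# store the result on read-only media, and later verify the live tree
# against it while running from trusted media. Paths are hypothetical.
#
# Usage:  sh integrity.sh baseline /bin /mnt/cdrom/bin-baseline.txt
#         sh integrity.sh verify   /mnt/cdrom/bin-baseline.txt /bin

# hash_file FILE -> prints only the SHA-256 hex digest, using whichever
# implementation the host provides (md5 was the tool of the day; SHA-256
# is used here as a stand-in).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 -r "$1" | awk '{ print $1 }'
    fi
}

# make_baseline DIR BASELINE -> writes one "digest path" line per regular
# file under DIR, in a stable order so two baselines of the same tree are
# byte-identical and can themselves be compared.
make_baseline() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE DIR -> prints one line per difference:
#   MODIFIED path   digest differs from the baseline (patched ls, trojaned ps)
#   MISSING  path   file recorded in the baseline is gone
#   NEW      path   file present now but absent from the baseline (planted binary)
# Returns 0 only when the live tree matches the baseline exactly.
verify_baseline() {
    baseline=$1; dir=$2
    findings=$(
        while read -r expected path; do
            if [ ! -f "$path" ]; then
                echo "MISSING  $path"
            elif [ "$(hash_file "$path")" != "$expected" ]; then
                echo "MODIFIED $path"
            fi
        done < "$baseline"
        find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
            cut -d' ' -f2- "$baseline" | grep -Fqx -e "$f" || echo "NEW      $f"
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Simple dispatcher so the script can be run directly from trusted media.
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
esac
```

The point of the design is that both the baseline and the tools reading it live off the suspect system: a baseline stored on the compromised disk can be regenerated by whoever owns root, and a verifier run with the compromised kernel and ls can be lied to by the very lkm Robert Watson describes. Hashing from a rescue boot against media that cannot be written answers both objections, and the NEW category catches additions that a per-file comparison alone would never report.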
From owner-freebsd-security Wed Jul 22 08:53:08 1998
From: Robert Watson
Reply-To: Robert Watson
To: Jim Shankland
cc: ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Date: Wed, 22 Jul 1998 11:51:28 -0400 (EDT)
In-Reply-To: <199807220536.WAA11804@biggusdiskus.flyingfox.com>

I would guess you were seeing the results of the following:

1. A botched attempt to patch ls to miss modifications to the file system
2. A botched attempt to use an lkm to intercept syscalls to hide changes to the file system

The first sounds like a broken rootkit, the second is a more scary (but not hard to implement) case. If someone has written a nice lkm-based rootkit for FreeBSD, then we may be missing a lot of breakins in our counts of breakins. I would guess that the large majority of breakins go undiscovered *anyway*, so this does not bode well.

If you boot off of the rescue disk, or off CD, and do an md5 of ls with a trusted copy of md5, what do you see?

On Tue, 21 Jul 1998, Jim Shankland wrote:

> "Lee Crites (ASC)" writes:
>
> > In my case, the bin directories (/bin, /sbin, /usr/bin,
> > /usr/sbin, etc) were still there, just that every program was
> > replaced with the exact same "dummy" program. All were, as I
> > recall, around 180k (exact same size with cmp showing no
> > differences in any of them). The funny thing is that ls did what
> > ls was supposed to do, ps did what it was supposed to do, etc,
> > even though they were the same size and cmp'd as identical.
>
> I *definitely* want to know how to squeeze every executable in
> /bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll
> bet Jordan would, too, if he hadn't foresworn working on sysinstall :-).
>
> The symptoms you describe (not counting the blow to the head), as
> well as Drew's, make me think "filesystem damage due to failing/flakey
> hardware" before "security compromise." Can't say for sure,
> of course; and in both cases, the evidence is gone. But I think
> you may be jumping to conclusions a bit to assert, "We were hacked
> like this two weeks ago."
>
> Jim Shankland
> Flying Fox Computer Systems, Inc.

Robert N Watson
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Wed Jul 22 08:56:45 1998
From: Robert Watson
Reply-To: Robert Watson
To: Brett Glass
cc: Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Date: Wed, 22 Jul 1998 11:56:03 -0400 (EDT)
In-Reply-To: <199807220613.AAA26581@lariat.lariat.org>

Only if it is a kernel based buffer overflow. Userland buffer-overflows would not have this effect. They hose the one application, not the system.

BTW, in the BSD 4.4lite design book, there is a footnote on the page describing the transfer of "rights" (file descriptors) via unix domain sockets. It indicates that the unp_gc() functionality does not mark transferred file descriptors as reachable in a situation involving accept on a listening socket.
It seems like it might be possible to abuse this to steal file descriptors from other processes -- that is, if you still have a valid cmsghdr entry for the file descriptor, but that the file descriptor was garbage collected, the unp_externalize call might end up giving you a reference to a file descriptor owned by someone else (that was allocated shortly after the unp_gc() call). If you ran the right programs at the right times, you might be able to race yourself a copy of a file descriptor (with good creds) referring to the password file, etc. If you just got a bad fd, you might be able to crash the kernel or such.

I've been rewriting sections of the unp_externalize behavior to allow lkm hooks for my ktokens code, and also found one or two other bugs in that code. I've fixed one and will submit patches for that (it could result in a kernel crash, but I'm not sure, as it's in the process's kernel stack), but if someone wants to audit kernel code, that might be a good place to check.

On Wed, 22 Jul 1998, Brett Glass wrote:

> The symptoms aren't hard to understand. As I found out when we
> were hit by the same hack, buffer overflow exploits also
> hose memory.... The disk cache, kernel data, possibly even page tables
> can be corrupted. Nothing's safe. If you do anything to your file
> system before rebooting, you can wind up with corrupted directories
> and worse. This happened to us.
>
> --Brett
>
> At 10:36 PM 7/21/98 -0700, Jim Shankland wrote:
>
> > "Lee Crites (ASC)" writes:
> >
> > > In my case, the bin directories (/bin, /sbin, /usr/bin,
> > > /usr/sbin, etc) were still there, just that every program was
> > > replaced with the exact same "dummy" program. All were, as I
> > > recall, around 180k (exact same size with cmp showing no
> > > differences in any of them). The funny thing is that ls did what
> > > ls was supposed to do, ps did what it was supposed to do, etc,
> > > even though they were the same size and cmp'd as identical.
> >
> > I *definitely* want to know how to squeeze every executable in
> > /bin, /sbin, /usr/bin, and /usr/sbin into one 180KB file. I'll
> > bet Jordan would, too, if he hadn't foresworn working on sysinstall :-).
> >
> > The symptoms you describe (not counting the blow to the head), as
> > well as Drew's, make me think "filesystem damage due to failing/flakey
> > hardware" before "security compromise." Can't say for sure,
> > of course; and in both cases, the evidence is gone. But I think
> > you may be jumping to conclusions a bit to assert, "We were hacked
> > like this two weeks ago."
> >
> > Jim Shankland
> > Flying Fox Computer Systems, Inc.

Robert N Watson
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Wed Jul 22 09:25:04 1998
From: Pat Lynch
To: Brett Glass
cc: "Matthew N. Dodd", security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Date: Wed, 22 Jul 1998 12:24:18 -0400 (EDT)
In-Reply-To: <199807211952.NAA15969@lariat.lariat.org>

My god, someone has a life... you sure you are one of us?

Just my 2 cents, as someone who tries to juggle a life and my job. And congrats on your wedding, btw...

I always have one person to watch my machines when I'm gone, someone I trust, someone I know is up to date on security issues.

Fact remains, if you get cracked, that's your responsibility. There are many tools that can be used ahead of time proactively in these situations that make it easier to clean up even if some damage is done. Tripwire is one of them; make sure you move the database onto a removable medium so that it's "read-only", then pack it away for safekeeping.

No one is faulting you for getting hacked, but blaming the FreeBSD team is also not too rational as well. The auto-update is a scary thing, and I wouldn't trust it, being extra-paranoid about machines.

I know you were on your honeymoon, but isn't there someone else that can take the reins while you are gone? What if something happens to you?

And when you reinstall the machine, use tripwire; maybe next time you won't have to totally reinstall =)

-Pat

___________________________________________________________________________
Pat Lynch                                                   lynch@rush.net
Systems Administrator                                      Rush Networking
___________________________________________________________________________

On Tue, 21 Jul 1998, Brett Glass wrote:

> At 03:34 PM 7/21/98 -0400, Matthew N. Dodd wrote:
>
> > If you're not able so stand on the line and keep watch, set procmail up to
> > turn down your network every time a Bugtraq message with 'exploit' and
> > 'foo' turns up.
>
> In other words, make the system self-destruct when I stop watching long enough
> to have a life. Really practical.
>
> --Brett

From owner-freebsd-security Wed Jul 22 09:25:28 1998
From: "Jordan K. Hubbard"
To: Brett Glass
cc: ben@rosengart.com, Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Date: Wed, 22 Jul 1998 09:23:17 -0700
Message-ID: <14690.901124597@time.cdrom.com>
In-reply-to: Your message of "Wed, 22 Jul 1998 08:53:47 MDT." <199807221453.IAA03997@lariat.lariat.org>

> In that case, we have an as-yet-diagnosed bug in the system. We
> really experienced disk corruption -- especially of directories --
> during the QPopper buffer overflow hack. Files got the wrong

But you have no idea as to whether or not this was directly due to the attack or to the hacker's subsequent parading around as root. You admitted yourself that you were several thousand miles away at the time and didn't find out until your return - it could have been anything and these conclusions you're reaching are simply bad science.

> It's a good argument for stack protection.

No it's not.
It's just an argument which I thought we agreed to end by now. :)

- Jordan

From owner-freebsd-security Wed Jul 22 09:26:18 1998
From: Pat Lynch
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
Date: Wed, 22 Jul 1998 12:25:28 -0400 (EDT)
In-Reply-To: <10687.901064909@time.cdrom.com>

Sorry jkh, didn't see this post til now =)

___________________________________________________________________________
Pat Lynch                                                   lynch@rush.net
Systems Administrator                                      Rush Networking
___________________________________________________________________________

On Tue, 21 Jul 1998, Jordan K. Hubbard wrote:

> Can we please end this thread now? It's no longer accomplishing
> anything but general acrimony, I've had 3 people appeal to me
> personally to either muzzle Brett or have him taken out back and shot,
> and I really do think we're in the diminishing returns department at
> this stage.
>
> Please, enough! I think everyone has more than made their points at
> this stage and we're now at the repeat-them-until-everyone-barfs
> point. I know some folks feel strongly about this, but there are
> limits to everything.
>
> Thanks!
>
> - Jordan

From owner-freebsd-security Wed Jul 22 09:34:55 1998
From: Pat Lynch
To: "Jordan K. Hubbard"
cc: andrewr, Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
Date: Wed, 22 Jul 1998 12:33:10 -0400 (EDT)
In-Reply-To: <13797.901113122@time.cdrom.com>

I'd certainly get involved in this. I wonder if Al would as well =) =) =)

___________________________________________________________________________
Pat Lynch                                                   lynch@rush.net
Systems Administrator                                      Rush Networking
___________________________________________________________________________

On Wed, 22 Jul 1998, Jordan K. Hubbard wrote:

> > If the FreeBSD core members wish to do a full scale security
> > audit, then, hey, make a call out for people who would like be on the
>
> The FreeBSD core team members, by and large, already have TODO lists
> stretching well into next year. Do we want an audit to happen? Yes,
> of course. Do we have time to do all the work ourselves or even
> actively lead such a project in day-to-day operations? Probably not,
> no. We've already gone through one security officer and another has
> come close to resigning several times due to lack of time (these
> people have real jobs too, you know!) - it is a real problem which
> will only be mitigated by more USERS stepping up to the plate and
> becoming volunteers themselves. They also need someone to lead them
> in this effort, probably more than one person, and this is also an
> area where users can contribute their time and energy. Do I hear
> Andrew volunteering here? :-)
>
> - Jordan

From owner-freebsd-security Wed Jul 22 09:36:41 1998
From: Brett Glass
To: "Jordan K. Hubbard"
Cc: ben@rosengart.com, Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Date: Wed, 22 Jul 1998 10:35:51 -0600
Message-Id: <199807221635.KAA06020@lariat.lariat.org>
In-Reply-To: <14690.901124597@time.cdrom.com>

At 09:23 AM 7/22/98 -0700, Jordan K. Hubbard wrote:

> But tou have no idea as to whether or not this was directly due to the
> attack or to the hacker's subsequent parading around as root.

Well, even someone parading around as root wouldn't have much purpose in changing the ownership of files to User 30005 (no ID) or in changing the group ownership to random gid's. Very obvious and not good for hacking. Also, the ownership changed to strange things when OTHERS touched their files. There was definitely a malfunction on the system level.

--Brett

From owner-freebsd-security Wed Jul 22 09:41:18 1998
From: Brett Glass
To: Pat Lynch
Cc: "Matthew N. Dodd", security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Date: Wed, 22 Jul 1998 10:39:58 -0600
Message-Id: <199807221640.KAA06112@lariat.lariat.org>
References: <199807211952.NAA15969@lariat.lariat.org>

At 12:24 PM 7/22/98 -0400, Pat Lynch wrote:

> my god someone has a life...you sure you are one of us?

At my wedding, one of the Best Men toasted (or is it "roasted") me by saying that he always thought I must be from another planet... and that it was lucky that my new bride happened to be from the same one. ;-)

> I always have one person to watch my machines when I'm gone, someone I
> trust, someone I know is up to date on security issues.

This is Laramie, Wyoming! The person watching the system was an NT expert, and Heaven knows they have to know about security. But this happened so fast after first postings of exploits that there was no time. And there was no CERT advisory. Had I gotten word, I even could have directed him to do something from abroad.

--Brett

From owner-freebsd-security Wed Jul 22 10:18:12 1998
From: "Matthew N. Dodd"
To: Brett Glass
cc: Pat Lynch, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
Date: Wed, 22 Jul 1998 13:17:08 -0400 (EDT)
In-Reply-To: <199807221640.KAA06112@lariat.lariat.org>

On Wed, 22 Jul 1998, Brett Glass wrote:

> This is Laramie, Wyoming! The person watching the system was an NT
> expert, and Heaven knows they have to know about security. But this
> happened so fast after first postings of exploits that there was no
> time. And there was no CERT advisory.

This is clearly the cause of your problem. Your attempts to solve your administrative problem with a technical solution will only give you a false sense of security.

Most people don't let the village idiot watch their horse for them.

Were I your superior, I would hold you directly responsible for the break in; it's as simple as that. Leaving a customer impacting system in the hands of unqualified and improperly trained staff without proper instructions is negligent.

If your 'shop' is a mom and pop operation and doesn't have funding for proper staffing then that's where you're at and you'll have to live with the consequences.

When I worked at an ISP startup I lived at the office for the first six months (I'm not kidding), and didn't do anything else outside of eat, sleep, drive to/from work and put in 18 to 20 hour days for the period after that. As you have discovered, that sort of work environment is mutually exclusive from having a life.

Attempting to give yourself a false sense of security by inventing solutions that address the symptoms and not the root of your problem is only setting yourself up for further security problems.

I wish you'd stop trying to convince yourself that some miracle of modern technology would have saved you from your break-in and admit that security is in your own hands.
It is highly altruistic of you to desire a solution that prevents the same thing from happening to others but I think you are overly simplifying the issues involved in taking your idea from a pipe dream to reality. Congrats on getting married; your life (which you will be required to have now) will never be the same and your work habits will most definately change. :) /* Matthew N. Dodd | A memory retaining a love you had for life winter@jurai.net | As cruel as it seems nothing ever seems to http://www.jurai.net/~winter | go right - FLA M 3.1:53 */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Jul 22 11:01:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA19380 for freebsd-security-outgoing; Wed, 22 Jul 1998 11:01:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA19373 for ; Wed, 22 Jul 1998 11:01:24 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id KAA15003; Wed, 22 Jul 1998 10:59:49 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: Brett Glass cc: ben@rosengart.com, Jim Shankland , ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG Subject: Re: hacked and don't know why In-reply-to: Your message of "Wed, 22 Jul 1998 10:35:51 MDT." <199807221635.KAA06020@lariat.lariat.org> Date: Wed, 22 Jul 1998 10:59:49 -0700 Message-ID: <14999.901130389@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Well, even someone parading around as root wouldn't have much purpose > in changing the ownership of files to User 30005 (no ID) or in changing > the group ownership to random gid's. Very obvious and not good for hacking. 
You're assuming that the hackers knew what they were doing or that they didn't attempt to run other exploit scripts which malfunctioned. > files. There was definitely a malfunction on the system level. I still see no proof of that. This is poor science without any actual evidence to back it up and you're merely engaging in speculation here. To say something is "definitely" a certain way without clear proof of it does not enhance one's credibility. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Jul 22 11:08:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA20490 for freebsd-security-outgoing; Wed, 22 Jul 1998 11:08:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fallout.campusview.indiana.edu (fallout.campusview.indiana.edu [149.159.1.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA20447 for ; Wed, 22 Jul 1998 11:08:15 -0700 (PDT) (envelope-from jfieber@indiana.edu) Received: from localhost (jfieber@localhost) by fallout.campusview.indiana.edu (8.8.8/8.8.7) with SMTP id NAA13492; Wed, 22 Jul 1998 13:07:37 -0500 (EST) Date: Wed, 22 Jul 1998 13:07:36 -0500 (EST) From: John Fieber To: Jay Tribick cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Projects to improve security (automagic patching) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 22 Jul 1998, Jay Tribick wrote: > I agree with this, I also think we should have versions that are > a full source code distribution of the patch - in case we can't > apply it cleanly over existing source or if we've 'hacked' at > our the source already. If you have hacked your source already, presumably you had a good reason for doing it. 
I usually run a "release + a couple tweaks" kernel, and in a number of
cases, my port building practice is something like "make patch, tweak,
tweak, tweak, make, su, make install". So, something that comes in and
automatically re-builds a port could cause some grief. My /usr is mounted
read-only so there is one site-specific automatic update wrinkle right
there.

You also have to account for multiple patches for the same problem. Patch
A is sent out, then discovered to be not quite right so Patch B is sent
out. What if some sites didn't apply patch A? Do you manufacture patches
relative to all possible configurations (not!) or send complete files and
establish a "don't touch this!" registry for local customizations? In the
don't-touch-this case, then there is an alarm mechanism to alert the
sysadmin of a patch conflict.

Band-aid delivery is trivial, in a relative way. Band-aid manufacture and
automated band-aid application are minefields waiting to blow someone up.
Automated patch application may be complex enough that reliability and
correctness are hard to guarantee. In the end, managing the "automated"
system may be just as labor intensive and error prone as the old fashioned
method of paying attention to BUGTRAQ and rootshell.com.

Count me as a skeptic, but I'll reserve final judgement until I've seen
some prototypes demonstrated.

-john

From owner-freebsd-security Wed Jul 22 11:15:38 1998
Message-Id: <199807221815.MAA07768@lariat.lariat.org>
Date: Wed, 22 Jul 1998 12:15:05 -0600
From: Brett Glass
To: "Matthew N. Dodd"
Cc: Pat Lynch, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
References: <199807221640.KAA06112@lariat.lariat.org>

At 01:17 PM 7/22/98 -0400, Matthew N. Dodd wrote:
>This is clearly the cause of your problem. Your attempts to solve your
>administrative problem with a technical solution will only give you a
>false sense of security.
>
>Most people don't let the village idiot watch their horse for them.

The person who was left in charge was not the "village idiot" by any
means. The server is run and maintained by a group for its own benefit, and
each of us has a different area of specialization. UNIX experts are not
exactly crawling out of the woodwork, alas.

>I wish you'd stop trying to convince yourself that some miracle of modern
>technology would have saved you from your break-in

No "miracles" here. Just a distribution system for fixes which parallels
the one via which the buggy software was installed in the first place.
It's easy to do a network install of FreeBSD; it ought to be easy to get
automatic fixes for security holes.

--Brett Glass

From owner-freebsd-security Wed Jul 22 11:19:04 1998
Message-Id: <199807221818.MAA07833@lariat.lariat.org>
Date: Wed, 22 Jul 1998 12:18:21 -0600
From: Brett Glass
To: "Jordan K. Hubbard"
Cc: ben@rosengart.com, Jim Shankland, ahd@kew.com, leec@adam.adonai.net, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <14999.901130389@time.cdrom.com>

At 10:59 AM 7/22/98 -0700, Jordan K. Hubbard wrote:
>You're assuming that the hackers knew what they were doing or that
>they didn't attempt to run other exploit scripts which malfunctioned.

Well, when *I* touched files their directory entries were also corrupted.
This indicates that something deep within the system was hosed. And since
the problem went away after a reboot, it appears to be the result of memory
corruption. Even other exploit scripts would run in userland, so this
suggests (no, there's no good way to establish it for sure yet) that the
integrity of the kernel was breached.

--Brett

From owner-freebsd-security Wed Jul 22 11:24:41 1998
Message-Id: <199807221823.OAA03826@kendra.ne.mediaone.net>
Date: Wed, 22 Jul 1998 14:23:59 -0400 (EDT)
From: Drew Derbyshire
To: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <14999.901130389@time.cdrom.com>

> From jkh@time.cdrom.com Wed Jul 22 14:00:53 1998
> > Well, even someone parading around as root wouldn't have much purpose
> > in changing the ownership of files to User 30005 (no ID) or in changing
> > the group ownership to random gid's. Very obvious and not good for hacking.
>
> You're assuming that the hackers knew what they were doing or that
> they didn't attempt to run other exploit scripts which malfunctioned.

Goodness knows, I'm willing to disagree with Jordan (whether I should or
not :-)), but he's on target with this. Remember, these are actually
crackers, not hackers; if they were any good at writing code, don't you
think they'd find better things to do? Even if they did know what they
were doing, there is nothing to say they didn't trash the place on
purpose.

I'd suggest we move on ...

BTW, I did bother to just check what's the qpopper version now in the
ports collection, it's 2.53. (I personally didn't know). My thanks to the
nice people handling the ports who have kept it updated.

--
Drew Derbyshire                  Internet:  ahd@kew.com
Kendra Electronic Wonderworks    Telephone: 781-279-9812

Harris's Lament: All the good ones are taken

From owner-freebsd-security Wed Jul 22 12:08:19 1998
Date: Wed, 22 Jul 1998 15:07:03 -0400 (EDT)
From: "Matthew N. Dodd"
To: Brett Glass
Cc: Pat Lynch, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807221815.MAA07768@lariat.lariat.org>

On Wed, 22 Jul 1998, Brett Glass wrote:
> At 01:17 PM 7/22/98 -0400, Matthew N. Dodd wrote:
> >Most people don't let the village idiot watch their horse for them.
>
> The person who was left in charge was not the "village idiot" by
> any means. The server is run and maintained by a group for its own benefit,
> and each of us has a different area of specialization. UNIX experts are
> not exactly crawling out of the woodwork, alas.

Of course he's not 'the village idiot'.

However, I'm no more qualified to run NT machines than your average NT
admin is qualified to run Unix boxes. As I've neither the time nor the
inclination to learn NT at the level that would make me useful in
supporting it, for purposes of conversation, I'm 'the village idiot' when
it comes to NT. From your posts it would seem that your NT admin is in
much the same situation regarding Unix.

> No "miracles" here. Just a distribution system for fixes which parallels
> the one via which the buggy software was installed in the first place.
> It's easy to do a network install of FreeBSD; it ought to be easy to get
> automatic fixes for security holes.

You aren't solving the problem; others have added their words to this
topic as well. Your solution would have resulted in a non-functioning POP3
server and you would have quickly disabled the service once you realized
the control you were giving a 3rd party over your systems and your life.

If you don't get it, you don't get it. My efforts to play the devil's
advocate in this issue have not caused you to re-examine your position.

Any further replies should be off-list. Thanks.

/* Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53 */

From owner-freebsd-security Wed Jul 22 13:01:01 1998
Message-Id: <199807222002.OAA04885@harmony.village.org>
Date: Wed, 22 Jul 1998 14:02:43 -0600
From: Warner Losh
To: Eivind Eklund
Cc: Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-reply-to: Your message of "Wed, 22 Jul 1998 08:40:26 +0200." <19980722084026.45975@follo.net>

In message <19980722084026.45975@follo.net> Eivind Eklund writes:
: However, you _could_ hire somebody to merge over all the good changes
: from OpenBSD.

And there are plenty of people here with lots of experience in that area
that would love the extra income... I know that I'd give special low rates
for this sort of work to someone who is interested in funding it.
Warner

From owner-freebsd-security Wed Jul 22 13:05:56 1998
Message-Id: <199807222007.OAA04906@harmony.village.org>
Date: Wed, 22 Jul 1998 14:07:44 -0600
From: Warner Losh
To: Pat Lynch
Cc: "Jordan K. Hubbard", andrewr, Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-reply-to: Your message of "Wed, 22 Jul 1998 12:33:10 EDT."

In message Pat Lynch writes:
: I'd certainly get involved in this, I wonder if Al would as well =) =) =)

The history of these initiatives has been somewhat less than encouraging.
We tried this a while ago and got some, but not a lot of tangible results.

The biggest problem before was that many people doing the audit didn't
know what to look for, so missed a lot of things.....

Also, it is a huge effort to coordinate. The effort also suffered from
lack of time of some of the participants.
Warner

From owner-freebsd-security Wed Jul 22 13:25:01 1998
Date: Wed, 22 Jul 1998 16:29:10 -0400 (EDT)
From: andrewr
To: Warner Losh
Cc: Pat Lynch, "Jordan K. Hubbard", Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <199807222007.OAA04906@harmony.village.org>

On Wed, 22 Jul 1998, Warner Losh wrote:
> In message Pat Lynch writes:
> : I'd certainly get involved in this, I wonder if Al would as well =) =) =)
>
> The history of these initiatives has been somewhat less than
> encouraging. We tried this a while ago and got some, but not a lot of
> tangible results.
>
> The biggest problem before was that many people doing the audit didn't
> know what to look for, so missed a lot of things.....

Which is why I am going to ask people who I know for sure know what to
look for.

> Also, it is a huge effort to coordinate. The effort also suffered
> from lack of time of some of the participants.

Another thing I am going to ask from the participants is that they really
DO have time. It's up to them to make the correct choice.. The choice to
help out and make their OS better, or to slack and hurt the project.

Andrew

> Warner

From owner-freebsd-security Wed Jul 22 13:27:44 1998
Message-ID: <19980722222410.A9261@cityip.co.za>
Date: Wed, 22 Jul 1998 22:24:10 +0200
From: Johann Visagie
To: Drew Derbyshire, brett@lariat.org
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To: <199807221535.LAA03172@kendra.ne.mediaone.net>; from Drew Derbyshire on Wed, Jul 22, 1998 at 11:35:16AM -0400

On Wed, 22 Jul 1998 at 11:35 SAT, Drew Derbyshire wrote:
> > I did not see the corruption problems reported with the other QPOP
> attack; as I noted before, the visitors to my system were surgical
> in their wanton destruction, I think they wanted me to know they
> could done worse but didn't.

In a certain sense you're lucky. Many of these latest vulnerabilities had
pre-cooked exploits released for them. Add mscan to the mix, and it was a
real script kiddie hackfest. I know of a number of servers which were
fdisked. A more "experienced" hacker would never stoop to that. In fact,
you'd probably never even know he was there. And he'd never leave.

-- V
Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878

From owner-freebsd-security Wed Jul 22 13:34:02 1998
Message-Id: <199807222036.OAA05154@harmony.village.org>
Date: Wed, 22 Jul 1998 14:36:15 -0600
From: Warner Losh
To: andrewr
Cc: Pat Lynch, "Jordan K. Hubbard", Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-reply-to: Your message of "Wed, 22 Jul 1998 16:29:10 EDT."

In message andrewr writes:
: Which is why I am going to ask people who I know for sure know what to
: look for.

Asking and getting are two different things :-). However, most anybody can
do find /usr/src/blah | xargs egrep sprintf.

: > Also, it is a huge effort to coordinate. The effort also suffered
: > from lack of time of some of the participants.
:
: Another thing I am going to ask from the participants is that they really
: DO have time. It's up to them to make the correct choice.. The choice to
: help out and make their OS better, or to slack and hurt the project.

I think that this is a dangerous attitude. People want to do these things,
but often times other things come up to prevent them from putting the time
into the project. You'll likely need, to run a successful project, some
flexibility in this, plus assigning the tree to multiple people. It is far
easier to give the tree out in small chunks than in large chunks. At least
it is easier for people to finish them.

Warner

From owner-freebsd-security Wed Jul 22 14:06:14 1998
Date: Wed, 22 Jul 1998 17:09:46 -0400
From: Garance A Drosihn
To: "Matthew N. Dodd"
Cc: security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
References: <199807221640.KAA06112@lariat.lariat.org>

At 1:17 PM -0400 7/22/98, Matthew N. Dodd wrote:
>On Wed, 22 Jul 1998, Brett Glass wrote:
>> This is Laramie, Wyoming! The person watching the system was an NT
>> expert, and Heaven knows they have to know about security. But this
>> happened so fast after first postings of exploits that there was no
>> time. And there was no CERT advisory.
>
> This is clearly the cause of your problem. Your attempts to solve
> your administrative problem with a technical solution will only give
> you a false sense of security.
>
> Most people don't let the village idiot watch their horse for them.

This really is overly hostile. I can sympathize with Brett, who just got
bit bad over pathetic code, a lot more than someone who is just peeved
because Brett is so worked up. Yes, he's a bit over the top, but at least
I can understand *why* he might be. Seems to me you could reply at a few
decibels lower volume than he's running at.

It is also not going to do anything but add fuel to a fire, and the
security list is probably already busier right now than it really needs to
be. I can just see it now, we're going to have people quitting the
security list because it's too busy with dueling flame-wars, and thus
they'll miss the announcement of the next security problem.
--- Garance Alistair Drosehn = gad@eclipse.its.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Jul 22 14:19:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA26580 for freebsd-security-outgoing; Wed, 22 Jul 1998 14:19:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from osorio.eletrosul.gov.br (osorio.eletrosul.gov.br [200.19.97.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA26179 for ; Wed, 22 Jul 1998 14:17:32 -0700 (PDT) (envelope-from cgomes@eletrosul.gov.br) Received: from cgomes.eletrosul.gov.br (cgomes.eletrosul [172.16.1.109]) by osorio.eletrosul.gov.br (8.8.5/8.8.5) with ESMTP id SAA23426 for ; Wed, 22 Jul 1998 18:08:08 -0300 (EST) Message-Id: <199807222108.SAA23426@osorio.eletrosul.gov.br> From: "Carlos Gomes" To: Subject: subscribe Date: Wed, 22 Jul 1998 18:17:58 -0300 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org subscribe me To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Jul 22 14:56:36 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA03803 for freebsd-security-outgoing; Wed, 22 Jul 1998 14:56:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.iticom.net (root@[208.139.225.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA03798 for ; Wed, 22 Jul 1998 14:56:33 -0700 (PDT) (envelope-from support@iwebb.com) Received: from iwebb.com by ns0.iticom.net ; Wed, 22 Jul 1998 21:54:14 +000 Message-ID: <35B5F2C4.9A333B3F@iwebb.com> 
Date: Wed, 22 Jul 1998 09:10:13 -0500
From: Support
Reply-To: trouble@webfyre.com
To: Garance A Drosihn
CC: "Matthew N. Dodd", security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
References: <199807221640.KAA06112@lariat.lariat.org>

> ---
> Garance Alistair Drosehn           =   gad@eclipse.its.rpi.edu
> Senior Systems Programmer          or  drosih@rpi.edu
> Rensselaer Polytechnic Institute

My two cents......... in one url ......... www.rootshell.com ........ in one word.... bugtraq......... follow them closely, or potentially pay... NOW GET OVER IT...! qpopper was posted a long time ago....... it's as old news as teardrop is at this point... if you're going to play in security and unix operating systems, it's damn near a full time job, and I've read bout enuff of this qpopper ..... let it go already.....!!!

Sincerely,
Scott V. Kamp
Network/Internet Security Manager
CyberCom, Inc
Interweb Technologies, Inc.
From owner-freebsd-security Wed Jul 22 15:02:43 1998
From: Adam Shostack
Message-Id: <199807222201.SAA28072@homeport.org>
Subject: Re: Projects to improve security (related to C)
In-Reply-To: from andrewr at "Jul 22, 98 04:29:10 pm"
To: andrewr@slack.net (andrewr)
Date: Wed, 22 Jul 1998 18:01:15 -0400 (EDT)
Cc: security@FreeBSD.ORG

| > The biggest problem before was that many people doing the audit didn't
| > know what to look for, so missed a lot of things.....
|
| Which is why I am going to ask people who I know for sure know what to
| look for.

Could I suggest that rather than insist on getting skilled people, you consider offering help to volunteers? Something like my review guidelines (which need more on temp races) can let someone without a lot of knowledge contribute a first pass, so you can focus your good people on the uglier code. A complete audit takes years of work by a few highly skilled and dedicated people, but reading the Open- cvs logs and seeing if the changed code exists in Free- is not a high skill task. And it's where a lot of high payoff results will be.
You might also want to listen to the linux audit project folks, to see how they're addressing things. The list is ezmlm run at security-audit-subscribe@ferret.lmh.ox.ac.uk

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Wed Jul 22 15:23:53 1998
Message-ID: <19980722182324.26248@kublai.com>
Date: Wed, 22 Jul 1998 18:23:24 -0400
From: Brian Cully
To: Brett Glass, "Jordan K. Hubbard"
Cc: security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
Reply-To: shmit@kublai.com
References: <8134.901020116@time.cdrom.com> <199807211859.MAA14931@lariat.lariat.org>
In-Reply-To: <199807211859.MAA14931@lariat.lariat.org>; from Brett Glass on Tue, Jul 21, 1998 at 12:58:59PM -0600
X-Sender: If your mailer pays attention to this, it's broken.
X-PGP-Info: finger shmit@kublai.com for my public key.
On Tue, Jul 21, 1998 at 12:58:59PM -0600, Brett Glass wrote:
> In the meantime, there are some things that can be done even with the
> code still written in C. we can (and must!) bite the bullet and kick sprintf,
> vsprintf, and similar functions OUT of the libraries. Yes, it'll be a
> bit of a pain, but... no pain, no gain.

Uhh... what? I seriously hope you're not suggesting that programmers should not have access to the various un-bounds-checked functions. I know that when I program, I instinctively put an `n' in my function calls, but sometimes that's not possible, so I make sure that arrays are bounds-checked before going into the call. Any reasonable programmer will flinch at using the un-checked versions of the calls and do his damndest to make sure there's no overflow condition. Sure, there are bad programmers out there, who don't bother with the appropriate steps, but that doesn't mean the good ones should suffer.
--
Brian Cully
``And when one of our comrades was taken prisoner, blindfolded, hung upside-down, shot, and burned, we thought to ourselves, `These are the best experiences of our lives'''
                                       -Pathology (Joe Frank, Somewhere Out There)

From owner-freebsd-security Wed Jul 22 16:33:16 1998
In-Reply-To: <199807221535.LAA03172@kendra.ne.mediaone.net>
References: <199807221453.IAA03997@lariat.lariat.org>
Date: Wed, 22 Jul 1998 19:36:41 -0400
To: Drew Derbyshire
From: Garance A Drosihn
Subject: Re: hacked and don't know why
Cc: security@FreeBSD.ORG

At 11:35 AM -0400 7/22/98, Drew Derbyshire wrote:
> I did not see the corruption problems reported with the other QPOP
> attack; as I noted before, the visitors to my system were surgical
> in their wanton destruction, I think they wanted me to know they
> could have done worse but didn't.

For what it's worth, a long time ago we had a break-in problem, not on FreeBSD, where all the binaries in /usr/bin (or some other common directories) were replaced with a single executable, and all programs seemed to still work fine.
That executable would see a few things about what privileges it was running with before trying to do nasty things. No matter what, it would then run the *real* program, so the user always got the results that they were expecting to see. All the *real* programs were buried in a non-obvious directory. So, the nasty program would find out what path it was started up as, and then just add /var/.hidden/non-obviousplace on to the front of that pathname. So, the exact same executable could be used to replace all executables in a given directory.

We unhooked the machine from the network, learned what we could about what had happened, and reformatted & rebuilt all the information on the hard drive...

---
Garance Alistair Drosehn           =   gad@eclipse.its.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Wed Jul 22 19:25:23 1998
Date: Thu, 23 Jul 1998 12:20:53 +1000
From: Peter Jeremy
Subject: Re: Projects to improve security (related to C)
To: security@FreeBSD.ORG
Message-Id: <98Jul23.122048est.40333@border.alcanet.com.au>

On Wed, 22 Jul 1998 18:23:24 -0400, Brian Cully wrote:
>On Tue, Jul 21, 1998 at 12:58:59PM -0600, Brett Glass wrote:
>> In the meantime, there are some things that can be done even with the
>> code still written in C. we can (and must!) bite the bullet and kick sprintf,
>> vsprintf, and similar functions OUT of the libraries. Yes, it'll be a
>> bit of a pain, but... no pain, no gain.
>
>Uhh... what? I seriously hope you're not suggesting that programmers
>should not have access to the various un-bounds-checked functions.

What Brett suggests might be a bit impractical, but we can easily give [v]sprintf() et al the same treatment as gets(): If the linker currently sees a reference to gets(), it reports "warning: this program uses gets(), which is unsafe." The same message is written to stderr when gets() is called.

I don't believe it is reasonable to apply the same stigma to the (unchecked) str...() functions - they are not inherently unsafe (unlike gets() and many [v]sprintf() calls).

This does bring up the issue of where to draw the line as far as `unsafe' functions are concerned. I can think of the following standard functions which have the potential for buffer overflows when used correctly (ie parameter types are appropriate and passed buffers match their passed sizes etc): *scanf(), [v]sprintf(), gets(), wctomb(), strcpy() and strcat(). I suspect it would be relatively difficult to exploit wctomb(). Has anyone tried looking for exploits using *scanf() functions?

I have often thought about building a bounds-checking sandbox for debugging C code using C++ by overloading [], ->, unary * and unary &. The killer is the amount of effort needed to re-define all the builtin types and define the appropriate (template) class. (And there may be some gotchas with differences between ANSI C and C++ - I haven't looked too hard at that side). Depending on the resultant slowdown, it might be practical to live with the result in this form.
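Brian's and Peter's exchange turns on the difference between the unchecked formatting calls and their bounded counterparts, and on Brian's habit of checking the bounds before the call. The C program below is an added example for this thread, not code from either poster or from FreeBSD's libc: it wraps vsnprintf() in two hypothetical helpers, format_bounded(), which always NUL-terminates and reports truncation instead of writing past the buffer, and fits_in(), which uses vsnprintf(NULL, 0, ...) to measure the formatted length without writing anything, so a caller can check a fixed buffer before committing to it. The over-long user name in demo() is a constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for sprintf(): formats into dst (dstsz bytes),
 * always NUL-terminates, and reports truncation rather than writing
 * past the end.  Returns the number of characters stored (excluding
 * the NUL), or -1 if the full result would not fit.  Hypothetical
 * helper written for this example, not a libc function. */
int format_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int need;

    if (dst == NULL || dstsz == 0)
        return -1;

    va_start(ap, fmt);
    need = vsnprintf(dst, dstsz, fmt, ap);  /* writes at most dstsz-1 chars + NUL */
    va_end(ap);

    if (need < 0) {                 /* encoding error: leave an empty string */
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)need >= dstsz)      /* result was truncated to fit */
        return -1;
    return need;
}

/* The "check before the unchecked call" approach: vsnprintf() with a
 * NULL buffer and size 0 returns the length the result would need
 * without writing anything.  Returns 1 if the formatted string (plus
 * its NUL) fits in dstsz bytes, 0 otherwise. */
int fits_in(size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);

    return need >= 0 && (size_t)need < dstsz;
}

/* Demonstration on a small fixed buffer.  The argument is constructed
 * to be longer than the buffer: exactly the case in which an unbounded
 * sprintf(buf, "user=%s", user) would write past the end of buf.
 * Returns the number of checks that flagged the overflow (2). */
int demo(void)
{
    char buf[16];
    const char *user = "a-name-that-is-much-too-long-for-the-buffer"; /* constructed */
    int flagged = 0;

    if (!fits_in(sizeof buf, "user=%s", user))
        flagged++;                  /* pre-check: it does not fit */

    if (format_bounded(buf, sizeof buf, "user=%s", user) < 0)
        flagged++;                  /* truncated, but buf is intact and NUL-terminated */

    printf("%s (%zu bytes used of %zu)\n", buf, strlen(buf), sizeof buf);
    return flagged;
}

int main(void)
{
    return demo() == 2 ? 0 : 1;
}
```

Both helpers rely only on C99 vsnprintf() semantics (the return value is the length the complete result would have had), which is what makes truncation detectable and the pre-check possible; the unchecked sprintf() gives the caller neither.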
Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247

From owner-freebsd-security Wed Jul 22 19:34:47 1998
Message-Id: <199807230234.UAA15923@lariat.lariat.org>
Date: Wed, 22 Jul 1998 20:34:13 -0600
To: "Matthew N. Dodd"
From: Brett Glass
Subject: Re: Why is there no info on the QPOPPER hack?
Cc: Pat Lynch, security@FreeBSD.ORG
References: <199807221815.MAA07768@lariat.lariat.org>

At 03:07 PM 7/22/98 -0400, Matthew N. Dodd wrote:
>Of course he's not 'the village idiot'. However, I'm no more qualified
>to run NT machines as your average NT admin is qualified to run Unix
>boxes.

No, but an NT admin is still qualified to help with problems under someone else's direction.

>Your solution would have resulted in a non functioning
>POP3 server and you would have quickly disabled the service once you
>realized the control you were giving a 3rd party over your systems and
>your life.

Asserted without proof, and ad hominem.
--Brett Glass

From owner-freebsd-security Wed Jul 22 20:06:26 1998
Message-ID: <35B63B57.9FA9995@webfyre.com>
Date: Wed, 22 Jul 1998 14:19:51 -0500
From: "Security Mgr."
Reply-To: trouble@webfyre.com
Organization: Web Fyre
To: Pat Lynch
CC: "Jordan K. Hubbard", andrewr, Eivind Eklund, Alexandre Snarskii, Garance A Drosihn, security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)

Pat Lynch wrote:
> I'd certainly get involved in this, I wonder if Al would as well =) =) =)
>
> ___________________________________________________________________________
>
> Pat Lynch                                                   lynch@rush.net
> Systems Administrator                                       Rush Networking

Would it not just be wiser to create a security-audit mailing list, and let someone who knows secure programming and has a brain moderate it, and then allow it as an open mailing list for whomever wants to partake....
From owner-freebsd-security Thu Jul 23 20:39:51 1998
Date: Thu, 23 Jul 1998 23:37:55 -0400 (EDT)
From: Thomas Valentino Crimi
To: security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
In-Reply-To: <98Jul23.122048est.40333@border.alcanet.com.au>
References: <98Jul23.122048est.40333@border.alcanet.com.au>

Checking the FreeBSD site, there is already a published list of "Programmer Do's and Don'ts" at http://www.freebsd.org/security/programmers.html; this includes a list of extra things to look for when auditing code.

I think I'm going to begin taking people up on this, beginning with the smaller utilities (which may turn up little or nothing) and moving on up. Ports seem to be the bigger culprits.. and FreeBSD being able to claim more secure versions than even the standard distribs can only give up extra points. If this takes off, Freebsd-audit would be an excellent idea.

At the moment, who would be the 'more experienced' people to talk to if I were to find something in need of a patch? I have a good understanding of the issues involved but this would be my first venture in touching FreeBSD proper, so I of course want some watchful eye over me. ;) Is send-pr enough to bring it to attention?

From owner-freebsd-security Thu Jul 23 21:19:50 1998
Date: Thu, 23 Jul 1998 23:19:05 -0500 (CDT)
From: "Lee Crites (ASC)"
To: Garance A Drosihn
cc: Drew Derbyshire, security@FreeBSD.ORG
Subject: Re: hacked and don't know why

On Wed, 22 Jul 1998, Garance A Drosihn wrote:

=>That executable would see a few things about what privileges it
=>was running with before trying to do nasty things. No matter
=>what, it would then run the *real* program, so the user always
=>got the results that they were expecting to see. All the
=>*real* programs were buried in a non-obvious directory. So,
=>the nasty program would find out what path it was started up
=>as, and then just add /var/.hidden/non-obviousplace on to the
=>front of that pathname. So, the exact same executable could be
=>used to replace all executables in a given directory.

This sounds exactly like what I was seeing. After I regained some presence of mind I thought it would have been nice if I could have checked for something like that. In fact, for all I know, the "executable" I was looking at might have just been a script. Okay, okay, a 180-something-k script might be a little excessive, but the point is I have no idea what was there. I did notice, though, that each command appeared to work properly even though the command itself was exactly the same as all of the other ones.

Lee
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lee Crites              Adonai Services Company, Round Rock, Texas
leec@adonai.net                    http://www.adonai.net/~leec
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From owner-freebsd-security Thu Jul 23 21:31:38 1998
Date: Thu, 23 Jul 1998 23:30:49 -0500 (CDT)
From: "Lee Crites (ASC)"
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: Translation to a safer language...
In-Reply-To: <199807220125.TAA21968@lariat.lariat.org>

On Tue, 21 Jul 1998, Brett Glass wrote:

=>Pascal, Modula-2, Modula-3, and Ada are the most obvious

Pascal is a good language. I still have more pascal code on my system than any other single language. I'm not thinking it would be a good candidate, though. Not because I don't think the language can handle it, but because I don't think there are enough really good pascal programmers. Most people have taken a pascal programming class sometime and would think they could "handle" it, only to find out we turned out as bad a system as we were trying to replace...

Modula-X isn't that much different than pascal. The main difference (in my mind, anyway) is that most of the programmers would sense the need to learn a new language. This way we would at least start with people who were "fully trained" in the language.

I've seen a few non-dod programs in ada, but not enough to really make an analysis of the abilities of the language.

=>candidates; of course, a new language could be developed with
=>this application in mind. (The advantage of developing
=>something new is that it could have obvious, but safe, mappings
=>from C constructs, facilitating machine translation.) Ideas?

A new language doesn't seem like it would be a good idea to me. We'd have to work on debugging a new language and a new compiler and new libraries at the same time we are working on the operating system. It could happen, but I think we'd be better off with an existing language.

I'd like to see some object oriented direction -- perhaps object pascal or mod-3.

But all of this is the mindless ramblings of someone way out of the loop, so take it for what it is (is not) worth...
Lee
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lee Crites              Adonai Services Company, Round Rock, Texas
leec@adonai.net                    http://www.adonai.net/~leec
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From owner-freebsd-security Thu Jul 23 21:37:33 1998
Date: Thu, 23 Jul 1998 23:36:47 -0500 (CDT)
From: "Lee Crites (ASC)"
To: Brett Glass
cc: Andrew Kenneth Milton, security@FreeBSD.ORG
Subject: Re: Translation to a safer language (Was: Projects to improve security)
In-Reply-To: <199807221459.IAA04129@lariat.lariat.org>

On Wed, 22 Jul 1998, Brett Glass wrote:

=>>The only way to prevent bad code is to audit and test.
=>
=>It'd be nice if even *that* worked. I've developed a renewed interest
=>in mechanical verification.

There is this guy named Michael Fagan who is going about teaching what he calls Fagan Inspections. It sounds okay on the surface, but there is nothing magical about it. Faganized code *should* have fewer defects in it -- any code you and three friends spend 40% of your time inspecting had darn well better have fewer defects! Actually, I said that backwards -- 40% of your coding man hours will be in inspections.
If you had a 60 man hour project, then it would be 100 man hours including the inspections.

There are a lot of stats showing a real defect reduction by Faganizing your code (and documents -- they both work). Motorola, for instance, swears by them. (...we are still at the stage of swearing *at* them...)

It *is* possible for an inspection process to work. It just takes more time, effort, and discipline than most organizations can handle.

Lee
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lee Crites              Adonai Services Company, Round Rock, Texas
leec@adonai.net                    http://www.adonai.net/~leec
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From owner-freebsd-security Fri Jul 24 01:33:52 1998
Date: Fri, 24 Jul 1998 09:33:14 +0100 (BST)
From: Jay Tribick
To: "Lee Crites (ASC)"
cc: Garance A Drosihn, Drew Derbyshire, security@FreeBSD.ORG
Subject: Re: hacked and don't know why

| =>That executable would see a few things about what privileges it
| =>was running with before trying to do nasty things. No matter
| =>what, it would then run the *real* program, so the user always
| =>got the results that they were expecting to see. All the
| =>*real* programs were buried in a non-obvious directory. So,
| =>the nasty program would find out what path it was started up
| =>as, and then just add /var/.hidden/non-obviousplace on to the
| =>front of that pathname. So, the exact same executable could be
| =>used to replace all executables in a given directory.
|
| This sounds exactly like what I was seeing. After I regained
| some presence of mind I thought it would have been nice if I
| could have checked for something like that. In fact, for all I
| know, the "executable" I was looking at might have just been a
| script. Okay, okay, a 180-something-k script might be a little
| excessive, but the point is I have no idea what was there. I did
| notice, though, that each command appeared to work properly even
| though the command itself was exactly the same as all of the
| other ones.

Just thought I'd point out that it's quite possible this was a rootkit - if you look on your system you'll find a little-known about utility called crunchgen which can concatenate and compress multiple executables into one file. If you then do various symlinks to this file it will exec the appropriate function.
RTFM - 'man crunchgen' :)

Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/   |]
[| Finger netadmin@fastnet.co.uk for contact information                 |]
[| T: +44 (0)1273 677633  F: +44 (0)1273 621631  e: netadmin@fast.net.uk |]

From owner-freebsd-security Fri Jul 24 02:10:09 1998
Message-ID: <19980724110852.62387@follo.net>
Date: Fri, 24 Jul 1998 11:08:52 +0200
From: Eivind Eklund
To: "Lee Crites (ASC)", Brett Glass
Cc: Andrew Kenneth Milton, security@FreeBSD.ORG
Subject: Re: Translation to a safer language (Was: Projects to improve security)
References: <199807221459.IAA04129@lariat.lariat.org>
In-Reply-To: ; from Lee Crites (ASC) on Thu, Jul 23, 1998 at 11:36:47PM -0500

On Thu, Jul 23, 1998 at 11:36:47PM -0500, Lee Crites (ASC) wrote:
> On Wed, 22 Jul 1998, Brett Glass wrote:
>
> =>>The only way to prevent bad code is to audit and test.
> =>
> =>It'd be nice if even *that* worked. I've developed a renewed interest
> =>in mechanical verification.
>
> There is this guy named Michael Fagan who is going about teaching
> what he calls Fagan Inspections. It sounds okay on the surface,
> but there is nothing magical about it. Faganized code *should*
> have fewer defects in it -- any code you and three friends spend
> 40% of your time inspecting had darn well better have fewer
> defects! Actually, I said that backwards -- 40% of your coding
> man hours will be in inspections. If you had a 60 man hour
> project, then it would be 100 man hours including the
> inspections.
>
> There are a lot of stats showing a real defect reduction by
> Faganizing your code (and documents -- they both work).
> Motorola, for instance, swears by them. (...we are still at the
> stage of swearing *at* them...)

Inspections (or "Fagan inspections" if you want) work. They're difficult to introduce and require physical presence, but when you get them working they both synchronize how people work, thus making it easier to share code, and make a really significant dent in the number of defects. From a personal viewpoint (I didn't measure this), they seemed much more effective than just doing reviews.

Eivind.
From owner-freebsd-security Fri Jul 24 02:14:39 1998
Message-ID: <19980724111402.00430@follo.net>
Date: Fri, 24 Jul 1998 11:14:02 +0200
From: Eivind Eklund
To: Brett Glass, Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Translation to a safer language (Was: Projects to improve security)
References: <199807220250.UAA23367@lariat.lariat.org> <199807221438.OAA08927@zeus.theinternet.com.au> <199807221459.IAA04129@lariat.lariat.org>
In-Reply-To: <199807221459.IAA04129@lariat.lariat.org>; from Brett Glass on Wed, Jul 22, 1998 at 08:59:53AM -0600

On Wed, Jul 22, 1998 at 08:59:53AM -0600, Brett Glass wrote:
> At 02:38 PM 7/22/98 +0000, Andrew Kenneth Milton wrote:
>
> >Anything with a cast operator is out then...
> >
> >That nails, C++, Modula*, Java, C.
>
> I disagree. Casting used in certain limited ways is necessary,
> as are variant records. However, mechanisms must be in place
> to use it safely.
Casting should not be necessary - there came new typesystems last year
that let you describe complex cases (this is an integer, real, or JPEG
picture, but not a generic picture) and do compile-time verification
on them. The typesystems are (supposedly) generic enough to be useful
for the way Lisp is typically used, and still simple enough that they
can be mechanically verified.

Now, if I'd only remembered their name...

Eivind.

From owner-freebsd-security Fri Jul 24 02:40:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA29439 for freebsd-security-outgoing; Fri, 24 Jul 1998 02:40:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA29360 for ; Fri, 24 Jul 1998 02:39:52 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id JAA09367; Fri, 24 Jul 1998 09:39:25 GMT
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id LAA11283; Fri, 24 Jul 1998 11:39:24 +0200 (MET DST)
Message-ID: <19980724113923.54830@follo.net>
Date: Fri, 24 Jul 1998 11:39:23 +0200
From: Eivind Eklund
To: John Fieber , Jay Tribick
Cc: Brett Glass , security@FreeBSD.ORG
Subject: Re: Projects to improve security (automagic patching)
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: ; from John Fieber on Wed, Jul 22, 1998 at 01:07:36PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jul 22, 1998 at 01:07:36PM -0500, John Fieber wrote:
> Band-aid delivery is trivial, in a relative way. Bandaid
> manufacture and automated band-aid application are minefields
> waiting to blow someone up.
> Automated patch application may be
> complex enough that reliability and correctness are hard to
> guarantee. In the end, managing the "automated" system may be
> just as labor intensive and error prone as the old fashioned
> method of paying attention to BUGTRAQ and rootshell.com.

IMO: You don't transfer source patches, you transfer binary patches.
These are relative to a very specific set of files: The exact binaries
we distribute as part of the last release. If somebody has patched
relative to this, then assume they know what they're doing and drop
the patch in the bit-bucket (with a notification to the admin
indicating that this has happened, of course).

Eivind.

From owner-freebsd-security Fri Jul 24 15:48:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA15667 for freebsd-security-outgoing; Fri, 24 Jul 1998 15:48:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA15639 for ; Fri, 24 Jul 1998 15:47:48 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id QAA28014; Fri, 24 Jul 1998 16:47:21 -0600 (MDT)
Message-Id: <199807242247.QAA28014@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Fri, 24 Jul 1998 16:47:08 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Does this hole affect FreeBSD 2.2.7 too?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Approved-By: aleph1@DFW.NET
>Date: Fri, 24 Jul 1998 16:40:41 -0400
>Reply-To: twiztah
>Sender: Bugtraq List
>From: twiztah
>Subject: SECURITY: new ncurses packages
>X-cc: scoop@freshmeat.net, maxho@maxho.com
>To: BUGTRAQ@NETSPACE.ORG
>
>Potential security problems have been identified in all versions of ncurses
>packages shipped with Red Hat Linux.
>
>Users of Red Hat Linux are recommended to upgrade to the new packages
>available under updates directory on our ftp site:
>
>
>* Red Hat Linux 5.1:
>====================
>
>alpha:
>- ------
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/alpha/ncurses-4.2-8.alpha.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/alpha/ncurses-devel-4.2-8.alpha.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/alpha/ncurses3-1.9.9e-6.alpha.rpm
>
>i386:
>- -----
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/i386/ncurses-4.2-8.i386.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/i386/ncurses-devel-4.2-8.i386.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/i386/ncurses3-1.9.9e-6.i386.rpm
>
>sparc:
>- ------
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/sparc/ncurses-4.2-8.sparc.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/sparc/ncurses-devel-4.2-8.sparc.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/sparc/ncurses3-1.9.9e-6.sparc.rpm
>
>Source RPM:
>- -----------
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/SRPMS/ncurses-4.2-8.src.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/SRPMS/ncurses3-1.9.9e-6.src.rpm
>
>
>* Red Hat Linux 5.0:
>====================
>
>alpha:
>- ------
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.0/alpha/ncurses-1.9.9e-9.alpha.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.0/alpha/ncurses-devel-1.9.9e-9.alpha.rpm
>
>i386:
>- -----
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.0/i386/ncurses-1.9.9e-9.i386.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.0/i386/ncurses-devel-1.9.9e-9.i386.rpm
>
>Source RPM:
>- -----------
>ftp://ftp.redhat.com/pub/redhat/updates/5.0/SRPMS/ncurses-1.9.9e-9.src.rpm
>
>* Red Hat Linux 4.2:
>====================
>
>alpha:
>- ------
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/ncurses-1.9.9e-4.1.alpha.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/ncurses-devel-1.9.9e-4.1.alpha.rpm
>
>i386:
>- -----
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/ncurses-1.9.9e-4.1.i386.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/ncurses-devel-1.9.9e-4.1.i386.rpm
>
>sparc:
>- ------
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/ncurses-1.9.9e-4.1.sparc.rpm
>rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/ncurses-devel-1.9.9e-4.1.sparc.rpm
>
>Source RPM:
>- ----------
>ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/ncurses-1.9.9e-4.1.src.rpm
>

From owner-freebsd-security Sat Jul 25 06:47:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA20042 for freebsd-security-outgoing; Sat, 25 Jul 1998 06:47:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hotmail.com (f36.hotmail.com [207.82.250.47]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id GAA20037 for ; Sat, 25 Jul 1998 06:47:56 -0700 (PDT) (envelope-from dead_line@hotmail.com)
Received: (qmail 23087 invoked by uid 0); 25 Jul 1998 13:47:02 -0000
Message-ID: <19980725134702.23086.qmail@hotmail.com>
Received: from 168.187.146.202 by www.hotmail.com with HTTP; Sat, 25 Jul 1998 06:47:02 PDT
X-Originating-IP: [168.187.146.202]
From: "Dead_ Line"
To: security@FreeBSD.ORG
Subject: Need an offer
Content-Type: text/plain
Date: Sat, 25 Jul 1998 06:47:02 PDT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi there

i need an offer. if u can help me with it.

i need to create an IRC server *DALnet server*

Under some conditions ,, plz read this page.

http://www.dal.net/vote/server-app.txt

i need

1) CPU machine

a) PII 333 *AT least*
b) 128 MB ram *AT least*
c) 3.X GB mem.*AT least*
d) Shell FreeBsd operating.

= Inform me this how much will cost


and offer the following services also.

1) i need the machine work from your site if u can offer this

a) Lease Internet line 24 hours / 7 days Under T3 Speed
b) install on it IRCd software. * i will inform u about it*

---------------------------------------------------


can u Email me how much the machine will cost and monthly the other
service will cost.

Thnx alot for help.
Dead^Line ( my nick in irc.dal.net ) thnx



______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Sat Jul 25 07:30:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA23138 for freebsd-security-outgoing; Sat, 25 Jul 1998 07:30:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA23133 for ; Sat, 25 Jul 1998 07:30:46 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id HAA26337; Sat, 25 Jul 1998 07:29:47 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
To: "Dead_ Line"
cc: security@FreeBSD.ORG
Subject: Re: Need an offer
In-reply-to: Your message of "Sat, 25 Jul 1998 06:47:02 PDT." <19980725134702.23086.qmail@hotmail.com>
Date: Sat, 25 Jul 1998 07:29:47 -0700
Message-ID: <26333.901376987@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think you are somewhat confused here. This is the FreeBSD security
mailing list, a list for discussing security issues with FreeBSD. We
do not sell hardware, hardware consulting services or co-location
facilities of any sort nor do we endorse any particular such services.
I think you were somehow given the wrong mailing list. :)

- Jordan

> Hi there
>
> i need an offer. if u can help me with it.
>
> i need to create an IRC server *DALnet server*
>
> Under some conditions ,, plz read this page.
>
> http://www.dal.net/vote/server-app.txt
>
> i need
>
> 1) CPU machine
>
> a) PII 333 *AT least*
> b) 128 MB ram *AT least*
> c) 3.X GB mem.*AT least*
> d) Shell FreeBsd operating.
>
> = Inform me this how much will cost
>
>
> and offer the following services also.
>
> 1) i need the machine work from your site if u can offer this
>
> a) Lease Internet line 24 hours / 7 days Under T3 Speed
> b) install on it IRCd software. * i will inform u about it*
>
> ---------------------------------------------------
>
>
> can u Email me how much the machine will cost and monthly the other
> service will cost.
>
> Thnx alot for help.
>
>
>
>
> Dead^Line ( my nick in irc.dal.net ) thnx
>
>
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message

From owner-freebsd-security Sat Jul 25 07:33:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA23375 for freebsd-security-outgoing; Sat, 25 Jul 1998 07:33:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA23370 for ; Sat, 25 Jul 1998 07:33:26 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id KAA00735 for ; Sat, 25 Jul 1998 10:33:01 -0400 (EDT)
Date: Sat, 25 Jul 1998 10:33:01 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: security@FreeBSD.ORG
Subject: Re: Need an offer
In-Reply-To: <19980725134702.23086.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Looks like he *needs* security, but may not have asked the right
questions of us :-).
On Sat, 25 Jul 1998, Dead_ Line wrote:

> Hi there
>
> i need an offer. if u can help me with it.
>
> i need to create an IRC server *DALnet server*
>
> Under some conditions ,, plz read this page.
>
> http://www.dal.net/vote/server-app.txt
>
> i need
>
> 1) CPU machine
>
> a) PII 333 *AT least*
> b) 128 MB ram *AT least*
> c) 3.X GB mem.*AT least*
> d) Shell FreeBsd operating.
>
> = Inform me this how much will cost
>
>
> and offer the following services also.
>
> 1) i need the machine work from your site if u can offer this
>
> a) Lease Internet line 24 hours / 7 days Under T3 Speed
> b) install on it IRCd software. * i will inform u about it*
>
> ---------------------------------------------------
>
>
> can u Email me how much the machine will cost and monthly the other
> service will cost.
>
> Thnx alot for help.
>
>
>
>
> Dead^Line ( my nick in irc.dal.net ) thnx
>
>
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/