From owner-freebsd-security Sun Aug 30 11:11:19 1998
From: "Fernando P. Schapachnik"
Message-Id: <199808300353.AAA02566@localhost.schapachnik.com.ar>
Subject: Re: Shell history (Was: Re: post breakin log)
In-Reply-To: from "Jan B. Koum" at "Aug 28, 98 03:11:19 pm"
To: jkb@best.com (Jan B. Koum)
Date: Sun, 30 Aug 1998 00:53:38 -0300 (ART)
Cc: security@FreeBSD.ORG
Reply-To: fpscha@schapachnik.com.ar

In an earlier message Jan B. Koum wrote:
>
> cat /dev/null > typescript

What about chflagging typescript to append only?

>
> -- Yan
>
> www.best.com/~jkb/ Unix users of the world unite:
> www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
> "Turn up the lights, I don't want to go home in the dark."
>
> On Fri, 28 Aug 1998, Zahemszky Gabor wrote:
>
> >>
> >> This is assuming intruder will not try to change shell, turn off
> >> history within the shell and is in general pretty clueless when it comes
> >> to shell history. :)
> >> A friend of mine came up with an idea to create a shell which
> >> would log everything a user does.. not via shell history mechanism, but
> >> rather ala watch(8). Everything the user types would go into some files
> >> somewhere. Then again, nothing ever came out of it.
> >
> >man script
> >
> >ZGabor at CoDe dot HU
> >
> >--
> >#!/bin/ksh
> >Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0 123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
> >
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Fernando P. Schapachnik
fpscha@schapachnik.com.ar

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 30 19:32:53 1998
From: Mike Tancsa
Message-Id: <3.0.5.32.19980830223530.00f7a710@sentex.net>
Date: Sun, 30 Aug 1998 22:35:30 -0400
To: security@FreeBSD.ORG
Cc: questions@FreeBSD.ORG
Subject: FreeBSD's RST validation (security question)

Just wondering if this latest bugtraq post has been addressed yet?

	---Mike

>Approved-By: aleph1@DFW.NET
>X-Mailer: Mutt 0.92.8i
>Date: Sun, 30 Aug 1998 17:21:41 -0700
>Reply-To: Tristan Horn
>Sender: Bugtraq List
>From: Tristan Horn
>Subject: FreeBSD's RST validation
>To: BUGTRAQ@netspace.org
>
>RFC 793, pages 36-39 (chapter 3.5) describes closing connections with
>TCP. Page 37 is of particular interest:
>
>  Reset Processing
>
>  In all states except SYN-SENT, all reset (RST) segments are validated
>  by checking their SEQ-fields. A reset is valid if its sequence number
>  is in the window. In the SYN-SENT state (a RST received in response
>  to an initial SYN), the RST is acceptable if the ACK field
>  acknowledges the SYN.
>
>Unfortunately, FreeBSD (2.2.5, 2.2.6, 2.2.7, 3.0) does not appear to
>validate RST segments to this extent. In other words, only the packets'
>IP/port pairs are checked.
>
>In my limited testing (oddly enough, not many people would consent to
>DoS), Solaris, OSF/1, Linux and Windows 98 appear to conform to RFC 793
>in this regard. I have not yet been able to check NetBSD, OpenBSD, BSDI,
>etc.
>
>This problem gets worse when you bring it to multi-user FreeBSD boxes
>where netstat, systat -net, lsof (if improperly configured) and the like
>can be used to get all IP/port pairs in use. I suggest (especially to
>BEST) that these be chmod g-s or o-x'd until the problem is resolved.
>
>In cases where you only have the port number for one side of the
>connection, exploiting the vulnerability is still fairly trivial. In
>many (most?) cases, port 0 bind()s will start you off at port 1024 and
>increment by one from there. Kudos to the OSes that already use random
>or pseudorandom source ports...
>
>If the target is an IRC server or uses TCP wrappers, chances are that
>you can telnet to it and you'll get a connection back to your ident port.
>This will give you the high port.
>
>IRC in particular will probably be affected, due to the ease of getting
>addresses and such. /stats L even used to give you the port numbers
>for users, servers and listening sockets, but I believe this was fixed
>in /hybrid a while back, and then +CS. /stats c should just be disabled
>for non-opers since it lets people find the port # for autoconnects.
>
>SSH and similar secure sessions are in great danger because ports are
>manually bound to, starting at 1023 and decrementing from there.
>
>BSD exploit code is attached (thanks to those who made land and ported
>it!). Note that 'dstaddr' is where the RST packet is actually sent, so
>it must be the address of a buggy machine.
>
>This (like /many/ other attacks) would be much less of a concern if more
>people did ingress filtering.
>
>TS4 rocks!
>
>Tris

**********************************************************************
Mike Tancsa, Network Admin        *  mike@sentex.net
Sentex Communications Corp,       *  http://www.sentex.net/mike
Cambridge, Ontario                *  01.519.651.3400
Canada                            *

From owner-freebsd-security Sun Aug 30 22:53:35 1998
Date: Sun, 30 Aug 1998 22:23:47 -0700 (MST)
From: James Snow
To: Mike Tancsa
cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation (security question)
In-Reply-To: <3.0.5.32.19980830223530.00f7a710@sentex.net>

On Sun, 30 Aug 1998, Mike Tancsa wrote:

> Just wondering if this latest bugtraq post has been addressed yet ?

For what it's worth, I sent in the best description of that DoS attack I could muster up with the few details I was given at the time after the poster reset every TCP connection on my machine late last night. I haven't heard anything back yet but I think in my attempt to keep it quiet, I may have sent it to a list where it didn't get seen at all. I apologize.

-James Snow

 / - - - - - - - - - - - - - - - - - - - - - - - - - - - \
 | We live in the short term,   | org dot teardrop at sno  |
 | and hope for the best.       | I am Geek. Hear me ^G.   |
 \ - - - - - - - - - - - - - - - - - - - - - - - - - - - /

From owner-freebsd-security Mon Aug 31 05:57:28 1998
From: Zahemszky Gabor
Message-Id: <199808310943.LAA00544@CoDe.hu>
Subject: Re: Shell history
In-Reply-To: <3.0.3.32.19980829153814.0076e548@207.227.119.2> from "Jeffrey J. Mountin" at "Aug 29, 98 03:38:14 pm"
To: freebsd.org!freebsd-security@zg.CoDe.hu
Date: Mon, 31 Aug 1998 11:43:15 +0200 (CEST)

> >> Sort of an automated chroot thing you can't bypass I guess.
> >
> >Build a chrooted area with /etc, /bin, /usr/bin, /usr/lib, /usr/libexec
> >files which are necessary.
> >Change inetd to run telnetd.sh and have telnetd.sh do:
> >
> >-----
> >#!/bin/sh
> >cd /newroot
> >exec /usr/sbin/chroot . /usr/libexec/telnetd
> >-----
> >
> >Danny
>
> This means that there would be a common area for all shell users and I'd
> wonder if root would be restricted to console and ssh perhaps.

In some AT&T Unices (HP, if I know well), this is the job of login: if that user has a star ``*'' as shell (the /etc/passwd line of that user is like:
	user:passwd:uid:gid:gcos:home:*
), then login chroots to home and starts another login, with an /etc/passwd in that chrooted environment. Well, that way, that user has to type two login/passwd sequences, but I think it's not a bad idea.

ZGabor at CoDe dot HU

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Mon Aug 31 06:07:53 1998
From: Don Lewis
Message-Id: <199808311306.GAA27281@salsa.gv.tsc.tdk.com>
Date: Mon, 31 Aug 1998 06:06:36 -0700
In-Reply-To: Tristan Horn "FreeBSD's RST validation" (Aug 30, 5:21pm)
To: Tristan Horn, BUGTRAQ@netspace.org, security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation

On Aug 30, 5:21pm, Tristan Horn wrote:
} Subject: FreeBSD's RST validation
}
} RFC 793, pages 36-39 (chapter 3.5) describes closing connections with
} TCP. Page 37 is of particular interest:
}
}   Reset Processing
}
}   In all states except SYN-SENT, all reset (RST) segments are validated
}   by checking their SEQ-fields. A reset is valid if its sequence number
}   is in the window. In the SYN-SENT state (a RST received in response
}   to an initial SYN), the RST is acceptable if the ACK field
}   acknowledges the SYN.
}
} Unfortunately, FreeBSD (2.2.5, 2.2.6, 2.2.7, 3.0) does not appear to
} validate RST segments to this extent. In other words, only the packets'
} IP/port pairs are checked.

Back in December 1997, I posted the following patch for the LAND attack and also implemented stricter RST validation. The variation of the LAND fix in the first two chunks of this patch was implemented (you'll have to look carefully at the code to find the second chunk), but I don't believe the rest of the fixes in this patch were applied.

I've been running a version of this patch altered for 2.1.x since December without problems. If you remove the first two chunks of this patch, it will apply cleanly to the 2.2-stable version of tcp_input.c, though I have no idea if it will work ...

----------------- Cut Here --------------------------
--- tcp_input.c.2_2 Mon Dec 1 16:49:21 1997
+++ tcp_input.c Wed Dec 3 02:21:45 1997
@@ -318,19 +318,6 @@ #endif /* TUBA_INCLUDE */ /* - * Reject attempted self-connects. XXX This actually masks - * a bug elsewhere, since self-connect should work. - * However, a urrently-active DoS attack in the Internet - * sends a phony self-connect request which causes an infinite - * loop. - */ - if (ti->ti_src.s_addr == ti->ti_dst.s_addr - && ti->ti_sport == ti->ti_dport) { - tcpstat.tcps_badsyn++; - goto drop; - } - - /* * Check that TCP offset makes sense, * pull out TCP options and adjust length. XXX */ @@ -654,6 +641,24 @@ if (m->m_flags & (M_BCAST|M_MCAST) || IN_MULTICAST(ntohl(ti->ti_dst.s_addr))) goto drop; + + /* + * Reject attempted self-connects. + * + * Doing the test here should prevent the "LAND" DoS + * attack without affecting legitimate self-connects + * which will occur in the SYN-SENT state. + * + * In the dropafterack code below we'll also fix the real + * bug in the SYN-RECEIVED state that causes the infinite + * loop since it can also be used to generate ACK storms. + */ + if (ti->ti_src.s_addr == ti->ti_dst.s_addr + && ti->ti_sport == ti->ti_dport) { + tcpstat.tcps_badsyn++; + goto drop; + } + am = m_get(M_DONTWAIT, MT_SONAME); /* XXX */ if (am == NULL) goto drop; 
@@ -962,17 +967,99 @@ /* * States other than LISTEN or SYN_SENT. - * First check timestamp, if present. + * First check the RST flag and sequence number since reset segments + * are exempt from the timestamp and connection count tests. This + * fixes a bug introduced by the Stevens, vol. 2, p. 960 bugfix + * below which allowed reset segments in half the sequence space + * to fall though and be processed (which gives forged reset + * segments with a random sequence number a 50 percent chance of + * killing a connection). + * Then check timestamp, if present. * Then check the connection count, if present. * Then check that at least some bytes of segment are within * receive window. If segment begins before rcv_nxt, * drop leading data (and SYN); if nothing left, just ack. * + * + * If the RST bit is set, check the sequence number to see + * if this is a valid reset segment. + * RFC 793 page 37: + * In all states except SYN-SENT, all reset (RST) segments + * are validated by checking their SEQ-fields. A reset is + * valid if its sequence number is in the window. + * Note: this does not take into account delayed ACKs, so + * we should test against last_ack_sent instead of rcv_nxt. + * Also, it does not make sense to allow reset segments with + * sequence numbers greater than last_ack_sent to be processed + * since these sequence numbers are just the acknowledgement + * numbers in our outgoing packets being echoed back at us, + * and these acknowledgement numbers are monotonically + * increasing. + * If we have multiple segments in flight, the intial reset + * segment sequence numbers will be to the left of last_ack_sent, + * but they will eventually catch up. + * In any case, it never made sense to trim reset segments to + * fit the receive window since RFC 1122 says: + * 4.2.2.12 RST Segment: RFC-793 Section 3.4 + * + * A TCP SHOULD allow a received RST segment to include data. 
+ * + * DISCUSSION + * It has been suggested that a RST segment could contain + * ASCII text that encoded and explained the cause of the + * RST. No standard has yet been established for such + * data. + * + * If the reset segment passes the sequence number test examine + * the state: + * SYN_RECEIVED STATE: + * If passive open, return to LISTEN state. + * If active open, inform user that connection was refused. + * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: + * Inform user that connection was reset, and close tcb. + * CLOSING, LAST_ACK, TIME_WAIT STATES + * Close the tcb. + * TIME_WAIT state: + * Drop the segment - see Stevens, vol. 2, p. 964 and + * RFC 1337. + */ + if (tiflags&TH_RST) { + if (tp->last_ack_sent == ti->ti_seq) { + switch (tp->t_state) { + + case TCPS_SYN_RECEIVED: + so->so_error = ECONNREFUSED; + goto close; + + case TCPS_ESTABLISHED: + case TCPS_FIN_WAIT_1: + case TCPS_FIN_WAIT_2: + case TCPS_CLOSE_WAIT: + so->so_error = ECONNRESET; + close: + tp->t_state = TCPS_CLOSED; + tcpstat.tcps_drops++; + tp = tcp_close(tp); + break; + + case TCPS_CLOSING: + case TCPS_LAST_ACK: + tp = tcp_close(tp); + break; + + case TCPS_TIME_WAIT: + break; + } + } + goto drop; + } + + /* * RFC 1323 PAWS: If we have a timestamp reply on this segment * and it's less than ts_recent, drop it. */ - if ((to.to_flag & TOF_TS) != 0 && (tiflags & TH_RST) == 0 && - tp->ts_recent && TSTMP_LT(to.to_tsval, tp->ts_recent)) { + if ((to.to_flag & TOF_TS) != 0 && tp->ts_recent && + TSTMP_LT(to.to_tsval, tp->ts_recent)) { /* Check to see if ts_recent is over 24 days old. */ if ((int)(tcp_now - tp->ts_recent_age) > TCP_PAWS_IDLE) { 
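Review bot: the state list in the new comment contradicts the code for TIME_WAIT: it says "CLOSING, LAST_ACK, TIME_WAIT STATES: Close the tcb" and then "TIME_WAIT state: Drop the segment", while the switch does `case TCPS_TIME_WAIT: break;` followed by `goto drop`, so drop TIME_WAIT from the first group. Two more things belong in the comment rather than left implicit: `tp->last_ack_sent == ti->ti_seq` is an exact match, stricter than the RFC 793 "in the window" text quoted just above it, so a RST elsewhere in the window is now dropped instead of trimmed and processed; and removing `(tiflags & TH_RST) == 0` from the PAWS condition is only safe because every RST has already taken the `goto drop` above, so those two edits must always move together.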
@@ -1003,10 +1090,19 @@ * RST segments do not have to comply with this. */ if ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) == (TF_REQ_CC|TF_RCVD_CC) && - ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc) && - (tiflags & TH_RST) == 0) + ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc)) goto dropafterack; + /* + * In the SYN-RECEIVED state, validate that the packet belongs to + * this connection before trimming the data to fit the receive + * window. Check the sequence number versus IRS since we know + * the sequence numbers haven't wrapped. This is a partial fix + * for the "LAND" DoS attack. + */ + if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(ti->ti_seq, tp->irs)) + goto dropwithreset; + todrop = tp->rcv_nxt - ti->ti_seq; if (todrop > 0) { if (tiflags & TH_SYN) { @@ -1118,40 +1214,6 @@ } /* - * If the RST bit is set examine the state: - * SYN_RECEIVED STATE: - * If passive open, return to LISTEN state. - * If active open, inform user that connection was refused. - * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: - * Inform user that connection was reset, and close tcb. - * CLOSING, LAST_ACK, TIME_WAIT STATES - * Close the tcb. - */ - if (tiflags&TH_RST) switch (tp->t_state) { - - case TCPS_SYN_RECEIVED: - so->so_error = ECONNREFUSED; - goto close; - - case TCPS_ESTABLISHED: - case TCPS_FIN_WAIT_1: - case TCPS_FIN_WAIT_2: - case TCPS_CLOSE_WAIT: - so->so_error = ECONNRESET; - close: - tp->t_state = TCPS_CLOSED; - tcpstat.tcps_drops++; - tp = tcp_close(tp); - goto drop; - - case TCPS_CLOSING: - case TCPS_LAST_ACK: - case TCPS_TIME_WAIT: - tp = tcp_close(tp); - goto drop; - } - - /* * If a SYN is in the window, then this is an * error and we send an RST and drop the connection. */ 
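Review bot: `if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(ti->ti_seq, tp->irs)) goto dropwithreset;` answers a segment that fails the check with a RST to whatever source address the segment carried; the comment should say why a reset rather than a silent `goto drop` is wanted here, given that the LAND case it targets is by definition a forged source. The justification "we know the sequence numbers haven't wrapped" also deserves a sentence: it holds only because a connection spends little time in SYN-RECEIVED. In the second hunk the removed switch closed the tcb in TIME_WAIT, whereas the replacement earlier in the patch drops the segment in that state; that is a behaviour change relative to the old code and belongs in the commit message as well as in the RFC 1337 comment.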
@@ -1660,9 +1722,22 @@ /* * Generate an ACK dropping incoming segment if it occupies * sequence space, where the ACK reflects our state. - */ - if (tiflags & TH_RST) - goto drop; + * + * We can now skip the test for the RST flag since all + * paths to this code happen after packets containing + * RST have been dropped. + * + * In the SYN-RECEIVED state, don't send an ACK unless the + * segment we received passes the SYN-RECEIVED ACK test. + * If it fails send a RST. This breaks the loop in the + * "LAND" DoS attack, and also prevents an ACK storm + * between two listening ports that have been sent forged + * SYN segments, each with the source address of the other. + */ + if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && + (SEQ_GT(tp->snd_una, ti->ti_ack) || + SEQ_GT(ti->ti_ack, tp->snd_max)) ) + goto dropwithreset; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0);
----------------- Cut Here --------------------------

From owner-freebsd-security Mon Aug 31 08:40:46 1998
Message-ID: <35EAC3B6.258A308D@infowest.com>
Date: Mon, 31 Aug 1998 09:39:34 -0600
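Review bot: `- if (tiflags & TH_RST) - goto drop;` is removed on the strength of the new comment "all paths to this code happen after packets containing RST have been dropped", an invariant maintained by a different hunk; the test costs one branch and protects against a later reordering of the input path, so keep it (a comment saying it is expected to be unreachable is enough). The new SYN-RECEIVED condition `SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)` repeats the "SYN-RECEIVED ACK test" the comment refers to; a shared macro would keep the two copies from drifting apart.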
From: "Aaron D. Gifford"
To: security@FreeBSD.ORG
Subject: Re: Shell history
References: <199808310943.LAA00544@CoDe.hu>

Somebody said:
> > >> Sort of an automated chroot thing you can't bypass I guess.

And Danny responded:
> > >Build a chrooted area with /etc, /bin, /usr/bin, /usr/lib, /usr/libexec
> > >files which are necessary.
> > >Change inetd to run telnetd.sh and have telnetd.sh do:
> > >
> > >-----
> > >#!/bin/sh
> > >cd /newroot
> > >exec /usr/sbin/chroot . /usr/libexec/telnetd
> > >-----
> > >
> > >Danny

And a third party replied:
> > This means that there would be a common area for all shell users and I'd
> > wonder if root would be restricted to console and ssh perhaps.

Then Zahemszky Gabor informed:
> In some AT&T Unices (HP, if I know well), this is the job of login:
> if that user has a star ``*'' as shell (the /etc/passwd line of that user
> is like:
> user:passwd:uid:gid:gcos:home:*
> ),
> then login chroots to home and starts another login, with an /etc/passwd in
> that chrooted environment. Well, that way, that user has to type
> two login/passwd sequences, but I think it's not a bad idea.

I had to set up a chrooted area for a few users recently, so I wrote a shell wrapper, chrsh. It chroots to the chroot jail then runs a shell or whatever within the jail. See http://www.eq.net/software/chrsh.html for more info. 'Tis FreeBSD specific. It let me specify which users I wanted chrooted and which I did not, and it lets the users login via telnet or ssh or whatever.

Aaron out.
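Added example, not chrsh's code and not from any of the posts above: a small C wrapper that uses Gabor's "*" shell-field convention as the per-user switch and then does what Aaron describes chrsh doing (chroot into the home directory, drop privileges, run a shell inside). The function names and the sample passwd lines are assumptions made for the example.

```c
/* starjail.c: an added example for this thread, not code from chrsh, the AT&T/HP
 * login Gabor describes, or FreeBSD. It joins the two ideas: the "shell field is
 * *" passwd marker as the per-user switch, and a chrsh-style wrapper that chroots
 * into $HOME, drops privileges and runs a shell inside. Names here are invented. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

struct pwent {
    char name[64], home[256], shell[256];
    uid_t uid; gid_t gid;
};

/* Parse one "user:passwd:uid:gid:gcos:home:shell" line into *pw. Returns 0 on
 * success, -1 for anything but exactly seven fields with numeric uid/gid.
 * Failing closed matters: this entry decides whether the user is confined, so
 * a malformed line must never come out as shell "" or home "". */
int parse_passwd_line(const char *line, struct pwent *pw)
{
    char buf[1024], *f[7], *p, *c = NULL, *end;
    long uid, gid;
    int n = 0;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    for (p = buf; n < 7; p = c + 1) {       /* split on ':' into up to 7 fields */
        f[n++] = p;
        if ((c = strchr(p, ':')) == NULL)
            break;
        *c = '\0';
    }
    if (n != 7 || c != NULL)                /* too few fields, or an eighth one */
        return -1;
    uid = strtol(f[2], &end, 10);
    if (*f[2] == '\0' || *end != '\0' || uid < 0)
        return -1;
    gid = strtol(f[3], &end, 10);
    if (*f[3] == '\0' || *end != '\0' || gid < 0)
        return -1;
    if (strlen(f[0]) >= sizeof pw->name || strlen(f[5]) >= sizeof pw->home ||
        strlen(f[6]) >= sizeof pw->shell)
        return -1;
    strcpy(pw->name, f[0]);
    strcpy(pw->home, f[5]);
    strcpy(pw->shell, f[6]);
    pw->uid = (uid_t)uid;
    pw->gid = (gid_t)gid;
    return 0;
}

/* Gabor's convention: jail exactly when the shell field is "*". A relative or
 * empty home is refused too, since chroot("jail") would confine the user
 * relative to the wrapper's current directory rather than the intended tree. */
int wants_jail(const struct pwent *pw)
{
    return strcmp(pw->shell, "*") == 0 && pw->home[0] == '/';
}

/* Confine the calling process (needs root): chroot, then chdir("/") so the cwd
 * does not linger outside the new root, then shed supplementary groups, gid
 * and uid in that order (uid last: nothing privileged is possible after it).
 * Returns -1 with errno set if any step fails; never exec a shell after that. */
int enter_jail(const struct pwent *pw)
{
    if (chroot(pw->home) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(0, NULL) == -1 || setgid(pw->gid) == -1 || setuid(pw->uid) == -1)
        return -1;
    return 0;
}

/* Usage: starjail 'user:pw:uid:gid:gcos:home:shell' (as root for a "*" entry;
 * the jail must contain /bin/sh). */
int main(int argc, char **argv)
{
    struct pwent pw;
    if (argc != 2 || parse_passwd_line(argv[1], &pw) == -1) {
        fprintf(stderr, "usage: starjail 'user:pw:uid:gid:gcos:home:shell'\n");
        return 2;
    }
    if (!wants_jail(&pw) || geteuid() != 0) {
        puts(wants_jail(&pw) ? "would be jailed, but not running as root"
                             : "normal shell, nothing to do");
        return 0;
    }
    if (enter_jail(&pw) == -1) {
        perror("enter_jail");
        return 1;
    }
    execl("/bin/sh", "-sh", (char *)NULL);  /* login shell at the jail's "/" */
    perror("execl");
    return 1;
}
```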
From owner-freebsd-security Mon Aug 31 08:50:49 1998
Message-ID: <35EAC60C.1E2387BC@infowest.com>
Date: Mon, 31 Aug 1998 09:49:32 -0600
From: "Aaron D. Gifford"
To: security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation
References: <19980830172141.G1186@ethereal.net>

Tristan Horn wrote:
>
> RFC 793, pages 36-39 (chapter 3.5) describes closing connections with
> TCP. Page 37 is of particular interest:
>
>   Reset Processing
>
>   In all states except SYN-SENT, all reset (RST) segments are validated
>   by checking their SEQ-fields. A reset is valid if its sequence number
>   is in the window. In the SYN-SENT state (a RST received in response
>   to an initial SYN), the RST is acceptable if the ACK field
>   acknowledges the SYN.
>
> Unfortunately, FreeBSD (2.2.5, 2.2.6, 2.2.7, 3.0) does not appear to
> validate RST segments to this extent. In other words, only the packets'
> IP/port pairs are checked.
>
> In my limited testing (oddly enough, not many people would consent to
> DoS), Solaris, OSF/1, Linux and Windows 98 appear to conform to RFC 793
> in this regard. I have not yet been able to check NetBSD, OpenBSD, BSDI,
> etc.
>
> This problem gets worse when you bring it to multi-user FreeBSD boxes
> where netstat, systat -net, lsof (if improperly configured) and the like
> can be used to get all IP/port pairs in use. I suggest (especially to
> BEST) that these be chmod g-s or o-x'd until the problem is resolved.
>
> In cases where you only have the port number for one side of the
> connection, exploiting the vulnerability is still fairly trivial. In
> many (most?) cases, port 0 bind()s will start you off at port 1024 and
> increment by one from there. Kudos to the OSes that already use random
> or pseudorandom source ports...
>
> If the target is an IRC server or uses TCP wrappers, chances are that
> you can telnet to it and you'll get a connection back to your ident port.
> This will give you the high port.
>
> IRC in particular will probably be affected, due to the ease of getting
> addresses and such. /stats L even used to give you the port numbers
> for users, servers and listening sockets, but I believe this was fixed
> in /hybrid a while back, and then +CS. /stats c should just be disabled
> for non-opers since it lets people find the port # for autoconnects.
>
> SSH and similar secure sessions are in great danger because ports are
> manually bound to, starting at 1023 and decrementing from there.
>
> BSD exploit code is attached (thanks to those who made land and ported
> it!). Note that 'dstaddr' is where the RST packet is actually sent, so
> it must be the address of a buggy machine.
>
> This (like /many/ other attacks) would be much less of a concern if more
> people did ingress filtering.
>
> TS4 rocks!
>
> Tris

After seeing the above post to BUGTRAQ, I'm now wondering, what's the status of a fix? I didn't bother testing the exploit against my 2.2.7-STABLE (as of the end of July) system -- perhaps I should. Is it already fixed in STABLE?

Curious,
Aaron out.

--
"E, not a minor, Aaron, I'm a tone!"
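As an added example (not from the BUGTRAQ post, from Aaron's reply, or from FreeBSD's tcp_input.c), here is the RFC 793 reset check the post quotes, written in C with the BSD SEQ_* wrap-around macros, alongside the stricter exact-match variant from Don Lewis's patch earlier in the thread. The control-block fields, function names and sample sequence numbers are assumptions.

```c
/* rst_check.c: RFC 793 reset acceptability, as an added illustration for this
 * thread. It is not FreeBSD's tcp_input.c; the control-block and segment
 * structs, the function names and the sample values are invented here. The
 * SEQ_* macros follow the BSD idiom so comparisons survive the 2^32 wrap. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

#define SEQ_LT(a, b)   ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)   ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b)  ((int32_t)((a) - (b)) >= 0)

enum tcp_state { TCPS_SYN_SENT, TCPS_ESTABLISHED };

struct tcb {                  /* the slice of the control block we need */
    enum tcp_state t_state;
    tcp_seq iss;              /* our initial send sequence number */
    tcp_seq snd_max;          /* highest sequence number sent, plus one */
    tcp_seq rcv_nxt;          /* next byte we expect from the peer */
    uint32_t rcv_wnd;         /* receive window we last advertised */
    tcp_seq last_ack_sent;    /* ack number in our most recent outgoing segment */
};

struct seg { tcp_seq seq; tcp_seq ack; int has_ack; };

/* Address/port matching is assumed done already; the thread's point is that
 * the affected kernels stopped there. Returns 1 = honour the RST, 0 = drop. */
int rst_acceptable(const struct tcb *tp, const struct seg *s)
{
    if (tp->t_state == TCPS_SYN_SENT)
        /* RFC 793 p.37: in SYN-SENT the RST counts only if its ACK
         * acknowledges our SYN, i.e. ISS < SEG.ACK <= SND.NXT. */
        return s->has_ack && SEQ_GT(s->ack, tp->iss) &&
               SEQ_LEQ(s->ack, tp->snd_max);
    /* All other states: SEG.SEQ must lie in the receive window. With a zero
     * window nothing is "inside" it, yet a RST sitting exactly at RCV.NXT is
     * still valid (RFC 793's acceptability table), so a plain range test
     * would wrongly drop every RST on a flow-controlled connection. */
    if (tp->rcv_wnd == 0)
        return s->seq == tp->rcv_nxt;
    return SEQ_GEQ(s->seq, tp->rcv_nxt) &&
           SEQ_LT(s->seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* The stricter rule from Don Lewis's patch earlier in the thread: outside
 * SYN-SENT the RST must carry exactly the ack number we last sent, which is
 * what a well-behaved peer echoes as its sequence number. */
int rst_acceptable_strict(const struct tcb *tp, const struct seg *s)
{
    if (tp->t_state == TCPS_SYN_SENT)
        return rst_acceptable(tp, s);
    return s->seq == tp->last_ack_sent;
}

/* One-call wrappers so a test case fits on one line. */
int check_rst(enum tcp_state st, tcp_seq iss, tcp_seq snd_max, tcp_seq rcv_nxt,
              uint32_t rcv_wnd, tcp_seq seq, tcp_seq ack, int has_ack)
{
    struct tcb tp = { st, iss, snd_max, rcv_nxt, rcv_wnd, rcv_nxt };
    struct seg s = { seq, ack, has_ack };
    return rst_acceptable(&tp, &s);
}

int check_rst_strict(tcp_seq rcv_nxt, uint32_t rcv_wnd, tcp_seq last_ack_sent,
                     tcp_seq seq)
{
    struct tcb tp = { TCPS_ESTABLISHED, 0, 0, rcv_nxt, rcv_wnd, last_ack_sent };
    struct seg s = { seq, 0, 0 };
    return rst_acceptable_strict(&tp, &s);
}

int main(void)
{
    /* Constructed established connection whose 1024-byte window straddles
     * the sequence-number wrap, plus a SYN-SENT connection with ISS 5000. */
    tcp_seq nxt = 0xFFFFFF00u;
    printf("in-window RST past the wrap:     %d\n",
           check_rst(TCPS_ESTABLISHED, 0, 0, nxt, 1024, 0x10, 0, 0));
    printf("blind RST with random seq:       %d\n",
           check_rst(TCPS_ESTABLISHED, 0, 0, nxt, 1024, 0x12345678u, 0, 0));
    printf("zero window, seq == rcv_nxt:     %d\n",
           check_rst(TCPS_ESTABLISHED, 0, 0, 1000, 0, 1000, 0, 0));
    printf("SYN-SENT, ACK covers our SYN:    %d\n",
           check_rst(TCPS_SYN_SENT, 5000, 5001, 0, 0, 0, 5001, 1));
    printf("SYN-SENT, ACK does not:          %d\n",
           check_rst(TCPS_SYN_SENT, 5000, 5001, 0, 0, 0, 5000, 1));
    printf("strict: in window, not last ack: %d\n",
           check_rst_strict(1000, 1024, 1000, 1500));
    return 0;
}
```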
From owner-freebsd-security Mon Aug 31 11:25:53 1998
Message-Id: <199808311824.LAA24622@stennis.ca.sandia.gov>
To: Don Lewis
cc: Tristan Horn, BUGTRAQ@netspace.org, security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation
In-reply-to: Your message of "Mon, 31 Aug 1998 06:06:36 PDT." <199808311306.GAA27281@salsa.gv.tsc.tdk.com>
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-to: bmah@CA.Sandia.GOV
Date: Mon, 31 Aug 1998 11:24:36 -0700

If memory serves me right, Don Lewis wrote:

> Back in December 1997, I posted the following patch for the LAND attack
> and also implemented stricter RST validation. The variation of the
> LAND fix in the first two chunks of this patch was implemented (you'll
> have to look carefully at the code to find the second chunk), but I don't
> believe the rest of the fixes in this patch were applied.
>
> I've been running a version of this patch altered for 2.1.x since December
> without problems. If you remove the first two chunks of this patch, it
> will apply cleanly to the 2.2-stable version of tcp_input.c, though I have
> no idea if it will work ...

[snip]

Personally, I had something a little less radical in mind. Here's some context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to security-officer@freebsd.org last night after some quick testing.

Now someone can tell me why this isn't the right solution. :-)

Bruce.

-----8<-----snip-----8<-----

*** tcp_input.c-dist Mon May 18 10:12:44 1998
--- tcp_input.c Sun Aug 30 21:22:32 1998
*************** *** 809,815 **** goto dropwithreset; } if (tiflags & TH_RST) { ! if (tiflags & TH_ACK) tp = tcp_drop(tp, ECONNREFUSED); goto drop; } --- 809,818 ---- goto dropwithreset; } if (tiflags & TH_RST) { ! if ((tiflags & TH_ACK) && ! /* XXX outside window? XXX */ ! (SEQ_GT(ti->ti_ack, tp->iss) && !
SEQ_LEQ(ti->ti_ack, tp->snd_max))) tp = tcp_drop(tp, ECONNREFUSED); goto drop; } *************** *** 1147,1152 **** --- 1150,1159 ---- case TCPS_FIN_WAIT_1: case TCPS_FIN_WAIT_2: case TCPS_CLOSE_WAIT: + /* XXX outside window? XXX */ + if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) || + SEQ_LT(ti->ti_seq, tp->rcv_nxt)) + goto drop; so->so_error = ECONNRESET; close: tp->t_state = TCPS_CLOSED;

From owner-freebsd-security Mon Aug 31 11:56:54 1998
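Review bot: in the second hunk, `SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) || SEQ_LT(ti->ti_seq, tp->rcv_nxt)` drops every RST once the advertised window is zero: with rcv_wnd == 0 the first term is true even for seq == rcv_nxt, so a peer resetting a flow-controlled connection is ignored. RFC 793's acceptability rule for RCV.WND = 0 is SEG.SEQ = RCV.NXT, so add a rcv_wnd == 0 special case. The check is also inserted only under the FIN_WAIT_1/FIN_WAIT_2/CLOSE_WAIT labels (plus whatever falls through into them), leaving the SYN_RECEIVED, CLOSING, LAST_ACK and TIME_WAIT arms of the same switch (visible in the block Don Lewis's patch removes, above) unvalidated; and both `/* XXX outside window? XXX */` comments should state what is tested rather than pose the question.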
From: Don Lewis
Message-Id: <199808311855.LAA28095@salsa.gv.tsc.tdk.com>
Date: Mon, 31 Aug 1998 11:55:07 -0700
In-Reply-To: bmah@CA.Sandia.GOV (Bruce A. Mah) "Re: FreeBSD's RST validation" (Aug 31, 11:24am)
To: bmah@CA.Sandia.GOV
Subject: Re: FreeBSD's RST validation
Cc: Tristan Horn, BUGTRAQ@netspace.org, security@FreeBSD.ORG

On Aug 31, 11:24am, Bruce A. Mah wrote:
} Subject: Re: FreeBSD's RST validation
}
} Personally, I had something a little less radical in mind.  Here's some
} context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to
} security-officer@freebsd.org last night after some quick testing.
}
} Now someone can tell me why this isn't the right solution.  :-)
}
} Bruce.
}
} -----8<-----snip-----8<-----
}
} *** tcp_input.c-dist    Mon May 18 10:12:44 1998
} --- tcp_input.c Sun Aug 30 21:22:32 1998
} ***************
} *** 809,815 ****
}           goto dropwithreset;
}       }
}       if (tiflags & TH_RST) {
} !         if (tiflags & TH_ACK)
}               tp = tcp_drop(tp, ECONNREFUSED);
}           goto drop;
}       }
} --- 809,818 ----
}           goto dropwithreset;
}       }
}       if (tiflags & TH_RST) {
} !         if ((tiflags & TH_ACK) &&
} !             /* XXX outside window? XXX */
} !             (SEQ_GT(ti->ti_ack, tp->iss) &&
} !              SEQ_LEQ(ti->ti_ack, tp->snd_max)))
}               tp = tcp_drop(tp, ECONNREFUSED);
}           goto drop;
}       }

As more data is sent across the connection, the wider the window for
a spoofed RST opens.  Once you send 2 GB, legitimate RSTs no longer
work.  You should probably be comparing against tp->snd_una instead
of tp->iss.

} ***************
} *** 1147,1152 ****
} --- 1150,1159 ----
}       case TCPS_FIN_WAIT_1:
}       case TCPS_FIN_WAIT_2:
}       case TCPS_CLOSE_WAIT:
} +         /* XXX outside window? XXX */
} +         if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
} +             SEQ_LT(ti->ti_seq, tp->rcv_nxt))
} +             goto drop;
}           so->so_error = ECONNRESET;
}       close:
}           tp->t_state = TCPS_CLOSED;

Message-Id: <199808312026.NAA24999@stennis.ca.sandia.gov>
To: Don Lewis
cc: bmah@california.sandia.gov, Tristan Horn, BUGTRAQ@netspace.org, security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation
In-reply-to: Your message of "Mon, 31 Aug 1998 11:55:07 PDT." <199808311855.LAA28095@salsa.gv.tsc.tdk.com>
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Date: Mon, 31 Aug 1998 13:26:28 -0700

If memory serves me right, Don Lewis wrote:
> On Aug 31, 11:24am, Bruce A. Mah wrote:

[snip]

> }       if (tiflags & TH_RST) {
> } !         if ((tiflags & TH_ACK) &&
> } !             /* XXX outside window? XXX */
> } !             (SEQ_GT(ti->ti_ack, tp->iss) &&
> } !              SEQ_LEQ(ti->ti_ack, tp->snd_max)))
> }               tp = tcp_drop(tp, ECONNREFUSED);
> }           goto drop;
> }       }
>
> As more data is sent across the connection, the wider the window for
> a spoofed RST opens.  Once you send 2 GB, legitimate RSTs no longer
> work.  You should probably be comparing against tp->snd_una instead
> of tp->iss.

Hmmm.  I was thinking specifically of the problem that with a RST arriving for
a connection in SYN_SENT, the ACK in the RST-bearing segment has to
acknowledge the initial SYN (thus, a test against tp->iss).  I hadn't thought
that the ever-increasing difference between tp->snd_una and tp->iss would be a
problem, since at this point in the code, we know that the receiving end of
the connection is in SYN_SENT, as opposed to, say, ESTABLISHED.  Shouldn't
(tp->snd_una == tp->iss) in this state, in which case, either would do?  (Not
trying to split hairs, but just trying to learn a little more.)

Thanks,

Bruce.
From: Don Lewis
Message-Id: <199808312156.OAA28434@salsa.gv.tsc.tdk.com>
Date: Mon, 31 Aug 1998 14:56:55 -0700
In-Reply-To: bmah@CA.Sandia.GOV (Bruce A. Mah) "Re: FreeBSD's RST validation" (Aug 31, 1:26pm)
To: bmah@CA.Sandia.GOV, Don Lewis
Subject: Re: FreeBSD's RST validation
Cc: BUGTRAQ@netspace.org, security@FreeBSD.ORG

On Aug 31, 1:26pm, Bruce A. Mah wrote:
} Subject: Re: FreeBSD's RST validation
} If memory serves me right, Don Lewis wrote:
}
} > On Aug 31, 11:24am, Bruce A. Mah wrote:
}
} [snip]
}
} > }       if (tiflags & TH_RST) {
} > } !         if ((tiflags & TH_ACK) &&
} > } !             /* XXX outside window? XXX */
} > } !             (SEQ_GT(ti->ti_ack, tp->iss) &&
} > } !              SEQ_LEQ(ti->ti_ack, tp->snd_max)))
} > }               tp = tcp_drop(tp, ECONNREFUSED);
} > }           goto drop;
} > }       }
} >
} > As more data is sent across the connection, the wider the window for
} > a spoofed RST opens.  Once you send 2 GB, legitimate RSTs no longer
} > work.  You should probably be comparing against tp->snd_una instead
} > of tp->iss.
}
} Hmmm.  I was thinking specifically of the problem that with a RST arriving for
} a connection in SYN_SENT, the ACK in the RST-bearing segment has to
} acknowledge the initial SYN (thus, a test against tp->iss).  I hadn't thought
} that the ever-increasing difference between tp->snd_una and tp->iss would be a
} problem, since at this point in the code, we know that the receiving end of
} the connection is in SYN_SENT, as opposed to, say, ESTABLISHED.  Shouldn't
} (tp->snd_una == tp->iss) in this state, in which case, either would do?  (Not
} trying to split hairs, but just trying to learn a little more.)

Hmn, it's been a while since I looked at this stuff.  Yup, I didn't notice
that this was the SYN_SENT state and was thinking this was ESTABLISHED.
Now that I look at this change some more, I think your added tests are
a NOP because of the code just above this:

    if ((tiflags & TH_ACK) &&
        (SEQ_LEQ(ti->ti_ack, tp->iss) ||
         SEQ_GT(ti->ti_ack, tp->snd_max))) {
        [ snip comment ]
        if (taop->tao_ccsent != 0)
            goto drop;
        else
            goto dropwithreset;

If the ACK is outside the window, the packet will already have been
dropped before we even look for the RST flag.

Message-Id: <199809010258.TAA26568@stennis.ca.sandia.gov>
To: Don Lewis
cc: bmah@california.sandia.gov, BUGTRAQ@netspace.org, security@FreeBSD.ORG
Subject: Re: FreeBSD's RST validation
In-reply-to: Your message of "Mon, 31 Aug 1998 14:56:55 PDT." <199808312156.OAA28434@salsa.gv.tsc.tdk.com>
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Date: Mon, 31 Aug 1998 19:58:16 -0700

If memory serves me right, Don Lewis wrote:
> Now that I look at this change some more, I think your added tests are
> a NOP because of the code just above this:
>
>     if ((tiflags & TH_ACK) &&
>         (SEQ_LEQ(ti->ti_ack, tp->iss) ||
>          SEQ_GT(ti->ti_ack, tp->snd_max))) {
>         [ snip comment ]
>         if (taop->tao_ccsent != 0)
>             goto drop;
>         else
>             goto dropwithreset;
>
> If the ACK is outside the window, the packet will already have been
> dropped before we even look for the RST flag.

Ah, yes.  You're absolutely right.  So it appears only the second of the
original patches is useful (if it's correct, that is).

This was a good day for me...I learned something.  Thanks!

Bruce.

Message-Id: <199809010500.WAA18524@hub.freebsd.org>
From: Darren Reed
Subject: Re: FreeBSD's RST validation
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Tue, 1 Sep 1998 14:59:23 +1000 (EST)
Cc: security@FreeBSD.ORG
In-Reply-To: <199808312156.OAA28434@salsa.gv.tsc.tdk.com> from "Don Lewis" at Aug 31, 98 02:56:55 pm

Sigh, the correct patch is in the mail archives somewhere (either hackers
or here).  Just do the same as what NetBSD did.

Darren

In some mail from Bruce A. Mah, sie said:
>
> If memory serves me right, Don Lewis wrote:
>
> > Back in December 1997, I posted the following patch for the LAND attack
> > and also implemented stricter RST validation.  The variation of the
> > LAND fix in the first two chunks of this patch was implemented (you'll
> > have to look carefully at the code to find the second chunk), but I don't
> > believe the rest of the fixes in this patch were applied.
> >
> > I've been running a version of this patch altered for 2.1.x since December
> > without problems.  If you remove the first two chunks of this patch, it
> > will apply cleanly to the 2.2-stable version of tcp_input.c, though I have
> > no idea if it will work ...
>
> [snip]
>
> Personally, I had something a little less radical in mind.  Here's some
> context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to
> security-officer@freebsd.org last night after some quick testing.
>
> Now someone can tell me why this isn't the right solution.  :-)
>
> Bruce.
>
> -----8<-----snip-----8<-----
>
> *** tcp_input.c-dist    Mon May 18 10:12:44 1998
> --- tcp_input.c Sun Aug 30 21:22:32 1998
> ***************
> *** 809,815 ****
>           goto dropwithreset;
>       }
>       if (tiflags & TH_RST) {
> !         if (tiflags & TH_ACK)
>               tp = tcp_drop(tp, ECONNREFUSED);
>           goto drop;
>       }
> --- 809,818 ----
>           goto dropwithreset;
>       }
>       if (tiflags & TH_RST) {
> !         if ((tiflags & TH_ACK) &&
> !             /* XXX outside window? XXX */
> !             (SEQ_GT(ti->ti_ack, tp->iss) &&
> !              SEQ_LEQ(ti->ti_ack, tp->snd_max)))
>               tp = tcp_drop(tp, ECONNREFUSED);
>           goto drop;
>       }
> ***************
> *** 1147,1152 ****
> --- 1150,1159 ----
>       case TCPS_FIN_WAIT_1:
>       case TCPS_FIN_WAIT_2:
>       case TCPS_CLOSE_WAIT:
> +         /* XXX outside window? XXX */
> +         if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
> +             SEQ_LT(ti->ti_seq, tp->rcv_nxt))
> +             goto drop;
>           so->so_error = ECONNRESET;
>       close:
>           tp->t_state = TCPS_CLOSED;

Date: Wed, 2 Sep 1998 21:14:45 -0500 (CDT)
From: Phil Gilley
To: freebsd-security@FreeBSD.ORG
Subject: securelevel variable in /etc/rc.conf

Why isn't there a securelevel variable in /etc/rc.conf?  If it's
because one should change the securelevel before /etc/rc sucks in
/etc/rc.conf, how about placing a comment in /etc/rc to the effect
of "change securelevel here."

Phil Gilley
pgilley@metronet.com

Date: Wed, 2 Sep 1998 22:20:51 -0700 (PDT)
From: "Jan B. Koum"
To: Phil Gilley
cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel variable in /etc/rc.conf

There is one in 3.0:

kern_securelevel_enable="NO"    # kernel security level (see init(8)),
kern_securelevel="-1"           # range: -1..2 ; `-1' is the most insecure

-- Yan

"Twenty years from now you will be more disappointed by the things you
didn't do than by the things you did do.  So throw off the bowlines.  Sail
away from the safe harbor.  Catch the trade winds in your sails.  Explore.
Dream.  Discover."  Mark Twain

On Wed, 2 Sep 1998, Phil Gilley wrote:

>Why isn't there a securelevel variable in /etc/rc.conf?  If it's
>because one should change the securelevel before /etc/rc sucks in
>/etc/rc.conf, how about placing a comment in /etc/rc to the effect
>of "change securelevel here."
>
>Phil Gilley
>pgilley@metronet.com
From: "desiertos"
Subject: login.conf
Date: Thu, 3 Sep 1998 12:54:19 -0600
Message-Id: <18575635463554@imparcial.com.mx>

Some troubles with my login.conf; it doesn't appear to do any resource
limits or accounting.  All of my users are classified as 'standard' in my
password file.  My login.conf, this is it:

#
# standard - standard user defaults
#
standard:\
        :accounted=true:\
        :bootfull=true:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,EDITOR=/usr/bin/ee:\
        :path=~/bin /bin /usr/bin /usr/local/bin:\
        :manpath=/usr/share/man /usr/local/man:\
        :nologin=/etc/nologin:\
        :cputime=1h30m:\
        :datasize=8M:\
        :stacksize=2M:\
        :memorylocked=4M:\
        :memoryuse=8M:\
        :filesize=8M:\
        :coredumpsize=8M:\
        :openfiles=24:\
        :maxproc=32:\
        :priority=0:\
        :requirehome:\
        :passwordperiod=90d:\
        :umask=002:\
        :ignoretime@:\

This is what I added at the end of these lines:

        :idletime=2m:\
        :monthtime=24h:\
        :sessiontime=30m:\
        :sessionlimit=1:\
        :tc=default:

Yes, I did: cap_mkdb /etc/login.conf

In my /etc/rc.conf, I did:

check_quotas="YES"              # Check quotas (or NO).
accounting_enable="YES"         # Turn on process accounting (or NO).

Users don't get disconnected when 2 minutes idle, don't have 24 hours a
month, and so on.  What the heck am I missing?  hehe...
From: Don Lewis
Message-Id: <199809032202.PAA05032@salsa.gv.tsc.tdk.com>
Date: Thu, 3 Sep 1998 15:02:06 -0700
In-Reply-To: "Bruce A. Mah" "Re: FreeBSD's RST validation" (Aug 31, 7:58pm)
To: bmah@CA.Sandia.GOV, BUGTRAQ@netspace.org
Subject: Re: FreeBSD's RST validation
Cc: security@FreeBSD.ORG

On Aug 31, 7:58pm, "Bruce A. Mah" wrote:
} Subject: Re: FreeBSD's RST validation
} If memory serves me right, Don Lewis wrote:
}
} > Now that I look at this change some more, I think your added tests are
} > a NOP because of the code just above this:
} >
} >     if ((tiflags & TH_ACK) &&
} >         (SEQ_LEQ(ti->ti_ack, tp->iss) ||
} >          SEQ_GT(ti->ti_ack, tp->snd_max))) {
} >         [ snip comment ]
} >         if (taop->tao_ccsent != 0)
} >             goto drop;
} >         else
} >             goto dropwithreset;
} >
} > If the ACK is outside the window, the packet will already have been
} > dropped before we even look for the RST flag.
}
} Ah, yes.  You're absolutely right.  So it appears only the second of the
} original patches is useful (if it's correct, that is).

Alas, the second part won't work either.  The reason is that earlier in
tcp_input() the code that trims the packet to fit the window adjusts the
sequence number.

    todrop = tp->rcv_nxt - ti->ti_seq;
    if (todrop > 0) {
        [snip]
        m_adj(m, todrop);
        ti->ti_seq += todrop;
        ti->ti_len -= todrop;
        [snip]
    }

so if the sequence number is less than rcv_nxt, it will always be set to
rcv_nxt by the time this code gets through with it.

***************
*** 1147,1152 ****
--- 1150,1159 ----
      case TCPS_FIN_WAIT_1:
      case TCPS_FIN_WAIT_2:
      case TCPS_CLOSE_WAIT:
+         /* XXX outside window? XXX */
+         if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
+             SEQ_LT(ti->ti_seq, tp->rcv_nxt))
+             goto drop;
          so->so_error = ECONNRESET;
      close:
          tp->t_state = TCPS_CLOSED;

It appears that the RST sequence validation must be done before the packet
is trimmed to fit the window (which my patch does).

Date: Fri, 4 Sep 1998 01:18:56 -0400 (EDT)
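Added example (mine, not code from the thread or from FreeBSD's tcp_input.c): a reduced model of the two checks argued over in the RST validation thread above, showing Don Lewis's 2 GB point about anchoring the ACK test at tp->iss, and why the second hunk's lower-bound test only sees an already-trimmed sequence number unless it runs before the trim. The tcb and seg structures, the constructed sequence numbers, and the trim function (which keeps only the lines Don quoted) are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Modular sequence-number comparison as in the BSD stack: a difference of
 * more than 2^31 wraps negative, which is what makes the 2 GB remark true. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Constructed stand-in for the tcpcb fields the checks touch. */
struct tcb {
    tcp_seq  iss;      /* initial send sequence number */
    tcp_seq  snd_una;  /* oldest byte not yet acknowledged */
    tcp_seq  snd_max;  /* highest sequence number sent so far */
    tcp_seq  rcv_nxt;  /* next sequence number expected from the peer */
    uint32_t rcv_wnd;  /* advertised receive window */
};

/* The two header fields the trim step rewrites. */
struct seg {
    tcp_seq  seq;
    uint32_t len;
};

/* ACK test from the first hunk, anchored at iss.  The accepted range grows
 * with every byte sent, and once snd_max - iss exceeds 2^31 even
 * ack == snd_max fails SEQ_GT(ack, iss): legitimate RSTs stop working. */
int rst_ack_ok_iss(const struct tcb *tp, tcp_seq ack)
{
    return SEQ_GT(ack, tp->iss) && SEQ_LEQ(ack, tp->snd_max);
}

/* Don Lewis's alternative, anchored at snd_una.  Assumption (mine, not the
 * thread's): the lower bound is inclusive, because on an idle connection
 * snd_una == snd_max and the peer's RST carries exactly that ack. */
int rst_ack_ok_una(const struct tcb *tp, tcp_seq ack)
{
    return SEQ_GEQ(ack, tp->snd_una) && SEQ_LEQ(ack, tp->snd_max);
}

/* Sequence test from the second hunk: accept only seq in
 * [rcv_nxt, rcv_nxt + rcv_wnd).  With rcv_wnd == 0 this also rejects
 * seq == rcv_nxt, the one value a RST against a closed window would carry. */
int rst_seq_in_window(const struct tcb *tp, tcp_seq seq)
{
    if (SEQ_GEQ(seq, tp->rcv_nxt + tp->rcv_wnd) || SEQ_LT(seq, tp->rcv_nxt))
        return 0;
    return 1;
}

/* The window-trimming step quoted from tcp_input() above, reduced to the
 * lines shown there: bytes below rcv_nxt are discarded and seq advanced.
 * The snipped SYN/FIN/duplicate handling is left out, so the constructed
 * segments below always carry more than todrop bytes. */
void trim_to_window(const struct tcb *tp, struct seg *s)
{
    int32_t todrop = (int32_t)(tp->rcv_nxt - s->seq);
    if (todrop > 0) {
        s->seq += (uint32_t)todrop;
        s->len -= (uint32_t)todrop;
    }
}

/* Returns 1 if a RST segment would be honoured.  check_first == 0 runs the
 * window test after the trim, where the posted hunk sits; check_first == 1
 * runs it on the sequence number as received, where Don says it has to go. */
int process_rst(const struct tcb *tp, struct seg s, int check_first)
{
    if (check_first && !rst_seq_in_window(tp, s.seq))
        return 0;
    trim_to_window(tp, &s);
    if (!check_first && !rst_seq_in_window(tp, s.seq))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed state: peer is expected at 5000 with a 1000-byte window. */
    struct tcb tp = { 1000, 1000, 1001, 5000, 1000 };
    struct seg stale = { 4000, 1500 };   /* starts 1000 bytes in the past */
    struct seg fresh = { 5500, 0 };      /* inside the window */

    printf("stale RST, check after trim:  %d\n", process_rst(&tp, stale, 0));
    printf("stale RST, check before trim: %d\n", process_rst(&tp, stale, 1));
    printf("in-window RST:                %d\n", process_rst(&tp, fresh, 1));

    /* Same connection after a little over 2 GB has been sent. */
    tp.snd_una = tp.snd_max = 1000u + 2147483648u + 100u;
    printf("ack == snd_max, iss anchor:   %d\n", rst_ack_ok_iss(&tp, tp.snd_max));
    printf("ack == snd_max, una anchor:   %d\n", rst_ack_ok_una(&tp, tp.snd_max));
    return 0;
}
```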
From: Robert Watson
To: freebsd-security@FreeBSD.ORG
Subject: posix capabilities

I would like to implement posix capabilities and possible acls for FreeBSD.
Unfortunately, while I have a link to the page listing the POSIX specs, I
don't know which one is the right one :).  If someone could send me the
exact document name (or spec number) I'll go ahead and order it so I can
give it a try.  (unless jkh wants to mail me a copy?  I'm not an IEEE
member :).

Thanks,

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To: Robert Watson
cc: freebsd-security@FreeBSD.ORG
Subject: Re: posix capabilities
In-reply-to: Your message of "Fri, 04 Sep 1998 01:18:56 EDT."
Date: Thu, 03 Sep 1998 22:57:25 -0700
Message-ID: <3165.904888645@time.cdrom.com>
From: "Jordan K. Hubbard"

> I can give it a try.  (unless jkh wants to mail me a copy?  I'm not an
> IEEE member :).

Neither am I. :)

- Jordan
From: "laurens van alphen"
Subject: small LDA c program requested
Date: Fri, 4 Sep 1998 17:17:20 +0200
Message-ID: <000501bdd817$1c440870$60e65982@uptight.student.utwente.nl>

hi all,

working with cucipop-1.31 and the new vpop features.  there are numerous bugs
in the implementation that i basically fixed.

my next move was a LDA that will deliver the way cucipop wants it:
/var/mail/domain/user:

#!/bin/sh
umask 077
cat - >> /var/mail/${1}/${2}

this indeed works.  all i need now is a port to c for speed and security.
things that need to be added are:

- regex $1 and $2 to match a-z and - and .
- check $1 (directory) exists, if not bail
- check symlinks in $1 and $2 probably?

the sendmail backend is this

/etc/mail/virtusertable:
user@domain:    domain-user

/etc/mail/aliases:
domain-user:    "|/path/to/script domain user"

can i boil this in a sendmail Mmailer?  am i missing something?  can anyone
help?  suggestions welcome

--
laurens van alphen
craxx® e-consultants
alphen@craxx.com
http://craxx.com/

-- the information sent with this e-mail message is intended solely for the
addressee.  use of this information by anyone other than the addressee is
prohibited.  disclosure, reproduction, distribution and/or provision of this
information to third parties is not permitted.  craxx does not guarantee the
correct and complete transmission of the contents of a sent e-mail, nor its
timely receipt.

-- the information contained in this communication is confidential and
may be legally privileged.
it is intended solely for the use of the individual or entity to whom it is
addressed and others authorised to receive it.  if you are not the intended
recipient you are hereby notified that any disclosure, copying, distribution
or taking any action in reliance of the contents of this information is
strictly prohibited and may be unlawful.  craxx is neither liable for the
proper and complete transmission of the information contained in this
communication nor for any delay in its receipt.

Message-ID: <35F19389.D62C0D42@softweyr.com>
Date: Sat, 05 Sep 1998 13:39:53 -0600
From: Wes Peters
Organization: Softweyr LLC
To: "Jordan K. Hubbard"
CC: Robert Watson, freebsd-security@FreeBSD.ORG
Subject: Re: posix capabilities
References: <3165.904888645@time.cdrom.com>

Jordan K. Hubbard wrote:
>
> > I can give it a try.  (unless jkh wants to mail me a copy?  I'm not an
> > IEEE member :).
>
> Neither am I. :)

I'm a member of IEEE CS.  Whadda ya need?

--
       Where am I, and what am I doing in this handbasket?

Wes Peters                                                 +1.801.915.2061
Softweyr LLC                                              wes@softweyr.com

Message-ID: <35F1BBD9.7E2A42F@softweyr.com>
Date: Sat, 05 Sep 1998 16:31:53 -0600
From: Wes Peters
Organization: Softweyr LLC
To: laurens van alphen
CC: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: small LDA c program requested
References: <000501bdd817$1c440870$60e65982@uptight.student.utwente.nl>

laurens van alphen wrote:
>
> hi all,
>
> working with cucipop-1.31 and the new vpop features.  there are numerous bugs
> in the implementation that i basically fixed.
>
> my next move was a LDA that will deliver the way cucipop wants it:
> /var/mail/domain/user:
>
> #!/bin/sh
> umask 077
> cat - >> /var/mail/${1}/${2}
>
> this indeed works.  all i need now is a port to c for speed and security.
> things that need to be added are:

OK, I've hacked up a quick little program to do this.  The error checking is
fairly good, but it could use some logging capabilities.  I've attached a
Berkeley-style copyright, so you're free to extend it if you wish.  If this
is something that is of general interest to cucipop users, let me know so I
can send it to Mr. van den Berg, or at least to the FreeBSD port maintainer.

> - regex $1 and $2 to match a-z and - and .

Got that -- I didn't use regex, it's too expensive in this simple case.  I
assumed you meant A-Z a-z . - for domain and user names.  If not, remove the
uppercase characters from the string validChars in function invalidName.

> - check $1 (directory) exists, if not bail

Got that, too.  I didn't check for writability, since that will happen when
we try to open() the file anyhow.

> - check symlinks in $1 and $2 probably?

I can add that, if you can tell me what you want.  What I have here will
work fine even if both the domain directory and the user file are symlinks;
it is symlink-unaware.

> suggestions welcome

No suggestions, just code.
;^) > -- the information contained in this communication is confidential and > may be legally privileged. it is intended solely for the use of the > individual or entity to whom it is addressed and others authorised to > receive it. if you are not the intended recipient you are hereby notified > that any disclosure, copying, distribution or taking any action in > reliance of the contents of this information is strictly prohibited and > may be unlawful. craxx is either liable for the proper and complete > transmission of the information contained in this communication nor > for any delay in its receipt. This has got to be the most draconian .sig I've ever seen. What, precisely, do you expect to accomplish with this? ;^) Here's the program, for your compiling enjoyment: /*================================================================ * * LDA: a small Local Delivery Agent for email. * *---------------------------------------------------------------- * * Copyright 1998 Softweyr LLC, South Jordan Utah USA. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY SOFTWEYR LLC ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
* IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * *---------------------------------------------------------------- * * Author: Wes Peters, wes@softweyr.com * Date: 3 Sept 1998 * *================================================================*/ #include #include #include #include #include #include #include #include char *programName; void abort(char *why, ...) { va_list ap; fprintf(stderr, "%s: ", programName); va_start(ap, why); vfprintf(stderr, why, ap); va_end(ap); exit(-1); } int invalidName(char *name) { static char *validChars = "ABCDEFGHIJKLMNOPQRSTUVWXYSabcdefghijklmnopqrstuvwxyz-."; if (strlen(name) > NAME_MAX) { return 1; } return strcspn(name, validChars); } int main(int argc, char *argv[]) { char *domain, *user; int fd, nbytes; struct stat S; char mailbox[PATH_MAX + 1]; char buffer[BUFSIZ]; programName = argv[0]; domain = argv[1]; user = argv[2]; /* * Verify we have two arguments, and that they are valid domain/user * names. */ if (argc != 3) { abort("wrong number of arguments.\nusage: %s domain-name user-name", programName); } if (invalidName(argv[1])) { abort("incorrect domain name \"%s\".\n", domain); } if (invalidName(user)) { abort("incorrect user name \"%s\".\n", user); } /* * Make sure the domain directory exists and is writable. 
*/ snprintf(mailbox, PATH_MAX, "/var/mail/%s", domain); if (stat(mailbox, &S) == -1) { abort("Cannot stat domain directory \"%s\".\n", mailbox); } if (!S_ISDIR(S.st_mode)) { abort("Domain directory \"%s\" is NOT a directory.\n", mailbox); } /* * Create the file and prepare to write. */ snprintf(mailbox, PATH_MAX, "/var/mail/%s/%s", domain, user); if ((fd = open(mailbox, O_WRONLY | O_APPEND | O_CREAT, 0600)) < 0) { abort("Cannot open user mailbox \"%s\" for appending.\n", mailbox); } /* * OK, copy stdin until exhausted. */ while ((nbytes = read(STDIN_FILENO, buffer, BUFSIZ)) > 0) { if (write(fd, buffer, nbytes) != nbytes) { abort("Error writing mailbox \"%s\".\n", mailbox); } } close(fd); return 0; } -- Where am I, and what am I doing in this handbasket? Wes Peters +1.801.915.2061 Softweyr LLC wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 4 21:27:29 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA09266 for freebsd-security-outgoing; Fri, 4 Sep 1998 21:27:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from roma.coe.ufrj.br (roma.coe.ufrj.br [146.164.53.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA09255; Fri, 4 Sep 1998 21:27:26 -0700 (PDT) (envelope-from jonny@jonny.eng.br) Received: (from jonny@localhost) by roma.coe.ufrj.br (8.8.8/8.8.8) id BAA20989; Sat, 5 Sep 1998 01:26:07 -0300 (EST) (envelope-from jonny) 
From: Joao Carlos Mendes Luis
Message-Id: <199809050426.BAA20989@roma.coe.ufrj.br>
Subject: Re: small LDA c program requested
In-Reply-To: <35F1BBD9.7E2A42F@softweyr.com> from Wes Peters at "Sep 5, 98 04:31:53 pm"
To: wes@softweyr.com (Wes Peters)
Date: Sat, 5 Sep 1998 01:26:07 -0300 (EST)
Cc: lva@dds.nl, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

#define quoting(Wes Peters)
//     /*
//      * Create the file and prepare to write.
//      */
//     snprintf(mailbox, PATH_MAX, "/var/mail/%s/%s", domain, user);
//     if ((fd = open(mailbox, O_WRONLY | O_APPEND | O_CREAT, 0600)) < 0)
//     {
//         abort("Cannot open user mailbox \"%s\" for appending.\n", mailbox);
//     }
// 
//     /*
//      * OK, copy stdin until exhausted.
//      */
//     while ((nbytes = read(STDIN_FILENO, buffer, BUFSIZ)) > 0)
//     {
//         if (write(fd, buffer, nbytes) != nbytes)
//         {
//             abort("Error writing mailbox \"%s\".\n", mailbox);
//         }
//     }
// 
//     close(fd);
//     return 0;

Shouldn't you lock the file? O_APPEND is only good for atomic writes, IIRC.

Jonny

-- 
Joao Carlos Mendes Luis            M.Sc. Student
jonny@jonny.eng.br                 Universidade Federal do Rio de Janeiro
"There are two major products that come out of Berkeley: LSD and Unix.
 We don't believe this to be a coincidence." -- Jeremy S. Anderson

From owner-freebsd-security Sat Sep 5 00:17:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA23767 for freebsd-security-outgoing; Sat, 5 Sep 1998 00:17:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA23758 for ; Sat, 5 Sep 1998 00:17:14 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199809050717.AAA23758@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA140499718; Sat, 5 Sep 1998 17:15:18 +1000
From: Darren Reed
Subject: Re: FreeBSD's RST validation
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Sat, 5 Sep 1998 17:15:18 +1000 (EST)
Cc: bmah@CA.Sandia.GOV, BUGTRAQ@netspace.org, security@FreeBSD.ORG
In-Reply-To: <199809032202.PAA05032@salsa.gv.tsc.tdk.com> from "Don Lewis" at Sep 3, 98 03:02:06 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

bah, why don't you just drop tcp packets which are outside the window
regardless of what flag(s) are set?

From owner-freebsd-security Sat Sep 5 22:53:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA01748 for freebsd-security-outgoing; Sat, 5 Sep 1998 22:53:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA01739; Sat, 5 Sep 1998 22:53:36 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com (wes@zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id AAA01170; Sun, 6 Sep 1998 00:04:23 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <35F2248F.87CE70FC@softweyr.com>
Date: Sat, 05 Sep 1998 23:58:39 -0600
From: Wes Peters
Organization: Softweyr llc
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)
MIME-Version: 1.0
To: Joao Carlos Mendes Luis
CC: lva@dds.nl, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: small LDA c program requested
References: <199809050426.BAA20989@roma.coe.ufrj.br>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Joao Carlos Mendes Luis wrote:
> 
> #define quoting(Wes Peters)
> //     /*
> //      * Create the file and prepare to write.
> //      */
> //     snprintf(mailbox, PATH_MAX, "/var/mail/%s/%s", domain, user);
> //     if ((fd = open(mailbox, O_WRONLY | O_APPEND | O_CREAT, 0600)) < 0)
> //     {
> //         abort("Cannot open user mailbox \"%s\" for appending.\n", mailbox);
> //     }
> // 
> //     /*
> //      * OK, copy stdin until exhausted.
> //      */
> //     while ((nbytes = read(STDIN_FILENO, buffer, BUFSIZ)) > 0)
> //     {
> //         if (write(fd, buffer, nbytes) != nbytes)
> //         {
> //             abort("Error writing mailbox \"%s\".\n", mailbox);
> //         }
> //     }
> // 
> //     close(fd);
> //     return 0;
> 
> Shouldn't you lock the file? O_APPEND is only good for atomic
> writes, IIRC.

You're right. A quick fix would be to open the file with O_EXLOCK and
puke if the filesystem doesn't support locking; this would rule out
NFS-mounted mailboxes.

It would be better, IMHO, to collect the entire input and write it in a
single call, but this might get expensive in terms of memory allocation.
You could do it by allocating a number of large, fixed-size buffers and
using writev for output, but what about some bonehead who mails a 40 Meg
"Word" document?

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Sat Sep 5 23:10:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA03712 for freebsd-security-outgoing; Sat, 5 Sep 1998 23:10:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from roma.coe.ufrj.br (roma.coe.ufrj.br [146.164.53.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA03705; Sat, 5 Sep 1998 23:10:54 -0700 (PDT) (envelope-from jonny@jonny.eng.br)
Received: (from jonny@localhost) by roma.coe.ufrj.br (8.8.8/8.8.8) id DAA01265; Sun, 6 Sep 1998 03:10:40 -0300 (EST) (envelope-from jonny)
From: Joao Carlos Mendes Luis
Message-Id: <199809060610.DAA01265@roma.coe.ufrj.br>
Subject: Re: small LDA c program requested
In-Reply-To: <35F2248F.87CE70FC@softweyr.com> from Wes Peters at "Sep 5, 98 11:58:39 pm"
To: wes@softweyr.com (Wes Peters)
Date: Sun, 6 Sep 1998 03:10:40 -0300 (EST)
Cc: jonny@jonny.eng.br, lva@dds.nl, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

#define quoting(Wes Peters)
// > Shouldn't you lock the file? O_APPEND is only good for atomic
// > writes, IIRC.
// 
// You're right. A quick fix would be to open the file with O_EXLOCK
// and puke if the filesystem doesn't support locking; this would rule
// out NFS-mounted mailboxes.

Which should not be used anyway, at least with the current implementation
in FreeBSD. I've already lost lots of email by reading it over NFS. Now I
just ssh to the mail server and call elm from there.

// It would be better, IMHO, to collect the entire input and write it in a
// single call, but this might get expensive in terms of memory allocation.
// You could do it by allocating a number of large, fixed-size buffers and
// using writev for output, but what about some bonehead who mails a 40 Meg
// "Word" document?

Users are always ahead of managers in terms of finding new problems :)

But I'm not sure. Wouldn't NFS break the write into smaller ones? Is
there such an atomic write in NFS, even for VERY large blocks?

Jonny

-- 
Joao Carlos Mendes Luis            M.Sc. Student
jonny@jonny.eng.br                 Universidade Federal do Rio de Janeiro
"There are two major products that come out of Berkeley: LSD and Unix.
 We don't believe this to be a coincidence." -- Jeremy S. Anderson