From owner-freebsd-security Sun Dec 13 02:05:03 1998
From: Charlie Root
Message-Id: <199812131004.KAA15007@ns0.help-desk.co.uk>
Subject: Kernel patches for 3.0?
To: freebsd-security@FreeBSD.ORG
Date: Sun, 13 Dec 1998 10:04:56 +0000 (GMT)

Hello

Please can anybody tell me where to look up information on the required
kernel patches for FreeBSD version 3.0 security.
pat

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Dec 13 02:37:40 1998
Message-ID: <19981213043547.A2734@znh.org>
Date: Sun, 13 Dec 1998 04:35:47 -0600
From: Zach Heilig
To: Adam Shostack, Roger Marquis, security@FreeBSD.ORG
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: <19981212163532.A26497@weathership.homeport.org>

On Sat, Dec 12, 1998 at 04:35:32PM -0500, Adam Shostack wrote:
> On Fri, Dec 11, 1998 at 10:46:51PM -0800, Roger Marquis wrote:
> | Except when the floppy has bad sectors, and a large percent of floppies
> | do, and sends the drive into an I/O loop that can't be fixed w/o a
> | reboot.

> It seems to me that that's a bug that ought to be fixed, that a bad
> floppy can require a reboot.

Every time I've had problems with bad floppies, just replacing it in the
drive with a good one allowed FreeBSD to get on with "life". [Keep an
empty good floppy or two handy, or use some other removable media...].

Actually FreeBSD chokes on any "bad" media.
I just tried to mount the unfixed Zip 'tools' disk, and FreeBSD panic'ed
[somewhere deep inside msdosfs -- something about an invalid disk
structure -- I didn't keep notes, and didn't let it finish dumping core].
(Each 'tools' disk comes formatted for both Mac and PC; when you "fix"
it, the disk becomes either a PC or a Mac format disk.)

-- 
Zach Heilig (zach@gaffaneys.com)
Our one strength was that our senior officers were more flexible than
theirs... How's that? We can customize our colonels.
[ Illiad in User Friendly, Dec. 1, 1998 ]

From owner-freebsd-security Sun Dec 13 05:40:11 1998
From: Fernando Schapachnik
Message-Id: <199812131339.KAA07898@ns1.sminter.com.ar>
Subject: NIS+PAM+MD5
To: freebsd-security@FreeBSD.ORG
Date: Sun, 13 Dec 1998 10:39:45 -0300 (GMT)

Hello,

A university site here wants to use NIS + MD5 passwords + PAM. Is 3.0
ready for this?

TIA!

Fernando P.
Schapachnik
Network Administration
S&M International SA

From owner-freebsd-security Sun Dec 13 08:41:10 1998
Date: Sun, 13 Dec 1998 08:41:04 -0800 (PST)
Organization: The ISP Channel
From: Nicole Harrington
To: freebsd-security@FreeBSD.ORG
Subject: FW: ns security check output

Greetings all

Today I received this in my security check output message for one of
our name servers. Could anyone shed some light on what this means, I
definitely don't like the looks of it.

Thanks!

BTW - The IPs have been slightly changed for security reasons.
Nicole

checking setuid files and devices:

checking for uids of 0:
root 0
toor 0

ns kernel log messages:
> attempted source route from 205.70.140.36 to 209.163.90.10
> attempted source route from 205.70.140.36 to 209.163.90.10
> attempted source route from 205.70.140.36 to 209.163.90.10
> attempted source route from 205.70.140.36 to 209.163.90.10
> attempted source route from 205.70.140.36 to 209.163.90.10
> attempted source route from 205.70.140.36 to 209.163.90.10

--------------End of forwarded message-------------------------

Nicole Harrington | Systems Administrator
nicole@mediacity.com - nicole@ispchannel.com
www.mediacity.com - www.ispchannel.com
Phone: 650-237-1454 - Pager: 415-301-2482
Powered By Coca-Cola and FreeBSD
Why do doctors call what they do practice?
Microsoft: What bug would you like today?

From owner-freebsd-security Sun Dec 13 11:37:16 1998
Date: Sun, 13 Dec 1998 14:28:22 -0500 (EST)
From: Barrett Richardson
To: Mike Thompson
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD Internet Servers
In-Reply-To: <4.0.1.19981212224345.00e1e370@mail.dnai.com>
On Sat, 12 Dec 1998, Mike Thompson wrote:

> Can someone point me in the general direction of other similar
> resources that I can use to further ensure these servers are
> secure? The more specific to FreeBSD the better, but I'll take
> anything I can get.
>
> Thanks,
>
> Mike Thompson

Check out http://www.best.com/~jkb

I've been able to get the stackguard compiler
http://church.cse.ogi.edu/DISC/projects/immunix up and going on 2.2.7
with some minor modifications. Currently running apache 1.3.3 and ssh
1.2.26 compiled with it in production and am getting ready to give qmail
1.03 the acid test. I'll send you more details if you want.

I have patched imgact_aout.c, imgact_elf.c, and imgact_gzip.c to require
a flag bit that can only be set by root before an executable can be run
(John Dyson's idea). This prevents users from running arbitrary
executables (actually I need to modify ld.so so that LD_LIBRARY_PATH is
hardcoded before the idea is complete -- Joel Ray Holveck's idea). I had
to write a small util to set the flag on system binaries before a kernel
with the patch is installed, else users wouldn't be able to run anything
(I relaxed the requirement for root). Also need to take care not to set
it on any user-writable shell scripts.

Something I am in the process of implementing for qmail is to have all
the mail accounts (they won't have actual accounts on the system) run
under the same non-root user and authenticate through a different means
than the password file. Then the authentication and local delivery do
not have to be done as root. There won't be user accounts on this server
(just staff) so I should be able to run qmail-smtpd on a non-privileged
port and redirect port 25 to it via ipfilter. Then qmail-smtpd can be
launched as a non-privileged user (care must be taken in doing this as a
user on the system could gain control of mail should your smtp agent
die).

Logging is all important.
There are good tips in a recent thread "append only devices for logging".
Something I am getting ready to try is to set up a host whose
justification for existence is logging. Raise the secure level and set
the sappnd flag on the log files there, and set the immutable flag on
just about everything else. On the production systems raise the secure
level and set the immutable flag on syslog.conf, then have the
production systems log to the syslog host. There is a recent 7 year
thread "again logging" that should answer most questions about logging
that aren't obvious in the man pages.

I use md5 for password authentication and require the users to use 9
character passwords. They've been really understanding of that after a
really ugly system breach we had last summer (it wasn't FreeBSD, our
breach is one of the biggest reasons we switched).

Inventory the suid system binaries. If you are not using something, do a
chmod -s.

--
Barrett

From owner-freebsd-security Sun Dec 13 11:40:04 1998
Date: Sun, 13 Dec 1998 14:37:50 -0500 (EST)
From: Barrett Richardson
To: Charlie Root
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel patches for 3.0?
In-Reply-To: <199812131004.KAA15007@ns0.help-desk.co.uk>

Browse around in ftp://ftp.freebsd.org/pub/FreeBSD/CERT

Look for a patch dated in Nov concerning how fragments are handled.

Also beware of sending/receiving e-mail via root.

- Barrett

On Sun, 13 Dec 1998, Charlie Root wrote:

> Hello
>
> Please can anybody tell me where to look up information on the required
> kernel patches for freebsd version 3.0 security.
>
> pat

From owner-freebsd-security Sun Dec 13 16:04:58 1998
Date: Mon, 14 Dec 1998 10:04:38 +1000 (EST)
From: Gary Gaskell
To: Barrett Richardson
cc: Mike Thompson, freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD Internet Servers
On Sun, 13 Dec 1998, Barrett Richardson wrote:

> an executable can be run (John Dyson's idea). This prevents
> users from running arbitrary executables (actually I need
> to modify ld.so so that LD_LIBRARY_PATH is hardcoded before
> the idea is complete -- Joel Ray Holveck's idea). I had to write

I recall a previous project on Solaris where I used a flag to cc to tell
the LD_LIBRARY_PATH and LD_RUN_PATH to a hardcoded value. I dunno if that
could work for you on FreeBSD. My memory is a bit vague - sorry.

Cheers,
Gary

From owner-freebsd-security Sun Dec 13 22:59:44 1998
Message-Id: <199812140659.IAA61566@greenpeace.grondar.za>
To: Fernando Schapachnik
cc: freebsd-security@FreeBSD.ORG
Subject: Re: NIS+PAM+MD5
In-Reply-To: Your message of "Sun, 13 Dec 1998 10:39:45 -0300."
    <199812131339.KAA07898@ns1.sminter.com.ar>
Date: Mon, 14 Dec 1998 08:59:25 +0200
From: Mark Murray

Fernando Schapachnik wrote:
> Hello,
> A university site here wants to use NIS + MD5 passwords + PAM. Is
> 3.0 ready for this?

No. End-of-Jan '99 is when JDP reckons he'll get to it.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Mon Dec 14 06:05:17 1998
From: "Ross Potts, CON, EDS/D-SIDDOMS"
Message-Id: <9812140904.ZM-175429@161.14.216.105>
Date: Mon, 14 Dec 1998 09:04:35 -0800
In-Reply-To: Mike Thompson "Securing FreeBSD Internet Servers" (Dec 12, 10:53pm)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD Internet Servers

> ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
> Can someone point me in the general direction of other similar
> resources that I can use to further ensure these servers are
> secure? The more specific to FreeBSD the better, but I'll take
> anything I can get.
And please feel free to post the list that comes up.

--
Potts, Ross A.              Internet : Ross.Potts@med.osd.mil
EDS-D/SIDDOMS               Phone    : (703) 824-7601
Skyline Two, Suite 1200     Beeper   : (888) 687-2709
5113 Leesburg Pike,         FAX      : (703) 824-4155
Falls Church, VA 22041

From owner-freebsd-security Mon Dec 14 19:06:22 1998
Message-Id: <199812131526.HAA07450@cwsys.cwsent.com>
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Frank Tobin
cc: FreeBSD-security Mailing List
Subject: Re: Limiting which users can login via xdm
In-reply-to: Your message of "Fri, 11 Dec 1998 23:47:32 CST."
Date: Sun, 13 Dec 1998 07:25:42 -0800

In message, Frank Tobin writes:
> I was wondering if there was a way to limit access to xdm according to
> users. A major reason I'd like to be able to do this is that it could
> ensure that I could keep track of logins to xdm that are done remotely.
> Can one get xdm to use login(1), and consequently, check access via
> /etc/login.access?

Xdm's Xsession script could be modified to limit who has access to xdm.
Xdm sets the USER and LOGNAME environment variables, which could be used
to verify the user's identity. Alternatively you could get the user's
identity from id or whoami.

Regards,                       Phone:    (250)387-8437
Cy Schubert                    Fax:      (250)387-5766
Open Systems Group             Internet: cschuber@uumail.gov.bc.ca
ITSD                                     Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Tue Dec 15 07:59:20 1998
Date: Tue, 15 Dec 1998 10:57:08 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Cy Schubert - ITSD Open Systems Group
cc: Frank Tobin, FreeBSD-security Mailing List
Subject: Re: Limiting which users can login via xdm
In-Reply-To:
    <199812131526.HAA07450@cwsys.cwsent.com>

Once PAM is in place, it provides a good checking point for the validity
of certain types of behavior--such as logging in within the time bounds.
PAM's account stage allows for multiple modules to check authorization.
Presumably a login.conf module could be assembled that verified the user
fell within the various bounds listed for their class in /etc/login.conf.

Presumably, xdm would have to support PAM, and describe the terminal
being logged into in some xdm-specific way (possibly xdm0...) for each
user attached to the xdm, as well as providing the remotehost
information to PAM. Presumably to do this properly, all address
information should be passed around in the form of IP addresses, not
host names--I'm not sure how the existing PAM stuff handles this.

On Sun, 13 Dec 1998, Cy Schubert - ITSD Open Systems Group wrote:

> In message, Frank Tobin writes:
> > I was wondering if there was a way to limit access to xdm according to
> > users. A major reason I'd like to be able to do this is that it could
> > ensure that I could keep track of logins to xdm that are done remotely.
> > Can one get xdm to use login(1), and consequently, check access via
> > /etc/login.access?
>
> Xdm's Xsession script could be modified to limit who has access to xdm.
> Xdm sets the USER and LOGNAME environment variables, which could be
> used to verify the user's identity. Alternatively you could get the
> user's identity from id or whoami.
>
> Regards,                       Phone:    (250)387-8437
> Cy Schubert                    Fax:      (250)387-5766
> Open Systems Group             Internet: cschuber@uumail.gov.bc.ca
> ITSD                                     Cy.Schubert@gems8.gov.bc.ca
> Government of BC

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Tue Dec 15 08:46:00 1998
Date: Tue, 15 Dec 1998 11:45:48 -0500 (EST)
From: John Fieber
To: Robert Watson
cc: Frank Tobin, FreeBSD-security Mailing List, jdp@FreeBSD.ORG
Subject: Re: Limiting which users can login via xdm

On Tue, 15 Dec 1998, Robert Watson wrote:

> Presumably a login.conf module could be assembled that verified the user
> fell within the various bounds listed for their class in /etc/login.conf.
The login(1) program currently does this to some degree. While the
authentication has been PAMified, it looks to me like a lot more needs
to be moved out into PAM account and session modules. The simplest would
be to stick it all in pam_unix, or it could be broken down into finer
grained modules.

Does anyone already have plans for this?

Think it should be easy to hook xdm into this. I would assume that the
Linux crowd already have some XDM patches kicking around for PAM....

-john

From owner-freebsd-security Tue Dec 15 09:05:37 1998
Date: Tue, 15 Dec 1998 11:56:09 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: John Fieber
cc: Frank Tobin, FreeBSD-security Mailing List, jdp@FreeBSD.ORG
Subject: Re: Limiting which users can login via xdm

On Tue, 15 Dec 1998, John Fieber wrote:

> On Tue, 15 Dec 1998, Robert Watson wrote:
>
> > Presumably a login.conf module could be assembled that verified the user
> > fell within the various bounds listed for their class in /etc/login.conf.
>
> The login(1) program currently does this to some degree.
> While
> the authentication has been PAMified, it looks to me like a lot
> more needs to be moved out into PAM account and session modules.
> The simplest would be to stick it all in pam_unix, or it could be
> broken down into finer grained modules.
>
> Does anyone already have plans for this?
>
> Think it should be easy to hook xdm into this. I would assume
> that the Linux crowd already have some XDM patches kicking around
> for PAM....

An important step would be to separate the pam_unix code into separate
authentication and authorization modules. The reason for this, in my
mind, is that most distributed authentication systems use the same
authorization code--the standard, if it's in the password file, has a
good shell, etc behavior. Kerberos won't tell you if the user can log
in, but will tell you if they are the user (well, authentication :). As
such, I think the distinction is an important one to represent in the
pam code, even though the same module can quite happily serve both
functions. I think separating it would make the behavior clearer.

I'm not sure if I like the PAM session suggestion that mounting home
directories is a good thing to do via PAM--however, functionally
speaking, it seems like the most convenient hook. I'm also not sure I
like PAM spanning the setuid() call--it's something that needs to happen
but makes me uncomfortable. In a sense, it would really be preferable if
things like initgroups and setuid could happen in the setcred section as
part of a setcred call, but I'm not sure that's feasible for ordering
reasons and to prevent accidents.

In my Coda PAM module, I've been having difficulties because Coda uses a
heavy-weight RPC package and threading to manage the RPCs--to acquire
tokens, you have to bootstrap the threading system, which screws with
signal behavior, etc. In some senses, having modules run in the same
process can cause a lot of hassle.
On the other hand, we don't want debuggers attaching to subprocesses and
interfering with PAM. I have concluded that the best solution is to move
the token acquisition into Venus and have a worker thread handle it
there, using ioctls to pass along appropriate information to Venus. This
way no threading happens in a module, which could interfere with other
threaded code (such as a pretty xwindows-based threaded login manager).
But not all authentication systems are going to be as easy to clean up
for inclusion with a PAM module.

Now that I've used PAM, my opinion is that it is far better than what we
had before--the modularity and configurability is great. But it's not
quite ideal. :)

BTW, does anyone know if there is a way to tell a particular PAM
application to use a different config file? I'd rather not add the Coda
behavior to my system-wide pam.conf while I'm testing it :).

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
                                      http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Tue Dec 15 10:15:55 1998
Message-ID: <3676A5EA.B23FCA10@softweyr.com>
Date: Tue, 15 Dec 1998 11:09:46 -0700
From: Wes Peters
Organization: Softweyr llc
To: Robert Watson
CC: Cy Schubert - ITSD Open Systems Group, Frank Tobin, FreeBSD-security Mailing List
Subject: Re: Limiting which users can login via xdm

Robert Watson wrote:
>
> Once PAM is in place, it provides a good checking point for the validity
> of certain types of behavior--such as logging in within the time bounds.
> PAM's account stage allows for multiple modules to check authorization.
> Presumably a login.conf module could be assembled that verified the user
> fell within the various bounds listed for their class in /etc/login.conf.
>
> Presumably, xdm would have to support PAM, and describe the terminal being
> logged into in some xdm-specific way (possibly xdm0...)
for each user > attached to the xdm, as well as providing the remotehost information to > PAM. Presumably to do this properly, all address information should be > passed around in the form of IP addresses, not host names--I'm not sure > how the existing PAM stuff handles this. XDM handles this using standard X notation for the server, i.e. :0 for a server at the local workstation, and hostname:0 for xterminal users. If PAM is going to be enhanced to handle XDM, it should correctly handle authentication using the X notation. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 16 01:38:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA15953 for freebsd-security-outgoing; Wed, 16 Dec 1998 01:38:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from uni-sb.de (uni-sb.de [134.96.252.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15924; Wed, 16 Dec 1998 01:38:50 -0800 (PST) (envelope-from rock@cs.uni-sb.de) Received: from cs.uni-sb.de (cs.uni-sb.de [134.96.252.31]) by uni-sb.de (8.9.1a/1998121400) with ESMTP id KAA12018; Wed, 16 Dec 1998 10:38:21 +0100 (CET) Received: from cs.uni-sb.de (acc1-220.telip.uni-sb.de [134.96.113.220]) by cs.uni-sb.de (8.9.1a/1998121400) with ESMTP id KAA27414; Wed, 16 Dec 1998 10:38:21 +0100 (CET) Message-ID: <36778044.A8FDC865@cs.uni-sb.de> Date: Wed, 16 Dec 1998 10:41:24 +0100 From: "D. Rock" X-Mailer: Mozilla 4.5 [de] (Win98; U) X-Accept-Language: de MIME-Version: 1.0 To: Matthew Dillon CC: freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: kmem, tty, bind security enhancements commit. 
References: <199812010551.VAA02953@apollo.backplane.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Matthew Dillon wrote:
>
> (2)
>
> Add a 'bind' user and a 'bind' group to master.passwd
>
> Use bind-8's -u and -g features to run named as bind:bind
> in the default rc.conf:
>
> named_flags="-u bind -g bind"
>
> (Or find a way to figure out whether this uid/gid exists
> and use the options or not use the options based on that,
> which is more compatible with prior installations but adds
> complexity that will quickly become stale. I suggest simply
> making it the default in the CVS tree).
>
> Caveat: in a multi-interface situation, with an interface
> that is brought up later, and so forth, named will not
> be able to automatically rebind and must be restarted.
>
> (Also ensure that named.conf is either group-bind-readable or
> world readable).

Only a small glitch:

% ndc reload

now gives you every time a

named[24812]: couldn't create pid file '/var/run/named.pid'

error message to syslog. It isn't a big deal, because on reload the pid doesn't change. But it's still annoying.

Daniel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 16 04:39:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA06654 for freebsd-security-outgoing; Wed, 16 Dec 1998 04:39:09 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA06634; Wed, 16 Dec 1998 04:39:03 -0800 (PST) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.1/8.9.1) id NAA00529; Wed, 16 Dec 1998 13:38:51 +0100 (CET) (envelope-from des) To: "D.
Rock" Cc: Matthew Dillon , freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: kmem, tty, bind security enhancements commit. References: <199812010551.VAA02953@apollo.backplane.com> <36778044.A8FDC865@cs.uni-sb.de> From: Dag-Erling Smorgrav Date: 16 Dec 1998 13:38:51 +0100 In-Reply-To: "D. Rock"'s message of "Wed, 16 Dec 1998 10:41:24 +0100" Message-ID: Lines: 16 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"D. Rock" writes:
> Only a small glitch:
> % ndc reload
> now gives you every time a
> named[24812]: couldn't create pid file '/var/run/named.pid'
> error message to syslog.
> It isn't a big deal, because on reload the pid doesn't change. But
> it's still annoying.

There are worse glitches. Interface scanning no longer works, and cache dumping no longer works unless you create a directory writeable by bind and configure named to use that.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 16 04:58:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA08940 for freebsd-security-outgoing; Wed, 16 Dec 1998 04:58:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA08935 for ; Wed, 16 Dec 1998 04:58:07 -0800 (PST) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id EAA26512; Wed, 16 Dec 1998 04:57:10 -0800 (PST) Message-ID: <19981216045710.C24315@best.com> Date: Wed, 16 Dec 1998 04:57:10 -0800 From: "Jan B. Koum " To: "Jordan K.
Hubbard" , Jay Tribick Cc: Mark Newton , FREEBSD-SECURITY@FreeBSD.ORG Subject: Re: append-only devices for logging References: <30042.913284025@zippy.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <30042.913284025@zippy.cdrom.com>; from Jordan K. Hubbard on Thu, Dec 10, 1998 at 02:00:25AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Dec 10, 1998 at 02:00:25AM -0800, "Jordan K. Hubbard" wrote:
> > True but if they have root then they can quite easily alter /etc/rc.local
>
> Anyone setting their securelevel to 2 and *meaning* it will have also
> chflag'd many of the files in / (including this one) to be effectively
> read-only. There's no point in locking all your doors and leaving a
> window open, after all, and anyone clueful enough to run at such a
> high secure level should also be clueful enough to know where all the
> obvious doors and windows (like this one) are. :-)
>
> - Jordan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Sorry to bring up the week-old thread, folks, but as a note: if/when you do really want to take advantage of securelevel 2 or 3, your system pretty much becomes manageable via console from single-user mode:

% ls -lod .
drwxr-xr-x 12 root wheel schg 512 Dec 12 01:38 .
% ls -lod ..
drwxr-xr-x 12 root wheel schg 512 Dec 12 01:38 ..
% ls -loid /
2 drwxr-xr-x 12 root wheel schg 512 Dec 12 01:38 /
% ls -loid /etc/rc*
15444 -r--r--r-- 1 root wheel schg 8246 Dec 11 15:58 /etc/rc
15565 -r--r--r-- 1 root wheel schg 8261 Dec 15 19:19 /etc/rc.conf
15890 -r--r--r-- 1 root wheel schg 8238 Dec 10 02:58 /etc/rc.conf.previous
15502 -r--r--r-- 1 root wheel schg 6946 Dec 12 00:15 /etc/rc.firewall
15892 -r--r--r-- 1 root wheel schg 2848 Dec 10 02:58 /etc/rc.i386
15893 -r--r--r-- 1 root wheel schg 641 Dec 10 02:58 /etc/rc.local
15894 -r--r--r-- 1 root wheel schg 7923 Dec 10 02:58 /etc/rc.network
15895 -r--r--r-- 1 root wheel schg 373 Dec 10 02:58 /etc/rc.pccard
15896 -r--r--r-- 1 root wheel schg 3368 Dec 10 02:58 /etc/rc.serial
[snip] [daily/weekly/security/monthly/syslog.conf/ssh*] goes here

-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 16 05:14:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA11017 for freebsd-security-outgoing; Wed, 16 Dec 1998 05:14:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA11011 for ; Wed, 16 Dec 1998 05:14:03 -0800 (PST) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id FAA28842; Wed, 16 Dec 1998 05:13:31 -0800 (PST) Message-ID: <19981216051330.A28228@best.com> Date: Wed, 16 Dec 1998 05:13:30 -0800 From: "Jan B. Koum " To: Robert Watson , CyberPsychotic Cc: freebsd-security@FreeBSD.ORG Subject: Re: Detecting remote host type and so on..
References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Robert Watson on Sat, Nov 28, 1998 at 04:35:27PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sat, Nov 28, 1998 at 04:35:27PM -0500, Robert Watson wrote:
> On Sat, 28 Nov 1998, CyberPsychotic wrote:
>
> > Hello people,
> > This is probably a bit offtopic, but anyway. That is not good when someone
> > could figure out what platform you're running your Apache on. Recently I
> > checked site http://www.netcraft.com which could tell you what server and
> > on what platform you're running. They don't provide source for the code,
> > so I just put my sniffer on, and pushed the button (they have webform) to
> > see what that will do. All that box did, was a connection to my 80 port
> > and issuing command HEAD / HTTP/1.0. All that comes for response is:
>
> As far as I can tell, it is almost impossible to disguise the operating
> system that you are running. Most platforms display distinctive banners,
> have quirks in their IP implementation, or just made different design
> choices that may be distinguished remotely (for example, choices about
> timeouts, fragmentation issues, etc). While you can attempt to hide the
> platform by disabling as many services as possible, removing banners, and
> hiding behind a firewall that reformats packets and connections, there is
> really not a whole lot to do. I find leaving the information there is
> often more useful than not -- attempting to exploit a bug doesn't require
> knowledge of the OS/version (try all versions you have an exploit for :),
> but having the version information there can be useful in debugging
> interoperability problems.
>
> Sort of like having the sendmail version there -- makes it easier to debug
> problems, and lets you use wholesale network scanners to find old
> versions; but for someone to try to exploit a bug they just try it out.
> If you care a whole bunch, it could probably be cleaned up a bit, but I'm
> not sure it's worth the trouble. If you think the server says too much,
> look at what your average WWW browser spews to the server :).
>
>
> Robert N Watson
>
> robert@fledge.watson.org http://www.watson.org/~robert/
> PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
>
> Carnegie Mellon University http://www.cmu.edu/
> TIS Labs at Network Associates, Inc. http://www.tis.com/
> SafePort Network Services http://www.safeport.com/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

And yet another old thread, but now is the time. :)

The nmap2 port scanner was released last night and it has support for remote OS fingerprinting. Ever wanted to find out exactly what OS someone was running on a device which has a TCP/IP stack? Now you can do so very easily. Get nmap from http://www.insecure.org/nmap - or from ports since the port was upgraded last night to the 2.0 version.
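The other side of the nmap 2.0 release above is spotting its fingerprint run in your own traffic. The following is an added example written for this archive, not code from the thread or from nmap: it labels the TCP probe shapes an OS fingerprinter relies on (a packet with no flags, SYN together with FIN, FIN|PSH|URG, a stray FIN, and SYN/ACK aimed at a port you do not serve) and reports any source that sends several distinct kinds within a few seconds. The packet records and the LISTENING set are constructed for the example; in practice you would feed it summaries pulled off bpf.

```python
"""Spot OS-fingerprinting probe bursts in a stream of TCP packet records.

Added example, not code from the thread or from nmap. The packet records
and the LISTENING set are constructed here; in practice you would feed it
summaries taken off bpf/tcpdump.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption for the example: the ports this host really serves.
LISTENING = {22, 80}


@dataclass(frozen=True)
class Pkt:
    ts: float      # arrival time, seconds
    src: str       # source address
    dport: int     # destination port on our host
    flags: str     # TCP flags present, letters from "SAFRPU"; "" means none set


def classify(p: Pkt) -> Optional[str]:
    """Label a packet a well-behaved client would never send, else None.

    These are the probe shapes fingerprinters rely on: the reply (or the
    silence) each one gets differs from one TCP stack to the next.
    """
    f = set(p.flags)
    if not f:
        return "null"                       # no flags at all
    if {"S", "F"} <= f:
        return "syn+fin"                    # SYN and FIN together
    if f == {"F", "P", "U"}:
        return "xmas"                       # FIN|PSH|URG
    if "F" in f and "A" not in f:
        return "fin-noack"                  # stray FIN without ACK
    if p.dport not in LISTENING and (f & {"S", "A"}) and "R" not in f:
        return "closed-port"                # SYN or ACK at a port we do not serve
    return None


def detect(packets: Iterable[Pkt], window: float = 5.0,
           min_kinds: int = 3) -> Dict[str, List[str]]:
    """Return {src: sorted probe kinds} for every source that sent at least
    `min_kinds` distinct anomalous probe kinds within `window` seconds."""
    events = defaultdict(list)              # src -> [(ts, kind)]
    for p in sorted(packets, key=lambda q: q.ts):
        kind = classify(p)
        if kind is not None:
            events[p.src].append((p.ts, kind))
    hits: Dict[str, List[str]] = {}
    for src, evs in events.items():
        for i, (t0, _) in enumerate(evs):
            kinds = {k for t, k in evs[i:] if t - t0 <= window}
            if len(kinds) >= min_kinds:
                hits[src] = sorted(kinds)
                break
    return hits


# Constructed sample: one normal HTTP client, one lone stray FIN, and one
# fingerprinting burst against port 80 (open) and 31337 (closed).
SAMPLE = [
    Pkt(0.0, "10.0.0.5", 80, "S"),
    Pkt(0.1, "10.0.0.5", 80, "A"),
    Pkt(0.2, "10.0.0.5", 80, "PA"),
    Pkt(3.0, "10.0.0.9", 80, "F"),
    Pkt(10.0, "192.0.2.7", 80, "S"),
    Pkt(10.0, "192.0.2.7", 80, ""),
    Pkt(10.1, "192.0.2.7", 80, "SFPU"),
    Pkt(10.1, "192.0.2.7", 80, "A"),
    Pkt(10.2, "192.0.2.7", 31337, "S"),
    Pkt(10.2, "192.0.2.7", 31337, "A"),
    Pkt(10.3, "192.0.2.7", 31337, "FPU"),
]

if __name__ == "__main__":
    for src, kinds in detect(SAMPLE).items():
        print(f"{src}: fingerprint probes {', '.join(kinds)}")
```

A single odd packet (the lone FIN from 10.0.0.9) is not reported; the threshold on distinct probe kinds inside one window is what separates a fingerprint run from line noise, and it is the knob to tune if you see false positives from broken middleboxes.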
-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 16 05:40:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA14053 for freebsd-security-outgoing; Wed, 16 Dec 1998 05:40:35 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ol.kyrnet.kg (ol.kyrnet.kg [195.254.160.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA14048 for ; Wed, 16 Dec 1998 05:40:30 -0800 (PST) (envelope-from fygrave@tigerteam.net) Received: from gizmo.kyrnet.kg (IDENT:fygrave@gizmo.kyrnet.kg [195.254.160.13]) by ol.kyrnet.kg (8.9.1a/8.9.1) with ESMTP id SAA15889; Wed, 16 Dec 1998 18:09:11 +0600 Received: from localhost (fygrave@localhost) by gizmo.kyrnet.kg (8.9.1a/8.9.1) with ESMTP id SAA30052; Wed, 16 Dec 1998 18:38:19 +0500 X-Authentication-Warning: gizmo.kyrnet.kg: fygrave owned process doing -bs Date: Wed, 16 Dec 1998 18:38:19 +0500 (KGT) From: CyberPsychotic X-Sender: fygrave@gizmo.kyrnet.kg To: "Jan B. Koum " cc: Robert Watson , freebsd-security@FreeBSD.ORG Subject: Re: Detecting remote host type and so on.. In-Reply-To: <19981216051330.A28228@best.com> Message-ID: Confirm-receipt-to: fygrave@usa.net MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

~ And yet another old thread, but now is the time. :)
~
~ The nmap2 port scanner was released last night and it has
~ support for remote OS fingerprinting. Ever wanted to find
~ out exactly what OS someone was running on a device which
~ has a TCP/IP stack? Now you can do so very easily. Get nmap
~ from http://www.insecure.org/nmap - or from ports since
~ the port was upgraded last night to the 2.0 version.
~

Yes. I noted Fyodor's post on bugtraq today. (shh..
another Fyodor, but I cannot claim a copyright for my real name :)) I also checked the webpage which covers some interesting points regarding this subject. Actually the idea is clear to me with remote OS detection (thanks to people on the list) and nowadays I am busy with my personal experiments digging various responses for all kinds of malformed packets. So far I've got Solaris/Linux and so BSD platforms for my experiments, but I think once I get my toys usable for anyone but me, I could share them for testing on other boxes.

Thanks for the note anyway :).

~F.

PS: There's another interesting toy, which, if slightly changed, could be used to detect people who attempt to detect your platform.

http://www.false.com/security/scanlogd/

This is a Linux implementation, but I guess it could be ported to BSD's bpf instead of RAW_SOCK platform as well. I also had an idea, that you could defeat various OS probes using the same toy by spoofing various OS-dependent responses and thus confuse such toys as nmap or queso.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 16 12:17:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA04449 for freebsd-security-outgoing; Wed, 16 Dec 1998 12:17:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA04444 for ; Wed, 16 Dec 1998 12:16:59 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id HAA25754; Thu, 17 Dec 1998 07:15:57 +1100 (EDT) From: Darren Reed Message-Id: <199812162015.HAA25754@cheops.anu.edu.au> Subject: Re: Detecting remote host type and so on..
To: fygrave@tigerteam.net (CyberPsychotic) Date: Thu, 17 Dec 1998 07:15:56 +1100 (EDT) Cc: jkb@best.com, robert+freebsd@cyrus.watson.org, freebsd-security@FreeBSD.ORG In-Reply-To: from "CyberPsychotic" at Dec 16, 98 06:38:19 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from CyberPsychotic, sie said: [...] > This is linux implementation, but I guess it could be ported to BSD's bpf > instead of RAW_SOCK platform as well. I also had an idea, that you could > defeat various OS probes using the same toy by spoofing various OS > dependent responces and thus confuse such toys as nmap or queso. If everyone fixed theirs up, it would also be much harder. Whilst looking at the NetBSD ICMP code, I noticed some fields don't get converted back into network byte order for ICMP replies. You may want to try the patch below (with some finger work required) to fix this problem. Darren *** ip_icmp.c.orig Sun Dec 6 17:04:21 1998 --- ip_icmp.c Sun Dec 6 17:46:24 1998 *************** *** 159,165 **** m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) goto freeit; ! icmplen = oiplen + min(8, oip->ip_len); m->m_len = icmplen + ICMP_MINLEN; MH_ALIGN(m, m->m_len); icp = mtod(m, struct icmp *); --- 159,165 ---- m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) goto freeit; ! 
icmplen = oiplen + min(8, oip->ip_len - oiplen); m->m_len = icmplen + ICMP_MINLEN; MH_ALIGN(m, m->m_len); icp = mtod(m, struct icmp *); *************** *** 183,188 **** --- 183,191 ---- icp->icmp_nextmtu = htons(destifp->if_mtu); } + HTONS(oip->ip_id); + HTONS(oip->ip_off); + HTONS(oip->ip_len); icp->icmp_code = code; bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen); nip = &icp->icmp_ip; *** ip_input.c.orig Sun Aug 9 21:11:14 1998 --- ip_input.c Sun Dec 6 17:26:31 1998 *************** *** 1139,1145 **** m_freem(m); return; } - HTONS(ip->ip_id); if (ip->ip_ttl <= IPTTLDEC) { icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0); return; --- 1139,1144 ---- *************** *** 1186,1201 **** if (rt->rt_ifa && (ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_subnetmask) == ifatoia(rt->rt_ifa)->ia_subnet) { ! if (rt->rt_flags & RTF_GATEWAY) ! dest = satosin(rt->rt_gateway)->sin_addr.s_addr; ! else ! dest = ip->ip_dst.s_addr; ! /* Router requirements says to only send host redirects */ ! type = ICMP_REDIRECT; ! code = ICMP_REDIRECT_HOST; #ifdef DIAGNOSTIC ! if (ipprintfs) ! printf("redirect (%d) to %x\n", code, (u_int32_t)dest); #endif } } --- 1185,1201 ---- if (rt->rt_ifa && (ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_subnetmask) == ifatoia(rt->rt_ifa)->ia_subnet) { ! if (rt->rt_flags & RTF_GATEWAY) ! dest = satosin(rt->rt_gateway)->sin_addr.s_addr; ! else ! dest = ip->ip_dst.s_addr; ! /* Router requirements says only send host redirects */ ! type = ICMP_REDIRECT; ! code = ICMP_REDIRECT_HOST; #ifdef DIAGNOSTIC ! if (ipprintfs) ! printf("redirect (%d) to %x\n", code, ! (u_int32_t)dest); #endif } } *** ip_output.c.orig Sun Aug 9 21:11:14 1998 --- ip_output.c Sun Dec 6 17:26:11 1998 *************** *** 172,177 **** --- 172,178 ---- ipstat.ips_localout++; } else { hlen = ip->ip_hl << 2; + HTONS(ip->ip_id); } /* * Route packet. *************** *** 368,375 **** * If small enough for mtu of path, can just send directly. */ if ((u_int16_t)ip->ip_len <= mtu) { ! 
ip->ip_len = htons((u_int16_t)ip->ip_len); ! ip->ip_off = htons((u_int16_t)ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); --- 369,376 ---- * If small enough for mtu of path, can just send directly. */ if ((u_int16_t)ip->ip_len <= mtu) { ! HTONS(ip->ip_len); ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); *************** *** 437,443 **** } m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = (struct ifnet *)0; ! mhip->ip_off = htons((u_int16_t)mhip->ip_off); mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); ipstat.ips_ofragments++; --- 438,444 ---- } m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = (struct ifnet *)0; ! HTONS(mhip->ip_off); mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); ipstat.ips_ofragments++; *************** *** 451,457 **** m_adj(m, hlen + firstlen - (u_int16_t)ip->ip_len); m->m_pkthdr.len = hlen + firstlen; ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); ! ip->ip_off = htons((u_int16_t)(ip->ip_off | IP_MF)); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); sendorfree: --- 452,459 ---- m_adj(m, hlen + firstlen - (u_int16_t)ip->ip_len); m->m_pkthdr.len = hlen + firstlen; ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); ! ip->ip_off |= IP_MF; ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); sendorfree: *************** *** 1222,1229 **** * than the interface's MTU. Can this possibly matter? */ ip = mtod(copym, struct ip *); ! ip->ip_len = htons((u_int16_t)ip->ip_len); ! ip->ip_off = htons((u_int16_t)ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); (void) looutput(ifp, copym, sintosa(dst), NULL); --- 1224,1231 ---- * than the interface's MTU. Can this possibly matter? */ ip = mtod(copym, struct ip *); ! HTONS(ip->ip_len); ! 
HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); (void) looutput(ifp, copym, sintosa(dst), NULL); *** udp_usrreq.c.orig Wed Jan 14 01:41:37 1998 --- udp_usrreq.c Sun Dec 6 17:44:53 1998 *************** *** 303,308 **** --- 303,309 ---- /* It was a debugger connect packet, just drop it now */ goto bad; #endif + ip->ip_len += ip->ip_hl << 2; icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0); return; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 17 14:45:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA28818 for freebsd-security-outgoing; Thu, 17 Dec 1998 14:45:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from zeus.tds.edu (zeus.tds.edu [38.149.131.15]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA28809 for ; Thu, 17 Dec 1998 14:44:58 -0800 (PST) (envelope-from willow@tds.edu) Received: from zeus.tds.edu (willow@zeus.tds.edu [38.149.131.15]) by zeus.tds.edu (8.9.1a/8.9.1a) with ESMTP id RAA00282; Thu, 17 Dec 1998 17:44:22 -0500 (EST) Date: Thu, 17 Dec 1998 17:44:22 -0500 (EST) From: Willow To: Frank Tobin cc: FreeBSD-security Mailing List Subject: Re: Limiting which users can login via xdm In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org We just chgrp'd the X11 binaries to a group called xusers and remove world read/execute bit from X11R6/bin and added any users that we want to be able to use X to /etc/group -- Willow http://www.tds.edu/~willow icq: 19051309 (office) icq: 22034399 (home) -- On Fri, 11 Dec 1998, Frank Tobin wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I was wondering if there was a way to limit access to xdm according to > users. 
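Review bot: in the first ip_icmp.c hunk (lines 159-165), `icmplen = oiplen + min(8, oip->ip_len - oiplen)` only works if every caller now passes an ip_len that still includes the IP header; a caller that runs after ip_input's header-length subtraction and has not been adjusted makes `oip->ip_len - oiplen` either negative (if oiplen is a signed int) or, if oiplen is unsigned, a wrapped value that min() turns into 8 bytes copied past the end of the datagram. Only udp_usrreq.c gets the compensating `+=` in this patch, so either clamp here (`oip->ip_len > oiplen ? oip->ip_len - oiplen : 0`) or state the new invariant in a comment above the line and audit the remaining icmp_error() callers.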
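Review bot: the three HTONS() calls added in the second ip_icmp.c hunk (lines 183-191) rewrite oip in place before the bcopy into icp->icmp_ip, so anything later in icmp_error() that still treats the quoted header or oip as host order is now wrong; the 4.4BSD-derived code re-adds oiplen to nip->ip_len with its own htons() after the copy and builds the outer reply header by copying oip again, and those lines are not in the diff. Please include them so the reviewer can see that ip_len is not converted twice and that the outer header's ip_off is consistent with what ip_output expects.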
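Review bot: the ip_output.c hunk at 172-178 adds `HTONS(ip->ip_id)` in the else branch, which in the 4.4BSD-derived ip_output() is taken for IP_RAWOUTPUT as well as IP_FORWARDING; raw-socket senders using IP_HDRINCL already hand over ip_id in network order (rip_output() fills it with htons() when the user leaves it zero), so they get byte-swapped a second time. Since the ip_input.c hunk only removed the swap from ip_forward(), guard this with `if (flags & IP_FORWARDING)` or explain in a comment why raw output is expected to change.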
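Review bot: the udp_usrreq.c hunk adds `ip->ip_len += ip->ip_hl << 2` to undo ip_input's header-length subtraction before the port-unreachable icmp_error(), but nothing explains why at the call site and the same adjustment is missing from every other transport-level icmp_error() caller reached after that subtraction, which will quote a datagram short by one header. Add a one-line comment here and apply the same fix (or a helper) at the other call sites in the same commit.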
A major reason I'd like to be able to do this is that it could > ensure that I could keep track of logins to xdm that are done remotely. > Can one get xdm to use login(1), and consequently, check access via > /etc/login.access? > > - -- > > Frank Tobin "To learn what is good and what is to be > http://www.bigfoot.com/~ftobin valued, those truths which cannot be > shaken or changed." Myst: The Book of Atrus > FreeBSD: The Power To Serve > > If you use Pine and PGP 5.0(i), try pgpenvelope. > http://www.bigfoot.com/~ftobin/resources.html > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 5.0i for non-commercial use > Charset: noconv > > iQA/AwUBNnH1vgL4UDr0DrZeEQJo0ACgrulKFqcHLUqw10DwJHF1/NSew/oAoLaR > c5IhVzfZKi2Rsq+z7iWFNvX9 > =nSD+ > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 17 19:24:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA04706 for freebsd-security-outgoing; Thu, 17 Dec 1998 19:24:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from schizo.cdsnet.net (schizo.cdsnet.net [204.118.244.32]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA04701 for ; Thu, 17 Dec 1998 19:24:22 -0800 (PST) (envelope-from mrcpu@internetcds.com) Received: from localhost (mrcpu@localhost) by schizo.cdsnet.net (8.8.8/8.7.3) with ESMTP id TAA27751; Thu, 17 Dec 1998 19:20:19 -0800 (PST) Date: Thu, 17 Dec 1998 19:20:19 -0800 (PST) From: Jaye Mathisen X-Sender: mrcpu@schizo.cdsnet.net To: Fernando Schapachnik cc: James Wyatt , reese@chem.duke.edu, freebsd-security@FreeBSD.ORG Subject: Re: tripwire was Re: append-only devices for logging In-Reply-To: <199812111214.JAA25395@ns1.sminter.com.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; 
charset=US-ASCII Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hmmm, I get permission denied trying to access this URL... Any other ways to get at it?

On Fri, 11 Dec 1998, Fernando Schapachnik wrote:
> In an earlier message, James Wyatt wrote:
> > On Thu, 10 Dec 1998, Charles Reese wrote:
> > > Can tripwire be modified to compare two databases rather than one database
> > > and the current files? I ask because I monitor some systems remotely and I
> > > would like to be able to automatically generate a tripwire database on the
> > > remote system, ftp it to my local site and compare it with a previously
> > > created database that I have stored here on read-only media. It is not
> > > possible for me to use read-only media on the remote machine.
> >
> > This is a *great* idea! I had set the BIOS to boot w/o floppy and written
> > the DB to a floppy I changed to R/O by hand. This has a limit of 1.44MB
> > or 2.88 MB, depending on how much you spend for a floppy drive. I guess a
> > zip disk would work too, but I was given a parallel zip which seems to be
> > unsupported on FreeBSD. 8{(
>
> Also, you can use ssyslog to send (encrypted) your logs to a "safe
> machine". This is useful if you are planning to protect logs from more
> than one box.
>
> ssyslog can be found on http://www.core-sdi.com/ssyslog
>
>
> Regards!
>
> Fernando P.
Schapachnik
> Network Administration
> S&M International SA
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 17 23:52:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA03842 for freebsd-security-outgoing; Thu, 17 Dec 1998 23:52:43 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fep04-svc.tin.it (mta04-acc.tin.it [212.216.176.35]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA03833 for ; Thu, 17 Dec 1998 23:52:33 -0800 (PST) (envelope-from molter@tin.it) Received: from nympha.ecomotor.it ([212.216.1.207]) by fep04-svc.tin.it (InterMail v4.0 201-221-105) with SMTP id <19981218075211.BIYR23050.fep04-svc@nympha.ecomotor.it> for ; Fri, 18 Dec 1998 08:52:11 +0100 Received: (qmail 481 invoked by uid 1000); 18 Dec 1998 07:51:38 -0000 From: "Marco Molteni" Date: Fri, 18 Dec 1998 08:51:38 +0100 (CET) X-Sender: molter@nympha To: freebsd-security@FreeBSD.ORG Subject: buffer overflows and chroot Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi all,

I am administering 3 FreeBSD machines at a lab at my University (yes, they are the *first* FreeBSD machines in my university :-)

We are working on IPv6/IPsec with the nice KAME kit (hello Itojun).

Yesterday came a guy, working on an "automatic buffer overflow exploiting program". I had to give him an account on my beloved machines, since my professor told me so. The situation is: I trust this guy enough not to do evil things, but his target is to get root via buffer overflow.

He needs a compiler and some suid executables to test his tool. My question is: can I restrict him in a sort of sandbox?
If I build a chroot environment with the tools he needs (compiler and bins) I can give him some suid executables, where the owner isn't root. Is it right? Marco (who started to sweat) --- "Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?" "I'm sorry, this is device driver testing: brain implants are two doors down on the right". (Bill Paul, on the freebsd-net mailing list) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 18 00:52:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA10778 for freebsd-security-outgoing; Fri, 18 Dec 1998 00:52:15 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from www.zdh.de (www.zdh.de [194.77.6.230]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA10773 for ; Fri, 18 Dec 1998 00:52:13 -0800 (PST) (envelope-from stepken@fss.firmen-info.de) Received: from beatix (r-145.koln.ipdial.viaginterkom.de [62.180.37.145]) by www.zdh.de (8.8.7/8.8.7) with SMTP id KAA22419; Fri, 18 Dec 1998 10:38:52 +0100 Message-ID: <002501be2a64$5a4dd8e0$9125b43e@beatix.intra.net> From: "Guido Stepken" To: "Marco Molteni" , Subject: Re: buffer overflows and chroot Date: Fri, 18 Dec 1998 09:56:47 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.1 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This program is absolute nonsense. buffer overflows can be everywhere in a handshake of specific protocols (mail from: ...rcpt to: , smtp) and are found in many gets puts routines in the library and every bloody program, which makes use of such libs. 
Some programs are written without static arrays, which could be overflowed (8-) Wietse's new mail program), but with dynamic memory addressing. Those programs cannot be overflowed by any trick, but it can result in heavy swapping and finally in a DoS attack.

Kick him off ! This guy is unserious as well as your professor !!!!!!

regards, Guido Stepken

-----Original Message-----
From: Marco Molteni
To: freebsd-security@FreeBSD.ORG
Date: Friday, 18 December 1998 10:19
Subject: buffer overflows and chroot

>Hi all,
>
>I am administering 3 FreeBSD machines at a lab at my University (yes, they
>are the *first* FreeBSD machines in my university :-)
>
>We are working on IPv6/IPsec with the nice KAME kit (hello Itojun).
>
>Yesterday came a guy, working on a "automatic buffer overflow exploiting
>program". I had to give him an account on my beloved machines, since my
>professor told me so. The situation is: I trust enough this guy not to do
>evil things, but his target is to get root via buffer overflow.
>
>He needs a compiler and some suid executables to test his tool. My
>question is: can I restrict him in a sort of sandbox? If I build a chroot
>environment with the tools he needs (compiler and bins) I can give him
>some suid executables, where the owner isn't root. Is it right?
>
>Marco (who started to sweat)
>---
>"Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?"
>"I'm sorry, this is device driver testing: brain implants are two doors
> down on the right".
(Bill Paul, on the freebsd-net mailing list)
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Dec 18 05:19:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA07330 for freebsd-security-outgoing; Fri, 18 Dec 1998 05:19:53 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fep04-svc.tin.it (mta04-acc.tin.it [212.216.176.35]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA07301 for ; Fri, 18 Dec 1998 05:19:46 -0800 (PST) (envelope-from molter@tin.it) Received: from nympha.ecomotor.it ([212.216.21.125]) by fep04-svc.tin.it (InterMail v4.0 201-221-105) with SMTP id <19981218131932.DHGV23050.fep04-svc@nympha.ecomotor.it> for ; Fri, 18 Dec 1998 14:19:32 +0100 Received: (qmail 370 invoked by uid 1000); 18 Dec 1998 12:56:33 -0000 From: "Marco Molteni" Date: Fri, 18 Dec 1998 13:56:33 +0100 (CET) X-Sender: molter@nympha To: Guido Stepken cc: freebsd-security@FreeBSD.ORG Subject: A better explanation (was: buffer overflows and chroot) In-Reply-To: <002501be2a64$5a4dd8e0$9125b43e@beatix.intra.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 18 Dec 1998, Guido Stepken wrote:
> This program is absolute nonsense. buffer overflows can be everywhere in
> a handshake of specific protocols (mail from: ...rcpt to: , smtp) and
> are found in many gets puts routines in the library and every bloody
> program, which makes use of such libs. Some programs are written without
> static arrays, which could be overflowed (8-) Wietse's new mail program),
> but with dynamic memory addressing.
> Those programs can not be overflowed
> by any trick, but it can result in heavy swapping and finally in a DoS
> attack. Kick him off ! This guy is unserious as well as your professor
> !!!!!!

Guido, maybe I didn't explain the situation well, so I'll retry, ok?

I know what a buffer overflow is. I know that some buffer overflows can be exploited to execute another program (e.g. a shell), and that, if the program exploited is suid, you get a shell with the effective uid of the owner of the file, as is obvious.

--> Automatic or not automatic (I don't mind how much automation there's in all this affair) <--, there are many ways to find and try to exploit a buffer overflow, right? Ok.

In my situation I have a *legitimate* user, call him Bob, who actively searches such buffer overflows. He does it for research, and he isn't unserious as you state, I assure you.

Anyway, I don't like the idea of anybody other than me being root on my machines. So my idea/question is: if I build a chroot jail for Bob, fitted with all he needs (e.g. /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc) and I replace all the suid root binaries with suid root2 binaries, where root2 is a normal user, he can do his experiments, but he can't get root.

Is my idea safe/right/doable?

Marco
---
"Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?"
"I'm sorry, this is device driver testing: brain implants are two doors
 down on the right".
(Bill Paul, on the freebsd-net mailing list)

From owner-freebsd-security Fri Dec 18 05:50:30 1998
From: "Jordan K. Hubbard"
Date: Fri, 18 Dec 1998 05:50:02 -0800
To: "Marco Molteni"
cc: Guido Stepken, freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-reply-to: Your message of "Fri, 18 Dec 1998 13:56:33 +0100."
Message-ID: <62537.913989002@zippy.cdrom.com>

> In my situation I have a *legitimate* user, call him Bob, who actively
> searches such buffer overflows. He does it for research, and he isn't
> unserious as you state, I assure you.

If he's searching for truly interesting exploits and he needs root privilege for this, then he must not be very serious about this. :-) It seems a truly dedicated attacker would want to show how things could be exploited *as an ordinary user* in making the case for a serious defense against buffer overflow and other similar types of exploits. Doing it as root is a little like proving you can "break" into a house when you have a full set of keys to all the doors.
:-)

> So my idea/question is: if I build a chroot jail for Bob, fitted with all
> he needs (eg /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc) and I
> replace all the suid root binaries with suid root2 binaries, where root2
> is a normal user, he can do his experiments, but he can't get root.

No chroot jail is really safe in the hands of someone with root access; he can always use raw device access to get at things outside the jail (or even destroy them inadvertently during exploit testing). If someone wants to be root on a box, make him get his own to destroy. This is nothing that any computer facilities support department would generally allow, I can say that much, and if I asked for root access as "Bob" in just about any situation I can think of, the owners of the box in question would laugh wildly for about 5 minutes and then tell me to go jump myself. If I want that kind of access, I have to assume that it's going to have to be my own box.

- Jordan

From owner-freebsd-security Fri Dec 18 07:06:17 1998
From: Fernando Schapachnik
Message-Id: <199812181502.MAA06562@ns1.sminter.com.ar>
Subject: Re: tripwire was Re: append-only devices for logging
In-Reply-To: from Jaye Mathisen at "Dec 17, 98 07:20:19 pm"
To: mrcpu@internetcds.com (Jaye Mathisen)
Date: Fri, 18 Dec 1998 12:02:58 -0300 (GMT)
Cc: jwyatt@rwsystr.RWSystems.net, reese@chem.duke.edu, freebsd-security@FreeBSD.ORG

In an earlier message, Jaye Mathisen wrote:
>
> Hmmm, I get permission denied trying to access this URL...
>
> Any other ways to get at it?

I mailed their webmaster. If the site doesn't come to life I can send you the package (which is not the best option, but...).

Regards.

>
> On Fri, 11 Dec 1998, Fernando Schapachnik wrote:
...
> > > > ssyslog can be found on http://www.core-sdi.com/ssyslog

Fernando P. Schapachnik
Network administration
S&M International SA

From owner-freebsd-security Fri Dec 18 07:45:55 1998
Date: Fri, 18 Dec 1998 10:43:31 -0500 (EST)
From: Barrett Richardson
To: Marco Molteni
cc: freebsd-security@FreeBSD.ORG
Subject: Re: buffer overflows and chroot

Would you consider recompiling suid system binaries with the StackGuard compiler?
I have been able to get it going on 2.2.x and have been wanting some real-world acid tests to throw at it.

--
Barrett

On Fri, 18 Dec 1998, Marco Molteni wrote:

> Hi all,
>
> I am administering 3 FreeBSD machines at a lab at my University (yes, they
> are the *first* FreeBSD machines in my university :-)
>
> We are working on IPv6/IPsec with the nice KAME kit (hello Itojun).
>
> Yesterday came a guy, working on a "automatic buffer overflow exploiting
> program". I had to give him an account on my beloved machines, since my
> professor told me so. The situation is: I trust enough this guy not to do
> evil things, but his target is to get root via buffer overflow.
>
> He needs a compiler and some suid executables to test his tool. My
> question is: can I restrict him in a sort of sandbox? If I build a chroot
> environment with the tools he needs (compiler and bins) I can give him
> some suid executables, where the owner isn't root. Is it right?
>
> Marco (who started to sweat)
> ---
> "Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?"
> "I'm sorry, this is device driver testing: brain implants are two doors
> down on the right".
> (Bill Paul, on the freebsd-net mailing list)

From owner-freebsd-security Fri Dec 18 09:22:02 1998
Date: Fri, 18 Dec 1998 13:21:03 -0400 (AST)
From: Michael Richards <026809r@acadiau.ca>
To: Marco Molteni
cc: Guido Stepken, freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)

Hi.

> So my idea/question is: if I build a chroot jail for Bob, fitted with all
> he needs (eg /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc) and I
> replace all the suid root binaries with suid root2 binaries, where root2
> is a normal user, he can do his experiments, but he can't get root.

As I recall, there are a number of ways to escape from a chroot jail. I think you should be reasonably safe with the standard binaries installed. You might want to run at a higher securelevel.
If the point here is academic research into an automatic buffer overflow program, just give him 2 accounts and let him fiddle with exploiting from one userlevel to the other via a suid program. Seeing suid programs core dumping can be an indication that something funky is going on, but if he gets the overflow right on the first try, of course it won't core dump :0

-Michael

From owner-freebsd-security Fri Dec 18 11:11:21 1998
From: "Marco Molteni"
Date: Fri, 18 Dec 1998 19:57:07 +0100 (CET)
To: "Jordan K. Hubbard"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-Reply-To: <62537.913989002@zippy.cdrom.com>

On Fri, 18 Dec 1998, Jordan K. Hubbard wrote:

> > In my situation I have a *legitimate* user, call him Bob, who actively
> > searches such buffer overflows. He does it for research, and he isn't
> > unserious as you state, I assure you.
>
> If he's searching for truely interesting exploits and he needs root
> priviledge for this, then he must not be very serious about this. :-)

Jordan, obviously I agree with you, but I described something different.

Scenario:

 1. Bob is a non privileged user.
 2. Bob actively searches for buffer overflows in suid binaries.
 3. if Bob is able to do his job, sooner or later he'll get root.
 4. I don't mind if Bob is a good guy or a bad guy, I don't want
    anybody to be root on my machines.
 5. I want to put him in a chroot jail full of suid binaries, but
    suid not to root, to pseudoroot, where pseudoroot is a
    non privileged user.
 6. Bob can do all his experiments in his nice jail.
 6. if Bob becomes pseudoroot, I am still safe, since:
    6.1 he is in a chroot jail
    6.2 in the jail there isn't any executable suid to a privileged
        user (root, bin, whatever).
    6.3 from 6.2, he can't escape from the jail

is 6.3 correct?

> If someone wants to be root on a box, make him get his own to destroy.

I perfectly agree.
Marco

From owner-freebsd-security Fri Dec 18 11:11:45 1998
From: "Marco Molteni"
Date: Fri, 18 Dec 1998 20:08:32 +0100 (CET)
To: Michael Richards <026809r@acadiau.ca>
cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)

On Fri, 18 Dec 1998, Michael Richards wrote:

> > So my idea/question is: if I build a chroot jail for Bob, fitted with
> > all he needs (eg /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc)
> > and I replace all the suid root binaries with suid root2 binaries,
> > where root2 is a normal user, he can do his experiments, but he can't
> > get root.
>
> If the point here is academic research into an automatic buffer overflow
> program,

exactly. If I could, I'd give him a box to crash, but I can't.

> just give him 2 accounts and let him fiddle with exploiting from one
> userlevel to the other via a suid program.
  ^^^^^^^^^

I think you mean "from one uid to the other". I agree, and this is what I first thought. But my idea of the jail comes from the fact that I can't prevent him from trying overflows on other suid executables, e.g. suid root ones.

Marco

From owner-freebsd-security Fri Dec 18 11:14:01 1998
Date: Fri, 18 Dec 1998 12:13:49 -0700 (MST)
From: Brendan Conoboy
Message-Id: <199812181913.MAA07134@kitsune.swcp.com>
To: molter@tin.it
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)

> So my idea/question is: if I build a chroot jail for Bob, fitted with all
> he needs (eg /bin, /usr/bin, /usr/local/bin, /usr/libexec, etc) and I
> replace all the suid root binaries with suid root2 binaries, where root2
> is a normal user, he can do his experiments, but he can't get root.
>
> Is my idea safe/right/doable?

Marco,

As long as the root2 user has no different permissions to /dev than the user he starts out as, the idea is sound. On the other hand, some suid programs may behave differently than they would otherwise. This would be because (among other things) they wouldn't have the same kind of access to /dev that they used to have. That might taint the research results.
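An added check for the invariant Marco states in 6.2 and for the /dev caveat Jordan and Brendan raise, not code from the thread: a small C audit that walks the tree destined to become the jail and reports executables setuid/setgid to a privileged account and any device nodes it finds. The privileged-id threshold (PRIV_ID_MAX) and the default jail path are assumptions, and a working jail usually still needs a few harmless nodes such as /dev/null, so the report is for review rather than blind enforcement.

```c
/* Added example, not from the thread: audit the tree that will become
 * "Bob's" chroot jail for the two things the discussion says must not be
 * in it.  Marco's point 6.2: no executable setuid (or setgid) to a
 * privileged account.  Jordan's and Brendan's point: no device nodes,
 * since raw disk or memory devices reach outside the jail.
 * Assumptions: PRIV_ID_MAX (uids/gids at or below it are treated as
 * system accounts: "root, bin, whatever") and the default jail path. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define PRIV_ID_MAX 999u   /* assumption: system accounts live below uid/gid 1000 */

enum {
    JAIL_SETUID_PRIV = 1u << 0, /* setuid executable owned by a privileged uid */
    JAIL_SETGID_PRIV = 1u << 1, /* setgid executable owned by a privileged gid */
    JAIL_DEVICE_NODE = 1u << 2, /* character or block device node */
    JAIL_SETUID_OK   = 1u << 3  /* setuid, but to an unprivileged "pseudoroot" */
};

/* Classify one entry from its lstat() results.  Pure, so it can be tested
 * without a filesystem.  Only regular files count for the setuid/setgid
 * bits: S_ISGID on a directory is group inheritance, not a privilege. */
unsigned classify_entry(mode_t mode, uid_t uid, gid_t gid)
{
    unsigned flags = 0;

    if (S_ISCHR(mode) || S_ISBLK(mode))
        flags |= JAIL_DEVICE_NODE;
    if (S_ISREG(mode) && (mode & S_ISUID))
        flags |= (uid <= PRIV_ID_MAX) ? JAIL_SETUID_PRIV : JAIL_SETUID_OK;
    if (S_ISREG(mode) && (mode & S_ISGID) && gid <= PRIV_ID_MAX)
        flags |= JAIL_SETGID_PRIV;
    return flags;
}

/* Recursively walk `dir` using lstat(), so a symlink that points outside
 * the jail is judged by its own mode and never followed.  Prints every
 * violation and returns how many were found.  A real jail still needs a
 * few harmless nodes (/dev/null, /dev/zero, ...), so review the report. */
int audit_jail(const char *dir)
{
    DIR *dp = opendir(dir);
    struct dirent *ent;
    int findings = 0;

    if (dp == NULL) {
        perror(dir);
        return 0;
    }
    while ((ent = readdir(dp)) != NULL) {
        char path[PATH_MAX];
        struct stat st;
        unsigned flags;

        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name)
                >= (int)sizeof path) {
            fprintf(stderr, "path too long, skipped under: %s\n", dir);
            continue;
        }
        if (lstat(path, &st) != 0) {
            perror(path);
            continue;
        }
        flags = classify_entry(st.st_mode, st.st_uid, st.st_gid);
        if (flags & JAIL_SETUID_PRIV) {
            printf("setuid to privileged uid %u: %s\n", (unsigned)st.st_uid, path);
            findings++;
        }
        if (flags & JAIL_SETGID_PRIV) {
            printf("setgid to privileged gid %u: %s\n", (unsigned)st.st_gid, path);
            findings++;
        }
        if (flags & JAIL_DEVICE_NODE) {
            printf("device node inside jail: %s\n", path);
            findings++;
        }
        if (S_ISDIR(st.st_mode))
            findings += audit_jail(path);
    }
    closedir(dp);
    return findings;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/usr/jail/bob"; /* assumed path */
    int n = audit_jail(root);

    printf("%d violation(s) under %s\n", n, root);
    return n == 0 ? 0 : 1;
}
```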
-Brendan (synk@swcp.com)

From owner-freebsd-security Fri Dec 18 12:02:22 1998
From: Poul-Henning Kamp
Date: Fri, 18 Dec 1998 21:00:56 +0100
To: "Marco Molteni"
cc: "Jordan K. Hubbard", freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-reply-to: Your message of "Fri, 18 Dec 1998 19:57:07 +0100."
Message-ID: <11082.914011256@critter.freebsd.dk>

Marco and others.

I have a set of patches which makes a chroot jail escape proof. These were developed under contract and will end up in FreeBSD sometime over the next year. My client wants to get a head start, and that is only fair.

The basic concept is that root is only root in a jail if the filesystem protects the rest of the system, otherwise he isn't. For instance he can change the owner or modes on a file, but he cannot change IP# on an interface. He can bind to a privileged TCP port, but only on the IP# which belongs to the jail. And so forth. Works pretty well.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Fri Dec 18 20:17:25 1998
Message-Id: <4.1.19981218211628.064e26e0@mail.lariat.org>
Date: Fri, 18 Dec 1998 21:16:45 -0700
To: security@FreeBSD.ORG
From: Brett Glass
Subject: wordperfect 8 for linux security (forwarded from Bugtraq)

Hi,

I sent a similar message to Corel about this. And I figured I'd send it out here in order to prevent people from opening up their systems by installing word perfect 8 before the problem is fixed.

When wordperfect 8 is installed it creates a /tmp/wpc- directory with permissions 777. And all files inside of it are mode 666. And when these files are created, symlinks are followed. You already know what this means when root tries to install word perfect. So to those of you who are planning to install word perfect 8 for linux, don't do it as root. Pick another user for doing the job.

--
Edsel Adap
edsel@adap.org
http://www.adap.org/~edsel/
LINUX - the choice of the GNU generation
"Netscape is an application which grows to fill all available memory."
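As an added illustration of the defensive side of that report, not code from the post or from Corel: the two creation calls that keep an installer's scratch directory and its files private in a shared /tmp (mode 0700/0600, never following a symlink), with a self-check that a link left under the expected name is refused. All path names are constructed for the demonstration.

```c
/* Added example, not from the Bugtraq post or from Corel: how an installer
 * should create its scratch directory and files in a shared /tmp so that a
 * symlink left there by another user is never followed.  The post's
 * installer made a mode-777 /tmp/wpc- directory with mode-666 files and
 * followed symlinks on creation; these helpers refuse both.  File and
 * directory names below are constructed for the demonstration. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `dir` fresh, mode 0700.  mkdir() does not follow a symlink at its
 * last component, and EEXIST means something is already there (possibly a
 * link left earlier), so the caller fails instead of adopting it. */
int make_private_dir(const char *dir)
{
    struct stat st;

    if (mkdir(dir, 0700) != 0)
        return -1;
    /* Verify what we just created: a real directory, owned by us, with no
     * group/world bits (umask can only narrow 0700, but the check is cheap). */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)
            || st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Create `path` for writing, mode 0600 instead of the post's 666.
 * O_CREAT|O_EXCL fails if anything (a symlink included) already exists at
 * `path`, and the existence check and the creation are one atomic step,
 * so nothing can be slipped in between them.  O_NOFOLLOW is belt and
 * braces.  Returns the descriptor or -1 with errno set. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check: inside `scratch` (a directory we own) leave a dangling
 * symlink under the name the installer would use, then confirm the safe
 * creator refuses it while a genuinely new name still works.
 * Returns 1 when both behave as intended, 0 otherwise, -1 on setup error. */
int demo(const char *scratch)
{
    char linkpath[4096], freshpath[4096];
    int fd, refused, created;

    snprintf(linkpath, sizeof linkpath, "%s/wpc-existing", scratch);
    snprintf(freshpath, sizeof freshpath, "%s/wpc-fresh", scratch);

    /* constructed: a link to a path only root could write to */
    if (symlink("/etc/constructed-target", linkpath) != 0)
        return -1;

    fd = create_private_file(linkpath);       /* must fail: EEXIST or ELOOP */
    refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd != -1)
        close(fd);

    fd = create_private_file(freshpath);      /* must succeed */
    created = (fd != -1);
    if (fd != -1)
        close(fd);

    unlink(linkpath);
    unlink(freshpath);
    return refused && created;
}

int main(void)
{
    char tmpl[] = "/tmp/wpc-demo-XXXXXX";   /* constructed scratch area */
    char *scratch = mkdtemp(tmpl);
    int ok;

    if (scratch == NULL) {
        perror("mkdtemp");
        return 1;
    }
    ok = demo(scratch);
    printf("safe creation %s\n", ok == 1 ? "refused the existing link" : "FAILED");
    rmdir(scratch);
    return ok == 1 ? 0 : 1;
}
```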
- me

From owner-freebsd-security Fri Dec 18 20:57:57 1998
From: "Jordan K. Hubbard"
Date: Fri, 18 Dec 1998 20:57:52 -0800
To: "Marco Molteni"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-reply-to: Your message of "Fri, 18 Dec 1998 19:57:07 +0100."
Message-ID: <64687.914043472@zippy.cdrom.com>

> Scenario:
>
> [all reasonable points elided]
> 5. I want to put him in a chroot jail full of suid binaries, but suid
> not to root, to pseudoroot, where pseudoroot is a non privileged user.

That won't work, however, since he can still "break out" of the chroot jail very easily, especially if he's someone who "knows his stuff" as you seem to indicate. It's a jail with papier-mache bars, nothing more. I still think he needs his own machine, full stop.

- Jordan

From owner-freebsd-security Fri Dec 18 21:02:42 1998
From: "Jordan K. Hubbard"
Date: Fri, 18 Dec 1998 20:59:03 -0800
To: Poul-Henning Kamp
cc: "Marco Molteni", freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-reply-to: Your message of "Fri, 18 Dec 1998 21:00:56 +0100." <11082.914011256@critter.freebsd.dk>
Message-ID: <64700.914043543@zippy.cdrom.com>

> The basic concept is that root is only root in a jail if the filesystem
> protects the rest of the system, otherwise he isn't. For instance he
> can change the owner or modes on a file, but he cannot change IP# on
> an interface. He can bind to a priviledged TCP port, but only on the
> IP# which belongs to the jail. And so forth. Works pretty well.

I assume that this works for all devices in /dev that can either be written to for raw access to devices or can be mmap'd for access to various interesting parts of memory?
- Jordan

From owner-freebsd-security Fri Dec 18 23:49:46 1998
From: Don Lewis
Message-Id: <199812190641.WAA11564@salsa.gv.tsc.tdk.com>
Date: Fri, 18 Dec 1998 22:41:45 -0800
In-Reply-To: Poul-Henning Kamp "Re: A better explanation (was: buffer overflows and chroot)" (Dec 18, 9:00pm)
To: Poul-Henning Kamp, "Marco Molteni"
Subject: Re: A better explanation (was: buffer overflows and chroot)
Cc: "Jordan K. Hubbard", freebsd-security@FreeBSD.ORG

On Dec 18, 9:00pm, Poul-Henning Kamp wrote:
} Subject: Re: A better explanation (was: buffer overflows and chroot)
} I have a set of patches which makes a chroot jail escape proof. These
} were developed under contract and will end up in FreeBSD sometime over
} the next year. My client wants to get a head start, and that is only
} fair.

A year or so ago I implemented a more limited scheme to prevent access to the filesystem outside the chroot area. I'm in the process of cleaning it up and hope to post my patches soon.

} The basic concept is that root is only root in a jail if the filesystem
} protects the rest of the system, otherwise he isn't. For instance he
} can change the owner or modes on a file, but he cannot change IP# on
} an interface. He can bind to a priviledged TCP port, but only on the
} IP# which belongs to the jail. And so forth. Works pretty well.

The IP restrictions would be very handy for some of the stuff that I do.

Can a process in jail kill() a process outside jail? Can the compartments nest?

From owner-freebsd-security Sat Dec 19 02:22:47 1998
From: Garance A Drosihn
Date: Sat, 19 Dec 1998 05:22:57 -0500
To: "Marco Molteni"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
References: <62537.913989002@zippy.cdrom.com>

At 7:57 PM +0100 12/18/98, Marco Molteni wrote:
>Scenario:
>
> 1. Bob is a non privileged user.
> 2.
> Bob actively searches for buffer overflows in suid binaries.
> 3. if Bob is able to do his job, soon or later he'll get root.
> 4. I don't mind if Bob is a good guy or a bad guy, I don't want
> anybody to be root on my machines.
> 5. I want to put him in a chroot jail full of suid binaries, but
> suid not to root, to pseudoroot, where pseudoroot is a
> non privileged user.
> 6. Bob can do all his experiments in his nice jail.
> 6. if Bob becomes pseudoroot, I am still safe, since:
> 6.1 he is in a chroot jail
> 6.2 in the jail there isn't any executable suid to a privileged
> user (root, bin, whatever).
> 6.3 from 6.2, he can't escape from the jail
>
> is 6.3 correct?

From #2, Bob is running setuid binaries. Presumably he's running a long list of common setuid binaries, otherwise it'd be pointless research. Chances are that some of those programs are ones which will only work if they run as root. (say he wanted to pursue buffer overflows in lpd, for instance. Well, to do that he needs to have lpd running, and if you're not running lpd as root then it will not run very well -- at the very least it's an invalid test of lpd).

What makes you think that you can limit his research by refusing to let him run the whole class of real-world setuid programs which have to be run as root? I can just see the brief description of his research: "I am attempting to explore buffer overflows in programs which don't matter in the first place, because they have no special privs".

Given the above, #6.2 is invalid. If you want #4 to be true, given #2 and #3, then Bob needs to be on a machine which is not your machine. I realize you have said that you don't have a spare machine to put him on. I am just saying that if you don't have an extra machine, then chances are good that he'll have root on your machine. And once he has root (real root) on your machine, any chroot environment that you put him in will be irrelevant.

---
Garance Alistair Drosehn   =   gad@eclipse.its.rpi.edu
Senior Systems Programmer       or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Sat Dec 19 02:40:12 1998
From: Garance A Drosihn
Date: Sat, 19 Dec 1998 05:35:27 -0500
To: Poul-Henning Kamp, "Marco Molteni"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-Reply-To: <11082.914011256@critter.freebsd.dk>

At 9:00 PM +0100 12/18/98, Poul-Henning Kamp wrote:
> The basic concept is that root is only root in a jail if the
> filesystem protects the rest of the system, otherwise he isn't.
> For instance he can change the owner or modes on a file, but he
> cannot change IP# on an interface. He can bind to a priviledged
> TCP port, but only on the IP# which belongs to the jail. And so
> forth. Works pretty well.

I can see that this could be very useful in many chroot-ish situations.
Given the nature of the research Marco described, though, I would expect "Bob" would want to test many programs which are doing privileged operations. I would think it would be a lot of work to setup a chroot jail which could run all those programs. (or at least, if *I* were the "Bob" in this example, I know what *I* would mean by "I want to research buffer overflows in setuid programs"...) Your changes do sound pretty interesting, though. --- Garance Alistair Drosehn = gad@eclipse.its.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 19 02:41:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA23134 for freebsd-security-outgoing; Sat, 19 Dec 1998 02:41:32 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA23115 for ; Sat, 19 Dec 1998 02:41:28 -0800 (PST) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id FAA17626; Sat, 19 Dec 1998 05:42:27 -0500 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: drosih@pop1.rpi.edu Message-Id: In-Reply-To: References: <62537.913989002@zippy.cdrom.com> Date: Sat, 19 Dec 1998 05:41:48 -0500 To: "Marco Molteni" From: Garance A Drosihn Subject: Re: A better explanation (was: buffer overflows and chroot) Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I (Garance) wrote: > > Chances are that some of those programs are ones which will > only work if they run as root. (say he wanted to pursue > buffer overflows in lpd, for instance. [etc] Er, I meant 'lpr' there... lpd runs as root, but isn't setuid! 
---
Garance Alistair Drosehn   =   gad@eclipse.its.rpi.edu
Senior Systems Programmer  or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Sat Dec 19 03:15:21 1998
Date: Sat, 19 Dec 1998 12:00:53 +0100
From: Poul-Henning Kamp
To: Don Lewis
Cc: "Marco Molteni", "Jordan K. Hubbard", freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)
In-Reply-To: Your message of "Fri, 18 Dec 1998 22:41:45 PST." <199812190641.WAA11564@salsa.gv.tsc.tdk.com>
Message-ID: <36263.914065253@critter.freebsd.dk>

>} The basic concept is that root is only root in a jail if the filesystem
>} protects the rest of the system, otherwise he isn't. For instance he
>} can change the owner or modes on a file, but he cannot change IP# on
>} an interface. He can bind to a privileged TCP port, but only on the
>} IP# which belongs to the jail. And so forth. Works pretty well.
>
>The IP restrictions would be very handy for some of the stuff that I do.
>
>Can a process in jail kill() a process outside jail? Can the compartments
>nest?

No & no.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Sat Dec 19 06:02:59 1998
Date: Sat, 19 Dec 1998 14:59:07 +0100 (CET)
From: "Marco Molteni"
To: Garance A Drosihn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: A better explanation (was: buffer overflows and chroot)

On Sat, 19 Dec 1998, Garance A Drosihn wrote:

> Marco Molteni wrote:
> >Scenario:
> >
> > 1. Bob is a non-privileged user.
> > 2. Bob actively searches for buffer overflows in suid binaries.
> > 3. if Bob is able to do his job, sooner or later he'll get root.
> > 4. I don't mind if Bob is a good guy or a bad guy, I don't want
> >    anybody to be root on my machines.
> > 5. I want to put him in a chroot jail full of suid binaries, but
> >    suid not to root, to pseudoroot, where pseudoroot is a
> >    non-privileged user.
> > 6. Bob can do all his experiments in his nice jail.
> > 6. if Bob becomes pseudoroot, I am still safe, since:
> >    6.1 he is in a chroot jail
> >    6.2 in the jail there isn't any executable suid to a privileged
> >        user (root, bin, whatever).
> >    6.3 from 6.2, he can't escape from the jail
> >
> > is 6.3 correct?
>
> From #2, Bob is running setuid binaries. Presumably he's running a long
> list of common setuid binaries, otherwise it'd be pointless research.

Yes, this is what I think.

> Chances are that some of those programs are ones which will only work
> if they run as root. (say he wanted to pursue buffer overflows in lpr,
> for instance. Well, to do that he needs to have lpd running, and if
> you're not running lpd as root then it will not run very well -- at the
> very least it's an invalid test of lpd).

I see your point.

> What makes you think that you can limit his research by refusing to let
> him run the whole class of real-world setuid programs which have to be
> run as root?

As many already said, the only reasonable thing to do was, from the start, to give him spare machines to play with. Sometimes you have to accept situations you don't like. Since I have to give him an account, to limit the damages I'll put him in a custom tailored jail. If he is not comfortable with the environment / cannot do his tests, he'll have to physically bring my professor in front of me to ask for more.
At that time, I'll fight ;-)

Marco

From owner-freebsd-security Sat Dec 19 06:15:50 1998
Date: Sat, 19 Dec 1998 19:13:53 +0500 (KGT)
From: CyberPsychotic
Reply-To: fygrave@tigerteam.net
To: Marco Molteni
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: buffer overflows and chroot

~ Yesterday came a guy, working on an "automatic buffer overflow exploiting
~ program". I had to give him an account on my beloved machines, since my
~ professor told me so. The situation is: I trust enough this guy not to do
~ evil things, but his target is to get root via buffer overflow.
~
~ He needs a compiler and some suid executables to test his tool. My
~ question is: can I restrict him in a sort of sandbox? If I build a chroot
~ environment with the tools he needs (compiler and bins) I can give him
~ some suid executables, where the owner isn't root. Is it right?
~

well, you may not give him suid binaries at all.
if he needs to check whether his buffer-overflow exploitation works, all he needs is just to make sure the buffer gets overflowed and his code gets executed. There are many ways to check it. :)

From owner-freebsd-security Sat Dec 19 08:10:37 1998
Date: Sat, 19 Dec 1998 17:10:36 +0100
From: Rico Pajarola
To: security@FreeBSD.ORG
Subject: nmap crashes inetd/portmap on 2.2.6
Message-Id: <3.0.32.19981219170558.0080a8c0@www.dlc.cybertime.ch>

Portscanning with nmap results in inetd crashing/hanging on FBSD 2.2.6, which makes an excellent DoS attack. Portmap is also affected: inetd hangs initializing rpc/udp services when you HUP it, making it somewhat more complicated to recover, as you'll have to restart all rpc services (in the correct order). It is not always reproducible (sometimes you need to try several times with different flags to nmap). I couldn't crash inetd on FBSD-Current (May 28 1998) so I guess it has been fixed. Are there any known issues I missed? Other OSes are vulnerable as well (still testing).
Rico Pajarola

From owner-freebsd-security Sat Dec 19 09:54:05 1998
Date: Sat, 19 Dec 1998 10:55:14 -0700 (MST)
From: Colin Eric Johnson
To: Rico Pajarola
Cc: security@FreeBSD.ORG
Subject: Re: nmap crashes inetd/portmap on 2.2.6
In-Reply-To: <3.0.32.19981219170558.0080a8c0@www.dlc.cybertime.ch>

On Sat, 19 Dec 1998, Rico Pajarola wrote:

> Portscanning with nmap results in inetd crashing/hanging on FBSD 2.2.6,
> which makes an excellent DoS attack. Portmap is also affected: inetd hangs
> initializing rpc/udp services when you HUP it, making it somewhat more
> complicated to recover, as you'll have to restart all rpc services (in the
> correct order). It is not always reproducible (sometimes you need to try
> several times with different flags to nmap). I couldn't crash inetd on
> FBSD-Current (May 28 1998) so I guess it has been fixed. Are there any
> known issues I missed? Other OSes are vulnerable as well (still testing).

I have seen similar behavior on Solaris 2.6 and NextStep 3.3 machines when they were scanned. In the former case the inetd stopped and in the latter the machine rebooted spontaneously.

Colin E. Johnson | colinj@unm.edu | http://www.unm.edu/~colinj/
Harming only the humorless since 1967
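Marco's point 6.2 above (no executable in the jail is set-id to a privileged user) is a property of the file tree, so it can be checked mechanically before Bob gets his account. The script below is an added example and not code posted in this thread. It assumes the jail root and pseudoroot's numeric uid are given on the command line, and it treats uid 0 and gid 0 as privileged (PRIVILEGED_UIDS and PRIVILEGED_GIDS are names chosen for this example; add bin, daemon and whatever else the host has). It walks the tree without following symlinks, reports any set-id file owned by a privileged uid or gid as a failure, and asks for a second look at set-id files that have another hard link and at device nodes left inside the jail.

```python
"""Audit a chroot tree for set-id files that would break the "suid only to pseudoroot" rule.

Added example, not code from the thread. Assumptions: the jail root and pseudoroot's
uid are passed on the command line; uid 0 / gid 0 are the privileged ids.
"""
import os
import stat
import sys
from dataclasses import dataclass

# Accounts whose set-id binaries would be worth more than pseudoroot.
# Assumption for this example; extend with bin, daemon, ... as the host requires.
PRIVILEGED_UIDS = frozenset({0})
PRIVILEGED_GIDS = frozenset({0})


@dataclass(frozen=True)
class Entry:
    path: str    # relative to the jail root
    uid: int
    gid: int
    mode: int    # full st_mode, including the file-type bits
    nlink: int


def scan(root):
    """Walk the jail without following symlinks; one Entry per non-directory object."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink carries no useful bits; its target is audited where it lives
            entries.append(Entry(os.path.relpath(full, root),
                                 st.st_uid, st.st_gid, st.st_mode, st.st_nlink))
    return entries


def audit(entries, pseudoroot_uid, privileged_uids=PRIVILEGED_UIDS,
          privileged_gids=PRIVILEGED_GIDS):
    """Return (path, severity, reason) for each entry that weakens the jail.

    "fail"   = hands out more than pseudoroot's rights; the jail must not ship like this.
    "review" = a person should look at it before the account is handed over.
    """
    findings = []
    for e in entries:
        if stat.S_ISCHR(e.mode) or stat.S_ISBLK(e.mode):
            findings.append((e.path, "review", "device node inside the jail"))
            continue
        if not stat.S_ISREG(e.mode):
            continue  # fifos, sockets and the like carry no set-id semantics
        setuid = bool(e.mode & stat.S_ISUID)
        setgid = bool(e.mode & stat.S_ISGID)
        if setuid:
            if e.uid in privileged_uids:
                findings.append((e.path, "fail", f"setuid to privileged uid {e.uid}"))
            elif e.uid != pseudoroot_uid:
                findings.append((e.path, "review",
                                 f"setuid to uid {e.uid}, which is not pseudoroot"))
        if setgid and e.gid in privileged_gids:
            findings.append((e.path, "fail", f"setgid to privileged gid {e.gid}"))
        if (setuid or setgid) and e.nlink > 1:
            # Same inode, another name: that other name may well be outside the jail.
            findings.append((e.path, "review",
                             f"set-id file has {e.nlink} links; check where the other names are"))
    return findings


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} JAIL_ROOT PSEUDOROOT_UID", file=sys.stderr)
        return 2
    findings = audit(scan(argv[1]), int(argv[2]))
    for path, severity, reason in findings:
        print(f"{severity}: {path}: {reason}")
    return 1 if any(sev == "fail" for _, sev, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check speaks only to what is in the tree. It says nothing about whether a binary is correct, and, as Garance notes, daemons that must run as root (lpd) cannot be exercised under a non-privileged pseudoroot at all. A hard link shares the original's inode, so a link to a setuid-root binary on the same filesystem is already caught by the uid test; the nlink test covers the other direction, a set-id file inside the jail that also has a name elsewhere.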