From owner-freebsd-security Sun Nov 7 4:31:51 1999
Date: Sun, 7 Nov 1999 11:30:39 +0100 (CET)
From: nessuno
To: freebsd-security@FreeBSD.ORG
Subject: subscribe freebsd-security lordo@itapac.net

subscribe freebsd-security lordo@itapac.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 7 4:41:59 1999
To: "Kenneth D. Merry"
Cc: jlemon@americantv.com (Jonathan Lemon), current@freebsd.org
Subject: Re: TCP sockets stuck in the CLOSING state
References: <199911052219.PAA01743@panzer.kdm.org>
From: Dag-Erling Smorgrav
Date: 07 Nov 1999 13:41:48 +0100
In-Reply-To: "Kenneth D. Merry"'s message of "Fri, 5 Nov 1999 15:19:41 -0700 (MST)"

[bringing this back to -current, with a Bcc to -security]

"Kenneth D. Merry" writes:
> Jonathan Lemon wrote...
> > In article you write:
> > > Before I spend a lot of time hunting this down, I figured it might be worth
> > > asking -- is there any particular reason why TCP sockets may be getting
> > > stuck in the CLOSING state more often now?
> > Not sure. But here's a tcpdump trace of a socket that ends up in the
> > CLOSING state. (on the host ``cache'').
> > [...]
> > 1. the other end (folly) never acks the FIN. The packets at
> > timestamp .492154 and .492160 do not cover the FIN in the
> > sequence space. Yet the host `folly' closes the socket.

This is weird, and probably deserves some investigation (at least if
cache and folly are on the same LAN; otherwise there's a non-zero
possibility of the ACK simply getting lost on the way)

> > 2. the end that is stuck in CLOSING (cache) never retransmits
> > the FIN. (The tcpdump extends for about 5 minutes after the
> > last packet, with 0 packets lost).

It's not supposed to (according to RFC793).

> > Both machines are running -current from early this week.
>
> Those are definitely odd.
>
> After looking through the changes since June, I think (and DES seems to
> agree) that the problems are most likely in your timeout code from August.
> Most every other change in the TCP stack has been cosmetic, or #ifdefed, so
> it wouldn't be enabled by default.
>
> He is going to try to find the problem, although it's most likely a pretty
> subtle bug.
Well, the TCP state machine was never a fun read, and I haven't had time
to look very closely at the problem yet, but it seems that there is no
way for a connection to leave the TCPS_CLOSING state other than the
receipt of an ACK matching a previously sent FIN. If the ACK gets lost,
the connection is stuck in TCPS_CLOSING forever (I have a connection
that's been stuck in TCPS_CLOSING for at least three days now).

The only instance I can find where a connection in TCPS_CLOSING state is
closed even if no ACK has been received is when the socket has the
SO_KEEPALIVE option set (tcp_timer_keep() in tcp_timer.c).

Note that the state transition diagram in RFC793 does not specify a
timeout for the CLOSING -> TIME_WAIT transition, so any faithful
implementation of RFC793 has this bug (but why doesn't this happen on
-STABLE, or on pre-August -CURRENT?)

This hints at a potential DoS vulnerability. Hack a TCP stack to never
acknowledge FIN segments, and blast away at your victim; chances are
he'll run out of mbufs before you run out of source ports (each source
port can only be used once in the attack). Give me a few hours and I
might be able to verify this vulnerability experimentally.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
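Following up DES's analysis, an added example that is not part of the thread or of FreeBSD: a small C tool that counts the sockets `netstat -an` reports in CLOSING per remote host, so an operator can see when one peer is leaving connections parked in that state. The addresses, netstat lines and the threshold are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread): tally TCP sockets that `netstat -an`
 * reports in the CLOSING state, per remote host.  A connection only leaves
 * CLOSING when the peer's ACK of our FIN arrives, so a peer parking many of
 * our sockets there is worth a look.  Sample lines below are constructed,
 * in FreeBSD's "address.port" column format. */

#define MAX_PEERS 64
#define ADDR_LEN  64

struct peer_count { char host[ADDR_LEN]; int closing; };

/* Parse one netstat line.  Returns 1 and copies the remote host (port
 * stripped) into `host` if it is a TCP socket in CLOSING; 0 for header
 * lines, other protocols and other states. */
int parse_closing_line(const char *line, char *host, size_t hostlen)
{
    char proto[16], local[ADDR_LEN], foreign[ADDR_LEN], state[32];
    long rq, sq;
    if (sscanf(line, "%15s %ld %ld %63s %63s %31s",
               proto, &rq, &sq, local, foreign, state) != 6)
        return 0;
    if (strncmp(proto, "tcp", 3) != 0 || strcmp(state, "CLOSING") != 0)
        return 0;
    char *dot = strrchr(foreign, '.');      /* BSD prints "addr.port" */
    if (dot != NULL) *dot = '\0';
    snprintf(host, hostlen, "%s", foreign);
    return 1;
}

/* Count CLOSING sockets per remote host over a block of netstat output.
 * Returns the number of distinct hosts recorded in `peers`. */
int count_closing(const char *output, struct peer_count *peers, int max)
{
    int n = 0;
    for (const char *p = output; *p != '\0'; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        char line[256], host[ADDR_LEN];
        if (len < sizeof line) {
            memcpy(line, p, len); line[len] = '\0';
            if (parse_closing_line(line, host, sizeof host)) {
                int i = 0;
                while (i < n && strcmp(peers[i].host, host) != 0) i++;
                if (i == n && n < max) {        /* first sighting of host */
                    snprintf(peers[n].host, ADDR_LEN, "%s", host);
                    peers[n++].closing = 0;
                }
                if (i < n) peers[i].closing++;
            }
        }
        if (nl == NULL) break;
        p = nl + 1;
    }
    return n;
}

/* Print and return how many hosts hold at least `threshold` CLOSING sockets. */
int flag_peers(const struct peer_count *peers, int n, int threshold)
{
    int flagged = 0;
    for (int i = 0; i < n; i++)
        if (peers[i].closing >= threshold) {
            printf("%s holds %d sockets in CLOSING\n", peers[i].host, peers[i].closing);
            flagged++;
        }
    return flagged;
}

/* Constructed sample of `netstat -an` output. */
static const char sample_netstat[] =
    "Active Internet connections (including servers)\n"
    "Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)\n"
    "tcp4       0      0  192.0.2.10.80          198.51.100.7.40001     CLOSING\n"
    "tcp4       0      0  192.0.2.10.80          198.51.100.7.40002     CLOSING\n"
    "tcp4       0      0  192.0.2.10.80          198.51.100.7.40003     CLOSING\n"
    "tcp4       0      0  192.0.2.10.22          203.0.113.5.51234      ESTABLISHED\n"
    "tcp4       0      0  192.0.2.10.80          203.0.113.9.60001      CLOSING\n"
    "tcp4       0      0  *.22                   *.*                    LISTEN\n"
    "udp4       0      0  *.514                  *.*\n";

/* CLOSING count for `host` in `output`, or -1 if it has none. */
int closing_for(const char *output, const char *host)
{
    struct peer_count peers[MAX_PEERS];
    int n = count_closing(output, peers, MAX_PEERS);
    for (int i = 0; i < n; i++)
        if (strcmp(peers[i].host, host) == 0)
            return peers[i].closing;
    return -1;
}

/* Number of hosts in `output` holding at least `threshold` CLOSING sockets. */
int flagged_in(const char *output, int threshold)
{
    struct peer_count peers[MAX_PEERS];
    int n = count_closing(output, peers, MAX_PEERS);
    return flag_peers(peers, n, threshold);
}
```

Against a live box, read the output of `netstat -an` into a buffer and hand it to count_closing(); as DES notes, SO_KEEPALIVE on the server's sockets is what eventually reaps such connections.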
From owner-freebsd-security Sun Nov 7 6:03:27 1999
Date: Sun, 7 Nov 1999 13:02:14 +0100 (CET)
From: jack
To: freebsd-security@FreeBSD.ORG
Subject: subscribe freebsd-security

subscribe freebsd-security

From owner-freebsd-security Sun Nov 7 7:01:48 1999
Message-ID: <64003B21ECCAD11185C500805F31EC0304621B1F@houston.matchlogic.com>
From: Charles Randall
To: Alexandr Gribenko, security@freebsd.org, QuestionsBSD
Subject: RE: Encrypted HDD
Date: Sun, 7 Nov 1999 08:01:36 -0700

There's CFS in ports. This came up in July, here's the answer that was
given then,

http://x33.deja.com/getdoc.xp?AN=498881531

Charles

-----Original Message-----
From: Alexandr Gribenko [mailto:aeg@iname.com]
Sent: Sunday, November 07, 1999 12:22 AM
To: security@freebsd.org; QuestionsBSD
Subject: Encrypted HDD

Has anyone tried/seen something like this on FreeBSD BOX??
I am not paranoid, I am just creating VERY public FreeBSD server, anyone
have access to the box itself
I used all my ideas like loading splash screen and setting timeout to 1
second ;o)
the idea is to disable access to file systems by loading from fixit/other
floppy
Do not recommend me to remove FDD driver, I did it ;o)
I do have a backup ;o)
The problem is that it is too public (Da school man ;o)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

From owner-freebsd-security Sun Nov 7 9:06:47 1999
Date: Sun, 7 Nov 1999 11:01:25 -0600 (CST)
From: James Wyatt
To: Alexandr Gribenko
Cc: security@freebsd.org, QuestionsBSD
Subject: Physical security hints (Was: Encrypted HDD)

On Sun, 7 Nov 1999, Alexandr Gribenko wrote:
> Has anyone tried/seen something like this on FreeBSD BOX??
> I am not paranoid, I am just creating VERY public FreeBSD server, anyone
> have access to the box itself
> I used all my ideas like loading splash screen and setting timeout to 1
> second ;o)
> the idea is to disable access to file systems by loading from fixit/other
> floppy
> Do not recommend me to remove FDD driver, I did it ;o)
> I do have a backup ;o)
> The problem is that it is too public (Da school man ;o)

Like everyone says: "You can't stop the determined individual in the
right circumstances." That said, you can do a few things:

1) See if you can secure the case
1a) I'm guessing that buying a secure case is too expensive here.
1b) If you can find a system the university (or a company) is tossing
    that they bought a secure case or case lock for, gut the case and
    replace its guts with your favorites or move the lock to your case.
1c) Last resort: Replace case screws with Torx (or other) 'security
    screws'. 'They' can get the tool at Home Depot or an auto supply, but
    it is better than Phillips or 'standard' screws, which most techie
    pocket knives will usually take care of.

2) Remove the knobs on the front
2a) If there is a 'keylock' key switch on the front, use it for reset.
2b) If there is a reset or power-off button, disconnect it.
2c) Set the BIOS to always-on and ignore-front-switch.
2d) If there is a power switch on front, bypass it or superglue it on.

3) Set the BIOS to discourage tampering
3a) Password protect the BIOS; the rest of these kinda depend on it. Put
    the password on a folded sticky note inside so you don't have to lose
    the settings if you forget.
    If they can read the note sealed in the machine, they can reset the
    password anyway.
3b) Set it to boot from wd0/ATAPI before fd0/floppy. If you can't, set it
    to swap the fd0/fd1 drives. Floppy still usable, but not bootable.
3c) Disable any network or CDROM boot.

All this stuff is OS neutral for kiosks and such, the FreeBSD points are
more tricky and should cover the fact they can still reach the power cord
in the back. Has anyone been able to make network booting work for
FreeBSD? - Jy@

From owner-freebsd-security Sun Nov 7 9:59:02 1999
Date: Sun, 7 Nov 1999 12:58:58 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: freebsd-security@freebsd.org
Subject: Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on signal 4

Noticed this in my system log:

Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on signal 4

This doesn't normally happen and is a bit concerning.

fledge:~> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fledge.watson.org ESMTP Sendmail 8.9.3/8.9.3; Sun, 7 Nov 1999 12:27:54 -0500 (EST)

Which is the default version shipped in 3.3-RELEASE (or at least, this is
currently a vanilla 3.3-RELEASE box :-). I'm concerned this could be a
buffer-based attack, but don't see any of the signs of a successful
compromise. Also, there were no signs of a scan of other open ports at
the time. Has anyone else seen any of these lately?

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Sun Nov 7 10:35:37 1999
Message-ID: <19991107183534.5193.qmail@hotmail.com>
From: "skalir scalar"
To: freebsd-security@freebsd.org
Subject: file name with questions - rm on it seg faults!!!
Date: Sun, 07 Nov 1999 09:35:34 AKST

some fool on my system which I have removed but not his home
directory had this in it:

(root@hidden)[hidden]% ls -a
?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!?    .    ..
(root@hidden)[hidden]% rm -Rf *YOUR*
Segmentation fault (core dumped)

so how the fuck can I remove it?

thx!

From owner-freebsd-security Sun Nov 7 12:06:14 1999
Date: Sun, 7 Nov 1999 15:05:42 -0500 (EST)
From: Matt Behrens
To: freebsd-security@FreeBSD.ORG
Subject: Re: file name with questions - rm on it seg faults!!!
In-Reply-To: <19991107183534.5193.qmail@hotmail.com>

On Sun, 7 Nov 1999, skalir scalar wrote:

: some fool on my system which I have removed but not his home
: directory had this in it:
:
: (root@hidden)[hidden]% ls -a
: ?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!?    .    ..
: (root@hidden)[hidden]% rm -Rf *YOUR*
: Segmentation fault (core dumped)
:
: so how the fuck can I remove it?
:
: thx!

Hardly seems security-related. Would have been much better asked
in -questions, and sans profanity (it sure doesn't seem like a
situation where profanity is called for.)

First of all, since

touch '?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!?'

creates this file, it's logical to presume that

rm '?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!?'

would also remove it (which it did). But I had no problems with rm
*YOUR* either. I didn't try -Rf because that was silly; there were no
permissions problems requiring the force flag, and being a file
recursively deleting it seemed rather silly as well.

I would wager that your segfault came as a result of an rm binary
built at some point on a machine with faulty memory. Mine came from
3.3-STABLE as of a week or two ago and had no such problem.
Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network

From owner-freebsd-security Sun Nov 7 14:30:31 1999
Date: Sun, 7 Nov 1999 14:04:20 -0800
From: Chris Piazza
To: Matt Behrens
Cc: freebsd-security@FreeBSD.ORG, skalir scalar
Subject: Re: file name with questions - rm on it seg faults!!!
Message-ID: <19991107140420.A6070@norn.ca.eu.org>
References: <19991107183534.5193.qmail@hotmail.com>

On Sun, Nov 07, 1999 at 03:05:42PM -0500, Matt Behrens wrote:
> On Sun, 7 Nov 1999, skalir scalar wrote:
>
> : some fool on my system which I have removed but not his home
> : directory had this in it:
> :
> : (root@hidden)[hidden]% ls -a
> : ?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!?    .    ..
> : (root@hidden)[hidden]% rm -Rf *YOUR*
> : Segmentation fault (core dumped)
> :
> : so how the fuck can I remove it?
> :
> : thx!
>
> Hardly seems security-related. Would have been much better asked
> in -questions, and sans profanity (it sure doesn't seem like a
> situation where profanity is called for.)

Actually this does have some relevance to -security; it's created by the
exploit outlined in

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:05.fts.asc

See
http://www.freebsd.org/cgi/getmsg.cgi?fetch=89776+0+/usr/local/www/db/text/1999/freebsd-security/19990905.freebsd-security
and click the 'next in thread' link there.

I'd suggest that he updates his machine to 3.3-RELEASE or -STABLE...

> First of all, since
>
> touch '?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!?'
>
> creates this file, it's logical to presume that
>

The actual problem is the directory tree beneath that. The fact that
it's still called "YOUR PUBLIC SSH1 KEY..." is a pretty good example of
a script kiddie who can't even read instructions :-).
-Chris
--
cpiazza@home.net cpiazza@FreeBSD.org
Abbotsford, BC, Canada

From owner-freebsd-security Sun Nov 7 17:29:13 1999
Date: Sun, 7 Nov 1999 17:43:22 -0500 (EST)
From: Brian Fundakowski Feldman
To: Matt Behrens
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: file name with questions - rm on it seg faults!!!

Actually, the problem is fts(3) being broken. Use my little program for
this situation over at http://www.freebsd.org/~green/deltree.c

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
  green@FreeBSD.org                   `------------------------------'

From owner-freebsd-security Sun Nov 7 18:06:01 1999
Date: Sun, 7 Nov 1999 21:05:57 -0500 (EST)
From: matt
To: Brian Fundakowski Feldman
Cc: Matt Behrens, freebsd-security@FreeBSD.ORG
Subject: Re: file name with questions - rm on it seg faults!!!

This is the same 'bug' that find had w/ the possible exploit via the
periodic program, correct? I remember this being discussed but did not
recall seeing it applied to 'rm' .. BTW, Somewhere down the line, the
original author's email address was lost in the cc's.. Oh well..

-Matt

On Sun, 7 Nov 1999, Brian Fundakowski Feldman wrote:

: Actually, the problem is fts(3) being broken. Use my little program for
: this situation over at http://www.freebsd.org/~green/deltree.c
:
: --
:  Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
:   green@FreeBSD.org                   `------------------------------'
:

--
"If the primates that we came from had known that someday politicians
would come out of the...the gene pool, they'd a stayed up in the trees
and written evolution off as a bad idea. Hell, I always thought the
opposable thumb was overrated."
                                        -Sheridan, "A Distant Star"

From owner-freebsd-security Sun Nov 7 18:59:20 1999
Date: Sun, 7 Nov 1999 21:53:41 -0500 (EST)
From: Brian Fundakowski Feldman
To: matt
Cc: Matt Behrens, freebsd-security@FreeBSD.ORG
Subject: Re: file name with questions - rm on it seg faults!!!

On Sun, 7 Nov 1999, matt wrote:

> This is the same 'bug' that find had w/ the possible exploit via the
> periodic program, correct? I remember this being discussed but did not
> recall seeing it applied to 'rm' .. BTW, Somewhere down the line, the
> original author's email address was lost in the cc's.. Oh well..
>
> -Matt

That's correct, since they both use fts(3). I recall that it's still
not fixed; even in OpenBSD's source, it's better than ours getting
crashed, but it's still not fixed properly.

> On Sun, 7 Nov 1999, Brian Fundakowski Feldman wrote:
>
> : Actually, the problem is fts(3) being broken. Use my little program for
> : this situation over at http://www.freebsd.org/~green/deltree.c
> :
> : --
> :  Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
> :   green@FreeBSD.org                   `------------------------------'
> :
>
> --
> "If the primates that we came from had known that someday politicians
> would come out of the...the gene pool, they'd a stayed up in the trees
> and written evolution off as a bad idea. Hell, I always thought the
> opposable thumb was overrated."
>                                         -Sheridan, "A Distant Star"

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
  green@FreeBSD.org                   `------------------------------'

From owner-freebsd-security Sun Nov 7 19:42:31 1999
Date: Sun, 7 Nov 1999 22:41:45 -0500 (EST)
From: matt
To: Brian Fundakowski Feldman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: file name with questions - rm on it seg faults!!!

On Sun, 7 Nov 1999, Brian Fundakowski Feldman wrote:

[.snip.]
: That's correct, since they both use fts(3). I recall that it's still
: not fixed; even in OpenBSD's source, it's better than ours getting
: crashed, but it's still not fixed properly.

By 'not fixed' do you mean that the problem is not "properly" fixed, or
that the vulnerability is still there?

[.snip.]
: --
:  Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
:   green@FreeBSD.org                   `------------------------------'

--
"If the primates that we came from had known that someday politicians
would come out of the...the gene pool, they'd a stayed up in the trees
and written evolution off as a bad idea. Hell, I always thought the
opposable thumb was overrated."
                                        -Sheridan, "A Distant Star"
From owner-freebsd-security Sun Nov 7 22:27:04 1999
From: "Crist J. Clark"
Message-Id: <199911080630.BAA37270@cc942873-a.ewndsr1.nj.home.com>
Subject: Using Tripwire
To: freebsd-security@freebsd.org
Date: Mon, 8 Nov 1999 01:30:32 -0500 (EST)
Reply-To: cjclark@home.com

I am finally getting around to configuring tripwire since we plan on
exposing more of our mailserver to the Big, Bad Internet. I had installed
tripwire, but never really got into configuring it. I have been looking
at the manpages and the default/example tw.config that the port includes.
There are a few things that I have not been able to figure out how to do
(if they can be done).

Is there a way to look a certain _depth_ into a directory tree? For
example, I want to do something like this,

/home           R
=/home/user1    +pigun
=/home/user2    +pigun
.
.
.

That is, in the /home filesystem, I want to watch for new things
appearing/disappearing at the 'user level' and make sure that individual
user's home dirs do not get permissions or ownership changed. Is there a
way within tripwire to generate the /home/user1, /home/user2, etc.
listing without doing it myself and so it can be made to self-update
properly?

Finally, I am having trouble tracking down more complete tripwire
documentation. A quick web search fills up with info on the commercial
2.x versions. Hard to tell what is "new and improved" and what applies to
the old freeware version in those. Can anyone point me in the right
direction for tripwire version 1.2 docs beyond the manpages?

Oh, and as for the manpages, tw.config(5) references a twconvert(8) page
which does not exist on my system or in the tripwire package contents.
And the siggen(8) manpage (which has headers saying "SIGFETCH(8)") is not
referenced by tripwire(8); I only found it looking for twconvert(8) in
the package list.
Would that be a ports PR? Or is this not gonna get fixed?

Wait, one other thing I just remembered, I guess if you are running
tripwire, the portion of the default security check that searches for
changed set[ug]id files is redundant (depending on your tripwire config,
other checks may be redundant too). Anyone have a modified script to
offer up? Is that a good place to run tripwire from?
--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Mon Nov 8 1:11:54 1999
Date: Mon, 8 Nov 1999 12:02:32 +0300
From: Alexey Zelkin
To: nessuno
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: subscribe freebsd-security lordo@itapac.net
Message-ID: <19991108120232.B3560@scorpion.crimea.ua>

hi,

On Sun, Nov 07, 1999 at 11:30:39AM +0100, nessuno wrote:
> subscribe freebsd-security lordo@itapac.net

Please read the following document before sending anything to FreeBSD
mail lists:

http://www.FreeBSD.org/handbook/eresources.html#ERESOURCES-SUBSCRIBE

Thanks!

--
/* Alexey Zelkin                       && phantom@cris.net     */
/* Tavric National University          && phantom@crimea.edu   */
/* http://www.ccssu.crimea.ua/~phantom && phantom@FreeBSD.org  */

From owner-freebsd-security Mon Nov 8 3:43:45 1999
Date: Mon, 8 Nov 1999 22:43:48 +1100 (EST)
From: Ian Smith
To: security@freebsd.org
Subject: Port 1243 scans

Hi folks,

The last two days we've had several attempted scans of tcp port 1243
from two systems in our locality, presumably over our /26 subnet. This
seems to be their only port of interest; I only noticed it due to their
having scanned unallocated addresses to which ipfw logs access attempts.

What are they looking for? Is this one of these Netbus/BO things? We do
have Windoze boxes on the LAN, as some with local knowledge would know;
I guess I'll have to bolt down ports that wouldn't worry freebsd boxes.

To save asking more silly questions, is there a list of ports used by
various nasties somewhere out there (not in /etc/services, obviously).

If it matters, this is a 2.2.6-RELEASE box with known security fixes,
soon to be upgraded to 3.3, once the airmail arrives.

Cheers, Ian

From owner-freebsd-security Mon Nov 8 5:47:04 1999
Date: Mon, 8 Nov 1999 08:46:57 -0500 (EST)
From: Eric Wayte
To: Ian Smith
Cc: security@freebsd.org
Subject: Re: Port 1243 scans
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

A complete list of assigned port numbers can be found at:

http://www.faqs.org/rfcs/rfc1700.html
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

It appears that 1243 is unassigned.

Good luck,
Eric Wayte, DBA
Univ. of Central Florida
ewayte@pegasus.cc.ucf.edu

On Mon, 8 Nov 1999, Ian Smith wrote:

> Date: Mon, 8 Nov 1999 22:43:48 +1100 (EST)
> From: Ian Smith
> To: security@freebsd.org
> Subject: Port 1243 scans
>
> Hi folks,
>
> The last two days we've had several attempted scans of tcp port 1243
> from two systems in our locality, presumably over our /26 subnet. This
> seems to be their only port of interest; I only noticed it due to their
> having scanned unallocated addresses to which ipfw logs access attempts.
>
> What are they looking for? Is this one of these Netbus/BO things? We do
> have Windoze boxes on the LAN, as some with local knowledge would know;
> I guess I'll have to bolt down ports that wouldn't worry freebsd boxes.
>
> To save asking more silly questions, is there a list of ports used by
> various nasties somewhere out there (not in /etc/services, obviously).
>
> If it matters, this is a 2.2.6-RELEASE box with known security fixes,
> soon to be upgraded to 3.3, once the airmail arrives.
>
> Cheers, Ian
>

From owner-freebsd-security Mon Nov 8 10:12:49 1999
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 23DDA15260 for ; Mon, 8 Nov 1999 10:12:43 -0800 (PST) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.0) with SMTP id FAA12260; Tue, 9 Nov 1999 05:12:31 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Tue, 9 Nov 1999 05:12:30 +1100 (EST)
From: Ian Smith
Reply-To: Ian Smith
To: Eric Wayte
Cc: security@freebsd.org
Subject: Re: Port 1243 scans
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 8 Nov 1999, Eric Wayte wrote:

> A complete list of assigned port numbers can be found at:
>
> http://www.faqs.org/rfcs/rfc1700.html
> ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

Thanks Eric, useful; hard to beat Postel's docs for clarity, and the latter is current as of November 5th. However ..

> It appears that 1243 is unassigned.

Thought it might be :-) Now blocked and logged, but I'm still curious.

Cheers, Ian

From owner-freebsd-security Mon Nov 8 10:19:24 1999
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 24505152BA for ; Mon, 8 Nov 1999 10:19:11 -0800 (PST) (envelope-from danderse@faith.cs.utah.edu)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id LAA09387; Mon, 8 Nov 1999 11:18:31 -0700 (MST)
From: David G Andersen
Message-Id: <199911081818.LAA09387@faith.cs.utah.edu>
Subject: Re: Port 1243 scans
To: smithi@nimnet.asn.au
Date: Mon, 8 Nov 1999 11:18:31 -0700 (MST)
Cc: ewayte@pegasus.cc.ucf.edu, security@FreeBSD.ORG
In-Reply-To: from "Ian Smith" at Nov 9, 99 05:12:30 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Right. What you want instead is:

Well-known port numbers for trojan horse programs:

http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

Unfortunately, 1243 doesn't appear to be used by anything in this list, either. Which is still useful information in and of itself. :) It's probably someone's customized thing, or an obscure program.

-Dave

Lo and behold, Ian Smith once said:
>
> On Mon, 8 Nov 1999, Eric Wayte wrote:
>
> > A complete list of assigned port numbers can be found at:
> >
> > http://www.faqs.org/rfcs/rfc1700.html
> > ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
>
> Thanks Eric, useful; hard to beat Postel's docs for clarity, and the
> latter is current as of November 5th. However ..
>
> > It appears that 1243 is unassigned.
>
> Thought it might be :-) Now blocked and logged, but I'm still curious.
>
> Cheers, Ian
>

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science      http://www.angio.net/

From owner-freebsd-security Mon Nov 8 10:30:46 1999
Received: from trooper.velocet.net (trooper.velocet.net [216.126.82.226]) by hub.freebsd.org (Postfix) with ESMTP id BEFA014C1E for ; Mon, 8 Nov 1999 10:30:42 -0800 (PST) (envelope-from dgilbert@trooper.velocet.net)
Received: (from dgilbert@localhost) by trooper.velocet.net (8.9.3/8.9.3) id NAA02623; Mon, 8 Nov 1999 13:30:41 -0500 (EST) (envelope-from dgilbert)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14375.5840.975982.927941@trooper.velocet.net>
Date: Mon, 8 Nov 1999 13:30:40 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: A new 'sploit?
X-Mailer: VM 6.75 under 20.4 "Emerald" XEmacs Lucid

On one of our client's servers, we found a directory structure full of alternating "Your public key (512-bit) goes here" and capital-A-repeated directory names. I assume the script kiddie should have replaced all the capital-A's with their public key. Inside these directories 'find.core' was linked to /root/.ssh/authorized_keys

Now... since my authorized_keys file is not overwritten, I gather that root processes don't drop core any longer? Maybe I have corefiles ulimited to 0.

Anyways... I'm still stuck with trying to remove this giant block of directories. Bash won't allow me to cd into them, but if I cd into them with sh, I can get all the way to the end. Once I'm in that last directory, if I try to run any command (any non-internal command), I get:

[1:\#:\!]\u@eve:\w> pwd | wc
wc: argument list too long
[1:\#:\!]\u@eve:\w> pwd >/tmp/foo
[1:\#:\!]\u@eve:\w> wc /tmp/foo
wc: argument list too long
[1:\#:\!]\u@eve:\w> echo *
find.core
[1:\#:\!]\u@eve:\w> rm fine.core
rm: argument list too long

FYI (I'm not going to include the whole file):

[1:19:319]root@eve:/usr/local/bin> wc /tmp/foo
     601    2701   87914 /tmp/foo
[1:20:320]root@eve:/usr/local/bin> head /tmp/foo
/u/adam/10622/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       |  Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they  |
|http://www.velocet.net/~dgilbert             |  are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Mon Nov 8 10:56:56 1999
Received: from gwia.umsmed.edu (adu.umsmed.edu [192.207.213.132]) by hub.freebsd.org (Postfix) with SMTP id 4887414C4C for ; Mon, 8 Nov 1999 10:56:45 -0800 (PST) (envelope-from rbelk@noc.umsmed.edu)
Received: from D1-Message_Server by gwia.umsmed.edu with Novell_GroupWise; Mon, 08 Nov 1999 12:56:45 -0600
X-Mailer: Novell GroupWise 5.5
Date: Mon, 08 Nov 1999 12:56:43 -0600
From: "Randy Belk"
Subject: auth d4a9cdf2 subscribe freebsd-security rbelk@noc.umsmed.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

auth d4a9cdf2 subscribe freebsd-security rbelk@noc.umsmed.edu

From owner-freebsd-security Mon Nov 8 11:17:03 1999
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 6689C14E7E for ; Mon, 8 Nov 1999 11:16:59 -0800 (PST) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id OAA13238; Mon, 8 Nov 1999 14:16:58 -0500 (EST)
Message-Id: <3.0.5.32.19991108141542.0181c690@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 08 Nov 1999 14:15:42 -0500
To: David Gilbert , freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: A new 'sploit?
In-Reply-To: <14375.5840.975982.927941@trooper.velocet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 01:30 PM 11/8/99 -0500, David Gilbert wrote:
>On one of our client's servers, we found a directory structure full of
>alternating Your public key (512-bit) goes here and
>capital-A-repeated directory names. I assume the script kiddie should
>have replaced all the capital-A's with their public key. Inside these
>directories 'find.core' was linked to /root/.ssh/authorized_keys

It is an 'old' exploit for the fts bug/hole. See the ongoing discussion "file name with questions - rm on it seg faults!!!" and

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:05.fts.asc

This does affect 2.2.x; however, if you cvsup RELENG_2_2 it is patched...

---Mike
------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400      Network Administrator, mike@sentex.net
Sentex Communications                 www.sentex.net
Cambridge, Ontario Canada

From owner-freebsd-security Mon Nov 8 11:38:44 1999
Received: from oracle.clara.net (oracle.clara.net [195.8.69.94]) by hub.freebsd.org (Postfix) with ESMTP id A4AC515277 for ; Mon, 8 Nov 1999 11:38:32 -0800 (PST) (envelope-from NOSPAMrichy@hunter13.com)
Received: from [195.8.86.207] (helo=unix.hunter13.lan ident=root) by oracle.clara.net with esmtp (Exim 2.12 #2) id 11kucY-000Ldm-00 for security@FreeBSD.ORG; Mon, 8 Nov 1999 19:38:31 +0000
Received: from rich.hunter13.lan (richy@rich.hunter13.lan [192.168.0.1]) by unix.hunter13.lan (8.9.3/8.9.3) with SMTP id TAA19533 for ; Mon, 8 Nov 1999 19:38:29 GMT (envelope-from NOSPAMrichy@hunter13.com)
From: Richard Yeardley
To: security@FreeBSD.ORG
Subject: Re: Port 1243 scans
Date: Mon, 08 Nov 1999 19:39:42 +0000
Organization: Hunter 13
Message-ID: <8yYnOPqvBeTUvzVjGPbHBD=XU=FC@4ax.com>
X-Mailer: Forte Agent 1.6/32.525
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

On Mon, 8 Nov 1999 22:43:48 +1100 (EST), Ian Smith wrote:

>Hi folks,
>
>The last two days we've had several attempted scans of tcp port 1243
>from two systems in our locality, presumably over our /26 subnet. This
>seems to be their only port of interest; I only noticed it due to their
>having scanned unallocated addresses to which ipfw logs access attempts.
>
>What are they looking for? Is this one of these Netbus/BO things? We do
>have Windoze boxes on the LAN, as some with local knowledge would know;
>I guess I'll have to bolt down ports that wouldn't worry freebsd boxes.
>
>To save asking more silly questions, is there a list of ports used by
>various nasties somewhere out there (not in /etc/services, obviously).
>
>If it matters, this is a 2.2.6-RELEASE box with known security fixes,
>soon to be upgraded to 3.3, once the airmail arrives.
>
>Cheers, Ian

I had a similar thing the other day - this time from two hosts at btinternet.com here in the UK. Perhaps it's a known port on one of the new chat apps - eg AOL Instant Messenger?

Rich.
-- 
FBSD3.3R : IBM PR233 : 64MB RAM : 4.3GB HD : V90 modem : NE2000 PCI
Apache 1.3.9+PHP 3.12 : named : socks5 v1.0r10 : ipfw : mysql 3.22
fetchmail 5.1.2 : qpopper 2.53 : procmail 3.13.1 : ircd 2.10.1

From owner-freebsd-security Mon Nov 8 11:46:36 1999
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 1F251152B2 for ; Mon, 8 Nov 1999 11:46:21 -0800 (PST) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.0) with SMTP id GAA14665; Tue, 9 Nov 1999 06:45:55 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Tue, 9 Nov 1999 06:45:55 +1100 (EST)
From: Ian Smith
Reply-To: Ian Smith
To: David G Andersen
Cc: ewayte@pegasus.cc.ucf.edu, security@FreeBSD.ORG
Subject: Re: Port 1243 scans
In-Reply-To: <199911081818.LAA09387@faith.cs.utah.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 8 Nov 1999, David G Andersen wrote:

> Right. What you want instead is:
>
> Well-known port numbers for trojan horse programs:
>
> http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
>
> Unfortunately, 1243 doesn't appear to be used by anything in this list,
> either. Which is still useful information in and of itself. :) It's
> probably someone's customized thing, or an obscure program.

Had a look at that, thank you David. Also had some email pointing to:

http://www.robertgraham.com/pubs/firewall-seen.html

which seems to contain a wealth of material on various port attacks:

  1243 Sub-7 Trojan Horse (TCP). This is a commonly seen scan looking for
  systems compromised by this trojan. Sub-Seven scans are becoming very
  frequent, primarily due to an easy-to-use scanner built-in to the client.

Thanks to all who helped. Now to find out who, how, and whether ..

Cheers, Ian

From owner-freebsd-security Mon Nov 8 11:55:13 1999
Received: from eyes.umd.edu (eyes.umd.edu [128.8.90.7]) by hub.freebsd.org (Postfix) with ESMTP id C922214D03 for ; Mon, 8 Nov 1999 11:55:02 -0800 (PST) (envelope-from cheiser@eyes.umd.edu)
Received: from localhost (cheiser@localhost) by eyes.umd.edu (8.9.3/8.9.3) with ESMTP id OAA99130; Mon, 8 Nov 1999 14:55:36 -0500 (EST) (envelope-from cheiser@eyes.umd.edu)
Date: Mon, 8 Nov 1999 14:55:35 -0500 (EST)
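The port 1243 thread above was settled by two things Ian already had in place: ipfw logging of hits on unallocated addresses, and the observation that one source touched many addresses on a single port. As an added example, written for this archive and not taken from any message in the thread, here is a small Python script that parses ipfw syslog lines in the classic `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <iface>` form and reports, per source, port sweeps across several destination addresses, counting how many of the targets have no host behind them. The log lines, the set of unallocated addresses and the threshold of three targets are all constructed for the example, using documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed ipfw log lines in the /var/log/messages form used by FreeBSD
# 2.2/3.x (example data, not lines from the thread).  198.51.100.7 walks a
# /29 looking for tcp/1243; the other lines are ordinary background traffic.
SAMPLE_LOG = """\
Nov  8 21:02:11 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.7:4411 203.0.113.1:1243 in via ed0
Nov  8 21:02:11 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.7:4412 203.0.113.2:1243 in via ed0
Nov  8 21:02:12 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.7:4413 203.0.113.3:1243 in via ed0
Nov  8 21:02:12 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.7:4414 203.0.113.4:1243 in via ed0
Nov  8 21:02:13 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.7:4415 203.0.113.5:1243 in via ed0
Nov  8 21:02:13 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.7:4416 203.0.113.6:1243 in via ed0
Nov  8 21:05:40 gaia /kernel: ipfw: 300 Accept TCP 192.0.2.44:1052 203.0.113.2:80 in via ed0
Nov  8 21:06:02 gaia /kernel: ipfw: 200 Deny UDP 192.0.2.77:137 203.0.113.2:137 in via ed0
Nov  8 21:07:15 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.9:1031 203.0.113.2:1243 in via ed0
Nov  8 21:07:16 gaia /kernel: ipfw: 200 Deny TCP 198.51.100.9:1032 203.0.113.2:1243 in via ed0
"""

# Addresses in the constructed /29 that have no host behind them.  A hit on
# one of these cannot be legitimate traffic, which is exactly what made the
# scan visible in the first place.
UNALLOCATED = frozenset({"203.0.113.3", "203.0.113.5"})

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_port_sweeps(lines, min_targets=3, unallocated=UNALLOCATED):
    """Group hits by (source, protocol, destination port) and report every
    group that touched at least `min_targets` distinct destination addresses.
    Each report carries the number of distinct targets and how many of them
    are unallocated addresses."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_ipfw(line)
        if rec is None:
            continue
        targets[(rec["src"], rec["proto"], rec["dport"])].add(rec["dst"])
    report = {}
    for key, dsts in targets.items():
        if len(dsts) >= min_targets:
            report[key] = {
                "targets": len(dsts),
                "unallocated": len(dsts & unallocated),
            }
    return report


if __name__ == "__main__":
    for (src, proto, dport), info in find_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} swept {proto}/{dport}: {info['targets']} hosts, "
              f"{info['unallocated']} of them unallocated")
```

Run against the constructed sample it reports only the sweep from 198.51.100.7 (six targets, two of them unallocated); the single-host repeats from 198.51.100.9 stay below the threshold, and the web and NetBIOS lines are never grouped with it because protocol and port are part of the key. Feeding it `grep ipfw /var/log/messages` on a box with a logging deny rule on unused addresses gives the same signal Ian got by eye.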
From: Chris Heiser
To: FreeBSD-announce@freeebsd.org, FreeBSD-security@freebsd.org
Subject: subscribe
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

subscribe

From owner-freebsd-security Mon Nov 8 13:49:14 1999
Received: from inet.chip-web.com (adsl-63-195-43-53.dsl.snfc21.pacbell.net [63.195.43.53]) by hub.freebsd.org (Postfix) with SMTP id 6C6E614BCD for ; Mon, 8 Nov 1999 13:49:11 -0800 (PST) (envelope-from ludwigp@bigfoot.com)
Received: (qmail 11429 invoked from network); 8 Nov 1999 21:49:10 -0000
Received: from toy.chip-web.com (HELO bigfoot.com) (@172.16.1.30) by inet.chip-web.com with SMTP; 8 Nov 1999 21:49:10 -0000
Message-ID: <38274556.F118488B@bigfoot.com>
Date: Mon, 08 Nov 1999 13:49:10 -0800
From: Ludwig Pummer
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 3.3-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: David Gilbert
Cc: freebsd-security@freebsd.org
Subject: Re: A new 'sploit?
References: <14375.5840.975982.927941@trooper.velocet.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

David Gilbert wrote:
> I'm still stuck with trying to remove this giant block of
> directories. Bash won't allow me to cd into them, but if I cd into
> them with sh, I can get all the way to the end. Once I'm in that last
> directory, if I try to run any command (any non-internal command), I
> get:

> Subject: Re: how to remove directories made by the core-following-symlink test code?
> Date: Wed, 1 Sep 1999 03:49:54 +0200
> From: Harold Gutch
> To: Markus Holmberg , freebsd-security@FreeBSD.ORG
>
>
> On Wed, Sep 01, 1999 at 03:23:16AM +0200, Markus Holmberg wrote:
> > Wanted to test if the 2.2.8-STABLE production box here was vulnerable, so I
> > compiled and executed with the deep dir structure as a result..
> >
> > Am I missing something very trivial here, or how am I supposed to
> > remove the very deep directory structure that was made by the
> > core-follow-symlink test/exploit/whatever code?
> >
> > A normal "rm -rf " won't do it..
> >
> I had the same problem - my (quick) solution was something like
>
>     while true; do mv * a && cd a; done
>
> which would rename every directory to "a" (as every directory
> contains only a single subdirectory), which then could be removed
> with "rm -rf ".
>
> bye,
> Harold
>
> --
> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
> Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

From owner-freebsd-security Mon Nov 8 15:56:24 1999
Received: from cx47987-b.escnd1.sdca.home.com (cx47987-b.escnd1.sdca.home.com [24.0.175.250]) by hub.freebsd.org (Postfix) with ESMTP id C31B6153EC for ; Mon, 8 Nov 1999 15:56:15 -0800 (PST) (envelope-from larry@mail.interactivate.com)
Received: from cx47987-c (cx47987-c.escnd1.sdca.home.com [24.0.175.251]) by cx47987-b.escnd1.sdca.home.com (8.9.3/8.9.3) with ESMTP id PAA22468 for ; Mon, 8 Nov 1999 15:47:24 -0800 (PST) (envelope-from larry@mail.interactivate.com)
Message-Id: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>
X-Sender: larry@mail.interactivate.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Mon, 08 Nov 1999 15:57:01 -0800
To: security@FreeBSD.ORG
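Harold's rename loop, quoted above, works because every `mv` and `cd` is done relative to the current directory, so the full path, which is what overflowed in David's session, is never handed to the kernel. The same idea carried through in Python, as an added example that is not from any message in this thread: the tree is walked one directory descriptor at a time using the dir_fd forms of os.open, os.unlink and os.rmdir (openat/unlinkat semantics) and torn down from the bottom, so neither PATH_MAX nor the argument length ever matters. Symlinks such as the find.core link are unlinked, never followed, so the file they point at is untouched. build_deep_chain reproduces the shape of the tree from David's post in a temporary directory, with a decoy file standing in for /root/.ssh/authorized_keys; the directory names, the depth and the decoy are constructed for the example.

```python
import os
import stat
import tempfile

# The name seen in David's listing, alternated with a run of capital A's
# (constructed lengths; the real tree used longer runs).
KEY_NAME = "YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!"
LONG_NAME = "A" * 200

# Open a directory for reading without following a symlink sitting at that name.
O_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def build_deep_chain(top, depth, link_target):
    """Constructed reproduction of the tree from the post: `depth` nested
    directories with alternating long names and a symlink named find.core at
    the bottom.  Built one level at a time via dir_fd, so it works past PATH_MAX."""
    os.mkdir(top)
    fd = os.open(top, O_DIR)
    try:
        for level in range(depth):
            name = KEY_NAME if level % 2 == 0 else LONG_NAME
            os.mkdir(name, dir_fd=fd)
            child = os.open(name, O_DIR, dir_fd=fd)
            os.close(fd)
            fd = child
        os.symlink(link_target, "find.core", dir_fd=fd)
    finally:
        os.close(fd)


def remove_deep_tree(top):
    """Delete directory `top` and everything under it using only fd-relative
    syscalls.  Returns the number of entries removed.  Symlinks are removed as
    links and never followed.  One descriptor stays open per level being
    descended, so the depth cleared in one call is bounded by the process
    descriptor limit (ulimit -n)."""
    top = os.path.abspath(top)
    parent_fd = os.open(os.path.dirname(top), os.O_RDONLY | os.O_DIRECTORY)
    removed = 0
    # Stack of (fd of an open directory, its name inside its parent, parent fd).
    stack = [(os.open(os.path.basename(top), O_DIR, dir_fd=parent_fd),
              os.path.basename(top), parent_fd)]
    try:
        while stack:
            fd, name, pfd = stack[-1]
            subdir = None
            for entry in os.listdir(fd):
                st = os.stat(entry, dir_fd=fd, follow_symlinks=False)
                if stat.S_ISDIR(st.st_mode):
                    subdir = entry                 # descend before removing it
                else:
                    os.unlink(entry, dir_fd=fd)    # plain files and symlinks alike
                    removed += 1
            if subdir is None:
                stack.pop()
                os.close(fd)
                os.rmdir(name, dir_fd=pfd)         # now empty: drop it from its parent
                removed += 1
            else:
                stack.append((os.open(subdir, O_DIR, dir_fd=fd), subdir, fd))
    finally:
        for fd, _, _ in stack:
            os.close(fd)
        os.close(parent_fd)
    return removed


def demo(depth=120):
    """Build the constructed tree under a temp dir, remove it, and return
    (entries removed, top still present, decoy target still intact)."""
    base = tempfile.mkdtemp(prefix="fts-cleanup-")
    decoy = os.path.join(base, "authorized_keys.decoy")   # stands in for /root/.ssh/authorized_keys
    with open(decoy, "w") as f:
        f.write("sentinel\n")
    top = os.path.join(base, "10622")
    build_deep_chain(top, depth, decoy)
    removed = remove_deep_tree(top)
    with open(decoy) as f:
        intact = f.read() == "sentinel\n"
    os.unlink(decoy)
    os.rmdir(base)
    return removed, os.path.lexists(top), intact


if __name__ == "__main__":
    print(demo())
```

With the default depth the full path of the deepest entry is well over twenty thousand characters, far past what `rm`, `pwd` or `wc` could pass around in David's session, yet the removal never forms that path. The O_NOFOLLOW on every directory open and the follow_symlinks=False stat are the two places where a planted link would otherwise turn a cleanup into a write somewhere else.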
From: Lawrence Sica
Subject: Port 137 hitting my server
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

All,

I keep getting hits to port 137 on my server. I know this is a netbios thing, and am not running samba. The server in question is a webserver. I was wondering if there is any legitimate cause for this?

TIA,
Larry Sica

From owner-freebsd-security Mon Nov 8 16:27:26 1999
Received: from ruff.cs.jmu.edu (ruff.cs.jmu.edu [134.126.20.220]) by hub.freebsd.org (Postfix) with SMTP id 61B1814BFC for ; Mon, 8 Nov 1999 16:27:14 -0800 (PST) (envelope-from cazz@ruff.cs.jmu.edu)
Received: (qmail 1307 invoked by uid 522); 9 Nov 1999 00:27:02 -0000
Date: Mon, 8 Nov 1999 19:27:02 -0500
From: Brian
To: Lawrence Sica
Cc: security@FreeBSD.ORG
Subject: Re: Port 137 hitting my server
Message-ID: <19991108192702.A494@ruff.cs.jmu.edu>
References: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4us
In-Reply-To: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>; from Lawrence Sica on Mon, Nov 08, 1999 at 03:57:01PM -0800

> I keep getting hits to port 137 on my server. I know this is a
> netbios thing, and am not running samba. The server in question
> is a webserver. I was wondering if there is any legitimate cause for this?

sounds like someone has set up one of the zillion 'who is running a samba server on our network' cgi things. they are almost all icky.

at jmu, i get around 15 probes a minute from these things. i don't want to count how many times a millisecond i get probed by the 7500 machines on the single subnet i am attached to. (yes, 7500 machines on one subnet, almost all of them using M$ networking, and very few of them actually using the wins server.)

-b

From owner-freebsd-security Mon Nov 8 18:55:19 1999
Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id 4B12614CEF for ; Mon, 8 Nov 1999 18:55:16 -0800 (PST) (envelope-from cjohnson@palomine.net)
Received: (qmail 22487 invoked by uid 1000); 9 Nov 1999 02:55:15 -0000
Date: Mon, 8 Nov 1999 21:55:15 -0500
From: Chris Johnson
To: Lawrence Sica
Cc: security@FreeBSD.ORG
Subject: Re: Port 137 hitting my server
Message-ID: <19991108215515.A22452@palomine.net>
References: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>; from Lawrence Sica on Mon, Nov 08, 1999 at 03:57:01PM -0800

On Mon, Nov 08, 1999 at 03:57:01PM -0800, Lawrence Sica wrote:
> All,
>
> I keep getting hits to port 137 on my server. I know this is a netbios
> thing, and am not running samba. The server in question is a webserver. I
> was wondering if there is any legitimate cause for this?

I get zillions of these. I think that it's something that Windows does on its own, unbeknownst to the person at the controls. I don't think that anyone is intentionally probing anything.

Chris

From owner-freebsd-security Mon Nov 8 19:12:16 1999
Received: from mail.negativezero.com (mail.negativezero.com [208.179.42.2]) by hub.freebsd.org (Postfix) with SMTP id EF813152E9 for ; Mon, 8 Nov 1999 19:12:00 -0800 (PST) (envelope-from Mike@Zipoff.com)
Received: (qmail 10886 invoked from network); 9 Nov 1999 03:12:26 -0000
Received: from usimsptc11-209.usinternet.com (HELO jellyfish) (216.17.12.209) by mail.negativezero.com with SMTP; 9 Nov 1999 03:12:26 -0000
X-Sender: nz-zipoff@mail.negativezero.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Mon, 08 Nov 1999 21:07:33 -0700
To: security@FreeBSD.ORG, Chris Johnson , Lawrence Sica
From: Mike Uttech
Subject: Re: Port 137 hitting my server
In-Reply-To: <19991108215515.A22452@palomine.net>
References: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <19991109031211.EF813152E9@hub.freebsd.org>

This is caused by Internet Explorer 5. I remember running into this annoying situation and after blocking it at the routers I figured out that it was IE 5 doing it. I used to know why it was probing to see if NETBIOS was running, but at the moment, I cannot remember it.

Hope this helps,

At 07:55 PM 11/8/99 , Chris Johnson wrote:
>On Mon, Nov 08, 1999 at 03:57:01PM -0800, Lawrence Sica wrote:
>> All,
>>
>> I keep getting hits to port 137 on my server. I know this is a netbios
>> thing, and am not running samba. The server in question is a webserver. I
>> was wondering if there is any legitimate cause for this?
>
>I get zillions of these. I think that it's something that Windows does on its
>own, unbeknownst to the person at the controls. I don't think that anyone is
>intentionally probing anything.
>
>Chris
>

Mike Uttech                           Mike@zipoff.com
System Administration                 Phone: 612-420-9655
Pager: 612-538-3886 -or- Page@zipoff.com
Cell: 612-280-4327                    Icq: 107438

From owner-freebsd-security Mon Nov 8 19:54:23 1999
Received: from fgwmail2.fujitsu.co.jp (fgwmail2.fujitsu.co.jp [192.51.44.32]) by hub.freebsd.org (Postfix) with ESMTP id D9CE114E54; Mon, 8 Nov 1999 19:54:06 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp)
Received: from m3.gw.fujitsu.co.jp by fgwmail2.fujitsu.co.jp (8.9.3/3.7W-MX9910-Fujitsu Gateway) id MAA28010; Tue, 9 Nov 1999 12:54:02 +0900 (JST)
Received: from chisato.nd.net.fujitsu.co.jp by m3.gw.fujitsu.co.jp (8.9.3/3.7W-9910-Fujitsu Domain Master) id MAA11458; Tue, 9 Nov 1999 12:54:01 +0900 (JST)
Received: from localhost (dhcp7186.nd.net.fujitsu.co.jp [10.18.7.186]) by chisato.nd.net.fujitsu.co.jp (8.8.5+2.7Wbeta5/3.3W8chisato-970826) with ESMTP id MAA22597; Tue, 9 Nov 1999 12:54:00 +0900 (JST)
To: freebsd-hackers@freebsd.org, freebsd-security@FreeBSD.ORG
Subject: Should jail treat ip-number?
X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN)
X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <19991109125445E.shin@nd.net.fujitsu.co.jp>
Date: Tue, 09 Nov 1999 12:54:45 +0900
From: Yoshinobu Inoue
X-Dispatcher: imput version 990905(IM130)
Lines: 30

Hello,

I have some concerns about jail, and would like to discuss them.

Currently jail sets an ip-number and lets prisoned processes only bind to it.
My concerns are,

(1) When IPv6 is added to the system, a more general id would be desirable.

(2) What is the goal of the restriction?
    If physical level access protection is wanted, then specifying the interface name is a more general and certain way of achieving it. (Because when that ip-number is moved to another network interface, the restriction will move with it.)
    If some virtual network level protection is wanted, then specifying an ip-number is suitable, but I think a more general id should be used, such as a pointer to a sockaddr.

I think the kernel change will not be so much for any of the above additions or changes, but there will be some backward compatibility issues for the API. (some member addition to the jail structure, and jail command extensions)

Yoshinobu Inoue

From owner-freebsd-security Mon Nov 8 20:05:26 1999
Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (Postfix) with ESMTP id 809B714E54 for ; Mon, 8 Nov 1999 20:05:23 -0800 (PST) (envelope-from patl@phoenix.volant.org)
Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 11l2Wv-0002Zz-00; Mon, 8 Nov 1999 20:05:13 -0800
Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id UAA25343; Mon, 8 Nov 1999 20:05:08 -0800
Date: Mon, 8 Nov 1999 20:05:08 -0800 (PST)
From: patl@phoenix.volant.org
Reply-To: patl@phoenix.volant.org
Subject: Re: Port 137 hitting my server
To: Mike Uttech
Cc: security@FreeBSD.ORG, Chris Johnson , Lawrence Sica
In-Reply-To: <19991109031211.EF813152E9@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

On 8-Nov-99 at 19:13, Mike Uttech (Mike@Zipoff.com) wrote:
> This is caused by Internet Explorer 5. I remember running into this
> annoying situation and after blocking it at the routers I figured out that
> it was IE 5 doing it. I used to know why it was probing to see if NETBIOS
> was running, but at the moment, I cannot remember it.

It isn't just IE5; it seems to be Windows 95/98. My girlfriend's notebook generates them pretty much whenever it is running; and we've eliminated MSIE as much as possible on that machine in favor of Netscape.

I looked into it a while back; and the consensus was that they are harmless and not even worth logging.
-Pat

From owner-freebsd-security Mon Nov 8 20:14:32 1999
Received: from mail.pinboard.com (mail.pinboard.com [194.209.195.7]) by hub.freebsd.org (Postfix) with ESMTP id 5A9CA14D17 for ; Mon, 8 Nov 1999 20:14:28 -0800 (PST) (envelope-from HTS@pinboard.com)
Received: (from uucp@localhost) by mail.pinboard.com (8.9.1/8.9.1/19980920-01/KK) with UUCP id FAA04545; Tue, 9 Nov 1999 05:14:24 +0100 (CET) (envelope-from: HTS@pinboard.com)
Received: from beaver.pbdhome.pinboard.com (beaver.pbdhome.pinboard.com [192.168.0.7]) by squirrel.pbdhome.pinboard.com (8.9.1/8.9.1-19980817-01/KK) with SMTP id WAA17570; Mon, 8 Nov 1999 22:33:06 +0100 (CET) (envelope-from: HTS@pinboard.com)
Message-Id: <3.0.5.16.19991108213152.3aafc246@pop.pbdhome.pinboard.com>
Organization: PINBOARD - http://www.pinboard.com/
X-Sender: kurt@pop.pbdhome.pinboard.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (16)
Date: Mon, 08 Nov 1999 21:31:52 +0100
To: freebsd-security@freebsd.org
From: HTS
Subject: Re: Port 1243 scans
Cc: Ian Smith
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

> > It appears that 1243 is unassigned.
>
>Thought it might be :-) Now blocked and logged, but I'm still curious.

TCP/1243 apparently is being used by a NetBus clone called SubSeven.

Cheers!

From owner-freebsd-security Mon Nov 8 20:40:30 1999
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 88B5D1507E for ; Mon, 8 Nov 1999 20:40:26 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40371>; Tue, 9 Nov 1999 15:33:30 +1100
Content-return: prohibited
Date: Tue, 9 Nov 1999 15:39:18 +1100
From: Peter Jeremy
Subject: Re: Port 137 hitting my server
In-reply-to:
To: patl@phoenix.volant.org
Cc: security@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Nov9.153330est.40371@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0pre3i
Content-type: text/plain; charset=us-ascii
References: <19991109031211.EF813152E9@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 1999-Nov-09 15:05:08 +1100, patl@phoenix.volant.org wrote:
>I looked into it a while back; and the consensus was that they are
>harmless and not even worth logging.

Unless you're feeling particularly ornery, in which case you could write a daemon which responded with various ICMP messages (returning a network redirect to 127.0.0.1 should quieten the offending machine :-).

Peter

From owner-freebsd-security Mon Nov 8 22: 5:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id D9E9814A1F; Mon, 8 Nov 1999 22:05:33 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id HAA21884; Tue, 9 Nov 1999 07:05:17 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: Yoshinobu Inoue
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-reply-to: Your message of "Tue, 09 Nov 1999 12:54:45 +0900." <19991109125445E.shin@nd.net.fujitsu.co.jp>
Date: Tue, 09 Nov 1999 07:05:17 +0100
Message-ID: <21882.942127517@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19991109125445E.shin@nd.net.fujitsu.co.jp>, Yoshinobu Inoue writes:
>Hello,
>
>I have some concern about jail, and would like to discuss them.
>
>Currently jail set an ip-number and let prisoned processes
>only to bind it.
>My concerns are,
>
>(1)When IPv6 is added to the system, more general id would be
> desirable.

I agree, *IF* IPv6 ever becomes a reality, we will look at this.

>(2)What is the goal of the restriction?

To isolate people in the jail from the "real" machine and from other jails.

> If physical level access protection is wanted, it isn't.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Nov 8 23:53:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zibbi.mikom.csir.co.za (zibbi.mikom.csir.co.za [146.64.24.58]) by hub.freebsd.org (Postfix) with ESMTP id 1270B14D51; Mon, 8 Nov 1999 23:53:23 -0800 (PST) (envelope-from jhay@zibbi.mikom.csir.co.za)
Received: (from jhay@localhost) by zibbi.mikom.csir.co.za (8.9.3/8.9.3) id JAA89881; Tue, 9 Nov 1999 09:52:46 +0200 (SAT) (envelope-from jhay)
From: John Hay
Message-Id: <199911090752.JAA89881@zibbi.mikom.csir.co.za>
Subject: Re: Should jail treat ip-number?
In-Reply-To: <21882.942127517@critter.freebsd.dk> from Poul-Henning Kamp at "Nov 9, 1999 07:05:17 am"
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Tue, 9 Nov 1999 09:52:45 +0200 (SAT)
Cc: shin@nd.net.fujitsu.co.jp (Yoshinobu Inoue), freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >
> >I have some concern about jail, and would like to discuss them.
> >
> >Currently jail set an ip-number and let prisoned processes
> >only to bind it.
> >My concerns are,
> >
> >(1)When IPv6 is added to the system, more general id would be
> > desirable.
>
> I agree, *IF* IPv6 ever becomes a reality, we will look at this.

So when will you consider that it became a reality? :-) Or am I just dreaming that some operating systems and routers ship with IPv6 and that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and that we are in the process of getting Kame integrated into FreeBSD?
:-)

John
--
John Hay -- John.Hay@mikom.csir.co.za

From owner-freebsd-security Tue Nov 9 0: 4:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 1B43714DB2; Tue, 9 Nov 1999 00:04:47 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id JAA22240; Tue, 9 Nov 1999 09:03:53 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: John Hay
Cc: shin@nd.net.fujitsu.co.jp (Yoshinobu Inoue), freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-reply-to: Your message of "Sat, 09 Nov 1999 09:52:45 +0200." <199911090752.JAA89881@zibbi.mikom.csir.co.za>
Date: Tue, 09 Nov 1999 09:03:53 +0100
Message-ID: <22238.942134633@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199911090752.JAA89881@zibbi.mikom.csir.co.za>, John Hay writes:
>> >My concerns are,
>> >
>> >(1)When IPv6 is added to the system, more general id would be
>> > desirable.
>>
>> I agree, *IF* IPv6 ever becomes a reality, we will look at this.
>
>So when will you consider that it became a reality? :-) Or am I just
>dreaming that some operating systems and routers ship with IPv6 and
>that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and
>that we are in the process of getting Kame integrated into FreeBSD? :-)

Once I have 50% or more of my users using IPv6 I'll consider it a reality.

So far IPv6 has gotten no further than OSI ever did.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Nov 9 0:25:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zibbi.mikom.csir.co.za (zibbi.mikom.csir.co.za [146.64.24.58]) by hub.freebsd.org (Postfix) with ESMTP id DEED014DB2; Tue, 9 Nov 1999 00:25:06 -0800 (PST) (envelope-from jhay@zibbi.mikom.csir.co.za)
Received: (from jhay@localhost) by zibbi.mikom.csir.co.za (8.9.3/8.9.3) id KAA90295; Tue, 9 Nov 1999 10:24:28 +0200 (SAT) (envelope-from jhay)
From: John Hay
Message-Id: <199911090824.KAA90295@zibbi.mikom.csir.co.za>
Subject: Re: Should jail treat ip-number?
In-Reply-To: <22238.942134633@critter.freebsd.dk> from Poul-Henning Kamp at "Nov 9, 1999 09:03:53 am"
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Tue, 9 Nov 1999 10:24:28 +0200 (SAT)
Cc: jhay@mikom.csir.co.za (John Hay), shin@nd.net.fujitsu.co.jp (Yoshinobu Inoue), freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >> >My concerns are,
> >> >
> >> >(1)When IPv6 is added to the system, more general id would be
> >> > desirable.
> >>
> >> I agree, *IF* IPv6 ever becomes a reality, we will look at this.
> >
> >So when will you consider that it became a reality? :-) Or am I just
> >dreaming that some operating systems and routers ship with IPv6 and
> >that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and
> >that we are in the process of getting Kame integrated into FreeBSD? :-)
>
> Once I have 50% or more of my users using IPv6 I'll consider it a
> reality.

hehehe, but your users will not move to IPv6, because they will say: "We are used to being able to use jail on IPv4 and you say we must wait until there is more than 50% of us using IPv6 before we will get jail for IPv6?". :-) And we can substitute whatever functionality for jail. If we want people to even think of moving to IPv6 we will have to make as much of FreeBSD's functionality work on there as possible.

>
> So far IPv6 has gotten no further than OSI ever did.

I think I was lucky to have mostly been screened from OSI, so I can't really compare them. IPv6 seems quite alive to me though.
John
--
John Hay -- John.Hay@mikom.csir.co.za

From owner-freebsd-security Tue Nov 9 0:30:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 7D67F14C22; Tue, 9 Nov 1999 00:30:35 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id JAA22400; Tue, 9 Nov 1999 09:29:12 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: John Hay
Cc: shin@nd.net.fujitsu.co.jp (Yoshinobu Inoue), freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-reply-to: Your message of "Sat, 09 Nov 1999 10:24:28 +0200." <199911090824.KAA90295@zibbi.mikom.csir.co.za>
Date: Tue, 09 Nov 1999 09:29:11 +0100
Message-ID: <22398.942136151@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199911090824.KAA90295@zibbi.mikom.csir.co.za>, John Hay writes:
>If we want
>people to even think of moving to IPv6 we will have to make as much
>of FreeBSD's functionality work on there as possible.

I personally do not see IPv6 as being desirable at this time.

It suffers from second systems syndrome and doesn't provide any benefit for the end-user so there is no incentive for users to upgrade.

>> So far IPv6 has gotten no further than OSI ever did.
>
>I think I was lucky to have mostly been screened from OSI, so I can't
>really compare them. IPv6 seems quite alive to me though.

Ohh, OSI was quite alive for a long time as well, until the government funded life-support was cut, then it evaporated overnight.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Nov 9 3:26:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sanson.reyes.somos.net (freyes.static.inch.com [207.240.212.43]) by hub.freebsd.org (Postfix) with ESMTP id C776214DA1 for ; Tue, 9 Nov 1999 03:26:06 -0800 (PST) (envelope-from fran@reyes.somos.net)
Received: from tomasa (tomasa.reyes.somos.net [10.0.0.11]) by sanson.reyes.somos.net (8.9.3/8.9.3) with SMTP id GAA79768 for ; Tue, 9 Nov 1999 06:24:21 -0500 (EST) (envelope-from fran@reyes.somos.net)
Message-Id: <199911091124.GAA79768@sanson.reyes.somos.net>
From: "Francisco Reyes"
To: "freebsd-security@freebsd.org"
Date: Tue, 09 Nov 1999 06:26:01 -0500
Reply-To: "Francisco Reyes"
X-Mailer: PMMail 98 Professional (2.01.1600) For Windows 98 (4.10.1998)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: How to secure local nntp server?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I recently switched from Dnews to Leafnode++ for my home nntp server (exactly 2 days ago). Today I got a note from someone telling me that my news server had been Hijacked. I immediately did a "deny log any to any 119" and removed leafnode from inetd. Sure enough I saw in the logs minutes later a computer trying to connect to my news server.

How can I secure my news server? I can't think of what rules to use with IPFW. Basically I want the server to be able to connect to external news servers, but only want my internal network to be able to read from it.

From owner-freebsd-security Tue Nov 9 4: 5:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id D5AA5151A7 for ; Tue, 9 Nov 1999 04:05:26 -0800 (PST) (envelope-from sthaug@nethelp.no)
Received: (qmail 58332 invoked by uid 1001); 9 Nov 1999 12:05:25 +0000 (GMT)
To: jhay@mikom.csir.co.za
Cc: phk@critter.freebsd.dk, shin@nd.net.fujitsu.co.jp, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
From: sthaug@nethelp.no
In-Reply-To: Your message of "Tue, 9 Nov 1999 09:52:45 +0200 (SAT)"
References: <199911090752.JAA89881@zibbi.mikom.csir.co.za>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 09 Nov 1999 13:05:25 +0100
Message-ID: <58330.942149125@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I agree, *IF* IPv6 ever becomes a reality, we will look at this.
>
> So when will you consider that it became a reality? :-) Or am I just
> dreaming that some operating systems and routers ship with IPv6 and
> that IANA, ARIN, APNIC and RIPE are dishing out IPv6 addresses and
> that we are in the process of getting Kame integrated into FreeBSD? :-)

When there are several Internet Exchange points with routers using non-tunneled IPv6, exchanging significant traffic?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Tue Nov 9 7:20:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mppsystems.com (dslmpp.pro-ns.net [208.210.148.205]) by hub.freebsd.org (Postfix) with ESMTP id 96196150F7 for ; Tue, 9 Nov 1999 07:20:34 -0800 (PST) (envelope-from mpp@mppsystems.com)
Received: (from mpp@localhost) by mppsystems.com (8.9.3/8.9.3) id GAA07316; Tue, 9 Nov 1999 06:03:20 -0600 (CST) (envelope-from mpp)
Date: Tue, 9 Nov 1999 06:03:20 -0600
From: Mike Pritchard
To: Lawrence Sica
Cc: security@FreeBSD.ORG
Subject: Re: Port 137 hitting my server
Message-ID: <19991109060320.B7018@mppsystems.com>
References: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <4.2.2.19991108155541.00bcba40@mail.interactivate.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Nov 08, 1999 at 03:57:01PM -0800, Lawrence Sica wrote:
> All,
>
> I keep getting hits to port 137 on my server. I know this is a netbios
> thing, and am not running samba. The server in question is a webserver. I
> was wondering any legitimate cause for this?

I've noticed a lot of these types of hits after playing around with alladvantage.com (get paid to surf the web!). I have no idea what they are looking for. At least from that particular web site, I haven't seen any real pattern to it, except that I see more of them after making use of their software.

-Mike
--
Mike Pritchard
mpp@FreeBSD.org or mpp@mppsystems.com

From owner-freebsd-security Tue Nov 9 7:47: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id D142514E03 for ; Tue, 9 Nov 1999 07:46:52 -0800 (PST) (envelope-from vlad@sandy.ru)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.12]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id SAA37541; Tue, 9 Nov 1999 18:43:00 +0300 (MSK)
Date: Tue, 9 Nov 1999 18:43:05 +0300
From: Vladimir Dubrovin
X-Mailer: The Bat! (v1.34) S/N D33CD428
Reply-To: Vladimir Dubrovin
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <3779.991109@sandy.ru>
To: Mike Pritchard
Cc: security@FreeBSD.ORG
Subject: Re[2]: Port 137 hitting my server
In-reply-To: <19991109060320.B7018@mppsystems.com>
References: <19991109060320.B7018@mppsystems.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Mike Pritchard,

09.11.99 15:03, you wrote: Port 137 hitting my server;

M> On Mon, Nov 08, 1999 at 03:57:01PM -0800, Lawrence Sica wrote:
>> All,
>>
>> I keep getting hits to port 137 on my server. I know this is a netbios
>> thing, and am not running samba. The server in question is a webserver. I
>> was wondering any legitimate cause for this?

M> I've noticed a lot of these types of hits after playing around
M> with alladvantage.com (get paid to surf the web!). I have no idea
M> what they are looking for. At least from that particular web site,
M> I haven't seen any real pattern to it, except that I see more of them
M> after making use of their software.

M> -Mike

UDP 137 is a port for NetBIOS name resolution. Microsoft realization for IP->name resolution includes both DNS and netbios resolution. Every time you connect to hosts running MS products (for example IIS) which resolve your IP, the host tries to resolve your NetBIOS name by sending a UDP packet to your 137 port. No one hacks you, it's ok ;)

You're wrong if you think only MS products do things like that. E.g. sendmail tries to check your name via the authorization (TCP 113) protocol.
With best regards,
Vladimir MCSE, MCP+I

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

From owner-freebsd-security Tue Nov 9 8: 0:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from indyio.rz.uni-sb.de (indyio.rz.uni-sb.de [134.96.7.3]) by hub.freebsd.org (Postfix) with ESMTP id 1B9EF14EF4 for ; Tue, 9 Nov 1999 08:00:41 -0800 (PST) (envelope-from netchild@Vodix.CS.Uni-SB.de)
Received: from mars.rz.uni-sb.de (ns0.rz.uni-sb.de [134.96.7.5]) by indyio.rz.uni-sb.de (8.9.3/8.9.3) with ESMTP id QAA10130779; Tue, 9 Nov 1999 16:59:54 +0100 (CET)
Received: from work.net.local (maxtnt-063.telip.uni-sb.de [134.96.70.190]) by mars.rz.uni-sb.de (8.8.8/8.8.4/8.8.2) with ESMTP id QAA09327; Tue, 9 Nov 1999 16:59:55 +0100 (CET)
Received: from Vodix.CS.Uni-SB.de (netchild@localhost.net.local [127.0.0.1]) by work.net.local (8.9.3/8.9.3) with ESMTP id QAA37804; Tue, 9 Nov 1999 16:38:50 +0100 (CET) (envelope-from netchild@Vodix.CS.Uni-SB.de)
Message-Id: <199911091538.QAA37804@work.net.local>
Date: Tue, 9 Nov 1999 16:38:49 +0100 (CET)
From: A.Leidinger@WJPServer.CS.Uni-SB.de
Subject: Re: How to secure local nntp server?
To: fran@reyes.somos.net
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199911091124.GAA79768@sanson.reyes.somos.net>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 9 Nov, Francisco Reyes wrote:
> How can I secure my news server?

In this case configure your /etc/hosts.allow properly (I assume you use a decent FreeBSD with tcpwrappers support).

Bye,
Alexander.

--
Apologies are so hard to give. Would you accept some potatoes instead?

http://netchild.home.pages.de A.Leidinger+Home @ WJPServer.CS.Uni-SB.de
Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E

From owner-freebsd-security Tue Nov 9 9:28:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fgwmail3.fujitsu.co.jp (fgwmail3.fujitsu.co.jp [192.51.44.33]) by hub.freebsd.org (Postfix) with ESMTP id 455A21509B; Tue, 9 Nov 1999 09:28:41 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp)
Received: from m3.gw.fujitsu.co.jp by fgwmail3.fujitsu.co.jp (8.9.3/3.7W-MX9910-Fujitsu Gateway) id CAA12659; Wed, 10 Nov 1999 02:28:07 +0900 (JST)
Received: from incapgw.fujitsu.co.jp by m3.gw.fujitsu.co.jp (8.9.3/3.7W-9910-Fujitsu Domain Master) id CAA21948; Wed, 10 Nov 1999 02:28:06 +0900 (JST)
Received: from localhost ([192.168.245.44]) by incapgw.fujitsu.co.jp (8.9.3/3.7W-9910) id CAA29305; Wed, 10 Nov 1999 02:28:04 +0900 (JST)
To: phk@critter.freebsd.dk
Cc: jhay@mikom.csir.co.za, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-Reply-To: <22398.942136151@critter.freebsd.dk>
References: <199911090824.KAA90295@zibbi.mikom.csir.co.za> <22398.942136151@critter.freebsd.dk> <22238.942134633@critter.freebsd.dk> <23737.942154864@critter.freebsd.dk>
X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN)
X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <19991110022852N.shin@nd.net.fujitsu.co.jp>
Date: Wed, 10 Nov 1999 02:28:52 +0900
From: Yoshinobu Inoue
X-Dispatcher: imput version 990905(IM130)
Lines: 47
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >> I agree, *IF* IPv6 ever becomes a reality, we will look at this.

Actually I just started to import KAME into freebsd-current, and found jail code in the kernel pcb part.

> >If we want
> >people to even think of moving to IPv6 we will have to make as much
> >of FreeBSD's functionality work on there as possible.

For just the same reason, I would like to make IPv6 available also for the jail functionality.

> I personally do not see IPv6 as being desirable at this time.
>
> It suffers from second systems syndrome and doesn't provide any
> benefit for the end-user so there is no incentive for users to
> upgrade.

But there are also some people like me who think IPv6 gives several benefits for the end-user that IPv4 can't give. Then do you think even such people should not update jail to support IPv6?

> >:>(2)What is the goal of the restriction?
> >
> >:To isolate people in the jail from the "real" machine and from
> >:other jails.
>
> 1. All tcp/ip forced to use a particular IP#. This allows you to have
> several inetd/sendmail/apache running, one per jail.

My imagination was poor, and thanks for your explanation. Now I have a new concern and comment.

(1) It seems to me that once an IP# is specified for a jail, then that IP# should not be re-specified for another jail. Is this true?

(2) If (1) is true, then the number of jails is restricted to the number of IP addresses assigned to that machine. Then IPv6 support for jail should be a very good thing, because extremely many IP addresses become available for a machine with IPv6.
(which is not so with IPv4)

Yoshinobu Inoue

From owner-freebsd-security Tue Nov 9 9:38:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id B147414C58; Tue, 9 Nov 1999 09:38:24 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id SAA24339; Tue, 9 Nov 1999 18:37:33 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: Yoshinobu Inoue
Cc: jhay@mikom.csir.co.za, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-reply-to: Your message of "Wed, 10 Nov 1999 02:28:52 +0900." <19991110022852N.shin@nd.net.fujitsu.co.jp>
Date: Tue, 09 Nov 1999 18:37:32 +0100
Message-ID: <24337.942169052@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19991110022852N.shin@nd.net.fujitsu.co.jp>, Yoshinobu Inoue writes:
>(1)It seems to me that once an IP# is specified for a jail,
> then that IP# should not be re-specified for another jail.
> Is this true?

Generally yes, although nothing in the code tries to (nor should it try to) enforce it.

>(2)If (1) is true, then number of jail is restricted to the
> number of IP address assigned to that machine.
> Then IPv6 support for jail should be very good thing,
> because extremely many IP addresses become available for
> a machine with IPv6. (which is not with IPv4)

I'm not against adding IPv6 functionality to jail(2), my point is merely that until somebody who has sufficient time & ability to fiddle with it does it, it's not going to happen.

The usual rule applies:

"Great idea, why don't you send me patches which does this ?"

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
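The address restriction this part of the thread describes, as an added user-space model that is not FreeBSD's kernel code: each jail owns one IPv4 address, a wildcard bind by a jailed process is rewritten to that address, any other address is refused, so two jails can each run a daemon on the same port. The jail table, the one-address-per-jail check (which the kernel itself does not enforce, as stated above) and the errno values are this example's assumptions; the jail names and addresses are constructed.

```c
/* Added example, not FreeBSD kernel code: a user-space model of the
 * address restriction jail(2) imposes as described in the thread. Every
 * socket a jailed process creates is forced onto the jail's one address:
 * bind() to INADDR_ANY becomes that address, bind() to anything else is
 * refused. The jail table, the duplicate-address check and the errno
 * values are assumptions of this model, not the kernel's behaviour. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_JAILS 8

struct prison {                 /* the slice of jail state this model needs */
    char           hostname[64];
    struct in_addr ip;          /* the single address the jail may use */
};

static struct prison jails[MAX_JAILS];
static int njails;

void jail_reset(void) { njails = 0; }

/* Create a jail owning dotted-quad `ip`. Returns the jail id or a negative
 * errno. The duplicate check models what an administrator has to ensure by
 * hand, since the kernel does not enforce concern (1) from the thread. */
int jail_create(const char *hostname, const char *ip)
{
    struct in_addr a;
    int i;

    if (inet_pton(AF_INET, ip, &a) != 1 || a.s_addr == htonl(INADDR_ANY))
        return -EINVAL;
    for (i = 0; i < njails; i++)
        if (jails[i].ip.s_addr == a.s_addr)
            return -EEXIST;             /* address already owned by a jail */
    if (njails == MAX_JAILS)
        return -ENOSPC;
    strncpy(jails[njails].hostname, hostname, sizeof jails[njails].hostname - 1);
    jails[njails].hostname[sizeof jails[njails].hostname - 1] = '\0';
    jails[njails].ip = a;
    return njails++;
}

/* Model of the bind-time rewrite for a process in jail `jid`. On success
 * *sin holds the address the socket actually receives. */
int jail_bind(int jid, struct sockaddr_in *sin)
{
    if (jid < 0 || jid >= njails)
        return -EINVAL;
    if (sin->sin_addr.s_addr == htonl(INADDR_ANY)) {
        sin->sin_addr = jails[jid].ip;  /* wildcard becomes the jail's address */
        return 0;
    }
    if (sin->sin_addr.s_addr != jails[jid].ip.s_addr)
        return -EADDRNOTAVAIL;          /* any other address is refused */
    return 0;
}

/* Convenience wrapper: bind dotted-quad `ip` in jail `jid` and write the
 * effective address into `out` (at least INET_ADDRSTRLEN bytes). */
int jail_bind_str(int jid, const char *ip, char *out)
{
    struct sockaddr_in sin;
    int rc;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -EINVAL;
    rc = jail_bind(jid, &sin);
    if (rc == 0)
        inet_ntop(AF_INET, &sin.sin_addr, out, INET_ADDRSTRLEN);
    return rc;
}

int main(void)
{
    char out[INET_ADDRSTRLEN];
    int www1, www2, rc;

    /* constructed sample: two jails on two addresses of the same host */
    www1 = jail_create("www1", "10.0.0.2");
    www2 = jail_create("www2", "10.0.0.3");
    printf("created jail %d and jail %d\n", www1, www2);
    rc = jail_bind_str(www1, "0.0.0.0", out);     /* apache binding *:80 in jail 1 */
    printf("jail %d bind 0.0.0.0  -> %s\n", www1, rc == 0 ? out : strerror(-rc));
    rc = jail_bind_str(www2, "0.0.0.0", out);     /* same daemon in jail 2: no clash */
    printf("jail %d bind 0.0.0.0  -> %s\n", www2, rc == 0 ? out : strerror(-rc));
    rc = jail_bind_str(www1, "10.0.0.3", out);    /* reaching for the other jail's address */
    printf("jail %d bind 10.0.0.3 -> %s\n", www1, rc == 0 ? out : strerror(-rc));
    rc = jail_create("dup", "10.0.0.2");          /* re-using an address: refused by the model */
    printf("jail_create(dup, 10.0.0.2) -> %s\n", rc < 0 ? strerror(-rc) : "ok");
    return 0;
}
```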
From owner-freebsd-security Tue Nov 9 9:58:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fgwmail5.fujitsu.co.jp (fgwmail5.fujitsu.co.jp [192.51.44.35]) by hub.freebsd.org (Postfix) with ESMTP id 3C7F91531A; Tue, 9 Nov 1999 09:58:30 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp)
Received: from m4.gw.fujitsu.co.jp by fgwmail5.fujitsu.co.jp (8.9.3/3.7W-MX9910-Fujitsu Gateway) id CAA29762; Wed, 10 Nov 1999 02:58:08 +0900 (JST)
Received: from incapgw.fujitsu.co.jp by m4.gw.fujitsu.co.jp (8.9.3/3.7W-9910-Fujitsu Domain Master) id CAA22146; Wed, 10 Nov 1999 02:58:07 +0900 (JST)
Received: from localhost ([192.168.245.90]) by incapgw.fujitsu.co.jp (8.9.3/3.7W-9910) id CAA29933; Wed, 10 Nov 1999 02:58:06 +0900 (JST)
To: phk@critter.freebsd.dk
Cc: jhay@mikom.csir.co.za, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
In-Reply-To: <24337.942169052@critter.freebsd.dk>
References: <19991110022852N.shin@nd.net.fujitsu.co.jp> <24337.942169052@critter.freebsd.dk>
X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN)
X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <19991110025853X.shin@nd.net.fujitsu.co.jp>
Date: Wed, 10 Nov 1999 02:58:53 +0900
From: Yoshinobu Inoue
X-Dispatcher: imput version 990905(IM130)
Lines: 15
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I'm not against adding IPv6 functionality to jail(2), my point is
> merely that until somebody who has sufficient time & ability to
> fiddle with it does it, it's not going to happen.
>
> The usual rule applies:
>
> "Great idea, why don't you send me patches which does this ?"

OK, then I'll try making patches and send them to you. My current idea is to add a new member, a pointer to a sockaddr, to the jail structure, and leave the current ip_number member for backward compatibility. (Also with associated changes in the kernel and the jail command.)

Yoshinobu Inoue

From owner-freebsd-security Tue Nov 9 10: 8:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 4256D1524C for ; Tue, 9 Nov 1999 10:08:40 -0800 (PST) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id TAA03131 for security@FreeBSD.ORG; Tue, 9 Nov 1999 19:08:35 +0100 (CET) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id 2ADF68711; Tue, 9 Nov 1999 07:56:34 +0100 (CET)
Date: Tue, 9 Nov 1999 07:56:34 +0100
From: Ollivier Robert
To: security@FreeBSD.ORG
Subject: Re: Port 137 hitting my server
Message-ID: <19991109075634.A30534@keltia.freenix.fr>
Mail-Followup-To: security@FreeBSD.ORG
References: <19991109031211.EF813152E9@hub.freebsd.org> <99Nov9.153330est.40371@border.alcanet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.0pre2i
In-Reply-To: <99Nov9.153330est.40371@border.alcanet.com.au>
X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Peter Jeremy:
> (returning a network redirect to 127.0.0.1 should quieten the
> offending machine :-).

Crashing the machine most likely... :-)

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #75: Tue Nov 2 21:03:12 CET 1999

From owner-freebsd-security Tue Nov 9 12:28: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from crash.ab.videon.ca (crash.ab.videon.ca [206.75.216.220]) by hub.freebsd.org (Postfix) with ESMTP id 2437215148 for ; Tue, 9 Nov 1999 12:28:02 -0800 (PST) (envelope-from cwasser@v-wave.com)
Received: from area51 (area51.v-wave.com [24.108.26.39]) by crash.ab.videon.ca (8.9.2/8.9.2) with SMTP id NAA15168; Tue, 9 Nov 1999 13:27:43 -0700 (MST)
Message-ID: <001d01bf2af1$38b2f380$271a6c18@vwave.com>
From: "Chris Wasser"
To: "Vladimir Dubrovin" , "Mike Pritchard"
Cc:
References: <19991109060320.B7018@mppsystems.com> <3779.991109@sandy.ru>
Subject: Re: Re[2]: Port 137 hitting my server
Date: Tue, 9 Nov 1999 13:29:15 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

----- Original Message -----
> UDP 137 is a port for NetBIOS name resolution. Microsoft realization
> for IP->name resolution includes both DNS and netbios resolution. Every
> time you connect to hosts running MS products (for example IIS)
> which resolves your IP - host tries to resolve your NetBIOS name by
> sending UDP packet to your 137 port. Noone hacks you it's ok ;)

This is common knowledge.

> You're wrong if you think only MS products do things like that. E.g.
> sendmail tries to check your name via authorization (TCP 113)
> protocol.

Polling port 113 (identd) is one thing, NETBIOS name resolution is quite another. Microsoft always wants to be different from everyone, including by attempting to rewrite standards.

> MCSE, MCP+I

Sorry to break the news to you, but those aren't worth the paper they're printed on.
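The UDP/137 traffic explained in the quoted message, as an added example that is not part of the thread: a decoder for NetBIOS Name Service queries that tells the wildcard node-status request a Windows host sends when it looks up the NetBIOS name behind an address it just talked to apart from an ordinary name query, so such "hits" can be classified from a capture instead of guessed at. The sample datagrams, transaction ids and host name are constructed for the example.

```c
/* Added example, not from the thread: decode a NetBIOS Name Service
 * (UDP/137) query so that port-137 traffic can be classified. Wire format
 * per RFC 1001/1002: 12-byte DNS-style header, then one question whose
 * 16-byte NetBIOS name is "first-level encoded" as 32 letters 'A'..'P'
 * (one nibble each) behind a length byte of 32, a 0 terminator, then
 * 16-bit QTYPE and QCLASS. Sample datagrams below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NB_QTYPE_NB     0x0020  /* NB: name-to-address query */
#define NB_QTYPE_NBSTAT 0x0021  /* NBSTAT: node status request */
#define NB_QUERY_LEN    50      /* header 12 + 1 + 32 + 1 + qtype 2 + qclass 2 */

struct nb_query {
    uint16_t txid, flags, qtype, qclass;
    char     name[16];  /* decoded name, padding stripped, NUL-terminated */
    uint8_t  suffix;    /* 16th name byte: 0x00 workstation, 0x20 server, ... */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a single-question NBNS query. Returns 0, or -1 if malformed. */
int nb_parse_query(const uint8_t *pkt, size_t len, struct nb_query *q)
{
    uint8_t raw[16];
    size_t i, n;

    if (len < NB_QUERY_LEN) return -1;
    q->txid  = rd16(pkt);
    q->flags = rd16(pkt + 2);
    if (q->flags & 0x8000) return -1;       /* response bit set: not a query */
    if (rd16(pkt + 4) != 1) return -1;      /* QDCOUNT must be 1 */
    if (pkt[12] != 32) return -1;           /* encoded name is always 32 chars */
    for (i = 0; i < 16; i++) {
        uint8_t hi = pkt[13 + 2 * i], lo = pkt[14 + 2 * i];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P') return -1;
        raw[i] = (uint8_t)(((hi - 'A') << 4) | (lo - 'A'));
    }
    if (pkt[45] != 0) return -1;            /* scope IDs are not handled here */
    q->qtype  = rd16(pkt + 46);
    q->qclass = rd16(pkt + 48);
    q->suffix = raw[15];
    /* names are space-padded (NUL-padded for the "*" wildcard): strip it */
    for (n = 15; n > 0 && (raw[n - 1] == ' ' || raw[n - 1] == '\0'); n--)
        ;
    memcpy(q->name, raw, n);
    q->name[n] = '\0';
    return 0;
}

/* What a defender should read into the datagram. */
const char *nb_classify(const struct nb_query *q)
{
    if (q->qclass != 1) return "unknown";
    if (q->qtype == NB_QTYPE_NBSTAT && strcmp(q->name, "*") == 0)
        return "node-status";   /* "who are you?" aimed at an address the sender just saw */
    if (q->qtype == NB_QTYPE_NBSTAT) return "node-status-named";
    if (q->qtype == NB_QTYPE_NB) return "name-query";
    return "unknown";
}

/* Build a query for `name` (up to 15 chars) with service `suffix` into buf
 * (NB_QUERY_LEN bytes), applying the same first-level encoding in reverse. */
size_t nb_build_query(uint8_t *buf, uint16_t txid, const char *name, uint8_t suffix, uint16_t qtype)
{
    uint8_t raw[16];
    size_t i, n = strlen(name);

    memset(raw, strcmp(name, "*") == 0 ? '\0' : ' ', 15);  /* pad like real clients */
    memcpy(raw, name, n > 15 ? 15 : n);
    raw[15] = suffix;
    memset(buf, 0, NB_QUERY_LEN);
    buf[0] = (uint8_t)(txid >> 8); buf[1] = (uint8_t)txid;
    buf[5] = 1;                                  /* QDCOUNT = 1 */
    buf[12] = 32;
    for (i = 0; i < 16; i++) {
        buf[13 + 2 * i] = (uint8_t)('A' + (raw[i] >> 4));
        buf[14 + 2 * i] = (uint8_t)('A' + (raw[i] & 0x0f));
    }
    buf[46] = (uint8_t)(qtype >> 8); buf[47] = (uint8_t)qtype;
    buf[49] = 1;                                 /* QCLASS = IN */
    return NB_QUERY_LEN;
}

int main(void)
{
    uint8_t pkt[NB_QUERY_LEN];
    struct nb_query q;

    /* constructed: the wildcard NBSTAT a Windows host sends to learn the
     * NetBIOS name behind an IP address (encoded name "CKAAAA...") */
    nb_build_query(pkt, 0x801a, "*", 0x00, NB_QTYPE_NBSTAT);
    if (nb_parse_query(pkt, sizeof pkt, &q) == 0)
        printf("name=%-15s suffix=<%02x> qtype=0x%04x -> %s\n", q.name, q.suffix, q.qtype, nb_classify(&q));
    /* constructed: an ordinary name query for a file server */
    nb_build_query(pkt, 0x0002, "FILESRV", 0x20, NB_QTYPE_NB);
    if (nb_parse_query(pkt, sizeof pkt, &q) == 0)
        printf("name=%-15s suffix=<%02x> qtype=0x%04x -> %s\n", q.name, q.suffix, q.qtype, nb_classify(&q));
    return 0;
}
```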
From owner-freebsd-security Tue Nov 9 13:47:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1]) by hub.freebsd.org (Postfix) with ESMTP id ED0B71536D for ; Tue, 9 Nov 1999 13:47:43 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from hades.hell.gr (patr530-a029.otenet.gr [195.167.115.29]) by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id XAA15189 for ; Tue, 9 Nov 1999 23:47:25 +0200 (EET)
Received: (qmail 19593 invoked by uid 1001); 9 Nov 1999 14:37:11 -0000
To: freebsd-security@freebsd.org
Subject: Re: Port 137 hitting my server
References: <19991109031211.EF813152E9@hub.freebsd.org> <99Nov9.153330est.40371@border.alcanet.com.au>
From: Giorgos Keramidas
Date: 09 Nov 1999 16:37:11 +0200
In-Reply-To: Peter Jeremy's message of "Tue, 9 Nov 1999 15:39:18 +1100"
Message-ID: <86emdz68a0.fsf@localhost.hell.gr>
Lines: 13
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Peter Jeremy writes:
> Unless you're feeling particularly ornery, in which case you
> could write a daemon which responded with various ICMP messages
> (returning a network redirect to 127.0.0.1 should quieten the
> offending machine :-).

That is assuming that Windows machines will respect a net-redirect, which having no such machines close to me right now I can not verify.

--
Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle]

From owner-freebsd-security Tue Nov 9 13:56:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.computeralt.com (server.computeralt.com [207.41.29.10]) by hub.freebsd.org (Postfix) with ESMTP id 4AF2315457 for ; Tue, 9 Nov 1999 13:56:25 -0800 (PST) (envelope-from scott@computeralt.com)
Received: from scott (scott.computeralt.com [207.41.29.100]) by server.computeralt.com (8.9.3/8.9.1) with ESMTP id QAA05606; Tue, 9 Nov 1999 16:56:07 -0500 (EST)
Message-Id: <4.2.2.19991109165510.00ad3720@mail.computeralt.com>
X-Sender: scott@mail.computeralt.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Tue, 09 Nov 1999 16:56:26 -0500
To: HTS , freebsd-security@FreeBSD.ORG
From: "Scott I. Remick" Subject: Re: Port 1243 scans Cc: Ian Smith In-Reply-To: <3.0.5.16.19991108213152.3aafc246@pop.pbdhome.pinboard.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 03:31 PM 11/8/99 , HTS wrote: >TCP/1243 apparently is being used by a NetBus clone called SubSeven. Correct. And for a very comprehensive list of ports used by various trojans and such, go here: ----------------------- Scott I. Remick scott@computeralt.com Network and Information (802)388-7545 ext. 236 Systems Manager FAX:(802)388-3697 Computer Alternatives, Inc. http://www.computeralt.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 9 15:10:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 9B00414CF0; Tue, 9 Nov 1999 15:10:24 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id AAA16499; Wed, 10 Nov 1999 00:10:21 +0100 (CET) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id B57E287AB; Wed, 10 Nov 1999 00:00:04 +0100 (CET) Date: Wed, 10 Nov 1999 00:00:04 +0100 
From: Ollivier Robert
To: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
Message-ID: <19991110000004.A37063@keltia.freenix.fr>
Mail-Followup-To: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
References: <199911090824.KAA90295@zibbi.mikom.csir.co.za> <22398.942136151@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.0pre2i
In-Reply-To: <22398.942136151@critter.freebsd.dk>
X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Poul-Henning Kamp:
> I personally do not see IPv6 as being desirable at this time.

I see it as very desirable now for several reasons besides the usual ones (shortage of address space, explosion of routing tables):

- it provides true mobility (still in the works I know),
- the larger address space enables one to avoid the NAT abomination,
- security is mandatory (even if many people don't want the overhead),
- autoconfiguration is really great

> Ohh, OSI was quite alive for a long time as well, until the government
> funded life-support was cut, then it evaporated overnight.

OSI is still present in two major areas: telecom systems (GSM, supervision of the same) and Aeronautical systems (Air Traffic Management / Control). I work in the latter and we're pushing IPv6 as much as we can.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #75: Tue Nov 2 21:03:12 CET 1999

From owner-freebsd-security Tue Nov 9 15:27:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from icg.interactivate.com (icg.interactivate.com [207.110.42.216]) by hub.freebsd.org (Postfix) with ESMTP id DC23114E1A for ; Tue, 9 Nov 1999 15:27:31 -0800 (PST) (envelope-from larry@interactivate.com)
Received: from localhost (larry@localhost) by icg.interactivate.com (8.9.3/8.9.3) with ESMTP id PAA25279; Tue, 9 Nov 1999 15:13:17 -0800 (PST)
Date: Tue, 9 Nov 1999 15:13:17 -0800 (PST)
From: Larry Sica
X-Sender: larry@icg
To: Giorgos Keramidas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port 137 hitting my server
In-Reply-To: <86emdz68a0.fsf@localhost.hell.gr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually the only thing I'd want to do is get rid of the annoying log messages. How could I tell syslog not to log that particular thing? (This is veering off topic now, I think.)

On 9 Nov 1999, Giorgos Keramidas wrote:
> Peter Jeremy writes:
>
> > Unless you're feeling particularly ornery, in which case you
> > could write a daemon which responded with various ICMP messages
> > (returning a network redirect to 127.0.0.1 should quieten the
> > offending machine :-).
>
> That is assuming that Windows machines will respect a net-redirect,
> which having no such machines close to me right now I can not verify.
>
> --
> Giorgos Keramidas,
> "What we have to learn to do, we learn by doing." [Aristotle]

From owner-freebsd-security Tue Nov 9 15:40:04 1999
Delivered-To: freebsd-security@freebsd.org
Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 474BA14CF0 for ; Tue, 9 Nov 1999 15:39:59 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from hades.hell.gr (patr530-a029.otenet.gr [195.167.115.29]) by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id BAA13423 for ; Wed, 10 Nov 1999 01:39:57 +0200 (EET)
Received: (qmail 2728 invoked by uid 1001); 9 Nov 1999 23:41:58 -0000
To: freebsd-security@freebsd.org
Subject: Re: Port 137 hitting my server
References:
From: Giorgos Keramidas
Date: 10 Nov 1999 01:41:58 +0200
In-Reply-To: Larry Sica's message of "Tue, 9 Nov 1999 15:13:17 -0800 (PST)"
Message-ID: <86u2mvgrll.fsf@localhost.hell.gr>
Lines: 17
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Larry Sica writes:
> actually the only thing I'd want to do is get rid of the annoying log
> messages. How could I tell syslog not to log that particular thing (this
> is veering off topic now I think)

I am assuming that you're using ipfw here, and that you have a rule looking something like:

    0600 deny log from any to any 137 via if0

or close to this. Remove the 'log' keyword and you're done with logging of these packets.

--
Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle]

From owner-freebsd-security Tue Nov 9 16:39:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from enst.enst.fr (enst.enst.fr [137.194.2.16]) by hub.freebsd.org (Postfix) with ESMTP id 48742151DA; Tue, 9 Nov 1999 16:39:20 -0800 (PST) (envelope-from beyssac@enst.fr)
Received: from bofh.enst.fr (bofh-2.enst.fr [137.194.2.37]) by enst.enst.fr (8.9.1a/8.9.1) with ESMTP id BAA05128; Wed, 10 Nov 1999 01:39:18 +0100 (MET)
Received: by bofh.enst.fr (Postfix, from userid 12426) id C8CFCD246; Wed, 10 Nov 1999 01:39:13 +0100 (CET)
Message-ID: <19991110013913.A5181@enst.fr>
Date: Wed, 10 Nov 1999 01:39:13 +0100
From: Pierre Beyssac
To: Yoshinobu Inoue , freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
References: <19991109125445E.shin@nd.net.fujitsu.co.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19991109125445E.shin@nd.net.fujitsu.co.jp>; from Yoshinobu Inoue on Tue, Nov 09, 1999 at 12:54:45PM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Nov 09, 1999 at 12:54:45PM +0900, Yoshinobu Inoue wrote:
> Currently jail sets an ip-number and lets prisoned processes
> only bind it.
[ the current jail(2) interface and its future WRT IPv6 ]
> I think the kernel change will not be so much for any of the above additions
> or changes, but there will be some backward compatibility
> issues for the API. (some member additions to the jail structure,
> and jail command extensions)

There's been a discussion a few weeks ago on freebsd-security on this very matter. See attached mail below. The conclusion was that jail(2) should be fixed to use a sockaddr instead of a 32 bit int to specify the address. That seems to be the first logical step, even before making jail(2) IPv6-compliant.

Pierre

Date: Sun, 19 Sep 1999 11:58:39 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199909191558.LAA64750@khavrinen.lcs.mit.edu>
To: Matthew Dillon
Cc: Poul-Henning Kamp , security@FreeBSD.ORG
Subject: Re: BPF on in 3.3-RC GENERIC kernel
In-Reply-To: <199909190551.WAA68627@apollo.backplane.com>
References: <12516.937680952@critter.freebsd.dk> <199909190551.WAA68627@apollo.backplane.com>

< said:
> struct sockaddr is the standard for specifying an IP address. Jail
> isn't using it, not even for IPV4. It's using an unsigned 32 bit int.
> Hell, it isn't even using a struct in_addr! The field is plain and
> simply inappropriately specified in the structure.

For once, I agree with Matt. As titular networking czar, I'm asking you, Poul, to please fix the interface.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                 - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Nov 9 18:12:02 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vasquez.zip.com.au (vasquez.zip.com.au [203.12.97.41]) by hub.freebsd.org (Postfix) with ESMTP id F29DE1516A for ; Tue, 9 Nov 1999 18:11:51 -0800 (PST) (envelope-from ncb@zip.com.au)
Received: from zipperii.zip.com.au (ncb@zipperii.zip.com.au [203.12.97.87]) by vasquez.zip.com.au (8.9.2/8.9.1) with ESMTP id NAA08798 for ; Wed, 10 Nov 1999 13:11:46 +1100 (EST)
Date: Wed, 10 Nov 1999 13:11:49 +1100 (EST)
From: Nicholas Brawn
To: freebsd-security@freebsd.org
Subject: Status of Passwords/etc in FreeBSD-stable
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Couple of questions:

1. Does stable support bcrypt or equivalent? If not, are there any plans to implement this?

2. Are there any moves to centralise password-related configuration to a passwd.conf? Min/Max lengths, etc.

Cheers,
Nick

--
Email: ncb@zip.com.au (or) nicholas.brawn@hushmail.com
Key fingerprint = F012 74CA BDCC 512E 61D4 0A8F 1D5D 8DAD 03A3 241F

From owner-freebsd-security Wed Nov 10 1:16:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id BED8114C47 for ; Wed, 10 Nov 1999 01:16:20 -0800 (PST) (envelope-from vlad@sandy.ru)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.12]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id MAA33490; Wed, 10 Nov 1999 12:10:26 +0300 (MSK)
Date: Wed, 10 Nov 1999 12:10:29 +0300
From: Vladimir Dubrovin
X-Mailer: The Bat! (v1.34) S/N D33CD428
Reply-To: Vladimir Dubrovin
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <13507.991110@sandy.ru>
To: Giorgos Keramidas
Cc: freebsd-security@freebsd.org
Subject: Re[2]: Port 137 hitting my server
In-reply-To: <86u2mvgrll.fsf@localhost.hell.gr>
References: <86u2mvgrll.fsf@localhost.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Giorgos Keramidas, 10.11.99 2:41, you wrote: Port 137 hitting my server;

G> Larry Sica writes:
>> actually the only thing I'd want to do is get rid of the annoying log
>> messages. How could I tell syslog not to log that particular thing (this
>> is veering off topic now I think)

G> I am assuming that you're using ipfw here, and that you have a rule
G> looking something like:

G> 0600 deny log from any to any 137 via if0

If you're so scared about UDP 137 use something like

    0600 unreach port udp from any 137 to any 137 ...
    0610 deny log udp from any to any 137 ...

It's better to use unreach instead of deny since some servers (not all) will wait for name resolution before sending data and "deny" will slow down your browsing, because the server will wait until timeout.

NetBIOS always uses 137 as both source and destination ports; if the source port is different from 137 then someone is trying to fingerprint your network.

G> or close to this. Remove the 'log' keyword and you're done with
G> logging of these packets.

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

From owner-freebsd-security Wed Nov 10 5:10:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with ESMTP id EDB2614DA4 for ; Wed, 10 Nov 1999 05:10:18 -0800 (PST) (envelope-from paulo@nlink.com.br)
Received: from localhost (paulo@localhost) by mirage.nlink.com.br (8.9.3/8.9.1) with SMTP id LAA23164 for ; Wed, 10 Nov 1999 11:10:17 -0200 (EDT)
Date: Wed, 10 Nov 1999 11:10:17 -0200 (EDT)
From: Paulo Fragoso
To: freebsd-security@freebsd.org
Subject: smrsh for qmail
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Are there any alternatives like smrsh for qmail?

Thanks,
Paulo Fragoso.

------
" ... Overall we've found FreeBSD to excel in performance, stability, technical support, and of course price. Two years after discovering FreeBSD, we have yet to find a reason why we switch to anything else" -David Filo, Yahoo!

From owner-freebsd-security Wed Nov 10 7:38:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 5016B151EB for ; Wed, 10 Nov 1999 07:38:22 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA31491; Wed, 10 Nov 1999 07:38:21 -0800
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda31483; Wed Nov 10 07:37:57 1999
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA34906; Wed, 10 Nov 1999 07:36:51 -0800 (PST)
Message-Id: <199911101536.HAA34906@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdc34901; Wed Nov 10 07:36:26 1999
X-Mailer: exmh version 2.1.0 09/18/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.3-RELEASE
X-Sender: cy
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on signal 4
In-reply-to: Your message of "Sun, 07 Nov 1999 12:58:58 EST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 10 Nov 1999 07:36:26 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Robert Watson writes:
>
> Noticed this in my system log:
>
> Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on
> signal 4
>
> This doesn't normally happen and is a bit concerning.
>
> fledge:~> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 fledge.watson.org ESMTP Sendmail 8.9.3/8.9.3; Sun, 7 Nov 1999 12:27:54
> -0500 (EST)
>
> Which is the default version shipped in 3.3-RELEASE (or at least, this is
> currently a vanilla 3.3-RELEASE box :-).
>
> I'm concerned this could be a buffer-based attack, but don't see any of
> the signs of a successful compromise. Also, there were no signs of a
> scan of other open ports at the time.
>
> Has anyone else seen any of these lately?

It's very likely that there may be a buffer overrun being exploited on the Net and that whoever was attacking your machine may have been using an exploit engineered for Linux Sendmail or another version of FreeBSD. It is also possible that you may have bad memory in the box in question. Also possible is a FreeBSD bug that manifests itself under certain conditions, e.g. inetd and cron problems in <3.1.

You may wish to consider installing the smtpd port. Obtuse Smtpd front-ends itself to Sendmail to provide an architecture similar to that of Qmail, except that Sendmail still needs to be setuid root if you wish to continue to support executing programs via .forward. If that's not important to you, then you can make Sendmail setgid mail, making sure that /var/mail and /var/spool/mqueue are group mail writable.

It also might be possible to write an application, similar to smrsh, that would securely invoke programs referenced in .forward files under each user's own id, entirely negating the need to have a setuid Sendmail.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Sun/DEC Team, UNIX Group        Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                       Cy.Schubert@gems8.gov.bc.ca
Province of BC
"e**(i*pi)+1=0"

From owner-freebsd-security Wed Nov 10 10:00:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id 684FD1529E for ; Wed, 10 Nov 1999 10:00:31 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id UAA09963; Wed, 10 Nov 1999 20:00:14 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199911101800.UAA09963@gratis.grondar.za>
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: PAM module for Kerberos 5?
Date: Wed, 10 Nov 1999 20:00:13 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Has anyone gone to the effort yet of making a PAM module for Kerberos
> 5? How about passwd(1)?
> That's one of the last things I need before I can move our KDC
> over to Kerberos 5....

The Kerberos I am going to import (Heimdal) has one.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Wed Nov 10 10:08:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id 605231525E; Wed, 10 Nov 1999 10:08:40 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id UAA10193; Wed, 10 Nov 1999 20:08:37 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199911101808.UAA10193@gratis.grondar.za>
To: Kris Kennaway
Cc: "Jason C. Wells" , Robert Watson , security@FreeBSD.ORG
Subject: Re: krb5 integration Was: Kerberos integration into ports--in particular, SSH
Date: Wed, 10 Nov 1999 20:08:37 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I have been monkeying with krb5 in order to get it to clobber FreeBSD
> > binaries, libs, and includes and hence be "integrated" into the system. I
> > am no programmer but things seem to be working. Also, I am not quite done
> > yet.
> >
> > Is this something you guys would be interested in? Or is my approach too
> > sophomoric for a real development effort?
>
> Mark Murray has been working on krb5 integration - in fact, I thought he'd
> already imported it into the crypto/ distribution.

I am very interested!!

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Wed Nov 10 10:09:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id 9473A1525E for ; Wed, 10 Nov 1999 10:09:09 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id UAA10174; Wed, 10 Nov 1999 20:07:32 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199911101807.UAA10174@gratis.grondar.za>
To: Mike Nowlin
Cc: Robert Watson , security@FreeBSD.ORG
Subject: Re: Kerberos integration into ports--in particular, SSH
Date: Wed, 10 Nov 1999 20:07:31 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> We developed some changes to ftpd to support PAM (haven't submitted them
> yet -- a couple of quirks to work out), but I'm sure a lot of the system
> doesn't handle it yet.
>
> Is there a doc somewhere which gets into this, or does one need to be
> written? We're trying to handle security through a PAM/(PostgreSQL|MySQL)
> interface as much as possible, so we're willing to do a bit of fixing if
> necessary.

Cool! Please bug me to do this; I am the current PAM guy...

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Wed Nov 10 10:17:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id EC8FF1527A; Wed, 10 Nov 1999 10:17:22 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id UAA10603; Wed, 10 Nov 1999 20:17:12 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199911101817.UAA10603@gratis.grondar.za>
To: "Jordan K. Hubbard"
Cc: Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
Date: Wed, 10 Nov 1999 20:17:11 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On my TODO list. It will take a while, 'cos I want things to stabilise. I also need to kick off another, more important project.

M

> I, for one, would like to see this bundled with the default
> distribution and I think our existing degree of crypto separation is
> enough to take care of the legal issues, not that anyone really knows
> what those are anymore since the latest round of Clinton
> administration statements.
>
> In today's environment, ssh is far more useful than telnet or rlogin,
> yet we bundle both. It would be nice to have a system come up for the
> first time already capable of being logged into remotely in a secure
> fashion - it would save me, for one, a lot of extra hassle in
> installing new machines since getting ssh on there is a necessary
> component to being able to leave a drafty machine room and continue
> the installation and configuration from a more comfortable place.
>
> - Jordan

--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Wed Nov 10 10:18:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id 9B68C1540D; Wed, 10 Nov 1999 10:18:02 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id UAA10615; Wed, 10 Nov 1999 20:18:00 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199911101818.UAA10615@gratis.grondar.za>
To: Kris Kennaway
Cc: "Jordan K. Hubbard" , security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
Date: Wed, 10 Nov 1999 20:18:00 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> No objections from me! We will of course need to import OpenSSL as well,
> but I can see only good things coming from that.

Only the libcrypto part of it, as far as I can see.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Wed Nov 10 10:20:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 6902A14D23; Wed, 10 Nov 1999 10:20:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 55EEC1CD404; Wed, 10 Nov 1999 10:20:21 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 10 Nov 1999 10:20:21 -0800 (PST)
From: Kris Kennaway
To: Nicholas Brawn
Cc: freebsd-security@freebsd.org
Subject: Re: Status of Passwords/etc in FreeBSD-stable
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 10 Nov 1999, Nicholas Brawn wrote:

> Couple of questions:
> 1. Does stable support bcrypt or equivalent. If not are there any plans to
> implement this?

No and yes. See http://www.physics.adelaide.edu.au/~kkennawa/crypt-990725.tar.gz which is a replacement libcrypt which supports external plug-in crypt "modules" (openbsd-style bcrypt is included). I really need to check whether that tarball actually compiles - someone told me a while ago I left out a header file.

This is a WIP, and in particular will not allow external modules to be used for statically-linked binaries (just the two historical formats: MD5 and DES). This is a limitation of dlopen() which I hope will one day get resolved (hacking around it would be ugly). One day when I get time to revisit this and clean it up a bit I plan to try and import it into -current.

> 2. Is there any moves to centralise password-related configuration to a
> passwd.conf? Min/Max lengths, etc.

The above code uses login.conf to specify login capabilities about which password algorithm to use for a user's new password, and any algorithm parameters (e.g. number of rounds for bcrypt). A separate passwd.conf would be a bad idea, IMO. I don't see what you'd need a maximum password length variable for, but there is already a minpasswordlen capability.

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..
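An added illustration of the scheme Kris describes above, not code from his crypt tarball or from FreeBSD's libcrypt: a login.conf(5)-style file carries per-class capabilities naming the hash algorithm for a user's new password, its parameters and the minimum length, and a small front end turns that into the salt prefix that makes crypt(3) pick the right format. The capability names `passwd_format` and `passwd_rounds` are assumptions for this example (the thread does not name Kris's); `minpasswordlen` is the existing login.conf capability he mentions; the class file is constructed inline. The parser handles the termcap-style backslash continuation and `tc=` inheritance that login.conf actually uses, which is where most of the work in such a front end lives.

```python
"""Added example: login.conf-style capability lookup for a pluggable crypt
front end.  Not Kris Kennaway's code and not FreeBSD's.  passwd_format and
passwd_rounds are assumed capability names; minpasswordlen is the real one."""
import secrets

# Constructed sample input, not a real /etc/login.conf.
SAMPLE_LOGIN_CONF = r"""
# comment line
default:\
        :passwd_format=md5:\
        :minpasswordlen=6:\
        :tc=auth-defaults:

auth-defaults:\
        :auth=passwd:

staff:\
        :passwd_format=blf:\
        :passwd_rounds=8:\
        :minpasswordlen=10:\
        :tc=default:

guest|visitor:\
        :passwd_format=des:\
        :tc=default:
"""

# crypt(3) salt conventions: 2-char DES salt, "$1$salt$" MD5-crypt,
# "$2a$NN$salt" for bcrypt, all drawn from the same 64-char alphabet.
SALT_CHARS = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
SALT_LEN = {"des": 2, "md5": 8, "blf": 22}


def parse_login_conf(text):
    """Parse termcap-style records into {class_name: {cap: value}}.

    A record continues while lines end in a backslash; blank lines and
    '#' comments are skipped; 'a|b' gives one record two names."""
    records, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        fields = [f for f in buf.split(":") if f]
        buf = ""
        caps = {}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            caps[key] = value if sep else True   # bare flag capability
        for name in fields[0].split("|"):
            records[name] = caps
    return records


def resolve_class(records, name, _chain=()):
    """Flatten tc= inheritance; a class's own capabilities win over inherited."""
    if name in _chain:
        raise ValueError("tc= loop through %s" % name)
    own = dict(records[name])
    parent = own.pop("tc", None)
    if parent is None:
        return own
    merged = resolve_class(records, parent, _chain + (name,))
    merged.update(own)
    return merged


def password_policy(records, cls):
    """Hash format, its parameters and minimum length for a login class."""
    caps = resolve_class(records, cls)
    fmt = caps.get("passwd_format", "des")        # assumed default: DES
    if fmt not in SALT_LEN:
        raise ValueError("unsupported passwd_format %r in class %s" % (fmt, cls))
    policy = {"format": fmt, "minlen": int(caps.get("minpasswordlen", 0))}
    if fmt == "blf":
        # bcrypt cost is log2(rounds); keep it inside the algorithm's 4..31
        policy["rounds"] = max(4, min(31, int(caps.get("passwd_rounds", 4))))
    return policy


def make_salt(policy, pick=secrets.choice):
    """Build the salt string whose prefix selects the chosen crypt(3) format."""
    body = "".join(pick(SALT_CHARS) for _ in range(SALT_LEN[policy["format"]]))
    if policy["format"] == "md5":
        return "$1$" + body + "$"
    if policy["format"] == "blf":
        return "$2a$%02d$" % policy["rounds"] + body
    return body


def check_new_password(records, cls, candidate):
    """Enforce minpasswordlen, the one policy check the thread names."""
    policy = password_policy(records, cls)
    if len(candidate) < policy["minlen"]:
        return False, "shorter than minpasswordlen=%d" % policy["minlen"]
    return True, "ok, hash with %s" % policy["format"]


if __name__ == "__main__":
    recs = parse_login_conf(SAMPLE_LOGIN_CONF)
    for c in ("default", "staff", "guest"):
        print(c, password_policy(recs, c), make_salt(password_policy(recs, c)))
```

The `pick` argument exists only so a test can substitute a deterministic chooser; in use, leave the default so the salt comes from the OS CSPRNG. Note that `staff` inherits `auth=passwd` through two `tc=` hops while overriding the format and length it inherits from `default`, which is exactly the per-class override a passwd(1) front end would rely on instead of a separate passwd.conf.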
From owner-freebsd-security Wed Nov 10 10:21:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id B7A7A153B6; Wed, 10 Nov 1999 10:21:54 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id A66D21CD404; Wed, 10 Nov 1999 10:21:54 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 10 Nov 1999 10:21:54 -0800 (PST)
From: Kris Kennaway
To: Mark Murray
Cc: "Jordan K. Hubbard" , security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
In-Reply-To: <199911101818.UAA10615@gratis.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 10 Nov 1999, Mark Murray wrote:

> > No objections from me! We will of course need to import OpenSSL as well,
> > but I can see only good things coming from that.
>
> Only the libcrypto part of it, as far as I can see.

Yep, but if we import the whole thing we could add https:// capabilities to fetch(1) :-)

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..

From owner-freebsd-security Wed Nov 10 10:25:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id 59C8C153FA for ; Wed, 10 Nov 1999 10:25:18 -0800 (PST) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id UAA10746; Wed, 10 Nov 1999 20:24:41 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199911101824.UAA10746@gratis.grondar.za>
To: Jacques Vidrine
Cc: "Jordan K. Hubbard" , security@FreeBSD.ORG
Subject: Re: OpenSSH patches
Date: Wed, 10 Nov 1999 20:24:40 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> [dropped -ports]
> On 2 November 1999 at 10:58, "Jordan K. Hubbard" wrote:
> > For a lot of good reasons, this is something we really
> > need, even if we have to take a few chances and/or move a CVS server
> > to Canada. :)
>
> Don't we already have a CVS server in South Africa for this kind of
> thing?

How would folk feel about the International CVS Repo holding "better" crypto than the WC one (until the relevant patents expire)? I can do this in such a way as to make all other code identical, and anyone will be able to get both binary and source from it. It is heavily mirrored as well :-)

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Wed Nov 10 16:45:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sand2.sentex.ca (sand2.sentex.ca [209.167.248.3]) by hub.freebsd.org (Postfix) with ESMTP id EE44014E76; Wed, 10 Nov 1999 16:45:36 -0800 (PST) (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81]) by sand2.sentex.ca (8.8.8/8.8.8) with SMTP id TAA13939; Wed, 10 Nov 1999 19:45:32 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <4.1.19991110194035.04c62100@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 10 Nov 1999 19:45:53 -0500
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa Subject: BIND NXT Bug Vulnerability Cc: security-officer@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I imagine the right people are aware of this, but in case not, can someone commit the relavant patches to STABLE ? ---Mike >Return-Path: owner-bugtraq@SECURITYFOCUS.COM >Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by >granite.sentex.net (8.8.8/8.6.9) with ESMTP id RAA20973; Wed, 10 Nov 1999 >17:08:55 -0500 (EST) >Received: from lists.securityfocus.com (lists.securityfocus.com >[207.126.127.68]) > by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id RAA81815; > Wed, 10 Nov 1999 17:08:54 -0500 (EST) > (envelope-from owner-bugtraq@SECURITYFOCUS.COM) >Received: from lists.securityfocus.com (lists.securityfocus.com >[207.126.127.68]) > by lists.securityfocus.com (Postfix) with ESMTP > id 28E0D1F452; Wed, 10 Nov 1999 14:00:05 -0800 (PST) >Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM > (LISTSERV-TCP/IP release 1.8d) with spool id 1078020 for > BUGTRAQ@LISTS.SECURITYFOCUS.COM; Wed, 10 Nov 1999 13:57:41 -0800 >Approved-By: aleph1@SECURITYFOCUS.COM >Delivered-To: bugtraq@lists.securityfocus.com >Received: from securityfocus.com (securityfocus.com [207.126.127.66]) by > lists.securityfocus.com (Postfix) with SMTP id 5434C1EEB7 for > ; Wed, 10 Nov 1999 13:55:25 -0800 > (PST) >Received: (qmail 21608 invoked by alias); 10 Nov 1999 21:55:25 -0000 >Delivered-To: bugtraq@securityfocus.com >Received: (qmail 21605 invoked by uid 101); 10 Nov 1999 21:55:25 -0000 >Mime-Version: 1.0 >Content-Type: text/plain; charset=us-ascii >X-Mailer: Mutt 1.0pre3i >Message-ID: <19991110135525.A21417@securityfocus.com> >Date: Wed, 10 Nov 1999 13:55:25 -0800 >Reply-To: aleph1@SECURITYFOCUS.COM >Sender: Bugtraq List 
>From: Elias Levy
>Subject: BIND NXT Bug Vulnerability
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>http://www.isc.org/products/BIND/bind-security-19991108.html
>
>
>Name: "nxt bug"
>
> Versions affected: 8.2, 8.2 patchlevel 1, 8.2.1
> Severity: CRITICAL
> Exploitable: Remotely
> Type: Access possible
>
>Description:
>
> A bug in the processing of NXT records can theoretically allow an
> attacker to gain access to the system running the DNS server at
> whatever privilege level the DNS server runs at.
>
>Workarounds:
>
> None.
>
>Active Exploits:
>
> At this time, ISC is unaware of any active exploits of this
> vulnerability however given the potential access this vulnerability
> represents, it is probable scripts will be created in the near future
> that make use of this vulnerability.
>
>--
>Elias Levy
>Security Focus
>http://www.securityfocus.com/

**********************************************************************
Mike Tancsa, Network Admin          *  mike@sentex.net
Sentex Communications Corp,         *  http://www.sentex.net/mike
Cambridge, Ontario                  *  01.519.651.3400
Canada                              *

From owner-freebsd-security Wed Nov 10 17:26:21 1999
Date: Wed, 10 Nov 1999 20:25:58 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: BIND NXT Bug Vulnerability
In-Reply-To: <4.1.19991110194035.04c62100@granite.sentex.ca>

3.3-RELEASE appears to use 8.1.2, which I believe is not vulnerable. My understanding is that this bug was introduced in 8.2.* of BIND. Please correct me if I am wrong.

I don't know what -STABLE is currently using.

On Wed, 10 Nov 1999, Mike Tancsa wrote:

> I imagine the right people are aware of this, but in case not, can someone
> commit the relevant patches to STABLE ?
>
> ---Mike
>
> [...]

Robert N M Watson
robert@fledge.watson.org  http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Wed Nov 10 17:29:31 1999
Message-Id: <4.1.19991110202719.04c5ee30@granite.sentex.ca>
Date: Wed, 10 Nov 1999 20:29:34 -0500
To: Robert Watson
From: Mike Tancsa
Subject: Re: BIND NXT Bug Vulnerability
Cc: freebsd-security@FreeBSD.ORG
References: <4.1.19991110194035.04c62100@granite.sentex.ca>

At 08:25 PM 11/10/99 , Robert Watson wrote:
>3.3-RELEASE appears to use 8.1.2, which I believe is not vulnerable. My
>understanding is that this bug was introduced in 8.2.* of BIND. Please
>correct me if I am wrong.

Actually, the initial posting to bugtraq only shows some of the picture. There are in fact 6 bugs listed on the given URL, e.g.

Name: "solinger bug"
Versions affected: 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1, 8.2.1
Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

---Mike

**********************************************************************
Mike Tancsa, Network Admin          *  mike@sentex.net
Sentex Communications Corp,         *  http://www.sentex.net/mike
Cambridge, Ontario                  *  01.519.651.3400
Canada                              *

From owner-freebsd-security Wed Nov 10 17:51:15 1999
Date: Wed, 10 Nov 1999 20:51:11 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: BIND NXT Bug Vulnerability
In-Reply-To: <4.1.19991110202719.04c5ee30@granite.sentex.ca>

On Wed, 10 Nov 1999, Mike Tancsa wrote:

> At 08:25 PM 11/10/99 , Robert Watson wrote:
> >3.3-RELEASE appears to use 8.1.2, which I believe is not vulnerable. My
> >understanding is that this bug was introduced in 8.2.* of BIND. Please
> >correct me if I am wrong.
>
> Actually, the initial posting to bugtraq only shows some of the picture.
> There are in fact 6 bugs listed on the given URL,

So 3.3-RELEASE is vulnerable to DOS, and not vulnerable to the remote access attack. Which is nice, but not ideal :-). Unfortunately, I wouldn't happen to be a committer, so I wouldn't be committing that one. :-)

Robert N M Watson
robert@fledge.watson.org  http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Wed Nov 10 18:23:10 1999
Date: Wed, 10 Nov 1999 21:23:07 -0500 (EST)
From: matt
To: Mike Tancsa
Cc: Robert Watson, freebsd-security@FreeBSD.ORG
Subject: Re: BIND NXT Bug Vulnerability
In-Reply-To: <4.1.19991110202719.04c5ee30@granite.sentex.ca>

The ports tree currently has 8.2.1 though, I'm sure a lot of people have resorted to using this, I have. Has the maintainer of this port been contacted yet? -matt

On Wed, 10 Nov 1999, Mike Tancsa wrote:

: At 08:25 PM 11/10/99 , Robert Watson wrote:
: >3.3-RELEASE appears to use 8.1.2, which I believe is not vulnerable. My
: >understanding is that this bug was introduced in 8.2.* of BIND. Please
: >correct me if I am wrong.
:
: Actually, the initial posting to bugtraq only shows some of the picture.
: There are in fact 6 bugs listed on the given URL,
:
: e.g.
:
: Name: "solinger bug"
: Versions affected: 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patchlevel 1, 8.2.1
: Severity: SERIOUS
: Exploitable: Remotely
: Type: Denial of service
:
: ---Mike

--
"If the primates that we came from had known that someday politicians
 would come out of the...the gene pool, they'd a stayed up in the trees
 and written evolution off as a bad idea. Hell, I always thought the
 opposable thumb was overrated."
                                        -Sheridan, "A Distant Star"

From owner-freebsd-security Wed Nov 10 18:41: 7 1999
Message-Id: <4.1.19991110213919.04565e60@granite.sentex.ca>
Date: Wed, 10 Nov 1999 21:40:29 -0500
To: matt
From: Mike Tancsa
Subject: Re: BIND NXT Bug Vulnerability
Cc: freebsd-security@FreeBSD.ORG, jseger@FreeBSD.ORG
References: <4.1.19991110202719.04c5ee30@granite.sentex.ca>

At 09:23 PM 11/10/99 , matt wrote:
>
>The ports tree currently has 8.2.1 though, I'm sure a lot of people have
>resorted to using this, I have. Has the maintainer of this port been
>contacted yet? -matt

I don't know, but I cc'd him on this just in case.

---Mike

>On Wed, 10 Nov 1999, Mike Tancsa wrote:
>
> [...]
**********************************************************************
Mike Tancsa, Network Admin          *  mike@sentex.net
Sentex Communications Corp,         *  http://www.sentex.net/mike
Cambridge, Ontario                  *  01.519.651.3400
Canada                              *

From owner-freebsd-security Wed Nov 10 20: 5:23 1999
Message-Id: <199911110405.VAA09688@harmony.village.org>
To: David Gilbert
Subject: Re: A new 'sploit?
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 08 Nov 1999 13:30:40 EST." <14375.5840.975982.927941@trooper.velocet.net>
Date: Wed, 10 Nov 1999 21:05:05 -0700
From: Warner Losh

In message <14375.5840.975982.927941@trooper.velocet.net> David Gilbert writes:
: Now... since my authorized_keys file is not overwritten, I gather that
: root processes don't drop core any longer? Maybe I have corefiles
: ulimited to 0. Anyways...

There was a security advisory about this a while ago. Upgrade your fts.c, rebuild the world and they will go away.

Warner

From owner-freebsd-security Wed Nov 10 20: 8:19 1999
Message-Id: <199911110408.VAA09730@harmony.village.org>
To: Igor Roshchin
Subject: Re: suidperl ? (Was: Examining FBSD set[ug]ids and their use)
Cc: robert+freebsd@cyrus.watson.org, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 04 Nov 1999 10:01:54 CST." <199911041601.KAA10471@alecto.physics.uiuc.edu>
Date: Wed, 10 Nov 1999 21:08:12 -0700
From: Warner Losh

In message <199911041601.KAA10471@alecto.physics.uiuc.edu> Igor Roshchin writes:
: Does anything in FreeBSD 3.x depend on suidperl being suid ?

No. Your best bet is to delete it if you don't need it.

: Would anything break in the system and/or system utilities if
: it is stripped off ?

Nothing in the base system.

Warner

From owner-freebsd-security Wed Nov 10 20:14:32 1999
Message-Id: <199911110414.VAA09777@harmony.village.org>
To: "Harry M. Leitzell"
Subject: Re: stack protecting
Cc: Paul Hart, Andre Gironda, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 03 Nov 1999 21:41:48 EST."
Date: Wed, 10 Nov 1999 21:14:25 -0700
From: Warner Losh

In message "Harry M. Leitzell" writes:
: Ounce of prevention is worth a ... You get the point. I agree
: that some sort of buffer overflow prevention in FreeBSD would be loved by
: all even if they do not choose to use it. Anyhow, it would be nice to see
: a Stack + Heap Guard that does not break certain aspects of an OS that
: people use (gdb modified so that it correctly reads the format of an
: activation record on the stack that was changed would be nice). I am
: trying to remember the reason that OpenBSD decided against such designs.
: Anyone?

Because the OpenBSD folk want to fix all bugs, and buffer overflows are bugs.

There are several competing ways of fixing this, none of which are entirely satisfactory. Mostly people complain about the overhead of these systems, but on a fast machine you'll likely not notice. They also generally only protect against smash-the-stack overflows, although some do offer some limited protection against global variable or heap overflows.

Warner

From owner-freebsd-security Wed Nov 10 21:34:50 1999
Date: Wed, 10 Nov 1999 22:32:17 -0700 (MST)
From: Paul Hart
To: Warner Losh
Cc: freebsd-security@freebsd.org
Subject: Re: suidperl ? (Was: Examining FBSD set[ug]ids and their use)
In-Reply-To: <199911110408.VAA09730@harmony.village.org>

On Wed, 10 Nov 1999, Warner Losh wrote:

> : Would anything break in the system and/or system utilities if
> : it is stripped off ?
>
> Nothing in the base system.

What about /usr/bin/keyinfo?

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Wed Nov 10 21:36: 9 1999
Message-Id: <199911110536.WAA10074@harmony.village.org>
To: Paul Hart
Subject: Re: suidperl ? (Was: Examining FBSD set[ug]ids and their use)
Cc: freebsd-security@freebsd.org
In-reply-to: Your message of "Wed, 10 Nov 1999 22:32:17 MST."
Date: Wed, 10 Nov 1999 22:36:06 -0700
From: Warner Losh

In message Paul Hart writes:
: On Wed, 10 Nov 1999, Warner Losh wrote:
:
: > : Would anything break in the system and/or system utilities if
: > : it is stripped off ?
: >
: > Nothing in the base system.
:
: What about /usr/bin/keyinfo?

I stand corrected... Since I don't use skey, I'd never noticed...

Warner

From owner-freebsd-security Wed Nov 10 23:20:33 1999
Date: Thu, 11 Nov 1999 08:20:24 +0100
From: Udo Schweigert To: Mike Tancsa Cc: matt , freebsd-security@FreeBSD.ORG, jseger@FreeBSD.ORG Subject: patch for bind8 port (was: BIND NXT Bug Vulnerability) Message-ID: <19991111082024.A17215@alaska.cert.siemens.de> References: <4.1.19991110202719.04c5ee30@granite.sentex.ca> <4.1.19991110213919.04565e60@granite.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <4.1.19991110213919.04565e60@granite.sentex.ca>; from mike@sentex.net on Wed, Nov 10, 1999 at 09:40:29PM -0500 X-Operating-System: FreeBSD 3.3-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 10, 1999 at 09:40:29PM -0500, Mike Tancsa wrote: > At 09:23 PM 11/10/99 , matt wrote: > > > >The ports tree currently has 8.2.1 though, I'm sure alot of people have > >resorted to using this, I have. Has the maintainer of this port been > >contacted yet? -matt > Here is a patch for the port. Regards ------------------------------------------------------------------------------- Udo Schweigert || Voice : +49 89 636 42170 Siemens AG, Siemens CERT || Fax : +49 89 636 41166 ZT IK 3 || email : Udo.Schweigert@mchp.siemens.de D-81730 Muenchen / Germany || : ust@cert.siemens.de PGP fingerprint || 2A 53 F6 A6 30 59 64 02 6B C4 E0 73 B2 C9 6C E7 ------------------------------------------------------------------------------- diff -ru bind8.org/Makefile bind8/Makefile --- bind8.org/Makefile Tue Sep 7 17:30:33 1999 +++ bind8/Makefile Thu Nov 11 08:15:09 1999 
@@ -1,14 +1,14 @@ # New ports collection makefile for: bind -# Version required: 8.2.1 +# Version required: 8.2.2-p3 # Date created: 18 July 1997 # Whom: jseger@scds.com # # $FreeBSD: ports/net/bind8/Makefile,v 1.14 1999/08/30 14:22:09 peter Exp $ # -DISTNAME= bind-8.2.1 +DISTNAME= bind-8.2.2-p3 CATEGORIES= net -MASTER_SITES= ftp://ftp.isc.org/isc/bind/src/8.2.1/ +MASTER_SITES= ftp://ftp.isc.org/isc/bind/src/8.2.2-P3/ DISTFILES= bind-src.tar.gz bind-doc.tar.gz MAINTAINER= jseger@FreeBSD.org diff -ru bind8.org/files/md5 bind8/files/md5 --- bind8.org/files/md5 Thu Jul 29 20:51:21 1999 +++ bind8/files/md5 Thu Nov 11 08:11:23 1999 @@ -1,2 +1,2 @@ -MD5 (bind-src.tar.gz) = 449cad9c83d31c28179d3fa9dabd3a38 -MD5 (bind-doc.tar.gz) = 52ba164906f8cb5d0fe1d06ceb5ac5db +MD5 (bind-src.tar.gz) = c782af1a8058d6d2d3c95c1385a5c8c0 +MD5 (bind-doc.tar.gz) = 42025ab4bed0f13ab612ec5984abe2f0 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 10 23:44:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from wint.itfs.nsk.su (wint.itfs.nsk.su [212.20.32.43]) by hub.freebsd.org (Postfix) with ESMTP id 2CFC414D7B for ; Wed, 10 Nov 1999 23:44:10 -0800 (PST) (envelope-from nnd@wint.itfs.nsk.su) Received: (from nnd@localhost) by wint.itfs.nsk.su (8.9.3/8.9.3) id NAA77123; Thu, 11 Nov 1999 13:42:30 +0600 (NOVT) (envelope-from nnd) Date: Thu, 11 Nov 1999 13:42:30 +0600 (NOVT) Message-Id: <199911110742.NAA77123@wint.itfs.nsk.su> 
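Review bot: the Makefile hunk bumps DISTNAME and MASTER_SITES to 8.2.2-P3 but does not fetch or apply ISC's patch4, which N. Dudorov's follow-up in this thread says is necessary for bind-8.2.2-P3 to work; add `PATCH_SITES= ftp://ftp.isc.org/isc/bind/src/8.2.2-P3/` and `PATCHFILES= patch4` alongside the MASTER_SITES change (as matt's later message does) so the port builds a working server rather than a broken one. As a minor style point, DISTNAME uses lowercase `p3` while MASTER_SITES uses ISC's uppercase `P3`; fetching is unaffected because DISTFILES is set explicitly, but the two spellings should agree.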
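Review bot: the files/md5 hunk updates the checksums for bind-src.tar.gz and bind-doc.tar.gz but carries no entry for patch4, so once patch4 is added to PATCHFILES `make checksum` will have nothing to verify it against; add an `MD5 (patch4) = ...` line. The value matt posts later was computed from his own download because ISC did not publish one, so prefer a checksum obtained from ISC or from an independent download over a single locally computed value before committing it.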
From: nnd@mail.nsk.ru
To: security@freebsd.org
Subject: Re: patch for bind8 port
In-Reply-To: <19991111082024.A17215@alaska.cert.siemens.de>

In <19991111082024.A17215@alaska.cert.siemens.de> Udo Schweigert wrote:
> On Wed, Nov 10, 1999 at 09:40:29PM -0500, Mike Tancsa wrote:
>> At 09:23 PM 11/10/99 , matt wrote:
>> >
>> >The ports tree currently has 8.2.1 though, I'm sure a lot of people have
>> >resorted to using this, I have. Has the maintainer of this port been
>> >contacted yet? -matt
>>
>
> Here is a patch for the port.

This is great, BUT there is the 'patch4' on the isc site which is NECESSARY for bind-8.2.2-P3 to work.

N.Dudorov

From owner-freebsd-security Thu Nov 11 1: 8:27 1999
Date: Thu, 11 Nov 1999 04:08:23 -0500 (EST)
From: matt
To: FreeBSD-SECURITY
Subject: Re: Bind bug, patch to ports (Sorry, I lost the original message)

If you add the following to the Makefile and files/md5 after patching with the patch (I'm so sorry, I lost the email and don't have your name) supplied for the ports tree, it'll work:

-- to Makefile --

PATCH_SITES=	ftp://ftp.isc.org/isc/bind/src/8.2.2-P3/
PATCHFILES=	patch4

-- to files/md5 --

MD5 (patch4) = b9b05dca4b591ad73b17f7262afa6636

Sorry if this is dirty, it is, but it worked on my system. Please note that the MD5 on patch4 is from my machine after downloading patch4 from ftp.isc.org, they did not provide an md5. I suppose it isn't needed if you make without checksum, it's there for ease of use.

Matt

--
"If the primates that we came from had known that someday politicians
 would come out of the...the gene pool, they'd a stayed up in the trees
 and written evolution off as a bad idea. Hell, I always thought the
 opposable thumb was overrated."
                                        -Sheridan, "A Distant Star"

From owner-freebsd-security Thu Nov 11 6:14: 9 1999
Date: Fri, 12 Nov 1999 00:13:20 +1000 (EST)
Message-Id: <199911111413.AAA25378@gdr.dhis.org>
From: phil grainger
To: security@freebsd.org
Reply-To: phil grainger
Subject: mucked up an install...

hi guys,

hey i have mucked up my password list on a machine from what i can gather from vipw ... the root password is now about 3 times the length of every other user on the system ... i tried adding a user and the password is also 3 times longer than normal users. I assume this must be some form of higher encryption than normal.

is there any way to avoid having to re-enter every password for every user ?

phil grainger

-----------------------------------------------------
This mail sent through IMP: http://web.horde.org/imp/

From owner-freebsd-security Thu Nov 11 6:21:29 1999
Date: Thu, 11 Nov 1999 15:20:54 +0100
From: Stephan van Beerschoten
To: phil grainger
Cc: security@FreeBSD.ORG
Subject: Re: mucked up an install...
Message-ID: <19991111152054.C8293@supra.rotterdam.luna.net>
References: <199911111413.AAA25378@gdr.dhis.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <199911111413.AAA25378@gdr.dhis.org>; from phil grainger on Fri, Nov 12, 1999 at 12:13:20AM +1000
Organization: Luna Internet Services http://www.luna.nl
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 12, 1999 at 12:13:20AM +1000, phil grainger wrote:
> the root password is now about 3 times the length of
> every other user on the system ...

Does the hash start with $1$Of or something like that? My guess is that you (or some co-admin) has enabled MD5 hashing on your machine, and that by changing passwords, you change from DES to MD5 too.

-Steve

--
Stephan van Beerschoten          Email: stephanb@luna.nl
Network Engineer                 Luna Internet Services  www.luna.nl
PO Box 28013  3003 KA Rotterdam NL
PGPKey fingerprint = 45 57 97 61 B2 12 FB 4C 77 8D 35 29 C4 2A 2D 27
The perl script is correct if its get this job done before your boss fires you

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 11 6:23:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from supra.rotterdam.luna.net (supra.rotterdam.luna.net [194.151.24.24]) by hub.freebsd.org (Postfix) with ESMTP id EC9EE15469 for ; Thu, 11 Nov 1999 06:23:46 -0800 (PST) (envelope-from stephanb@luna.nl)
Received: (from stephanb@localhost) by supra.rotterdam.luna.net (•8.8.8/tcpwrp+ismx/8.8.8/chk+tcpwrpr) id PAA12874 for security@freebsd.org; Thu, 11 Nov 1999 15:23:46 +0100 (CET)
Date: Thu, 11 Nov 1999 15:22:39 +0100
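Stephan's diagnosis above can be turned into a quick audit of the password database: a traditional DES crypt(3) hash is 13 characters, while an MD5-crypt hash is "$1$", up to 8 salt characters, "$" and 22 hash characters (34 characters in all, which is roughly the three-fold length increase Phil noticed). The following is an added example, not code from this thread or from FreeBSD; it parses constructed master.passwd(5)-style lines (the ten-field FreeBSD layout, with made-up hash values) and reports which accounts still carry DES hashes, so an admin can see how far the DES-to-MD5 migration has gone and which accounts to expire first.

```python
import re
from dataclasses import dataclass

# Field order of a FreeBSD master.passwd(5) entry.
FIELDS = ("name", "passwd", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt: "$1$", 1-8 salt chars, "$", 22 hash chars.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


@dataclass
class Account:
    name: str
    uid: int
    hash_kind: str


def classify_hash(field: str) -> str:
    """Name the hash format found in one passwd field."""
    if field == "":
        return "empty"        # no password at all: a finding in its own right
    if field.startswith("*") or field.startswith("!"):
        return "locked"       # no hash can ever match, account is disabled
    if MD5_RE.match(field):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def parse_master_passwd(text: str) -> list:
    """Parse master.passwd lines; blank lines and '#' comments are skipped."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        accounts.append(Account(entry["name"], int(entry["uid"]),
                                classify_hash(entry["passwd"])))
    return accounts


def audit(text: str) -> dict:
    """Return a count per hash kind plus the accounts still on DES."""
    accounts = parse_master_passwd(text)
    counts = {}
    for a in accounts:
        counts[a.hash_kind] = counts.get(a.hash_kind, 0) + 1
    des_accounts = sorted(a.name for a in accounts if a.hash_kind == "des")
    return {"counts": counts, "des_accounts": des_accounts}


# Constructed sample database; the hash values are made up, not real credentials.
SAMPLE = """\
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
root:$1$Of3xJk9q$abcdefghijklmnopqrstuv:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
phil:Ab8kP3mZq7xLo:1001:1001::0:0:Phil Grainger:/home/phil:/bin/sh
newuser:$1$Qz7Lm2Ab$0123456789abcdefghijkl:1002:1002::0:0:New User:/home/newuser:/bin/sh
olduser:Cd2eF9gH1jK3l:1003:1003::0:0:Old Account:/home/olduser:/bin/sh
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("hash formats:", report["counts"])
    print("still DES (expire these first):", report["des_accounts"])
```

Run against a real file it would be fed the contents of /etc/master.passwd (readable by root only); the "empty" and "unknown" categories are worth reviewing by hand, since an empty field means a password-less account and an unrecognised field means the entry was edited by something other than passwd(1) or pw(8).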
From: Stephan van Beerschoten
To: phil grainger
Subject: Re: mucked up an install...
Message-ID: <19991111152239.D8293@supra.rotterdam.luna.net>
References: <199911111413.AAA25378@gdr.dhis.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <199911111413.AAA25378@gdr.dhis.org>; from phil grainger on Fri, Nov 12, 1999 at 12:13:20AM +1000
Organization: Luna Internet Services http://www.luna.nl
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 12, 1999 at 12:13:20AM +1000, phil grainger wrote:
> is there any way to avoid having to re-enter every
> password for every user ?

Sorry for the double post, I just screened your message quickly and forgot this question.

Ehm, what you could do is let every password of every user 'expire' and let them change it at next logon. After a while you'll notice the change. And you can weed out old accounts with a thing like this :)

-Steve

--
Stephan van Beerschoten          Email: stephanb@luna.nl
Network Engineer                 Luna Internet Services  www.luna.nl
PO Box 28013  3003 KA Rotterdam NL
PGPKey fingerprint = 45 57 97 61 B2 12 FB 4C 77 8D 35 29 C4 2A 2D 27
The perl script is correct if its get this job done before your boss fires you

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 11 7:19: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id B8AE014D3A; Thu, 11 Nov 1999 07:18:59 -0800 (PST) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id KAA60033; Thu, 11 Nov 1999 10:18:58 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id KAA03501; Thu, 11 Nov 1999 10:18:58
-0500 (EST) Message-Id: <3.0.5.32.19991111101750.01fd0cb0@staff.sentex.ca> X-Sender: mdtpop@staff.sentex.ca X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Thu, 11 Nov 1999 10:17:50 -0500 To: Udo Schweigert 
From: Mike Tancsa Subject: Re: patch for bind8 port (was: BIND NXT Bug Vulnerability) Cc: freebsd-security@FreeBSD.ORG, jseger@FreeBSD.ORG In-Reply-To: <19991111082024.A17215@alaska.cert.siemens.de> References: <4.1.19991110213919.04565e60@granite.sentex.ca> <4.1.19991110202719.04c5ee30@granite.sentex.ca> <4.1.19991110213919.04565e60@granite.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:20 AM 11/11/99 +0100, Udo Schweigert wrote: >On Wed, Nov 10, 1999 at 09:40:29PM -0500, Mike Tancsa wrote: >> At 09:23 PM 11/10/99 , matt wrote: >> > >> >The ports tree currently has 8.2.1 though, I'm sure alot of people have >> >resorted to using this, I have. Has the maintainer of this port been >> >contacted yet? -matt >> > >Here is a patch for the port. You also want patch4 that the ISC folks point out. I just made it patch-ac and put it in the patches directory for the port, and fixed the diff path. Index: src/bin/named-xfer/named-xfer.c =================================================================== RCS file: /proj/cvs/isc/bind/src/bin/named-xfer/named-xfer.c,v retrieving revision 8.88 retrieving revision 8.89 diff -c -r8.88 -r8.89 *** src/bin/named-xfer/named-xfer.c 1999/11/08 23:01:39 8.88 --- src/bin/named-xfer/named-xfer.c 1999/11/09 20:36:54 8.89 *************** *** 2195,2201 **** zp->z_origin, zp_finish.z_serial); } soa_cnt++; ! if ((methode == ISIXFR) || (soa_cnt > 2)) { return (result); } } else { --- 2195,2201 ---- zp->z_origin, zp_finish.z_serial); } soa_cnt++; ! 
if ((methode == ISIXFR) || (soa_cnt >= 2)) { return (result); } } else { ------------------------------------------------------------------------ Mike Tancsa, tel 01.519.651.3400 Network Administrator, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 7:56:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from entic.net (shell.entic.net [209.157.122.66]) by hub.freebsd.org (Postfix) with SMTP id 08FC91548F for ; Thu, 11 Nov 1999 07:56:45 -0800 (PST) (envelope-from aj@entic.net) Received: (qmail 25181 invoked by uid 1000); 11 Nov 1999 15:57:01 -0000 Date: Thu, 11 Nov 1999 07:57:00 -0800 (PST) 
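Review bot: the only functional change in the named-xfer.c hunk is `soa_cnt > 2` becoming `soa_cnt >= 2`, so the function now returns as soon as the second SOA has been counted instead of waiting for a third; the hunk shows just the increment and the condition, so the reason for stopping at two (presumably the second SOA marking the end of the transfer in the non-ISIXFR case) is not visible from the diff and deserves a comment on that line or in the port's patch file. As quoted here the hunk is a `diff -c` context diff whose changed line has been wrapped by the mail client (the `!` marker sits apart from the `if` line), so it will not apply with patch(1) if pasted from this message; since the text says it was added to the port as patch-ac with the diff path fixed, that files/patch-ac should be taken from ISC's patch4 file named in this thread rather than from this copy.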
From: Anil Jangity To: Udo Schweigert Cc: Mike Tancsa , matt , freebsd-security@FreeBSD.ORG, jseger@FreeBSD.ORG Subject: Re: patch for bind8 port (was: BIND NXT Bug Vulnerability) In-Reply-To: <19991111082024.A17215@alaska.cert.siemens.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 11 Nov 1999, Udo Schweigert wrote: |On Wed, Nov 10, 1999 at 09:40:29PM -0500, Mike Tancsa wrote: |> At 09:23 PM 11/10/99 , matt wrote: |> > |> >The ports tree currently has 8.2.1 though, I'm sure alot of people have |> >resorted to using this, I have. Has the maintainer of this port been |> >contacted yet? -matt |> | |Here is a patch for the port. There was also a patch4, with a minor fix to the xfer code: ftp.isc.org/isc/bind/src/8.2.2-P3/patch4 | |Regards | |------------------------------------------------------------------------------- |Udo Schweigert || Voice : +49 89 636 42170 |Siemens AG, Siemens CERT || Fax : +49 89 636 41166 |ZT IK 3 || email : Udo.Schweigert@mchp.siemens.de |D-81730 Muenchen / Germany || : ust@cert.siemens.de |PGP fingerprint || 2A 53 F6 A6 30 59 64 02 6B C4 E0 73 B2 C9 6C E7 |------------------------------------------------------------------------------- Kind regards, Anil Jangity "Work like you don't need money, love like you've never been hurt, and dance like no one's watching." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 8:14: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from freebsd.navon.org.il (freebsd.navon.org.il [192.117.131.10]) by hub.freebsd.org (Postfix) with ESMTP id 2243A14CA7 for ; Thu, 11 Nov 1999 08:13:54 -0800 (PST) (envelope-from root@freebsd.navon.org.il) Received: from localhost (root@localhost) by freebsd.navon.org.il (8.9.3/8.9.3) with ESMTP id SAA02489 for ; Thu, 11 Nov 1999 18:17:43 +0200 (IST) (envelope-from root@freebsd.navon.org.il) Date: Thu, 11 Nov 1999 18:17:43 +0200 (IST) From: Charlie ROOT To: freebsd-security@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org subscribe freebsd-security To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 10:26: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from java.dpcsys.com (java.dpcsys.com [206.16.184.7]) by hub.freebsd.org (Postfix) with ESMTP id EBC0D15475 for ; Thu, 11 Nov 1999 10:25:58 -0800 (PST) (envelope-from dan@dpcsys.com) Received: from localhost (dan@localhost) by java.dpcsys.com (8.9.1a/8.9.1) with SMTP id KAA13979; Thu, 11 Nov 1999 10:25:39 -0800 (PST) Date: Thu, 11 Nov 1999 10:25:39 -0800 (PST) 
From: Dan Busarow
To: matt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: BIND NXT Bug Vulnerability
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 10 Nov 1999, matt wrote:
> The ports tree currently has 8.2.1 though, I'm sure a lot of people have
> resorted to using this, I have. Has the maintainer of this port been
> contacted yet? -matt

bind builds perfectly from the source.

# make stdlinks
# make clean
# make depend
# make all
# make install

Done. It looks for named.conf in /etc instead of /etc/namedb, but we have named_flags available, or you can just symlink /etc/namedb/named.conf to /etc/named.conf, which is what I do.

You could also edit src/port/freebsd/Makefile.set and change DESTETC to suit.

Relying on ports for critical bits such as bind and sendmail seems, uh, risky?

Dan

--
Dan Busarow                                   949 443 4172
Dana Point Communications, Inc.               dan@dpcsys.com
Dana Point, California  83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 11 11:26:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id A6E5C14ED2 for ; Thu, 11 Nov 1999 11:24:54 -0800 (PST) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id SAA11195; Thu, 11 Nov 1999 18:38:51 GMT
Message-ID: <382B0D3D.EFB416B3@algroup.co.uk>
Date: Thu, 11 Nov 1999 18:38:53 +0000
From: Adam Laurie X-Mailer: Mozilla 4.7 [en-gb] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Mark Murray Cc: Jacques Vidrine , "Jordan K. Hubbard" , security@FreeBSD.ORG Subject: Re: OpenSSH patches References: <199911101824.UAA10746@gratis.grondar.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mark Murray wrote: > > > [dropped -ports] > > On 2 November 1999 at 10:58, "Jordan K. Hubbard" wrote: > > > For a lot of good reasons, this is something we really > > > need, even if we have to take a few chances and/or move a CVS server > > > to Canada. :) > > > > Don't we already have a CVS server in South Africa for this kind of > > thing? > > How would folk feel about the International CVS Repo holding "better" > crypto thathan the WC one (until the relevant patents expire)? > > I can do this in such a way as to make all other code identical, > and anyone will be able to get both binary and source from it. It > is heavily mirrored as well :-) Sounds a very sensible option. cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. 
Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 11:42:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from broccoli.graphics.cornell.edu (broccoli.graphics.cornell.edu [128.84.247.53]) by hub.freebsd.org (Postfix) with ESMTP id 8FC0614BF4 for ; Thu, 11 Nov 1999 11:42:10 -0800 (PST) (envelope-from mkc@Graphics.Cornell.EDU) Received: from graphics.cornell.edu by broccoli.graphics.cornell.edu with ESMTP (1.37.109.16/16.2) id AA298389320; Thu, 11 Nov 1999 14:42:00 -0500 Message-Id: <199911111942.AA298389320@broccoli.graphics.cornell.edu> X-Mailer: exmh version 2.0zeta 7/24/97 To: Dan Busarow Cc: matt , freebsd-security@FreeBSD.ORG Subject: Re: BIND NXT Bug Vulnerability In-Reply-To: Your message of "Thu, 11 Nov 1999 10:25:39 PST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 11 Nov 1999 14:41:59 -0500 
From: Mitch Collinsworth Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >bind builds perfectly from the source. > ># make stdlinks ># make clean ># make depend ># make all ># make install > >Done. It looks for named.conf in /etc instead of /etc/namedb but we >have named_flags available or you can just symlink /etc/namedb/named.conf >to /etc/named.conf which is what I do. > >You could also edit src/port/freebsd/Makefile.set and change >DESTETC to suit. Does DESTETC really control this? I was poking around looking for why it was looking in /etc rather than /etc/namedb and found this. Then I looked back at my 8.1.2 install which was from the ports and defaults to /etc/namedb and DESTETC was set to /etc there as well. Oddly, the default ISC install creates an /etc/namedb/named.conf, but the named it creates looks for /etc/named.conf. Weird. -Mitch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 11:48:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from penelope.skunk.org (penelope.skunk.org [208.133.204.51]) by hub.freebsd.org (Postfix) with ESMTP id 05BF214BF4 for ; Thu, 11 Nov 1999 11:48:34 -0800 (PST) (envelope-from ben@penelope.skunk.org) Received: from localhost (ben@localhost) by penelope.skunk.org (8.9.3/8.9.3) with ESMTP id OAA99963 for ; Thu, 11 Nov 1999 14:56:00 -0500 (EST) Date: Thu, 11 Nov 1999 14:56:00 -0500 (EST) 
From: Ben Rosengart To: security@freebsd.org Subject: CERT Advisory CA-99.14 - Multiple Vulnerabilities in BIND (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Just on the off-chance that anyone who's running BIND hasn't seen this, here is the CERT security advisory for the multiple BIND vulnerabilities that were disclosed yesterday. Has the newest BIND been imported into the FreeBSD tree yet? -- Ben Rosengart UNIX Systems Engineer, Skunk Group StarMedia Network, Inc. ---------- Forwarded message ---------- Date: Thu, 11 Nov 1999 10:03:13 -0800 
From: Aleph One
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: CERT Advisory CA-99.14 - Multiple Vulnerabilities in BIND

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-99-14 Multiple Vulnerabilities in BIND

Original release date: November 10, 1999
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running various versions of BIND

I. Description

Six vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers.

Vulnerability #1: the "nxt bug"

Some versions of BIND fail to properly validate NXT records. This improper validation could allow an intruder to overflow a buffer and execute arbitrary code with the privileges of the name server.

NXT record support was introduced in BIND version 8.2. Prior versions of BIND, including 4.x, are not vulnerable to this problem. The ISC-supplied version of BIND corrected this problem in version 8.2.2.

Vulnerability #2: the "sig bug"

This vulnerability involves a failure to properly validate SIG records, allowing a remote intruder to crash named; see the impact section for additional details.

SIG record support is found in multiple versions of BIND, including 4.9.5 through 8.x.

Vulnerability #3: the "so_linger bug"

By intentionally violating the expected protocols for closing a TCP session, remote intruders can cause named to pause for periods up to 120 seconds.

Vulnerability #4: the "fdmax bug"

Remote intruders can consume more file descriptors than BIND can properly manage, causing named to crash.

Vulnerability #5: the "maxdname bug"

Improper handling of certain data copied from the network could allow a remote intruder to disrupt the normal operation of your name server, possibly including a crash.
Vulnerability #6: the "naptr bug"

Some versions of BIND fail to validate zone information loaded from disk files. In environments with unusual combinations of permissions and protections, this could allow an intruder to crash named.

Other recent BIND-related vulnerabilities

AusCERT recently published a report describing denial-of-service attacks against name servers. These attacks are unrelated to the issues described in this advisory. For information on the denial-of-service attacks described by AusCERT, please see AusCERT Alert AL-1999.004 available at:

ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos

II. Impact

Vulnerability #1

By exploiting this vulnerability, remote intruders can execute arbitrary code with the privileges of the user running named, typically root.

Vulnerabilities #2, #4, and #5

By exploiting these vulnerabilities, remote intruders can disrupt the normal operation of your name server, possibly causing a crash.

Vulnerability #3

By periodically exercising this vulnerability, remote intruders can disrupt the ability of your name server to respond to legitimate queries. By intermittently exercising this vulnerability, intruders can seriously degrade the performance of your name server.

Vulnerability #6

Local intruders who gain write access to your zone files can cause named to crash.

III. Solution

Apply a patch from your vendor or update to a later version of BIND

Many operating system vendors distribute BIND with their operating system. Depending on your support procedures, arrangements, and contracts, you may wish to obtain BIND from your operating system vendor rather than directly from ISC. Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A.
Vendor Information Vendor Name Caldera See ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current MD5s db1dda05dbe0f67c2bd2e5049096b42c RPMS/bind-8.2.2p3-1.i386.rpm 82bbe025ac091831904c71c885071db1 RPMS/bind-doc-8.2.2p3-1.i386.rpm 2f9a30444046af551eafd8e6238a50c6 RPMS/bind-utils-8.2.2p3-1.i386.rpm 0e4f041549bdd798cb505c82a8911198 SRPMS/bind-8.2.2p3-1.src.rpm Compaq Computer Corporation At the time of writing this document, Compaq is currently investigating the potential impact to Compaq's BIND release(s). As further information becomes available Compaq will provide notice of the completion/availability of any necessary patches through AES services (DIA, DSNlink FLASH and posted to the Services WEB page) and be available from your normal Compaq Services Support channel. Data General We are investigating. We will provide an update when our investigation is complete. Hewlett-Packard Company HP is vulnerable, see the chart in the ISC advisory for details on your installed version of BIND. Our fix strategy is under investigation, watch for updates to this CERT advisory in the CERT archives, or an HP security advisory/bulletin. IBM Corporation The bind8 shipped with AIX 4.3.x is vulnerable. We are currently working on the following APARs which will be available soon: APAR 4.3.x: IY05851 To Order APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL: http://aix.software.ibm.com/aix.us/swfixes/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". IBM and AIX are registered trademarks of International Business Machines Corporation. The Internet Software Consortium ISC has published an advisory regarding these problems, available at http://www.isc.org/products/BIND/bind-security-19991108.html The ISC advisory also includes a table summarizing which versions of BIND are susceptible to the vulnerabilities described in this advisory. 
OpenBSD As far as we know, we don't ship with any of those vulnerabilities. Santa Cruz Operation, Inc Security patches for the following SCO products will be made available at http://www.sco.com/security OpenServer 5.x.x, UnixWare 7.x.x, UnixWare 2.x.x Sun Microsystems Vulnerability #1 Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7 are not vulnerable. Vulnerability #2 Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7 are not vulnerable. Vulnerability #3 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Sun will be producing patches for Solaris 7. Vulnerability #4 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Solaris 7 is probably not vulnerable. We are still investigating. Vulnerability #5 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Sun will be producing patches for Solaris 7. Vulnerability #6 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Sun will be producing patches for Solaris 7. _________________________________________________________________ The CERT Coordination Center would like to thank David Conrad, Paul Vixie and Bob Halley of the Internet Software Consortium for notifying us of these problems and for their help in constructing the advisory, and Olaf Kirch of Caldera for notifying us of some of these problems and providing technical assistance and advice. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-99-14-bind.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. 
Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. 
_________________________________________________________________ Revision History November 10, 1999: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOCo3W1r9kb5qlZHQEQIY9QCgjh17l5yAtNrLFSSj2EJ3HYUe8hgAoOol 1lRvWBJAlYs63OEqqJ+mCfr2 =bBA/ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 12: 2: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from java.dpcsys.com (java.dpcsys.com [206.16.184.7]) by hub.freebsd.org (Postfix) with ESMTP id 194DB14CA2 for ; Thu, 11 Nov 1999 12:01:26 -0800 (PST) (envelope-from dan@dpcsys.com) Received: from localhost (dan@localhost) by java.dpcsys.com (8.9.1a/8.9.1) with SMTP id MAA05433; Thu, 11 Nov 1999 12:00:51 -0800 (PST) Date: Thu, 11 Nov 1999 12:00:51 -0800 (PST) 
From: Dan Busarow To: Mitch Collinsworth Cc: freebsd-security@FreeBSD.ORG Subject: Re: BIND NXT Bug Vulnerability In-Reply-To: <199911111942.AA298389320@broccoli.graphics.cornell.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 11 Nov 1999, Mitch Collinsworth wrote: > Dan Busarow wrote: > >You could also edit src/port/freebsd/Makefile.set and change > >DESTETC to suit. > > Does DESTETC really control this? I was poking around looking for > why it was looking in /etc rather than /etc/namedb and found this. > Then I looked back at my 8.1.2 install which was from the ports and > defaults to /etc/namedb and DESTETC was set to /etc there as well. Don't know for sure, the port may change it in pathtemplate.h But INSTALL claims that setting DESTETC is the way to do it. > Oddly, the default ISC install creates an /etc/namedb/named.conf, > but the named it creates looks for /etc/named.conf. Weird. Odd, didn't for me when I installed it, my named.conf isn't actually in /etc/namedb so it should have if it wanted to. Dan -- Dan Busarow 949 443 4172 Dana Point Communications, Inc. dan@dpcsys.com Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 12:32:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from s01.arpa-canada.net (s01.arpa-canada.net [209.104.122.2]) by hub.freebsd.org (Postfix) with ESMTP id 84FF514BE9 for ; Thu, 11 Nov 1999 12:31:56 -0800 (PST) (envelope-from matt@BabCom.ORG) Received: by s01.arpa-canada.net (Postfix, from userid 1001) id 0EC54B885; Thu, 11 Nov 1999 15:31:54 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by s01.arpa-canada.net (Postfix) with ESMTP id 09133E; Thu, 11 Nov 1999 15:31:54 -0500 (EST) Date: Thu, 11 Nov 1999 15:31:53 -0500 (EST) 
From: matt X-Sender: matt@s01.arpa-canada.net To: Dan Busarow Cc: freebsd-security@FreeBSD.ORG Subject: Re: BIND NXT Bug Vulnerability In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 11 Nov 1999, Dan Busarow wrote: [...] : Relying on ports for crital bits such as bind and sendmail seems, uh, : risky? Considering that the version of bind included in -STABLE (supped 10-14-99) is 8.1.2, so I hate to rely on ports, but this does seem to be the quickest method for keeping up on new versions. There is virtually no difference in compiling bind from the ports or from raw source, the former is simply an easier way, and keeps things in order with little hassle. : Dan : -- : Dan Busarow 949 443 4172 : Dana Point Communications, Inc. dan@dpcsys.com : Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82 Matt -- "If the primates that we came from had known that someday politicians would come out of the...the gene pool, they'd a stayed up in the trees and written evolution off as a bad idea. Hell, I always thought the opposable thumb was overrated." 
-Sheridan, "A Distant Star" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 12:37:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from broccoli.graphics.cornell.edu (broccoli.graphics.cornell.edu [128.84.247.53]) by hub.freebsd.org (Postfix) with ESMTP id D938814D6F for ; Thu, 11 Nov 1999 12:37:27 -0800 (PST) (envelope-from mkc@Graphics.Cornell.EDU) Received: from graphics.cornell.edu by broccoli.graphics.cornell.edu with ESMTP (1.37.109.16/16.2) id AA298892642; Thu, 11 Nov 1999 15:37:22 -0500 Message-Id: <199911112037.AA298892642@broccoli.graphics.cornell.edu> X-Mailer: exmh version 2.0zeta 7/24/97 To: Dan Busarow Cc: freebsd-security@FreeBSD.ORG Subject: Re: BIND NXT Bug Vulnerability In-Reply-To: Your message of "Thu, 11 Nov 1999 12:00:51 PST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 11 Nov 1999 15:37:22 -0500 
From: Mitch Collinsworth Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >> Oddly, the default ISC install creates an /etc/namedb/named.conf, >> but the named it creates looks for /etc/named.conf. Weird. > >Odd, didn't for me when I installed it, my named.conf isn't actually >in /etc/namedb so it should have if it wanted to. I think this was my mis-interpretation of what I saw. I built and installed named from the ISC src and then looked in /etc/namedb and found a named.conf. Looking now at another FBSD system that has never had named installed on it I see an /etc/namedb/named.conf there, too, so now I'll assume it came from FBSD and not from ISC. oops. -Mitch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 13:33: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (Postfix) with ESMTP id 44A3414BFE for ; Thu, 11 Nov 1999 13:33:02 -0800 (PST) (envelope-from root@infowest.com) Received: by infowest.com (Postfix, from userid 0) id D44DE20F66; Thu, 11 Nov 1999 14:33:01 -0700 (MST) To: security@freebsd.org Subject: Re: BIND NXT Bug Vulnerability Reply-To: 
From: "Aaron D. Gifford"
Message-Id: <19991111213301.D44DE20F66@infowest.com>
Date: Thu, 11 Nov 1999 14:33:01 -0700 (MST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hmmm, looking at the ISC BIND web site page regarding versions and the various newly discovered problems that affect them, it appears that 8.1.2 is vulnerable to only 5 of the 6 new problems, but NOT the NXT bug.

A few fun things I discovered when upgrading from 8.1.2 to 8.2.2-P3 include:

The new version no longer supports "allow-query" sections in the "hint" zone type. The old 8.1.2 happily accepted them without complaint. When I restarted with the new version, this caused my "." zone hints file to be rejected, so all queries to the outside world stopped dead in the water until I removed that section.

As was already mentioned in this thread, BIND's default installation and startup location for the named.conf file is /etc/named.conf while FreeBSD's is /etc/namedb/named.conf -- a quick symlink fixes that too.

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 11 15: 2:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 681EB14E4A for ; Thu, 11 Nov 1999 15:02:55 -0800 (PST) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Thu, 11 Nov 1999 16:02:50 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma001662; Thu, 11 Nov 99 16:02:21 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id QAA09451; Thu, 11 Nov 1999 16:00:09 -0700 (MST)
Date: Thu, 11 Nov 1999 16:00:09 -0700 (MST)
From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: "Aaron D. Gifford" Cc: freebsd-security@FreeBSD.ORG Subject: Re: BIND NXT Bug Vulnerability In-Reply-To: <19991111213301.D44DE20F66@infowest.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 11 Nov 1999, Aaron D. Gifford wrote:

> As was already mentioned in this thread, BIND's default installation
> and startup location for the named.conf file is /etc/named.conf
> while FreeBSD's is /etc/namedb/named.conf -- a quick symlink fixes
> that too.

Why don't we stop being the oddball and make the named that comes with FreeBSD use /etc/named.conf as its configuration file?

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/

From owner-freebsd-security Thu Nov 11 15:11:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id EB6A914F5C for ; Thu, 11 Nov 1999 15:11:07 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id QAA20958 for ; Thu, 11 Nov 1999 16:10:46 -0700 (MST) Message-Id: <4.2.0.58.19991111160840.042469d0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 11 Nov 1999 16:10:53 -0700 To: security@freebsd.org
From: Brett Glass Subject: Why not sandbox BIND? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

OpenBSD sandboxes BIND, which means that most of the vulnerabilities in the CERT advisory would be moot.

Should the same be done by default in FreeBSD? There's no reason for BIND to be privileged.

--Brett

From owner-freebsd-security Thu Nov 11 15:22:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from nemesis.psionic.com (mcn-0220.aus.tx.bbnow.net [24.219.84.220]) by hub.freebsd.org (Postfix) with ESMTP id CCEA014F02 for ; Thu, 11 Nov 1999 15:22:02 -0800 (PST) (envelope-from crowland@psionic.com) Received: from dolemite.psionic.com (unknown [192.168.2.10]) by nemesis.psionic.com (Postfix) with ESMTP id AE88C51B5; Thu, 11 Nov 1999 17:40:19 -0600 (CST) Date: Thu, 11 Nov 1999 17:21:12 -0600 (CST)
From: "Craig H. Rowland" To: Brett Glass Cc: security@freebsd.org Subject: Re: Why not sandbox BIND? In-Reply-To: <4.2.0.58.19991111160840.042469d0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

BIND 8.x allows one to chroot() it very easily. There are even built-in command line options to facilitate this. I wrote a quick document up on how to do this for OpenBSD a while back. Since they now run BIND chroot()ed by default it may be moot, but it still contains useful information that applies directly to the FreeBSD platform.

Such a simple precaution as running BIND in a chroot() area can really prevent a lot of problems if something goes wrong. I personally wouldn't run BIND without this protection.

http://www.psionic.com/papers/dns/dns-openbsd/

-- Craig

On Thu, 11 Nov 1999, Brett Glass wrote:

> OpenBSD sandboxes BIND, which means that most of the vulnerabilities in the
> CERT advisory would be moot.
>
> Should the same be done by default in FreeBSD? There's no reason for BIND
> to be privileged.
>
> --Brett

From owner-freebsd-security Thu Nov 11 15:24:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id EFB8414DEA for ; Thu, 11 Nov 1999 15:24:32 -0800 (PST) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id XAA23817; Thu, 11 Nov 1999 23:24:10 GMT Message-ID: <382B5020.396D9FCC@algroup.co.uk> Date: Thu, 11 Nov 1999 23:24:16 +0000
From: Adam Laurie X-Mailer: Mozilla 4.7 [en-gb] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: agifford@infowest.com Cc: security@FreeBSD.ORG Subject: Re: BIND NXT Bug Vulnerability References: <19991111213301.D44DE20F66@infowest.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Aaron D. Gifford" wrote:
>
> Hmmm, looking at the ISC BIND web site page regarding versions and
> the various newly discovered problems that affect them, it appears
> that 8.1.2 is vulnerable to only 5 of the 6 new problems, but NOT
> the NXT bug.
>
> A few fun things I discovered when upgrading from 8.1.2 to 8.2.2-P3
> include:
>
> The new version no longer supports "allow-query" sections in the
> "hint" zone type. The old 8.1.2 happily accepted them without
> complaint. When I restarted with the new version, this caused
> my "." zone hints file to be rejected, so all queries to the outside
> world stopped dead in the water until I removed that section.
>
> As was already mentioned in this thread, BIND's default installation
> and startup location for the named.conf file is /etc/named.conf
> while FreeBSD's is /etc/namedb/named.conf -- a quick symlink fixes
> that too.

A most timely bit of info... Wish I'd read this a couple of hours ago! :)

FYI, allow-transfer causes the same problem.

cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd.
Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 11 15:31:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from kithrup.com (kithrup.com [205.179.156.40]) by hub.freebsd.org (Postfix) with ESMTP id 5FA7514F4D for ; Thu, 11 Nov 1999 15:31:09 -0800 (PST) (envelope-from sef@kithrup.com) Received: (from sef@localhost) by kithrup.com (8.8.8/8.8.8) id PAA20772; Thu, 11 Nov 1999 15:31:08 -0800 (PST) (envelope-from sef) Date: Thu, 11 Nov 1999 15:31:08 -0800 (PST) 
From: Sean Eric Fagan Message-Id: <199911112331.PAA20772@kithrup.com> To: security@freebsd.org Reply-To: security@freebsd.org Subject: Re: Why not sandbox BIND? In-Reply-To: References: <4.2.0.58.19991111160840.042469d0@localhost> Organization: Kithrup Enterprises, Ltd. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In article you write:
>BIND 8.x allows one to chroot() it very easily.

One of the principal bind developers has taken the existing linux capabilities implementation and run bind under it. He's very happy -- it runs as root, and yet pretty much can't do anything.

As that feature is useful for _other_ things (think sendmail), I think that's the direction to go in, really.

From owner-freebsd-security Thu Nov 11 15:46:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id DB42C14F68 for ; Thu, 11 Nov 1999 15:46:52 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id PAA05713; Thu, 11 Nov 1999 15:46:51 -0800 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda05711; Thu Nov 11 15:46:49 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id PAA65881; Thu, 11 Nov 1999 15:46:47 -0800 (PST) Message-Id: <199911112346.PAA65881@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpds65877; Thu Nov 11 15:46:14 1999 X-Mailer: exmh version 2.1.0 09/18/1999 Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? In-reply-to: Your message of "Thu, 11 Nov 1999 16:10:53 MST." <4.2.0.58.19991111160840.042469d0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 11 Nov 1999 15:46:14 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <4.2.0.58.19991111160840.042469d0@localhost>, Brett Glass writes:
> OpenBSD sandboxes BIND, which means that most of the vulnerabilities in the
> CERT advisory would be moot.
>
> Should the same be done by default in FreeBSD? There's no reason for BIND
> to be privileged.

Just put something like the following in named.conf.

named_flags="-c /usr/local/etc/namedb/named.conf -u named -g named -t /var/named"

Regards,                           Phone: (250)387-8437
Cy Schubert                        Fax:   (250)387-5766
Sun/DEC Team, UNIX Group           Internet: Cy.Schubert@uumail.gov.bc.ca
ITSD                                         Cy.Schubert@gems8.gov.bc.ca
Province of BC
"e**(i*pi)+1=0"

From owner-freebsd-security Thu Nov 11 21: 9:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 300DF14FED for ; Thu, 11 Nov 1999 21:09:44 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id WAA24221; Thu, 11 Nov 1999 22:09:19 -0700 (MST) Message-Id: <4.2.0.58.19991111220759.044f46d0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 11 Nov 1999 22:09:33 -0700 To: Cy Schubert - ITSD Open Systems Group
From: Brett Glass Subject: Re: Why not sandbox BIND? Cc: security@FreeBSD.ORG In-Reply-To: <199911112346.PAA65881@cwsys.cwsent.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I assume you mean rc.conf, not named.conf.

In any case, maybe there should be a "sandbox BIND" flag in rc.conf that selects a sandboxed configuration and is on by default. Also, it'd be nice to have the user "named" already in /etc/passwd and ready to go.

--Brett

At 03:46 PM 11/11/1999 -0800, Cy Schubert - ITSD Open Systems Group wrote:
>In message <4.2.0.58.19991111160840.042469d0@localhost>, Brett Glass writes:
> > OpenBSD sandboxes BIND, which means that most of the vulnerabilities in the
> > CERT advisory would be moot.
> >
> > Should the same be done by default in FreeBSD? There's no reason for BIND
> > to be privileged.
>
>Just put something like the following in named.conf.
>
>named_flags="-c /usr/local/etc/namedb/named.conf -u named -g named -t /var/named"
>
>
>Regards,                           Phone: (250)387-8437
>Cy Schubert                        Fax:   (250)387-5766
>Sun/DEC Team, UNIX Group           Internet: Cy.Schubert@uumail.gov.bc.ca
>ITSD                                         Cy.Schubert@gems8.gov.bc.ca
>Province of BC
> "e**(i*pi)+1=0"
>

From owner-freebsd-security Thu Nov 11 22:13:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from vampire.gothic.net.au (vampire.gothic.net.au [202.182.72.18]) by hub.freebsd.org (Postfix) with ESMTP id 92DA914D6E for ; Thu, 11 Nov 1999 22:13:38 -0800 (PST) (envelope-from sean@gothic.net.au) Received: by vampire.gothic.net.au (Postfix, from userid 1000) id D3865A829; Fri, 12 Nov 1999 17:13:36 +1100 (EST) Received: from localhost (localhost [127.0.0.1]) by vampire.gothic.net.au (Postfix) with ESMTP id A9AA4380A; Fri, 12 Nov 1999 17:13:36 +1100 (EST) Date: Fri, 12 Nov 1999 17:13:36 +1100 (EST)
From: Sean Winn To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? In-Reply-To: <4.2.0.58.19991111220759.044f46d0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 11 Nov 1999, Brett Glass wrote:

> I assume you mean rc.conf, not named.conf.
>
> In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> that selects a sandboxed configuration and is on by default.
> Also, it'd be nice to have the user "named" already in /etc/passwd
> and ready to go.

As in the existing...

bind:*:53:53:Bind Sandbox:/:/sbin/nologin

In /etc/defaults/rc.conf there's an example named_flags line...

#named_flags="-u bind -g bind"          # Flags for named

--
Sean Winn email: sean@gothic.net.au
All opinions valued at $0.02, and not subject to inflation.

From owner-freebsd-security Fri Nov 12 2:42:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 9646B14C05 for ; Fri, 12 Nov 1999 02:42:07 -0800 (PST) (envelope-from sthaug@nethelp.no) Received: (qmail 45565 invoked by uid 1001); 12 Nov 1999 10:42:03 +0000 (GMT) To: aj@entic.net Cc: ust@cert.siemens.de, mike@sentex.net, matt@BabCom.ORG, freebsd-security@FreeBSD.ORG, jseger@FreeBSD.ORG Subject: Re: patch for bind8 port (was: BIND NXT Bug Vulnerability)
From: sthaug@nethelp.no In-Reply-To: Your message of "Thu, 11 Nov 1999 07:57:00 -0800 (PST)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 12 Nov 1999 11:42:03 +0100 Message-ID: <45563.942403323@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> |Here is a patch for the port.
>
> There was also a patch4, with a minor fix to the xfer code:
>
> ftp.isc.org/isc/bind/src/8.2.2-P3/patch4

This fix is definitely not minor in the sense of "little importance". Without this fix:

- Zones will be *stored on disk* (by named-xfer) with two SOAs, because this is the format on the wire.

- Because they are stored on disk with two SOAs, they will be rejected by named the next time it tries to read the zones (for instance when it is restarted).

(Yes, we had this happen to us on a name server which is slave for around 12.000 zones. Not a pleasant experience.)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Fri Nov 12 7:21:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 7357414DFC for ; Fri, 12 Nov 1999 07:21:05 -0800 (PST) (envelope-from billf@chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 3DDB61C4D; Fri, 12 Nov 1999 09:22:52 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by jade.chc-chimes.com (Postfix) with ESMTP id 3AA523836; Fri, 12 Nov 1999 09:22:52 -0500 (EST) Date: Fri, 12 Nov 1999 09:22:52 -0500 (EST)
From: Bill Fumerola To: Brett Glass Cc: Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? In-Reply-To: <4.2.0.58.19991111220759.044f46d0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 11 Nov 1999, Brett Glass wrote:

> I assume you mean rc.conf, not named.conf.
>
> In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> that selects a sandboxed configuration and is on by default.
> Also, it'd be nice to have the user "named" already in /etc/passwd
> and ready to go.

bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin

You mean like that in src/etc/master.passwd?

--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Fri Nov 12 7:46: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from overcee.netplex.com.au (overcee.netplex.com.au [202.12.86.7]) by hub.freebsd.org (Postfix) with ESMTP id 960FE14EFD for ; Fri, 12 Nov 1999 07:46:00 -0800 (PST) (envelope-from peter@netplex.com.au) Received: from netplex.com.au (localhost [127.0.0.1]) by overcee.netplex.com.au (Postfix) with ESMTP id DAC251C6D; Fri, 12 Nov 1999 23:45:59 +0800 (WST) (envelope-from peter@netplex.com.au) X-Mailer: exmh version 2.0.2 2/24/98 To: Bill Fumerola Cc: Brett Glass , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? In-reply-to: Your message of "Fri, 12 Nov 1999 09:22:52 EST." Date: Fri, 12 Nov 1999 23:45:59 +0800
From: Peter Wemm Message-Id: <19991112154559.DAC251C6D@overcee.netplex.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Bill Fumerola wrote:
> On Thu, 11 Nov 1999, Brett Glass wrote:
>
> > I assume you mean rc.conf, not named.conf.
> >
> > In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> > that selects a sandboxed configuration and is on by default.
> > Also, it'd be nice to have the user "named" already in /etc/passwd
> > and ready to go.
>
> bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
>
> You mean like that in src/etc/master.passwd?

*Beware* - do not do this if you have dynamic interface configuration, eg if you run ppp[d] or anything. Bind depends on being able to bind to port 53 if the interface configuration changes. This is why it's not on by default.

Cheers,
-Peter

From owner-freebsd-security Fri Nov 12 7:57:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from fasterix.frmug.org (s192.paris-90.cybercable.fr [212.198.90.192]) by hub.freebsd.org (Postfix) with ESMTP id 7840114E38; Fri, 12 Nov 1999 07:57:21 -0800 (PST) (envelope-from pb@fasterix.frmug.org) Received: (from pb@localhost) by fasterix.frmug.org (8.9.3/8.9.3/pb-19990315) id QAA18615; Fri, 12 Nov 1999 16:55:45 +0100 (CET) Message-ID: <19991112165545.A18571@fasterix.frmug.org> Date: Fri, 12 Nov 1999 16:55:45 +0100
From: Pierre Beyssac To: sthaug@nethelp.no, aj@entic.net Cc: ust@cert.siemens.de, mike@sentex.net, matt@BabCom.ORG, freebsd-security@FreeBSD.ORG, jseger@FreeBSD.ORG Subject: Re: patch for bind8 port (was: BIND NXT Bug Vulnerability) References: <45563.942403323@verdi.nethelp.no> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.92.8i In-Reply-To: <45563.942403323@verdi.nethelp.no>; from sthaug@nethelp.no on Fri, Nov 12, 1999 at 11:42:03AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Nov 12, 1999 at 11:42:03AM +0100, sthaug@nethelp.no wrote:
> - Zones will be *stored on disk* (by named-xfer) with two SOAs, because
> this is the format on the wire.
>
> - Because they are stored on disk with two SOAs, they will be rejected
> by named the next time it tries to read the zones (for instance when it
> is restarted).

Actually, the zone is not completely rejected: the secondaries fetch an up-to-date copy and serve it, but they disable the AA flag in the replies. It is much better than not serving the zone at all.

It's currently happening to me on some secondaries for zone eu.org, but there's no harm done.
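An added example, written for this archive and not code from either of the two messages above or from ISC: a sh/awk check that scans slave zone files for the doubled SOA that an unpatched named-xfer writes to disk (an AXFR stream opens and closes with the zone's SOA), so an operator can find affected zones before named is restarted. The sample zone files are constructed here; the directory layout and file names are assumptions.

```shell
#!/bin/sh
# Detect slave zone files saved in wire format (SOA at both the start and
# the end of the file), the named-xfer defect discussed above.
# Example added by the editor; not part of the thread or of BIND.

# Count SOA resource records in a master-file zone.  The record type is
# matched as a whole whitespace-delimited field, case-insensitively, so
# "example. IN SOA ..." and "@ 3600 IN soa ..." both count, while the
# RDATA of a quoted TXT record does not.  Comment lines are skipped.
count_soa() {
    awk 'BEGIN { n = 0 }
         /^[[:space:]]*;/ { next }
         { for (i = 1; i <= NF; i++)
               if (toupper($i) == "SOA") { n++; break } }
         END { print n }' "$1"
}

# Succeed only when the file carries exactly one SOA.  Two means the
# wire-format copy described above; zero means the file is not a zone.
zone_soa_ok() {
    n=$(count_soa "$1")
    [ "$n" -eq 1 ]
}

# Walk a zone directory and print every file that would be rejected
# (or, on other BIND versions, served without the AA flag) at reload.
find_bad_zones() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        zone_soa_ok "$f" || printf '%s: %s SOA records\n' "$f" "$(count_soa "$f")"
    done
}

# Constructed sample zones so the check can be run offline.
make_samples() {
    d=$1
    mkdir -p "$d"
    # A zone as named itself would write it: one SOA.
    cat > "$d/good.example.zone" <<'EOF'
$TTL 3600
good.example.  IN SOA ns1.good.example. hostmaster.good.example. (
        1999111201 3600 900 604800 3600 )
               IN NS  ns1.good.example.
ns1            IN A   192.0.2.53
EOF
    # The same zone as it comes off the wire in an AXFR: SOA first and last.
    cat > "$d/bad.example.zone" <<'EOF'
$TTL 3600
bad.example.   IN SOA ns1.bad.example. hostmaster.bad.example. (
        1999111201 3600 900 604800 3600 )
               IN NS  ns1.bad.example.
ns1            IN A   192.0.2.54
bad.example.   IN SOA ns1.bad.example. hostmaster.bad.example. (
        1999111201 3600 900 604800 3600 )
EOF
}

# Usage on a real slave (directory is an assumption):
#   find_bad_zones /etc/namedb/slave
```

Run `find_bad_zones` against the directory where named-xfer stores the slave copies; an empty result means every zone will load with a single SOA. The awk pattern counts a multi-line SOA (with parentheses) once, because only the first line carries the type field.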
--
Pierre Beyssac pb@fasterix.frmug.org pb@fasterix.freenix.org
BSD: there's worse, but it's listed on the stock exchange
Free domains: http://www.eu.org/ or mail dns-manager@EU.org

From owner-freebsd-security Fri Nov 12 8:13:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id 551FC14F27 for ; Fri, 12 Nov 1999 08:13:26 -0800 (PST) (envelope-from Alain.Thivillon@hsc.fr) Received: by itesec.hsc.fr (Postfix) id A778810EC2; Fri, 12 Nov 1999 17:13:25 +0100 (CET) Received: by itesec.hsc.fr (Postfix) id A778810EC2; Fri, 12 Nov 1999 17:13:25 +0100 (CET) Date: Fri, 12 Nov 1999 17:08:35 +0100
From: Alain Thivillon To: security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? Message-ID: <19991112170835.J352@yoko.hsc.fr> References: <19991112154559.DAC251C6D@overcee.netplex.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 1.0pre2i In-Reply-To: <19991112154559.DAC251C6D@overcee.netplex.com.au> X-Organization: Herve Schauer Consultants Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Peter Wemm écrivait (wrote) :
> *Beware* - do not do this if you have dynamic interface configuration, eg
> if you run ppp[d] or anything. Bind depends on being able to bind to port
> 53 if the interface configuration changes. This is why it's not on by
> default.

You should also please note that the sandbox should be in the same FS as /var/run/log if you want logging via syslog to continue working.

I use this :

named_flags="-t /var/named -c /etc/named.conf"

and :

78 [17:06] thivillo@yoko:/# ls -lR /var/named
total 4
drwxr-xr-x  2 root  wheel  512 Nov 12 16:43 etc/
drwxr-xr-x  4 root  wheel  512 Nov 12 16:43 var/

/var/named/etc:
total 4
-rw-r--r--  1 root  wheel  1927 Nov 12 16:43 named.conf

/var/named/var:
total 4
drwxr-xr-x  2 root  wheel  512 Nov 12 16:42 named/
drwxr-xr-x  2 root  wheel  512 Nov 12 17:05 run/

/var/named/var/named:
total 640
[Zones]

/var/named/var/run:
total 2
srw-rw-rw-  2 root  wheel  0 Nov 12 13:59 log=
-rw-r--r--  1 root  wheel  5 Nov 12 17:05 named.pid
srw-------  1 root  wheel  0 Nov 12 17:05 ndc=

/var/named/var/run/log is a hard link to /var/run/log

Bind 8.2.2P3 is happy :

Nov 12 16:05:28 yoko named[1595]: listening on [127.0.0.1].53 (lo0)
Nov 12 16:05:28 yoko named[1595]: listening on [192.70.106.76].53 (ep0)
Nov 12 16:05:28 yoko named[1595]: Forwarding source address is [0.0.0.0].1272
Nov 12 16:05:28 yoko named[1596]: chrooted to /var/named
Nov 12 16:05:28 yoko named[1596]: Ready to answer queries.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 12 8:16:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id BB28C14F27 for ; Fri, 12 Nov 1999 08:16:07 -0800 (PST) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id LAA87952 for ; Fri, 12 Nov 1999 11:16:03 -0500 (EST) (envelope-from mike@sentex.net) Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id LAA17982 for ; Fri, 12 Nov 1999 11:16:03 -0500 (EST) Message-Id: <3.0.5.32.19991112111449.00b273f0@staff.sentex.ca> X-Sender: mdtpop@staff.sentex.ca X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Fri, 12 Nov 1999 11:14:49 -0500 To: freebsd-security@freebsd.org 
From: Mike Tancsa Subject: safe protocols to eat via ipfw Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Apart from dropping spoofed addresses, what ICMP types do people generally block at their borders ? I noticed a lot of redirects coming at my dialups this morning from the outside world.... is

deny icmp from any to any in recv icmptype 5

a good thing to do ? Does it break anything ?

---Mike
------------------------------------------------------------------------
Mike Tancsa, tel 01.519.651.3400
Network Administrator, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada

From owner-freebsd-security Fri Nov 12 8:24:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from enst.enst.fr (enst.enst.fr [137.194.2.16]) by hub.freebsd.org (Postfix) with ESMTP id 00F8A14FD1 for ; Fri, 12 Nov 1999 08:24:40 -0800 (PST) (envelope-from beyssac@enst.fr) Received: from bofh.enst.fr (bofh-2.enst.fr [137.194.2.37]) by enst.enst.fr (8.9.1a/8.9.1) with ESMTP id RAA06852; Fri, 12 Nov 1999 17:24:38 +0100 (MET) Received: by bofh.enst.fr (Postfix, from userid 12426) id 167A0D226; Fri, 12 Nov 1999 17:24:38 +0100 (CET) Message-ID: <19991112172438.A57962@enst.fr> Date: Fri, 12 Nov 1999 17:24:38 +0100
From: Pierre Beyssac To: Alain Thivillon , security@FreeBSD.ORG Subject: Re: Why not sandbox BIND? References: <19991112154559.DAC251C6D@overcee.netplex.com.au> <19991112170835.J352@yoko.hsc.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <19991112170835.J352@yoko.hsc.fr>; from Alain Thivillon on Fri, Nov 12, 1999 at 05:08:35PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Nov 12, 1999 at 05:08:35PM +0100, Alain Thivillon wrote:
> > if you run ppp[d] or anything. Bind depends on being able to bind to port
> > 53 if the interface configuration changes. This is why it's not on by
> > default.
>
> You should also please note that the sandbox should be in same FS as
> /var/run/log if you want logging via syslog continue working.

You don't need this. /var/run/log can be a symbolic link to /chroot/var/run/log, then you start syslogd with option -p /chroot/var/run/log. The only gotcha is that you need to clean up /chroot/var/run/ at startup or syslogd won't start. That's what I use on ns.eu.org but it took me some time to figure it out...

Even better, you can use syslogd's -l option to create as many /chroot/dev/log as you need for chrooted environments, as explained by Craig Rowland in his paper. Then you don't need any symbolic or hard link stuff.
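An added example, written for this archive and not code from Alain's or Pierre's messages, from FreeBSD or from ISC: a POSIX sh script that lays out the /var/named chroot tree shown in Alain's listing, emits the rc.conf named_flags line that matches it, emits the syslogd_flags line for the -l socket Pierre prefers over the hard link, and checks the two things the thread says a chrooted named needs inside the jail: a writable var/run for the pid file and ndc socket, and a syslog socket. The jail root, the "bind" sandbox account from master.passwd and the file names are assumptions; the script only creates a placeholder where syslogd -l would create the real socket.

```shell
#!/bin/sh
# Lay out and check a chroot sandbox for BIND 8 on FreeBSD, following the
# layout in the thread above.  Example added by the editor; not part of
# the thread, of FreeBSD or of BIND.  Paths and user name are assumptions.

SANDBOX_USER=bind        # sandbox account shipped in src/etc/master.passwd

# Create the tree named expects once it has chroot()ed to $root:
#   $root/etc/named.conf   configuration, read after the chroot
#   $root/var/named        zone files ("directory" in named.conf)
#   $root/var/run          named.pid and the ndc control socket
build_named_sandbox() {
    root=$1
    conf=$2               # the named.conf to copy into the jail
    mkdir -p "$root/etc" "$root/var/named" "$root/var/run"
    cp "$conf" "$root/etc/named.conf"
    chmod 755 "$root" "$root/etc" "$root/var" "$root/var/named"
    # After -u/-g the daemon runs unprivileged, so only var/run is made
    # writable for it.  chown needs root; failure is ignored so the
    # script can be exercised unprivileged.
    chmod 775 "$root/var/run"
    chown "$SANDBOX_USER" "$root/var/run" 2>/dev/null || true
}

# rc.conf line: -t chroots, -u/-g drop privilege, -c names the config
# as seen *inside* the jail (Alain's "-t /var/named -c /etc/named.conf").
named_flags_line() {
    printf 'named_flags="-u %s -g %s -t %s -c /etc/named.conf"\n' \
        "$SANDBOX_USER" "$SANDBOX_USER" "$1"
}

# rc.conf line giving syslogd an extra log socket inside the jail with -l,
# instead of hard- or symlinking /var/run/log.
syslogd_flags_line() {
    printf 'syslogd_flags="-l %s/var/run/log"\n' "$1"
}

# Check the jail: config present, zone and run directories present, and
# a log socket inside var/run so the chrooted named can still syslog.
sandbox_ok() {
    root=$1
    [ -f "$root/etc/named.conf" ] || { echo "missing $root/etc/named.conf"; return 1; }
    [ -d "$root/var/named" ]      || { echo "missing $root/var/named"; return 1; }
    [ -d "$root/var/run" ]        || { echo "missing $root/var/run"; return 1; }
    [ -e "$root/var/run/log" ]    || { echo "no syslog socket in $root/var/run"; return 1; }
    return 0
}

# Usage (root, jail path and config path are assumptions):
#   build_named_sandbox /var/named /etc/namedb/named.conf
#   named_flags_line /var/named   >> /etc/rc.conf
#   syslogd_flags_line /var/named >> /etc/rc.conf
#   sandbox_ok /var/named         # run after syslogd has created the socket
```

The check deliberately fails until the log socket exists, which is the symptom Alain hit: a chrooted named that cannot reach /var/run/log logs nothing. With the -l flag syslogd creates that socket itself at boot, so nothing has to be cleaned up or linked by hand.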
-- Pierre Beyssac pb@enst.fr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 12 9:15:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.vr.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (Postfix) with ESMTP id 0229214F67 for ; Fri, 12 Nov 1999 09:15:16 -0800 (PST) (envelope-from server.nostromo.in-berlin.de!ripley@servicia.in-berlin.de) Received: from uriela.in-berlin.de (IDENT:root@servicia.in-berlin.de [192.109.42.145]) by mail.vr.IN-Berlin.DE (8.9.3/8.9.3) with ESMTP id SAA25046 for ; Fri, 12 Nov 1999 18:15:11 +0100 (CET) (envelope-from server.nostromo.in-berlin.de!ripley@servicia.in-berlin.de) Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m11mLnW-000VRLC; Fri, 12 Nov 1999 19:51:46 +0100 (CET) Received: (from ripley@localhost) by server.nostromo.in-berlin.de (8.9.3/8.9.3) id AAA83368 for freebsd-security@FreeBSD.ORG; Fri, 12 Nov 1999 00:23:29 +0100 (CET) (envelope-from ripley) Date: Fri, 12 Nov 1999 00:23:29 +0100 
From: "H. Eckert" To: freebsd-security@FreeBSD.ORG Subject: Re: Status of Passwords/etc in FreeBSD-stable Message-ID: <19991112002328.B81323@server.nostromo.in-berlin.de> References: Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.95.6i In-Reply-To: ; from Kris Kennaway on Wed, Nov 10, 1999 at 10:20:21AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Quoting Kris Kennaway (kris@hub.freebsd.org):
> I don't see what you'd need a maximum password length variable for, but
> there is already a minpasswordlen capability.

Pre-3.x truncated passwords over 8 chars. As 3.x now supports longer passwords I found I had trouble with Netatalk filesharing, as the Mac's input field only allows 8 chars. So it could be useful in a user's environment to restrict the length so that the users can't set a password that's not going to work for them anyway...

I have not yet tried whether MacOS 9 changes this behaviour, though...

Greetings,
Ripley
--
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?"
(Neelix) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 12 9:25:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 1E96414E18 for ; Fri, 12 Nov 1999 09:25:02 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA29005; Fri, 12 Nov 1999 10:24:29 -0700 (MST) Message-Id: <4.2.0.58.19991112102309.045abf00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 12 Nov 1999 10:24:44 -0700 To: Bill Fumerola 
From: Brett Glass Subject: Re: Why not sandbox BIND? Cc: Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG In-Reply-To: References: <4.2.0.58.19991111220759.044f46d0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Our production systems are running an older version of FreeBSD (we always stay a bit behind the leading edge), so they do not have that user.

--Brett

At 09:22 AM 11/12/1999 -0500, Bill Fumerola wrote:
>On Thu, 11 Nov 1999, Brett Glass wrote:
>
> > I assume you mean rc.conf, not named.conf.
> >
> > In any case, maybe there should be a "sandbox BIND" flag in rc.conf
> > that selects a sandboxed configuration and is on by default.
> > Also, it'd be nice to have the user "named" already in /etc/passwd
> > and ready to go.
>
>bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
>
>You mean like that in src/etc/master.passwd?
>
>--
>- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
>- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -
>

From owner-freebsd-security Fri Nov 12 9:30:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id D8D4B1519E for ; Fri, 12 Nov 1999 09:30:33 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA29096; Fri, 12 Nov 1999 10:29:38 -0700 (MST) Message-Id: <4.2.0.58.19991112102519.045cf510@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 12 Nov 1999 10:26:43 -0700 To: Peter Wemm , Bill Fumerola
From: Brett Glass Subject: Re: Why not sandbox BIND? Cc: Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG In-Reply-To: <19991112154559.DAC251C6D@overcee.netplex.com.au> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It'd be a shame if a PPP dial-up server couldn't sandbox BIND, since it's a good idea to keep a DNS server as close to the dial-ups as possible. Any ideas about how one might work around this, short of going to a capabilities-based security model?

--Brett

At 11:45 PM 11/12/1999 +0800, Peter Wemm wrote:
>*Beware* - do not do this if you have dynamic interface configuration, eg
>if you run ppp[d] or anything. Bind depends on being able to bind to port
>53 if the interface configuration changes. This is why it's not on by
>default.
>
>Cheers,
>-Peter

From owner-freebsd-security Fri Nov 12 9:33:30 1999 Delivered-To: freebsd-security@freebsd.org Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (Postfix) with ESMTP id C663B14BC5 for ; Fri, 12 Nov 1999 09:33:19 -0800 (PST) (envelope-from joe@florence.pavilion.net) Received: (from joe@localhost) by florence.pavilion.net (8.9.3/8.8.8) id RAA16772; Fri, 12 Nov 1999 17:33:06 GMT (envelope-from joe) Date: Fri, 12 Nov 1999 17:33:06 +0000
From: Josef Karthauser
To: Brett Glass
Cc: Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-ID: <19991112173306.D76708@florence.pavilion.net>
References: <4.2.0.58.19991111220759.044f46d0@localhost> <4.2.0.58.19991112102309.045abf00@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <4.2.0.58.19991112102309.045abf00@localhost>
X-NCC-RegID: uk.pavilion
Organisation: Pavilion Internet plc, Lees House, 21-23 Dyke Road, Brighton, England
Phone: +44-845-333-5000
Fax: +44-845-333-5001
Mobile: +44-403-596893
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 12, 1999 at 10:24:44AM -0700, Brett Glass wrote:
> Our production systems are running an older version of FreeBSD (we
> always stay a bit behind the leading edge), so they do not have
> that user.
>
> --Brett

You are _quite_ a way behind. I believe that almost all of the 3.X releases
have had this ability. (If you're running later, mergemaster is your friend ;)

Joe
--
Josef Karthauser        FreeBSD: How many times have you booted today?
Technical Manager       Viagra for your server (http://www.uk.freebsd.org)
Pavilion Internet plc.
[joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Fri Nov 12 10:10:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from broccoli.graphics.cornell.edu (broccoli.graphics.cornell.edu [128.84.247.53]) by hub.freebsd.org (Postfix) with ESMTP id C841E14F43 for ; Fri, 12 Nov 1999 10:10:38 -0800 (PST) (envelope-from mkc@Graphics.Cornell.EDU)
Received: from graphics.cornell.edu by broccoli.graphics.cornell.edu with ESMTP (1.37.109.16/16.2) id AA008670229; Fri, 12 Nov 1999 13:10:29 -0500
Message-Id: <199911121810.AA008670229@broccoli.graphics.cornell.edu>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Josef Karthauser
Cc: Brett Glass , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: Your message of "Fri, 12 Nov 1999 17:33:06 GMT." <19991112173306.D76708@florence.pavilion.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 12 Nov 1999 13:10:28 -0500
From: Mitch Collinsworth
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> Our production systems are running an older version of FreeBSD (we
>> always stay a bit behind the leading edge), so they do not have
>> that user.
>
>You are _quite_ a way behind. I believe that almost all of the 3.X releases
>have had this ability.

This is _quite_ an exaggeration. It's not in 3.0-R, which came out this
calendar year. It's in 3.2-R but I'm not sure about 3.1-R. Don't have one of
those handy to check.

-Mitch

From owner-freebsd-security Fri Nov 12 10:31: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id DC81F151FA for ; Fri, 12 Nov 1999 10:30:53 -0800 (PST) (envelope-from billf@chc-chimes.com)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 2B2031C4D; Fri, 12 Nov 1999 12:32:39 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by jade.chc-chimes.com (Postfix) with ESMTP id 268093836; Fri, 12 Nov 1999 12:32:39 -0500 (EST)
Date: Fri, 12 Nov 1999 12:32:39 -0500 (EST)
From: Bill Fumerola
To: Mitch Collinsworth
Cc: Josef Karthauser , Brett Glass , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: <199911121810.AA008670229@broccoli.graphics.cornell.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Nov 1999, Mitch Collinsworth wrote:

> This is _quite_ an exaggeration. It's not in 3.0-R, which came out
> this calendar year. It's in 3.2-R but I'm not sure about 3.1-R.
> Don't have one of those handy to check.

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/master.passwd, or check in a
cvs repository near you.

--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

From owner-freebsd-security Fri Nov 12 11:19:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 6E10814BCE for ; Fri, 12 Nov 1999 11:19:43 -0800 (PST) (envelope-from narvi@haldjas.folklore.ee)
Received: from localhost (narvi@localhost) by haldjas.folklore.ee (8.9.3/8.9.3) with SMTP id VAA85672; Fri, 12 Nov 1999 21:19:17 +0200 (EET) (envelope-from narvi@haldjas.folklore.ee)
Date: Fri, 12 Nov 1999 21:19:17 +0200 (EET)
From: Narvi
To: "H. Eckert"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Status of Passwords/etc in FreeBSD-stable
In-Reply-To: <19991112002328.B81323@server.nostromo.in-berlin.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Nov 1999, H. Eckert wrote:

> Quoting Kris Kennaway (kris@hub.freebsd.org):
> > I don't see what you'd need a maximum password length variable for, but
> > there is already a minpasswordlen capability.
>
> Pre-3.x truncated passwords over 8 chars. As 3.x now supports
> longer passwords I found I had trouble with Netatalk filesharing,
> as the Mac's input field only allows 8 chars.

It definitely did not. Or if it did, then if you used DES passwords. FreeBSD
2.1.0 (and up) were all definitely very capable of supporting longer than 8
character passwords.

> So it could be useful in a user's environment to restrict the
> length so that the users can't set a password that's not going
> to work for them anyway...
> I have not yet tried whether MacOS 9 changes this behaviour, though...
>
> Greetings,
>                                 Ripley
> --
> H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
> ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
> "(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?"
> (Neelix)
>

From owner-freebsd-security Fri Nov 12 11:29:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2]) by hub.freebsd.org (Postfix) with SMTP id BA6E414A2C for ; Fri, 12 Nov 1999 11:29:14 -0800 (PST) (envelope-from bvi@rucus.ru.ac.za)
Received: (qmail 95274 invoked by uid 374); 12 Nov 1999 19:29:12 -0000
Date: Fri, 12 Nov 1999 21:29:12 +0200
From: Barry Irwin
To: Josef Karthauser
Cc: Brett Glass , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
Message-ID: <19991112212912.Z57266@rucus.ru.ac.za>
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <19991112173306.D76708@florence.pavilion.net>; from joe@pavilion.net on Fri, Nov 12, 1999 at 05:33:06PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 1999-11-12 (17:33), Josef Karthauser wrote:
> On Fri, Nov 12, 1999 at 10:24:44AM -0700, Brett Glass wrote:
> > Our production systems are running an older version of FreeBSD (we
> > always stay a bit behind the leading edge), so they do not have
> > that user.
> >
> > --Brett
>
> You are _quite_ a way behind. I believe that almost all of the 3.X releases
> have had this ability. (If you're running later mergemaster is your friend ;)

3.2 System CVSup'd doesn't have it by default

su-2.03# cat /etc/passwd | grep named
su-2.03# uname -a
FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21
15:40:30 SAST 1999
bvi@shagrat.moria.org:/usr/src/sys/compile/bvi.SHAGRAT
i386

Same on my other straight 3.2-STABLE system

Adding a user for named is one of the first things I do on a new system,
along with adding a specific user for httpd, rather than the default nobody.
IMO, most daemons that don't need any special privilege should be run as
their own user; this includes things like squid, mail (qmail has a nice
broken up privilege levels model). Think it would be a good idea to possibly
add these in by default on a New BSD install.
No reason for named to run as root whatsoever (well, other than the initial
bind)

Barry
--
--------------------------------------------------------------------------
Barry Irwin                            IRC: balin@zanet (#linux)
bvi@moria.org                          http://rucus.ru.ac.za/~bvi
Whois BI414 - PMPN8EZ - http://moria.org
--------------------------------------------------------------------------

From owner-freebsd-security Fri Nov 12 11:44:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2]) by hub.freebsd.org (Postfix) with SMTP id 115A214CD3 for ; Fri, 12 Nov 1999 11:44:00 -0800 (PST) (envelope-from bvi@rucus.ru.ac.za)
Received: (qmail 98654 invoked by uid 374); 12 Nov 1999 19:43:58 -0000
Date: Fri, 12 Nov 1999 21:43:58 +0200
From: Barry Irwin
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: safe protocols to eat via ipfw
Message-ID: <19991112214358.B57266@rucus.ru.ac.za>
References: <3.0.5.32.19991112111449.00b273f0@staff.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3.0.5.32.19991112111449.00b273f0@staff.sentex.ca>; from mike@sentex.net on Fri, Nov 12, 1999 at 11:14:49AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 1999-11-12 (11:14), Mike Tancsa wrote:
>
> Apart from dropping spoofed addresses, what ICMP types do people generally
> block at their borders ? I noticed a lot of redirects coming at my dialups
> this morning from the outside world....
> is deny icmp from any to any in recv icmptype 5
> a good thing to do ? Does it break anything ?

This in a nice friendly world would be used by a router to tell you things
have moved around, and that another router should be used instead, due to it
having a better path. However the reality of the net today is that it isn't
an altogether friendly place. Some of these icmp redirects could be valid,
others however could be malicious in nature. My suggestion would be to kill
it off (maybe with a log option) and see what happens, possibly just deny it
for dialup users.

Another ICMP type that I've seen abused is the ICMP type 3 (destination
unreachable). The most common implementation of this abuse that I've come
across is on IRC where users are 'nuked' with a faked ICMP unreachable
message for the server, and the server receives a similar spoof, the net
result being a disconnection of the user from the server. According to
Stevens' TCP/IP book, there are 15 codes falling under ICMP type 3. Killing
this could enhance your security, but would almost certainly start causing
problems with hosts that really are unreachable; instead of an ICMP message
being returned, the TCP connection would just have to time out.
Again, this could be something you could consider just implementing for your
dialups. None of the other ICMP codes look too problematic (Router
solicitation/advertisement type 10 and 11 - maybe, although I'm not sure how
much this is used anymore).

Barry
--
--------------------------------------------------------------------------
Barry Irwin                            IRC: balin@zanet (#linux)
bvi@moria.org                          http://rucus.ru.ac.za/~bvi
Whois BI414 - PMPN8EZ - http://moria.org
--------------------------------------------------------------------------

From owner-freebsd-security Fri Nov 12 11:47:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 18E2C14EA9 for ; Fri, 12 Nov 1999 11:47:15 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id LAA24616; Fri, 12 Nov 1999 11:46:54 -0800 (PST) (envelope-from dillon)
Date: Fri, 12 Nov 1999 11:46:54 -0800 (PST)
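The ICMP policy Barry sketches in his reply to Mike (drop redirects, ideally with a log option; be stricter about destination-unreachable on the dial-up side) written out as a small packet classifier. This is an added example, not code from the thread and not ipfw: it parses raw IPv4/ICMP datagrams, verifies both checksums before trusting the type field, and applies first-match rules modelled on the quoted `deny icmp from any to any in recv icmptype 5`. The rule table, the interface names fxp0/ppp0 and the packets are constructed for the example; it also leaves type 3 code 4 (fragmentation needed) open everywhere, because dropping that one silently breaks Path MTU discovery.

```python
"""ICMP border policy as a first-match classifier (added example, not ipfw)."""
import socket
import struct

IPPROTO_ICMP = 1
ICMP_UNREACH, ICMP_REDIRECT, ICMP_ECHO = 3, 5, 8
ICMP_UNREACH_NEEDFRAG = 4          # type 3 code 4 carries Path-MTU discovery

# (action, icmp type or None, icmp code or None, recv-interface prefix or None, log?)
# First matching rule wins, as in ipfw.  Constructed policy for the example.
RULES = [
    ("deny",  ICMP_REDIRECT, None, None, True),    # nobody outside may steer our routing
    ("allow", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, None, False),  # keep PMTU discovery
    ("deny",  ICMP_UNREACH, None, "ppp", True),    # other unreachables: dial-up side only
    ("allow", None, None, None, False),
]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a received block verifies when it returns 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, icmp_type: int, code: int,
                      rest: bytes = b"\0" * 4) -> bytes:
    """Constructed IPv4+ICMP datagram, used only as sample input for the classifier."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + rest
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(packet: bytes):
    """Return (src, dst, type, code); None for non-ICMP; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            icmp[0], icmp[1])


def decide(packet: bytes, recv_iface: str, log: list) -> str:
    """Classify one inbound packet received on recv_iface; logging rules append to log."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "allow"                 # this policy only speaks for ICMP
    src, dst, itype, icode = parsed
    for action, rtype, rcode, iface_prefix, do_log in RULES:
        if rtype is not None and rtype != itype:
            continue
        if rcode is not None and rcode != icode:
            continue
        if iface_prefix is not None and not recv_iface.startswith(iface_prefix):
            continue
        if do_log:
            log.append("%s icmp type %d code %d %s -> %s in recv %s"
                       % (action, itype, icode, src, dst, recv_iface))
        return action
    return "deny"                      # nothing matched: default deny
```

Under ipfw the same policy is three rules in order; what writing it out adds is the length and checksum checks a filter must pass before it believes the type byte, and the log line, which is what you would read to separate a genuine unreachable from the spoofed kind Barry describes (the source address and receiving interface are right there).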
From: Matthew Dillon
Message-Id: <199911121946.LAA24616@apollo.backplane.com>
To: Barry Irwin
Cc: Josef Karthauser , Brett Glass , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:> > --Brett
:>
:> You are _quite_ a way behind. I believe that almost all of the 3.X releases
:> have had this ability. (If you're running later mergemaster is your friend ;)
:
:3.2 System CVSup'd doesn't have it by default
:su-2.03# cat /etc/passwd | grep named
:su-2.03# uname -a
:FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21

    Try grepping for 'bind', not 'named'. And it would have to be a fresh
    install rather than an upgrade. There is also a newly added 'bind'
    group.

    3.x also has the ability to sandbox comsat and ntalk and, in fact, this
    is the default now for these programs. We can't do the same for bind
    because certain aspects of the program (such as rebinding for dynamic
    interface changes) fail to operate properly in a sandboxed environment.

    -

    Speaking of default system configurations - what do people think about
    turning off the 'ftp' service in the default configuration? I think its
    time has come. 'ftp' is the only major program left in inetd that is
    complex enough to still be relatively worrisome to me, and anyone who
    expects to be able to use it to get to machine X that they have just
    installed will also know how to turn on the service on machine X.
    -Matt

From owner-freebsd-security Fri Nov 12 11:53:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 0D60E14EA9 for ; Fri, 12 Nov 1999 11:53:29 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id MAA00800; Fri, 12 Nov 1999 12:52:43 -0700 (MST)
Message-Id: <4.2.0.58.19991112125043.00c85f00@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Fri, 12 Nov 1999 12:52:54 -0700
To: Matthew Dillon , Barry Irwin
From: Brett Glass
Subject: Disabling FTP by default
Cc: Josef Karthauser , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
In-Reply-To: <199911121946.LAA24616@apollo.backplane.com>
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:46 AM 11/12/1999 -0800, Matthew Dillon wrote:

> Speaking of default system configurations - what do people think about
> turning off the 'ftp' service in the default configuration?

I'm in favor of making it an option in /stand/sysinstall, just as anonymous
FTP is. The default should be to disable the daemon.

It'd sure be nice if there were an unencumbered scp to enable instead.
I understand that the OpenBSD folks have a BSD-licensed SSH in the works,
but it might still be encumbered by patents..... Does anyone know what
the legal issues are here in the US?

--Brett

From owner-freebsd-security Fri Nov 12 12: 2:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from broccoli.graphics.cornell.edu (broccoli.graphics.cornell.edu [128.84.247.53]) by hub.freebsd.org (Postfix) with ESMTP id 61F1414CF0 for ; Fri, 12 Nov 1999 12:02:43 -0800 (PST) (envelope-from mkc@Graphics.Cornell.EDU)
Received: from graphics.cornell.edu by broccoli.graphics.cornell.edu with ESMTP (1.37.109.16/16.2) id AA009816951; Fri, 12 Nov 1999 15:02:31 -0500
Message-Id: <199911122002.AA009816951@broccoli.graphics.cornell.edu>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Barry Irwin
Cc: security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: Your message of "Fri, 12 Nov 1999 21:29:12 +0200."
             <19991112212912.Z57266@rucus.ru.ac.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 12 Nov 1999 15:02:30 -0500
From: Mitch Collinsworth
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>3.2 System CVSup'd doesnt have it by default
>su-2.03# cat /etc/passwd | grep named
>su-2.03# uname -a
>FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21
>15:40:30 SAST 1999
>bvi@shagrat.moria.org:/usr/src/sys/compile/bvi.SHAGRAT
>i386
>
>Same on my other straight 3.2-STABLE system

You must have started reading this thread in the middle. It's been stated
at least 2 or 3 times now:

# grep bind /etc/passwd
bind:*:53:53:Bind Sandbox:/:/sbin/nologin

(This is 3.2-R.)

-Mitch

From owner-freebsd-security Fri Nov 12 13:15:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id D121F15029 for ; Fri, 12 Nov 1999 13:15:34 -0800 (PST) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id OAA18298; Fri, 12 Nov 1999 14:14:43 -0700 (MST) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id OAA20606; Fri, 12 Nov 1999 14:14:41 -0700
Date: Fri, 12 Nov 1999 14:14:41 -0700
Message-Id: <199911122114.OAA20606@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Matthew Dillon
Cc: Barry Irwin , Josef Karthauser , Brett Glass , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: <199911121946.LAA24616@apollo.backplane.com>
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Speaking of default system configurations - what do people think about
> turning off the 'ftp' service in the default configuration?

Personally, I don't like it. At least, not until SSH becomes a default
protocol in the system, since otherwise there is no way to transfer
files to/from FreeBSD boxes easily.

Nate

From owner-freebsd-security Fri Nov 12 16:15:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 6E65414DBB; Fri, 12 Nov 1999 16:15:10 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 5BAC31CD437; Fri, 12 Nov 1999 16:15:09 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Fri, 12 Nov 1999 16:15:09 -0800 (PST)
From: Kris Kennaway
To: "H. Eckert"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Status of Passwords/etc in FreeBSD-stable
In-Reply-To: <19991112002328.B81323@server.nostromo.in-berlin.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Nov 1999, H. Eckert wrote:

> Quoting Kris Kennaway (kris@hub.freebsd.org):
> > I don't see what you'd need a maximum password length variable for, but
> > there is already a minpasswordlen capability.
>
> Pre-3.x truncated passwords over 8 chars. As 3.x now supports
> longer passwords I found I had trouble with Netatalk filesharing,
> as the Mac's input field only allows 8 chars.
> So it could be useful in a user's environment to restrict the
> length so that the users can't set a password that's not going
> to work for them anyway...
> I have not yet tried whether MacOS 9 changes this behaviour, though...

The only thing I can think you might be referring to here is that DES
passwords, by design, are limited to 8 characters. Extra characters beyond 8
are silently ignored (e.g. you can type as much as you want, as long as the
first 8 are correct). MD5 passwords, on the other hand, have essentially
infinite length and have been supported by FreeBSD since at least 2.0.
Probably you switched from DES to MD5 passwords when you upgraded.

Having said that, your netatalk example shows there's at least some need for
it - it would be a fairly simple matter to copy the minpasswordlen code. If
you submit the patch I'll try and get it committed.

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..
From owner-freebsd-security Fri Nov 12 16:19:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 3B35814DBB; Fri, 12 Nov 1999 16:19:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 26CA01CD438; Fri, 12 Nov 1999 16:19:49 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Fri, 12 Nov 1999 16:19:49 -0800 (PST)
From: Kris Kennaway
To: Barry Irwin
Cc: Josef Karthauser , Brett Glass , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: <19991112212912.Z57266@rucus.ru.ac.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Nov 1999, Barry Irwin wrote:

> 3.2 System CVSup'd doesnt have it by default
> su-2.03# cat /etc/passwd | grep named

That's because, as several people have explained, the user is 'bind', not
'named'. The bind user and group was added by Matt Dillon on Dec 1, 1998,
according to http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/master.passwd,
and is present in 3.1-R, 3.2-R and 3.3-R

The reason why sandboxing is not enabled by default has been explained
elsewhere in this thread.

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..

From owner-freebsd-security Fri Nov 12 16:26:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 47D5D15090; Fri, 12 Nov 1999 16:25:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 3353F1CD428; Fri, 12 Nov 1999 16:25:58 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Fri, 12 Nov 1999 16:25:58 -0800 (PST)
From: Kris Kennaway
To: Brett Glass
Cc: Matthew Dillon , Barry Irwin , Josef Karthauser , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Disabling FTP by default
In-Reply-To: <4.2.0.58.19991112125043.00c85f00@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Nov 1999, Brett Glass wrote:

> I'm in favor of making it an option in /stand/sysinstall, just as anonymous
> FTP is. The default should be to disable the daemon.
>
> It'd sure be nice if there were an unencumbered scp to enable instead.
> I understand that the OpenBSD folks have a BSD-licensed SSH in the works,
> but it might still be encumbered by patents..... Does anyone know what
> the legal issues are here in the US?

It's in /usr/ports/security/openssh which (now) fetches the source from
outside the US. However, it still uses RSA, which means no commercial use
within the US without a license, until the RSA patent expires next year.

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..

From owner-freebsd-security Fri Nov 12 16:30:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fasterix.frmug.org (s192.paris-90.cybercable.fr [212.198.90.192]) by hub.freebsd.org (Postfix) with ESMTP id E607914A00 for ; Fri, 12 Nov 1999 16:30:31 -0800 (PST) (envelope-from pb@fasterix.frmug.org)
Received: (from pb@localhost) by fasterix.frmug.org (8.9.3/8.9.3/pb-19990315) id BAA62899; Sat, 13 Nov 1999 01:28:55 +0100 (CET)
Message-ID: <19991113012855.A62879@fasterix.frmug.org>
Date: Sat, 13 Nov 1999 01:28:55 +0100
From: Pierre Beyssac
To: Nate Williams , Matthew Dillon
Cc: Barry Irwin , Josef Karthauser , Brett Glass , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.92.8i
In-Reply-To: <199911122114.OAA20606@mt.sri.com>; from Nate Williams on Fri, Nov 12, 1999 at 02:14:41PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 12, 1999 at 02:14:41PM -0700, Nate Williams wrote:
> > Speaking of default system configurations - what do people think about
> > turning off the 'ftp' service in the default configuration?
>
> Personally, I don't like it. At least, not until SSH becomes a default
> protocol in the system, since otherwise there is no way to transfer
> files to/from FreeBSD boxes easily.

You could still easily reenable ftpd if you need it.

Given recent vulnerability history on many ftp daemons, I think it might be
safer to disable FTP by default.
--
Pierre Beyssac          pb@fasterix.frmug.org          pb@fasterix.freenix.org
BSD: there's worse out there, but it's listed on the stock exchange
Free domains: http://www.eu.org/ or mail dns-manager@EU.org

From owner-freebsd-security Fri Nov 12 16:31:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 73B1C150E5 for ; Fri, 12 Nov 1999 16:31:48 -0800 (PST) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id RAA20045; Fri, 12 Nov 1999 17:31:15 -0700 (MST) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id RAA21117; Fri, 12 Nov 1999 17:31:14 -0700
Date: Fri, 12 Nov 1999 17:31:14 -0700
Message-Id: <199911130031.RAA21117@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Pierre Beyssac
Cc: Nate Williams , Matthew Dillon , Barry Irwin , Josef Karthauser , Brett Glass , Bill Fumerola , Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: <19991113012855.A62879@fasterix.frmug.org>
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > Speaking of default system configurations - what do people think about
> > > turning off the 'ftp' service in the default configuration?
> >
> > Personally, I don't like it. At least, not until SSH becomes a default
> > protocol in the system, since otherwise there is no way to transfer
> > files to/from FreeBSD boxes easily.
>
> You could still easily reenable ftpd if you need it.

Or, you could still easily disable ftpd since you almost *always* need it
right away.

> Given recent vulnerability history on many ftp daemons, I think it
> might be safer to disable FTP by default.

FreeBSD's ftpd is not susceptible. Given the argument, why don't we disable
*ALL* network access, since all are suspect to breakins. :(

(I'm kidding of course...)
Nate

From owner-freebsd-security Sat Nov 13 0: 0: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from slipstreams.net (slipstreams.net [208.45.226.107]) by hub.freebsd.org (Postfix) with ESMTP id 1741914E29 for ; Sat, 13 Nov 1999 00:00:06 -0800 (PST) (envelope-from kupek@slipstreams.net)
Received: from PIII (arcane.slipstreams.net [192.168.1.1]) by slipstreams.net (8.9.3/8.9.3) with SMTP id XAA25185; Fri, 12 Nov 1999 23:54:32 -0800 (PST) (envelope-from kupek@slipstreams.net)
Message-ID: <004d01bf2dad$55b6d1e0$0101a8c0@slipstreams.net>
From: "kupek"
To: "Matthew Dillon"
Cc:
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com>
Subject: Re: Why not sandbox BIND?
Date: Sat, 13 Nov 1999 00:01:36 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

True, BIND can't be sandbox'd by default. But as someone said earlier, it
should be pretty simple to add an option for rc.conf that will let people
sandbox bind, and a warning that they shouldn't do it with a dynamic IP..
true, it's not necessary, but it would probably be helpful to at least a few
people.

----- Original Message -----
From: Matthew Dillon
To: Barry Irwin
Subject: Re: Why not sandbox BIND?

:> > --Brett
:>
:> You are _quite_ a way behind. I believe that almost all of the 3.X releases
:> have had this ability. (If you're running later mergemaster is your friend ;)
:
:3.2 System CVSup'd doesn't have it by default
:su-2.03# cat /etc/passwd | grep named
:su-2.03# uname -a
:FreeBSD shagrat.moria.org 3.3-STABLE FreeBSD 3.3-STABLE #0: Thu Oct 21

    Try grepping for 'bind', not 'named'. And it would have to be a fresh
    install rather than an upgrade. There is also a newly added 'bind'
    group.

    3.x also has the ability to sandbox comsat and ntalk and, in fact, this
    is the default now for these programs. We can't do the same for bind
    because certain aspects of the program (such as rebinding for dynamic
    interface changes) fail to operate properly in a sandboxed environment.

From owner-freebsd-security Sat Nov 13 19:24:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from proxy2.ba.best.com (proxy2.ba.best.com [206.184.139.14]) by hub.freebsd.org (Postfix) with ESMTP id B6B0B152CA for ; Sat, 13 Nov 1999 19:24:33 -0800 (PST) (envelope-from mda@discerning.com)
Received: from MDAXKE (mg130-166.ricochet.net [204.179.130.166]) by proxy2.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id TAA04222 for ; Sat, 13 Nov 1999 19:22:41 -0800 (PST)
Date: Sat, 13 Nov 1999 19:22:38 -0800
From: "Mark D. Anderson"
To: freebsd-security@FreeBSD.ORG
Subject: SYN flood and freebsd?
Message-ID: <1923120592.942520958@MDAXKE>

i've searched around deja and freebsd.org and come up wanting (email
archives rarely show resolutions...).

what is the current status in stable and latest regarding defense against
SYN flood, and how is it implemented?

i found some discussion regarding the inadequacy of the "SYN cookie"
defense added to linux -- i couldn't make out whether that fix has
actually been withdrawn from linux or not. i also didn't find an
explanation of exactly what was bad about it -- something about firewalls
or NAT.

and openbsd has apparently settled on a random dropping of old half-open
connections.

appreciate some clarification on this, as well as pointers to where
answers to things like this might be found, for those of us who don't
want to run grep through kernel sources.

-mda

From owner-freebsd-security Sat Nov 13 19:39:29 1999
From: David Gilbert
Message-ID: <14382.11991.536272.989358@trooper.velocet.net>
Date: Sat, 13 Nov 1999 22:39:03 -0500 (EST)
To: security@FreeBSD.ORG
Subject: Re: sandboxed bind.

I went through the motions to sandbox bind.  My only real complaint was
that named-xfer was dynamically loaded (greatly increasing the cruft that
had to be in the sandbox).

Is there an easy way to determine exactly what libraries are required by
an executable, BTW?

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Sat Nov 13 19:45:43 1999
Date: Sat, 13 Nov 1999 19:44:38 -0800 (PST)
From: Matthew Dillon
Message-Id: <199911140344.TAA32979@apollo.backplane.com>
To: David Gilbert
Cc: security@FreeBSD.ORG
Subject: Re: sandboxed bind.
References: <14382.11991.536272.989358@trooper.velocet.net>

:I went through the motions to sandbox bind.  My only real complaint
:was that named-xfer was dynamically loaded (greatly increasing the
:cruft that had to be in the sandbox).
:
:Is there an easy way to determine exactly what libraries are required
:by an executable, BTW?
:
:Dave.
:
:--
:============================================================================
:|David Gilbert, Velocet Communications.       | Two things can only be     |

    'ldd programname'

    Another thing you can do which works quite well is to simply ktrace
    named when you start it up:

	ktrace -i -t cn named....

    Let it run for a while, including allowing it to fork/exec whatever
    programs it needs to fork/exec, and then do a 'ktrace -C' to turn off
    the ktracing.  You can then do:

	kdump -R | less

    You can grep through the kdump output too to locate the files that
    named opened, including libraries loaded and auxiliary files opened
    by clib and other libraries.

    I don't use chrooted environments myself... I used to but they're
    just too difficult to maintain across updates and other things.  It
    would be nice if there were something in between -- something that,
    for example, disables suid and sgid within a set of processes that
    works in a manner similar to a chroot'd environment.  Without access
    to suid/sgid binaries there is precious little a program run in a
    user/group sandbox can do outside the sandbox.

					-Matt
					Matthew Dillon

From owner-freebsd-security Sat Nov 13 19:55:02 1999
From: David Gilbert
Message-ID: <14382.12936.936602.17527@trooper.velocet.net>
Date: Sat, 13 Nov 1999 22:54:48 -0500 (EST)
To: Matthew Dillon
Cc: David Gilbert, security@FreeBSD.ORG
Subject: Re: sandboxed bind.
In-Reply-To: <199911140344.TAA32979@apollo.backplane.com>
References: <14382.11991.536272.989358@trooper.velocet.net> <199911140344.TAA32979@apollo.backplane.com>

>>>>> "Matthew" == Matthew Dillon writes:

Matthew> I don't use chrooted environments myself... I used to but
Matthew> they're just too difficult to maintain across updates and
Matthew> other things.  It would be nice if there were something
Matthew> in between -- something that, for example, disables suid and
Matthew> sgid within a set of processes that works in a manner similar
Matthew> to a chroot'd environment.  Without access to suid/sgid
Matthew> binaries there is precious little a program run in a
Matthew> user/group sandbox can do outside the sandbox.

Well... you use the tools at hand to protect yourself as best you can...

This naturally leads into a discussion (had many times, I'm sure) about
an entire rethinking of the UN*X security model.  The permanent giveaway
of privs is a good idea... as is the ability to have some privs without
all of them.  I've often thought that the ability to change to an
arbitrary user that login does could be structured without login being
root, for instance.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Sat Nov 13 19:56:37 1999
Date: Sat, 13 Nov 1999 19:56:32 -0800 (PST)
From: Kris Kennaway
To: Steve Price
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security@freebsd.org
Subject: Re: cvs commit: ports/www/thttpd Makefile ports/www/thttpd/files md5
In-Reply-To: <199911140303.TAA85353@freefall.freebsd.org>

On Sat, 13 Nov 1999, Steve Price wrote:

> steve       1999/11/13 19:03:32 PST
>
>   Modified files:
>     www/thttpd           Makefile
>     www/thttpd/files     md5
>   Log:
>   Update to version 2.05.

This fixes a buffer overflow present in prior versions.  Everyone should
upgrade.

Kris

----
Cthulhu for President!  For when you're tired of choosing the _lesser_ of
two evils..

From owner-freebsd-security Sat Nov 13 21:07:30 1999
Message-Id: <4.1.19991114000355.04d7f230@granite.sentex.ca>
Date: Sun, 14 Nov 1999 00:08:12 -0500
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Fwd: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
Cc: security-officer@freebsd.org

Is there a patch to this ?  Or is openssh the way to go ?

	---Mike

>There appears to be a serious vulnerability in ssh 1.2.27.  I will let the
>folks who worked on this issue describe.  There was brief discussion on
>vuln-dev on the politics of ssh 1 vs. ssh 2, etc... you may or may not
>want to play that out on Bugtraq.  One of the key points of the SSH 1 vs.
>SSH 2 debate is regarding licensing.  Basically, because of a less strict
>license on SSH 1, more folks are likely to be running that version.  (This
>is all referring to the Datafellows implementation that everyone uses,
>rather than standards and protocols, I presume.)
>
>As usual, check the vuln-dev archives if you want the full story.  This
>isn't necessarily a dead topic there yet, but this issue should get out
>there sooner rather than later.
>
>	BB
>
>-------------------------------------------------------------------
>
>To: Exploit-Dev
>Subject: ssh-1.2.27 remote buffer overflow - exploitable
>Date: Mon Nov 08 1999 16:48:53
>Author: Frank
>Message-ID: <19991109014853.3239.qmail@securityfocus.com>
>
>This is submitted to the Freebsd bug tracking system, although there are
>doubtless other vendors who leave this package, despite the existence of
>the ssh-2.X.  While Debian appears to be immune, I was able to crash my
>ssh daemon (much to my dismay), and there appears the potential to execute
>arbitrary code, as long as you encrypt it first...
>
>Here is the freebsd report.. it describes the method to crash a remote Ssh
>daemon (lets hope you ran sshd from your xinetd, etc).
>
>http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
>
>-------------------------------------------------------------------
>
>To: Exploit-Dev
>Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
>Date: Mon Nov 08 1999 21:04:19
>Author: Daniel Jacobowitz
>Message-ID: <19991109110419.A29502@drow.res.cmu.edu>
>
>Debian is immune for the (somewhat messy) reasons that they do not link
>ssh to rsaref, last time that I checked.
>
>-------------------------------------------------------------------
>
>To: Exploit-Dev
>Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
>Date: Mon Nov 08 1999 21:24:17
>Author: Daniel Jacobowitz
>Message-ID: <19991109112417.A30046@drow.res.cmu.edu>
>
>And here's a patch.  Not tested, as I don't use the rsaref glue on any
>machine here.
>
>Ed: Patch can be found at:
>
>http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-08&msg=19991109112417.A30046@drow.res.cmu.edu
>
>-------------------------------------------------------------------
>
>To: Exploit-Dev
>Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
>Date: Tue Nov 09 1999 04:42:16
>Author: Jochen Bauer
>Message-ID: <19991109124216.A28812@luna.theo2.physik.uni-stuttgart.de>
>
>I've taken a closer look at the problem.  Here's my analysis:
>
>In sshd.c, around line 1513 the client-generated session key,
>that has been encrypted with the server and host public keys,
>is received from the client as a multiple precision integer.
>
>  /* Get the encrypted integer. */
>  mpz_init(&session_key_int);
>  packet_get_mp_int(&session_key_int);
>
>The encrypted session key is then (around line 1525) passed
>to rsa_private_decrypt to do the first part of the decryption,
>which is either decryption using the server private key or
>decryption using the host private key, depending on which key
>has the larger modulus.
>
>  rsa_private_decrypt(&session_key_int, &session_key_int,
>                      &sensitive_data.private_key);
>
>If RSAREF is used (i.e. RSAREF is defined in the code), the
>rsa_private_decrypt function in rsaglue.c (around line 162)
>looks like:
>
>void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
>{
>  unsigned char input_data[MAX_RSA_MODULUS_LEN];
>  unsigned char output_data[MAX_RSA_MODULUS_LEN];
>  unsigned int input_len, output_len, input_bits;
>  [...]
>  input_bits = mpz_sizeinbase(input, 2);
>  input_len = (input_bits + 7) / 8;
>  gmp_to_rsaref(input_data, input_len, input);
>  [...]
>}
>
>The trouble spot is the fixed length buffer
>input_data[MAX_RSA_MODULUS_LEN].  A pointer to this buffer is
>passed to the conversion function gmp_to_rsaref along with a
>pointer to the encrypted session key and the length (input_len)
>of the encrypted session key, which may be greater than
>[MAX_RSA_MODULUS_LEN].  gmp_to_rsaref (located around line 79 of
>rsaglue.c) simply calls mp_linearize_msb_first(buf, len, value).
>
>void gmp_to_rsaref(unsigned char *buf, unsigned int len, MP_INT *value)
>{
>  mp_linearize_msb_first(buf, len, value);
>}
>
>mp_linearize_msb_first is contained in mpaux.c around line 41.
>The function looks like:
>
>void mp_linearize_msb_first(unsigned char *buf, unsigned int len,
>                            MP_INT *value)
>{
>  unsigned int i;
>  MP_INT aux;
>  mpz_init_set(&aux, value);
>  for (i = len; i >= 4; i -= 4)                 <-------
>    {
>      unsigned long limb = mpz_get_ui(&aux);
>      PUT_32BIT(buf + i - 4, limb);             <-------
>      mpz_div_2exp(&aux, &aux, 32);
>    }
>  [...]
>}
>
>There's the overflow!  len is the length of the encrypted session
>key, while buf is a pointer to the fixed length buffer
>input_data[MAX_RSA_MODULUS_LEN] and no check whether len is
>greater than MAX_RSA_MODULUS_LEN is performed.  The fix should be
>obvious!
>
>About the possible exploit:
>
>In this particular overflow, the encrypted, client generated session
>key has to be taken as the exploit buffer.  I.e. the shellcode, NOPs
>and jump address have to be sent to the server instead of the encrypted
>session key.  To make that clear: The shellcode, NOPs and jump address
>don't have to be encrypted as they are taken as the ENCRYPTED session
>key.
>
>However, the data that is finally written into the buffer are the
>limbs of the multiple precision integer that session_key_int is
>assumed to be.  The exploit buffer code therefore must be converted
>into a multiple precision integer, which upon extraction of the limbs
>into the buffer yields the correct exploit buffer code.  The best way
>would probably be to start from the exploit buffer as it should finally
>be to overflow the target buffer and use the functions of the GNU
>multiple precision integer library to reverse the procedure happening
>to the encrypted session key in the sshd code step by step, leading to
>the exploit buffer that has to be sent instead of the encrypted session
>key.
>
>That may be difficult, but I think it's possible.

**********************************************************************
Mike Tancsa, Network Admin		*	mike@sentex.net
Sentex Communications Corp,		*	http://www.sentex.net/mike
Cambridge, Ontario			*	01.519.651.3400
Canada					*
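The rsaglue.c/mpaux.c path that Jochen Bauer walks through, rebuilt with the bound check he says is missing, as an added example that is not ssh-1.2.27 code and was not posted in the thread. The MP_INT stand-in, the helper names, the demo functions and the value 128 for MAX_RSA_MODULUS_LEN are assumptions made for this illustration.

```c
/* Added example, not code from ssh-1.2.27 or the thread: the rsaglue.c /
 * mpaux.c path described above, rebuilt on a constructed MP_INT stand-in,
 * with the bound check the analysis says is missing.  The value 128 for
 * MAX_RSA_MODULUS_LEN is assumed (RSAREF's 1024-bit modulus limit). */
#include <stdint.h>
#include <string.h>

#define MAX_RSA_MODULUS_LEN 128
/* Constructed MP_INT stand-in: 32-bit limbs, least significant first. */
typedef struct { uint32_t limb[64]; unsigned int nlimbs; } mp_int_t;

static unsigned int mp_bit_length(const mp_int_t *v)  /* mpz_sizeinbase(v, 2) */
{
    unsigned int n = v->nlimbs, bits; uint32_t top;
    while (n > 0 && v->limb[n - 1] == 0) n--;
    if (n == 0) return 0;
    for (bits = 32 * (n - 1), top = v->limb[n - 1]; top; top >>= 1) bits++;
    return bits;
}

/* Same loop shape as mp_linearize_msb_first in mpaux.c: it trusts len and
 * writes backwards from buf + len, so the caller must have bounded len. */
static void mp_linearize_msb_first(unsigned char *buf, unsigned int len,
                                   const mp_int_t *value)
{
    unsigned int i, k = 0;
    for (i = len; i >= 4; i -= 4, k++) {
        uint32_t limb = k < value->nlimbs ? value->limb[k] : 0;  /* mpz_get_ui */
        buf[i - 4] = (unsigned char)(limb >> 24);                /* PUT_32BIT */
        buf[i - 3] = (unsigned char)(limb >> 16);
        buf[i - 2] = (unsigned char)(limb >> 8);
        buf[i - 1] = (unsigned char)limb;
    }
}

/* Hardened rsa_private_decrypt prologue: input_len is derived exactly as the
 * original does it, but rejected before the fixed buffer is touched.
 * Returns bytes written, or 0 when the encrypted value is too wide. */
unsigned int gmp_to_rsaref_checked(unsigned char input_data[MAX_RSA_MODULUS_LEN],
                                   const mp_int_t *input)
{
    unsigned int input_len = (mp_bit_length(input) + 7) / 8;
    if (input_len > MAX_RSA_MODULUS_LEN)   /* the check the analysis asks for */
        return 0;
    memset(input_data, 0, MAX_RSA_MODULUS_LEN);
    mp_linearize_msb_first(input_data, input_len, input);
    return input_len;
}

/* A 64-bit value fits: 8 bytes, most significant first.  Returns 1 on success. */
int demo_in_range_value(void)
{
    mp_int_t v = { { 0x44332211u, 0x88776655u }, 2 };
    unsigned char out[MAX_RSA_MODULUS_LEN];
    static const unsigned char want[8] = { 0x88,0x77,0x66,0x55,0x44,0x33,0x22,0x11 };
    return gmp_to_rsaref_checked(out, &v) == 8 && memcmp(out, want, 8) == 0;
}

/* A 1025-bit value needs 129 bytes, one more than the buffer: must be refused. */
int demo_oversize_rejected(void)
{
    mp_int_t v = { { [32] = 1 }, 33 };
    unsigned char out[MAX_RSA_MODULUS_LEN];
    return gmp_to_rsaref_checked(out, &v) == 0;
}
```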