From owner-freebsd-security-notifications Mon Aug 20 14:56:07 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
  by hub.freebsd.org (Postfix) with ESMTP id 49E6237B40E;
  Mon, 20 Aug 2001 14:56:00 -0700 (PDT)
  (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
  by freefall.freebsd.org (8.11.4/8.11.4) id f7KLtvK62776;
  Mon, 20 Aug 2001 14:55:57 -0700 (PDT)
  (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 20 Aug 2001 14:55:57 -0700 (PDT)
Message-Id: <200108202155.f7KLtvK62776@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:54.ports-telnetd
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:54                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          telnetd contains remote buffer overflow

Category:       ports
Modules:        krb5/heimdal/SSLtelnet
Announced:      2001-08-20
Credits:        Sebastian
Affects:        Ports collection prior to the correction date.
Corrected:      2001-07-19 21:43:41 UTC (heimdal)
                2001-07-24 15:29:39 UTC (krb5)
                SSLtelnet port not yet corrected
FreeBSD only:   NO

I.   Background

telnetd is the server for the telnet remote virtual terminal protocol.

II.  Problem Description

This advisory is closely related to the previously released
FreeBSD-SA-01:49.telnetd.v1.1 advisory.  That advisory pertains to the
telnetd included in the base FreeBSD system.  This advisory pertains to
optional third-party telnetd implementations found in the FreeBSD ports
collection.
An overflowable buffer was found in the versions of telnetd included
with several ports.  These ports include:

  MIT Kerberos V (security/krb5) prior to version 1.2.2_2
  Heimdal (security/heimdal) prior to version 0.4b_1
  SSLtelnet (net/SSLtelnet) - this port is not yet fixed; see below.

Due to incorrect bounds checking of data buffered for output to the
remote client, an attacker can cause the telnetd process to overflow the
buffer and crash, or execute arbitrary code as the user running telnetd,
usually root.

A valid user account and password are not required to exploit this
vulnerability, only the ability to connect to a telnetd server.

These ports are not installed by default, nor are they "part of FreeBSD"
as such: they are part of the FreeBSD ports collection, which contains
over 5600 third-party applications in a ready-to-install format.

The ports collection shipped with FreeBSD 4.3 is vulnerable to this
problem since it was discovered after its release, but the problems with
the krb5 and heimdal ports were corrected prior to the (forthcoming)
release of FreeBSD 4.4.

The SSLtelnet vulnerability has not yet been corrected: due to
divergences in the code, it is more difficult to correct the
vulnerability in that port.  This advisory will be reissued once the
vulnerability is corrected.

III. Impact

Remote users can cause arbitrary code to be executed as the user running
telnetd, usually root.

IV.  Workaround

1) Disable the telnet service, which is usually run out of inetd:
comment out lines in /etc/inetd.conf that begin with the word `telnet',
if present, e.g.
telnet  stream  tcp     nowait  root    /usr/local/libexec/telnetd  telnetd
telnet  stream  tcp6    nowait  root    /usr/local/libexec/telnetd  telnetd

and execute the following command as root:

# kill -HUP `cat /var/run/inetd.pid`

2) Impose access restrictions using TCP wrappers (/etc/hosts.allow), or
a network-level packet filter such as ipfw(8) or ipf(8) on the perimeter
firewall or the local machine, to limit access to the telnet service to
trusted machines.

3) Deinstall the affected ports/packages if they are installed.

V.   Solution

The updated ports include fixes for this vulnerability:

  krb5-1.2.2_2 and later
  heimdal-0.4b_1 and later

1) Upgrade your entire ports collection and rebuild the affected ports
(packages are not currently available for these ports).

2) Download a new port skeleton for the affected ports from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (2) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
Affected port (module)
  Path                                                              Revision
-------------------------------------------------------------------------
MIT Kerberos V (krb5)
  ports/security/krb5/Makefile                                      1.27
  ports/security/krb5/files/patch-appl::telnet::telnetd::authenc.c  1.1
  ports/security/krb5/files/patch-appl::telnet::telnetd::ext.h      1.2
  ports/security/krb5/files/patch-appl::telnet::telnetd::slc.c      1.1
  ports/security/krb5/files/patch-appl::telnet::telnetd::state.c    1.2
  ports/security/krb5/files/patch-appl::telnet::telnetd::telnetd.c  1.2
  ports/security/krb5/files/patch-appl::telnet::telnetd::termstat.c 1.1
  ports/security/krb5/files/patch-appl::telnet::telnetd::utility.c  1.2
Heimdal (heimdal)
  ports/security/heimdal/Makefile                                   1.39
  ports/security/heimdal/files/patch-ad                             1.6
-------------------------------------------------------------------------

VII. References

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Tue Aug 21 13:39:39 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
  by hub.freebsd.org (Postfix) with ESMTP id 776C337B40A;
  Tue, 21 Aug 2001 13:39:32 -0700 (PDT)
  (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
  by freefall.freebsd.org (8.11.4/8.11.4) id f7LKdWe21726;
  Tue, 21 Aug 2001 13:39:32 -0700 (PDT)
  (envelope-from security-advisories@FreeBSD.org)
Date: Tue, 21 Aug 2001 13:39:32 -0700 (PDT)
Message-Id: <200108212039.f7LKdWe21726@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to
  security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:55                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          procfs vulnerability leaks set[ug]id process memory

Category:       core
Module:         procfs
Announced:      2001-08-21
Credits:        Joost Pol
Affects:        FreeBSD 4.x, 4.3-STABLE prior to the correction date.
Corrected:      2001-08-12 07:29 PDT (4.3-STABLE)
                2001-08-13 12:45 PDT (RELENG_4_3)
FreeBSD only:   Yes

I.   Background

procfs is the process filesystem, which presents a filesystem interface
to the system process table, together with associated data.  procfs
provides access to the memory space of processes via the synthetic
/proc/<pid>/mem file, subject to access control checks.

linprocfs is an implementation of procfs which implements a Linux-style
procfs, for use with Linux binaries so they can obtain access to
exported kernel data.  It uses procfs to provide the /proc/<pid>/mem
file.

II.  Problem Description

Prior to the migration of system monitoring utilities (such as ps(8)) to
use the sysctl(8) management interface, these utilities formerly used
procfs and direct kernel memory access to extract process information,
and they ran with the setgid kmem privilege to allow direct kernel
memory access.  The procfs code checks for gid kmem privilege when
granting access to the /proc/<pid>/mem file -- however, the code which
is used to allow read-only access via the kmem group was incorrect, and
inappropriately granted read access to the caller as long as they
already had an open file descriptor for the procfs mem file.
The result of this problem is that if a process initially has debugging
rights to a second process, it may retain access to the target process'
memory space, even if the target process has upgraded privilege by
virtue of performing an execve() call on a setuid or setgid process.
This vulnerability can lead to the leaking of sensitive information from
such processes, which could be used as the basis for additional attacks,
resulting in escalation of attacker privilege on the system.

The linprocfs filesystem is also vulnerable to the problem if procfs
support is available in the kernel (statically compiled in, or
dynamically loaded as a module).  If procfs support is not available
then linprocfs is not vulnerable to this problem.

All released versions of FreeBSD 4.x including FreeBSD 4.3-RELEASE are
vulnerable to this problem if the procfs filesystem is in use.  It was
corrected prior to the (forthcoming) release of FreeBSD 4.4-RELEASE.

III. Impact

Attackers may be able to extract sensitive system information, such as
password hashes from the /etc/master.passwd file, from setuid or setgid
processes, such as su(1).  This information could be used by attackers
to escalate their privileges, possibly yielding root privileges on the
local system.

Because this attack may only be used on processes that initially are
"debuggable" by the attacking process, this attack is limited to
executed processes which gain privilege by virtue of being setuid or
setgid, and so it cannot be used against other processes which are
already running with privilege, such as already-running daemons
containing sensitive system information.

IV.  Workaround

To work around the problem, perform the following steps as root:

Unmount all instances of the procfs and linprocfs filesystems using the
umount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

Disable the automatic mounting of all instances of procfs in /etc/fstab:
remove or comment out the line(s) of the following form:

proc    /proc               procfs     rw  0  0
proc    /compat/linux/proc  linprocfs  rw  0  0

V.   Solution

1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3
security branch, dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to FreeBSD 4.3-RELEASE and
4.2-RELEASE (users of 4.2-RELEASE should already have the patch from
FreeBSD SA-00:77.procfs installed).  It may or may not apply to older,
unsupported releases of FreeBSD.

# cd /usr/src/sys
# patch -p < /path/to/patch

If procfs is statically compiled into the kernel (i.e. the kernel
configuration file contains the line 'options PROCFS'), then rebuild and
reinstall your kernel as described in

http://www.freebsd.org/handbook/kernelconfig.html

and reboot the system with the new kernel for the changes to take
effect.  By default procfs is statically compiled in the GENERIC kernel
configuration.
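Both workarounds in this batch of advisories (SA-01:54: comment out the
`telnet' lines in /etc/inetd.conf; SA-01:55: comment out the procfs and
linprocfs entries in /etc/fstab) amount to the same edit, so here is one
added example, not part of the advisories, that applies them to the file
text and reports what it changed.  The function names and the sample
inetd.conf/fstab contents are constructed for this example.

```python
"""Apply the SA-01:54 and SA-01:55 configuration workarounds to the text
of /etc/inetd.conf and /etc/fstab (added example, not FreeBSD's own code).

Each function returns the rewritten text plus the lines it disabled, so
the change can be reviewed before the file is written back and inetd is
sent SIGHUP / the filesystems are unmounted."""


def _comment_out(text, should_disable):
    """Prefix every line for which should_disable(fields) is true with '#'.
    Blank lines and lines that are already comments are left untouched."""
    out, changed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and should_disable(stripped.split()):
            out.append("#" + line)
            changed.append(stripped)
        else:
            out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


def disable_inetd_telnet(inetd_conf):
    """SA-01:54 workaround: disable every `telnet' service line (tcp and tcp6).
    inetd.conf field 1 is the service name."""
    return _comment_out(inetd_conf, lambda f: f[0] == "telnet")


def disable_procfs_mounts(fstab):
    """SA-01:55 workaround: disable procfs and linprocfs mount entries.
    fstab fields: device mountpoint fstype options dump pass."""
    return _comment_out(fstab, lambda f: len(f) >= 3 and f[2] in ("procfs", "linprocfs"))


# Constructed sample inputs, modelled on the lines quoted in the advisories.
SAMPLE_INETD = """\
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/local/libexec/telnetd  telnetd
telnet  stream  tcp6    nowait  root    /usr/local/libexec/telnetd  telnetd
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
"""

SAMPLE_FSTAB = """\
/dev/ad0s1a   /                   ufs        rw  1 1
proc          /proc               procfs     rw  0 0
proc          /compat/linux/proc  linprocfs  rw  0 0
"""

if __name__ == "__main__":
    new_inetd, changed = disable_inetd_telnet(SAMPLE_INETD)
    print("inetd.conf lines disabled:", len(changed))  # then: kill -HUP `cat /var/run/inetd.pid`
    print(new_inetd)
    new_fstab, changed = disable_procfs_mounts(SAMPLE_FSTAB)
    print("fstab entries disabled:", len(changed))     # then: umount -f -a -t procfs / linprocfs
    print(new_fstab)
```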
If procfs is dynamically loaded by KLD (use the kldstat(8) command to
verify whether this is the case) and the system securelevel has not been
raised to a level of 1 or higher, the system can be patched at run-time
without requiring a reboot by performing the following steps after
patching the source as described above:

# cd /usr/src/sys/modules/procfs
# make depend
# make all install
# umount -f -a -t procfs
# kldunload procfs
# kldload procfs
# mount -a -t procfs

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process.  This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.  If you use the upgrade package, feedback (positive or
negative) to security-officer@FreeBSD.org is requested so we can improve
the process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package.  These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-procfs-01.55.tgz

Restart your system after applying the patch.

VI.  CVS Revisions

The following $FreeBSD$ CVS revisions contain the fixes for this
vulnerability.  The $FreeBSD$ revision of installed sources can be
examined using the ident(1) command.  These revision IDs are not updated
by applying the patch referenced above.
[FreeBSD 4.3-STABLE]
  Revision         Path
  1.3.2.5          src/sys/i386/linux/linprocfs/linprocfs_vnops.c
  1.32.2.2         src/sys/miscfs/procfs/procfs.h
  1.46.2.2         src/sys/miscfs/procfs/procfs_mem.c
  1.76.2.5         src/sys/miscfs/procfs/procfs_vnops.c

[RELENG_4_3]
  Revision         Path
  1.3.2.3.2.1      src/sys/i386/linux/linprocfs/linprocfs_vnops.c
  1.32.2.1.2.1     src/sys/miscfs/procfs/procfs.h
  1.46.2.1.2.1     src/sys/miscfs/procfs/procfs_mem.c
  1.76.2.3.2.1     src/sys/miscfs/procfs/procfs_vnops.c

From owner-freebsd-security-notifications Thu Aug 23 13:57:18 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
  by hub.freebsd.org (Postfix) with ESMTP id BF82337B40A;
  Thu, 23 Aug 2001 13:57:12 -0700 (PDT)
  (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
  by freefall.freebsd.org (8.11.4/8.11.4) id f7NKvCO50877;
  Thu, 23 Aug 2001 13:57:12 -0700 (PDT)
  (envelope-from security-advisories@FreeBSD.org)
Date: Thu, 23 Aug 2001 13:57:12 -0700 (PDT)
Message-Id: <200108232057.f7NKvCO50877@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:56.tcp_wrappers
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:56                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          tcp_wrappers PARANOID hostname checking does not work

Category:       core
Module:         tcp_wrappers
Announced:      2001-08-23
Credits:        Tony Finch
Affects:        FreeBSD 4.1.1-RELEASE
                FreeBSD 4.2-RELEASE
                FreeBSD 4.3-RELEASE
                FreeBSD 4.3-STABLE before the correction date
Corrected:      2001-07-04 20:18:11 UTC (FreeBSD 4.3-STABLE)
                2001-07-04 20:18:54 UTC (RELENG_4_3)
FreeBSD only:   Yes

I.   Background

FreeBSD has included Wietse Venema's tcp_wrappers since 3.2-RELEASE.
tcp_wrappers allows one to add host-based ACLs to network applications,
and additionally provides connection logging and some detection of DNS
spoofing.

II.  Problem Description

The addition of a flawed check for a numeric result during reverse DNS
lookup causes tcp_wrappers to skip some of its sanity checking of DNS
results.  These sanity checks are only enabled by the 'PARANOID' ACL
option in the configuration file, so the flaw simply weakens the
'PARANOID' host checks to the level of assurance provided by the regular
host ACLs.

This vulnerability was corrected prior to the (forthcoming) release of
FreeBSD 4.4-RELEASE.

III. Impact

An attacker that can influence the results of reverse DNS lookups can
bypass certain tcp_wrappers PARANOID ACL restrictions by impersonating a
trusted host.  Such an attacker would need to be able to spoof reverse
DNS lookups, or more simply the attacker may be the administrator of the
DNS zone including the IP address of the remote host.

IV.  Workaround

None.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
RELENG_4_3 security branch after the respective correction dates.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.2-RELEASE,
4.3-RELEASE and 4.3-STABLE dated prior to the correction date.
This patch may or may not apply to older, unsupported releases of
FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:56/tcp_wrappers.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:56/tcp_wrappers.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/lib/libwrap
# make depend && make all install

One must also recompile any statically linked applications that link
against libwrap.a.  There are no such applications in the base system.

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process.  This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.  If you use the upgrade package, feedback (positive or
negative) to security-officer@FreeBSD.org is requested so we can improve
the process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package.  These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:56/security-patch-tcp_wrappers-01.56.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:56/security-patch-tcp_wrappers-01.56.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-tcp_wrappers-01.56.tgz

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each file
that was corrected, for the supported branches of FreeBSD.  The
$FreeBSD$ revision of installed sources can be examined using the
ident(1) command.  The patch provided above does not cause these
revision numbers to be updated.
[FreeBSD 4.3-STABLE]
  Revision         Path
  1.2.2.3          src/contrib/tcp_wrappers/socket.c

[RELENG_4_3]
  Revision         Path
  1.2.2.2.2.1      src/contrib/tcp_wrappers/socket.c

VII. References
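What the PARANOID option in SA-01:56 actually buys, shown as an added
example in Python rather than tcp_wrappers' own C: the client address is
resolved to a name, the name is resolved back to addresses, and a client
whose address is not among them is treated as PARANOID.  The resolver
callables, DNS records and function names here are constructed for this
example; the forward_check flag only models "the sanity check is skipped",
not the specific numeric-result bug in socket.c.

```python
"""Model of the tcp_wrappers PARANOID double-reverse DNS check
(added example, not tcp_wrappers' code).  Resolvers are injected so it
runs offline against constructed data."""

PARANOID = "PARANOID"


def client_hostname(addr, reverse, forward, *, forward_check=True):
    """Return the name to use for ACL matching of `addr`, or PARANOID.

    reverse(addr) -> hostname or None; forward(name) -> list of addresses.
    forward_check=False models a build whose sanity check is skipped."""
    name = reverse(addr)
    if name is None:
        return None            # unresolved: only address patterns can match
    if not forward_check:
        return name            # weakened: the PTR answer is trusted as-is
    if addr not in forward(name):
        return PARANOID        # name does not map back to the address
    return name


def acl_matches(pattern, addr, name):
    """Host patterns supported here: PARANOID, a leading-dot domain suffix
    such as .example.com, or an exact hostname / address."""
    if pattern == PARANOID:
        return name == PARANOID
    if pattern.startswith("."):
        return name not in (None, PARANOID) and name.endswith(pattern)
    return pattern == addr or pattern == name


def allowed(addr, reverse, forward, allow_pattern, *, forward_check=True):
    """Evaluate one hosts.allow client pattern for a connecting address."""
    name = client_hostname(addr, reverse, forward, forward_check=forward_check)
    return acl_matches(allow_pattern, addr, name)


# Constructed DNS data: 192.0.2.10 really is admin.example.com, while the
# owner of 198.51.100.7's reverse zone has published a PTR that claims
# example.com membership, but the forward record does not point back.
PTR = {"192.0.2.10": "admin.example.com", "198.51.100.7": "fake.example.com"}
A = {"admin.example.com": ["192.0.2.10"], "fake.example.com": ["203.0.113.9"]}


def reverse_lookup(addr):
    return PTR.get(addr)


def forward_lookup(name):
    return A.get(name, [])


if __name__ == "__main__":
    for addr in PTR:
        ok = allowed(addr, reverse_lookup, forward_lookup, ".example.com")
        weak = allowed(addr, reverse_lookup, forward_lookup, ".example.com", forward_check=False)
        print(addr, "with forward check:", ok, " without:", weak)
```

With the check in place only 192.0.2.10 matches `.example.com`; with it skipped both do, which is the "level of assurance provided by the regular host ACLs" the advisory describes.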