From owner-freebsd-security Mon Jan 6 9:57:44 2003
Date: Mon, 6 Jan 2003 18:57:21 +0100
From: Miguel Mendez
To: security@freebsd.org
Subject: http://www.pine.nl/press/pine-cert-20030101.txt.asc
Message-Id: <20030106185721.01414280.flynn@energyhq.homeip.net>

This bug has been fixed 4 hours ago ->
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_descrip.c

Here's the text...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------------
 Pine Digital Security Advisory
- -----------------------------------------------------------------------------
 Advisory ID       : PINE-CERT-20030101
 Authors           : Joost Pol
 Vendor Informed   : 2002-12-30
 Issue date        : 2003-01-06
 Application       : Kernel
 Version(s)        : Various
 Platforms         : FreeBSD
 Availability      : http://www.pine.nl/press/pine-cert-20030101.txt
- -----------------------------------------------------------------------------

Synopsis

    While performing an audit for a customer, Pine Digital Security found
    an integer overflow in the FreeBSD kernel.

Versions

    FreeBSD:

    RELENG_4 (aka -STABLE)         : not vulnerable after 20021111
    RELENG_5_0 (aka -CURRENT)      : vulnerable in lseek(2) (199)
    All current -RELEASE versions  : vulnerable in fpathconf(2) (192)

    OpenBSD/NetBSD: not vulnerable

Impact

    Serious.

    This integer overflow could cause a system panic, resulting in a
    Denial-of-Service (DoS). Also, this could be used to escalate
    privileges or cause the system to disclose (sensitive) files.

Description

    Inside the FreeBSD kernel each file (socket, device or regular file)
    opened is represented by a file structure (sys/file.h).

    Amongst other members this structure holds a reference counter
    (int f_count).

    This reference counter is increased by the fhold() function and
    decreased by the fdrop() function. (both in sys/file.h)

    For example, when a file is open(2)ed or dup(2)ed the reference
    counter is increased and when the file is close(2)ed again the
    reference counter is decreased.

    Once the reference counter reaches zero, the file structure itself
    is deallocated.

    Most system calls which perform (blocking) operations on a file will
    issue a fhold() call to prevent the file from being closed in the
    middle of an operation.

    Once the operation is finished the (extra) reference will be released
    again by issuing a fdrop() call.

    Inside the fpathconf(2) (192) system call we spotted a condition
    where a call to fdrop() is missing.

    When issuing a fpathconf(2) call on a socket it will return with an
    error condition but it will not release the extra file reference.

    Due to the missing fdrop() call inside the fpathconf(2) system call
    it is possible to overflow the reference counter of the file
    structure (int f_count).

    FreeBSD -CURRENT suffers from the same problem in another syscall.

Exploitability

    Causing a system panic and privilege escalation have been confirmed.

    Exploitation of this bug will take time, depending on machine speed
    and system limits this could vary between hours and days.

    1. System Panic

    A system panic can be caused by issuing around 2^31 calls to
    fpathconf(2) with a filedescriptor which references a socket.

    The reference counter (int f_count) will wrap to a negative value
    and this will cause a panic in close(2).

    2. Privilege Escalation

    It is also possible (although more difficult) to gain root access
    using this bug.

    One would open(2) a socket and dup(2) it. One would then issue around
    2^32 - 1 calls to fpathconf(2) causing the reference counter to wrap
    to 1.

    After closing the original filedescriptor the file structure will be
    deallocated.

    At this point the dup(2)ed file descriptor is still hanging around
    with a file structure pointing to unallocated memory.

    The final step, which is left as an exercise for the reader, is to
    have a sensitive file (like /etc/skeykeys) opened and allocated at
    the previously freed location.

    Once this happens the dup(2)ed file descriptor is still hanging
    around providing access to this file.

    This could result in the escalation of user privileges.

Disclaimer

    Pine Digital Security does not release exploits.

    Although the missing fdrop() call in fpathconf(2) was noticed before
    by Nakamura Takayuki its impact was severely underestimated.

Patches

    FreeBSD CVS should be updated.

References

    http://www.pine.nl/press/pine-cert-20030101.txt
    file://usr/include/sys/file.h
    file://usr/src/sys/kern/kern_descrip.c
    file://usr/src/sys/kern/vfs_syscalls.c

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQE+GXVR0jbIKvNgu5MRAlEMAJ9hCd/HkUfUsVyriSXTv9YvAChfeQCgtoJo
0AlK0bqR4Qtq0YLZJxiPnFc=
=8KfX
-----END PGP SIGNATURE-----

-- 
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
Of course it runs NetBSD!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 6 10: 6:24 2003
Message-Id: <5.2.0.9.0.20030106130825.04a3e0f8@marble.sentex.ca>
Date: Mon, 06 Jan 2003 13:09:44 -0500
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS

FYI, for those not on bugtraq.

        ---Mike

>Date: Sat, 4 Jan 2003 19:37:03 -0800
>To: bugtraq@securityfocus.com
>Subject: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
>From: mmhs@hushmail.com
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>*********** OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS ***********
>
>MICKEY MOUSE HACKING SQUADRON ADVISORY #2
>
>DISCLAIMER
>- ----------
>
>The nation's zeroth private security intelligence firm, Mickey Mouse
>Hacking Squadron uniquely addresses the challenges faced by both public-
>and private-sector organizations in protecting critical information
>assets.
>
>Our intelligence is timely, delivered 24 x 7, 365 (*) days per year;
>relevant, fully customizable, and actionable intelligence is only
>valuable if it makes a difference.
>
>(*) in the case of a leap year, we of course provide a 24 x 7, 366 days
>premier service.
>
>TECHNICAL BACKGROUND
>- --------------------
>
>The following advisory is based on the excellent advisory published by
>Global InterSec LLC *six months ago*:
>
>http://www.globalintersec.com/adv/openssh-2002062801.txt
>
>After more than six months of intensive underground research, our ISO
>31337 certified security department evidenced that the bug (an integer
>overflow, resulting in a heap overflow) described in the aforementioned
>advisory still exists in OpenSSH 3.5p1 and 3.4p1, and remains trivially
>exploitable. All existing PAM enabled versions of OpenSSH (3.5p1, 3.4p1
>and below) are therefore affected.
>
>Due to various advisories posted to various fora by unnamed security
>companies, this bug was supposed to be nonexistent or nonexploitable.
>Fortunately, Global InterSec LLC shed some light on the whole affair and
>revealed the malignant nature of the oversight to the world.
>
>Their results were applied to the latest OpenSSH versions by privately
>trained Mickey Mouse Hacking Squadron security specialists and revealed
>that the exploitation techniques developed by Global InterSec LLC are
>still applicable to the newest OpenSSH.
>
>PROOF OF CONCEPT
>- ----------------
>
>The following proof of concept is reproducing Global InterSec LLC
>findings, enhanced with the patented research performed by Mickey Mouse
>Hacking Squadron against OpenSSH 3.5p1.
>
>First of all, the OpenSSH 3.5p1 server has to be built (with PAM support
>enabled):
>
>$ tar xzf openssh-3.5p1.tar.gz
>$ cd openssh-3.5p1
>$ configure --with-pam
>[...]
>$ make sshd
>[...]
>
>Before the SSH server is actually executed, the sshd_config file should
>be modified in order to enable PAM ("PAMAuthenticationViaKbdInt yes").
>
># sshd
>
>In order to reveal the nature of the OpenSSH vulnerability, the next
>step is to connect to the SSH server:
>
>$ ssh werewolf.research.mmhs.com
>Password:
>
>Thanks to the "Password:" prompt, it is clear that PAM is actually
>enabled (otherwise, the prompt would have been "user@host's password:").
>This unique fingerprinting technique was investigated by Mickey Mouse
>Hacking Squadron, and is already present in the latest version of the
>Mickey Mouse Hacking Squadron award winning network vulnerability
>assessment tool.
>
>After the previous command was executed, the freshly spawned sshd
>process has to be examined with a debugger, in order to set the correct
>breakpoints within the input_userauth_info_response_pam() function of
>OpenSSH, as demonstrated in the Global InterSec LLC advisory:
>
># gdb sshd 6552
>(gdb) disassemble input_userauth_info_response_pam
>[...]
>0x80531bc : push %esi
>0x80531bd :
>     call 0x807306c
>[...]
>(gdb) break *0x80531bd
>Breakpoint 1 at 0x80531bd: file auth2-pam.c, line 158.
>(gdb) continue
>Continuing.
>
>Now that the buggy call to xfree() can be intercepted, the SSH client
>should trigger the integer overflow and the resulting heap overflow:
>
>$ ssh werewolf.research.mmhs.com
>Password:
>
>After that, the xfree() breakpoint is reached, and the next call to
>free() should therefore be intercepted in order to comply with the
>technique developed by Global InterSec LLC:
>
>Breakpoint 1, 0x080531bd in input_userauth_info_response_pam (type=61,
>     seqnr=7, ctxt=0x809c050) at auth2-pam.c:158
>158 xfree(resp);
>(gdb) disassemble xfree
>[...]
>0x807308e : call 0x804ba14
>[...]
>(gdb) break *0x807308e
>Breakpoint 2 at 0x807308e: file xmalloc.c, line 55.
>(gdb) continue
>Continuing.
>
>Breakpoint 2, 0x0807308e in xfree (ptr=0x809dfb8) at xmalloc.c:55
>55 free(ptr);
>(gdb) x /10x 0x809dfb8
>0x809dfb8: 0x41414141 0x41414141 0x41414141 0x41414141
>0x809dfc8: 0x41414141 0x41414141 0x41414141 0x41414141
>0x809dfd8: 0x41414141 0x41414141
>
>
>From here on, as demonstrated by Global InterSec LLC, exploitation
>becomes trivial. For more information on exploiting calls to free() see
>the excellent Phrack article "Once upon a free()" [2].
>
>WORK AROUND
>- -----------
>
>As mentioned in http://www.openssh.com/txt/preauth.adv, and as
>demonstrated by noir in http://www.phrack.org/phrack/60/p60-0x06.txt,
>"you can prevent privilege escalation if you enable
>UsePrivilegeSeparation in sshd_config."
>
>Love,
>
>- --
>Mickey Mouse Hacking Squadron
>-----BEGIN PGP SIGNATURE-----
>Version: Hush 2.2 (Java)
>Note: This signature can be verified at https://www.hushtools.com/verify
>
>wlkEARECABkFAj4XqFwSHG1taHNAaHVzaG1haWwuY29tAAoJEMZ9fu0iAPxbgYEAoL0W
>0oGQQvqwwZAGADonQ2TOUjNmAJ4zuUfANSpju97UjXdD65bkCy6M1A==
>=YvOU
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Sentex Communications,                        mike@sentex.net
Providing Internet since 1994                 www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike

From owner-freebsd-security Mon Jan 6 12: 1: 3 2003
Message-ID: <20030106200055.85752.qmail@web10108.mail.yahoo.com>
Date: Mon, 6 Jan 2003 12:00:55 -0800 (PST)
From: twig les
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
To: Mike Tancsa, freebsd-security@freebsd.org
In-Reply-To: <5.2.0.9.0.20030106130825.04a3e0f8@marble.sentex.ca>

I didn't see anything about a patch on the openssh.org
site but I may have missed it, any word?  Was the team
even notified before the posting (posting has a
gleeful tone about it).

--- Mike Tancsa wrote:
> 
> FYI, for those not on bugtraq.
> >
> >Breakpoint 2, 0x0807308e in xfree (ptr=0x809dfb8)
> at xmalloc.c:55
> 
=== message truncated ===

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------

From owner-freebsd-security Mon Jan 6 13:27:25 2003
Message-ID: <3E19F4B0.3090903@pantherdragon.org>
Date: Mon, 06 Jan 2003 13:27:12 -0800
From: Darren Pilgrim
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
References: <5.2.0.9.0.20030106130825.04a3e0f8@marble.sentex.ca>

Mike Tancsa wrote:
> 
> FYI, for those not on bugtraq.

The "advisory" is suspect.

1) The language used in the non-technical parts of the message is
immature, detracting from the credibility of the author.

2) Most ssh clients send your logged-in username by default if you
don't specify one using the form "user@" on the command line.  My
PAM-disabled versions of OpenSSH do this.  For a group that supposedly
spent six months researching OpenSSH, you'd think they'd have noticed.

>> Date: Sat, 4 Jan 2003 19:37:03 -0800
>> To: bugtraq@securityfocus.com
>> Subject: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
>> From: mmhs@hushmail.com

From owner-freebsd-security Mon Jan 6 13:36:40 2003
Message-Id: <5.2.0.9.0.20030106163804.04630960@marble.sentex.ca>
Date: Mon, 06 Jan 2003 16:39:29 -0500
To: Darren Pilgrim
From: Mike Tancsa
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Cc: freebsd-security@freebsd.org
In-Reply-To: <3E19F4B0.3090903@pantherdragon.org>
References: <5.2.0.9.0.20030106130825.04a3e0f8@marble.sentex.ca>

Yes, it does look a bit odd.  There was another posting on bugtraq that
says,

-----------------begin quote

As some may have gathered, the advisory recently posted by
mmhs@hushmail.com was indeed a fake, intended to highlight several
unclear statements made in GIS2002062801.

The advisory in question is currently being updated with more detailed
information and will be re-posted at:
http://www.globalintersec.com/adv/openssh-2002062801.txt as soon as it
becomes available.

Note that the kbd-init flaw described in GIS2002062801 was proven to be
exploitable in our lab although not all evidence to demonstrate this was
provided in the original advisory. A mistake was made in the original
advisory draft, where chunk content data was shown, rather than the
entire corrupted malloc chunk. This will be amended in the revision.

Also note that to our knowledge there are currently no known,
exploitable flaws in OpenSSH 3.5p1, due to its use of PAM as suggested
by mmhs@hushmail.com. It is almost certain that the posted bogus
advisory was also intended to cause alarm amongst communities using
OpenSSH, through misinformation.

Global InterSec LLC.

------------------------------end quote--------------

At 01:27 PM 06/01/2003 -0800, Darren Pilgrim wrote:
>Mike Tancsa wrote:
>>FYI, for those not on bugtraq.
>
>The "advisory" is suspect.
>
>1) The language used in the non-technical parts of the message is
>immature, detracting from the credibility of the author.
>
>2) Most ssh clients send your logged-in username by default if you don't
>specify one using the form "user@" on the command line.  My PAM-disabled
>versions of OpenSSH do this.  For a group that supposedly spent six months
>researching OpenSSH, you'd think they'd have noticed.
>
>>>Date: Sat, 4 Jan 2003 19:37:03 -0800
>>>To: bugtraq@securityfocus.com
>>>Subject: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
>>>From: mmhs@hushmail.com

From owner-freebsd-security Mon Jan 6 13:39: 4 2003
Message-Id: <200301062139.h06Ld1Ka011779@aristotle.tamu.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
In-Reply-To: Message from Darren Pilgrim of "Mon, 06 Jan 2003 13:27:12 PST." <3E19F4B0.3090903@pantherdragon.org>
Date: Mon, 06 Jan 2003 15:39:01 -0600
From: Robin Smith

>>>>> "Darren" == Darren Pilgrim writes:

    Darren> Mike Tancsa wrote:
    >> FYI, for those not on bugtraq.
    Darren> The "advisory" is suspect.

Whatever the credibility of this advisory, it seems the issue is handled
just by turning on privilege separation.  (1) Is that right?
(2) Can anyone tell me any reason not to turn it on (apart from a few
additional entries in the process table)?  It's off in the default FreeBSD
4.7 config.

Robin Smith

From owner-freebsd-security Mon Jan 6 14:41:37 2003
Date: Mon, 6 Jan 2003 23:41:32 +0100
From: Christoph Moench-Tegeder
To: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Message-ID: <20030106224131.GB21393@rz-ewok.rz.uni-karlsruhe.de>
References: <3E19F4B0.3090903@pantherdragon.org> <200301062139.h06Ld1Ka011779@aristotle.tamu.edu>
In-Reply-To: <200301062139.h06Ld1Ka011779@aristotle.tamu.edu>

## Robin Smith (rasmith@aristotle.tamu.edu):

> Whatever the credibility of this advisory, it seems the issue is handled
> just by turning on privilege separation.

If there was an exploit, an attacker shouldn't get root on your box
but user sshd chroot()ed to /var/empty. This lessens the impact of
bugs, but they don't vanish this way.

> (2) Can anyone tell me any reason not to turn it on (apart from a few
> additional entries in the process table)?  It's off in the default FreeBSD
> 4.7 config.

It's on. OpenSSH >=3.4 has privilege separation on by default and
can be configured to the old behaviour by setting
"UsePrivilegeSeparation no" (which is commented out in FreeBSD's
config).

Regards, cmt

-- 
Spare Space

From owner-freebsd-security Mon Jan 6 15:20: 0 2003
Message-ID: <003a01c2b5da$0e5ab9c0$2101a8c0@PestifereWin2k>
From: "Maxence Rousseau"
To:
Subject: FAKE Fw: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Date: Tue, 7 Jan 2003 00:19:26 +0100

----- Original Message -----
From: "Global InterSec Research"
To:
Sent: Monday, January 06, 2003 9:05 PM
Subject: Re: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS

>
> As some may have gathered, the advisory recently posted by mmhs@hushmail.com
> was indeed a fake, intended to highlight several unclear statements made in GIS2002062801.
>
> The advisory in question is currently being updated with more detailed information and will be
> re-posted at: http://www.globalintersec.com/adv/openssh-2002062801.txt as soon as it becomes
> available.
>
> Note that the kbd-init flaw described in GIS2002062801 was proven to be exploitable in our lab
> although not all evidence to demonstrate this was provided in the original advisory. A mistake
> was made in the original advisory draft, where chunk content data was shown, rather than the
> entire corrupted malloc chunk. This will be amended in the revision.
>
> Also note that to our knowledge there are currently no known, exploitable flaws in OpenSSH 3.5p1,
> due to its use of PAM as suggested by mmhs@hushmail.com.
> It is almost certain that the posted
> bogus advisory was also intended to cause alarm amongst communities using OpenSSH, through
> misinformation.
>
>
> Global InterSec LLC.
>

From owner-freebsd-security Mon Jan 6 20:15:27 2003
Date: Mon, 6 Jan 2003 22:20:34 -0600
From: John
To: freebsd-security@freebsd.org
Subject: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Message-ID: <20030107042034.GA565@mail.unixjunkie.com>

just for the record, UsePrivilegeSeparation is not enabled by default in FreeBSD up to 4.7-p2. However, it is
in 5.0-RC2.

From owner-freebsd-security Mon Jan 6 22:13:31 2003
Message-ID: <3E1A7000.20308@pantherdragon.org>
Date: Mon, 06 Jan 2003 22:13:20 -0800
From: Darren Pilgrim
To: phk@freebsd.org
Cc: Mike Tancsa , freebsd-security@freebsd.org
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS

phk@freebsd.org wrote:
> In message <3E19F4B0.3090903@pantherdragon.org>, Darren Pilgrim writes:
>>Mike Tancsa wrote:
>>
>>>FYI, for those not on bugtraq.
>>
>>The "advisory" is suspect.
>>
>>1) The language used in the non-technical parts of the message are
>>immature, detracting from the credibility of the author.
>
> If you were a bank-teller, would you ignore a bank-robber with a
> gun because he spoke baby-language ? I probably wouldn't :-)

Granted, I wouldn't ignore him, but I would have a hard time filling his
bag between fits of hysterics. Besides, I'm a netadmin, so I'd be
either a security guard or on the loan committee. I don't do sales. :)

From owner-freebsd-security Mon Jan 6 22:54:43 2003
Date: Mon, 6 Jan 2003 22:54:40 -0800
From: Jaron Omega
To: freebsd-security@freebsd.org
Cc: Darren Pilgrim
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Message-ID: <20030107065440.GA4302@af-inet.net>

On Mon, Jan 06, 2003 at 10:13:20PM -0800, Darren Pilgrim wrote:
> phk@freebsd.org wrote:
> >In message <3E19F4B0.3090903@pantherdragon.org>, Darren Pilgrim writes:
> >>Mike Tancsa wrote:
> >>
> >>>FYI, for those not on bugtraq.
> >>
> >>The "advisory" is suspect.
> >>
> >>1) The language used in the non-technical parts of the message are
> >>immature, detracting from the credibility of the author.
> >
> >If you were a bank-teller, would you ignore a bank-robber with a
> >gun because he spoke baby-language ? I probably wouldn't :-)
>
> Granted, I wouldn't ignore him, but I would have a hard time filling his
> bag between fits of hysterics. Besides, I'm a netadmin, so I'd be
> either a security guard or on the loan committee. I don't do sales. :)

No doubt we have all met those people that speak with authority, yet have
none at all and those with timid voices relaying solid information. I've
found that immaturity is in no way indicative of intelligence nor knowledge,
but instead with maturity by itself. I also believe that truth is without
circumstance, so under no circumstance would a truthful statement be
miraculously deemed false or discredited. A clown or a professor, doesn't
change the facts, just how you feel which is a flaw in character if you
ask me.

Omega

From owner-freebsd-security Mon Jan 6 23: 8:49 2003
Date: Tue, 7 Jan 2003 17:08:15 +1000 (EST)
From: Keyran Bayliss
To: freebsd-security@FreeBSD.ORG
Subject: (AUSCERT ESB-2003.0007) Pine Digital Security Advisory - Integer overflow in FreeBSD kernel (fwd)
Message-ID: <20030107170645.B75677@danger.its.dias.qut.edu.au>

Haven't seen anything about it on this list yet.... can't see a patch on
the site.... ??

K.

---------- Forwarded message ----------
Date: Tue, 07 Jan 2003 11:16:21 +1000 (EST)
From: auscert@auscert.org.au
To: auscert-subscriber@auscert.org.au
Subject: (AUSCERT ESB-2003.0007) Pine Digital Security Advisory - Integer overflow in FreeBSD kernel

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2003.0007 -- Pine Digital Security Advisory
Integer overflow in FreeBSD kernel
07 January 2003

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           kernel
Vendor:            Pine Digital Security
Operating System:  FreeBSD
Impact:            Root Compromise
                   Denial of Service
Access Required:   Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -----------------------------------------------------------------------------
Pine Digital Security Advisory
- - -----------------------------------------------------------------------------
Advisory ID : PINE-CERT-20030101
Authors : Joost Pol
Vendor Informed : 2002-12-30
Issue date : 2003-01-06
Application : Kernel
Version(s) : Various
Platforms : FreeBSD
Availability : http://www.pine.nl/press/pine-cert-20030101.txt
- - -----------------------------------------------------------------------------

Synopsis

While performing an audit for a customer, Pine Digital Security found
an integer overflow in the FreeBSD kernel.

Versions

FreeBSD:
RELENG_4 (aka -STABLE) : not vulnerable after 20021111
RELENG_5_0 (aka -CURRENT) : vulnerable in lseek(2) (199)
All current -RELEASE versions : vulnerable in fpathconf(2) (192)

OpenBSD/NetBSD: not vulnerable

Impact

Serious.

This integer overflow could cause a system panic, resulting in a
Denial-of-Service (DoS). Also, this could be used to escalate privileges
or cause the system to disclose (sensitive) files.

Description

Inside the FreeBSD kernel each file (socket, device or regular file)
opened is represented by a file structure (sys/file.h).

Amongst other members this structure holds a reference counter
(int f_count). This reference counter is increased by the fhold()
function and decreased by the fdrop() function. (both in sys/file.h)

For example, when a file is open(2)ed or dup(2)ed the reference counter
is increased and when the file is close(2)ed again the reference counter
is decreased.

Once the reference counter reaches zero, the file structure itself is
deallocated.

Most system calls which perform (blocking) operations on a file will
issue a fhold() call to prevent the file from being closed in the
middle of an operation.

Once the operation is finished the (extra) reference will be released
again by issuing a fdrop() call.

Inside the fpathconf(2) (192) system call we spotted a condition where
a call to fdrop() is missing.

When issuing a fpathconf(2) call on a socket it will return with an
error condition but it will not release the extra file reference.

Due to the missing fdrop() call inside the fpathconf(2) system call
it is possible to overflow the reference counter of the file structure
(int f_count).

FreeBSD -CURRENT suffers from the same problem in another syscall.

Exploitability

Causing a system panic and privilege escalation have been confirmed.

Exploitation of this bug will take time, depending on machine speed
and system limits this could vary between hours and days.

1. System Panic

A system panic can be caused by issuing around 2^31 calls to
fpathconf(2) with a filedescriptor which references a socket.

The reference counter (int f_count) will wrap to a negative value
and this will cause a panic in close(2).

2. Privilege Escalation

It is also possible (although more difficult) to gain root access
using this bug.

One would open(2) a socket and dup(2) it.
One would then issue around 2^32 - 1 calls to fpathconf(2) causing the
reference counter to wrap to 1.

After closing the original filedescriptor the file structure will be
deallocated. At this point the dup(2)ed file descriptor is still
hanging around with a file structure pointing to unallocated memory.

The final step, which is left as an exercise for the reader, is to
have a sensitive file (like /etc/skeykeys) opened and allocated at the
previously freed location.

Once this happens the dup(2)ed file descriptor is still hanging around
providing access to this file. This could result in the escalation of
user privileges.

Disclaimer

Pine Digital Security does not release exploits.

Although the missing fdrop() call in fpathconf(2) was noticed before by
Nakamura Takayuki its impact was severely underestimated.

Patches

FreeBSD CVS should be updated.

References

http://www.pine.nl/press/pine-cert-20030101.txt
file://usr/include/sys/file.h
file://usr/src/sys/kern/kern_descrip.c
file://usr/src/sys/kern/vfs_syscalls.c

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQE+GXVR0jbIKvNgu5MRAlEMAJ9hCd/HkUfUsVyriSXTv9YvAChfeQCgtoJo
0AlK0bqR4Qtq0YLZJxiPnFc=
=8KfX
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST).
On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPhqu7Ch9+71yA2DNAQHXKgP/eaCn13hYy348VjR+bFlFIecxvSFSnC2m
up0fom96MkKt1U3pxNKt8Nnt9kk3PKGpCAmoHipQRJ+hV0P9w7IrFWIhv1RSf15l
lSSeU4KQxor7zn6j1xPj25Tmtlov1xAFj8LsLrnbYYM8fMG3YoA0TNYI1VAMVDBU
WDWAghBU0nI=
=2UKi
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 6 23:50:48 2003
Date: Tue, 7 Jan 2003 17:50:43 +1000 (EST)
From: Keyran Bayliss
To: Colin Percival , ""
Subject: Re: (AUSCERT ESB-2003.0007) Pine Digital Security Advisory - Integer overflow in FreeBSD kernel (fwd)
Message-ID: <20030107174449.N75677@danger.its.dias.qut.edu.au>

On Tue, 7 Jan 2003, Colin Percival wrote:

> At 17:08 07/01/2003 +1000, Keyran Bayliss wrote:
> >Haven't seen anything about it on this list yet.... can't see a patch
>
> Well, there's an advisory on the FTP site:
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:44.filedesc.asc
>
> which points at a patch and its signature:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc

Groovy, thanks. I stupidly thought the "02" in the file name referred to the
year... so I overlooked the advisory.

What does the "02" refer to ?

K.

From owner-freebsd-security Tue Jan 7 3:10:36 2003
Date: Tue, 7 Jan 2003 12:01:00 +0100
From: Joao Schim
To: freebsd-security@freebsd.org
Subject: Re: (AUSCERT ESB-2003.0007) Pine Digital
 Security Advisory - Integer overflow in FreeBSD kernel (fwd)
Message-Id: <20030107120100.6ee1010d.joao@bowtie.nl>

On Tue, 7 Jan 2003 17:50:43 +1000 (EST)
Keyran Bayliss wrote:

> On Tue, 7 Jan 2003, Colin Percival wrote:
>
> > At 17:08 07/01/2003 +1000, Keyran Bayliss wrote:
> > >Haven't seen anything about it on this list yet.... can't see a patch
> >
> > Well, there's an advisory on the FTP site:
> >ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:44.filedesc.asc
> >
> > which points at a patch and its signature:
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
>
> Groovy, thanks. I stupidly thought the "02" in the file name referred to the
> year... so I overlooked the advisory.
>

Aren't the advisories supposed to be sent to announce as well ?
Haven't seen it come by.
I like the event based character of it. Instead of looking around
semi-paranoia to see whether new advisories are placed on the ftp or not.

Regards,

Joao Schim

From owner-freebsd-security Tue Jan 7 4:29:13 2003
Date: Tue, 7 Jan 2003 13:29:08 +0100
To: Joao Schim
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: (AUSCERT ESB-2003.0007) Pine Digital Security Advisory - Integer overflow in FreeBSD kernel (fwd)
Message-ID: <20030107122908.GG6155@lupe-christoph.de>
From: lupe@lupe-christoph.de (Lupe Christoph)

On Tuesday, 2003-01-07 at 12:01:00 +0100, Joao Schim wrote:

> Aren't the advisories supposed to be sent to announce as well ?
> Haven't seen it come by.

It's not on http://www.de.freebsd.org/security/#adv either.

> I like the event based character of it.
> Instead of looking around
> semi-paranoia to see whether new advisories are placed on the ftp or not.

Hmm. If it *was* on the Security page, websec would have found it, but
websec can't do ftp servers...

Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |

From owner-freebsd-security Tue Jan 7 6:23:33 2003
Date: Tue, 7 Jan 2003 08:22:31 -0600
From: "Jacques A. Vidrine"
To: Keyran Bayliss
Cc: Colin Percival , freebsd-security@FreeBSD.ORG
Subject: Re: (AUSCERT ESB-2003.0007) Pine Digital Security Advisory - Integer overflow in FreeBSD kernel (fwd)
Message-ID: <20030107142231.GA16138@madman.nectar.cc>

On Tue, Jan 07, 2003 at 05:50:43PM +1000, Keyran Bayliss wrote:
> Groovy, thanks. I stupidly thought the "02" in the file name referred to the
> year... so I overlooked the advisory.
>
> What does the "02" refer to ?

It stands for the year 2002. :-) It was 2002 when the problem was
first pointed out, but probably I should have issued this as
`SA-03:01' to avoid confusion. Ah well.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Jan 7 6:25:16 2003
Date: Tue, 7 Jan 2003 08:24:14 -0600
From: "Jacques A.
 Vidrine"
To: Joao Schim
Cc: freebsd-security@freebsd.org
Subject: Re: (AUSCERT ESB-2003.0007) Pine Digital Security Advisory - Integer overflow in FreeBSD kernel (fwd)
Message-ID: <20030107142414.GB16138@madman.nectar.cc>

On Tue, Jan 07, 2003 at 12:01:00PM +0100, Joao Schim wrote:
> Aren't the advisories supposed to be sent to announce as well ?
> Haven't seen it come by.

Yes, `supposed to be'. I will try again later today. Yesterday I also
sent a mailing regarding a new FreeBSD security officer PGP key, but I
didn't see that hit the list, either. Hmm.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Tue Jan 7 6:27:41 2003
Date: Tue, 7 Jan 2003 08:26:39 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Subject: Fwd: [FreeBSD-SA-02:44.filedesc.asc - A favor, please?]
Message-ID: <20030107142639.GC16138@madman.nectar.cc>

Forwarded by request.
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

----- Forwarded message from D J Hawkey Jr -----

Date: Tue, 7 Jan 2003 06:49:47 -0600
From: D J Hawkey Jr
To: "Jacques A. Vidrine"
Subject: FreeBSD-SA-02:44.filedesc.asc - A favor, please?
Message-ID: <20030107064947.A784@sheol.localdomain>
Reply-To: hawkeyd@visi.com

Hi, Jacques.

I'm wondering if you'd do me a favor, please, and post this notice to
freebsd-security@freebsd.org for me? I am unable to post to that list,
and so far, the postmaster is unable to figure out why (or, at least,
he hasn't gotten back to me about it yet).

---8<---
The patches referenced in security advisory SA-02:44 have been backported
to FreeBSD-4.5, and can be found at

http://www.visi.com/~hawkeyd/freebsd-backports.html
--->8---

Thanks,
Dave

--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd@visi.com /\________________/
http://www.visi.com/~hawkeyd/

----- End forwarded message -----

From owner-freebsd-security Tue Jan 7 9:40: 5 2003
Date: Tue, 07 Jan 2003 11:39:43 -0600
From: "Robinson, Rick"
Subject: Unix Password Expiration Questions
To: "'freebsd-security@freebsd.org'"
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I also sent this question to freebsd-questions, but I am not sure if that is the right place for it.

I am working on trying to set up Unix password expiration and I have run into a few problems. I have added the following lines into the login.conf.

        :passwordtime=90d:\
        :warnpassword=5d:\

And now the passwords expire if they haven't been changed after 90 days. However, I have a couple of questions. Right now once your password is expired the system doesn't force you to change your password to a different password. It prompts you for the old password and then when it prompts you for the new password it allows you to use the exact same password. That kind of defeats the purpose of expiring them in the first place. Is there any way to force the user to use a new password? And even better, is there a way to force them to not use one of their last 10 passwords?

Also, once the password has been changed the system is logging me out. This can be confusing if you don't notice you were logged out because it looks like it just dropped you to your shell when in actuality it dropped you back to the shell you were coming from. Is there any way to get the system to not drop your connection when you change your password?

Thanks for the help.
Rick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 7 9:48:16 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1057637B401 for ; Tue, 7 Jan 2003 09:48:12 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id C513843ED8 for ; Tue, 7 Jan 2003 09:48:10 -0800 (PST) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id CACE747 for ; Tue, 7 Jan 2003 11:48:09 -0600 (CST) Received: by madman.nectar.cc (Postfix, from userid 1001) id 0717A5CC2; Tue, 7 Jan 2003 11:47:11 -0600 (CST) Date: Tue, 7 Jan 2003 11:47:11 -0600 From: "Jacques A. Vidrine" To: freebsd-security@FreeBSD.org Subject: Updated FreeBSD Security Officer PGP Key Message-ID: <20030107174711.GB10745@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello All, A new PGP key for the FreeBSD Security Officer role has been generated. The new PGP key ID is 0xCA6CDFB2 and the key itself is included in this message. A new key was generated for two reasons. In response to the requests of submitters, the Security Officer role was reorganized some time ago into a core security-officer and additional security-team mail alias, with membership as described at . The distribution of the new key reflects the new organization. 
Secondly, we have from time to time received reports that the previous, six-year-old key was found corrupted on public key servers. Although there is nothing `wrong' with the key itself (a good copy is always available on the FTP site and in the Handbook), it has inconvenienced our users enough to warrant deprecating the key. Please direct any questions to . Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 8 8:19:39 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id
D4DF337B401 for ; Wed, 8 Jan 2003 08:19:35 -0800 (PST) Received: from kumprang.or.id (mrtg.kumprang.or.id [202.143.103.227]) by mx1.FreeBSD.org (Postfix) with SMTP id 80DBF43ED1 for ; Wed, 8 Jan 2003 08:19:20 -0800 (PST) (envelope-from budsz@kumprang.or.id) Received: (qmail 48856 invoked by uid 1008); 8 Jan 2003 16:21:59 -0000 Date: Wed, 8 Jan 2003 23:21:58 +0700 From: budsz To: FreeBSD-Security Subject: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Message-ID: <20030108162158.GC48296@kumprang.or.id> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-URL: "http://www.kumprang.or.id/~budsz/" X-Pubkey: "http://www.kumprang.or.id/~budsz/pubkey.txt" X-Pubkey-MD5: "http://www.kumprang.or.id/~budsz/pubkey-checksum.md5" X-Finger-Print: "A05A 268C 3CD4 ABBD D9EB 11E1 F64C 4B4E 6269 5304" X-Organization: "Internet Cafe and Game PC Kumprang" User-Agent: Mutt/1.5.3i X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org II. Problem Description A programming error in the fpathconf system call can result in the given file descriptor's reference count being erroneously incremented. A similar problem exists in the developer preview versions of FreeBSD 5.0, affecting the lseek(2), dup(2), and other system calls. III. Impact A local attacker may cause the operating system to crash by repeatedly calling fpathconf on a file descriptor until the reference count wraps to a negative value, and then calling close on that file descriptor. Similarly, it may be possible to cause a file descriptor to reference unallocated kernel memory, but remain valid. If a new file is later opened and the kernel allocates the new file structure at the same memory location, then an attacker may be able to gain read or write access to that file. 
This may in turn lead to privilege escalation.

IV. Workaround

There is no workaround.

V. Solution

The following patch has been verified to apply to FreeBSD 4.4, 4.5, 4.6, and 4.7 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

The question:

If I periodically upgrade with cvsup stable and compile the kernel, will it fix that problem, or must I patch only? Does cvsup replace all of the source?

--
budsz

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 8 8:25:23 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE47837B401 for ; Wed, 8 Jan 2003 08:25:19 -0800 (PST) Received: from post-20.mail.nl.demon.net (post-20.mail.nl.demon.net [194.159.73.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1EE3543E4A for ; Wed, 8 Jan 2003 08:25:19 -0800 (PST) (envelope-from apehaar@text-only.demon.nl) Received: from [212.238.193.97] (helo=JOS) by post-20.mail.nl.demon.net with smtp (Exim 3.36 #1) id 18WJ13-000GRQ-00; Wed, 08 Jan 2003 16:25:18 +0000 Message-ID: <004101c2b732$89d59940$0201a8c0@JOS> From: "horcy" To: "budsz" Cc: References: <20030108162158.GC48296@kumprang.or.id> Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Date: Wed, 8 Jan 2003 17:25:20 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft
MimeOLE V6.00.2800.1106 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

II. Problem Description

A programming error in the fpathconf system call can result in the given file descriptor's reference count being erroneously incremented. A similar problem exists in the developer preview versions of FreeBSD 5.0, affecting the lseek(2), dup(2), and other system calls.

III. Impact

A local attacker may cause the operating system to crash by repeatedly calling fpathconf on a file descriptor until the reference count wraps to a negative value, and then calling close on that file descriptor. Similarly, it may be possible to cause a file descriptor to reference unallocated kernel memory, but remain valid. If a new file is later opened and the kernel allocates the new file structure at the same memory location, then an attacker may be able to gain read or write access to that file. This may in turn lead to privilege escalation.

IV. Workaround

There is no workaround.

V. Solution

The following patch has been verified to apply to FreeBSD 4.4, 4.5, 4.6, and 4.7 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

The question:

If I periodically upgrade with cvsup stable and compile the kernel, will it fix that problem, or must I patch only? Does cvsup replace all of the source?

---------------------------
Answer:

If you cvsup to stable it will fix it, and of course the patch will fix it.
But you still have to recompile your kernel, so if it was time for your cvsup stable then I would suggest you do that. Both will take some time. So I would go for the cvsup.

l8r
horcy

--
budsz

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 8 8:37:26 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC1AA37B401 for ; Wed, 8 Jan 2003 08:37:23 -0800 (PST) Received: from kumprang.or.id (mrtg.kumprang.or.id [202.143.103.227]) by mx1.FreeBSD.org (Postfix) with SMTP id AACF443E4A for ; Wed, 8 Jan 2003 08:37:04 -0800 (PST) (envelope-from budsz@kumprang.or.id) Received: (qmail 49375 invoked by uid 1008); 8 Jan 2003 16:39:58 -0000 Date: Wed, 8 Jan 2003 23:39:57 +0700 From: budsz To: horcy Cc: FreeBSD-Security Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Message-ID: <20030108163957.GA49337@kumprang.or.id> References: <20030108162158.GC48296@kumprang.or.id> <004101c2b732$89d59940$0201a8c0@JOS> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <004101c2b732$89d59940$0201a8c0@JOS> X-URL: "http://www.kumprang.or.id/~budsz/" X-Pubkey: "http://www.kumprang.or.id/~budsz/pubkey.txt" X-Pubkey-MD5: "http://www.kumprang.or.id/~budsz/pubkey-checksum.md5" X-Finger-Print: "A05A 268C 3CD4 ABBD D9EB 11E1 F64C 4B4E 6269 5304" X-Organization: "Internet Cafe and Game PC Kumprang" User-Agent: Mutt/1.5.3i X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jan 08, 2003 at 05:25:20PM +0100, horcy
wrote:
>The question:
>
>If I periodically upgrade with cvsup stable and compile the kernel, will it fix
>that problem, or must I patch only? Does cvsup replace all of the
>source?
>---------------------------
>Answer:
>
>If you cvsup to stable it will fix it, and of course the patch will fix it.
>But you still have to recompile your kernel, so if it was time for your
>cvsup stable then I would suggest you do that. Both will take some time.
>So I would go for the cvsup.

Ok, so I only recompile the kernel and fix that problem.

--
budsz

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 8 8:45:21 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4052437B401 for ; Wed, 8 Jan 2003 08:45:18 -0800 (PST) Received: from post-20.mail.nl.demon.net (post-20.mail.nl.demon.net [194.159.73.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id AEA6043E4A for ; Wed, 8 Jan 2003 08:45:17 -0800 (PST) (envelope-from apehaar@text-only.demon.nl) Received: from [212.238.193.97] (helo=JOS) by post-20.mail.nl.demon.net with smtp (Exim 3.36 #1) id 18WJKO-000HOh-00; Wed, 08 Jan 2003 16:45:16 +0000 Message-ID: <005201c2b735$5483aae0$0201a8c0@JOS> From: "horcy" To: "budsz" Cc: References: <20030108162158.GC48296@kumprang.or.id> <004101c2b732$89d59940$0201a8c0@JOS> <20030108163957.GA49337@kumprang.or.id> Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Date: Wed, 8 Jan 2003 17:45:19 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List
Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

>Ok, so I only recompile the kernel and fix that problem.

Yup.
But if you were planning to do a cvsup this week.
Why not do it now.
Saves you some time because the cvsup will contain the patch too ;)

horcy

----- Original Message -----
From: "budsz"
To: "horcy"
Cc: "FreeBSD-Security"
Sent: Wednesday, January 08, 2003 5:39 PM
Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc]

On Wed, Jan 08, 2003 at 05:25:20PM +0100, horcy wrote:
>The question:
>
>If I periodically upgrade with cvsup stable and compile the kernel, will it fix
>that problem, or must I patch only? Does cvsup replace all of the
>source?
>---------------------------
>Answer:
>
>If you cvsup to stable it will fix it, and of course the patch will fix it.
>But you still have to recompile your kernel, so if it was time for your
>cvsup stable then I would suggest you do that. Both will take some time.
>So I would go for the cvsup.

Ok, so I only recompile the kernel and fix that problem.
-- budsz To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 8 9: 1:20 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1762337B401 for ; Wed, 8 Jan 2003 09:01:18 -0800 (PST) Received: from smtp2.sentex.ca (smtp2.sentex.ca [199.212.134.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 519B143ED1 for ; Wed, 8 Jan 2003 09:01:17 -0800 (PST) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp2.sentex.ca (8.12.6/8.12.6) with ESMTP id h08H19PA016579; Wed, 8 Jan 2003 12:01:09 -0500 (EST) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.6/8.12.6) with ESMTP id h08H3NHY036967; Wed, 8 Jan 2003 12:03:26 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030108115322.05064cf0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Wed, 08 Jan 2003 12:04:00 -0500 To: budsz From: Mike Tancsa Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Cc: FreeBSD-Security In-Reply-To: <20030108163957.GA49337@kumprang.or.id> References: <004101c2b732$89d59940$0201a8c0@JOS> <20030108162158.GC48296@kumprang.or.id> <004101c2b732$89d59940$0201a8c0@JOS> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:39 PM 08/01/2003 +0700, budsz wrote: >Ok, so I'am only 
recompile kernel and fix that problem. Unless you really know what you are doing, you need to follow the procedures outlined in the handbook http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html Specifically, you really need to do a buildworld/buildkernel in http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html ---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 8 19: 1:22 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A328837B401 for ; Wed, 8 Jan 2003 19:01:19 -0800 (PST) Received: from kumprang.or.id (mrtg.kumprang.or.id [202.143.103.227]) by mx1.FreeBSD.org (Postfix) with SMTP id 211B143EE1 for ; Wed, 8 Jan 2003 19:01:14 -0800 (PST) (envelope-from budsz@kumprang.or.id) Received: (qmail 54983 invoked by uid 1008); 9 Jan 2003 03:03:59 -0000 Date: Thu, 9 Jan 2003 10:03:58 +0700 From: budsz To: horcy Cc: FreeBSD-Security Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Message-ID: <20030109030358.GA53970@kumprang.or.id> References: <20030108162158.GC48296@kumprang.or.id> <004101c2b732$89d59940$0201a8c0@JOS> <20030108163957.GA49337@kumprang.or.id> <005201c2b735$5483aae0$0201a8c0@JOS> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <005201c2b735$5483aae0$0201a8c0@JOS> X-URL: "http://www.kumprang.or.id/~budsz/" X-Pubkey: "http://www.kumprang.or.id/~budsz/pubkey.txt" X-Pubkey-MD5: "http://www.kumprang.or.id/~budsz/pubkey-checksum.md5" X-Finger-Print: "A05A 268C 3CD4 ABBD D9EB 11E1 F64C 4B4E 6269 5304" X-Organization: "Internet Cafe and Game PC Kumprang" User-Agent: Mutt/1.5.3i X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: 
(List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jan 08, 2003 at 05:45:19PM +0100, horcy wrote:
>Yup.
>But if you were planning to do a cvsup this week.
>Why not do it now.
>Saves you some time because the cvsup will contain the patch too ;)

Yeah, every day I'm doing cvsup via cron. :)
BTW, that bug is only core, right? I mean no remote exploit or something else?

--
budsz

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 8 19: 9:37 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D7AA437B401 for ; Wed, 8 Jan 2003 19:09:34 -0800 (PST) Received: from kumprang.or.id (netmon.kumprang.or.id [202.143.103.227]) by mx1.FreeBSD.org (Postfix) with SMTP id A5AF643EB2 for ; Wed, 8 Jan 2003 19:09:30 -0800 (PST) (envelope-from budsz@kumprang.or.id) Received: (qmail 55016 invoked by uid 1008); 9 Jan 2003 03:05:52 -0000 Date: Thu, 9 Jan 2003 10:05:51 +0700 From: budsz To: Mike Tancsa Cc: FreeBSD-Security Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Message-ID: <20030109030551.GB53970@kumprang.or.id> References: <004101c2b732$89d59940$0201a8c0@JOS> <20030108162158.GC48296@kumprang.or.id> <004101c2b732$89d59940$0201a8c0@JOS> <5.2.0.9.0.20030108115322.05064cf0@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.2.0.9.0.20030108115322.05064cf0@marble.sentex.ca> X-URL: "http://www.kumprang.or.id/~budsz/" X-Pubkey: "http://www.kumprang.or.id/~budsz/pubkey.txt" X-Pubkey-MD5: "http://www.kumprang.or.id/~budsz/pubkey-checksum.md5" X-Finger-Print: "A05A 268C 3CD4 ABBD D9EB 11E1 F64C 4B4E 6269 5304" X-Organization: "Internet Cafe and Game PC Kumprang" User-Agent: Mutt/1.5.3i X-Virus-Scanned: by AMaViS perl-11 Sender:
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jan 08, 2003 at 12:04:00PM -0500, Mike Tancsa wrote:
>At 11:39 PM 08/01/2003 +0700, budsz wrote:
>
>>Ok, so I only recompile the kernel and fix that problem.
>
>Unless you really know what you are doing, you need to follow the
>procedures outlined in the handbook
>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
>
>Specifically, you really need to do a buildworld/buildkernel in
>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

What! I think only recompile kernel after patch/cvsup, no make world, right?

--
budsz

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 8 22:38: 4 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 231C537B401 for ; Wed, 8 Jan 2003 22:38:02 -0800 (PST) Received: from straylight.ringlet.net (office.sbnd.net [217.75.140.130]) by mx1.FreeBSD.org (Postfix) with SMTP id D0B2243E4A for ; Wed, 8 Jan 2003 22:37:58 -0800 (PST) (envelope-from roam@ringlet.net) Received: (qmail 3315 invoked by uid 1000); 9 Jan 2003 06:37:20 -0000 Date: Thu, 9 Jan 2003 08:37:20 +0200 From: Peter Pentchev To: budsz Cc: Mike Tancsa , FreeBSD-Security Subject: Re: [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc] Message-ID: <20030109063720.GB381@straylight.oblivion.bg> Mail-Followup-To: budsz , Mike Tancsa , FreeBSD-Security References: <004101c2b732$89d59940$0201a8c0@JOS> <20030108162158.GC48296@kumprang.or.id> <004101c2b732$89d59940$0201a8c0@JOS> <5.2.0.9.0.20030108115322.05064cf0@marble.sentex.ca> <20030109030551.GB53970@kumprang.or.id> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="WYTEVAkct0FjGQmd" Content-Disposition: inline In-Reply-To: <20030109030551.GB53970@kumprang.or.id> User-Agent: Mutt/1.5.3i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--WYTEVAkct0FjGQmd Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Jan 09, 2003 at 10:05:51AM +0700, budsz wrote:
> On Wed, Jan 08, 2003 at 12:04:00PM -0500, Mike Tancsa wrote:
> >At 11:39 PM 08/01/2003 +0700, budsz wrote:
> >
> >>Ok, so I only recompile the kernel and fix that problem.
> >
> >Unless you really know what you are doing, you need to follow the
> >procedures outlined in the handbook
> >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
> >
> >Specifically, you really need to do a buildworld/buildkernel in
> >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html
>
> What! I think only recompile kernel after patch/cvsup, no make world, right?

It depends - sometimes there are changes in the kernel code that affect interfaces between the kernel and the userland programs. This is quite rare, especially in the -stable branch, but it happens - and when it does happen, a kernel rebuilt without the 'world' would leave you with a system that does not really do all it should.

Also, there are cases in which the __FreeBSD_version constant, which is stored in the kernel and exported to userland via the kern.osreldate sysctl, is used to determine whether the FreeBSD system has some specific feature. So-called 'FreeBSD_version bumps' are done when some important component of the FreeBSD base system changes, and other components (including ports) need to be made aware of that.
If you rebuild your kernel across a __FreeBSD_version bump, but your world is still the old one, such components may erroneously attempt to use the new features, leading to more failures.

In short, sometimes it is enough to rebuild the kernel, but to be on the safe side, always go through the procedure described in the makeworld.html linked to above.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
The rest of this sentence is written in Thailand, on

--WYTEVAkct0FjGQmd Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+HRig7Ri2jRYZRVMRAit4AKCJHaRGnZLnBHP/n9i1LNQjllFvswCgkCRc
rOXx6P3r4KQiVDLzZmkNZF0=
=sEQn
-----END PGP SIGNATURE-----

--WYTEVAkct0FjGQmd--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jan 9 2:34:15 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6307137B401 for ; Thu, 9 Jan 2003 02:34:12 -0800 (PST) Received: from server1.cis-consultants.com (ATuileries-106-2-1-64.abo.wanadoo.fr [193.252.218.64]) by mx1.FreeBSD.org (Postfix) with ESMTP id AAB0843F18 for ; Thu, 9 Jan 2003 02:34:10 -0800 (PST) (envelope-from ronan.lenozach@cis-consultants.com) Received: from CIS2KS01.cis-consultants (mail.cis-consultants [192.168.1.26]) by server1.cis-consultants.com (Postfix) with ESMTP id 239A4D3E6 for ; Thu, 9 Jan 2003 12:29:36 +0100 (CET) Received: from CIS2KS01.cis-consultants ([192.168.1.26]) by CIS2KS01.cis-consultants with Microsoft SMTPSVC(5.0.2195.5329); Thu, 9 Jan 2003 11:34:08 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Subject: IPsec in tunnel mode between Windows
2000 and FreeBSD content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300 Date: Thu, 9 Jan 2003 11:34:08 +0100 Message-ID: <0690CF9CCB18EE4EB57E4E26A0CEC7BB0EF212@cis2ks01.cis-consultants> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: IPsec in tunnel mode between Windows 2000 and FreeBSD Thread-Index: AcK3yqQB9+Jm7E7yTmW8Oe65rnfCcQ== From: "Ronan LE NOZACH" Importance: normal To: X-OriginalArrivalTime: 09 Jan 2003 10:34:08.0513 (UTC) FILETIME=[A4279710:01C2B7CA] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi everyone ! =20 I have to build an IPsec VPN between a Windows 2000 server (final host) = and a network behind a FreeBSD IPFW firewall with KAME/racoon. I want to = build this VPN with IPsec in tunnel mode and without L2TP ot IP in IP = encapsulation. After several tests, I managed IPsec communications : * between Windows 2000 and Linux-FreeS/Wan in transport mode and tunnel = mode * between Windows 2000 and FreeBSD-KAME in transport mode =20 But I didn't succeed to establish communications with IPsec in tunnel = mode between Windows 2000 and FreeBSD (actually, I managed IPsec = communications with IPsec in tunnel mode but only when both the Windows = 2000 server and the FreeBSD firewall are final hosts, which is not = sufficient because I want hosts in the network behind the firewall to be = able to communicate with the Windows 2000 server too !). So I'd like to = know if anyone has some experience or information about establishing = IPsec in tunnel mode between Windows 2000 and FreeBSD. If such = communication is not possible, does anyone know if IP in IP = encapsulation is possible with Windows 2000 ? 
Ronan Le Nozach
CIS Consultants
Paris
France

------------------------------------------------------------------
This message and any attachments are confidential or belong to CIS Consultants and are intended exclusively for its recipients. Any unauthorized disclosure, use, distribution or reproduction (in whole or in part) of this message, or of the information it contains, is prohibited. Any electronic message is susceptible to alteration. CIS Consultants declines all responsibility for this message if it has been modified or falsified.
------------------------------------------------------------------
This e-mail and any attachments contain confidential information belonging to CIS Consultants and are intended solely for the addressees. Any unauthorized disclosure, use, dissemination or copying (either whole or partial) of this e-mail, or any information it contains, is prohibited. E-mails are susceptible to alteration. Neither CIS Consultants shall be liable for the message if altered or falsified.

From owner-freebsd-security Fri Jan 10 14:40:49 2003
Date: Fri, 10 Jan 2003 14:37:46 -0800 (PST)
From: Mike Hoskins
To: security@freebsd.org
Subject: Re: Unix Password Expiration Questions
Message-ID: <20030110143510.F63003-100000@fubar.adept.org>

On Tue, 7 Jan 2003, Robinson, Rick wrote:

> :passwordtime=90d:\
> :warnpassword=5d:\
> And now the passwords expire if they haven't been changed after 90 days.
> However I have a couple of questions. Right now once your password is
> expired the system doesn't force you to change your password to a different
> password.

Most places I've seen do this using a 3rd party utility. These include passwd+, npasswd or epasswd. Here's a NASA article on epasswd, with references (URLs) to the other packages as well,

http://www.nas.nasa.gov/Groups/Security/epasswd/article.html

--
Mike Hoskins      This message is RFC 1855 compliant,
mike@adept.org    www.adept.org/pub/rfcs/rfc1855.html