From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 06:53:02 2003
From: Alexandru Balan
To: freebsd-security@freebsd.org
Date: 13 Apr 2003 16:53:00 +0300
Subject: chfn, chsh, ls, ps - INFECTED

My machine got hacked a few days ago through the samba bug. I
reinstalled everything, cvsuped src-all, and ran chkrootkit. No more LKM,
but still...
Can anyone please advise?

bash-2.05b# chkrootkit | grep INFECTED
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

-- 
Jay

From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 07:07:20 2003
From: "Nickolay A. Kritsky"
To: Alexandru Balan
cc: freebsd-security@freebsd.org
Date: Sun, 13 Apr 2003 18:07:46 +0400
Subject: Re: chfn, chsh, ls, ps - INFECTED
Hello Alexandru,

Sunday, April 13, 2003, 5:53:00 PM, you wrote:

AB> My machine got hacked a few days ago through the samba bug. I
AB> reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM
AB> but still...
AB> Can anyone please advise ?

AB> bash-2.05b# chkrootkit | grep INFECTED
AB> Checking `chfn'... INFECTED
AB> Checking `chsh'... INFECTED
AB> Checking `date'... INFECTED
AB> Checking `ls'... INFECTED
AB> Checking `ps'... INFECTED

This was mentioned on this list before. Is your system 5.x?

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 07:17:41 2003
From: Alexandru Balan
To: "Nickolay A. Kritsky"
cc: freebsd-security@freebsd.org
Date: 13 Apr 2003 17:17:38 +0300
Subject: Re: chfn, chsh, ls, ps - INFECTED

Yes, it is 5.x. I'm truly sorry if it was posted before, but I just
subscribed. I'll search in the archives.
Thank you

On Sun, 2003-04-13 at 17:07, Nickolay A. Kritsky wrote:
> Hello Alexandru,
> 
> Sunday, April 13, 2003, 5:53:00 PM, you wrote:
> 
> AB> My machine got hacked a few days ago through the samba bug. I
> AB> reinstalled everything cvsuped src-all, and ran chkrootkit. No more LKM
> AB> but still...
> AB> Can anyone please advise ?
> 
> AB> bash-2.05b# chkrootkit | grep INFECTED
> AB> Checking `chfn'... INFECTED
> AB> Checking `chsh'... INFECTED
> AB> Checking `date'... INFECTED
> AB> Checking `ls'... INFECTED
> AB> Checking `ps'... INFECTED
> 
> This was mentioned on this list before. Is your system 5.x ?
> 
> ;-------------------------------------------
> ; NKritsky
> ; mailto:nkritsky@internethelp.ru
-- 
Jy

From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 08:20:46 2003
From: Mark Shepard
To: freebsd-security@freebsd.org
Date: Sun, 13 Apr 2003 10:20:35 -0500
Subject: chroot() as non-root user?

I suspect this has been asked before but I'll ask anyway.

Q1: Is it possible for a non-root process to perform a chroot?

My interest is this: I have a typical ISP hosting account (verio; on a
FreeBSD 4.4 server.) I'd like to install and run various CGI packages, yet
protect myself (and my email, and my .ssh keys) from bugs being exploited
in those CGI packages. Chroot at the start of each CGI would do the trick,
but requires root. I suspect the answer here is "only root can do this"...
which leads me to ask, in general:

Q2: Why is chroot() only available to root? I'm aware of *one* security
issue: if a non-root user can perform chroot(), they can alter the
name-space "seen" by setuid programs, and potentially compromise them
(assuming a user-writable directory [like /tmp] on the same partition as a
setuid program.) Are there any other reasons? (Besides the issues with
fchdir() which I assume are adequately fixed). Assuming there aren't any
other issues leads to my last Q... Actually, a proposal:

Q3: Why not allow non-root users to chroot() _as long as the target dir.
is on a partition mounted nosuid_? Seems like this would be a simple
mechanism (both to understand and to implement) and would allow regular
users to take advantage of chroot to improve the security of scripts, CGIs,
etc.
Mark

From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 08:42:36 2003
From: Ruslan Ermilov
To: Mark Shepard
cc: freebsd-security@freebsd.org
Date: Sun, 13 Apr 2003 18:41:46 +0300
Subject: Re: chroot() as non-root user?

On Sun, Apr 13, 2003 at 10:20:35AM -0500, Mark Shepard wrote:
> 
> I suspect this has been asked before but I'll ask anyway.
> 
> Q1: Is it possible for a non-root process to perform a chroot?
> 
> My interest is this: I have a typical ISP hosting account (verio; on a
> FreeBSD 4.4 server.) I'd like to install and run various CGI packages, yet
> protect myself (and my email, and my .ssh keys) from bugs being exploited
> in those CGI packages. Chroot at the start of each CGI would do the trick,
> but requires root. I suspect the answer here is "only root can do this"...
> which leads me to ask, in general:
> 
Yes.

> Q2: Why is chroot() only available to root? I'm aware of *one* security
> issue: if a non-root user can perform chroot(), they can alter the
> name-space "seen" by setuid programs, and potentially compromise them
> (assuming a user-writable directory [like /tmp] on the same partition as a
> setuid program.) Are there any other reasons? (Besides the issues with
> fchdir() which I assume are adequately fixed). Assuming there aren't any
> other issues leads to my last Q... Actually, a proposal:
> 
You could then stuff ${CHROOTDIR}/etc with arbitrary password databases
that would allow you to su(1) there and do anything as root, e.g.,
ifconfig(8).

> Q3: Why not allow non-root users to chroot() _as long as the target dir.
> is on a partition mounted nosuid_? Seems like this would be a simple
> mechanism (both to understand and to implement) and would allow regular
> users to take advantage of chroot to improve the security of scripts, CGIs,
> etc.
> 
chroot(2) has no effect on the process's current directory; you
could hide (hard-link) the setuid program (su(1)) there, so
removing this protection on the syscall level can easily result
in a compromise.

chroot(8) changes the current working directory, but it's not
setuid root.
Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 16:13:21 2003
From: Pawel Jakub Dawidek
To: Ruslan Ermilov
cc: freebsd-security@freebsd.org
cc: Mark Shepard
Date: Mon, 14 Apr 2003 01:13:56 +0200
Subject: Re: chroot() as non-root user?

On Sun, Apr 13, 2003 at 06:41:46PM +0300, Ruslan Ermilov wrote:
+> chroot(2) has no effect on the process's current directory; you
+> could hide (hard-link) the setuid program (su(1)) there, so
+> removing this protection on the syscall level can easily result
+> in a compromise.
+> 
+> chroot(8) changes the current working directory, but it's not
+> setuid root.

And if kern.chroot_allow_open_directories is set to 0?

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 16:43:24 2003
From: Pawel Jakub Dawidek
To: Mark Shepard
cc: freebsd-security@freebsd.org
Date: Mon, 14 Apr 2003 01:44:00 +0200
Subject: Re: chroot() as non-root user?

On Sun, Apr 13, 2003 at 10:20:35AM -0500, Mark Shepard wrote:
+> Q3: Why not allow non-root users to chroot() _as long as the target dir.
+> is on a partition mounted nosuid_? Seems like this would be a simple
+> mechanism (both to understand and to implement) and would allow regular
+> users to take advantage of chroot to improve the security of scripts, CGIs,
+> etc.

You can do this with CerbNG (available at http://cerber.sourceforge.net).
Policy could look like this:

#define NONSUID_PATH "/path/to/nonsuid/dir/*"

if (syscall == SYS_chroot && ruid > 0 && ismember(GET_GID("chroot"), groups)) {
	reg[1] = realpath(arg[0]);
	if (reg[1] !@ NONSUID_PATH) {
		return(EPERM);
	}
	/* chdir first to that directory */
	setsyscall(SYS_chdir);
	reg[0] = call();
	if (reg[0] != 0) {
		return(reg[0]);
	}
	setsyscall(SYS_chroot);
	/* give uid 0 for this syscall */
	reg[0] = sucall();
	if (reg[0] != 0) {
		return(reg[0]);
	}
	log(LOG_INFO, "CerbNG:%s: %s(%s[%s]) (with euid 0).",
	    pname, syscallname, arg[0], reg[1]);
	return(0);
}

From now on members of group ,,chroot'' are able to use the chroot(2)
syscall without uid 0 if they want to chroot to some directory in
NONSUID_PATH.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 01:58:56 2003
From: "Nickolay A. Kritsky"
To: freebsd-security@freebsd.org
Date: Mon, 14 Apr 2003 12:59:24 +0400
Subject: (OT) rfc1948 question

Hi, folks @ freebsd-security.

First, I am not sure if this is an appropriate topic for this list, so
sorry if it is not.

Some time ago I read rfc1948 (protection from blind TCP spoofing) and
became interested in the way it is implemented in FreeBSD. After some
googling (BTW, if you like Google you might be interested in this:
http://register.spectator.ru/img/bart.gif ), I found this:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c
where in "Revision 1.73.2.22" one can read:

;------------------Begin clipboard----------------------------
Much delayed but now present: RFC 1948 style sequence numbers

In order to ensure security and functionality, RFC 1948 style initial
sequence number generation has been implemented. Barring any major
cryptographic breakthroughs, this algorithm should be unbreakable.
;--------------------End clipboard----------------------------

In the diff to the previous revision:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c.diff?r1=1.73.2.21&r2=1.73.2.22
it is said:

;------------------Begin clipboard----------------------------
+ * The ISNs in SYN-ACK packets have no monotonicity requirement,
+ * and should be as unpredictable as possible to avoid the possibility
+ * of spoofing and/or connection hijacking. To satisfy this
+ * requirement, SYN-ACK ISNs are generated via the arc4random()
+ * function. If exact RFC 1948 compliance is requested via sysctl,
+ * these ISNs will be generated just like those in SYN packets.
;--------------------End clipboard----------------------------

But then I took a quick glance at my fresh 4.6 box, and found that
SYN-ACK generation was moved to tcp_syncache.c. I did not manage to find
any rfc1948-related info in the CVS log for this file. Maybe I just missed
it. Then I just looked into my copy of tcp_syncache.c and found this:

;------------------Begin clipboard----------------------------
	if (tcp_syncookies)
		sc->sc_iss = syncookie_generate(sc);
	else
		sc->sc_iss = arc4random();
;--------------------End clipboard----------------------------

Is it the place where the SYN-ACK ISS is generated? If yes, then why is the
net.inet.tcp.syncookies sysctl turned on by default? Is arc4random not
random enough? Was there another reason to `request exact RFC 1948
compliance' by default?

I am not just curious about that issue (although I _am_ curious :) ), but
I am currently trying to understand the risks of trusted_hosts kind of
security from the rfc1948 point of view. I am not a cryptanalyst; well, to
be honest, I am totally new to cryptography, but from what I have read
arc4 (or RC4 - they are supposed to be identical) looks quite good as a
SPRNG given that the ARC4_MAXRUNS and ARC4_RESEED_SECONDS values are 16384
and 300s.

Can anybody shed some light on this topic or point me to a URL to read?
Any help is very good.
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 04:31:07 2003
From: GiZmen
To: freebsd-security@FreeBSD.ORG
Date: Mon, 14 Apr 2003 13:31:27 +0200
Subject: strange connection attempts

hello,

I have turned on the sysctl variables:

net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1

And I have plenty of strange connection attempts on the UDP protocol:

Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
Apr 13 23:56:53 pals /kernel: Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
Connection attempt to UDP xx.xx.x.xxx:12545 from 192.42.93.36:53
Apr 13 23:56:54 pals /kernel: Connection attempt to UDP xx.xx..xxx:12545 from 192.42.93.36:53
Connection attempt to UDP xx.xx.x.xxx:44308 from 192.42.93.36:53

I know that those connections are from DNS, but why does the kernel log
such a thing? I have a stateful firewall; all traffic to any port on the
UDP protocol is denied, and only those UDP datagrams from my resolver are
passed back through dynamic rules. These connections are caused by
returned queries from DNS servers.
Is it normal to have such connection attempts?

Can anybody help me solve my problem?

-- 
Best Regards:
GiZmen

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 04:41:30 2003
From: dawnshade
To: freebsd-security@FreeBSD.ORG
Date: Mon, 14 Apr 2003 15:42:26 +0400
Subject: Re: strange connection attempts

G> I have turned on sysctls variables:
G> net.inet.tcp.log_in_vain: 1
G> net.inet.udp.log_in_vain: 1
G> And i have plenty of strange connection attempts on udp protocol
G> Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
G> Apr 13 23:56:53 pals /kernel: Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
G> Connection attempt to UDP xx.xx.x.xxx:12545 from 192.42.93.36:53
G> Apr 13 23:56:54 pals /kernel: Connection attempt to UDP xx.xx..xxx:12545 from 192.42.93.36:53
G> Connection attempt to UDP xx.xx.x.xxx:44308 from 192.42.93.36:53
G> i know that those connections are from dns but why kernel logs such thing.
G> I have statufull firewall and all trafic to any port on UDP protocol are deny and
G> only those UDP datagrams from my resolver are passed back through dynamics rules.
G> These connections are caused by returned queruies from dns servers.
G> Is it normal to have such type connection attempts ?
G> Can anybody help me solve my problem.

I think yes. I got the same messages. The suspicion is on squid, when a
connection to some server is not completed or refused.

----------
root@some_hostname.ru$ echo "reboot" > /etc/rc&&reboot
----------

Best regards,
dawnshade                          mailto:h-k@mail.ru

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 05:18:03 2003
From: "Guy P."
To: freebsd-security@freebsd.org
Date: Mon, 14 Apr 2003 14:12:16 +0200
In-Reply-To: <20030414113127.GB3861@blurp.one.pl> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavis-milter (http://www.amavis.org/) Subject: Re: strange connection attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2003 12:18:03 -0000 At 13:31 14/04/2003, GiZmen wrote: >I have turned on sysctls variables: >net.inet.tcp.log_in_vain: 1 >net.inet.udp.log_in_vain: 1 > >And i have plenty of strange connection attempts on udp protocol > > Connection attempt to UDP xx.xx.x.xxx:55414 from > 192.43.172.34:53 > Apr 13 23:56:53 pals /kernel: Connection attempt to UDP > xx.xx.x.xxx:55414 from 192.43.172.34:53 > Connection attempt to UDP xx.xx.x.xxx:12545 from > 192.42.93.36:53 > Apr 13 23:56:54 pals /kernel: Connection attempt to UDP xx.xx..xxx:12545 > from 192.42.93.36:53 > Connection attempt to UDP xx.xx.x.xxx:44308 from 192.42.93.36:53 > >i know that those connections are from dns but why kernel logs such thing. >I have statufull firewall and all trafic to any port on UDP protocol are >deny and >only those UDP datagrams from my resolver are passed back through dynamics >rules. >These connections are caused by returned queruies from dns servers. >Is it normal to have such type connection attempts ? > >Can anybody help me solve my problem. Yes it is normal. What happens is : 1) your system have to resolve a name. So it send querys to all(?) the multiple NS listed in /etc/resolv.conf 2) as soon it got the reply from one of the queried NS, it unbind the udp socket(s) it was listening on. 3) the slower-answering NS packets are still forwarded back by your statefull firewall, but as your resolver process is no longer listening, these latter replys are logged as unattended connection attempts. 
This could also happen if some timeout value was reached. Take this just as a wild guess on my side, as I'm not familiar with the internal resolver lib intrinsics.

Nothing to care about as long as these "connection attempts" come from the NS that are listed in your resolv.conf.

If you mind about these "false positives", I'd suggest using a log analyzer utility such as /usr/ports/security/logcheck and instructing it to ignore these log entries.

--
Guy

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 08:15:21 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0692C37B401 for ; Mon, 14 Apr 2003 08:15:21 -0700 (PDT)
Received: from kurdistan.ath.cx (adsl-64-169-155-173.dsl.chic01.pacbell.net [64.169.155.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21A2343FBD for ; Mon, 14 Apr 2003 08:15:20 -0700 (PDT) (envelope-from sereciya@kurdistan.ath.cx)
Received: from kurdistan.ath.cx (ns1 [127.0.0.1]) by kurdistan.ath.cx (8.12.8/8.12.6) with ESMTP id h3EFFK04091121 for ; Mon, 14 Apr 2003 08:15:20 -0700 (PDT) (envelope-from sereciya@kurdistan.ath.cx)
Received: (from sereciya@localhost) by kurdistan.ath.cx (8.12.8/8.12.6/Submit) id h3EFFKqu091120 for freebsd-security@freebsd.org; Mon, 14 Apr 2003 08:15:20 -0700 (PDT)
Date: Mon, 14 Apr 2003 08:15:20 -0700
From: Sêrêciya Kurdistanî
To: freebsd-security@freebsd.org
Message-ID: <20030414151520.GD33167@kurdistan.ath.cx>
References: <20030414113127.GB3861@blurp.one.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20030414113127.GB3861@blurp.one.pl>
User-Agent: Mutt/1.4i
Subject: Re: strange connection attempts
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 14 Apr 2003 15:15:21 -0000

Hello,

> And I have plenty of strange connection attempts on the UDP protocol
>
> Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
> Apr 13 23:56:53 pals /kernel: Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
> Connection attempt to UDP xx.xx.x.xxx:12545 from 192.42.93.36:53
> Apr 13 23:56:54 pals /kernel: Connection attempt to UDP xx.xx..xxx:12545 from 192.42.93.36:53
> Connection attempt to UDP xx.xx.x.xxx:44308 from 192.42.93.36:53
>
> I know that those connections are from DNS, but why does the kernel log such a thing?
> I have a stateful firewall and all traffic to any port on the UDP protocol is denied and
> only those UDP datagrams from my resolver are passed back through dynamic rules.

Which is your IP address? The "xxx" or the 192.42.93.36?

If your address is the "xxx" then you're fine. DNS often uses the UDP protocol.

However, if it's the other way around and your address is 192.42... then, it means that the upstream DNS server is trying to get updates from you. Are you running a DNS server yourself?

--$êrêciya Kurdistanî

+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me        |
| nêzîk e.                                                     |
|                                                              |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan       |
| kesên xwînperest, ne jî ji yên din.                          |
|                                                              |
|                                         -$êrêciya Kurdistanî |
+--------------------------------------------------------------+

translation provided on request: sereciya@kurdistan.ath.cx

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 11:02:32 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7681C37B404 for ; Mon, 14 Apr 2003 11:02:32 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F1EF43FB1 for ; Mon, 14 Apr 2003 11:02:31 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h3EI2UUp049333 for ; Mon, 14 Apr 2003 11:02:30 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h3EI2ULu049328 for security@freebsd.org; Mon, 14 Apr 2003 11:02:30 -0700 (PDT)
Date: Mon, 14 Apr 2003 11:02:30 -0700 (PDT)
Message-Id: <200304141802.h3EI2ULu049328@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 14 Apr 2003 18:02:32 -0000

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 12:44:10 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57E2A37B401 for ; Mon, 14 Apr 2003 12:44:10 -0700 (PDT)
Received: from blurp.one.pl
 (blurp.t4.ds.pwr.wroc.pl [156.17.226.240]) by mx1.FreeBSD.org (Postfix) with SMTP id E4B3243F85 for ; Mon, 14 Apr 2003 12:44:06 -0700 (PDT) (envelope-from gizmen@blurp.one.pl)
Received: (qmail 49101 invoked by uid 1002); 14 Apr 2003 19:44:31 -0000
Date: Mon, 14 Apr 2003 21:44:31 +0200
From: GiZmen
To: freebsd-security@FreeBSD.ORG
Message-ID: <20030414194431.GA48589@blurp.one.pl>
References: <20030414113127.GB3861@blurp.one.pl> <20030414151520.GD33167@kurdistan.ath.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030414151520.GD33167@kurdistan.ath.cx>
User-Agent: Mutt/1.5.4i
Subject: Re: strange connection attempts
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 14 Apr 2003 19:44:10 -0000

> Hello,
>
> > And I have plenty of strange connection attempts on the UDP protocol
> >
> > Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
> > Apr 13 23:56:53 pals /kernel: Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
> > Connection attempt to UDP xx.xx.x.xxx:12545 from 192.42.93.36:53
> > Apr 13 23:56:54 pals /kernel: Connection attempt to UDP xx.xx..xxx:12545 from 192.42.93.36:53
> > Connection attempt to UDP xx.xx.x.xxx:44308 from 192.42.93.36:53
> >
> > I know that those connections are from DNS, but why does the kernel log such a thing?
> > I have a stateful firewall and all traffic to any port on the UDP protocol is denied and
> > only those UDP datagrams from my resolver are passed back through dynamic rules.
>
> Which is your IP address? The "xxx" or the 192.42.93.36?
>
> If your address is the "xxx" then you're fine. DNS often uses the UDP
> protocol.
>
> However, if it's the other way around and your address is 192.42...
> then, it means that the upstream DNS server is trying to get updates from
> you.
>
> Are you running a DNS server yourself?
---end quoted text---

My address is "xxx" and 192.43..... is an example address of a DNS server.

I know that DNS uses the UDP protocol, but is it normal to have these connection attempts??

I'm running only a local dnscache (from djbdns) on my box. I don't have any DNS server. I have plenty of such connections from DNS servers, and I turned off sysctl net.inet.udp.log_in_vain=0 because this starts to annoy me :(

--
Best Regards:
GiZmen

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 13:03:30 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E202337B401 for ; Mon, 14 Apr 2003 13:03:30 -0700 (PDT)
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 52F6343FBD for ; Mon, 14 Apr 2003 13:03:30 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-159-107.client.attbi.com[12.234.159.107]) by rwcrmhc52.attbi.com (rwcrmhc52) with ESMTP id <2003041420032905200litite>; Mon, 14 Apr 2003 20:03:29 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.8p1/8.12.3) with ESMTP id h3EK3Tki022192; Mon, 14 Apr 2003 13:03:29 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.8p1/8.12.8/Submit) id h3EK3P8q022191; Mon, 14 Apr 2003 13:03:25 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Mon, 14 Apr 2003 13:03:25 -0700
From: "Crist J.
 Clark"
To: GiZmen
Message-ID: <20030414200325.GB21249@blossom.cjclark.org>
References: <20030414113127.GB3861@blurp.one.pl> <20030414151520.GD33167@kurdistan.ath.cx> <20030414194431.GA48589@blurp.one.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030414194431.GA48589@blurp.one.pl>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
cc: freebsd-security@FreeBSD.ORG
Subject: Re: strange connection attempts
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Crist J. Clark"
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 14 Apr 2003 20:03:31 -0000

On Mon, Apr 14, 2003 at 09:44:31PM +0200, GiZmen wrote:
[snip]
> my address is "xxx" and 192.43..... is an example address of a DNS server.
>
> I know that DNS uses the UDP protocol, but is it normal to have these connection
> attempts??

Someone else already explained this. It comes down to: the timeout of your DNS application is shorter than the timeout on the firewall.

Your DNS application sends out a query and waits... and gives up. When it gives up, it closes the socket. However, the DNS server Out There manages to still return a response some time later. Your firewall has not timed out the UDP "connection" yet, so the response comes through. But there is no listening socket anymore, so it gets logged_in_vain.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 18:39:14 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DE1837B401 for ; Mon, 14 Apr 2003 18:39:14 -0700 (PDT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 4435843FB1 for ; Mon, 14 Apr 2003 18:39:13 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 68539 invoked from network); 15 Apr 2003 01:39:12 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 15 Apr 2003 01:39:12 -0000
X-pair-Authenticated: 209.68.2.70
Date: Mon, 14 Apr 2003 15:35:18 -0500 (CDT)
From: Mike Silbersack
To: "Nickolay A. Kritsky"
In-Reply-To: <177486502273.20030414125924@internethelp.ru>
Message-ID: <20030414151700.L96953@odysseus.silby.com>
References: <177486502273.20030414125924@internethelp.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: (OT) rfc1948 question
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 15 Apr 2003 01:39:14 -0000

On Mon, 14 Apr 2003, Nickolay A. Kritsky wrote:

> Hi, folks @ freebsd-security.
>
> First, I am not sure if this is an appropriate topic for that list, so
> sorry, if it is not.

I think it's the first on-topic post in years. :)

> Is it the place where synack iss is generated? If yes, then why
> net.inet.tcp.syncookies sysctl is turned on by default? Is arc4random
> not enough random? Was there another reason to `request exact RFC 1948
> compliance' by default?
> I am not just curious about that issue
> (although I _am_ curious :) ), but I am currently trying to understand
> the risks of trusted_hosts kind of security from rfc1948 point of view.
> I am not some cryptoanalyst, well to be honest I am totally new in
> cryptography, but from what I have read arc4 (or RC4 - they supposed
> to be identical) looks quite good as SPRNG given ARC4_MAXRUNS and
> ARC4_RESEED_SECONDS values are 16384 and 300s. Can anybody shed some
> light on this topic or point me to the URL to read.
>
> Any help is very good.
> ;-------------------------------------------
> ; NKritsky

Ok, I've been planning to write a little paper talking about our choices in how FreeBSD generates sequence numbers, I guess I'll give you a quick overview.

RFC1948 specifies that its algorithm be used for generating ISNs in SYN-ACK and SYN packets. However, RFC1948 is flawed in that it is _completely_ predictable for a given IP / port pair to anyone who has used that IP. So, if we used RFC1948 for SYN-ACK generation, all you would have to do is dialup from an AOL dynamic IP address once and connect to a FreeBSD box. From that point on, you would be able to spoof connections coming from that AOL dynamic IP until the box was rebooted.

So, FreeBSD does not use RFC1948 for SYN-ACK packets, only SYN packets.

Using RFC1948 for SYN packets isn't perfect, but it's an acceptable risk. Knowing the sequence number of a SYN may allow you to inject data and/or reset a connection. However, looking back at the AOL dynamic IP example, you can see that this is not an important case; any important server would be on a static IP, so you wouldn't be able to interfere with FreeBSD -> other server connections. Despite 1948's shortcomings, it's the best solution for SYN usage right now. Due to historical checks done during TIME-WAIT recycling on server-side sockets, we have to maintain monotonicity at all times in order to ensure that recycling works properly.
(Luckily, SYN-ACK packets have no such monotonicity requirements, despite what certain people keep claiming.)

So, FreeBSD's sequence number generation looks like this:

SYN packets: stock RFC1948
SYN-ACK packets: arc4random or syncookies, depending on sysctl setting

Now, to answer your question about syncookies: Yes, arc4random() generated SYN-ACK packets are more secure than syncookies. However, syncookies exist to solve a practical problem: syn flooding. If we tried to keep a listen queue entry for every SYN-ACK packet we sent out, and we were being flooded with 5000 SYN-ACKs a second, we would have to store tens of thousands of entries, which is not very feasible. Syncookies, on the other hand, require us to store no state, thereby allowing us to keep the memory used during a synflood bounded. While they do increase our susceptibility to spoofing a small amount, the tradeoff is worth it. And, if you disagree, the sysctl is there for your use.

Note that syncookies do nothing to solve the problem of network bandwidth being used by a synflood attack; if an attacker can fill your uplink with bogus packets, syncookies can't do much to help.

Also note that our initial syncookie implementation was flawed, and should be patched or disabled if you're running a 4.7 or older kernel. (See the recent security advisory for more info.)

I hope that helps your understanding of the issues involved in TCP sequence number generation.
Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Tue Apr 15 00:24:23 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C696437B401 for ; Tue, 15 Apr 2003 00:24:23 -0700 (PDT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 1752343F3F for ; Tue, 15 Apr 2003 00:24:23 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 30471 invoked from network); 15 Apr 2003 07:24:22 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 15 Apr 2003 07:24:22 -0000
X-pair-Authenticated: 209.68.2.70
Date: Mon, 14 Apr 2003 21:20:32 -0500 (CDT)
From: Mike Silbersack
To: Alexander Leidinger
In-Reply-To: <20030415084328.7d8d4237.Alexander@Leidinger.net>
Message-ID: <20030414211944.Q1633@odysseus.silby.com>
References: <177486502273.20030414125924@internethelp.ru> <20030415084328.7d8d4237.Alexander@Leidinger.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: (OT) rfc1948 question
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 15 Apr 2003 07:24:24 -0000

On Tue, 15 Apr 2003, Alexander Leidinger wrote:

> On Mon, 14 Apr 2003 15:35:18 -0500 (CDT)
> Mike Silbersack wrote:
>
> > Also note that our initial syncookie implementation was flawed, and
> > should be patched or disabled if you're running a 4.7 or older kernel.
> > (See the recent security advisory for more info.)
>
> If I read UPDATING correctly, it's patched in a 4.7-p6 kernel, so this
> should be "if you're running a 4.7-p5 or older kernel".
>
> Bye,
> Alexander.

Sounds right.
The security branches which the SA says are patched can be trusted, I just assumed that everyone knew that.

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Tue Apr 15 07:04:41 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F5BB37B404 for ; Tue, 15 Apr 2003 07:04:41 -0700 (PDT)
Received: from gamk.com.br (3-039.ctame701-5.telepar.net.br [200.181.180.39]) by mx1.FreeBSD.org (Postfix) with SMTP id 6202243FE1 for ; Tue, 15 Apr 2003 07:04:37 -0700 (PDT) (envelope-from linke@calnet.com.br)
Received: (qmail 32008 invoked from network); 15 Apr 2003 14:05:54 -0000
Received: from unknown (HELO casa.gamk.com.br) (127.0.0.1) by 0 with SMTP; 15 Apr 2003 14:05:54 -0000
Date: Tue, 15 Apr 2003 11:05:54 -0300
From: Diego Linke - GAMK
To: freebsd-security@freebsd.org
Message-Id: <20030415110554.7042acca.linke@calnet.com.br>
X-Mailer: GAMK - Mail User Agent
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
cc: freebsd-questions@freebsd.org
Subject: VPN with Nortel
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 15 Apr 2003 14:04:41 -0000

Hi,

I need to make a VPN between a FreeBSD and a Nortel... Is the IPSec of FreeBSD compatible for this? Will I have to use racoon to make ISAKMP, or can I make it without it?
--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464

From owner-freebsd-security@FreeBSD.ORG Tue Apr 15 14:24:09 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5E7D537B405 for ; Tue, 15 Apr 2003 14:24:09 -0700 (PDT)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9606B43F3F for ; Tue, 15 Apr 2003 14:24:06 -0700 (PDT) (envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001) id 5972C3ABB59; Tue, 15 Apr 2003 23:24:56 +0200 (CEST)
Date: Tue, 15 Apr 2003 23:24:56 +0200
From: Pawel Jakub Dawidek
To: Sascha Luck
Message-ID: <20030415212456.GY52293@garage.freebsd.pl>
References: <200304011409.25515.bofh@online.ie> <5639.1049203140@www34.gmx.net> <200304011603.45365.bofh@online.ie>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="6ysXqiu0yoUmUNJB"
Content-Disposition: inline
In-Reply-To: <200304011603.45365.bofh@online.ie>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.8-RELEASE i386
X-URL: http://garage.freebsd.pl
User-Agent: Mutt/1.5.1i
cc: freebsd-security@freebsd.org
Subject: Re: Jails and multihoming
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 15 Apr 2003 21:24:09 -0000

--6ysXqiu0yoUmUNJB
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Apr 01, 2003 at 04:03:37PM +0100, Sascha Luck wrote:
+> > > are there any plans to allow FreeBSD jails to bind to more than one
+> > > IP address?
+> >
+> > http://garage.freebsd.pl/mijail.tbz
+> > http://garage.freebsd.pl/mijail.README
+>
+> Thanks very much, I'll give that a try. It looks like it's only a
+> proof-of-concept, but is this patch going to be committed into the
+> mainstream source?

This patch doesn't handle INADDR_ANY correctly. I've prepared a new one, but for FreeBSD-CURRENT:

http://garage.freebsd.pl/mijail5.patch

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

--6ysXqiu0yoUmUNJB
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
-----END PGP SIGNATURE-----

--6ysXqiu0yoUmUNJB--

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 13:59:56 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CEED437B404 for ; Thu, 17 Apr 2003 13:59:56 -0700 (PDT)
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id E725543FBD for ; Thu, 17 Apr 2003 13:59:55 -0700 (PDT) (envelope-from apeiron@comcast.net)
Received: from [192.168.0.8] (pcp01380957pcs.levtwn01.pa.comcast.net [68.81.162.166]) by mtaout10.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) security@freebsd.org; Thu, 17 Apr 2003 16:50:28 -0400 (EDT)
Date: Thu, 17 Apr 2003 16:51:15 -0400
From: Christopher Nehren
To: security@freebsd.org
Message-id: <1050612674.1534.22.camel@prophecy.dyndns.org>
MIME-version: 1.0
X-Mailer: Ximian Evolution 1.2.4
Content-type: multipart/signed; boundary="=-7HDuwzlPlR5r5UuaIUNP";
 protocol="application/pgp-signature"; micalg=pgp-sha1
Subject: [Fwd: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 17 Apr 2003 20:59:57 -0000

--=-7HDuwzlPlR5r5UuaIUNP
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

I figured that someone reading this list might want to take a look at the proceeding, considering that the version of Snort in FreeBSD ports -is- affected.

-----Forwarded Message-----

> From: CERT Advisory
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
> Date: 17 Apr 2003 11:30:47 -0400
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
>
> Original release date: April 17, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Snort IDS, versions 1.8 through 2.0 RC1
>
> Overview
>
> There are two vulnerabilities in the Snort Intrusion Detection System,
> each in a separate preprocessor module. Both vulnerabilities allow
> remote attackers to execute arbitrary code with the privileges of the
> user running Snort, typically root.
>
> I. Description
>
> The Snort intrusion detection system ships with a variety of
> preprocessor modules that allow the user to selectively include
> additional functionality. Researchers from two independent
> organizations have discovered vulnerabilities in two of these modules,
> the RPC preprocessor and the "stream4" TCP fragment reassembly
> preprocessor.
>
> For additional information regarding Snort, please see
>
> http://www.snort.org/.
>
> VU#139129 - Heap overflow in Snort "stream4" preprocessor (CAN-2003-0029)
>
> Researchers at CORE Security Technologies have discovered a remotely
> exploitable heap overflow in the Snort "stream4" preprocessor module.
> This module allows Snort to reassemble TCP packet fragments for
> further analysis.
>
> To exploit this vulnerability, an attacker must disrupt the state
> tracking mechanism of the preprocessor module by sending a series of
> packets with crafted sequence numbers. This causes the module to
> bypass a check for buffer overflow attempts and allows the attacker to
> insert arbitrary code into the heap.
>
> For additional information, please read the Core Security Technologies
> Advisory located at
>
> http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
>
> This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
> to RC1. Snort has published an advisory regarding this vulnerability;
> it is available at
>
> http://www.snort.org/advisories/snort-2003-04-16-1.txt.
>
> VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)
>
> Researchers at Internet Security Systems (ISS) have discovered a
> remotely exploitable buffer overflow in the Snort RPC preprocessor
> module. Martin Roesch, primary developer for Snort, described the
> vulnerability as follows:
>
> When the RPC decoder normalizes fragmented RPC records, it
> incorrectly checks the lengths of what is being normalized against
> the current packet size, leading to an overflow condition. The RPC
> preprocessor is enabled by default.
>
> For additional information, please read the ISS X-Force advisory
> located at
>
> http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
>
> This vulnerability affects Snort versions 1.8.x through 1.9.1 and
> version 2.0 Beta.
>
> II.
> Impact
>
> Both VU#139129 and VU#916785 allow remote attackers to execute
> arbitrary code with the privileges of the user running Snort,
> typically root. In addition, it is not necessary for the attacker to
> know the IP address of the Snort device they wish to attack; merely
> sending malicious traffic where it can be observed by an affected
> Snort sensor is sufficient to exploit these vulnerabilities.
>
> III. Solution
>
> Upgrade to Snort 2.0
>
> Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
> is available at
>
> http://www.snort.org/dl/snort-2.0.0.tar.gz
>
> Binary-only versions of Snort are available from
>
> http://www.snort.org/dl/binaries
>
> For information from other vendors that ship affected versions of
> Snort, please see Appendix A of this document.
>
> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
>
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.
>
> Block outbound packets from Snort IDS systems
>
> You may be able to limit an attacker's capabilities if the system is
> compromised by blocking all outbound traffic from the Snort sensor.
> While this workaround will not prevent exploitation of the
> vulnerability, it may make it more difficult for the attacker to
> create a useful exploit.
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Snort is not shipped with Mac OS X or Mac OS X Server.
>
> Ingrian Networks
>
> Ingrian Networks products are not susceptible to VU#139129 and
> VU#916785 since they do not use Snort.
>
> Ingrian customers who are using the IDS Extender Service Engine to
> mirror cleartext data to a Snort-based IDS should upgrade their IDS
> software.
>
> NetBSD
>
> NetBSD does not include snort in the base system.
>
> Snort is available from the 3rd party software system, pkgsrc. Users
> who have installed net/snort, net/snort-mysql or net/snort-pgsql
> should update to a fixed version. pkgsrc/security/audit-packages can
> be used to keep up to date with these types of issues.
>
> Red Hat Inc.
>
> Not vulnerable. Red Hat does not ship Snort in any of our supported
> products.
>
> SGI
>
> SGI does not ship snort as part of IRIX.
>
> Snort
>
> Snort 2.0 has undergone an external third party professional security
> audit funded by Sourcefire.
> _________________________________________________________________
>
> The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and
> Alejandro David Weil of Core Security Technologies for their discovery
> of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS
> X-Force for their discovery of VU#916785.
> _________________________________________________________________
>
> Authors: Jeffrey P. Lanza and Cory F. Cohen.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-13.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material.
> Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2003 Carnegie Mellon University.
>
> Revision History
> April 17, 2003: Initial release

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 14:14:54 2003
From: Sergey A. Osokin
Reply-To: osa@FreeBSD.org.ru
To: Christopher Nehren
cc: security@freebsd.org
Date: Fri, 18 Apr 2003 01:14:51 +0400 (MSD)
Message-ID: <20030417211451.GM82446@freebsd.org.ru>
In-Reply-To: <1050612674.1534.22.camel@prophecy.dyndns.org>
Subject: Re: [Fwd: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors]

On Thu, Apr 17, 2003 at 04:51:15PM -0400, Christopher Nehren wrote:
> I figured that someone reading this list might want to take a look at
> the proceeding, considering that the version of Snort in FreeBSD ports
> -is- affected.

Yes, you are right.
Please look at
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/51106
for review/test.
Thanks.
--
Rgdz,                          /"\  ASCII RIBBON CAMPAIGN
Sergey Osokin aka oZZ,         \ /  AGAINST HTML MAIL
http://ozz.pp.ru/               X   AND NEWS
                               / \

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 14:49:45 2003
From: Kris Kennaway
To: security@freeBSD.org
Date: Thu, 17 Apr 2003 14:49:43 -0700
Message-ID: <20030417214943.GA92499@rot13.obsecurity.org>
Subject: [kris@FreeBSD.org: cvs commit: ports/security/snort Makefile distinfo pkg-plist ports/security/snort/files patch-snort.c]
FYI

Kris

----- Forwarded message from Kris Kennaway -----

From: Kris Kennaway
Date: Thu, 17 Apr 2003 14:45:03 -0700 (PDT)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/security/snort Makefile distinfo pkg-plist ports/security/snort/files patch-snort.c
X-FreeBSD-CVS-Branch: HEAD

kris        2003/04/17 14:45:03 PDT

  FreeBSD ports repository

  Modified files:
    security/snort       Makefile distinfo pkg-plist
    security/snort/files patch-snort.c
  Log:
  Update to snort 2.0.0.  This fixes a security vulnerability:

    The Sourcefire Vulnerability Research Team has learned of an integer
    overflow in the Snort stream4 preprocessor used by the Sourcefire
    Network Sensor product line.  The Snort stream4 preprocessor
    (spp_stream4) incorrectly calculates segment size parameters during
    stream reassembly for certain sequence number ranges which can lead to
    an integer overflow that can be expanded to a heap overflow.

  PR:           51106
  Submitted by: Sergey A. Osokin

  Revision  Changes  Path
  1.34      +2 -2    ports/security/snort/Makefile
            http://cvsweb.FreeBSD.org/ports/security/snort/Makefile.diff?r1=1.33&r2=1.34
  1.19      +1 -1    ports/security/snort/distinfo
            http://cvsweb.FreeBSD.org/ports/security/snort/distinfo.diff?r1=1.18&r2=1.19
  1.4       +7 -32   ports/security/snort/files/patch-snort.c
            http://cvsweb.FreeBSD.org/ports/security/snort/files/patch-snort.c.diff?r1=1.3&r2=1.4
  1.10      +0 -2    ports/security/snort/pkg-plist
            http://cvsweb.FreeBSD.org/ports/security/snort/pkg-plist.diff?r1=1.9&r2=1.10

----- End forwarded message -----

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 14:55:11 2003
From: Christopher Nehren
To: osa@FreeBSD.org.ru
Date: Thu, 17 Apr 2003 17:46:55 -0400
Message-id: <1050616015.1534.44.camel@prophecy.dyndns.org>
In-reply-to: <20030417211451.GM82446@freebsd.org.ru>
cc: security@freebsd.org
Subject: Re: CERT Advisory for Snort in Ports

On Thu, 2003-04-17 at 17:14, Sergey A. Osokin wrote:
> Yes, you are right.
> Please look at
> http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/51106
> for review/test.
> Thanks.

Ah, thanks. For some reason I'm not surprised that the information for the update is already there. =) I applied the patch that you submitted, and removed the files/patch-snort.c file, and everything works quite well.

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 15:01:29 2003
From: Sergey A. Osokin
Reply-To: osa@FreeBSD.org.ru
To: Christopher Nehren
cc: security@freebsd.org
Date: Fri, 18 Apr 2003 02:01:25 +0400 (MSD)
Message-ID: <20030417220125.GO82446@freebsd.org.ru>
In-Reply-To: <1050616015.1534.44.camel@prophecy.dyndns.org>
Subject: Re: CERT Advisory for Snort in Ports

On Thu, Apr 17, 2003 at 05:46:55PM -0400, Christopher Nehren wrote:
> On Thu, 2003-04-17 at 17:14, Sergey A. Osokin wrote:
> > Yes, you are right.
> > Please look at
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/51106
> > for review/test.
> > Thanks.
>
> Ah, thanks. For some reason I'm not surprised that the information for
> the update is already there. =) I applied the patch that you submitted,
> and removed the files/patch-snort.c file, and everything works quite
> well.

Please use a fresh copy of security/snort. It's much more complete.
--
Rgdz,                          /"\  ASCII RIBBON CAMPAIGN
Sergey Osokin aka oZZ,         \ /  AGAINST HTML MAIL
http://ozz.pp.ru/               X   AND NEWS
                               / \

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 15:31:51 2003
From: Christopher Nehren
To: Kris Kennaway
cc: security@freebsd.org
Date: Thu, 17 Apr 2003 18:25:32 -0400
Message-id: <1050618332.1534.48.camel@prophecy.dyndns.org>
In-reply-to: <20030417215940.GA92602@rot13.obsecurity.org>
Subject: Re: CERT Advisory for Snort in Ports

On Thu, 2003-04-17 at 17:59, Kris Kennaway wrote:
> Note that patch-snort.c should not have been completely removed. Use
> the version I committed instead.

I know -- but what I didn't know was that we have a committer watching the mailing list ready to fix it. =)

From owner-freebsd-security@FreeBSD.ORG Fri Apr 18 12:50:21 2003
From: Christopher Nehren
To: security@freebsd.org
Date: Fri, 18 Apr 2003 15:50:43 -0400
Message-id: <1050695443.1534.86.camel@prophecy.dyndns.org>
Subject: [Fwd: Xinetd 2.3.10 Memory Leaks]
I just submitted a PR for this (haven't even gotten the confirmation email), but since not everyone tracks the GNATS CVS distribution, I figured that I'd send it here as well.

-----Forwarded Message-----

> From: Steve Grubb
> To: bugtraq@securityfocus.com
> Subject: Xinetd 2.3.10 Memory Leaks
> Date: 18 Apr 2003 16:18:36 +0000
>
> BACKGROUND
> -----------
>
> Xinetd is a popular inetd replacement. Shortly after the 2.3.9 release in September 2002, it was realized that xinetd was leaking file descriptors. That problem turned out to be that file descriptors were not always being closed whenever a connection was rejected. 2.3.10 was released with this fixup among others in January.
>
> Sometime in February, a machine that I admin was hit by an ftp worm. It created > 5000 connections in 1 second. Xinetd promptly keeled over. Xinetd had been running for over a month with no downtime. The machine has next to no ftp traffic and only from 2 sources, so it was configured to be run via xinetd rejecting connections via tcp_wrappers. The machine had weathered worm attacks in the past, so this puzzled me.
>
> TESTING
> -------
>
> Eventually, I started looking at xinetd with valgrind. I used the following commandline:
>
>   valgrind --leak-check=yes --leak-resolution=med --num-callers=8 \
>     --logfile-fd=9 /usr/sbin/xinetd -d -pidfile /var/run/xinetd.pid \
>     -stayalive 9> out.txt
>
> Depending on your setup, you may need to use something higher than 9. Xinetd was tested on connections that succeed and connections that are rejected due to configuration settings. The easiest way to test this is to use the following setup for chargen:
>
>   service chargen
>   {
>       type         = INTERNAL
>       user         = root
>       protocol     = tcp
>       wait         = no
>       access_times = 2:00-3:00
>       # only_from  = 192.168.1.3/24
>       # no_access  = 192.168.1.3/24
>   }
>
> The point is to set it up in a way that the connection is guaranteed to be rejected. Then do a:
>
>   telnet localhost chargen
>   After a couple seconds "ctl-] quit"
>   Then, /etc/rc.d/init.d/xinetd stop
>
> Valgrind reports the following:
>
>   ==18939== 144 bytes in 1 blocks are definitely lost in loss record 36 of 45
>   ==18939==    at 0x40160DB8: malloc (vg_clientfuncs.c:103)
>   ==18939==    by 0x804FE22: (within /usr/sbin/xinetd)
>   ==18939==    by 0x805A496: (within /usr/sbin/xinetd)
>   ==18939==    by 0x8053611: (within /usr/sbin/xinetd)
>   ==18939==    by 0x805340D: (within /usr/sbin/xinetd)
>   ==18939==    by 0x40294A46: __libc_start_main (in /lib/libc-2.3.2.so)
>   ==18939==    by 0x804A310: (within /usr/sbin/xinetd)
>   ==18939==
>
> THE PROBLEM
> -----------
>
> Using objdump -S /usr/sbin/xinetd, the block of code in question comes from service.c:
>
>   void svc_request( struct service *sp )
>   {
>      connection_s *cp ;
>      status_e ret_code;
>
>      cp = conn_new( sp ) ;
>      if ( cp == CONN_NULL )
>         return ;
>      if (sp->svc_not_generic)
>         ret_code = spec_service_handler(sp, cp);
>      else
>         ret_code = svc_generic_handler(sp, cp);
>
>      if ( ret_code != OK )
>      {
>         if ( SVC_LOGS_USERID_ON_FAILURE( sp ) )
>            if( spec_service_handler( LOG_SERVICE( ps ), cp ) == FAILED ) {
>               conn_free( cp, 1 );
>               return;
>            }
>         CONN_CLOSE(cp);
>      }
>   }
>
> The above code has several problems. One background piece of information is that the sigchld handler in xinetd (child_exit->server_end->svc_postmortem) normally frees the connection's data. If the ret_code is not OK, the connection was only closed. This is little more than close(cp->co_descriptor); This does not free cp since sigchld will not be called. It was only if the log service call failed that the connection was freed.
>
> The above code also did not take into account ret_code == OK if the service was no_wait or special. In both of those cases, the sigchld handler is not invoked so the memory pointed to by cp is lost when the call returns.
>
> CONSEQUENCES
> ------------
>
> The memory area pointed to by cp is 144 bytes. Since the variable goes out of scope, it is permanently lost with no way of finding it again. The memory losses are cumulative, too. It would take little more than
>
>   while true; do telnet localhost chargen < /dev/null; done;
>
> to DOS the services provided by xinetd if you could identify a machine that uses xinetd to reject connections. Xinetd provides a rich set of options for rejecting connections, this includes: tcp_wrappers, only_from, no_access, sensors, access_times, cps, load_avg, etc.
>
> It should also be noted that if you DO NOT have any statements in the xinetd.conf file that would cause xinetd to reject a connection, then you are free from this problem.
>
> SOLUTION
> --------
>
> Xinetd 2.3.11 fixes the memory leaks as well as other problems discovered since 2.3.10 was released. All users of xinetd 2.3.10 are strongly urged to upgrade ASAP to avoid DOS conditions. Anyone running 2.3.9 is also strongly urged to upgrade since they are leaking file descriptors.
>
> Your xinetd version can be determined by typing "xinetd -version" (that's version with 1 dash).
>
> The new tarball is: www.xinetd.org/xinetd-2.3.11.tar.gz
>
> This problem has been assigned CAN-2003-0211 to track the bug.
>
> This bug was also reported here:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88537
>
> If you are affected, see if your vendor has an updated xinetd for you.
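The ownership bug the forwarded advisory describes, reduced to a self-contained C model in which the leak can be counted without valgrind. This is an added example by the list-archive editor, not xinetd's code and not the 2.3.11 fix: the connection and service structs, handler(), sigchld_postmortem(), svc_request_leaky() and svc_request_fixed() are hypothetical stand-ins for the functions named in the quoted snippet, with the same control flow.

```c
/* Editor's model of the xinetd 2.3.10 connection leak (hypothetical code). */
#include <stdlib.h>

typedef enum { OK, FAILED } status_e;
/* Only a forked "wait" service produces a SIGCHLD that reaches the
 * postmortem path and frees the connection; no_wait and special do not. */
typedef enum { WAIT_FORK, NO_WAIT, SPECIAL } svc_kind_e;

typedef struct connection {
    int  co_descriptor;      /* socket fd; constructed value, never a real socket */
    char co_padding[140];    /* brings the struct to the 144 bytes valgrind reported */
} connection_s;

typedef struct service {
    svc_kind_e kind;
    int        reject;       /* 1 = access control (only_from, access_times, ...) rejects */
} service_t;

/* Bookkeeping that makes the leak observable. */
static int live_connections; /* structs allocated but not freed */
static int open_descriptors; /* descriptors opened but not closed */

static connection_s *conn_new(void)
{
    connection_s *cp = calloc(1, sizeof *cp);
    if (cp == NULL) return NULL;
    cp->co_descriptor = 3;   /* constructed fd number */
    live_connections++;
    open_descriptors++;
    return cp;
}

static void conn_close(connection_s *cp)
{
    if (cp->co_descriptor >= 0) { open_descriptors--; cp->co_descriptor = -1; }
}

static void conn_free(connection_s *cp)
{
    conn_close(cp);
    live_connections--;
    free(cp);
}

/* Stand-in for svc_generic_handler/spec_service_handler: FAILED on rejection. */
static status_e handler(const service_t *sp, connection_s *cp)
{
    (void)cp;
    return sp->reject ? FAILED : OK;
}

/* Stand-in for child_exit -> server_end -> svc_postmortem: it runs only for a
 * forked wait service, and in the leaky flow it is the only thing that frees. */
static void sigchld_postmortem(const service_t *sp, connection_s *cp)
{
    if (sp->kind == WAIT_FORK) conn_free(cp);
}

/* Mirrors the quoted svc_request(): a rejected connection is only closed, and
 * an accepted no_wait/special connection is never freed by anyone. */
void svc_request_leaky(const service_t *sp)
{
    connection_s *cp = conn_new();
    if (cp == NULL) return;
    if (handler(sp, cp) != OK) {
        conn_close(cp);          /* fd released, 144-byte struct lost */
        return;
    }
    sigchld_postmortem(sp, cp);  /* frees cp only for WAIT_FORK */
}

/* Corrected ownership: the caller frees cp on every path where no SIGCHLD
 * will do it, i.e. on rejection and for any non-forking service. */
void svc_request_fixed(const service_t *sp)
{
    connection_s *cp = conn_new();
    if (cp == NULL) return;
    if (handler(sp, cp) != OK || sp->kind != WAIT_FORK) {
        conn_free(cp);
        return;
    }
    sigchld_postmortem(sp, cp);
}

/* Push n connections through one version of svc_request and return how many
 * connection structs are still allocated afterwards (the leak count). */
int leaked_after(void (*request)(const service_t *), svc_kind_e kind, int reject, int n)
{
    service_t svc = { kind, reject };
    live_connections = open_descriptors = 0;
    for (int i = 0; i < n; i++) request(&svc);
    return live_connections;
}

/* Descriptors still open after the last leaked_after() run. */
int descriptors_open(void) { return open_descriptors; }
```

With the leaky flow every rejected connection closes its descriptor yet leaves its struct allocated, which is exactly the "only closed" pattern the advisory points at; the fixed flow leaves neither behind.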
>
> -Steve Grubb

From owner-freebsd-security@FreeBSD.ORG Fri Apr 18 13:58:21 2003
From: Sean Chittenden
To: Mark Murray
cc: security@freebsd.org
Date: Fri, 18 Apr 2003 13:58:20 -0700
Message-ID: <20030418205820.GF79923@perrin.int.nxad.com>
In-Reply-To: <200304182028.h3IKShQ5008767@grimreaper.grondar.org>
X-Web-Homepage: http://sean.chittenden.org/
Subject: Re: How often should an encrypted session be rekeyed?
> > Using OpenSSL, is there a preferred/recommended rate of rekeying
> > an encrypted stream of data? Does OpenSSL handle this for
> > developers behind the scenes? Does it even need to be rekeyed?
>
> "Depends". I recommend the O'Reilly book on OpenSSL for this and
> related OpenSSL programming docs.
>
> ISBN: 0-596-00270-X

Thanks, I may have to stop through B&N tonight. I know it depends on the strength of the cipher, the data transferred, and time between the last rekeying, but I was wondering on what scale this should happen. Once an hour? Once every X bytes? Does OpenSSL handle this for developers? I looked at OpenSSH and mod_ssl and couldn't find any indication as to how often things are rekeyed beyond "whenever the client requests it," but looking at client code didn't tell me much either. Do you know of any online URLs with useful bits?
-sc

--
Sean Chittenden

From owner-freebsd-security@FreeBSD.ORG Sat Apr 12 00:38:37 2003
From: Kris Kennaway
To: Mike Silbersack
cc: freebsd-security@freebsd.org
cc: Martin Blapp
Date: Sat, 12 Apr 2003 00:38:36 -0700
Message-ID: <20030412073836.GA86038@rot13.obsecurity.org>
In-Reply-To: <20030411115522.I6045@odysseus.silby.com>
X-Mailman-Approved-At: Fri, 18 Apr 2003 14:16:39 -0700
Subject: Re: fstack protector

On Fri, Apr 11, 2003 at 11:58:02AM -0500, Mike Silbersack wrote:
> One possible solution would be to have a gcc-ssp port which would build a
> SSP version of the base system's compiler, and call it gcc-ssp or
> something. Then we could make certain ports depend on using it, perhaps.

That's the best solution for FreeBSD. You'd just set CC and CFLAGS if you want to build with it, as usual. Be aware that some ports will not run when built with -fstack-protector, last time I checked (XFree86 is one).

Kris

From owner-freebsd-security@FreeBSD.ORG Thu Apr 17 14:59:41 2003
From: Kris Kennaway
To: Christopher Nehren
cc: osa@FreeBSD.org.ru
cc: security@freebsd.org
Date: Thu, 17 Apr 2003 14:59:40 -0700
Message-ID: <20030417215940.GA92602@rot13.obsecurity.org>
In-Reply-To: <1050616015.1534.44.camel@prophecy.dyndns.org>
X-Mailman-Approved-At: Fri, 18 Apr 2003 14:16:39 -0700
Subject: Re: CERT Advisory for Snort in Ports

On Thu, Apr 17, 2003 at 05:46:55PM -0400, Christopher Nehren wrote:
> On Thu, 2003-04-17 at 17:14, Sergey A. Osokin wrote:
> > Yes, you are right.
> > Please look at
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/51106
> > for review/test.
> > Thanks.
>
> Ah, thanks. For some reason I'm not surprised that the information for
> the update is already there. =) I applied the patch that you submitted,
> and removed the files/patch-snort.c file, and everything works quite
> well.

Note that patch-snort.c should not have been completely removed. Use the version I committed instead.
Kris

From owner-freebsd-security@FreeBSD.ORG Fri Apr 18 13:28:23 2003
From: Mark Murray
Sender: mark@grondar.org
To: Sean Chittenden
cc: security@freebsd.org
Date: Fri, 18 Apr 2003 21:28:43 +0100
Message-Id: <200304182028.h3IKShQ5008767@grimreaper.grondar.org>
In-Reply-To: Your message of "Fri, 11 Apr 2003 11:27:58 PDT." <20030411182758.GN79923@perrin.int.nxad.com>
X-Mailman-Approved-At: Fri, 18 Apr 2003 14:16:39 -0700
Subject: Re: How often should an encrypted session be rekeyed?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Apr 2003 20:28:23 -0000 Sean Chittenden writes: > Using OpenSSL, is there a preferred/recommended rate of rekeying an > encrypted stream of data? Does OpenSSL handle this for developers > behind the scenes? Does it even need to be rekeyed? "Depends". I recommend the O'Reilly book on OpenSSL for this and related OpenSSL programming docs. ISBN: 0-596-00270-X M -- Mark Murray iumop ap!sdn w,I idlaH From owner-freebsd-security@FreeBSD.ORG Fri Apr 18 14:38:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF55837B401 for ; Fri, 18 Apr 2003 14:38:50 -0700 (PDT) Received: from grayson.netsweng.com (grayson.netsweng.com [207.235.77.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 02EC243FB1 for ; Fri, 18 Apr 2003 14:38:50 -0700 (PDT) (envelope-from anderson@netsweng.com) Received: from trantor.stuart.netsweng.com (h244.91.213.151.ip.alltel.net [151.213.91.244]) by grayson.netsweng.com (8.12.9/8.12.7) with ESMTP id h3ILcmoQ032628 for ; Fri, 18 Apr 2003 17:38:48 -0400 (EDT) (envelope-from anderson@netsweng.com) Date: Fri, 18 Apr 2003 17:38:47 -0400 (EDT) From: Stuart Anderson X-X-Sender: anderson@trantor.stuart.netsweng.com To: freebsd-security@freebsd.org In-Reply-To: <20030412073836.GA86038@rot13.obsecurity.org> Message-ID: <20030418173713.C87664@trantor.stuart.netsweng.com> References: <20030411111302.G4749@cvs.imp.ch> <20030411115522.I6045@odysseus.silby.com> <20030412073836.GA86038@rot13.obsecurity.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: fstack protector X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only 
On Sat, 12 Apr 2003, Kris Kennaway wrote:
> That's the best solution for FreeBSD. You'd just set CC and CFLAGS if
> you want to build with it, as usual. Be aware that some ports will
> not run when built with -fstack-protector, last time I checked
> (XFree86 is one).

Do you recall what the problem is with XFree86? Is it client side, or in
the server? My guess would be that some additional runtime support is
needed in the module loader in the server.

Stuart

Stuart R. Anderson anderson@netsweng.com
Network & Software Engineering http://www.netsweng.com/
1024D/37A79149: 0791 D3B8 9A4C 2CDC A31F BD03 0A62 E534 37A7 9149

From owner-freebsd-security@FreeBSD.ORG Sat Apr 19 00:33:08 2003
From: Uwe Doering
Organization: Private UNIX Site
To: Kris Kennaway
cc: freebsd-security@freebsd.org
cc: Martin Blapp
Date: Sat, 19 Apr 2003 09:32:57 +0200
Message-ID: <3EA0FBA9.4090605@geminix.org>
In-Reply-To: <20030412073836.GA86038@rot13.obsecurity.org>
Subject: Re: fstack protector

Kris Kennaway wrote:
> On Fri, Apr 11, 2003 at 11:58:02AM -0500, Mike Silbersack wrote:
>
>> One possible solution would be to have a gcc-ssp port which would build a
>> SSP version of the base system's compiler, and call it gcc-ssp or
>> something. Then we could make certain ports depend on using it, perhaps.
>
> That's the best solution for FreeBSD. You'd just set CC and CFLAGS if
> you want to build with it, as usual. Be aware that some ports will
> not run when built with -fstack-protector, last time I checked
> (XFree86 is one).

Which version of XFree86? At least 3.3.6 works fine for me, with
'-fstack-protector' (actually auto-enabled on my systems).

Mozilla 1.x, however, doesn't work with stack protection. That's the only
port I found so far that breaks. Reason unknown. Actually, it already
happens at build time. 'regchrome' crashes. At least I think that was the
name, if memory serves.
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Sat Apr 19 06:42:44 2003
From: Stuart Anderson
To: freebsd-security@freebsd.org
Date: Sat, 19 Apr 2003 09:42:43 -0400 (EDT)
Message-ID: <20030419094157.H87664@trantor.stuart.netsweng.com>
In-Reply-To: <3EA0FBA9.4090605@geminix.org>
Subject: Re: fstack protector

On Sat, 19 Apr 2003, Uwe Doering wrote:
> Which version of XFree86? At least 3.3.6 works fine for me, with
> '-fstack-protector' (actually auto-enabled on my systems).

That would make sense as the module loader was part of 4.0.

Stuart

Stuart R. Anderson anderson@netsweng.com
Network & Software Engineering http://www.netsweng.com/
1024D/37A79149: 0791 D3B8 9A4C 2CDC A31F BD03 0A62 E534 37A7 9149

From owner-freebsd-security@FreeBSD.ORG Sat Apr 19 06:52:35 2003
From: Stuart Anderson
To: freebsd-security@freebsd.org
Date: Sat, 19 Apr 2003 09:52:34 -0400 (EDT)
Message-ID: <20030419094540.V87664@trantor.stuart.netsweng.com>
In-Reply-To: <20030419081650.GA92898@xor.obsecurity.org>
Subject: Re: fstack protector

On Sat, 19 Apr 2003, Kris Kennaway wrote:
> Yes, it was to do with module loading. I think the XFree86 module
> build ignored CFLAGS, so the modules were not built with
> -fstack-protector.

The modules use MODCFLAGS and MODULE_CFLAGS instead. I'm familiar with
the XFree86 loader, and would be willing to work with someone familiar
with the -fstack-protector part to fix this.

Stuart

Stuart R. Anderson anderson@netsweng.com
Network & Software Engineering http://www.netsweng.com/
1024D/37A79149: 0791 D3B8 9A4C 2CDC A31F BD03 0A62 E534 37A7 9149

From owner-freebsd-security@FreeBSD.ORG Sat Apr 19 11:30:05 2003
From: Sean Chittenden
To: Mark Murray
cc: security@freebsd.org
Date: Sat, 19 Apr 2003 11:30:03 -0700
Message-ID: <20030419183003.GO79923@perrin.int.nxad.com>
In-Reply-To: <20030418205820.GF79923@perrin.int.nxad.com>
Subject: Re: How often should an encrypted session be rekeyed?

> > > Using OpenSSL, is there a preferred/recommended rate of rekeying
> > > an encrypted stream of data?
> > > Does OpenSSL handle this for
> > > developers behind the scenes? Does it even need to be rekeyed?
> >
> > "Depends". I recommend the O'Reilly book on OpenSSL for this and
> > related OpenSSL programming docs.
> >
> > ISBN: 0-596-00270-X
>
> Thanks, I may have to stop through B&N tonight. I know it depends
> on the strength of the cypher, the data transferred, and time between
> the last rekeying, but I was wondering on what scale this should
> happen. Once an hour? Once every X bytes? Does OpenSSL handle
> this for developers? I looked at OpenSSH and mod_ssl and couldn't
> find any indication as to how often things are rekeyed beyond
> "whenever the client requests it," but looking at client code didn't
> tell me much either.

Alright, well, I'm skeptical of most O'Reilly books, but I had a most
enlightening evening with the OpenSSL book mentioned above. I always took
this aspect of crypto for granted and assumed it was always used, but
apparently not. The concept/option that I was looking for was ephemeral
keying (I'd always called it private rekeying ::shrug::). For those
interested, each connection/session the server generates a new private
SSL key. In exchange for giving away the SSL connection options (only
negative trade off other than higher connection setup overhead), the
session uses a unique private key that is changed automatically by the
underlying library thus providing forward security in the event that the
data from a given session was recorded and the private key was discovered
(read: wouldn't be possible to figure out what was transmitted even with
the private key). Anyway, ephemeral keying requires the use of
Diffie-Hellman's key exchange and that users of this technique (each
connection) set up their own SSL_CTX object and set the
SSL_OP_SINGLE_DH_USE option:

SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);

Happy happy joy joy, and now you know.

-sc
--
Sean Chittenden

From owner-freebsd-security@FreeBSD.ORG Sat Apr 19 14:10:21 2003
From: Kris Kennaway
To: Stuart Anderson
cc: freebsd-security@freebsd.org
Date: Sat, 19 Apr 2003 14:10:17 -0700
Message-ID: <20030419211017.GA51146@xor.obsecurity.org>
In-Reply-To: <20030419094540.V87664@trantor.stuart.netsweng.com>
Subject: Re: fstack protector

On Sat, Apr 19, 2003 at 09:52:34AM -0400, Stuart Anderson wrote:
> On Sat, 19 Apr 2003, Kris Kennaway wrote:
>
> > Yes, it was to do with module loading. I think the XFree86 module
> > build ignored CFLAGS, so the modules were not built with
> > -fstack-protector.
>
> The modules use MODCFLAGS and MODULE_CFLAGS instead. I'm familiar with
> the XFree86 loader, and would be willing to work with someone familiar with
> the -fstack-protector part to fix this.

Hmm, OK. From the point of view of the FreeBSD port this is a POLA
violation..it should just use CFLAGS like everything else is supposed to.

Kris
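The ephemeral-keying point Sean Chittenden makes two messages up (why SSL_OP_SINGLE_DH_USE matters) is easier to see with the arithmetic in front of you. The following is an added toy model, written for this archive; it is not OpenSSL code and not from the thread. It assumes a constructed DH group (the Mersenne prime 2^127 - 1 with generator 3, chosen only to keep the numbers readable, not a standards group) and hypothetical helper names `run_sessions` and `leak_blast_radius`. `single_dh_use=True` models what the option asks the library to do: draw a fresh server DH exponent for every handshake. `single_dh_use=False` models the older behaviour of reusing one exponent for the lifetime of the loaded DH parameters.

```python
"""Toy model of per-connection (ephemeral) Diffie-Hellman, showing why the
server's DH private value must not be reused across connections.

Constructed illustration only: the group below is not a standard DH group
and nothing here is OpenSSL code.
"""
import hashlib
import secrets

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 3.
# It keeps the arithmetic readable; real deployments load a standard
# 2048-bit or larger group as DH parameters.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Return (private exponent x, public value g^x mod p) with a fresh x."""
    x = secrets.randbelow(P - 2) + 1          # x in [1, p-2]
    return x, pow(G, x, P)


def session_key(own_priv, peer_pub):
    """Derive a symmetric key from the DH shared secret peer_pub^own_priv."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_sessions(n, single_dh_use):
    """Simulate n client connections to one server.

    single_dh_use=True models SSL_OP_SINGLE_DH_USE: a fresh server exponent
    per handshake.  False models reusing one exponent for every connection.
    Returns (transcript, server_privs, keys): the transcript is what a passive
    recorder on the wire sees (public values only); the other two are server
    state that never leaves the host.
    """
    transcript, server_privs, keys = [], [], []
    reused_priv, reused_pub = dh_keypair()    # only used when reuse is modelled
    for _ in range(n):
        if single_dh_use:
            s_priv, s_pub = dh_keypair()
        else:
            s_priv, s_pub = reused_priv, reused_pub
        c_priv, c_pub = dh_keypair()
        key = session_key(s_priv, c_pub)
        assert key == session_key(c_priv, s_pub)   # both sides agree
        transcript.append((s_pub, c_pub))
        server_privs.append(s_priv)
        keys.append(key)
    return transcript, server_privs, keys


def leak_blast_radius(transcript, leaked_priv):
    """Blast radius of one leaked server exponent over a recorded transcript.

    Returns {session_index: key} for every recorded session whose key can be
    recomputed from the public values plus that single exponent.  With a
    per-handshake exponent only the session it belonged to appears.
    """
    leaked_pub = pow(G, leaked_priv, P)
    return {i: session_key(leaked_priv, c_pub)
            for i, (s_pub, c_pub) in enumerate(transcript)
            if s_pub == leaked_pub}


if __name__ == "__main__":
    for mode in (False, True):
        transcript, privs, keys = run_sessions(5, single_dh_use=mode)
        hit = leak_blast_radius(transcript, privs[2])
        print(f"single_dh_use={mode}: leaking session 2's exponent exposes "
              f"{len(hit)} of {len(keys)} session keys")
```

Two things the model makes concrete. First, the transcript holds only public values, and the server's long-term certificate key never enters the key derivation at all (in TLS it only signs the server's DH share), so a later compromise of that key does not decrypt recorded sessions; that is the "forward security" Sean describes. Second, forward secrecy is only as fine-grained as the DH exponent's lifetime: with one exponent reused across connections, a single leak exposes every recorded session, while a fresh exponent per handshake limits the damage to one. OpenSSL 1.1.0 and later always behave as if SSL_OP_SINGLE_DH_USE were set, so the option is a no-op there; on the 0.9.x releases of this thread's era it had to be set explicitly.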