From owner-freebsd-security@FreeBSD.ORG Mon Sep 13 22:07:36 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1247C16A4CE; Mon, 13 Sep 2004 22:07:36 +0000 (GMT)
Received: from smtp810.mail.sc5.yahoo.com (smtp810.mail.sc5.yahoo.com [66.163.170.80]) by mx1.FreeBSD.org (Postfix) with SMTP id AF0FB43D45; Mon, 13 Sep 2004 22:07:35 +0000 (GMT) (envelope-from dr2867@pacbell.net)
Received: from unknown (HELO ?192.168.0.248?) (dr2867@pacbell.net@68.126.231.116 with plain) by smtp810.mail.sc5.yahoo.com with SMTP; 13 Sep 2004 22:07:35 -0000
Message-ID: <41461A28.1060308@pacbell.net>
Date: Mon, 13 Sep 2004 15:07:36 -0700
From: Daniel Rudy
Organization: SBC Internet Services
User-Agent: Mozilla/5.0 (X11R6; UNIX; FreeBSD/i386 4.10-RELEASE-p2; en-US; rv:1.7.2) Gecko/20040707 MultiZilla/1.6.2.0c
X-Accept-Language: en-us, en, ja
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Kerberos 5 Security Alert?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: dr2867@pacbell.net
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 13 Sep 2004 22:07:36 -0000

Why wasn't there a FreeBSD security alert for Kerberos 5?  Does FreeBSD use the MIT implementation?  I got an email from CERT about this.  See the attached message below.

-- 
Daniel Rudy


>From - Sat Sep 04 03:22:15 2004
X-Apparently-To: dcrudy@pacbell.net via 206.190.37.79; Fri, 03 Sep 2004 14:39:51 -0700
X-Originating-IP: [192.88.209.130]
Received: from 207.115.57.65 (EHLO ylpvm34.prodigy.net) (207.115.57.65) by mta815.mail.yahoo.com with SMTP; Fri, 03 Sep 2004 14:39:41 -0700
Received: from canaveral.indigo.cert.org (canaveral.indigo.cert.org [192.88.209.130]) by ylpvm34.prodigy.net (8.12.10 mpsfix/8.12.10) with ESMTP id i83Ld9Bs021775; Fri, 3 Sep 2004 17:39:09 -0400
Received: from canaveral.indigo.cert.org (localhost [127.0.0.1]) by canaveral.indigo.cert.org (8.12.8/8.12.8/1.31) with ESMTP id i83LM0hd010300; Fri, 3 Sep 2004 17:36:30 -0400
Received: from localhost (lnchuser@localhost) by canaveral.indigo.cert.org (8.12.8/8.12.8/Submit/1.1) with SMTP id i83KDBeG006539; Fri, 3 Sep 2004 16:13:11 -0400
Date: Fri, 3 Sep 2004 16:13:11 -0400
From: CERT Advisory
To: cert-advisory@cert.org
Organization: CERT(R) Coordination Center - +1 412-268-7090
List-Post: NO (posting not allowed on this list)
Subject: US-CERT Technical Cyber Security Alert TA04-247A -- Vulnerabilities in MIT Kerberos 5
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA04-247A

Vulnerabilities in MIT Kerberos 5

   Original release date: September 3, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * MIT Kerberos 5 versions prior to krb5-1.3.5
     * Applications that use versions of MIT Kerberos 5 libraries
       prior to krb5-1.3.5
     * Applications that contain code derived from MIT Kerberos 5

   Updated vendor information is available in the systems affected
   section of the individual vulnerability notes.

Overview

   The MIT Kerberos 5 implementation contains several vulnerabilities,
   the most severe of which could allow an unauthenticated, remote
   attacker to execute arbitrary code on a Kerberos Distribution Center
   (KDC). This could result in the compromise of an entire Kerberos
   realm.

I. Description

   There are several vulnerabilities in the MIT implementation of the
   Kerberos 5 protocol. With one exception (VU#550464), all of the
   vulnerabilities involve insecure deallocation of heap memory
   (double-free vulnerabilities) during error handling and Abstract
   Syntax Notation One (ASN.1) decoding. For further details, please
   see the following vulnerability notes:

   VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely
   deallocate memory (double-free)

     The MIT Kerberos 5 library does not securely deallocate heap
     memory when decoding ASN.1 structures, resulting in double-free
     vulnerabilities. An unauthenticated, remote attacker could execute
     arbitrary code on a KDC server, which could compromise an entire
     Kerberos realm. An attacker may also be able to execute arbitrary
     code on Kerberos clients, or cause a denial of service on KDCs or
     clients.

     (Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)

   VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred()
   insecurely deallocates memory (double-free)

     The krb5_rd_cred() function in the MIT Kerberos 5 library does not
     securely deallocate heap memory when decoding ASN.1 structures,
     resulting in a double-free vulnerability. A remote, authenticated
     attacker could execute arbitrary code or cause a denial of service
     on any system running an application that calls krb5_rd_cred().
     This includes Kerberos application servers and other applications
     that process Kerberos authentication via the MIT Kerberos 5
     library, Generic Security Services Application Programming
     Interface (GSSAPI), and other libraries.

     (Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)

   VU#350792 - MIT Kerberos krb524d insecurely deallocates memory
   (double-free)

     The MIT Kerberos krb524d daemon does not securely deallocate heap
     memory when handling an error condition, resulting in a
     double-free vulnerability. An unauthenticated, remote attacker
     could execute arbitrary code on a system running krb524d, which in
     many cases is also a KDC. The compromise of a KDC system can lead
     to the compromise of an entire Kerberos realm. An attacker may
     also be able to cause a denial of service on a system running
     krb524d.

     (Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)

   VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail()
   does not properly terminate loop

     The asn1buf_skiptail() function in the MIT Kerberos 5 library does
     not properly terminate a loop, allowing an unauthenticated, remote
     attacker to cause a denial of service in a KDC, application
     server, or Kerberos client.

     (Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)

II. Impact

   The impacts of these vulnerabilities vary, but an attacker may be
   able to execute arbitrary code on KDCs, systems running krb524d
   (typically also KDCs), application servers, applications that use
   Kerberos libraries directly or via GSSAPI, and Kerberos clients. An
   attacker could also cause a denial of service on any of these
   systems.

   The most severe vulnerabilities could allow an unauthenticated,
   remote attacker to execute arbitrary code on a KDC system. This
   could result in the compromise of both the KDC and an entire
   Kerberos realm.

III. Solution

Apply a patch or upgrade

   Check with your vendor(s) for patches or updates. For information
   about a specific vendor, please see the systems affected sections in
   the individual vulnerability notes or contact your vendor directly.

   Alternatively, apply the appropriate source code patch(es)
   referenced in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and
   recompile. These vulnerabilities will be addressed in krb5-1.3.5.

Appendix A. References

     * Vulnerability Note VU#795632
     * Vulnerability Note VU#866472
     * Vulnerability Note VU#350792
     * Vulnerability Note VU#550464
     * MIT krb5 Security Advisory 2004-002
     * MIT krb5 Security Advisory 2004-003
     * Kerberos: The Network Authentication Protocol

 _______________________________________________________________________

   Thanks to Tom Yu and the MIT Kerberos Development team for
   addressing these vulnerabilities and coordinating with vendors. MIT
   credits the following people: Will Fiveash, Joseph Galbraith, John
   Hawkinson, Marc Horowitz, and Nico Williams.
 _______________________________________________________________________

   Feedback can be directed to the author: Art Manion
 _______________________________________________________________________

   This document is available from:
 _______________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Terms of use

   Terms of use:
 _______________________________________________________________________

Revision History

   September 3, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBOM3iXlvNRxAkFWARAs9xAKC23q9EekPz/InQVWZPeUVhH4bnKwCgkVfh
vKAOqE4sCXyydZ4BKnNreK8=
=7R1M
-----END PGP SIGNATURE-----


From owner-freebsd-security@FreeBSD.ORG Mon Sep 13 22:35:44 2004
Date: Mon, 13 Sep 2004 18:35:43 -0400
From: Jeff Aitken
To: Daniel Rudy
Cc: freebsd-security@freebsd.org
Message-ID: <20040913223543.GA28187@eagle.aitken.com>
References: <41461A28.1060308@pacbell.net>
In-Reply-To: <41461A28.1060308@pacbell.net>
User-Agent: Mutt/1.4.2i
Subject: Re: Kerberos 5 Security Alert?

On Mon, Sep 13, 2004 at 03:07:36PM -0700, Daniel Rudy wrote:
> Does FreeBSD use the MIT implementation?

No, the system-supplied krb5 bits are from the Heimdal distribution.
The MIT distribution is available as a port, but is not part of the
base system.

> Why wasn't there a FreeBSD security alert for Kerberos 5?

I may be wrong, but I think that security alerts are issued only
for the base system (i.e., things that are part of FreeBSD proper).
Vulnerabilities that affect ports are documented here:

  http://www.vuxml.org/freebsd/

I'm sure someone will correct me if this is wrong.

--Jeff


From owner-freebsd-security@FreeBSD.ORG Tue Sep 14 08:16:44 2004
Date: Thu, 9 Sep 2004 13:38:41 +0300 (EEST)
From: Dmitry Pryanishnikov
To: freebsd-security@freebsd.org
Message-ID: <20040909133319.A41151@atlantis.atlantis.dp.ua>
ReSent-Date: Tue, 14 Sep 2004 11:16:27 +0300 (EEST)
Resent-From: Dmitry Pryanishnikov
Resent-To: freebsd-security@freebsd.org
ReSent-Subject: multiple vulnerabilities in the cvs server code
ReSent-Message-ID: <20040914111627.F69813@atlantis.atlantis.dp.ua>
Subject: multiple vulnerabilities in the cvs server code

Hello!

Port security/portaudit reports the following problem:

  Affected package: FreeBSD-491000
  Type of problem: multiple vulnerabilities in the cvs server code.
  Reference:
  Note: To disable this check add the uuid to `portaudit_fixed' in
  /usr/local/etc/portaudit.conf

I have 2 related questions:

1) What are current plans to fix these vulnerabilities?
2) Are the FreeBSD public CVS servers trustworthy now?

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE


From owner-freebsd-security@FreeBSD.ORG Tue Sep 14 13:15:32 2004
Date: Tue, 14 Sep 2004 14:15:18 +0100
From: Matthew Seaman
To: Jeff Aitken
Cc: freebsd-security@freebsd.org, Daniel Rudy
Message-ID: <20040914131518.GG43574@happy-idiot-talk.infracaninophile.co.uk>
Mail-Followup-To: Jeff Aitken, Daniel Rudy, freebsd-security@freebsd.org
References: <41461A28.1060308@pacbell.net> <20040913223543.GA28187@eagle.aitken.com>
In-Reply-To: <20040913223543.GA28187@eagle.aitken.com>
User-Agent: Mutt/1.4.2.1i
Subject: Re: Kerberos 5 Security Alert?

On Mon, Sep 13, 2004 at 06:35:43PM -0400, Jeff Aitken wrote:
> On Mon, Sep 13, 2004 at 03:07:36PM -0700, Daniel Rudy wrote:
>
> > Why wasn't there a FreeBSD security alert for Kerberos 5?
>
> I may be wrong, but I think that security alerts are issued only
> for the base system (i.e., things that are part of FreeBSD proper).
> Vulnerabilities that affect ports are documented here:
>
> http://www.vuxml.org/freebsd/
>
> I'm sure someone will correct me if this is wrong.

That's correct.  The VuXML system is now the standard repository for
information about security vulnerabilities to do with the ports or the
base system.  FreeBSD Security Alerts are still being produced when
necessary -- which cover the base OS, but alerts or notifications for
stuff in ports now use a different mechanism.

If you install the security/portaudit port, you'll get a message in
your daily system e-mail if you have a vulnerable version of any port
installed, together with a link to a page on the FreeBSD site with
more details.  It will also print out warnings and prevent you from
installing a port if there is an outstanding security problem with
it.  The portaudit port also sets up a local copy of its database of
security problems which it updates each night -- I think that
originally portaudit and VuXML were quite separate projects, but
portaudit now uses VuXML stuff internally.

I happen to know that the VuXML data will be appearing in a future
release of the freshports.org site as well.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBRu7miD657aJF7eIRAgW/AJ9ctsdiPYsnNAv7qp1TL/Fkb55D4gCcDj2S
v1TMw9XIiz+wf+HCZN+aVtw=
=YKkZ
-----END PGP SIGNATURE-----


From owner-freebsd-security@FreeBSD.ORG Tue Sep 14 13:37:24 2004
Date: Tue, 14 Sep 2004 16:37:10 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Volker Stolz
Cc: freebsd-security@freebsd.org
Message-ID: <20040914162407.J77824@atlantis.atlantis.dp.ua>
In-Reply-To: <20040914131723.GA63705@i2.informatik.rwth-aachen.de>
References: <20040909133319.A41151@atlantis.atlantis.dp.ua> <20040914131723.GA63705@i2.informatik.rwth-aachen.de>
Subject: Re: multiple vulnerabilities in the cvs server code

Hello!

On Tue, 14 Sep 2004, Volker Stolz wrote:
>> Type of problem: multiple vulnerabilities in the cvs server code.
>> 1) What are current plans to fix these vulnerabilities?
>
> The related security advisory [SA] was already published in May:
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc
> (SAs are available from the project's front page).

As I read in this SA, this vulnerability was fixed on 2004-05-20, before
4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit
still complains about FreeBSD-491000. Probably, wrong check in auditfile?

Also, it would be nice if such advisories advanced kern.osreldate, so
auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
which isn't vulnerable to this problem, but kern.osreldate is still 490000
there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't
he bump src/sys/sys/param.h?

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE


From owner-freebsd-security@FreeBSD.ORG Tue Sep 14 14:12:42 2004
From: "Dan Langille"
To: freebsd-security@freebsd.org
Cc: Daniel Rudy
Date: Tue, 14 Sep 2004 10:12:41 -0400
Message-ID: <4146C419.5115.1E9B43B2@localhost>
In-reply-to: <20040914131518.GG43574@happy-idiot-talk.infracaninophile.co.uk>
References: <20040913223543.GA28187@eagle.aitken.com>
X-mailer: Pegasus Mail for Windows (v4.12a)
Subject: Re: Kerberos 5 Security Alert?

On 14 Sep 2004 at 14:15, Matthew Seaman wrote:

> I happen to know that the VuXML data will be appearing in a future
> release of the freshports.org site as well.

Matthew knows this because he wrote the code which parses
ports/security/vuxml/vuln.xml for FreshPorts.  I then amended his
work to insert the parsed VuXML data into the FreshPorts database.

This page shows what VuXML flagged commits will look like:

  http://beta.freshports.org/ftp/tnftpd/

The above relates to
http://www.vuxml.org/freebsd/c4b025bb-f05d-11d8-9837-000c41e2cdad.html

-- 
Dan Langille : http://www.langille.org/


From owner-freebsd-security@FreeBSD.ORG Tue Sep 14 14:19:36 2004
Date: Tue, 14 Sep 2004 22:18:20 +0800
From: Xin LI
To: Dmitry Pryanishnikov
Cc: freebsd-security@freebsd.org, Volker Stolz
Message-ID: <20040914141820.GA1728@frontfree.net>
References: <20040909133319.A41151@atlantis.atlantis.dp.ua> <20040914131723.GA63705@i2.informatik.rwth-aachen.de> <20040914162407.J77824@atlantis.atlantis.dp.ua>
In-Reply-To: <20040914162407.J77824@atlantis.atlantis.dp.ua>
User-Agent: Mutt/1.4.2.1i
X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0
X-GPG-Public-Key: http://www.delphij.net/delphij.asc
X-Operating-System: FreeBSD beastie.frontfree.net 5.3-delphij FreeBSD 5.3-delphij #4: Mon Sep 13 12:44:05 CST 2004 delphij@beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386
X-URL: http://www.delphij.net
X-Location: Beijing, China
Subject: Re: multiple vulnerabilities in the cvs server code

On Tue, Sep 14, 2004 at 04:37:10PM +0300, Dmitry Pryanishnikov wrote:
> As I read in this SA, this vulnerability was fixed on 2004-05-20, before
> 4.10 was released, so 4.10-RELEASE isn't vulnerable, right? But portaudit

Yes, 4.10 is not vulnerable.

> still complains about FreeBSD-491000. Probably, wrong check in auditfile?
> Also, it would be nice if such advisories advanced kern.osreldate,
> so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
> which isn't vulnerable to this problem, but kern.osreldate is still 490000
> there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't
> he bump src/sys/sys/param.h?

I think it is not applicable to bump param.h, as it represents an ABI change,
which a security update should not introduce. (just my $0.02 :-)

Cheers,
-- 
Xin LI <delphij@delphij.net>	http://www.delphij.net/
See complete headers for GPG key and other information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD4DBQFBRv2sOfuToMruuMARApKXAJ9B3PCDTo2y3atGWdmZVZwC8PVvhgCVHxxn
9INVyv8mozpV04jh1wpRMg==
=WMHi
-----END PGP SIGNATURE-----


From owner-freebsd-security@FreeBSD.ORG Tue Sep 14 14:32:51 2004
Date: Tue, 14 Sep 2004 17:32:35 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Xin LI
Cc: freebsd-security@freebsd.org, Volker Stolz
Message-ID: <20040914172844.X96954@atlantis.atlantis.dp.ua>
In-Reply-To: <20040914141820.GA1728@frontfree.net>
References: <20040909133319.A41151@atlantis.atlantis.dp.ua> <20040914131723.GA63705@i2.informatik.rwth-aachen.de> <20040914141820.GA1728@frontfree.net>
Subject: Re: multiple vulnerabilities in the cvs server code

On Tue, 14 Sep 2004, Xin LI wrote:
>> Also, it would be nice if such advisories advanced kern.osreldate,
>> so auditfile could check this automatically; e.g., I have 4.9-RELEASE-p11,
>> which isn't vulnerable to this problem, but kern.osreldate is still 490000
>> there. If the Security Officer bumps src/sys/conf/newvers.sh, why doesn't
>> he bump src/sys/sys/param.h?
>
> I think it is not applicable to bump param.h, as it represents an ABI change,
> which a security update should not introduce. (just my $0.02 :-)

Then there should be another possibility to get the release "patch level" -
maybe by parsing kern.osrelease? In any case, it would be nice to add such a
check, so portaudit won't complain when the base system isn't vulnerable.

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE


From owner-freebsd-security@FreeBSD.ORG Tue Sep 14 17:04:57 2004
Message-ID: <414724BA.60908@pacbell.net>
Date: Tue, 14 Sep 2004 10:04:58 -0700
From: Daniel Rudy
Organization: SBC Internet Services
User-Agent: Mozilla/5.0 (X11R6; UNIX; FreeBSD/i386 4.10-RELEASE-p2; en-US; rv:1.7.2) Gecko/20040707 MultiZilla/1.6.2.0c
To: freebsd-security@freebsd.org
Reply-To: dr2867@pacbell.net
References: <41461A28.1060308@pacbell.net> <20040913223543.GA28187@eagle.aitken.com>
In-Reply-To: <20040913223543.GA28187@eagle.aitken.com>
Subject: Re: Kerberos 5 Security Alert?

At about the time of 9/13/2004 3:35 PM, Jeff Aitken stated the following:
> On Mon, Sep 13, 2004 at 03:07:36PM -0700, Daniel Rudy wrote:
>
>> Does FreeBSD use the MIT implementation?
>
> No, the system-supplied krb5 bits are from the Heimdal distribution.
> The MIT distribution is available as a port, but is not part of the
> base system.
>
>> Why wasn't there a FreeBSD security alert for Kerberos 5?
>
> I may be wrong, but I think that security alerts are issued only
> for the base system (i.e., things that are part of FreeBSD proper).
> Vulnerabilities that affect ports are documented here:
>
> http://www.vuxml.org/freebsd/
>
> I'm sure someone will correct me if this is wrong.
>
> --Jeff

Ok.  Then what is the current production version of FreeBSD?  I
currently have 4.10-p2.
-- Daniel Rudy From owner-freebsd-security@FreeBSD.ORG Wed Sep 15 09:34:11 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6E5616A4F3 for ; Wed, 15 Sep 2004 09:34:11 +0000 (GMT) Received: from mail04.syd.optusnet.com.au (mail04.syd.optusnet.com.au [211.29.132.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3B5D43D1D for ; Wed, 15 Sep 2004 09:34:10 +0000 (GMT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229]) i8F9Y8HE010013 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Wed, 15 Sep 2004 19:34:09 +1000 Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])i8F9Y7xP087352; Wed, 15 Sep 2004 19:34:07 +1000 (EST) (envelope-from pjeremy@cirb503493.alcatel.com.au) Received: (from pjeremy@localhost)i8F9Y7QQ087351; Wed, 15 Sep 2004 19:34:07 +1000 (EST) (envelope-from pjeremy) Date: Wed, 15 Sep 2004 19:34:07 +1000 From: Peter Jeremy To: Dan Langille Message-ID: <20040915093407.GA83620@cirb503493.alcatel.com.au> References: <20040913223543.GA28187@eagle.aitken.com> <4146C419.5115.1E9B43B2@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4146C419.5115.1E9B43B2@localhost> User-Agent: Mutt/1.4.2i cc: freebsd-security@freebsd.org Subject: Re: Kerberos 5 Security Alert? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Sep 2004 09:34:11 -0000 On Tue, 2004-Sep-14 10:12:41 -0400, Dan Langille wrote: >On 14 Sep 2004 at 14:15, Matthew Seaman wrote: > >> I happen to know that the VuXML data will be appearing in a future >> release of the freshports.org site as well. 
> >Matthew knows this because he wrote the code which parses >ports/security/vuxml/vuln.xml for FreshPorts. I then amended his >work to insert the parsed VuXML data into the FreshPorts database. > >This page shows what VuXML flagged commits will look like: > > http://beta.freshports.org/ftp/tnftpd/ > >The above relates to http://www.vuxml.org/freebsd/c4b025bb-f05d-11d8- >9837-000c41e2cdad.html I presume you're referring to the skulls against the version number rather than the message: "ERROR: permission denied for relation ports_active SELECT id AS slave_port_id, name AS slave_port_name, category_id AS slave_category_id, category AS slave_category_name FROM ports_active WHERE master_port = 'ftp/tnftpd' ORDER BY slave_category_name, slave_port_name" -- Peter Jeremy From owner-freebsd-security@FreeBSD.ORG Wed Sep 15 10:37:19 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB2C316A4CE for ; Wed, 15 Sep 2004 10:37:19 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C9CB43D2D for ; Wed, 15 Sep 2004 10:37:19 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id B6A553D3D; Wed, 15 Sep 2004 06:37:14 -0400 (EDT) From: "Dan Langille" To: Peter Jeremy Date: Wed, 15 Sep 2004 06:39:17 -0400 MIME-Version: 1.0 Message-ID: <4147E395.6565.22FC640F@localhost> Priority: normal In-reply-to: <20040915093407.GA83620@cirb503493.alcatel.com.au> References: <4146C419.5115.1E9B43B2@localhost> X-mailer: Pegasus Mail for Windows (v4.12a) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body cc: freebsd-security@freebsd.org Subject: Re: Kerberos 5 Security Alert? 
On 15 Sep 2004 at 19:34, Peter Jeremy wrote:

> On Tue, 2004-Sep-14 10:12:41 -0400, Dan Langille wrote:
> >On 14 Sep 2004 at 14:15, Matthew Seaman wrote:
> >
> >> I happen to know that the VuXML data will be appearing in a future
> >> release of the freshports.org site as well.
> >
> >Matthew knows this because he wrote the code which parses
> >ports/security/vuxml/vuln.xml for FreshPorts.  I then amended his
> >work to insert the parsed VuXML data into the FreshPorts database.
> >
> >This page shows what VuXML flagged commits will look like:
> >
> >  http://beta.freshports.org/ftp/tnftpd/
> >
> >The above relates to
> >http://www.vuxml.org/freebsd/c4b025bb-f05d-11d8-9837-000c41e2cdad.html
>
> I presume you're referring to the skulls against the version number
> rather than the message:
>   "ERROR: permission denied for relation ports_active
>    SELECT id AS slave_port_id, name AS slave_port_name,
>    category_id AS slave_category_id, category AS
>    slave_category_name FROM ports_active WHERE master_port =
>    'ftp/tnftpd' ORDER BY slave_category_name, slave_port_name"

Sorry about that.  Heh, any publicity is better than none.

That is a beta site, under active development.  Last night, I
recreated a view (ports_active) and did not rerun the permissions
granting script.  I just did that.  Try now.
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-security@FreeBSD.ORG Wed Sep 15 19:56:26 2004
From: Peter Jeremy
To: Dan Langille
cc: freebsd-security@freebsd.org
Date: Thu, 16 Sep 2004 05:56:16 +1000
Message-ID: <20040915195616.GB83620@cirb503493.alcatel.com.au>
In-Reply-To: <4147E395.6565.22FC640F@localhost>
Subject: Re: Kerberos 5 Security Alert?

On Wed, 2004-Sep-15 06:39:17 -0400, Dan Langille wrote:
>That is a beta site, under active development.
>Last night, I
>recreated a view (ports_active) and did not rerun the permissions
>granting script.  I just did that.

No errors now, thanks.  Another advantage (from a user's POV) over the
main site is the lack of banner ads (though your view on this is
probably different to mine).  Thanks for your efforts in maintaining
this site.

-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Wed Sep 15 20:13:44 2004
From: "Dan Langille"
To: Peter Jeremy
cc: freebsd-security@freebsd.org
Date: Wed, 15 Sep 2004 16:15:45 -0400
Message-ID: <41486AB1.27940.250C2BFF@localhost>
In-Reply-To: <20040915195616.GB83620@cirb503493.alcatel.com.au>
Subject: Re: Kerberos 5 Security Alert?

On 16 Sep 2004 at 5:56, Peter Jeremy wrote:

> On Wed, 2004-Sep-15 06:39:17 -0400, Dan Langille wrote:
> >That is a beta site, under active development.
> >Last night, I
> >recreated a view (ports_active) and did not rerun the permissions
> >granting script.  I just did that.
>
> No errors now, thanks.  Another advantage (from a user's POV) over the
> main site is the lack of banner ads (though your view on this is
> probably different to mine).  Thanks for your efforts in maintaining
> this site.

Thanks for reminding me.  I just turned them back on.

-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 04:09:28 2004
Message-Id: <6.1.2.0.0.20040918001332.02bfda70@64.7.153.2>
Date: Sat, 18 Sep 2004 00:15:28 -0400
To:
freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Fwd: FreeBSD kernel buffer overflow

Can anyone provide more details about the posting below ?

>Date: Thu, 16 Sep 2004 23:48:21 +0200
>From: gerarra@tin.it
>Subject: FreeBSD kernel buffer overflow
>To: bugtraq@securityfocus.com
>
>Topic: Buffer Overflow in FreeBSD
>Versions: All the versions of FreeBSD are broken (4.x, 5.x, 6.0)
>Arch: x86
>Date: 16/09/2004
>
>All discussion refers to CURRENT-6.0; for other versions some things could
>change (though they are bugged too).
>The discussion involves a lot of x32 arch-dependent mechanisms, so, in some
>points, it could sound a little bit obscure.
>
>
>A buffer overflow has been found in the i386/i386/trap.c syscall() function
>of the official FreeBSD source tree.
>To handle the syscall mechanism, the 'particular' interrupt 128 (0x80)
>is provided in the IDT vector.  To serve this interrupt, the
>i386/i386/exception.s int0x80_syscall() function is used and, in the end,
>it calls syscall().
>syscall() is responsible for loading the arguments of a syscall and copying
>them to a kernel-space pointer in order to access them.
>The code to do that is the following:
>
>void
>syscall(frame)
>	struct trapframe frame;
>{
>	caddr_t params;
>	struct sysent *callp;
>	struct thread *td = curthread;
>	struct proc *p = td->td_proc;
>	register_t orig_tf_eflags;
>	u_int sticks;
>	int error;
>	int narg;
>	int args[8];
>	u_int code;
>
>	...
>
>	narg = callp->sy_narg & SYF_ARGMASK;	/* <- you can see it's the only check */
>
>	if (params != NULL && narg != 0)
>		error = copyin(params, (caddr_t)args,
>		    (u_int)(narg * sizeof(int)));
>	else
>		error = 0;
>
>	...
>
>and:
>
>> grep SYF_ARGMASK /usr/src/sys/sys/sysent.h
>#define SYF_ARGMASK 0x0000FFFF
>
>It's obvious that the amount of selectable memory is beyond the
>(8 * sizeof(int)) limit of the args array, so it would overwrite the
>eip saved by the call to syscall() (it's invoked through a call) or make
>an interesting pointer corruption by overwriting struct proc *p.
>
>It's exploitable, but the only way I discovered is to link a new syscall
>into the sysent array, and to do this you need to be root; I've no time
>to work on this vulnerability, but I think another way could be found.
>However, it could give serious problems (e.g. kernel crashes).
>
>A good patch could be dynamic memory allocation for args, but it's not
>a good solution if you want to maintain a well-performing system; another
>one could be a stronger check, but it's not a good solution if you want
>to keep good flexibility.
>
>You would get an attachment containing proof of concept code (4.x, 5.x/6.0
>versions).
>
>
>greetings
>
>rookie
>
>
>P.S: in order to try the code, compile and link the module into the kernel,
>then do 'make test' and start ./poc

--------------------------------------------------------------------
Mike Tancsa,                                   tel +1 519 651 3400
Sentex Communications,                         mike@sentex.net
Providing Internet since 1994                  www.sentex.net
Cambridge, Ontario Canada                      www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 04:15:41 2004
From: Radek Kozlowski
To: Mike Tancsa
cc: freebsd-security@freebsd.org
Date: Sat, 18 Sep 2004 06:15:39 +0200
Message-ID: <20040918041538.GA62265@werd>
In-Reply-To: <6.1.2.0.0.20040918001332.02bfda70@64.7.153.2>
Subject: Re: Fwd: FreeBSD kernel buffer overflow

On Sat, Sep 18, 2004 at 12:15:28AM -0400, Mike Tancsa wrote:
> 
> Can anyone provide more details about the posting below ?

http://lists.freebsd.org/pipermail/freebsd-hackers/2004-September/thread.html#8280

-Radek

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 05:05:03 2004
From: Avleen Vig
To: Radek Kozlowski
cc: freebsd-security@freebsd.org
Date: Fri, 17 Sep 2004 22:04:57 -0700
Message-ID: <20040918050457.GG54961@silverwraith.com>
In-Reply-To: <20040918041538.GA62265@werd>
Subject: Re: Fwd: FreeBSD kernel buffer overflow

On Sat, Sep 18, 2004 at 06:15:39AM +0200, Radek Kozlowski wrote:
> > Can anyone provide more details about the posting below ?
> 
> http://lists.freebsd.org/pipermail/freebsd-hackers/2004-September/thread.html#8280

In short, there is no vulnerability, there's nothing to worry about.

-- 
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 12:18:36 2004
From: Willem Jan Withagen
To: "freebsd-security@FreeBSD.ORG"
Date: Sat, 18 Sep 2004 14:18:32 +0200
Message-ID: <414C2798.7060509@withagen.nl>
Subject: Attacks on ssh port

Hi,

Is there a security problem with ssh that I've missed???
I keep getting these hordes of:
  Failed password for root from 69.242.5.195 port 39239 ssh2
with all kinds of different source addresses.

They have a shot or 15 and then they are off again, but a little later on
they're back and keep clogging my logs.
Is there an "easy" way of getting these ip-numbers added to the
blocking-list of ipfw??

Thanx,
--WjW

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 12:25:16 2004
From: Jens Holmqvist
To: "freebsd-security@FreeBSD.ORG"
Date: Sat, 18 Sep 2004 14:25:11 +0200
Message-ID: <3b41db8504091805257f380bd4@mail.gmail.com>
In-Reply-To: <414C2798.7060509@withagen.nl>
Subject: Re: Attacks on ssh port

I have the same problem, and they also try the users test and admin, which
don't even exist, and it's a lot every day.

Sorry Willem, just sent it to you earlier; not used to gmail that much :)

On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote:
> Hi,
> 
> Is there a security problem with ssh that I've missed???
> I keep getting these hordes of:
> Failed password for root from 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
> 
> They have a shot or 15 and then they are off again, but a little later on
> they're back and keep clogging my logs.
> Is there an "easy" way of getting these ip-numbers added to the
> blocking-list of ipfw??
> 
> Thanx,
> --WjW
> 
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> 

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 12:33:00 2004
From: Patrick Proniewski
To: Willem Jan Withagen, Liste FreeBSD-security
Date: Sat, 18 Sep 2004 14:32:50 +0200
In-Reply-To: <414C2798.7060509@withagen.nl>
Subject: Re: Attacks on ssh port
On 18 sept. 2004, at 14:18, Willem Jan Withagen wrote:

> Hi,
> 
> Is there a security problem with ssh that I've missed???
> I keep getting these hordes of: Failed password for root from
> 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
> 
> They have a shot or 15 and then they are off again, but a little later
> on they're back and keep clogging my logs.
> Is there an "easy" way of getting these ip-numbers added to the
> blocking-list of ipfw??

Not an ssh-related problem, it's just a brute force attack.  I'm
experiencing this on every server I have, more than 10 times a day.  I'm
really thinking about releasing the list of attackers' IPs to the public.
As far as I know, it's a pack of compromised machines.

patpro

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 13:02:47 2004
From: "Craig Edwards"
To: "Patrick Proniewski", "Willem Jan Withagen", "Liste FreeBSD-security"
Date: Sat, 18 Sep 2004 14:05:21 +0100
Organization: Crypt Software
Subject: Re: Re: Attacks on ssh port
As I've read, this is an attack from some kiddie trying to build a floodnet.
Records show that most of the compromised boxes are Linux machines which end
up having the SucKIT rootkit and an EnergyMech installed on them.  I don't
know if the attacker has ever gotten into a FreeBSD machine and what they'd
do if they did.

On my machines I have a dummy shell which APPEARS to be a successful login
but just returns weird errors (such as "Segmentation Fault") or bad data for
all commands that are issued, while also logging their commands.  I'm tempted
to put this on the 'test' account and let them in on this shell to see what
is attempted.  Just to clarify, if I did such a thing there's no way for them
to break out of the shell, right?  It's a simple perl script, so if the perl
script ends, they're logged off?  This is what I expect to happen; however, I
don't want to risk it unless it's 100% safe...

And just to clarify again, all commands that are issued from this fake shell
never reach the REAL OS; even "uname" returns a Red Hat 7.2 string when the
real machine is actually FreeBSD 5...

Thanks,
Craig

>On 18 sept. 2004, at 14:18, Willem Jan Withagen wrote:
>
>> Hi,
>>
>> Is there a security problem with ssh that I've missed???
>> I keep getting these hordes of: Failed password for root from
>> 69.242.5.195 port 39239 ssh2
>> with all kinds of different source addresses.
>>
>> They have a shot or 15 and then they are off again, but a little later
>> on they're back and keep clogging my logs.
>> Is there an "easy" way of getting these ip-numbers added to the
>> blocking-list of ipfw??
>
>
>Not an ssh-related problem, it's just a brute force attack.  I'm
>experiencing this on every server I have, more than 10 times a day.
>I'm really thinking about releasing the list of attackers' IPs to the
>public.  As far as I know, it's a pack of compromised machines.
>
>patpro

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 13:58:29 2004
From: "Michael Sharp"
To: freebsd-security@freebsd.org
Date: Sat, 18 Sep 2004 09:58:35 -0400 (EDT)
Message-ID: <3434.192.168.1.1.1095515915.squirrel@192.168.1.1>
Subject: Re: Re: Attacks on ssh port
> As I've read, this is an attack from some kiddie trying to build a floodnet.

One really doesn't want to expose root to the Internet via SSH either.
Please consider adding the user(s) that need root to a user account, open
SSH for them, then consider su or sudo from there.

Michael

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 14:08:55 2004
From: Chris Ryan
To: Michael Sharp, freebsd-security@freebsd.org
Date: Sun, 19 Sep 2004 00:08:54 +1000 (EST)
Message-ID: <20040918140854.98917.qmail@web51005.mail.yahoo.com>
In-Reply-To: <3434.192.168.1.1.1095515915.squirrel@192.168.1.1>
Subject: Re: Re: Attacks on ssh port

> One really doesn't want to expose root to the
> Internet via SSH either.

Couldn't agree more.

> Please consider adding the user(s) that need root to a
> user account, open SSH
> for them, then consider su or sudo from there.
> 

I use su; works very well - another [strong] layer of protection.

Chris

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 14:14:37 2004
From: Frankye - ML
To: freebsd-security@freebsd.org
Date: Sat, 18 Sep 2004 16:14:31 +0200
Message-ID: <20040918161431.53a63dd3@godzilla>
In-Reply-To: <414C2798.7060509@withagen.nl>
Subject: Re: Attacks on ssh port

On Sat, 18 Sep 2004 14:18:32 +0200
Willem Jan Withagen wrote:

| Hi,
| 
| Is there a security problem with ssh that I've missed???
| I keep getting these hordes of:
| Failed password for root from 69.242.5.195 port 39239 ssh2
| with all kinds of different source addresses.

FYI, over the past month there were a couple of (quite long) threads on
this on bugtraq and incidents @securityfocus.  It seems to be some worm
that scans for weak passwords; someone on incidents published a webpage on
this stuff here:

  http://www.jaenicke.org/sk/

with the binaries used and an IRC log chatting with one of the kiddies.
The sources seem to mainly be cracked boxes with, aemh... blank root
passwords.
(every time I read the previous 3 words together I shudder; apologies if
they have the same effect on you :)

| they're back and keep clogging my logs.
| Is there an "easy" way of getting these ip-numbers added to the
| blocking-list of ipfw??

I've just moved the public port of the sshd to another port; quite lame,
but at least I'm not bothered by worms :)

HTH
Frankye

-- 
Frankye Fattarelli                 |U| |P| |S|F|
frankye.DIESPAMMERSDIE@ipv5.net    |R| |S| |Y|I|
this email is RFC 3514 compliant   |G| |H| |N|N|

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 14:29:53 2004
From: "Craig Edwards"
To: "Frankye - ML"
cc: freebsd-security
Date: Sat, 18 Sep 2004 15:32:29 +0100
Organization: Crypt Software
Subject: Re: Re: Attacks on ssh port

Eurgh.... blank root passwords... (shudder)

I stick with the standard of only one user being able to su to root, direct
root logins being disabled, and deleting my toor account unless it is
needed...
>The sources seem to mainly be cracked boxes with, aemh... blank root >passwords. >(every time I read the previous 3 words together I shudder, apologies if >they have the same effect on you :) > >| they're back and keep clogging my logs. >| Is there an "easy" way of getting these ip-numbers added to the >| blocking-list of ipfw?? >

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 14:29:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2259D16A4CE for ; Sat, 18 Sep 2004 14:29:56 +0000 (GMT) Received: from web51007.mail.yahoo.com (web51007.mail.yahoo.com [206.190.38.138]) by mx1.FreeBSD.org (Postfix) with SMTP id B69F943D41 for ; Sat, 18 Sep 2004 14:29:55 +0000 (GMT) (envelope-from chrisryanemail@yahoo.com.au) Message-ID: <20040918142955.61586.qmail@web51007.mail.yahoo.com> Received: from [211.30.19.233] by web51007.mail.yahoo.com via HTTP; Sun, 19 Sep 2004 00:29:55 EST Date: Sun, 19 Sep 2004 00:29:55 +1000 (EST) From: Chris Ryan To: Frankye - ML , freebsd-security@freebsd.org In-Reply-To: <20040918161431.53a63dd3@godzilla> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 14:29:56 -0000

> > I've just moved the public port of the sshd to > another port, quite lame > but at least I'm not bothered by worms :) I believe this has to be one of the simplest ways of stopping incoming ssh attacks. If ssh is the only open port and attackers port scan protection - with the appropriate active firewall that blocks their IP address after x failed attempts permanently.... Chris
From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 16:37:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D1E516A4CE for ; Sat, 18 Sep 2004 16:37:56 +0000 (GMT) Received: from boleskine.patpro.net (boleskine.patpro.net [62.4.20.155]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2727043D2D for ; Sat, 18 Sep 2004 16:37:56 +0000 (GMT) (envelope-from patpro@patpro.net) Received: from localhost (localhost.patpro.net [127.0.0.1]) by boleskine.patpro.net (Postfix) with ESMTP id B1C067ED; Sat, 18 Sep 2004 18:37:55 +0200 (CEST) Received: from boleskine.patpro.net ([127.0.0.1]) by localhost (boleskine.patpro.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69209-02; Sat, 18 Sep 2004 18:37:47 +0200 (CEST) Received: from [192.168.0.1] (cassandre [192.168.0.1]) by boleskine.patpro.net (Postfix) with ESMTP id 8D4206D8; Sat, 18 Sep 2004 18:37:45 +0200 (CEST) Mime-Version: 1.0 (Apple Message framework v619) In-Reply-To: References: Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <10CB0925-0991-11D9-AE98-000D93B1A412@patpro.net> Content-Transfer-Encoding: 7bit From: Patrick Proniewski Date: Sat, 18 Sep 2004 18:37:44 +0200 To: brain@winbot.co.uk, Liste FreeBSD-security X-Mailer: Apple Mail (2.619) X-Virus-Scanned: by amavisd-new at patpro.net Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 16:37:56 -0000

On 18 sept. 2004, at 15:05, Craig Edwards wrote: > as I've read this is an attack from some kiddie trying to build a > floodnet.
> > records show that most of the compromised boxes are linux machines > which end up having suckit rootkit and an energymech installed on > them, I don't know if the attacker has ever gotten into a freebsd > machine and what they'd do if they did. > > On my machines I have a dummy shell which APPEARS to be a successful > login but just returns weird errors (such as "Segmentation Fault") or > bad data for all commands that are issued, while also logging their > commands. I'm tempted to put this on the 'test' account and let them in > on this shell to see what is attempted. Just to clarify, if I did such > a thing there's no way for them to break out of the shell, right? It's a > simple perl script, so if the perl script ends, they're logged off? > This is what I expect to happen, however I don't want to risk it unless > it's 100% safe... And just to clarify again, all commands that are > issued from this fake shell never reach the REAL os, even "uname" > returns a redhat 7.2 string when the real machine is actually freebsd > 5...
> I wouldn't do that if I were you. I think it's more interesting and safer to create a fully jailed system, with a honeypot running in this jail (but well, a honeypot has to be legal in your country, and that is not the case everywhere) patpro -- I'm looking for a Mac/UNIX sysadmin position http://patpro.net/cv.php

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 16:38:40 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 717F016A50F for ; Sat, 18 Sep 2004 16:38:40 +0000 (GMT) Received: from mail.xensia.net (colo1.xensia.net [217.158.173.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id EFA1143D49 for ; Sat, 18 Sep 2004 16:38:39 +0000 (GMT) (envelope-from listsucker@ipv5.net) Received: from 81-174-3-174.f5.ngi.it ([81.174.3.174] helo=godzilla) by mail.xensia.net with asmtp (TLSv1:DES-CBC3-SHA:168) id 1C8iER-000PcN-00; Sat, 18 Sep 2004 17:38:39 +0100 Date: Sat, 18 Sep 2004 18:37:15 +0200 From: Frankye - ML To: freebsd-security@freebsd.org Message-ID: <20040918183715.26098016@godzilla> In-Reply-To: <20040918142955.61586.qmail@web51007.mail.yahoo.com> References: <20040918161431.53a63dd3@godzilla> <20040918142955.61586.qmail@web51007.mail.yahoo.com> X-Mailer: Sylpheed-Claws 0.9.12a (GTK+ 1.2.10; i386-portbld-freebsd4.10) X-Face: =3I@Jvohf91[b8M]~KUNFaCt}pnTO2K^E#_P4`uCU]D"pHw List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 16:38:40 -0000

On Sun, 19 Sep 2004 00:29:55 +1000 (EST) Chris Ryan wrote: | > | > I've just moved the public port of the sshd to | > another port, quite lame | > but at least I'm not bothered by worms :) | | | I believe this has to be one of the simplest ways of | stopping incoming ssh attacks. Of course, this is just to stop mindless (and quite lame in this case) worms from filling my logs.
It has an almost nonexistent impact on the complexity of the system, and almost all the scans (by worms or people with a portscanner) directed at ssh I've ever received are directed at 22 only. This, btw, seems to be the case with all the people I've spoken with on the subject, so I guess it's a good addition to the usual precautions (disallow certain users, do not use passwords and so on, guess everyone has a favorite recipe :) Frankye -- Frankye Fattarelli |U| |P| |S|F| frankye.DIESPAMMERSDIE@ipv5.net |R| |S| |Y|I| this email is RFC 3514 compliant |G| |H| |N|N|

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 17:30:27 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE35516A4CE for ; Sat, 18 Sep 2004 17:30:27 +0000 (GMT) Received: from mproxy.gmail.com (rproxy.gmail.com [64.233.170.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id A224043D5D for ; Sat, 18 Sep 2004 17:30:27 +0000 (GMT) (envelope-from david.downey@gmail.com) Received: by mproxy.gmail.com with SMTP id 79so493975rnk for ; Sat, 18 Sep 2004 10:30:23 -0700 (PDT) Received: by 10.38.15.66 with SMTP id 66mr355106rno; Sat, 18 Sep 2004 10:30:22 -0700 (PDT) Received: by 10.38.82.69 with HTTP; Sat, 18 Sep 2004 10:30:22 -0700 (PDT) Message-ID: <6917b781040918103077c76f0c@mail.gmail.com> Date: Sat, 18 Sep 2004 13:30:22 -0400 From: "David D.W. Downey" To: Willem Jan Withagen In-Reply-To: <414C2798.7060509@withagen.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <414C2798.7060509@withagen.nl> cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "David D.W.
Downey" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 17:30:28 -0000

On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote: > Hi, > > Is there a security problem with ssh that I've missed??? > I keep getting these hordes of: > Failed password for root from 69.242.5.195 port 39239 ssh2 > with all kinds of different source addresses. > > They have a shot or 15 and then they are off again, but a little later on > they're back and keep clogging my logs. > Is there an "easy" way of getting these ip-numbers added to the > blocking-list of ipfw?? > > Thanx, > --WjW Well, you want to see those. So long as you have PermitRootLogin no in your /etc/ssh/sshd_config, they won't be able to get in since ssh is then denied for root (except via a valid ssh key, which you can further lock down by adding from="ip.addr, forward.dns.record.of.host" to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys). A better solution to the verbosity level would probably be to change your kernel config to have something like options IPFIREWALL_VERBOSE_LIMIT=3 or using the sysctl.conf oid net.inet.ip.fw.verbose_limit=3. Then you can still see the attempts (and thus log the IP information for contacting the abuse@ for the responsible IP controller) while limiting your log sizes. -- David D.W.
Downey

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 19:23:15 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49B4616A4CE for ; Sat, 18 Sep 2004 19:23:15 +0000 (GMT) Received: from h2.prohosting.com.ua (h2.prohosting.com.ua [217.16.18.181]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD15A43D41 for ; Sat, 18 Sep 2004 19:23:14 +0000 (GMT) (envelope-from news@625.ru) Received: from [194.84.94.11] (helo=[192.168.5.24]) by h2.prohosting.com.ua with esmtpa (Exim 4.42 (FreeBSD)) id 1C8kkN-000Jff-EH for freebsd-security@freebsd.org; Sat, 18 Sep 2004 23:19:49 +0400 Date: Sat, 18 Sep 2004 23:22:48 +0400 From: Danil V.Gerun Organization: Project 625.ru X-Priority: 3 (Normal) Message-ID: <621146771453.20040918232248@625.ru> To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - h2.prohosting.com.ua X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6] X-AntiAbuse: Sender Address Domain - 625.ru X-Source: X-Source-Args: X-Source-Dir: Subject: Random source ports in FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Danil V.Gerun" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 19:23:15 -0000

Hello, all! In the beginning I want to say that this question seems to be a security one, isn't it so?.. Recently I was googling for the subject and couldn't find anything... Even in the opennet.ru forum nobody answered me about this. So, as far as I got to know, randomizing source ports in FreeBSD is impossible now? (to be exact - is not implemented?)
It's very interesting to me - WHY is it so? I mean - maybe there are good reasons for not making all this?.. Anyway, I looked at how it is done in OpenBSD and made a patch for FreeBSD. I've uploaded the patches for FreeBSD 4 and FreeBSD 5 here: http://www.625.ru/rlsp/ Direct links: http://www.625.ru/rlsp/in_pcb.c.patch.4 http://www.625.ru/rlsp/in_pcb.c.patch.5 It seems to be working on my 4.9 box =) - after recompiling the kernel the system picks a random port for making a connection. Especially - when I increase net.inet.ip.portrange.last, for example, to the value 20000. The ports become 'more random' :) What the patch does: it creates a sysctl variable net.inet.ip.random_lport, which is "off" by default. When it is nonzero, the OpenBSD method is used in sys/netinet/in_pcb.c (in in_pcbbind() in FreeBSD 4 and in_pcbbind_setup() in FreeBSD 5) to pick a source port. Otherwise - the 'old' FreeBSD method is used. The exact OpenBSD method for finding a free random port is used (but that wasn't just copy-paste =)) ). I don't have the opportunity to test the FreeBSD 5 patch, but I tried to analyze the patching results attentively (what I worry about - is using the arc4random() function in FreeBSD 5...). I'm eager to hear your opinions on all this, as I'm rather a newbie to administrating FreeBSD (and especially - to 'hacking' the kernel). If you find errors, please try to understand that this is the first time I decided to change something 'so deep' in FreeBSD and decided to make a patch for this ;-)) (but I tried to do my best to avoid errors) Some information about this patch is here - http://www.625.ru/rlsp/ -- Best regards, Danil V. Gerun.
danil@hate.spam.625.ru

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 20:07:37 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0225716A4CE for ; Sat, 18 Sep 2004 20:07:37 +0000 (GMT) Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 7823143D1F for ; Sat, 18 Sep 2004 20:07:36 +0000 (GMT) (envelope-from silby@silby.com) Received: (qmail 91840 invoked from network); 18 Sep 2004 20:07:35 -0000 Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 18 Sep 2004 20:07:35 -0000 X-pair-Authenticated: 209.68.2.70 Date: Sat, 18 Sep 2004 15:07:34 -0500 (CDT) From: Mike Silbersack To: "Danil V.Gerun" In-Reply-To: <621146771453.20040918232248@625.ru> Message-ID: <20040918150205.A8909@odysseus.silby.com> References: <621146771453.20040918232248@625.ru> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed cc: freebsd-security@freebsd.org Subject: Re: Random source ports in FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 20:07:37 -0000

On Sat, 18 Sep 2004, Danil V.Gerun wrote: > So, as far as I got to know, randomizing source ports in FreeBSD is > impossible now? (to be exact - is not implemented?) > > It's very interesting to me - WHY is it so? > I mean - may be there are good reasons for not making all this?.. Source port randomization was implemented before 4.10 was released.
See in_pcb.c revisions 1.143 - 1.146, 1.59.2.27, or 1.59.2.27.2.1, depending on the branch you're interested in: http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_pcb.c > I don't have opportunity to test the FreeBSD 5 patch, but I tried to > analyze the patching results attentively (what I worry about - is > using the arc4random() function in FreeBSD 5...). What are your concerns with the way port randomization was implemented in FreeBSD? Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 21:44:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9BE8816A4CF for ; Sat, 18 Sep 2004 21:44:56 +0000 (GMT) Received: from freebee.digiware.nl (dsl390.iae.nl [212.61.63.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9BD7E43D46 for ; Sat, 18 Sep 2004 21:44:55 +0000 (GMT) (envelope-from wjw@withagen.nl) Received: from [212.61.27.71] (dual [212.61.27.71]) by freebee.digiware.nl (8.12.10/8.12.10) with ESMTP id i8ILirEg065735; Sat, 18 Sep 2004 23:44:53 +0200 (CEST) (envelope-from wjw@withagen.nl) Message-ID: <414CAC56.8020601@withagen.nl> Date: Sat, 18 Sep 2004 23:44:54 +0200 From: Willem Jan Withagen User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "David D.W.
Downey" References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> In-Reply-To: <6917b781040918103077c76f0c@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 21:44:56 -0000

David D.W. Downey wrote: >On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote: > > >>Hi, >> >>Is there a security problem with ssh that I've missed??? >>I keep getting these hordes of: >> Failed password for root from 69.242.5.195 port 39239 ssh2 >>with all kinds of different source addresses. >> >>They have a shot or 15 and then they are off again, but a little later on >>they're back and keep clogging my logs. >>Is there an "easy" way of getting these ip-numbers added to the >>blocking-list of ipfw?? >> >>Thanx, >>--WjW >> >> > >Well, you want to see those. So long as you have > >PermitRootLogin no > >in your /etc/ssh/sshd_config, they won't be able to get in since ssh >is then denied for root (except via a valid ssh key which you can >further lock down by adding > >from="ip.addr, forward.dns.record.of.host" > >to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys) > > > It is not about all this. I know these, and I use them if appropriate. (Come to think of it, I was one of the first externals to test Wietse Venema's TCP-wrapper.) Once I have identified the nature and quality of this type of problem, I want to deal with it in such a way that it is no longer a bother. And in this particular case these records are clogging my login error records. And because of that I just might miss out on the one or two that do matter.
You might want to call it noise-reduction, and I'm looking for as large a Signal/Noise ratio as possible. So that is why I would like to be able to throw root/ssh login attempts directly in the garbage and kill the host where these are coming from with a record in my firewall. --WjW

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 22:04:50 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1466816A4CE for ; Sat, 18 Sep 2004 22:04:50 +0000 (GMT) Received: from mproxy.gmail.com (rproxy.gmail.com [64.233.170.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD49643D31 for ; Sat, 18 Sep 2004 22:04:49 +0000 (GMT) (envelope-from david.downey@gmail.com) Received: by mproxy.gmail.com with SMTP id 79so585787rnk for ; Sat, 18 Sep 2004 15:04:46 -0700 (PDT) Received: by 10.38.99.13 with SMTP id w13mr1134422rnb; Sat, 18 Sep 2004 15:04:45 -0700 (PDT) Received: by 10.38.82.69 with HTTP; Sat, 18 Sep 2004 15:04:45 -0700 (PDT) Message-ID: <6917b781040918150446b7dada@mail.gmail.com> Date: Sat, 18 Sep 2004 18:04:45 -0400 From: "David D.W. Downey" To: Willem Jan Withagen In-Reply-To: <414CAC56.8020601@withagen.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl> cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "David D.W. Downey" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 22:04:50 -0000

> >On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen wrote: > It is not about all this. I know these, and I use them if appropriate.
> (Come to think of it, I was one of the first externals to test Wietse > Venema's TCP-wrapper.) > > Once I have identified the nature and quality of this type of problem, > I want to deal with it in such a way that it is no longer a bother. And > in this particular case these records are clogging my login error > records. And because of that I just might miss out on the one or two > that do matter. You might want to call it noise-reduction, and I'm > looking for as large a Signal/Noise ratio as possible. > So that is why I would like to be able to throw root/ssh login attempts > directly in the garbage and kill the host where these are coming from > with a record in my firewall. > OK, was a simple suggestion. (no derogatory tone meant). I will say this much: adding each individual host that scans your machine instantly to your firewall WILL end up killing your machine due to lookups if this is in place during any large scan or direct port attacks. I do think you're being overly concerned about your log entries since this is *exactly* what the system is *supposed* to do, log the entries for further use by the admin if needed. There is no signal to noise reduction gained, since what you consider noise is what the system is *designed* to do. If you want to reduce the number of entries then reduce the # of entries it logs (aka when you enable the verbose_limit count it won't log any more than that number of attempts from a host. So set it to 2 or even 1 (I would suggest 2 so you only get what should be considered a bona fide failure)). If you want to enable firewalling based on that information then you're going to have to write a custom script to cull the information from the logfiles or enable some ports NIDS, or 3rd party NIDS to do this for you (such as maybe portsentry and hostsentry for a basic choice option set). Hopefully this helps. -- David D.W.
Downey

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 22:25:53 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2270E16A4CE for ; Sat, 18 Sep 2004 22:25:53 +0000 (GMT) Received: from freebee.digiware.nl (dsl390.iae.nl [212.61.63.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54D7143D46 for ; Sat, 18 Sep 2004 22:25:52 +0000 (GMT) (envelope-from wjw@withagen.nl) Received: from [212.61.27.71] (dual [212.61.27.71]) by freebee.digiware.nl (8.12.10/8.12.10) with ESMTP id i8IMPoEg067167; Sun, 19 Sep 2004 00:25:51 +0200 (CEST) (envelope-from wjw@withagen.nl) Message-ID: <414CB5EF.7080901@withagen.nl> Date: Sun, 19 Sep 2004 00:25:51 +0200 From: Willem Jan Withagen User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "David D.W. Downey" References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl> <6917b781040918150446b7dada@mail.gmail.com> In-Reply-To: <6917b781040918150446b7dada@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 22:25:53 -0000

David D.W. Downey wrote: >> OK, was a simple suggestion. (no derogatory tone meant). > I'm sorry. No intention to put you down. The suggestions you made are very valid. And a lot of them were already in place. Please attribute it to being a non-native English speaker. >> I will say >> this much.
adding each individual host that scans your machine >> instantly to your firewall WILL end up killing your machine due to >> lookups if this is in place during any large scan or direct port >> attacks. > I also have portsentry in a rather sensitive mode doing exactly the same thing. Trigger one of the "backdoor" ports, and you're out of my game. >> I do think you're being overly concerned about your log entries since >> this is *exactly* what the system is *supposed* to do, log the entries >> for further use by the admin if needed. There is no signal to noise >> reduction gained, since what you consider noise is what the system is >> *designed* to do. If you want to reduce the number of entries then >> reduce the # of entries it logs (aka when you enable the verbose_limit >> count it won't log any more than that number of attempts from a host. >> So set it to 2 or even 1 (i would suggest 2 so you only get what >> should be considered a bona fide failure) ) > True, and perhaps even more true. BUT since I've now concluded that there are script-kiddies trying ssh break-ins ad nauseam, this logging gets a totally different meaning. I don't need to see these specific warnings myself anymore; it is a full indication of a host that is no longer under its master's control. So instead of waiting to see if the attacks get any smarter, just deny full access. Blunt but effective. Note that this is on a server of one of my customers. And having seen the havoc of previously hacked systems at the ISP where I worked, I prefer to be a little more safe. The only reason that this would kill my machine is when the list of IP-numbers gets so large that it keeps the system from doing anything else any more. But it has not come this far yet; Moore's law outpaces this problem by far.
>> If you want to enable firewalling based on that information then >> you're going to have to write a custom script to cull the information >> from the logfiles or enable some ports NIDs, or 3rd party NIDS to do >> this for you. (Such as maybe portsentry and hostsentry for a basic >> choice option set) > I used to run one of such tools, but found those just a little bit too inaccurate to actually trust it for this job. Remember that you do not have the time to turn over the logfile at midnight, and then start blocking ip-numbers. It has to be done at first sight of a possible attempt to break into the system. But perhaps I'll start running that again. --WjW

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 22:28:20 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E490316A4CE for ; Sat, 18 Sep 2004 22:28:20 +0000 (GMT) Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8614343D2F for ; Sat, 18 Sep 2004 22:28:20 +0000 (GMT) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 1C8ngq-0001IJ-0u for freebsd-security@freebsd.org; Sat, 18 Sep 2004 18:28:20 -0400 Date: Sat, 18 Sep 2004 18:28:19 -0400 From: Peter Radcliffe To: "freebsd-security@FreeBSD.ORG" Message-ID: <20040918222819.GG20449@pir.net> Mail-Followup-To: "freebsd-security@FreeBSD.ORG" References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl> <6917b781040918150446b7dada@mail.gmail.com> <414CB5EF.7080901@withagen.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <414CB5EF.7080901@withagen.nl> User-Agent: Mutt/1.4.2i X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: freebsd-security@freebsd.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 22:28:21 -0000

Willem Jan Withagen probably said: > I also have portsentry in a rather sensitive mode doing exactly the same > thing. > Trigger one of the "backdoor" ports, and you're out of my game. The general problem with this type of reactive filtering is that if someone can spoof the source addresses effectively or cause a connection from a legitimate host, you've just DoSed yourself... Personally I only allow ssh from known legitimate sources and block the rest so the "noise" is in a completely different list. P. -- pir

From owner-freebsd-security@FreeBSD.ORG Sat Sep 18 22:44:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F166C16A4CE for ; Sat, 18 Sep 2004 22:44:34 +0000 (GMT) Received: from freebee.digiware.nl (dsl390.iae.nl [212.61.63.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55A8743D31 for ; Sat, 18 Sep 2004 22:44:34 +0000 (GMT) (envelope-from wjw@withagen.nl) Received: from [212.61.27.71] (dual [212.61.27.71]) by freebee.digiware.nl (8.12.10/8.12.10) with ESMTP id i8IMiXEg067749 for ; Sun, 19 Sep 2004 00:44:33 +0200 (CEST) (envelope-from wjw@withagen.nl) Message-ID: <414CBA51.4060502@withagen.nl> Date: Sun, 19 Sep 2004 00:44:33 +0200 From: Willem Jan Withagen User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <414C2798.7060509@withagen.nl> <6917b781040918103077c76f0c@mail.gmail.com> <414CAC56.8020601@withagen.nl> <6917b781040918150446b7dada@mail.gmail.com>
<414CB5EF.7080901@withagen.nl> <20040918222819.GG20449@pir.net> In-Reply-To: <20040918222819.GG20449@pir.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Attacks on ssh port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2004 22:44:35 -0000

Peter Radcliffe wrote: >Willem Jan Withagen probably said: > > >>I also have portsentry in a rather sensitive mode doing exactly the same >>thing. >>Trigger one of the "backdoor" ports, and you're out of my game. >> >> > >The general problem with this type of reactive filtering is that if >someone can spoof the source addresses effectively or cause a connection >from a legitimate host you've just DoSed yourself... > >Personally I only allow ssh from known legitimate sources and block the >rest so the "noise" is in a completely different list. > > I do too, on systems that are completely mine. But I had to "force" this customer to refrain from using ftp/telnet/... with plain open passwords. And access to this box is required from various remote locations with yet unknown IPs. So I have little chance there. As far as I know, you need to go through a lot of trouble to complete a spoofed full 3-way handshake just to get my maintenance IP-number blocked. Next to the fact that there is a rule before the blocked list which lets me in anyway.... :) --WjW
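The pieces of this thread fit together in one small tool: Willem's wish to block a source at first sight rather than after the nightly log rotation, David Downey's suggestion of a custom script that culls the information from the logfiles, Peter Radcliffe's warning that reactive filtering can be turned against you, and Willem's answer to it, a rule ahead of the blocked list that always lets the maintenance address in. The following is an added example written for this page, not code posted by anyone on the list. It parses the sshd "Failed password" lines quoted in the thread (plus sshd's "invalid user" variant) from a constructed sample log, counts failures per source, discards anything inside an operator-supplied allow list before it can ever be considered for blocking, and prints ipfw commands instead of executing them. Assumptions: ipfw2 table syntax (FreeBSD 5.3 and later; on an older ipfw you would emit one deny rule per host instead), a threshold of three failures, and made-up hostname, PIDs, a 198.51.100.0/24 maintenance network and 10.9.8.7 / 203.0.113.9 attacker addresses; 69.242.5.195 is the address from Willem's quoted log line.

```python
"""Cull sshd password failures from syslog and emit ipfw commands.

Added example for the freebsd-security "Attacks on ssh port" thread;
not code from any participant. Commands are printed, never executed.
"""
import ipaddress
import re
import sys
from collections import Counter

# sshd(8) auth lines as quoted in the thread, plus the "invalid user" form:
#   Failed password for root from 69.242.5.195 port 39239 ssh2
#   Failed password for invalid user test from 10.9.8.7 port 51002 ssh2
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample log (hostname "gw", PIDs and most addresses made up).
# 69.242.5.195 is the source quoted in the thread; 198.51.100.7 stands in
# for the admin's own maintenance host mistyping a password three times;
# 203.0.113.9 is a single stray attempt below the threshold.
SAMPLE_LOG = """\
Sep 18 14:01:02 gw sshd[6123]: Failed password for root from 69.242.5.195 port 39239 ssh2
Sep 18 14:01:05 gw sshd[6125]: Failed password for root from 69.242.5.195 port 39241 ssh2
Sep 18 14:01:09 gw sshd[6127]: Failed password for root from 69.242.5.195 port 39244 ssh2
Sep 18 14:02:11 gw sshd[6130]: Failed password for invalid user test from 10.9.8.7 port 51002 ssh2
Sep 18 14:02:14 gw sshd[6131]: Failed password for invalid user guest from 10.9.8.7 port 51003 ssh2
Sep 18 14:02:17 gw sshd[6132]: Failed password for invalid user admin from 10.9.8.7 port 51005 ssh2
Sep 18 14:05:40 gw sshd[6140]: Failed password for wjw from 198.51.100.7 port 40110 ssh2
Sep 18 14:05:44 gw sshd[6140]: Failed password for wjw from 198.51.100.7 port 40110 ssh2
Sep 18 14:05:49 gw sshd[6140]: Failed password for wjw from 198.51.100.7 port 40110 ssh2
Sep 18 14:05:55 gw sshd[6140]: Accepted publickey for wjw from 198.51.100.7 port 40110 ssh2
Sep 18 14:07:00 gw sshd[6150]: Failed password for root from 203.0.113.9 port 2200 ssh2
"""


def parse_failures(lines):
    """Count failed password attempts per source address."""
    hits = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def pick_offenders(hits, threshold, allow_nets):
    """Sources with at least `threshold` failures, minus the allowed networks.

    The allow list is consulted first, so the maintenance path can never
    land in the deny table, however often its owner mistypes a password
    or however many failures an attacker manages to produce in its name.
    """
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    offenders = []
    for ip, count in hits.items():
        if count < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        offenders.append(ip)
    return sorted(offenders, key=ipaddress.ip_address)


def ipfw_commands(offenders, table=1):
    """One 'ipfw table N add' per offender (ipfw2 table syntax assumed)."""
    return ["ipfw table %d add %s" % (table, ip) for ip in offenders]


def ipfw_skeleton(allow_net, table=1):
    """Static rules: the maintenance net is allowed before the deny table is consulted."""
    return [
        "ipfw add 100 allow tcp from %s to me 22 in" % allow_net,
        "ipfw add 200 deny tcp from table(%d) to me 22 in" % table,
    ]


if __name__ == "__main__":
    # Usage: python sshd_culler.py [/var/log/auth.log]; without an argument
    # the constructed sample is used. Pipe the output into sh once trusted.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = parse_failures(text.splitlines())
    bad = pick_offenders(hits, threshold=3, allow_nets=["198.51.100.0/24"])
    for cmd in ipfw_skeleton("198.51.100.0/24") + ipfw_commands(bad):
        print(cmd)
```

On the sample, 69.242.5.195 and 10.9.8.7 end up in the table, 203.0.113.9 stays below the threshold, and 198.51.100.7 is skipped because the allow list is checked before the count. The printed rule 100 sits ahead of rule 200 for the same reason Willem gives above: a spoofed or induced failure from the maintenance network can fill the table but cannot lock the operator out. To act "at first sight" rather than at log rotation, feed the script from a syslog pipe or a short cron interval and make the table add idempotent (ipfw ignores a duplicate table entry with an error you can discard).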