From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 00:09:10 2005
Date: Tue, 5 Apr 2005 00:09:09 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:02.sendfile

=============================================================================
FreeBSD-SA-05:02.sendfile                                   Security Advisory
                                                          The FreeBSD Project

Topic:          sendfile kernel memory disclosure

Category:       core
Module:         sys_kern
Announced:      2005-04-04
Credits:        Sven Berkvens
                Marc Olzheim
Affects:        All FreeBSD 4.x releases
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-04-04 23:52:02 UTC (RELENG_5, 5.4-STABLE)
                2005-04-04 23:52:35 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-04-04 23:53:24 UTC (RELENG_5_3, 5.3-RELEASE-p7)
                2005-04-04 23:53:36 UTC (RELENG_4, 4.11-STABLE)
                2005-04-04 23:53:56 UTC (RELENG_4_11, 4.11-RELEASE-p2)
                2005-04-04 23:54:13 UTC (RELENG_4_10, 4.10-RELEASE-p7)
                2005-04-04 23:54:33 UTC (RELENG_4_8, 4.8-RELEASE-p29)
CVE Name:       CAN-2005-0708

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The sendfile(2) system call allows a server application (such as an HTTP
or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory.  High
performance servers such as Apache and ftpd use sendfile.

II.  Problem Description

If the file being transmitted is truncated after the transfer has started
but before it completes, sendfile(2) will transfer the contents of more or
less random portions of kernel memory in lieu of the missing part of the
file.

III. Impact

A local user could create a large file and truncate it while transferring
it to himself, thus obtaining a copy of portions of system memory to which
he would normally not have access.  Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers.  This
information might be directly useful, or it might be leveraged to obtain
elevated privileges in some way.  For example, a terminal buffer might
include a user-entered password.

IV.  Workaround

No known workaround.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, RELENG_4_10, or RELENG_4_8 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch.asc

[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_4
  src/sys/ufs/ffs/ffs_inode.c                                      1.56.2.6
RELENG_4_11
  src/UPDATING                                                1.73.2.91.2.3
  src/sys/conf/newvers.sh                                     1.44.2.39.2.6
  src/sys/ufs/ffs/ffs_inode.c                                 1.56.2.5.12.1
RELENG_4_10
  src/UPDATING                                                1.73.2.90.2.8
  src/sys/conf/newvers.sh                                     1.44.2.34.2.8
  src/sys/ufs/ffs/ffs_inode.c                                 1.56.2.5.10.1
RELENG_4_8
  src/UPDATING                                               1.73.2.80.2.33
  src/sys/conf/newvers.sh                                    1.44.2.29.2.29
  src/sys/ufs/ffs/ffs_inode.c                                  1.56.2.5.6.1
RELENG_5
  src/sys/ufs/ffs/ffs_inode.c                                      1.93.2.2
RELENG_5_4
  src/UPDATING                                               1.342.2.24.2.1
  src/sys/ufs/ffs/ffs_inode.c                                  1.93.2.1.2.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.10
  src/sys/conf/newvers.sh                                    1.62.2.15.2.12
  src/sys/ufs/ffs/ffs_inode.c                                      1.93.4.1
-------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc

Date: Tue, 5 Apr 2005 03:10:54 +0200 (CEST)
From: "Jesper Wallin"
Reply-To: jesper@hackunite.net
To: freebsd-security@freebsd.org
Subject: Strange messages in dmesg after DDoS-attack.

Dear list,

A few days ago one of my machines was attacked by a DDoS attack using UDP
on random ports. When I later analyzed the logs, I found this in my
dmesg:

xl0: initialization of the rx ring failed (55)
xl0: initialization of the rx ring failed (55)
xl0: initialization of the rx ring failed (55)

I tried to find out on Google what it meant, but without any luck. What
does that mean, and how can I correct it (if it's a problem, of course)?

Best regards,
Jesper Wallin

Date: Mon, 4 Apr 2005 20:16:21 -0500 (CDT)
From: Mike Silbersack
To: Jesper Wallin
Cc: freebsd-security@freebsd.org
Subject: Re: Strange messages in dmesg after DDoS-attack.

On Tue, 5 Apr 2005, Jesper Wallin wrote:

> Dear list,
>
> A few days ago one of my machines was attacked by a DDoS attack using UDP
> on random ports. When I later analyzed the logs, I found this in my
> dmesg:
>
> xl0: initialization of the rx ring failed (55)
> xl0: initialization of the rx ring failed (55)
> xl0: initialization of the rx ring failed (55)
>
> I tried to find out on Google what it meant, but without any luck. What
> does that mean, and how can I correct it (if it's a problem, of course)?
>
> Best regards,
> Jesper Wallin

It means that we have a bug in the xl driver, probably nothing too
serious.  Were there any other xl0 related messages, like "watchdog
timeout"?

My guess is that we have a problem under high traffic conditions, and the
DDoS would qualify as that.
Mike "Silby" Silbersack

Date: Tue, 5 Apr 2005 03:32:01 +0200 (CEST)
From: "Jesper Wallin"
Reply-To: jesper@hackunite.net
To: "Mike Silbersack"
Cc: freebsd-security@freebsd.org
Subject: Re: Strange messages in dmesg after DDoS-attack.

> On Tue, 5 Apr 2005, Jesper Wallin wrote:
>
>> Dear list,
>>
>> A few days ago one of my machines was attacked by a DDoS attack using
>> UDP on random ports. When I later analyzed the logs, I found this in my
>> dmesg:
>>
>> xl0: initialization of the rx ring failed (55)
>> xl0: initialization of the rx ring failed (55)
>> xl0: initialization of the rx ring failed (55)
>>
>> I tried to find out on Google what it meant, but without any luck. What
>> does that mean, and how can I correct it (if it's a problem, of course)?
>>
>> Best regards,
>> Jesper Wallin
>
> It means that we have a bug in the xl driver, probably nothing too
> serious.  Were there any other xl0 related messages, like "watchdog
> timeout"?
>
> My guess is that we have a problem under high traffic conditions, and the
> DDoS would qualify as that.
>
> Mike "Silby" Silbersack

Hi Mike,

First of all, thanks for your reply. Nope, as far as I can see, I only got
6 of those lines and nothing more.

I have a fxp0 in my other server; would you recommend me to switch the
NICs, since the server using the xl0 has higher priority than the fxp0
one?
Regards,
Jesper Wallin

Date: Mon, 4 Apr 2005 21:47:58 -0500 (CDT)
From: Mike Silbersack
To: Jesper Wallin
Cc: freebsd-security@freebsd.org
Subject: Re: Strange messages in dmesg after DDoS-attack.

On Tue, 5 Apr 2005, Jesper Wallin wrote:

> Hi Mike,
>
> First of all, thanks for your reply. Nope, as far as I can see, I only
> got 6 of those lines and nothing more.
>
> I have a fxp0 in my other server; would you recommend me to switch the
> NICs, since the server using the xl0 has higher priority than the fxp0
> one?
>
> Regards,
> Jesper Wallin

All network cards/drivers have some bugs in them, so as long as the 3com
card survived the DDoS and didn't require the interface to be restarted,
I'd stick with it.

I think I found how those messages appeared: xl_init is called whenever
the card sets the flag "ADFAIL", whatever that means.  Apparently it's bad
and the network driver resets itself when it happens.  So you're probably
losing a few packets as a result of the reset, but other than that I don't
see it causing any real problems.
Mike "Silby" Silbersack

Date: Tue, 05 Apr 2005 10:14:16 +0200
From: Uwe Doering
Organization: Private UNIX Site
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:02.sendfile

FreeBSD Security Advisories wrote:
> [...]
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 4.x]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch.asc
> [...]

The patch file (and CVS, too) contains this:

--------------------- cut here ----------------------
--- sys/ufs/ffs/ffs_inode.c	5 Feb 2002 18:35:03 -0000	1.56.2.5
+++ sys/ufs/ffs/ffs_inode.c	11 Mar 2005 14:29:19 -0000
@@ -197,6 +197,7 @@
 #endif
 	softdep_setup_freeblocks(oip, length);
 	vinvalbuf(ovp, 0, cred, p, 0, 0);
+	vnode_pager_setsize(vp, 0);
 	oip->i_flag |= IN_CHANGE | IN_UPDATE;
 	return (ffs_update(ovp, 0));
 }
--------------------- cut here ----------------------

I wonder, isn't the variable 'vp' actually supposed to be 'ovp' in the
added line?  Technically they are identical.  'ovp' is assigned from 'vp'
once in the variable definition section at the start of the function.

However, using 'vp' when calling vnode_pager_setsize() looks a little odd
given that anywhere else in this function, including another call to
vnode_pager_setsize(), the variable 'ovp' is used instead of 'vp'.

I can't tell why 'ovp' was introduced in the first place.  Might have
historical reasons.  But that's how the code currently works.  In the
MAIN branch as well, according to CVS.

So I'd suggest to replace 'vp' with 'ovp' in the patch above, for the
sake of clarity and consistency.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
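Review bot: the added line passes `vp` while every neighbouring line in the hunk (`vinvalbuf(ovp, 0, cred, p, 0, 0);` and `return (ffs_update(ovp, 0));`) passes `ovp`, and the hunk does not include the declaration that makes the two names refer to the same vnode, so a reader of the diff alone cannot verify the aliasing; either use `ovp` in the new `vnode_pager_setsize()` call to match the surrounding code, or widen the context so the assignment of `ovp` from `vp` is visible in the patch.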
Date: Tue, 05 Apr 2005 01:40:03 -0700
From: Colin Percival
To: Uwe Doering
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:02.sendfile

Uwe Doering wrote:
> +	vnode_pager_setsize(vp, 0);
>
> I wonder, isn't the variable 'vp' actually supposed to be 'ovp' in the
> added line?  Technically they are identical.  'ovp' is assigned from
> 'vp' once in the variable definition section at the start of the function.
>
> However, using 'vp' when calling vnode_pager_setsize() looks a little
> odd given that anywhere else in this function, including another call to
> vnode_pager_setsize(), the variable 'ovp' is used instead of 'vp'.

I agree that it looks a bit odd; a few people have pointed this out to us
(but none of them before it was committed into the CVS tree).  That said,
it doesn't seem to matter, so I'm not going to go back and change the
patch now.
Colin Percival

Date: Tue, 05 Apr 2005 11:43:02 +0100
From: Ian G
Organization: http://iang.org/
To: freebsd-security@freebsd.org
Subject: Secunia / Firefox Javascript "Arbitrary Memory Exposure" test

I just confirmed the following bug on my Firefox.

http://secunia.com/advisories/14820/

Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050219 Firefox/1.0

(I think my Firefox is a month or two behind, from ports, but the advisory
indicates both 1.0.1 and 1.0.2 are affected.)

FreeBSD localhost 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
To: freebsd-security@freebsd.org
From: Christopher Nehren
Date: Tue, 5 Apr 2005 17:26:03 +0000 (UTC)
Organization: /usr/bin/false
Subject: Re: Secunia / Firefox Javascript "Arbitrary Memory Exposure" test

On 2005-04-05, Ian G scribbled these curious markings:
> I just confirmed the following bug on my firefox.
>
> http://secunia.com/advisories/14820/

I also see it in Seamonkey, Epiphany, and Galeon.

Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8b) Gecko/20050315
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050311 Epiphany/1.6.0
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050311 Galeon/1.3.19

Best Regards,
Christopher Nehren

-- 
I abhor a system designed for the "user", if that word is a coded
pejorative meaning "stupid and unsophisticated". -- Ken Thompson
If you ask the wrong questions, you get answers like "42" and "God".
Unix is user friendly. However, it isn't idiot friendly.
Date: Wed, 6 Apr 2005 01:11:57 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:03.amd64

=============================================================================
FreeBSD-SA-05:03.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          unprivileged hardware access on amd64

Category:       core
Module:         sys_amd64
Announced:      2004-04-06
Credits:        Jari Kirma
Affects:        All FreeBSD/amd64 5.x releases prior to 5.4-RELEASE
Corrected:      2005-04-06 01:05:51 UTC (RELENG_5, 5.4-STABLE)
                2005-04-06 01:06:15 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-04-06 01:06:44 UTC (RELENG_5_3, 5.3-RELEASE-p8)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The AMD64 architecture has two mechanisms for permitting processes to
access hardware: Kernel code can access hardware directly by reason of
its elevated privilege level, while user code can access a subset of
hardware determined by a bitmap.

II.  Problem Description

The bitmap which determines which hardware can be accessed by
unprivileged processes was not initialized properly.

III. Impact

Unprivileged users on amd64 systems can gain direct access to some
hardware, allowing for denial of service, disclosure of sensitive
information, or possible privilege escalation.

IV.  Workaround

No workaround is known for amd64 systems; other platforms are not
affected by this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or to the RELENG_5_3
security branch dated after the correction date.
2) To patch your present system:

a) Download the patch from the location below, and verify the detached
PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:03/amd64.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:03/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5
  src/sys/amd64/amd64/machdep.c                                 1.618.2.10
  src/sys/amd64/amd64/mp_machdep.c                               1.242.2.8
  src/sys/amd64/include/tss.h                                     1.16.2.1
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.2
  src/sys/amd64/amd64/machdep.c                              1.618.2.9.2.1
  src/sys/amd64/amd64/mp_machdep.c                           1.242.2.7.2.1
  src/sys/amd64/include/tss.h                                     1.16.6.1
RELENG_5_3
  src/UPDATING                                             1.342.2.13.2.11
  src/sys/conf/newvers.sh                                   1.62.2.15.2.13
  src/sys/amd64/amd64/machdep.c                              1.618.2.1.2.1
  src/sys/amd64/amd64/mp_machdep.c                           1.242.2.2.2.1
  src/sys/amd64/include/tss.h                                     1.16.4.1
-------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:03.amd64.asc

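To make the fail-open default behind the advisory's Problem Description concrete, here is a user-space model added here, not part of the advisory or of FreeBSD's kernel sources: it assumes the x86 convention that a clear bit in the I/O permission bitmap permits a port and a set bit denies it (with ports beyond the bitmap's limit always denied), so a bitmap left zeroed hands every port to unprivileged code, while a deny-all initialization grants none until a port is explicitly allowed. All struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical user-space model of an x86 I/O permission bitmap, written to
 * illustrate the advisory; it is not FreeBSD kernel code.  Assumed hardware
 * convention: one bit per port, a CLEAR bit permits the port, a SET bit
 * denies it, and any port at or beyond the bitmap's limit is denied.
 * Consequence: a zero-filled bitmap permits every port, which is the
 * fail-open state an initialization bug produces.
 */
#define IO_PORTS   65536u
#define IOPB_BYTES (IO_PORTS / 8u)

struct iopb_model {
    uint8_t  map[IOPB_BYTES];
    uint32_t limit_ports;   /* ports >= limit_ports are denied regardless of bits */
};

/* Zeroed memory with a full limit: the fail-open default. */
void iopb_init_zeroed(struct iopb_model *b)
{
    memset(b->map, 0x00, sizeof b->map);
    b->limit_ports = IO_PORTS;
}

/* Fail-closed default: every bit set, so nothing is reachable until granted. */
void iopb_init_deny_all(struct iopb_model *b)
{
    memset(b->map, 0xff, sizeof b->map);
    b->limit_ports = IO_PORTS;
}

/* Grant one port by clearing its bit; out-of-range ports cannot be granted. */
bool iopb_allow_port(struct iopb_model *b, uint32_t port)
{
    if (port >= b->limit_ports)
        return false;
    b->map[port / 8u] &= (uint8_t)~(1u << (port % 8u));
    return true;
}

/* The check the CPU performs on an IN/OUT issued by unprivileged code. */
bool iopb_port_allowed(const struct iopb_model *b, uint32_t port)
{
    if (port >= b->limit_ports)
        return false;
    return (b->map[port / 8u] & (1u << (port % 8u))) == 0;
}

/* How many of the 65536 ports unprivileged code could touch. */
uint32_t iopb_count_allowed(const struct iopb_model *b)
{
    uint32_t n = 0;
    for (uint32_t p = 0; p < IO_PORTS; p++)
        if (iopb_port_allowed(b, p))
            n++;
    return n;
}

/* Scenario helpers so the cases can be compared side by side. */
uint32_t reachable_after_zeroed_init(void)
{
    struct iopb_model b;
    iopb_init_zeroed(&b);
    return iopb_count_allowed(&b);
}

uint32_t reachable_after_deny_all_init(void)
{
    struct iopb_model b;
    iopb_init_deny_all(&b);
    return iopb_count_allowed(&b);
}

/* Deny-all, then grant exactly one port (the port value is a constructed example). */
uint32_t reachable_after_single_grant(uint32_t port)
{
    struct iopb_model b;
    iopb_init_deny_all(&b);
    (void)iopb_allow_port(&b, port);
    return iopb_count_allowed(&b);
}

int main(void)
{
    printf("zeroed bitmap:         %u ports reachable\n", reachable_after_zeroed_init());
    printf("deny-all bitmap:       %u ports reachable\n", reachable_after_deny_all_init());
    printf("deny-all + port 0x3f8: %u ports reachable\n", reachable_after_single_grant(0x3f8));
    return 0;
}
```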
Date: Wed, 6 Apr 2005 03:34:09 +0200 (CEST)
From: "Jesper Wallin" To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.4 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Virus-Scanned: by amavisd-new at mail.hackunite.net Subject: About the FreeBSD Security Advisories X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jesper@hackunite.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2005 01:34:12 -0000 Hello.. I've noticed a delay between when the security advisories are sent and when the cvsup servers, ftp mirrors and web mirrors are updated. Is this delay on purpose to give the users some time to update/patch their system(s) before it hit pages like bugtraq, etc.. or is it just a caused by the delay between when the ftp/cvsup servers are synced? Best regard, Jesper Wallin From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 01:43:20 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61CF816A4CE for ; Wed, 6 Apr 2005 01:43:20 +0000 (GMT) Received: from obsecurity.dyndns.org (CPE0050040655c8-CM00111ae02aac.cpe.net.cable.rogers.com [69.194.102.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id 01A0143D53 for ; Wed, 6 Apr 2005 01:43:20 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0B7F251343; Tue, 5 Apr 2005 18:43:19 -0700 (PDT) Date: Tue, 5 Apr 2005 18:43:18 -0700 
From: Kris Kennaway
To: Jesper Wallin
cc: freebsd-security@freebsd.org
Message-ID: <20050406014318.GA17090@xor.obsecurity.org>
In-Reply-To: <1477.213.112.198.172.1112751249.squirrel@mail.hackunite.net>
Subject: Re: About the FreeBSD Security Advisories

On Wed, Apr 06, 2005 at 03:34:09AM +0200, Jesper Wallin wrote:
> Hello..
>
> I've noticed a delay between when the security advisories are sent and
> when the cvsup servers, ftp mirrors and web mirrors are updated. Is this
> delay on purpose to give the users some time to update/patch their
> system(s) before it hits pages like bugtraq, etc., or is it just caused
> by the delay between when the ftp/cvsup servers are synced?

The mirrors are updated automatically, i.e. on a regular schedule
determined by their individual administrators. They're not resynched
specially when a security advisory is released.

Kris

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 06:18:38 2005
Date: Tue, 05 Apr 2005 23:18:04 -0700
From: Colin Percival
To: jesper@www.hackunite.net
cc: freebsd-security@freebsd.org
Message-id: <42537F1C.5010502@freebsd.org>
In-reply-to: <1477.213.112.198.172.1112751249.squirrel@mail.hackunite.net>
Subject: Re: About the FreeBSD Security Advisories

Jesper Wallin wrote:
> I've noticed a delay between when the security advisories are sent and
> when the cvsup servers, ftp mirrors and web mirrors are updated. Is this
> delay on purpose to give the users some time to update/patch their
> system(s) before it hits pages like bugtraq, etc., or is it just caused
> by the delay between when the ftp/cvsup servers are synced?

It's mostly logistics. We write the advisory and prepare patches ahead
of time, but then we need to

1. Commit to the affected security branches (at least, to the ones which
   are still supported),
2. Update the advisory to include the correction times in the header,
3. Sign the advisory,
4. Upload the advisory + patches to ftp-master,
5. Email out the advisory.
6. Update the website to point to the advisory.

As Kris noted, the ftp and cvsup mirrors then catch up according to their
usual schedule. It probably took longer than usual for the ftp mirrors
this time since many of them are still grabbing the 5.4-RC1 bits.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 11:42:59 2005
Date: Wed, 6 Apr 2005 13:42:57 +0200
From: Marc Olzheim
To: Uwe Doering
cc: freebsd-security@freebsd.org
Message-ID: <20050406114257.GA22448@stack.nl>
In-Reply-To: <425248D8.1040508@geminix.org>
References: <200504050009.j35099Zr068123@freefall.freebsd.org> <425248D8.1040508@geminix.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:02.sendfile

On Tue, Apr 05, 2005 at 10:14:16AM +0200, Uwe Doering wrote:
> I can't tell why 'ovp' was introduced in the first place. Might have
> historical reasons. But that's how the code currently works. In the
> MAIN branch as well, according to CVS. So I'd suggest to replace 'vp'
> with 'ovp' in the patch above, for the sake of clarity and consistency.

It's a remnant from sys/ufs/ffs/ffs_inode.c:1.27 - 1.28, when the
arguments of ffs_truncate changed from (ap) to (vp, length, flags, cred, p)
and ovp was declared as 'register struct vnode *vp = ap->a_vp;'. This
could be cleaned up without problems.

Marc

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:49:09 2005
Message-Id: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
To: freebsd-security@freebsd.org
Date: Wed, 06 Apr 2005 10:49:08 -0500
From: Martin McCormick
Subject: What is this Very Stupid DOS Attack Script?

We have been noticing flurries of sshd reject messages in which some
system out there in the hinterlands hits us with a flood of ssh login
attempts. An example:

Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr 6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck

You get the idea. This goes on for 3 or 4 minutes and then just stops
for now. I can almost promise that later, another attack will start from
some other IP address and blaze away for a few minutes.

Other than spewing lots of entries into syslog, what is the purpose of
the attack? Are they just hoping to luck into an open account? The odds
of guessing the right account name and then guessing the correct
password are astronomical to say the least. Direct root logins are not
possible so there is another roadblock.

This seems on the surface to be aimed at simply filling up the /var file
system, but it is so stupid as to make me wonder if there is something
else more sophisticated that we truly need to be trembling in our shoes
over.

I notice from the syslog servers here that the same system is hammering
other sshd applications on those devices at the same time it is hitting
this system, so whatever script it is is probably just trolling our
network, looking for anything that answers.

Thanks for any useful information as to the nature of what appears to be
more of a nuisance than a diabolical threat to security.

Martin McCormick WB5AGZ Stillwater, OK
OSU Information Technology Division Network Operations Group

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:56:02 2005
From: Luiz Eduardo Roncato Cordeiro
Organization: NBSO
To: freebsd-security@freebsd.org
Date: Wed, 6 Apr 2005 12:55:58 -0300
Message-Id: <200504061255.59142.cordeiro@nic.br>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
Reply-To: cordeiro@nic.br
Subject: Re: What is this Very Stupid DOS Attack Script?

Hi,

Probably, what you have seen is a brute force attack against your sshd.
Unfortunately, this kind of attack still works.

Regards,
Cordeiro

On Wednesday April 6 2005 12:49, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification
> string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal
> user anonymous
> Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user
> anonymous from 67.19.58.170 port 32942 ssh2
> Apr 6 05:49:42 dc sshd[12389]: Received disconnect from
> 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal
> user bruce
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user
> bruce from 67.19.58.170 port 32983 ssh2
> Apr 6 05:49:42 dc sshd[12406]: Received disconnect from
> 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal
> user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then
> just stops for now. I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
>
> This seems on the surface to be aimed at simply filling up the /var
> file system, but it is so stupid as to make me wonder if there is
> something else more sophisticated that we truly need to be trembling
> in our shoes over.
>
> I notice from the syslog servers here that the same system
> is hammering other sshd applications on those devices at the same time
> it is hitting this system, so whatever script it is is probably just
> trolling our network, looking for anything that answers.
>
> Thanks for any useful information as to the nature of what
> appears to be more of a nuisance than a diabolical threat to security.
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Information Technology Division Network Operations Group

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:57:48 2005
Message-ID: <425406ED.5060400@withagen.nl>
Date: Wed, 06 Apr 2005 17:57:33 +0200
From: Willem Jan Withagen
To: Martin McCormick
cc: freebsd-security@freebsd.org
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
Subject: Re: What is this Very Stupid DOS Attack Script?

Martin McCormick wrote:
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal
> user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then
> just stops for now. I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.

I asked the same question a while ago. Seems that there are some Linux
type worms out there that use this to target not well protected Linux
systems.???

I've built some swatch rules so that after two of these hits, I dump
the host into ipfw-deny space.

--WjW

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:58:16 2005
Message-Id: <6.2.1.2.0.20050406114850.04d0b538@64.7.153.2>
Date: Wed, 06 Apr 2005 11:56:29 -0400
To: Martin McCormick , freebsd-security@freebsd.org
From: Mike Tancsa
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
Subject: Re: What is this Very Stupid DOS Attack Script?

At 11:49 AM 06/04/2005, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification
> string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal
> user anonymous
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.

Actually, sadly the odds are far too good given the cost to run such a
script. Unless you force users to use GOOD passwords, they will use dumb
ones.... Think Paris Hilton recently. The cost to let a script like that
go in the background and pound away at hosts that have open ssh access is
zilch.

If you have ftpd running anywhere, you will see similar attempts.

---Mike

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:18:17 2005
Message-Id: <200504061618.j36GIGY5068963@dc.cis.okstate.edu>
To: freebsd-security@freebsd.org
Date: Wed, 06 Apr 2005 11:18:16 -0500
From: Martin McCormick
Subject: Re: What is this Very Stupid DOS Attack Script?

Luiz Eduardo Roncato Cordeiro writes:
> Probably, what you have seen is a brute force attack against your
> sshd. Unfortunately, this kind of attack still works.

My thanks to all who have responded. I am glad to know this isn't more
sinister than it appears to be. It did make me get religion and fix all
the Linux systems I have control over so that one cannot successfully
log in as root with any password, even though I choose strong passwords.
Better to log in as you and su -.

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:19:30 2005
From: "Marian Hettwer"
To: "Willem Jan Withagen"
cc: freebsd-security@freebsd.org
Date: Wed, 6 Apr 2005 18:19:16 +0200 (CEST)
Message-ID: <4100.212.12.51.89.1112804356.squirrel@212.12.51.89>
In-Reply-To: <425406ED.5060400@withagen.nl>
References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> <425406ED.5060400@withagen.nl>
Subject: Re: What is this Very Stupid DOS Attack Script?

On Wed, 6.04.2005, 17:57, Willem Jan Withagen wrote:
> I've built some swatch rules so that after two of these hits, I dump
> the host into ipfw-deny space.
>

Aye. I thought about writing a script doing the same as yours, too.
Could you post this script somewhere, so that I could add some
functionality or just use it?

On one hand, of course, it would make no sense to block these attackers,
as they don't mind anyway whether they're blocked or not; on the other
hand, I'd like to see only two attempts, and not loads of pages blowing
up my logfiles uselessly.

By the way, you do know that if you block these attackers forever, you
may run into a self-made DOS attack, right? Imagine you have 10 attacks
per day (from 10 different IP addresses) and you block them all, each
day, for another 10 days. You have already blocked 100 IP addresses then
;)

Well, perhaps your script releases the blocked IP addresses after a
specific amount of time... this would be a functionality I'd like to
add :)

So, I'd be glad if you could either upload the script on some webserver
and make it public, or if you could private mail it to me.

best regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:28:12 2005
Date: Wed, 6 Apr 2005 11:28:11 -0500
From: Dan Rue
To: Martin McCormick
cc: freebsd-security@freebsd.org
Message-ID: <20050406162811.GQ1019@therub.org>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
Subject: Re: What is this Very Stupid DOS Attack Script?

On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user
> bruce from 67.19.58.170 port 32983 ssh2

In my experience, these are just script kiddies goofing around. The only
useful thing to do is to report them to abuse@ their ISP - this can
actually be effective in some cases.

$ whois 67.19.58.170
OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US
...
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  abuse@theplanet.com

I'm sure his ISP would like to know about his behavior - send them a
report of his attempts. Often in my opinion it's some 13 year old who
doesn't realize he's not anonymous on the internet. It quickly becomes a
tedious and thankless job, but it's the best weapon you have imo.

Also, I find on some systems it's nice to do whitelisting with
hosts.allow to only allow connections from certain addresses. Obviously
that is not a solution for every system, but it can work well for some.

Dan

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:00:53 2005
Date: Wed, 6 Apr 2005 17:58:56 +0200
From: "Devon H. O'Dell "
To: Martin McCormick
cc: freebsd-security@freebsd.org
Message-ID: <20050406155856.GA43436@smp500.sitetronics.com>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
Subject: Re: What is this Very Stupid DOS Attack Script?

On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:

[snip]

If you search google, you'll see many recent similar threads on both this
and other mailing lists. Perhaps the most interesting is one recently on
the DragonFly BSD users list, in which there were several scripts /
applications written to analyze the logs and add IPFW / PF rules blocking
these connections.

It's simply a brute force kiddy script. No harm. Or, shouldn't be if you
don't use silly passwords ;) The script simply tries user:user
combinations.

--Devon

From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:35:16 2005
Message-ID: <42540FC5.1020002@sbcglobal.net>
Date: Wed, 06 Apr 2005 09:35:17 -0700
From: John Davis User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at spm1.com Subject: Re: What is this Very Stupid DOS Attack Script? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2005 16:35:16 -0000 Martin McCormick wrote: > We have been noticing flurries of sshd reject messages in > which some system out there in the hinterlands hits us with a flood of > ssh login attempts. An example: > > Other than spewing lots of entries into syslog, what is the > purpose of the attack? Are they just hoping to luck into an open > account? The odds of guessing the right account name and then guessing > the correct password are astronomical to say the least. > Direct root logins are not possible so there is another roadblock. > This is probably a variant of a worm that infects the server and then spends all its time trying to log into other servers by guessing the ssh password. Once it succeeds, it attempts a compromise, and if successful, tries to break into other machines. I have read some interesting analyses on this. Apparently there are multiple variations of the worm, but they all do essentially the same thing. About the only real defense you have is to enforce a good password policy. I have taken to dropping everything that comes from the pacific rim at the firewall. This has been helpful in reducing some attacks, though in my case, it seems like about a quarter of them come from inside the USA. 
Here's a list of pacific rim IP ranges: http://www.okean.com/iptables/rc.firewall.sinokorea Here's an interesting read on one of the worm variants: http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041102 Personally, I think people who write malicious software should be treated like terrorists because it seems to me, they are. I know it's a common defense to claim that publishing exploits is useful to IT (perhaps it is in some twisted way), but that's like saying defendants in foiled murder plots should be forgiven because they helped to expose flaws in one's personal security. It's nonsense. -- -linux_lad From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 17:08:57 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E626B16A4CE for ; Wed, 6 Apr 2005 17:08:57 +0000 (GMT) Received: from resmo.com (resmo.com [204.202.11.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7D2B43D31 for ; Wed, 6 Apr 2005 17:08:57 +0000 (GMT) (envelope-from gstewart@spamcop.net) X-Resmo-Authenticated-User: [] X-Resmo-Msg-Submitted-By: mail.bonivet.net [81.56.185.133] Received: from dragonfly.bonivet.net (mail.bonivet.net [81.56.185.133]) by resmo.com (8.13.1/8.12.11) with ESMTP id j36H8uH3044656 for ; Wed, 6 Apr 2005 17:08:56 GMT Received: from dragonfly.bonivet.net (localhost.bonivet.net [127.0.0.1]) by dragonfly.bonivet.net (8.13.3/8.13.1) with SMTP id j36H8nRv040076 for ; Wed, 6 Apr 2005 19:08:50 +0200 (CEST) (envelope-from gstewart@spamcop.net) Date: Wed, 6 Apr 2005 19:08:49 +0200 
From: Godwin Stewart To: freebsd-security@freebsd.org Message-Id: <20050406190849.29f14168.gstewart@spamcop.net> In-Reply-To: <20050406162811.GQ1019@therub.org> References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> <20050406162811.GQ1019@therub.org> X-Mailer: Sylpheed version 1.9.7 (GTK+ 2.6.4; i386-unknown-freebsd5.4) X-Face: #T;eJks=B[`71qrwp`l6BW8xI&hP8S*4Kd%e?8o"rL02ZYf"rWa41l83a)L,*; S).Ukq$U% II{-z#5%i&X8"%{$)ZWmE7WBDF)?wK1^7]u9T;@jqdZo?IT!d-L`!@&vW)F_1 X-GnuPG-Key: http://www.bonivet.net/gpg/pubkey.txt Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Subject: Re: What is this Very Stupid DOS Attack Script? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2005 17:08:58 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 6 Apr 2005 11:28:11 -0500, Dan Rue wrote: > In my experience, these are just script kiddies goofing around. The > only useful thing to do is to report them to abuse@ their ISP - this can > actually be effective in some cases. > > $ whois 67.19.58.170 > OrgName: ThePlanet.com Internet Services, Inc. But definitely *not* in the case of theplanet.com. http://tinyurl.com/6sebk (expands to a search on theplanet.com in the news.admin.net-abuse.sightings newsgroup) Drawing conclusions from the evidence provided is left as an exercise for the reader. - -- G. 
Stewart - gstewart@spamcop.net Your fault: core dumped -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFCVBehK5oiGLo9AcYRAk59AKDF4UmhASqBsNKtNcRSyrDWI8Vh+gCgkrEa xD2aKKc3l6xYR43zR4yUi7Y= =gKry -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Apr 8 00:28:46 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C82E16A4CE for ; Fri, 8 Apr 2005 00:28:46 +0000 (GMT) Received: from iron.allciti.net (iron.allciti.net [66.36.240.251]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6FFB243D45 for ; Fri, 8 Apr 2005 00:28:45 +0000 (GMT) (envelope-from jonaadam@nsu.nova.edu) Received: from localhost (localhost [127.0.0.1]) by iron.allciti.net (Postfix) with ESMTP id EAA1133C0E for ; Thu, 7 Apr 2005 20:29:46 -0400 (EDT) Received: from iron.allciti.net ([127.0.0.1]) by localhost (iron.allciti.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70089-01 for ; Thu, 7 Apr 2005 20:29:44 -0400 (EDT) Received: from [192.168.1.4] (pcp09122379pcs.arlngt01.va.comcast.net [69.143.1.250]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by iron.allciti.net (Postfix) with ESMTP id EF56733C0D for ; Thu, 7 Apr 2005 20:29:16 -0400 (EDT) Message-ID: <4255D022.9040205@nsu.nova.edu> Date: Thu, 07 Apr 2005 20:28:18 -0400 
From: Jon Adams User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: rs1_4f1c29d98c6, rs2_246f19c3bce, rs3_81d0880ece MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> <425406ED.5060400@withagen.nl> <4100.212.12.51.89.1112804356.squirrel@212.12.51.89> In-Reply-To: <4100.212.12.51.89.1112804356.squirrel@212.12.51.89> X-Enigmail-Version: 0.89.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at iron.allciti.net Subject: Re: What is this Very Stupid DOS Attack Script? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Apr 2005 00:28:46 -0000 Marian Hettwer wrote: >On Mi, 6.04.2005, 17:57, Willem Jan Withagen sagte: > > >>I've built some swatch-rules that after two of these hits, I dump >>the host into ipfw-deny space. >> >> >> >Aye. I thought about writing a script, doing the same like yours, too. >Could you post this script somewhere, so that I could add some >functionality or just use it ? > > > This is similar to what I do... except I just run a cronjob every so often... daily.. weekly.. what have you.. that will restart ipfw... probably there is a cleaner solution, but it does the job for me.... 
as far as cleaning out the dozens of IPs that get blocked for connecting to ports they shouldn't on my boxes From owner-freebsd-security@FreeBSD.ORG Fri Apr 8 19:07:12 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E139E16A4CE for ; Fri, 8 Apr 2005 19:07:12 +0000 (GMT) Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id B410143D45 for ; Fri, 8 Apr 2005 19:07:12 +0000 (GMT) (envelope-from carlson39@llnl.gov) Received: from CARLSON39PC01.llnl.gov (localhost [127.0.0.1]) with ESMTP id j38J7B1r020762 for ; Fri, 8 Apr 2005 12:07:12 -0700 (PDT) Message-Id: <6.1.2.0.2.20050408120501.103c99c8@mail.llnl.gov> X-Sender: carlson39@mail.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0 Date: Fri, 08 Apr 2005 12:07:11 -0700 To: freebsd-security@freebsd.org 
From: Michael Carlson In-Reply-To: <4255D022.9040205@nsu.nova.edu> References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> <425406ED.5060400@withagen.nl> <4100.212.12.51.89.1112804356.squirrel@212.12.51.89> <4255D022.9040205@nsu.nova.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Re: What is this Very Stupid DOS Attack Script? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Apr 2005 19:07:13 -0000 I would be very interested in a script/setup like this, so I second the suggestion of posting it somewhere. On a minor off topic question, has anyone gotten the linux-pam/pam_tally to work in 5.x? Due to security requirements at work I need either that or something similar. At 05:28 PM 4/7/2005, Jon Adams wrote: >Marian Hettwer wrote: > >>On Mi, 6.04.2005, 17:57, Willem Jan Withagen sagte: >> >> >>>I've built some swatch-rules that after two of these hits, I dump >>>the host into ipfw-deny space. >>> >>> >>Aye. I thought about writing a script, doing the same like yours, too. >>Could you post this script somewhere, so that I could add some >>functionality or just use it ? >> >> >This is similar to what I do... except > >I just run a cronjob every so often... daily.. weekly.. what have you.. >that will restart ipfw... probably there is a cleaner solution, but it >does the job for me.... 
as far as cleaning out the dozens of IPs that get >blocked for connecting to ports they shouldn't on my boxes > >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Fri Apr 8 19:39:57 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9996816A4CE for ; Fri, 8 Apr 2005 19:39:57 +0000 (GMT) Received: from bgo1smout1.broadpark.no (bgo1smout1.broadpark.no [217.13.4.94]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB83143D48 for ; Fri, 8 Apr 2005 19:39:55 +0000 (GMT) (envelope-from rip@overflow.no) Received: from bgo1sminn1.broadpark.no ([217.13.4.93]) by bgo1smout1.broadpark.no (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004)) with ESMTP id <0IEN00BUX7P6OF70@bgo1smout1.broadpark.no> for freebsd-security@freebsd.org; Fri, 08 Apr 2005 21:34:18 +0200 (CEST) Received: from magic.shrooms ([213.145.183.242]) by bgo1sminn1.broadpark.no (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004)) with ESMTP id <0IEN006DB80R2091@bgo1sminn1.broadpark.no> for freebsd-security@freebsd.org; Fri, 08 Apr 2005 21:41:15 +0200 (CEST) Date: Fri, 08 Apr 2005 21:39:20 +0200 
From: Chris In-reply-to: <6.1.2.0.2.20050408120501.103c99c8@mail.llnl.gov> To: freebsd-security@freebsd.org Message-id: <1112989160.4471.19.camel@magic.shrooms> Organization: overflow.no MIME-version: 1.0 X-Mailer: Evolution 2.0.1 Content-type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-dWoQSALcmsLjKeMDpr+u" References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu> <425406ED.5060400@withagen.nl> <4100.212.12.51.89.1112804356.squirrel@212.12.51.89> <4255D022.9040205@nsu.nova.edu> <6.1.2.0.2.20050408120501.103c99c8@mail.llnl.gov> Subject: Re: What is this Very Stupid DOS Attack Script? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Apr 2005 19:39:57 -0000 --=-dWoQSALcmsLjKeMDpr+u Content-Type: text/plain Content-Transfer-Encoding: quoted-printable This might not be exactly what you want, but a solution to this might be timelox by brian. It has a definable action to take when an IP attempts X logins in N seconds. I've modified his timelox-code for openbsd to suit openssh portable 3.9p1/4.0p1 (linux/freebsd). I will try to keep this up to date with the openssh-portable tree. You can find it at http://www.overflow.no/?p=hacking The next version will have a sshd_config setting for a script to run on this event, to improve portability basically. This probably isn't the best solution, but it works pretty well. If blocking out all of the world is a concern just add a cronjob for root to clear the rules once a week or something like that. :) On Fri, 2005-04-08 at 12:07 -0700, Michael Carlson wrote: > I would be very interested in a script/setup like this, so I second the > suggestion of posting it somewhere. > > On a minor off topic question, has anyone gotten the linux-pam/pam_tally to > work in 5.x? 
> > Due to security requirements at work I need either that or something similar. > > At 05:28 PM 4/7/2005, Jon Adams wrote: > > > >Marian Hettwer wrote: > > > >>On Mi, 6.04.2005, 17:57, Willem Jan Withagen sagte: > >> > >> > >>>I've built some swatch-rules that after two of these hits, I dump > >>>the host into ipfw-deny space. > >>> > >>> > >>Aye. I thought about writing a script, doing the same like yours, too. > >>Could you post this script somewhere, so that I could add some > >>functionality or just use it ? > >> > >> > >This is similar to what I do... except > > > >I just run a cronjob every so often... daily.. weekly.. what have you.. > >that will restart ipfw... probably there is a cleaner solution, but it > >does the job for me.... as far as cleaning out the dozens of IPs that get > >blocked for connecting to ports they shouldn't on my boxes > > > >_______________________________________________ > >freebsd-security@freebsd.org mailing list > >http://lists.freebsd.org/mailman/listinfo/freebsd-security > >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > Chris -- Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, swallowing magic pills and listening to repetitive electronic music. --=-dWoQSALcmsLjKeMDpr+u Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQBCVt3oWwvIQMvefh0RAu8YAJ9cN6nF1OWZRdoh581l8shTCazuwACfXe/Y pyxZ99/u4QlJoLZqTLqIC70= =4LIG -----END PGP SIGNATURE----- --=-dWoQSALcmsLjKeMDpr+u--
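The log-watching approach discussed across this thread (swatch rules that drop a host into an ipfw deny rule after a couple of failed logins, timelox's "X logins in N seconds" trigger, and the cron job that later clears the accumulated blocks) can be written as one small detector. The following is an added example, not code posted by anyone in the thread and not timelox's or swatch's code. It assumes FreeBSD-era OpenSSH "Failed password for [illegal user] X from A.B.C.D" syslog lines, a constructed sample log (the year is supplied by the caller because syslog lines carry none), an ipfw rule number of 100 and a pf table named sshbrute; all of those are assumptions. It uses a sliding window per source address rather than a lifetime count, so a host that fails once an hour is not treated like one that fails four times in four seconds, and it emits the firewall commands as strings instead of running them, so it can be read and tested before it is wired to a real ruleset.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed: syslog lines have no year, so one is supplied explicitly.
LOG_YEAR = 2005

# Constructed sample, not real log data. 192.0.2.10 fails four times in four
# seconds; 198.51.100.7 fails four times spread over half an hour; the last
# line is a successful key login and an out-of-order timestamp on purpose.
SAMPLE_LOG = """\
Apr  6 10:41:02 host sshd[812]: Failed password for illegal user admin from 192.0.2.10 port 40110 ssh2
Apr  6 10:41:03 host sshd[814]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Apr  6 10:41:05 host sshd[816]: Failed password for root from 192.0.2.10 port 40115 ssh2
Apr  6 10:41:06 host sshd[818]: Failed password for illegal user guest from 192.0.2.10 port 40118 ssh2
Apr  6 10:42:30 host sshd[820]: Failed password for illegal user oracle from 198.51.100.7 port 51000 ssh2
Apr  6 10:55:00 host sshd[822]: Failed password for illegal user oracle from 198.51.100.7 port 51001 ssh2
Apr  6 11:05:00 host sshd[824]: Failed password for illegal user oracle from 198.51.100.7 port 51002 ssh2
Apr  6 11:15:00 host sshd[826]: Failed password for illegal user oracle from 198.51.100.7 port 51003 ssh2
Apr  6 10:43:00 host sshd[830]: Accepted publickey for martin from 203.0.113.5 port 2222 ssh2
"""

# "illegal user" is the OpenSSH 3.x wording; later releases say "invalid user".
FAILED_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=LOG_YEAR):
    """Yield (timestamp, ip, user) for every failed sshd password login."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        mon, day, clock, user, ip = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield ts, ip, user


def offenders(log_text, threshold=3, window_seconds=60, year=LOG_YEAR):
    """Return {ip: time the threshold was first crossed} using a per-IP sliding window.

    Events are sorted first so out-of-order syslog lines do not break the window.
    """
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip, _user in sorted(parse_failures(log_text, year)):
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()          # forget failures older than the window
        if len(window) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


def firewall_commands(blocked, backend="ipfw", rule_number=100, table="sshbrute"):
    """Commands that would install the blocks (returned, not executed).

    The ipfw rule number and the pf table name are assumptions; the pf table
    must already be declared in pf.conf with a block rule that references it.
    """
    cmds = []
    for ip in sorted(blocked):
        if backend == "ipfw":
            cmds.append(f"ipfw add {rule_number} deny ip from {ip} to any")
        elif backend == "pf":
            cmds.append(f"pfctl -t {table} -T add {ip}")
        else:
            raise ValueError(f"unknown backend {backend!r}")
    return cmds


def flush_command(backend="ipfw", rule_number=100, table="sshbrute"):
    """The weekly cron cleanup from the thread: drop every block at once."""
    if backend == "ipfw":
        return f"ipfw delete {rule_number}"   # removes all rules carrying that number
    if backend == "pf":
        return f"pfctl -t {table} -T flush"
    raise ValueError(f"unknown backend {backend!r}")


def expired(blocked, now, ttl_seconds=7 * 24 * 3600):
    """Per-entry alternative to a full flush: IPs blocked longer than ttl_seconds."""
    return sorted(ip for ip, ts in blocked.items() if (now - ts).total_seconds() > ttl_seconds)


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for cmd in firewall_commands(hits):
        print(cmd)
    print(flush_command())
```

With the defaults (3 failures within 60 seconds) only 192.0.2.10 is flagged; widening the window to an hour also catches the slow 198.51.100.7 scan, which is the tuning decision a threshold-and-window tool leaves to the administrator. In a real deployment the commands would be run with the firewall's own tool after the usual whitelist check for management addresses, and `expired()` gives a gentler cleanup than wholesale `ipfw delete` of the rule number.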