From owner-freebsd-security@FreeBSD.ORG Mon May 18 16:41:24 2009
Date: Mon, 18 May 2009 18:08:40 +0200
From: Oliver Pinter
To: freebsd-security@freebsd.org
Message-ID: <6101e8c40905180908x6d80b279n919fdcc3890e69f6@mail.gmail.com>
Subject: FreeBSD 7.2
Hi all!

here is a paxtest output:
http://www.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz

[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest
usage: paxtest [kiddie|blackhat]

[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete

Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: kiddie
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>> Executable shared library bss (mprotect) : Vulnerable <<<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete

Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: blackhat
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>> Executable shared library bss (mprotect) : Killed <<<<<<<<<<<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete

Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: kiddie
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>>>> Executable shared library bss (mprotect) : Vulnerable <<<<<<<<<<<<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete

Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: blackhat
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>>>>>> Executable shared library bss (mprotect) : Vulnerable <<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

--------------------
sum

kiddie 1st:   Executable shared library bss (mprotect) : Vulnerable
blackhat 1st: Executable shared library bss (mprotect) : Killed
kiddie 2nd:   Executable shared library bss (mprotect) : Vulnerable
blackhat 2nd: Executable shared library bss (mprotect) : Vulnerable

This is the interesting part: in kiddie mode it is vulnerable, and in blackhat mode it is vulnerable too, but not in the first run.
The running order is: kiddie, blackhat, kiddie, blackhat.

ps.: sorry for the bad English
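The four runs above were compared by hand. As an added example (not part of the post and not paxtest's own code), this Python script parses result lines in the paxtest output format shown above, strips the ">>> ... <<<" emphasis markers the poster added, maps each raw result to a verdict, and reports the tests whose verdict flips between runs, which is the anomaly the post points at. The two sample runs are constructed and shortened.

```python
import re
from collections import OrderedDict

# Constructed sample: two shortened paxtest runs in the format of the post, emphasis markers included.
SAMPLE_RUNS = [
    """Mode: kiddie
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 amd64
Executable anonymous mapping             : Killed
>>>>>>>>> Executable shared library bss (mprotect) : Vulnerable <<<<<<<<<<
Anonymous mapping randomisation test     : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
""",
    """Mode: blackhat
Executable anonymous mapping             : Killed
>>>>>>>>> Executable shared library bss (mprotect) : Killed <<<<<<<<<<
Anonymous mapping randomisation test     : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
""",
]
RESULT_RE = re.compile(r"^(?P<test>\S.*?)\s*:\s*(?P<result>.+?)\s*$")

def parse_run(text):
    """Return (mode, {test name: raw result}) for one paxtest run."""
    mode, results = "unknown", OrderedDict()
    for raw in text.splitlines():
        line = raw.strip().strip("<>").strip()  # drop the poster's emphasis markers
        m = RESULT_RE.match(line)
        if line.startswith("Mode:"):
            mode = m.group("result")
        elif m and not line.startswith("FreeBSD"):  # the uname line is not a test
            results[m.group("test")] = m.group("result")
    return mode, results

def classify(result):
    """Coarse verdict: paxtest prints 'Killed' when the kernel stopped the test."""
    if result.startswith("Killed"):
        return "protected"
    if result.startswith(("Vulnerable", "No randomisation")):
        return "vulnerable"
    return "inconclusive"  # e.g. "paxtest: return address contains a NULL byte."

def flapping_tests(runs):
    """Tests whose verdict differs between runs: {test: [verdict per run]}."""
    parsed = [parse_run(t)[1] for t in runs]
    names = OrderedDict((n, None) for p in parsed for n in p)
    flaps = OrderedDict()
    for n in names:
        seq = [classify(p[n]) if n in p else "absent" for p in parsed]
        if len(set(seq)) > 1:
            flaps[n] = seq
    return flaps
```

Feed it the four real runs (each `paxtest.log` as one string, in execution order) and the only entry it reports is the shared-library-bss mprotect test, with the verdict sequence the poster tallied by hand.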
From owner-freebsd-security@FreeBSD.ORG Thu May 21 15:27:15 2009
Date: Thu, 21 May 2009 19:27:11 +0400
From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Subject: FYI: ntpd, CVE-2009-1252, remote code execution with enabled Autokey authentication

For those who are running Autokey with stock NTPD:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
http://www.freebsd.org/cgi/query-pr.cgi?pr=134787

For users of net/ntp:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/134755
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/134756

-- 
Eygene

"Remember that it is hard to read the on-line manual while single-stepping the kernel."
-- FreeBSD Developers handbook