From owner-freebsd-security@FreeBSD.ORG Sun Jul 25 18:34:52 2010
From: ajtiM <lumiwa@gmail.com>
To: freebsd-security@freebsd.org
Date: Sun, 25 Jul 2010 13:06:30 -0500
Subject: portaudit
Message-Id: <201007251306.30579.lumiwa@gmail.com>
User-Agent: KMail/1.13.5 (FreeBSD/8.0-RELEASE-p4; KDE/4.4.5; i386; ; )

Hi!

portaudit -a shows:

Affected package: mDNSResponder-214
Type of problem: mDNSResponder -- corrupted stack crash when parsing bad resolv.conf.
Reference:

Affected package: opera-10.10.20091120_2
Type of problem: opera -- Data URIs can be used to allow cross-site scripting.
Reference:

Affected package: linux-f10-pango-1.22.3_1
Type of problem: pango -- integer overflow.
Reference:

3 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

Do I need to deinstall those ports or is it safe anyway?

Thanks in advance.

Mitja
--------
http://starikarp.redbubble.com

From owner-freebsd-security@FreeBSD.ORG Sun Jul 25 18:59:12 2010
From: "David E. Thiel" <lx@redundancy.redundancy.org>
To: freebsd-security@freebsd.org
Date: Sun, 25 Jul 2010 11:59:33 -0700
Message-ID: <20100725185908.GA18047@redundancy.redundancy.org>
In-Reply-To: <201007251306.30579.lumiwa@gmail.com>

On Sun, Jul 25, 2010 at 01:06:06PM -0500, ajtiM wrote:
> 3 problem(s) in your installed packages found.
>
> You are advised to update or deinstall the affected package(s) immediately.
>
> Do I need to deinstall those ports or is it safe anyway?

portaudit(1): "If you have a vulnerable package installed, you are
advised to update or deinstall it immediately."

From owner-freebsd-security@FreeBSD.ORG Sun Jul 25 21:10:55 2010
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
To: ajtiM
Cc: freebsd-security@freebsd.org
Date: Sun, 25 Jul 2010 22:10:42 +0100
Subject: Re: portaudit
Message-ID: <4C4CA852.9070005@infracaninophile.co.uk>
In-Reply-To: <201007251306.30579.lumiwa@gmail.com>

On 25/07/2010 19:06:30, ajtiM wrote:
> Hi!
> portaudit -a shows:
>
> Affected package: mDNSResponder-214
> Type of problem: mDNSResponder -- corrupted stack crash when parsing bad
> resolv.conf.
> Reference:
>
> Affected package: opera-10.10.20091120_2
> Type of problem: opera -- Data URIs can be used to allow cross-site scripting.
> Reference:
>
> Affected package: linux-f10-pango-1.22.3_1
> Type of problem: pango -- integer overflow.
> Reference: becb-001cc0377035.html>
>
> 3 problem(s) in your installed packages found.
>
> You are advised to update or deinstall the affected package(s) immediately.
>
> Do I need to deinstall those ports or is it safe anyway?

No, it's not in any way "safe" to ignore what portaudit tells you.
However that does not mean that you necessarily have to delete the
referenced packages.

What you need to do is read the referenced VuXML data, look at the
reports referenced therein and decide if:

a) The vulnerability affects you, given your usage patterns. For
   instance, you might be running a server where all users also have
   root access, in which case, you don't need to worry about
   privilege escalation attacks from logged in users.

b) The vulnerability affects you, but you can mitigate or prevent
   any attack. Eg. you can cause a vulnerable daemon to bind only
   to the loopback interface, or apply strict firewall rules to
   prevent attacks over the network.

c) The software in question is mission critical, and removing it
   would have a worse effect on you than some possible exploit.

If the software fails all of the above, then yes, you should certainly
remove it. Otherwise, you need to keep an eye out for any updates or
fixes and apply them ASAP.

In the particular case of linux-f10-pango -- this is a long standing
vulnerability with no real prospect of a software patch becoming
available. Unfortunately that port is a vital part of the linuxulator,
so a lot of people are keeping it installed under case (c).

mDNSResponder can be fixed by a very simple patch, and exploiting the bug
depends on being able to control the contents of /etc/resolv.conf, which
pretty much implies the attacker would already have root access to your
machine. Keep an eye out for when the update hits the ports and apply
it as soon as possible.

The opera bug is more severe. Your vulnerability to it depends on your
usage patterns with that browser. It looks like the opera devs are on
the case, but in the mean time it might be an idea to switch to using an
alternate browser temporarily.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

From owner-freebsd-security@FreeBSD.ORG Sun Jul 25 22:15:28 2010
From: ajtiM <lumiwa@gmail.com>
To: Matthew Seaman
Cc: freebsd-security@freebsd.org
Date: Sun, 25 Jul 2010 17:15:20 -0500
Subject: Re: portaudit
Message-Id: <201007251715.21274.lumiwa@gmail.com>
In-Reply-To: <4C4CA852.9070005@infracaninophile.co.uk>

On Sunday 25 July 2010 16:10:42 Matthew Seaman wrote:
> On 25/07/2010 19:06:30, ajtiM wrote:
> > Hi!
> >
> > portaudit -a shows:
> > Affected package: mDNSResponder-214
> > Type of problem: mDNSResponder -- corrupted stack crash when parsing bad
> > resolv.conf.
> > Reference:
> >
> > Affected package: opera-10.10.20091120_2
> > Type of problem: opera -- Data URIs can be used to allow cross-site
> > scripting. Reference:
> >
> > Affected package: linux-f10-pango-1.22.3_1
> > Type of problem: pango -- integer overflow.
> > Reference: becb-001cc0377035.html>
> >
> > 3 problem(s) in your installed packages found.
> >
> > You are advised to update or deinstall the affected package(s)
> > immediately.
> >
> > Do I need to deinstall those ports or is it safe anyway?
>
> No, it's not in any way "safe" to ignore what portaudit tells you.
> However that does not mean that you necessarily have to delete the
> referenced packages.
>
> What you need to do is read the referenced VuXML data, look at the
> reports referenced therein and decide if:
>
> a) The vulnerability affects you, given your usage patterns. For
>    instance, you might be running a server where all users also have
>    root access, in which case, you don't need to worry about
>    privilege escalation attacks from logged in users.
>
> b) The vulnerability affects you, but you can mitigate or prevent
>    any attack. Eg. you can cause a vulnerable daemon to bind only
>    to the loopback interface, or apply strict firewall rules to
>    prevent attacks over the network.
>
> c) The software in question is mission critical, and removing it
>    would have a worse effect on you than some possible exploit.
>
> If the software fails all of the above, then yes, you should certainly
> remove it. Otherwise, you need to keep an eye out for any updates or
> fixes and apply them ASAP.
>
> In the particular case of linux-f10-pango -- this is a long standing
> vulnerability with no real prospect of a software patch becoming
> available. Unfortunately that port is a vital part of the linuxulator,
> so a lot of people are keeping it installed under case (c).
>
> mDNSResponder can be fixed by a very simple patch, and exploiting the bug
> depends on being able to control the contents of /etc/resolv.conf, which
> pretty much implies the attacker would already have root access to your
> machine. Keep an eye out for when the update hits the ports and apply
> it as soon as possible.
>
> The opera bug is more severe. Your vulnerability to it depends on your
> usage patterns with that browser. It looks like the opera devs are on
> the case, but in the mean time it might be an idea to switch to using an
> alternate browser temporarily.
>
> Cheers,
>
> Matthew

Thank you very much.

It is sad that the mDNSResponder port is without a maintainer:

    mDNSResponder 214 net
    This port version is marked as vulnerable.
    Apple's mDNSResponder
    There is no maintainer for this port.

Opera has had update 10.11 for a long time, but there was no response
either. For linux pango I understand, because it is an old version which
Fedora also hasn't used for a very loooong time.

Thanks again.

Mitja
--------
http://starikarp.redbubble.com

From owner-freebsd-security@FreeBSD.ORG Mon Jul 26 12:25:09 2010
From: Peter Jeremy <peterjeremy@acm.org>
To: ajtiM
Cc: freebsd-security@freebsd.org
Date: Mon, 26 Jul 2010 20:19:46 +1000
Subject: Re: portaudit
Message-ID: <20100726101946.GA8918@server.vk2pj.dyndns.org>
In-Reply-To: <201007251306.30579.lumiwa@gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)

On 2010-Jul-25 13:06:30 -0500, ajtiM wrote:
>Hi!
> portaudit -a shows:
>
>Affected package: mDNSResponder-214
>Type of problem: mDNSResponder -- corrupted stack crash when parsing bad
>resolv.conf.
>Reference:
> ...
>3 problem(s) in your installed packages found.
>
>You are advised to update or deinstall the affected package(s) immediately.
>
>Do I need to deinstall those ports or is it safe anyway?

For maximum safety, you should update or uninstall the specified
packages. Alternatively, you could follow the reference links and
determine whether the particular vulnerabilities apply to your
particular situation. This obviously requires a greater level of
skill and reviewing if the situation changes.

-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 06:43:35 2010
From: Selphie Keller <selphie.keller@gmail.com>
Date: Fri, 30 Jul 2010 23:18:39 -0700
Subject: kernel module for chmod restrictions while in securelevel one or higher
Message-ID: <235BB726E71747BA980A0EF60F76ED37@2WIRE304>
X-Mailer: Microsoft Office Outlook 11

Kernel module for chmod restrictions while in securelevel one or higher:
http://gist.github.com/501800 (fbsd 8.x)

Was looking at the recent sendfile/mbuf exploit, and it was using
shellcode that calls the chmod syscall to make a setuid/setgid binary.
However, I was thinking of ways to block the creation of suid/sgid
binaries if the machine is in a securelevel, beyond the normal things
like nosuid/noexec mount flags for /tmp. So I came up with this quick
module to handle it, but the concept of restricting the creation of
suid/sgid binaries while in securelevel seems like a good idea to be
part of the base.

-Estella Mystagic

From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 12:55:59 2010
From: Kostik Belousov <kostikbel@gmail.com>
To: Selphie Keller
Cc: freebsd-security@freebsd.org
Date: Sat, 31 Jul 2010 15:41:36 +0300
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher
Message-ID: <20100731124136.GN22295@deviant.kiev.zoral.com.ua>
In-Reply-To: <235BB726E71747BA980A0EF60F76ED37@2WIRE304>
User-Agent: Mutt/1.4.2.3i

On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote:
> Kernel module for chmod restrictions while in securelevel one or higher:
> http://gist.github.com/501800 (fbsd 8.x)
>
> Was looking at the recent sendfile/mbuf exploit, and it was using
> shellcode that calls the chmod syscall to make a setuid/setgid binary. However

Can you point to the exploit (code)?

From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 13:04:15 2010
From: Kostik Belousov <kostikbel@gmail.com>
To: István
Cc: freebsd-security, Selphie Keller
Date: Sat, 31 Jul 2010 16:04:10 +0300
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher
Message-ID: <20100731130410.GO22295@deviant.kiev.zoral.com.ua>
References: <235BB726E71747BA980A0EF60F76ED37@2WIRE304> <20100731124136.GN22295@deviant.kiev.zoral.com.ua>
User-Agent: Mutt/1.4.2.3i

On Sat, Jul 31, 2010 at 01:59:43PM +0100, István wrote:
> http://www.securiteam.com/exploits/6P00C00EKO.html

This is an exploit for the archaic SA-05:02.sendfile. OP (semi-)obviously
means an exploit for the recent SA-10:07.mbuf, for which I am very
curious whether a working exploit appeared in the wild.

>
> On Sat, Jul 31, 2010 at 1:41 PM, Kostik Belousov wrote:
>
> > On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote:
> > > Kernel module for chmod restrictions while in securelevel one or higher:
> > > http://gist.github.com/501800 (fbsd 8.x)
> > >
> > > Was looking at the recent sendfile/mbuf exploit, and it was using
> > > shellcode that calls the chmod syscall to make a setuid/setgid binary.
> > However
> > Can you point to the exploit (code)?
>
> -- 
> the sun shines for all
>
> http://l1xl1x.blogspot.com

From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 13:11:39 2010
From: István <leccine@gmail.com>
To: Kostik Belousov
Cc: freebsd-security, Selphie Keller
Date: Sat, 31 Jul 2010 14:11:37 +0100
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher
In-Reply-To: <20100731130410.GO22295@deviant.kiev.zoral.com.ua>

sorry my bad

On Sat, Jul 31, 2010 at 2:04 PM, Kostik Belousov wrote:
> On Sat, Jul 31, 2010 at 01:59:43PM +0100, István wrote:
> > http://www.securiteam.com/exploits/6P00C00EKO.html
> This is an exploit for the archaic SA-05:02.sendfile. OP (semi-)obviously
> means an exploit for the recent SA-10:07.mbuf, for which I am very
> curious whether a working exploit appeared in the wild.
> >
> > On Sat, Jul 31, 2010 at 1:41 PM, Kostik Belousov wrote:
> >
> > > On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote:
> > > > Kernel module for chmod restrictions while in securelevel one or higher:
> > > > http://gist.github.com/501800 (fbsd 8.x)
> > > >
> > > > Was looking at the recent sendfile/mbuf exploit, and it was using
> > > > shellcode that calls the chmod syscall to make a setuid/setgid binary.
> > > However
> > > Can you point to the exploit (code)?
> >
> > -- 
> > the sun shines for all
> >
> > http://l1xl1x.blogspot.com

-- 
the sun shines for all

http://l1xl1x.blogspot.com

From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 13:21:34 2010
From: István <leccine@gmail.com>
To: Kostik Belousov
Cc: freebsd-security, Selphie Keller
Date: Sat, 31 Jul 2010 13:59:43 +0100
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher
In-Reply-To: <20100731124136.GN22295@deviant.kiev.zoral.com.ua>

http://www.securiteam.com/exploits/6P00C00EKO.html

HTH

On Sat, Jul 31, 2010 at 1:41 PM, Kostik Belousov wrote:
> On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote:
> > Kernel module for chmod restrictions while in securelevel one or higher:
> > http://gist.github.com/501800 (fbsd 8.x)
> >
> > Was looking at the recent sendfile/mbuf exploit, and it was using
> > shellcode that calls the chmod syscall to make a setuid/setgid binary.
> However
> Can you point to the exploit (code)?
>
--
the sun shines for all

http://l1xl1x.blogspot.com

From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 16:05:19 2010
From: Chris Walker
To: István
Cc: Kostik Belousov, freebsd-security, Selphie Keller
Date: Sat, 31 Jul 2010 17:39:47 +0200
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher

Hi list

#1 Not same exploit referenced in URL.
#2 Not same bug, although you had the function right, sort of.
#3 That kernel module is useless: The exploit in the wild has already changed to bypass such restriction.
#4 The bug is already patched, upgrade your kernel.
#5 If you intend on introducing a kernel module that potentially makes your system unstable, make sure it actually fixes the bug. This workaround merely made the exploit grow more lethal, and provides a FALSE sense of security, and as such I would *STRONGLY* discourage use of this kernel module.

This is a perfect example of why software developers never ever will be able to fight blackhat hackers: Ignorance.

Thanks.

On Jul 31, 2010, at 2:59 PM, István wrote:
> http://www.securiteam.com/exploits/6P00C00EKO.html
>
> HTH
>
> On Sat, Jul 31, 2010 at 1:41 PM, Kostik Belousov wrote:
>
>> On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote:
>>> Kernel module for chmod restrictions while in securelevel one or higher:
>>> http://gist.github.com/501800 (fbsd 8.x)
>>>
>>> Was looking at the new recent sendfile/mbuf exploit and it was using a
>>> shellcode that calls chmod syscall to make a setuid/setgid binary.
>> However
>> Can you point to the exploit (code) ?
>>
>
> --
> the sun shines for all
>
> http://l1xl1x.blogspot.com
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 17:30:31 2010
From: Bryan Drewery
To: Chris Walker
Cc: Kostik Belousov, István, Selphie Keller, freebsd-security
Date: Sat, 31 Jul 2010 12:30:24 -0500
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher

The module/change never proposed to stop the exploit. There's no reason to
attack someone trying to help the community.

It's merely adding on top of the already existing securelevel restrictions,
such as chflags restrictions. It makes a lot of sense to restrict
setuid/setgid when in securelevel, based on the fact that flags are as well.

But maybe securelevel should just be removed? By your arguments it's useless,
makes the system unstable and gives a false sense of security.

Bryan

On 7/31/2010 10:39 AM, Chris Walker wrote:
> Hi list
>
> #1 Not same exploit referenced in URL.
> #2 Not same bug, although you had the function right, sort of.
> #3 That kernel module is useless: The exploit in the wild has already changed to bypass such restriction.
> #4 The bug is already patched, upgrade your kernel.
> #5 If you intend on introducing a kernel module that potentially makes your system unstable, make sure it actually fixes the bug. This workaround merely made the exploit grow more lethal, and provides a FALSE sense of security, and as such I would *STRONGLY* discourage use of this kernel module.
>
> This is a perfect example of why software developers never ever will be able to fight blackhat hackers: Ignorance.
>
> Thanks.
>
> On Jul 31, 2010, at 2:59 PM, István wrote:
>
>> http://www.securiteam.com/exploits/6P00C00EKO.html
>>
>> HTH
>>
>> On Sat, Jul 31, 2010 at 1:41 PM, Kostik Belousov wrote:
>>
>>> On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote:
>>>> Kernel module for chmod restrictions while in securelevel one or higher:
>>>> http://gist.github.com/501800 (fbsd 8.x)
>>>>
>>>> Was looking at the new recent sendfile/mbuf exploit and it was using a
>>>> shellcode that calls chmod syscall to make a setuid/setgid binary.
>>> However
>>> Can you point to the exploit (code) ?
>>>
>>
>> --
>> the sun shines for all
>>
>> http://l1xl1x.blogspot.com