From owner-freebsd-security@freebsd.org Tue Aug 30 10:22:48 2016
From: Dag-Erling Smørgrav
To: Kubilay Kocak
Cc: Weldon Godfrey, freebsd-security@freebsd.org
Subject: Re: Ports EOL vuxml entry
Date: Tue, 30 Aug 2016 12:20:59 +0200
Message-ID: <8660qitv5g.fsf@desk.des.no>
In-Reply-To: <8a222379-442d-b77d-e96d-27a556f798df@FreeBSD.org> (Kubilay Kocak's message of "Wed, 24 Aug 2016 01:02:42 +1000")

Kubilay Kocak writes:
> This (good) argument sounds primarily about classification and/or the
> ability or lack thereof to distinguish between types-of-things, which
> are not identical:
>
> * Explicit vulnerability ("Active", Official record (CVE, etc), will or
>   likely/expected to be fixed)
> * Implicit (probable) vulnerability (by way of EoL, no fixes/support,
>   may have CVE (forever), port/pkg deleted, etc)

In theory, these are not identical. In practice, there is no way to tell the difference given the sources and resources we have.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Aug 31 21:42:02 2016
From: Ed Maste
To: freebsd-security@freebsd.org
Date: Wed, 31 Aug 2016 17:41:40 -0400
Subject: Re: Unexplained update to /boot/boot1.efi and 2 others by freebsd-update
In-Reply-To: <20160823002821.GJ1069@FreeBSD.org>
References: <201608221415.u7MEFl8d009158@higson.cam.lispworks.com> <20160823002821.GJ1069@FreeBSD.org>

On 22 August 2016 at 20:28, Gleb Smirnoff wrote:
>
> The freebsd-update build code attempts to extract and ignore timestamps in order
> to determine whether files are 'really' changing between builds; unfortunately these
> particular files contain a build artifact which the freebsd-update code was not
> able to handle, thus resulting in them being incorrectly identified as needing to be
> distributed.

The issue with PE/COFF timestamps in the UEFI bootloader components is fixed as of SVN r305160 in HEAD and will make it back to stable/11 in due course. The timestamps will now be set to a consistent, known value.
From owner-freebsd-security@freebsd.org Thu Sep 1 12:47:29 2016
From: Andrii Kuzik
To: freebsd-security@freebsd.org
Date: Thu, 1 Sep 2016 14:47:26 +0200
Subject: edit others user crontab, security bug

Probably a lot of FreeBSD servers are affected.

Security bug allows editing other users' crontabs.

root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
root# echo @daily doit baby > /tmp/test
root# crontab -u www.promspecbud.com.other /tmp/test
root# crontab -u www.promspecbud.com -l

=====output =====
@daily doit baby
=================

root# echo @daily doit baby one more time >> /tmp/test
root# sudo -u www.promspecbud.com.other crontab /tmp/test
root# sudo -u www.promspecbud.com crontab -l
=====output =====
@daily doit baby
@daily doit baby one more time
=================

root# uname -a
FreeBSD kuzik 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 02:10:02 UTC 2016     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

best regards, Andrii Kuzik

From owner-freebsd-security@freebsd.org Thu Sep 1 13:37:48 2016
From: Matt Donovan
To: Andrii Kuzik
Cc: freebsd-security
Date: Thu, 1 Sep 2016 08:37:46 -0500
Subject: Re: edit others user crontab, security bug

So you're doing it as root. Root can do that, as it has access to everything.

On Sep 1, 2016 8:15 AM, "Andrii Kuzik" wrote:
> Probably a lot of FreeBSD servers are affected.
>
> Security bug allows editing other users' crontabs.
>
> root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
> root# echo @daily doit baby > /tmp/test
> root# crontab -u www.promspecbud.com.other /tmp/test
> root# crontab -u www.promspecbud.com -l
>
> =====output =====
> @daily doit baby
> =================
>
> root# echo @daily doit baby one more time >> /tmp/test
> root# sudo -u www.promspecbud.com.other crontab /tmp/test
> root# sudo -u www.promspecbud.com crontab -l
> =====output =====
> @daily doit baby
> @daily doit baby one more time
> =================
>
> root# uname -a
> FreeBSD kuzik 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25
> 02:10:02 UTC 2016
> root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>
> best regards, Andrii Kuzik
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
From owner-freebsd-security@freebsd.org Thu Sep 1 13:20:29 2016
From: fwaggle
To: Andrii Kuzik
Cc: freebsd-security@freebsd.org
Date: Thu, 1 Sep 2016 23:20:26 +1000
Subject: Re: edit others user crontab, security bug

> root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp

I'm really sleepy so this might be wrong or outdated, but aren't/weren't FreeBSD usernames limited to 16 characters? Seems to me this probably relates to both the users being evaluated to the username "www.promspecbud." or whatever.

-- 
James "fwaggle" Fraser

From owner-freebsd-security@freebsd.org Thu Sep 1 13:44:00 2016
From: Edho Arief
To: freebsd-security@freebsd.org
Date: Thu, 01 Sep 2016 22:43:58 +0900
Subject: Re: edit others user crontab, security bug
Message-Id: <1472737438.3589865.712736753.5CFBB0DC@webmail.messagingengine.com>

Hi,

On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> Probably a lot of FreeBSD servers are affected.
>
> Security bug allows editing other users' crontabs.
>
> root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
> root# echo @daily doit baby > /tmp/test
> root# crontab -u www.promspecbud.com.other /tmp/test
> root# crontab -u www.promspecbud.com -l
>
> =====output =====
> @daily doit baby
> =================
>
> root# echo @daily doit baby one more time >> /tmp/test
> root# sudo -u www.promspecbud.com.other crontab /tmp/test
> root# sudo -u www.promspecbud.com crontab -l
> =====output =====
> @daily doit baby
> @daily doit baby one more time
> =================
>

To be more specific, the bug is that crontab truncates usernames to 19 characters, as defined in cron.h:

#define MAX_UNAME 20 /* max length of username, should be overkill */

# pw useradd users12345names67890
# crontab -u users12345names67890 -l
crontab: no crontab for users12345names6789
                                          ^-- cut off
From owner-freebsd-security@freebsd.org Thu Sep 1 17:41:11 2016
From: Damian Weber
To: freebsd-security@freebsd.org
Date: Thu, 1 Sep 2016 18:56:04 +0200 (CEST)
Subject: Re: edit others user crontab, security bug
In-Reply-To: <1472737438.3589865.712736753.5CFBB0DC@webmail.messagingengine.com>

On Thu, 1 Sep 2016, Edho Arief wrote:
> Date: Thu, 1 Sep 2016 15:43:58
> From: Edho Arief
> To: freebsd-security@freebsd.org
> Subject: Re: edit others user crontab, security bug
>
> Hi,
>
> On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> > Probably a lot of FreeBSD servers are affected.
> >
> > Security bug allows editing other users' crontabs.
> >
> > root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
> > root# echo @daily doit baby > /tmp/test
> > root# crontab -u www.promspecbud.com.other /tmp/test
> > root# crontab -u www.promspecbud.com -l
> >
> > =====output =====
> > @daily doit baby
> > =================
> >
> > root# echo @daily doit baby one more time >> /tmp/test
> > root# sudo -u www.promspecbud.com.other crontab /tmp/test
> > root# sudo -u www.promspecbud.com crontab -l
> > =====output =====
> > @daily doit baby
> > @daily doit baby one more time
> > =================
> >
>
> To be more specific, the bug is that crontab truncates usernames to 19
> characters, as defined in cron.h:
>
> #define MAX_UNAME 20 /* max length of username, should be overkill */
>
> # pw useradd users12345names67890
> # crontab -u users12345names67890 -l
> crontab: no crontab for users12345names6789
>                                           ^-- cut off

Apart from the crontab user length, there seem to be quite a lot of possible values to choose from (MAXLOGNAME being the FreeBSD standard, right?)

$ cd /usr/include
$ egrep "^#define.*(USER|LOG)" */*h *.h | grep MAX | grep NAME
bsm/libbsm.h:#define AU_USER_NAME_MAX 50
netsmb/smb.h:#define SMB_MAXUSERNAMELEN 128
sys/param.h:#define MAXLOGNAME 33 /* max login name length (incl. NUL) */
sys/sysctl.h:#define USER_TZNAME_MAX 20 /* int: POSIX2_TZNAME_MAX */
limits.h:#define _POSIX_LOGIN_NAME_MAX 9
stdio.h:#define L_cuserid 17 /* size for cuserid(3); MAXLOGNAME, legacy */
unistd.h:#define _SC_LOGIN_NAME_MAX 73

-- 
Damian Weber

From owner-freebsd-security@freebsd.org Thu Sep 1 18:10:07 2016
From: "rollingbits (Lucas)"
To: Matt Donovan
Cc: Andrii Kuzik, freebsd-security
Date: Thu, 1 Sep 2016 15:10:05 -0300
Subject: Re: edit others user crontab, security bug

On Thu, Sep 1, 2016 at 10:37 AM, Matt Donovan wrote:
> On Sep 1, 2016 8:15 AM, "Andrii Kuzik" wrote:
(...)
>> root# crontab -u www.promspecbud.com.other /tmp/test
>> root# crontab -u www.promspecbud.com -l
>
> So you're doing it as root. Root can do that, as it has access to everything.

This may be obvious, but I think you cannot: the first cron command requests adding a crontab to user 'www.promspecbud.com.other', but the table ends up in user 'www.promspecbud.com'. Is it advertising in user names?

-- 
rollingbits -- rollingbits@yahoo.com, lucasnm@ig.com.br, rollingbits@gmail.com, rollingbits@terra.com.br, rollingbits@globo.com

From owner-freebsd-security@freebsd.org Sat Sep 3 02:31:11 2016
From: Garrett Wollman
To: Damian Weber
Cc: freebsd-security@freebsd.org, emaste@freebsd.org
Date: Fri, 2 Sep 2016 22:31:06 -0400
Subject: Re: edit others user crontab, security bug
Message-ID: <22474.13802.335507.240401@hergotha.csail.mit.edu>
References: <1472737438.3589865.712736753.5CFBB0DC@webmail.messagingengine.com>

Damian Weber said:

> bsm/libbsm.h:#define AU_USER_NAME_MAX 50

That's fine, since it means that the user name in an audit record (i.e., output data) is bigger than what FreeBSD needs.

> netsmb/smb.h:#define SMB_MAXUSERNAMELEN 128

Not sure that this matters for anything.

> sys/param.h:#define MAXLOGNAME 33 /* max login name length (incl. NUL) */

This is the one that matters.

> sys/sysctl.h:#define USER_TZNAME_MAX 20 /* int: POSIX2_TZNAME_MAX */

Not relevant.

> limits.h:#define _POSIX_LOGIN_NAME_MAX 9

This is the POSIX "minimum maximum" -- i.e., all POSIX systems must support at least this value.

> stdio.h:#define L_cuserid 17 /* size for cuserid(3); MAXLOGNAME, legacy */

Legacy interface that should not be used.

> unistd.h:#define _SC_LOGIN_NAME_MAX 73

Because we do not define LOGIN_NAME_MAX, portable applications are required to use sysconf(3) to find out what {LOGIN_NAME_MAX} (i.e., the parameter, not the C-language macro) in the running system actually is. This is the "key" which allows them to retrieve that value; it is just an arbitrary integer (could be an enum if we went in for that sort of thing).

I see now that this was fixed by emaste@ yesterday (r305269). I'm a bit disappointed that it was done using MAXLOGNAME, but looking at the way it's used in the code, fixing it to use the proper POSIX parameter {LOGIN_NAME_MAX} would require significant restructuring, since the arrays that are currently statically allocated would have to be replaced with dynamic allocations. There are other static limits in this old code that should probably also be replaced, for safety, but don't represent a problem currently.

-GAWollman
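The truncation Edho Arief describes (MAX_UNAME 20 in cron.h) and the sysconf(3) point Garrett Wollman raises, as an added example that is not from the thread or from cron's source: a model of the old fixed-buffer copy that makes two distinct accounts collide, beside a hardened copy that refuses any name that does not fit in a buffer sized from the running system's {LOGIN_NAME_MAX}. The strncpy model of the truncation and all function names are assumptions; the thread only shows the effect (names cut at 19 characters).

```c
/*
 * Added example (not cron's source): how a fixed-size user-name buffer turns
 * two distinct accounts into one crontab, and how a length check prevents it.
 * The strncpy-based model of the truncation is an assumption; the thread only
 * shows its effect.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_UNAME 20            /* old cron.h limit: 19 characters + NUL */
#define MAXLOGNAME_FALLBACK 33  /* FreeBSD sys/param.h MAXLOGNAME, incl. NUL */

/* Legacy behaviour: copy into a fixed buffer, silently dropping the tail. */
static void legacy_copy_uname(char *dst, const char *src)
{
    strncpy(dst, src, MAX_UNAME - 1);
    dst[MAX_UNAME - 1] = '\0';
}

/*
 * Returns 1 when two different account names are indistinguishable after the
 * legacy copy, i.e. crontab -u on one would read or write the other's file.
 */
int legacy_names_collide(const char *a, const char *b)
{
    char ua[MAX_UNAME], ub[MAX_UNAME];

    if (strcmp(a, b) == 0)
        return 0;               /* same account, not a collision */
    legacy_copy_uname(ua, a);
    legacy_copy_uname(ub, b);
    return strcmp(ua, ub) == 0;
}

/*
 * Hardened copy: succeed only if the whole name plus NUL fits in dstsz bytes;
 * otherwise leave dst untouched and fail with ENAMETOOLONG.
 */
int safe_copy_uname(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (n == 0 || n + 1 > dstsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/*
 * Buffer size for a login name on the running system, taken from
 * {LOGIN_NAME_MAX} via sysconf(3) as Garrett's reply suggests (the value
 * already counts the NUL). Falls back to MAXLOGNAME when sysconf has no answer.
 */
size_t login_name_bufsize(void)
{
    long v = sysconf(_SC_LOGIN_NAME_MAX);

    return v > 0 ? (size_t)v : MAXLOGNAME_FALLBACK;
}

/* Returns 1 if name copies intact into a dstsz-byte buffer, 0 if rejected. */
int safe_copy_fits(size_t dstsz, const char *name)
{
    char buf[256];

    if (dstsz > sizeof(buf))
        dstsz = sizeof(buf);
    if (safe_copy_uname(buf, dstsz, name) != 0)
        return 0;
    return strcmp(buf, name) == 0;
}

int main(void)
{
    /* Account names from the thread (constructed test input, not live data). */
    const char *a = "www.promspecbud.com";
    const char *b = "www.promspecbud.com.other";
    size_t sys = login_name_bufsize();

    printf("legacy %d-byte buffer: '%s' and '%s' collide? %s\n",
           MAX_UNAME, a, b, legacy_names_collide(a, b) ? "yes" : "no");
    printf("safe copy of '%s' into %d bytes: %s\n", b, MAX_UNAME,
           safe_copy_fits(MAX_UNAME, b) ? "ok" : "rejected");
    printf("this system's {LOGIN_NAME_MAX}: %zu; safe copy there: %s\n",
           sys, safe_copy_fits(sys, b) ? "ok" : "rejected");
    return 0;
}
```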