From owner-freebsd-security Tue Jan 14 08:47:22 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA21652 for security-outgoing; Tue, 14 Jan 1997 08:47:22 -0800 (PST)
Received: from ingenieria ([168.176.15.11]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id IAA21633 for ; Tue, 14 Jan 1997 08:47:12 -0800 (PST)
Received: from unalmodem.usc.unal.edu.co by ingenieria (SMI-8.6/SMI-SVR4) id LAA01795; Tue, 14 Jan 1997 11:34:13 -0500
Message-ID: <32DBE243.4793@fps.biblos.unal.edu.co>
Date: Tue, 14 Jan 1997 11:45:07 -0800
From: "Pedro Giffuni S."
Reply-To: m230761@ingenieria.ingsala.unal.edu.co
Organization: Universidad Nacional de Colombia
X-Mailer: Mozilla 3.0 (Win16; I)
MIME-Version: 1.0
To: security@freebsd.org
Subject: Any lawyer online?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Howdy,

Is there someone that knows the real implications of the Bernstein case?
Shouldn't we all (especially WC) join the golden key campaign?
(http://www.eff.org/goldkey.html)

best regards,

Pedro.

From owner-freebsd-security Wed Jan 15 06:22:57 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA04011 for security-outgoing; Wed, 15 Jan 1997 06:22:57 -0800 (PST)
Received: from seine.cs.umd.edu (10862@seine.cs.umd.edu [128.8.128.59]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id GAA04006 for ; Wed, 15 Jan 1997 06:22:55 -0800 (PST)
Received: by seine.cs.umd.edu (8.8.4/UMIACS-0.9/04-05-88) id JAA03779; Wed, 15 Jan 1997 09:22:54 -0500 (EST)
Date: Wed, 15 Jan 1997 09:22:54 -0500 (EST)
From: rohit@cs.umd.edu (Rohit Dube)
Message-Id: <199701151422.JAA03779@seine.cs.umd.edu>
To: security@freebsd.org
Subject: Firewall and FreeBSD CIDR
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[I am not sure if this belongs here, but there is no freebsd-net list..]

Hi,

I have a block of 32 globally routable addresses which I split into two
blocks of 16 in order to set up a firewall from the internal machines to the
external router. From the FreeBSD firewall machine, I can 'see' both the
internal network and the outside. But, the firewall machine refuses to route
any packets across it. (Yes the firewall functionality is turned off, ip
forwarding is enabled and the subnet masks are set correctly).

Instead of subnetting at the firewall, if I use an RFC 1918 (10.0.0.X)
address between the firewall and the external router, everything works just
fine.

Does this mean that FreeBSD doesn't do CIDR correctly? Anybody see this
before?

I have been tearing my hair over this for a while now...

Thanks.
--rohit.

PS: [ext. router] -------X |firewall| X-------- [internal machines]

From owner-freebsd-security Wed Jan 15 07:50:00 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA07565 for security-outgoing; Wed, 15 Jan 1997 07:50:00 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id HAA07557 for ; Wed, 15 Jan 1997 07:49:48 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65v3.2/1.1.8.2/19Aug95-0530PM) id AA05177; Wed, 15 Jan 1997 10:49:40 -0500
Date: Wed, 15 Jan 1997 10:49:40 -0500
From: Garrett Wollman
Message-Id: <9701151549.AA05177@halloran-eldar.lcs.mit.edu>
To: rohit@cs.umd.edu (Rohit Dube)
Cc: security@FreeBSD.ORG
Subject: Firewall and FreeBSD CIDR
In-Reply-To: <199701151422.JAA03779@seine.cs.umd.edu>
References: <199701151422.JAA03779@seine.cs.umd.edu>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

<
> [I am not sure if this belongs here, but there is no freebsd-net list..]

> Does this mean that FreeBSD doesn't do CIDR correctly? Anybody see this
> before?

God only knows. If you provided enough information to actually tell
what your configuration was in actuality, then perhaps we could figure
out what your problem is.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, ANA, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Jan 15 08:11:48 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA08585 for security-outgoing; Wed, 15 Jan 1997 08:11:48 -0800 (PST)
Received: from seine.cs.umd.edu (10862@seine.cs.umd.edu [128.8.128.59]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id IAA08577 for ; Wed, 15 Jan 1997 08:11:45 -0800 (PST)
Received: by seine.cs.umd.edu (8.8.4/UMIACS-0.9/04-05-88) id LAA04783; Wed, 15 Jan 1997 11:11:40 -0500 (EST)
Message-Id: <199701151611.LAA04783@seine.cs.umd.edu>
To: Garrett Wollman
cc: rohit@cs.umd.edu (Rohit Dube), security@FreeBSD.ORG, rohit@cs.umd.edu
Subject: Re: Firewall and FreeBSD CIDR
In-reply-to: Your message of "Wed, 15 Jan 1997 10:49:40 EST." <9701151549.AA05177@halloran-eldar.lcs.mit.edu>
Date: Wed, 15 Jan 1997 11:11:40 -0500
From: Rohit Dube
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 15 Jan 1997 10:49:40 -0500 wollman@lcs.mit.edu writes:
=>
=>> [I am not sure if this belongs here, but there is no freebsd-net list..]
=>
=>> Does this mean that FreeBSD doesn't do CIDR correctly? Anybody see this
=>> before?
=>
=>God only knows. If you provided enough information to actually tell
=>what your configuration was in actuality, then perhaps we could figure
=>out what your problem is.
=>
____

Ok. Here goes -

Routing tables on Firewall (X.Y.Z is a placeholder for my net prefix. I have
addresses 96 thru 128)

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            X.Y.Z.113          UGSc         4       99      vx1
127.0.0.1          127.0.0.1          UH           0        0      lo0
X.Y.Z.96/28        link#1             UC           0        0
X.Y.Z.97           0:60:97:54:13:66   UHLW         0       10      lo0
X.Y.Z.98           0:0:c0:a7:8a:e4    UHLW         0        2      vx0    1139
X.Y.Z.99           0:0:c0:ac:8a:e4    UHLW         0       20      vx0    1139
X.Y.Z.112/28       link#2             UC           0        0
X.Y.Z.113          0:0:c:33:28:3a     UHLW         4        6      vx1    1199
X.Y.Z.114          0:60:97:33:da:92   UHLW         0        4      lo0

GATEWAY option ON. Firewall option OFF. NOT running 'routed' or 'gated'.

Firewall has interfaces X.Y.Z.114 to external router (vx1) and X.Y.Z.97 to
the internal ethernet hub (vx0).

External Machine (X.Y.Z.113) / Router
            |
            |
            |
   Firewall vx1 (X.Y.Z.114)
   Firewall vx0 (X.Y.Z.97)
            |
            |
            |
Ethernet Hub (connecting internal machines).

Note that if I replace 10.0.0.2 on vx1 and 10.0.0.1 on the external machine
(instead of X.Y.Z.113) I can get packets across the Firewall, but not in the
configuration shown above.

The Firewall runs FreeBSD 2.2 Beta.

Thanks.
--rohit.
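The configuration in the message above, as an added example that is not part of the thread: a small model in Python of where each hop believes the subnet boundary sits, and whether a packet for an internal host ever reaches the firewall at all. 192.0.2.0 stands in for the X.Y.Z placeholder, and the external router's address/mask pairs and static routes are assumptions made for the example; the firewall's two /28s and interface addresses are taken from the routing table above. net.link.ether.inet.proxyall is FreeBSD's proxy-ARP sysctl.

```python
"""Added example (not part of the thread): model where each hop on the split
/27 believes the subnet boundary is, using the addresses from the routing
table above.  192.0.2.0 stands in for the X.Y.Z placeholder, and the router's
address/mask pairs and routes are assumptions made for this example."""
import ipaddress

# From the posted netstat -rn output (prefix substituted, an assumption):
FIREWALL_EXT = "192.0.2.114/28"   # vx1, link#2, toward the external router
FIREWALL_INT = "192.0.2.97/28"    # vx0, link#1, toward the internal hub
INTERNAL_HOST = "192.0.2.98"      # one of the hosts behind vx0
ROUTER_ADDR = "192.0.2.113"       # the external machine / router


def split_block(block="192.0.2.96/27"):
    """The two /28s the poster carved out of the /27 (96-111 and 112-127)."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=28)]


def is_on_link(iface, dst):
    """A host treats dst as directly reachable, and ARPs for it itself, when
    dst falls inside the prefix configured on one of its own interfaces."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(iface).network


def router_next_hop(router_iface, dst, routes):
    """Forwarding decision of the external router: 'direct' if dst looks
    on-link to it, else the gateway of its most specific matching route,
    else None (no route at all).  routes maps prefix -> gateway address."""
    if is_on_link(router_iface, dst):
        return "direct"
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return best[1] if best else None


def firewall_answers_arp(target, proxyall):
    """Whether the FreeBSD box replies to an ARP request for target heard on
    vx1.  It always answers for its own vx1 address; with
    net.link.ether.inet.proxyall=1 it also answers for addresses it reaches
    through another interface (proxy ARP)."""
    if target == str(ipaddress.ip_interface(FIREWALL_EXT).ip):
        return True
    return proxyall and is_on_link(FIREWALL_INT, target)


def delivered(router_iface, dst, routes, proxyall=False):
    """Does a packet from the external router for dst reach a host behind
    vx0?  Assumes IP forwarding is on, as the poster states."""
    hop = router_next_hop(router_iface, dst, routes)
    if hop is None:
        return False                       # router has no route
    arp_target = dst if hop == "direct" else hop
    if not firewall_answers_arp(arp_target, proxyall):
        return False                       # ARP unanswered: dropped at the router
    return is_on_link(FIREWALL_INT, dst)   # firewall forwards it onto vx0


if __name__ == "__main__":
    print("halves of the /27:", split_block())
    cases = [
        # router still has the whole /27 on its link (constructed misconfiguration)
        ("192.0.2.113/27", {}, False),
        # same, but the firewall proxy-ARPs for the lower half
        ("192.0.2.113/27", {}, True),
        # router narrowed to /28 with a route to the lower /28 via the firewall
        ("192.0.2.113/28", {"192.0.2.96/28": "192.0.2.114"}, False),
    ]
    for iface, routes, proxy in cases:
        print(iface, "proxyall=%s" % proxy, "->",
              "delivered" if delivered(iface, INTERNAL_HOST, routes, proxy) else "dropped")
```

The model's point: when the router keeps the whole /27 on its link, X.Y.Z.98 looks like a neighbour to it, so it ARPs for .98 directly and never hands the packet to X.Y.Z.114; the firewall's forwarding path is never exercised, which is why swapping the link to a 10.0.0.x pair makes the problem disappear. Narrowing the router to /28 with a route for the lower /28 via the firewall, or letting the firewall proxy-ARP for that half, both make the ARP resolve.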
From owner-freebsd-security Wed Jan 15 08:23:16 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA09429 for security-outgoing; Wed, 15 Jan 1997 08:23:16 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id IAA09422 for ; Wed, 15 Jan 1997 08:23:00 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65v3.2/1.1.8.2/19Aug95-0530PM) id AA05683; Wed, 15 Jan 1997 11:22:52 -0500
Date: Wed, 15 Jan 1997 11:22:52 -0500
From: Garrett Wollman
Message-Id: <9701151622.AA05683@halloran-eldar.lcs.mit.edu>
To: Rohit Dube
Cc: Garrett Wollman , security@FreeBSD.ORG
Subject: Re: Firewall and FreeBSD CIDR
In-Reply-To: <199701151611.LAA04783@seine.cs.umd.edu>
References: <9701151549.AA05177@halloran-eldar.lcs.mit.edu> <199701151611.LAA04783@seine.cs.umd.edu>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

< said:

> Routing tables on Firewall (X.Y.Z is a placeholder for my net prefix. I have
> addresses 96 thru 128)

You still haven't told us your precise configuration. That means the
contents of the `network' section of /etc/sysconfig, the output of
`netstat -rn', and the output of `ifconfig -a'.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, ANA, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Jan 15 08:37:14 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA09987 for security-outgoing; Wed, 15 Jan 1997 08:37:14 -0800 (PST)
Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id IAA09981; Wed, 15 Jan 1997 08:37:09 -0800 (PST)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by postoffice.cso.uiuc.edu (8.6.12/8.6.12) with ESMTP id KAA16134; Wed, 15 Jan 1997 10:37:06 -0600
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) id KAA21934; Wed, 15 Jan 1997 10:34:49 -0600
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199701151634.KAA21934@alecto.physics.uiuc.edu>
Subject: Re: BoS: serious security bug in wu-ftpd v2.4 -- PATCH (fwd)
To: security@FreeBSD.ORG, owner-security@FreeBSD.ORG
Date: Wed, 15 Jan 1997 10:34:49 -0600 (CST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Sorry for probably a lame question:

Is this a new security hole, or something which has been patched for FreeBSD ?
Any comment on this ?

BTW, what is the FreeBSD team's "official" point of view concerning the
Academ-branch of wu-ftpd ?

Thanks,

IgoR aka StR

Forwarded message:
>From owner-bugtraq@NETSPACE.ORG Tue Jan 14 17:45:23 1997
Approved-By: ALEPH1@UNDERGROUND.ORG
X-Sender: hpj@tide.globecom.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Approved-By: Henrik P Johnson
Message-ID:
Date: Sun, 12 Jan 1997 19:56:01 +0100
Reply-To: Henrik P Johnson
Sender: Bugtraq List
From: Henrik P Johnson
Subject: Re: BoS: serious security bug in wu-ftpd v2.4 -- PATCH
X-To: Dave Kinchlea
To: Multiple recipients of list BUGTRAQ
In-Reply-To:

Below comes a hopefully improved version of the sigfix.c file to fix
wu-ftp. This will block signals while within crucial parts of the FTP
server, yet the signals will occur after resumesigs is called. I have no
idea of how portable this may or may not be, but it seems to work on HP,
OSF, Linux and Solaris. Otherwise the patch as supplied by Dave Kinchlea
should be applied.

/* ######################### sigfix.c ################################# */
#include <signal.h>
#include <stddef.h>

/*
 * Hold SIGPIPE and SIGURG while the server is inside a critical section.
 * sigset_t is an opaque type, so the set is built with sigemptyset() and
 * sigaddset(); assigning the signal numbers to it directly does not select
 * those signals.
 */
void
#ifdef __STDC__
suspendsigs(void)
#else
suspendsigs()
#endif
{
	sigset_t sset;

	sigemptyset(&sset);
#ifdef SIGPIPE
	sigaddset(&sset, SIGPIPE);
#endif
#ifdef SIGURG
	sigaddset(&sset, SIGURG);
#endif
	sigprocmask(SIG_BLOCK, &sset, NULL);
}

/*
 * Release the same signals; any that arrived while blocked are delivered
 * as soon as they are unblocked.
 */
void
#ifdef __STDC__
resumesigs(void)
#else
resumesigs()
#endif
{
	sigset_t sset;

	sigemptyset(&sset);
#ifdef SIGPIPE
	sigaddset(&sset, SIGPIPE);
#endif
#ifdef SIGURG
	sigaddset(&sset, SIGURG);
#endif
	sigprocmask(SIG_UNBLOCK, &sset, NULL);
}

===============================================================================
Henrik P Johnson        Tel: +46-(0)31-812091       Eklandagatan 41a
GlobeCom Network        GSM: +46-(0)70-5409924      41261 Göteborg
IRC: [TC]               FAX: +46-(0)31-208460       Sweden
E-Mail: king@globecom.net king@one.se, hpj@etek.chalmers.se, hpj@tjh.se ...
etc
===============================================================================
Nice site: http://www.underscore.se/sj (Swedish)

From owner-freebsd-security Wed Jan 15 09:14:48 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id JAA11786 for security-outgoing; Wed, 15 Jan 1997 09:14:48 -0800 (PST)
Received: from spark.gage.com (brimstone.gage.com [205.217.2.10]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id JAA11779 for ; Wed, 15 Jan 1997 09:14:45 -0800 (PST)
Received: (from mail@localhost) by spark.gage.com (8.8.3/8.8.4) id LAA26521 for ; Wed, 15 Jan 1997 11:14:43 -0600 (CST)
Received: from octopus.gage.com(158.60.57.50) by spark.gage.com via smap (V2.0beta) id xma026518; Wed, 15 Jan 97 11:14:19 -0600
Received: from squid.gage.com (squid [158.60.57.101]) by octopus.gage.com (8.7.5/8.7.3) with SMTP id LAA07759 for ; Wed, 15 Jan 1997 11:14:19 -0600 (CST)
Received: from schemer by squid.gage.com (NX5.67e/NX3.0S) id AA29561; Wed, 15 Jan 97 11:14:18 -0600
Message-Id: <9701151714.AA29561@squid.gage.com>
Received: by schemer.gage.com (NX5.67g/NX3.0X) id AA00614; Wed, 15 Jan 97 11:14:18 -0600
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 4.0 v146.2)
In-Reply-To: <9701151622.AA05683@halloran-eldar.lcs.mit.edu>
X-Nextstep-Mailer: Mail 3.3 (Enhance 1.3)
Received: by NeXT.Mailer (1.146.2)
From: Ben Black
Date: Wed, 15 Jan 97 11:14:16 -0600
To: security@freebsd.org
Subject: Re: Firewall and FreeBSD CIDR
References: <9701151549.AA05177@halloran-eldar.lcs.mit.edu> <199701151611.LAA04783@seine.cs.umd.edu> <9701151622.AA05683@halloran-eldar.lcs.mit.edu>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

CIDR has nothing to do with this. the term for what you are doing is
subnetting. CIDR is the aggregation of large blocks of class C networks to
reduce routing table size.

b3n

From owner-freebsd-security Wed Jan 15 11:44:21 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA19562 for security-outgoing; Wed, 15 Jan 1997 11:44:21 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id LAA19555 for ; Wed, 15 Jan 1997 11:44:14 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <23086(7)>; Wed, 15 Jan 1997 11:43:26 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177476>; Wed, 15 Jan 1997 11:43:14 -0800
X-Mailer: exmh version 1.6.9 8/22/96
To: Rohit Dube
cc: Garrett Wollman , security@freebsd.org
Subject: Re: Firewall and FreeBSD CIDR
In-reply-to: Your message of "Wed, 15 Jan 1997 08:11:40 PST." <199701151611.LAA04783@seine.cs.umd.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 15 Jan 1997 11:43:10 PST
From: Bill Fenner
Message-Id: <97Jan15.114314pst.177476@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199701151611.LAA04783@seine.cs.umd.edu>you write:
>External Machine (X.Y.Z.113) / Router

What's this machine's configuration? What's its netmask on this link?
If its netmask is /27, then you can't get beyond the firewall because
the router doesn't think it's necessary to send the packets *to* the
firewall. You can fix this by configuring the router correctly, or by
using the ARP_PROXYALL kludge on the firewall
(sysctl -w net.link.ether.inet.proxyall=1).

  Bill

From owner-freebsd-security Wed Jan 15 16:52:44 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id QAA11681 for security-outgoing; Wed, 15 Jan 1997 16:52:44 -0800 (PST)
Received: from dns.pinpt.com (dns.pinpt.com [205.179.195.1]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id QAA11676 for ; Wed, 15 Jan 1997 16:52:42 -0800 (PST)
Received: from journeyman (gatemaster.pinpt.com [205.179.195.65]) by dns.pinpt.com (8.6.12/8.6.12) with SMTP id QAA22172; Wed, 15 Jan 1997 16:51:57 -0800
Date: Wed, 15 Jan 97 16:51:09 Pacific Standard Time
From: "Sean J. Schluntz"
Subject: Re: sendmail running non-root SUCCESS!
To: freebsd-security@freebsd.org, Ollivier Robert
X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc.
X-Priority: 3 (Normal)
References:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Anyone can use any mailer they want, the real discussion has never been to
> choose between one or the other but what should be standard (i.e. in
> /usr/src).

Just to stick my nose in on this one for a moment. I would in the past, now,
and will continue to vote for sendmail. Just because another program is
newer does not mean that it is any easier to crack, it just means that the
holes have not been discovered yet. sendmail is not my favorite to work on,
but I will never trade it for anything else.

-Sean

----------------------------------------------------------------------
Sean J. Schluntz                     Manager, Support Services
ph. 408.997.6900 x222                PinPoint Software Corporation
fx. 408.323.2300                     6155 Almaden Expressway, Suite 100
                                     San Jose, CA. 95120
http://www.pinpt.com/
Local Time Sent: 01/15/97 16:51:09
----------------------------------------------------------------------

From owner-freebsd-security Thu Jan 16 03:03:53 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id DAA16207 for security-outgoing; Thu, 16 Jan 1997 03:03:53 -0800 (PST)
Received: from shadows.aeon.net (bsdsec@shadows.aeon.net [194.100.41.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id DAA16199 for ; Thu, 16 Jan 1997 03:03:42 -0800 (PST)
Received: (from bsdsec@localhost) by shadows.aeon.net (8.8.4/8.8.3) id NAA22995; Thu, 16 Jan 1997 13:02:34 +0200 (EET)
From: mika ruohotie
Message-Id: <199701161102.NAA22995@shadows.aeon.net>
Subject: Re: Firewall and FreeBSD CIDR
To: black@squid.gage.com (Ben Black)
Date: Thu, 16 Jan 1997 13:02:33 +0200 (EET)
Cc: security@freebsd.org
In-Reply-To: <9701151714.AA29561@squid.gage.com> from Ben Black at "Jan 15, 97 11:14:16 am"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> CIDR has nothing to do with this. the term for what you are doing is
> subnetting. CIDR is the aggregation of large blocks of class C networks to
> reduce routing table size.

actually, CIDR number can point to a subnet of C-class too... and it can
be non C-class also... as rfc1878 says...

/25 - /31 (yes, yes, /32 too) are subnets, /1 - /8 As, /9 - /16 Bs, and
between those (/17 - /24) full Cs

but we knew it... =)

> b3n

mickey

From owner-freebsd-security Thu Jan 16 05:36:26 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA21425 for security-outgoing; Thu, 16 Jan 1997 05:36:26 -0800 (PST)
Received: from foobar.gw2kbbs.com (foobar.gw2kbbs.com [205.217.137.150]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA21407 for ; Thu, 16 Jan 1997 05:36:23 -0800 (PST)
Received: from blue ([10.12.5.66]) by foobar.gw2kbbs.com (8.7.5/8.6.11) with SMTP id HAA11286 for ; Thu, 16 Jan 1997 07:09:14 -0600 (CST)
Message-ID: <32DE16C4.35A3@gw2kbbs.com>
Date: Thu, 16 Jan 1997 06:53:40 -0500
From: Tyson
Reply-To: tysonb@gw2kbbs.com
X-Mailer: Mozilla 2.02E (OS/2; I)
MIME-Version: 1.0
To: security@freebsd.org
Subject: Re: sendmail running non-root SUCCESS!
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Sean J. Schluntz wrote:

> Just to stick my nose in on this one for a moment. I would in the past, now,
> and will continue to vote for sendmail. Just because another projgram is
> newer does not mean that it is any easer to crack, it just means that the

Nothing in life is certain; a newer tool may have had extremely talented
people with a gift for secure code, and massive luck on their side. I wish I
could say for certain that something WILL work. I can only tell you in terms
of the relative probability. :(

> holes have not been discovered yet. sendmail is not my favorit to work on,
> but I will never trade it for anything else.

Before we get all crazy here (poems extolling the virtues of sendmail,
flames, & etc.), here is my $.02 worth;

All you're talking about here is a tool. Plain and simple. I don't think
I'll ever fall in love with a hammer, but when I need to pound a nail, I look
for it (usually at the last place I used it... ;-) ). There are other tools,
some better suited to the job at hand, some that miss the mark in some way.
New tools come along every day. The fact remains, that when I need a hammer,
I'll come looking for one or something that passes for one. When I need a
screwdriver, I'll look for a screwdriver. When I need a tool to keep my
network safe, I'll subscribe to the appropriate mailing list. A value
judgement on a tool in this list devalues this list as a tool; we're adults
here, and the assumption that you know what you're doing is a critical first
step in finding a solution for whatever issue you're facing at the moment.

To sum up, let's keep the discussion on track.
From owner-freebsd-security Sat Jan 18 01:19:31 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA03084 for security-outgoing; Sat, 18 Jan 1997 01:19:31 -0800 (PST)
Received: from precipice.shockwave.com (ppp-206-170-6-70.rdcy01.pacbell.net [206.170.6.70]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA03077; Sat, 18 Jan 1997 01:19:26 -0800 (PST)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.8.4/8.7.3) with ESMTP id BAA16314; Sat, 18 Jan 1997 01:19:18 -0800 (PST)
Message-Id: <199701180919.BAA16314@precipice.shockwave.com>
From: FreeBSD Security Officer
To: freebsd-announce@freebsd.org, freebsd-security@freebsd.org
Cc: first-teams@first.org, auscert@auscert.org.au
Subject: FreeBSD Security Advisory: SA-96:21 - talkd
Date: Sat, 18 Jan 1997 01:19:18 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:21                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          unauthorized access via buffer overrun in talkd

Category:       core
Module:         talkd
Announced:      1997-01-18
Affects:        1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1
Corrected:      2.2-current as of 1997-01-18
                2.1-stable as of 1997-01-18
FreeBSD only:   no

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:21/

References:     AUSCERT AA-97.01 (Australian CERT organization),
                SEI CERT VU#5942 (internal tracking reference only)
=============================================================================

I.   Background

Buffer overrun (aka stack overflow) exploits in system supplied and locally
installed utilities are commonly used by individuals wishing to obtain
unauthorized access to computer systems. The FreeBSD team has been reviewing
and fixing the source code pool to eliminate potential exploits based on this
technique.

Recently, the Australian CERT organization received information of a
buffer-overrun vulnerability in the talkd daemon shipped in most modern BSD
based systems.

II.  Problem Description

To quote AUSCERT:

  talk is a communication program which copies text from one user's terminal
  to that of another, possibly remote, user. talkd is the daemon that
  notifies a user that someone else wishes to initiate a conversation.

  As part of the talk connection, talkd does a DNS lookup for the hostname of
  the host where the connection is being initiated from. Due to insufficient
  bounds checking on the buffer where the hostname is stored, it is possible
  to overwrite the internal stack space of talkd.
  By carefully manipulating the hostname information, it is possible to force
  talkd to execute arbitrary commands. As talkd runs with root privileges,
  this may allow intruders to remotely execute arbitrary commands with these
  privileges.

  This attack requires an intruder to be able to make a network connection to
  a vulnerable talkd program and provide corrupt DNS information to that
  host.

  This type of attack is a particular instance of the problem described in
  CERT advisory CA-96.04 "Corrupt Information from Network Servers". This
  advisory is available from:

    ftp://info.cert.org/pub/cert_advisories/

Recent versions of FreeBSD 2.2 -current may not be affected by this
vulnerability due to improved security in new versions of BIND, which
sanity-check the results of reverse name lookups performed by the DNS system.

III. Impact

Intruders may be able to remotely execute arbitrary commands with root
privileges. Access to a valid user account on the local system is not
required.

IV.  Workaround

Disable the ntalkd program found in /etc/inetd.conf by commenting the
appropriate line out and reconfiguring inetd.

  # grep -i ntalk /etc/inetd.conf
  ntalk   dgram   udp     wait    root    /usr/libexec/ntalkd     ntalkd

After editing /etc/inetd.conf, reconfigure inetd by sending it a HUP signal.

  # kill -HUP `cat /var/run/inetd.pid`

V.   Solution

The patches found at the following URL fix this vulnerability. Patches are
available for FreeBSD 2.1.x (-stable) and -current.

Acknowledgment: These patches were based on published work provided by
BSDI, Inc.

After applying these patches, recompile and re-install the affected
utilities.

For FreeBSD -current (2.2 prerelease and 3.0 prerelease) systems:

Index: announce.c =================================================================== RCS file: /cvs/freebsd/src/libexec/talkd/announce.c,v retrieving revision 1.6 diff -u -r1.6 announce.c --- announce.c 1997/01/14 06:20:58 1.6 +++ announce.c 1997/01/18 08:27:04
@@ -34,7 +34,7 @@ */ #ifndef lint -static char sccsid[] = "@(#)announce.c 8.2 (Berkeley) 1/7/94"; +static char sccsid[] = "@(#)announce.c 8.3 (Berkeley) 4/28/95"; #endif /* not lint */ #include @@ -43,13 +43,17 @@ #include #include #include + #include + #include -#include -#include +#include #include +#include #include -#include +#include +#include +#include extern char hostname[]; @@ -78,7 +82,7 @@ #define max(a,b) ( (a) > (b) ? (a) : (b) ) #define N_LINES 5 -#define N_CHARS 120 +#define N_CHARS 256 /* * Build a block of characters containing the message. 
@@ -100,33 +104,37 @@ char line_buf[N_LINES][N_CHARS]; int sizes[N_LINES]; char big_buf[N_LINES*N_CHARS]; - char *bptr, *lptr, *ttymsg(); + char *bptr, *lptr, *vis_user; int i, j, max_size; i = 0; max_size = 0; gettimeofday(&clock, &zone); localclock = localtime( &clock.tv_sec ); - (void)sprintf(line_buf[i], " "); + (void)snprintf(line_buf[i], N_CHARS, " "); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], "Message from Talk_Daemon@%s at %d:%02d ...", - hostname, localclock->tm_hour , localclock->tm_min ); + (void)snprintf(line_buf[i], N_CHARS, + "Message from Talk_Daemon@%s at %d:%02d ...", + hostname, localclock->tm_hour , localclock->tm_min ); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], "talk: connection requested by %s@%s", - request->l_name, remote_machine); + + vis_user = malloc(strlen(request->l_name) * 4 + 1); + strvis(vis_user, request->l_name, VIS_CSTYLE); + (void)snprintf(line_buf[i], N_CHARS, + "talk: connection requested by %s@%s", vis_user, remote_machine); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], "talk: respond with: talk %s@%s", - request->l_name, remote_machine); + (void)snprintf(line_buf[i], N_CHARS, "talk: respond with: talk %s@%s", + vis_user, remote_machine); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], " "); + (void)snprintf(line_buf[i], N_CHARS, " "); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; Index: talkd.c =================================================================== RCS file: /cvs/freebsd/src/libexec/talkd/talkd.c,v retrieving revision 1.5 diff -u -r1.5 talkd.c --- talkd.c 1997/01/14 06:21:01 1.5 +++ talkd.c 1997/01/18 08:26:44 
@@ -71,7 +71,7 @@ void timeout(); long lastmsgtime; -char hostname[MAXHOSTNAMELEN]; +char hostname[MAXHOSTNAMELEN + 1]; #define TIMEOUT 30 #define MAXIDLE 120 For FreeBSD 2.1 based systems: --- announce.c 1995/05/30 05:46:38 1.3 +++ announce.c 1997/01/18 08:33:55 1.3.4.1 @@ -32,7 +32,7 @@ */ #ifndef lint -static char sccsid[] = "@(#)announce.c 8.2 (Berkeley) 1/7/94"; +static char sccsid[] = "@(#)announce.c 8.3 (Berkeley) 4/28/95"; #endif /* not lint */ #include @@ -41,15 +41,18 @@ #include #include #include + #include -#include + #include -#include -#include +#include #include +#include #include -#include - +#include +#include +#include + extern char hostname[]; /* @@ -77,7 +80,7 @@ #define max(a,b) ( (a) > (b) ? (a) : (b) ) #define N_LINES 5 -#define N_CHARS 120 +#define N_CHARS 256 /* * Build a block of characters containing the message. 
@@ -99,33 +102,37 @@ char line_buf[N_LINES][N_CHARS]; int sizes[N_LINES]; char big_buf[N_LINES*N_CHARS]; - char *bptr, *lptr, *ttymsg(); + char *bptr, *lptr, *vis_user; int i, j, max_size; i = 0; max_size = 0; gettimeofday(&clock, &zone); localclock = localtime( &clock.tv_sec ); - (void)sprintf(line_buf[i], " "); + (void)snprintf(line_buf[i], N_CHARS, " "); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], "Message from Talk_Daemon@%s at %d:%02d ...", - hostname, localclock->tm_hour , localclock->tm_min ); + (void)snprintf(line_buf[i], N_CHARS, + "Message from Talk_Daemon@%s at %d:%02d ...", + hostname, localclock->tm_hour , localclock->tm_min ); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], "talk: connection requested by %s@%s", - request->l_name, remote_machine); + + vis_user = malloc(strlen(request->l_name) * 4 + 1); + strvis(vis_user, request->l_name, VIS_CSTYLE); + (void)snprintf(line_buf[i], N_CHARS, + "talk: connection requested by %s@%s", vis_user, remote_machine); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], "talk: respond with: talk %s@%s", - request->l_name, remote_machine); + (void)snprintf(line_buf[i], N_CHARS, "talk: respond with: talk %s@%s", + vis_user, remote_machine); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; - (void)sprintf(line_buf[i], " "); + (void)snprintf(line_buf[i], N_CHARS, " "); sizes[i] = strlen(line_buf[i]); max_size = max(max_size, sizes[i]); i++; Index: talkd.c =================================================================== RCS file: /home/ncvs/src/libexec/talkd/talkd.c,v retrieving revision 1.3 retrieving revision 1.3.4.1 diff -u -r1.3 -r1.3.4.1 --- talkd.c 1995/05/30 05:46:44 1.3 +++ talkd.c 1997/01/18 08:33:56 1.3.4.1 
@@ -69,7 +69,7 @@ void timeout(); long lastmsgtime; -char hostname[MAXHOSTNAMELEN]; +char hostname[MAXHOSTNAMELEN + 1]; #define TIMEOUT 30 #define MAXIDLE 120 ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBMuCVAVUuHi5z0oilAQGx7gQAiiptKNx7xoeHec1jmBFLsoGBrxO9H3TC 0FHl4n3p/MQEO3OEfChepC5coTAe00SjOEpnAZIinHbtVzNaodPs0hyMbQ7UnpPq wIRlxsPhxVuS+rbrY62pvn1Iagr4SaMAaseGK18f+Tq2Lbwc6//1bTOBn+Ms980F VaXsIaKYinQ= =yj1H -----END PGP SIGNATURE----- From owner-freebsd-security Sat Jan 18 17:39:54 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id RAA11482 for security-outgoing; Sat, 18 Jan 1997 17:39:54 -0800 (PST) Received: from maslow.cia-g.com (root@maslow.cia-g.com [206.206.162.5]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id RAA11476 for ; Sat, 18 Jan 1997 17:39:51 -0800 (PST) Received: from maslow.cia-g.com (lithium@maslow.cia-g.com [206.206.162.5]) by maslow.cia-g.com (8.8.4/8.7.3) with SMTP id SAA21325; Sat, 18 Jan 1997 18:39:40 -0700 (MST) Date: Sat, 18 Jan 1997 18:39:40 -0700 (MST) 
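Review bot: in the announce.c hunk that introduces vis_user (the same hunk appears in the -current and the 2.1 copies of the patch), the malloc() result is neither checked nor freed: `vis_user = malloc(strlen(request->l_name) * 4 + 1);` is followed directly by `strvis(vis_user, request->l_name, VIS_CSTYLE);`, so a failed allocation writes through a null pointer, and every announcement leaks its buffer for the life of the daemon. A null check with a logged failure, and a free(vis_user) after the second snprintf() that uses it, would close both. Two further points on the same hunk: strlen(request->l_name) assumes l_name arrived NUL-terminated, which nothing in the visible lines establishes, and only the user name is run through strvis(); remote_machine, the hostname the advisory says comes from a reverse DNS lookup, still goes to the target user's terminal unescaped. snprintf() now stops the overrun, but control characters in a hostile PTR answer still reach the tty.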
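Review bot: the talkd.c hunk (identical in both copies) only grows the declaration to `char hostname[MAXHOSTNAMELEN + 1];`; whether that extra byte is ever the terminating NUL depends on the call that fills the array, which is outside the hunk. The change is worth pairing with a check that whatever writes hostname is passed a size no larger than MAXHOSTNAMELEN and that hostname[MAXHOSTNAMELEN] is set to '\0' afterwards, since announce.c reads the array back through `%s` in snprintf(); a declaration change alone does not bound a write or guarantee termination.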
From: Stephen Fisher
To: "Sean J. Schluntz"
cc: freebsd-security@FreeBSD.ORG, Ollivier Robert
Subject: Re: sendmail running non-root SUCCESS!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I would like to use a mailer which I feel is better designed and programmed
(security wise) but.... Since everyone uses Sendmail and everyone is hacking
away at it I feel I'm pretty safe. Security problems are fixed quickly and
without problems. And it's assumed you're using sendmail: when people work
on "anti-spam" things they have sendmail rulesets to do it.

Write a new mailer that has the power and functionality of Sendmail without
the problems and uses sendmail.cf's format and I'll use it.

On Wed, 15 Jan 1997, Sean J. Schluntz wrote:

> > Anyone can use any mailer they want, the real discussion has never been to
> > choose between one or the other but what should be standard (i.e. in
> > /usr/src).
>
> Just to stick my nose in on this one for a moment. I would in the past, now,
> and will continue to vote for sendmail. Just because another projgram is
> newer does not mean that it is any easer to crack, it just means that the
> holes have not been discovered yet. sendmail is not my favorit to work on,
> but I will never trade it for anything else.
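The talkd overrun described in advisory SA-96:21 above, as an added example that is not code from the advisory or from FreeBSD's talkd: it rebuilds the "connection requested" line that announce() forms from a user name and a DNS-supplied hostname, computes what the old unbounded sprintf() into a 120-byte line would have written (nothing is actually overrun), and shows the bounded snprintf() form. vis_cstyle() is this example's own small stand-in for BSD strvis(3) with VIS_CSTYLE so the file builds without <vis.h>; unlike the patch it is applied to the hostname as well as the user name, since the hostname is the field the advisory says an attacker controls. The buffer sizes 120 and 256 are the N_CHARS values from the patch; everything else is constructed for the example.

```c
/* Added example, not code from the advisory or from FreeBSD's talkd.  It
 * rebuilds the "connection requested" line that talkd's announce() forms
 * from a user name and a DNS-supplied hostname: would_overflow() computes
 * what the old unbounded sprintf() would have written (nothing is actually
 * overrun); build_request_line() is the bounded snprintf() form.
 * vis_cstyle() is this example's small stand-in for BSD strvis(3) with
 * VIS_CSTYLE so it builds without <vis.h>; unlike the patch it is applied
 * to the hostname as well, since that is the attacker-controlled field. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_CHARS_OLD 120   /* line buffer size in the vulnerable announce.c */
#define N_CHARS_NEW 256   /* size after the patch */

static const char PREFIX[] = "talk: connection requested by ";

/* Bytes the old sprintf() writes for a user name of user_len and a hostname
 * of host_len bytes, NUL included.  Non-zero: it runs past a bufsize buffer. */
int would_overflow(size_t user_len, size_t host_len, size_t bufsize)
{
    size_t need = strlen(PREFIX) + user_len + 1 /* '@' */ + host_len + 1;
    return need > bufsize;
}

/* C-style escaping of backslash and non-printable bytes, roughly what
 * strvis(dst, src, VIS_CSTYLE) produces.  dst must hold 4*strlen(src)+1
 * bytes, the bound the talkd patch allocates. */
void vis_cstyle(char *dst, const char *src)
{
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '\\')       { *dst++ = '\\'; *dst++ = '\\'; }
        else if (c == '\n')  { *dst++ = '\\'; *dst++ = 'n'; }
        else if (c == '\r')  { *dst++ = '\\'; *dst++ = 'r'; }
        else if (c == '\t')  { *dst++ = '\\'; *dst++ = 't'; }
        else if (isprint(c)) { *dst++ = (char)c; }
        else { snprintf(dst, 5, "\\%03o", c); dst += 4; }  /* \ooo */
    }
    *dst = '\0';
}

/* Bounded form: optionally escape both untrusted strings, then let
 * snprintf() truncate at bufsize-1 and NUL-terminate.  Returns the stored
 * length (announce() recomputes it with strlen), 0 on allocation failure. */
size_t build_request_line(char *line, size_t bufsize, const char *user,
                          const char *host, int escape)
{
    char *vis_user = malloc(strlen(user) * 4 + 1);
    char *vis_host = malloc(strlen(host) * 4 + 1);
    if (vis_user == NULL || vis_host == NULL || bufsize == 0) {
        free(vis_user); free(vis_host);
        if (bufsize > 0) line[0] = '\0';
        return 0;
    }
    if (escape) { vis_cstyle(vis_user, user); vis_cstyle(vis_host, host); }
    else        { strcpy(vis_user, user);     strcpy(vis_host, host); }
    snprintf(line, bufsize, "%s%s@%s", PREFIX, vis_user, vis_host);
    free(vis_user);
    free(vis_host);
    return strlen(line);
}

/* 1 if the line that would be written to the target user's tty still
 * carries raw control bytes (e.g. a terminal escape sequence), else 0. */
int line_has_control_bytes(const char *user, const char *host, int escape)
{
    char line[N_CHARS_NEW];
    const char *p;
    build_request_line(line, sizeof line, user, host, escape);
    for (p = line; *p != '\0'; p++)
        if (iscntrl((unsigned char)*p))
            return 1;
    return 0;
}

/* Length stored for a hostname of n 'a's (a stand-in for a long hostile PTR
 * answer) in a bufsize buffer, bufsize <= N_CHARS_NEW. */
size_t stored_len_for_host(size_t n, size_t bufsize)
{
    char line[N_CHARS_NEW];
    char *host = malloc(n + 1);
    size_t len;
    if (host == NULL || bufsize > sizeof line) { free(host); return 0; }
    memset(host, 'a', n);
    host[n] = '\0';
    len = build_request_line(line, bufsize, "bob", host, 1);
    free(host);
    return len;
}

int main(void)
{
    char line[N_CHARS_NEW];
    printf("old sprintf, 200-byte hostname, %d-byte buffer: overflow=%d\n",
           N_CHARS_OLD, would_overflow(3, 200, N_CHARS_OLD));
    printf("bounded build, 300-byte hostname: stored %zu of %d bytes\n",
           stored_len_for_host(300, N_CHARS_NEW), N_CHARS_NEW);
    build_request_line(line, sizeof line, "bob\033[2J", "example.org", 1);
    printf("escaped: %s\n", line);
    return 0;
}
```

Two things the example makes visible that the patch text alone does not: a hostname of MAXHOSTNAMELEN bytes plus the fixed prefix still exceeds even the enlarged 256-byte line, so snprintf() truncation (not the bigger buffer) is what actually prevents the overrun; and bounding the copy says nothing about what the bytes are, which is why the escaping step matters for anything written to a terminal.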