From owner-freebsd-security Mon Mar 17 01:49:18 1997
From: Normunds Zelianka
To: "'security@freebsd.org'"
Date: Mon, 17 Mar 1997 11:48:19 +0200

lists

From owner-freebsd-security Mon Mar 17 10:27:03 1997
From: "Aaron D. Gifford"
To: security@freebsd.org
Date: Mon, 17 Mar 1997 11:26:57 -0700
Subject: Fwd: Security bug (buffer overflow) in lib/libterm/tgoto.c
Message-Id: <3.0.1.32.19970317112657.0110be20@infowest.com>

Does this affect FreeBSD 2.1.7?

Thanks,
Aaron

>Approved-By: aleph1@UNDERGROUND.ORG
>Date: Sun, 16 Mar 1997 14:56:23 -0600
>Reply-To: Aleph One
>Sender: Bugtraq List
>From: Aleph One
>Subject: bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c
>To: BUGTRAQ@netspace.org
>
>From: kivinen@ssh.fi
>Newsgroups: muc.lists.freebsd.bugs
>Subject: bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c
>Date: 14 Mar 1997 04:08:32 +0100
>Organization: Mail2News Gateway at Camelot Online Services
>Message-ID: <199703140243.EAA27893@taulu.ssh.fi>
>Reply-To: kivinen@ssh.fi
>
>>Number:         2983
>>Category:       bin
>>Synopsis:       Security bug (buffer overflow) in lib/libterm/tgoto.c
>>Confidential:   no
>>Severity:       serious
>>Priority:       high
>>Responsible:    freebsd-bugs
>>State:          open
>>Class:          sw-bug
>>Submitter-Id:   current-users
>>Arrival-Date:   Thu Mar 13 18:50:01 PST 1997
>>Last-Modified:
>>Originator:     Tero Kivinen
>>Organization:
>SSH Communications Security
>>Release:        NetBSD 1.2, FreeBSD 2.1-STABLE
>>Environment:
>
>System: NetBSD taulu.ssh.fi 1.2 NetBSD 1.2 (TAULU) #50: Mon Feb 24 21:40:52 EET 1997
>        kivinen@taulu.ssh.fi:/usr/src/sys/arch/i386/compile/TAULU i386
>System: FreeBSD pilari.ssh.fi 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #1: Thu Oct 31 23:58:19 EET 1996
>        root@lamppu.ssh.fi:/usr/src/sys/compile/SSHGEN i386
>
>>Description:
>
>The termcap library's tgoto function has a buffer overflow bug that can
>be used to overwrite data in the BSS segment.
>
>The tgoto function has a static char result[MAXRETURNSIZE] (64
>characters) buffer that is used to return the cursor addressing string
>from tgoto. If the cm capability has more than 64 characters in it,
>the tgoto function will overwrite something in the bss segment after
>the result variable. There are no checks on the length of the cm
>string, nor checks whether the resulting string is longer than
>MAXRETURNSIZE characters.
>
>For example, the suid root system utility "systat" is vulnerable to this
>bug. No known exploits of this exist yet, but someone might find
>such. Also lots of systems have other suid root/kmem etc. programs
>installed that are vulnerable to this bug. For example top and monitor
>are such programs.
>
>The easiest way to demonstrate this is to change the TERMCAP environment
>variable, add about 80 characters to the cm capability, and then
>start anything that uses curses or termcap directly (initscr in the curses
>library will call setterm, which will call tgoto to test if we can move
>the cursor around...).
>
>The fix in netbsd-current that changes the strcpy at the end of the
>tgoto function to strncpy isn't sufficient, because the dp pointer
>might already be way past the end of the result buffer, so
>"sizeof(result) - (dp - result) - 1" results in a negative value.
>
>Notice that the fix in netbsd-current also may return a non-null-terminated
>string, thus causing unexpected behavior later.
>
>>How-To-Repeat:
>
>~> TERMCAP='xterm|vs100|xterm terminal emulator (X11R6 Window System):
>        :am:km:mi:ms:xn:xo:
>        :co#80:it#8:li#25:
>        :AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:
>        :LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:ae=^O:al=\E[L:as=^N:
>        :bl=^G:cd=\E[J:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dHsakdjaskjdaslkjdlaksjdlkjdslkjdakljdakljdlalkjasdlkjasdlkjasdlkaslkdaslkjdlksjadkljasdjklasdjklasdlkjaskld:
>        :cr=^M:cs=\E[%i%d;%dr:ct=\E[3k:dc=\E[P:dl=\E[M:do=^J:
>        :ei=\E[4l:ho=\E[H:ic=\E[@:im=\E[4h:
>        :is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;3;4;6l\E[4l:
>        :k1=\E[11~:k2=\E[12~:k3=\E[13~:k4=\E[14~:k5=\E[15~:
>        :k6=\E[17~:k7=\E[18~:k8=\E[19~:k9=\E[20~:kI=\E[2~:
>        :kN=\E[6~:kP=\E[5~:kb=^H:kd=\EOB:ke=\E[?1l\E>:
>        :kh=\E[@:kl=\EOD:kr=\EOC:ks=\E[?1h\E=:ku=\EOA:le=^H:
>        :md=\E[1m:me=\E[m:mr=\E[7m:nd=\E[C:rc=\E8:sc=\E7:
>        :se=\E[m:sf=^J:so=\E[7m:sr=\EM:ta=^I:
>        :ue=\E[m:up=\E[A:
>        :us=\E[4m:'
>~> export TERMCAP
>~> systat
>zsh: 27863 bus error  systat
>~>
>
>>Fix:
>
>Add a check that the result buffer isn't overflown.
>--
>kivinen@iki.fi                                Work : +358-9-4354 3205
>Magnus Enckellin kuja 9 K 19, 02610, Espoo    Home : +358-9-502 1573
>>Audit-Trail:
>>Unformatted:

From owner-freebsd-security Mon Mar 17 14:21:02 1997
From: Warner Losh
To: "Aaron D. Gifford"
Cc: security@freebsd.org
Date: Mon, 17 Mar 1997 15:20:50 -0700
Subject: Re: Fwd: Security bug (buffer overflow) in lib/libterm/tgoto.c
Message-Id: <199703172220.PAA08609@rover.village.org>
In-reply-to: Your message of "Mon, 17 Mar 1997 11:26:57 MST." <3.0.1.32.19970317112657.0110be20@infowest.com>

In message <3.0.1.32.19970317112657.0110be20@infowest.com> "Aaron D. Gifford" writes:
: Does this affect FreeBSD 2.1.7?

Yes.  A fix has already been checked into the RELENG_2_1_0 branch.

Warner

From owner-freebsd-security Mon Mar 17 20:08:57 1997
From: Bradley Dunn
To: freebsd-security@freebsd.org
Date: Mon, 17 Mar 1997 23:08:50 -0500 (EST)
Subject: libtermcap fix?

I use CVSup to get the latest and greatest on the RELENG_2_2 branch. I
hadn't seen the fix to src/lib/libtermcap/tgoto.c come through yet, so I
went to
http://freebsd.org/cgi/cvsweb.cgi/src/lib/libtermcap/tgoto.c?r1=1.4&r2=1.4.2.1
to grab the patch and apply it myself. After applying the patch I ran
CVSup again and this came through:

Updating collection src-all/cvs
 Edit src/lib/libtermcap/tgoto.c
  Add delta 1.4.2.1 97.03.17.09.34.23 eivind

?!?!

What that did was back out the patch! I don't have a clue about how CVS
works, but maybe there is a problem because this is the first revision to
branch from the HEAD?

Has anyone seen the new tgoto.c come through CVSup yet?

Bradley Dunn

From owner-freebsd-security Tue Mar 18 08:13:48 1997
From: Bradley Dunn
To: Eivind Eklund
Cc: jpd@freebsd.org, freebsd-security@freebsd.org
Date: Tue, 18 Mar 1997 11:13:37 -0500 (EST)
Subject: Re: libtermcap fix?
In-Reply-To: <3.0.32.19970318163505.00cb37a0@dimaga.com>

I figured out the problem. What happened is I missed the update coming
through CVSup, and the patch at
http://freebsd.org/cgi/cvsweb.cgi/src/lib/libtermcap/tgoto.c?r1=1.4&r2=1.4.2.1
is wrong. It is from a

    diff -u -r1.4.2.1 -r1.4

when it should be from a

    diff -u -r1.4 -r1.4.2.1

So apparently this is a bug in the CVS web interface.

pbd

On Tue, 18 Mar 1997, Eivind Eklund wrote:

> That sounds like a bug in CVSup.
> John?
>
> I just ran CVSup against cvsup.no.freebsd.org with the original
> (non-patched) sources in place (I wrote the patch in another directory) - it
> picked up the changes just fine.
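To make concrete what the forwarded PR above describes (a fixed 64-byte result buffer, a cm capability longer than that, and why a strncpy at the end of tgoto cannot rescue it once dp has already run past the buffer), here is an added example that is not libterm's code and was not posted in this thread: a minimal cm expander that checks every byte it writes and stays NUL-terminated, exercised against a guarded buffer so the boundary can be verified. The 64-byte MAXRETURNSIZE and the %d/%i handling are assumptions modelled on the PR; expand_cm and try_cm are made-up names.

```c
/* Added example (not libterm source): a minimal cursor-addressing expander
 * modelled on the tgoto() behaviour described in PR bin/2983.  Assumed: the
 * 64-byte MAXRETURNSIZE the PR states; only the %d and %i escapes used by the
 * PR's xterm cm entry; expand_cm()/try_cm() are made-up names. */
#include <stdio.h>
#include <string.h>

#define MAXRETURNSIZE 64   /* size of libterm's static result[] per the PR */

/* Append one byte, never consuming the slot reserved for the NUL.  Checking
 * each byte as it is produced is the per-buffer check the PR's Fix asks for;
 * a strncpy at the very end cannot do it once dp is already past the buffer. */
static int emit(char *out, size_t outsz, size_t *len, char c)
{
    if (*len + 1 >= outsz)
        return -1;
    out[(*len)++] = c;
    return 0;
}

/* Expand cm for (row, col) into out[outsz].  Returns 0 on success, -1 if the
 * result does not fit or an escape is unsupported.  out[] is NUL-terminated on
 * every path, which the strncpy fix criticised in the PR did not guarantee. */
int expand_cm(const char *cm, int row, int col, char *out, size_t outsz)
{
    int args[2] = { row, col };   /* termcap cm takes the row first */
    int argi = 0, n, i;
    size_t len = 0;
    char num[12];

    if (outsz == 0) return -1;
    for (; *cm != '\0'; cm++) {
        if (*cm != '%') {
            if (emit(out, outsz, &len, *cm) < 0)
                goto fail;
            continue;
        }
        switch (*++cm) {
        case 'd':                 /* next argument as decimal */
            if (argi > 1)
                goto fail;
            n = snprintf(num, sizeof num, "%d", args[argi++]);
            for (i = 0; i < n; i++)
                if (emit(out, outsz, &len, num[i]) < 0)
                    goto fail;
            break;
        case 'i':                 /* terminal counts from 1: bump both args */
            args[0]++; args[1]++;
            break;
        default:                  /* NUL or an escape this model does not know */
            goto fail;
        }
    }
    out[len] = '\0';
    return 0;
fail:
    out[len] = '\0';              /* safe: emit() keeps len <= outsz - 2 */
    return -1;
}

/* Run expand_cm() into a MAXRETURNSIZE buffer followed by guard bytes (the
 * PR's overflow landed in the BSS right after result[]).  Returns 1 when the
 * guard is intact, result[] is terminated, and the outcome is as expected:
 * a match against `expect`, or rejection when expect is NULL. */
static int try_cm(const char *cm, int row, int col, const char *expect)
{
    struct { char result[MAXRETURNSIZE]; char guard[8]; } g;
    size_t i;
    int rc;

    memset(g.result, 0, sizeof g.result);
    memset(g.guard, 0x5a, sizeof g.guard);
    rc = expand_cm(cm, row, col, g.result, sizeof g.result);
    for (i = 0; i < sizeof g.guard; i++)
        if (g.guard[i] != 0x5a)
            return 0;                          /* wrote past the buffer */
    if (memchr(g.result, '\0', sizeof g.result) == NULL)
        return 0;                              /* not NUL-terminated */
    if (expect == NULL)
        return rc == -1;
    return rc == 0 && strcmp(g.result, expect) == 0;
}

/* The PR's xterm entry, cm=\E[%i%d;%dH: home becomes ESC [ 1 ; 1 H. */
int demo_normal(void)
{
    return try_cm("\033[%i%d;%dH", 0, 0, "\033[1;1H")
        && try_cm("\033[%i%d;%dH", 24, 79, "\033[25;80H");
}

/* The same entry padded with the junk from the PR's TERMCAP repro: it must be
 * rejected with the guard bytes untouched, instead of faulting as systat did. */
int demo_padded(void)
{
    static const char padded[] = "\033[%i%d;%dH"
        "sakdjaskjdaslkjdlaksjdlkjdslkjdakljdakljdlalkjasdlkjasdlkjasdlk"
        "aslkdaslkjdlksjadkljasdjklasdjklasdlkjaskld";
    return try_cm(padded, 0, 0, NULL);
}
```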
From owner-freebsd-security Tue Mar 18 08:26:19 1997
From: Eivind Eklund
To: Bradley Dunn
Cc: jpd@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Date: Tue, 18 Mar 1997 16:35:06 +0100
Subject: Re: libtermcap fix?
Message-Id: <3.0.32.19970318163505.00cb37a0@dimaga.com>

At 11:08 PM 3/17/97 -0500, Bradley Dunn wrote:
>I use CVSup to get the latest and greatest on the RELENG_2_2 branch. I
>hadn't seen the fix to src/lib/libtermcap/tgoto.c come through yet, so I
>went to
>http://freebsd.org/cgi/cvsweb.cgi/src/lib/libtermcap/tgoto.c?r1=1.4&r2=1.4.2.1
>to grab the patch and apply it myself. After applying the patch I ran
>CVSup again and this came through:
>Updating collection src-all/cvs
> Edit src/lib/libtermcap/tgoto.c
>  Add delta 1.4.2.1 97.03.17.09.34.23 eivind
>
>?!?!
>
>What that did was back out the patch!

That sounds like a bug in CVSup.
John?

I just ran CVSup against cvsup.no.freebsd.org with the original
(non-patched) sources in place (I wrote the patch in another directory) - it
picked up the changes just fine.

Eivind Eklund
perhaps@yes.no    http://maybe.yes.no/perhaps/    eivind@freebsd.org

From owner-freebsd-security Tue Mar 18 08:38:37 1997
From: Josef Karthauser
To: freebsd-security@FreeBSD.ORG
Date: Tue, 18 Mar 1997 13:21:54 +0000
Subject: subscribe
Message-ID: <19970318132154.58761@pavilion.net>

--
Josef Karthauser                    Technical Manager
Email: joe@pavilion.net             Pavilion Internet plc.
[Tel: +44 1273 607072  Fax: +44 1273 607073]

From owner-freebsd-security Tue Mar 18 10:00:55 1997
From: Eric Feillant
Reply-To: Eric.Feillant@EUnet.fr
Organization: EUnet BRETAGNE groupe EUnet
To: freebsd-security@freebsd.org
Date: Tue, 18 Mar 1997 19:13:33 +0100
Subject: does ipfw knows NAT ???
Message-Id: <332EDB4D.DC1@EUnet.fr>

hi,

Does anybody know if ipfw can do NAT (Network Address Translation)?

Or is there another (shareware) firewall for that?

Thanx,
Eric.

--
Eric Feillant
EUnet BRETAGNE
140, bd de Creach Gwen
29000 QUIMPER, France
Tel: (+33) 298101620   Fax: (+33) 298828788
Eric.Feillant@EUnet.fr   http://www.EUnet.fr

From owner-freebsd-security Wed Mar 19 12:46:37 1997
From: Cy Schubert
Reply-to: cys@wlc.com
To: Eric.Feillant@EUnet.fr
Cc: freebsd-security@freebsd.org
Date: Wed, 19 Mar 1997 07:44:14 -0800
Subject: Re: does ipfw knows NAT ???
Message-Id: <199703191544.HAA01215@cwsys.cwent.com>
In-reply-to: Your message of "Tue, 18 Mar 1997 19:13:33 +0100." <332EDB4D.DC1@EUnet.fr>

> hi,
>
> Does anybody know if ipfw can do NAT (Network Address Translation)?
>
> Or is there another (shareware) firewall for that?
>
> Thanx,

Try IP-Filter.  It works with *BSD, Solaris, and SunOS.

Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
UNIX Support                    OV/VM:    BCSC02(CSCHUBER)
ITSD                            BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC                Internet: cschuber@uumail.gov.bc.ca
                                          cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
From owner-freebsd-security Wed Mar 19 14:22:14 1997
From: Steve Ames
To: freebsd-security@freebsd.org
Date: Wed, 19 Mar 1997 17:23:21 -0500 (EST)
Subject: rdist exploitation
Message-Id: <199703192223.RAA13287@vic.cioe.com>

Someone I know just sent me a snippet of C code to exploit rdist under
FreeBSD... he used it to obtain the master.passwd file.

Is this a known security hole and what's the plug?

-Steve

From owner-freebsd-security Wed Mar 19 16:27:40 1997
From: Bill Fenner
To: Bradley Dunn
Cc: Eivind Eklund, jpd@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 19 Mar 1997 16:25:51 PST
Subject: Re: libtermcap fix?
Message-Id: <97Mar19.162606pst.177490@crevenia.parc.xerox.com>
In-reply-to: Your message of "Tue, 18 Mar 1997 08:13:37 PST."

Unfortunately, yes, cvsweb sometimes goofs on diffs between a branch and
the head.  I can't say that I understand why, but it's on my list to fix.

  Bill

From owner-freebsd-security Thu Mar 20 06:10:10 1997
From: Chris Stenton
To: stable@freebsd.org
Cc: security@freebsd.org
Date: Thu, 20 Mar 1997 14:09:59 GMT
Subject: ipfw with kerberos problem

I have just activated ipfw within 2.1.7.1 with an

    add 65000 allow all from any to any

rule. However, it will not allow me to log on from the console or via
telnet. Thankfully xdm would allow me in. If I kill kerberos then I can
log on via telnet once initkt times out.

Any ideas what is wrong?

Thanks

Chris

From owner-freebsd-security Thu Mar 20 10:26:41 1997
From: Security Administrator
To: steve@vic.cioe.com (Steve Ames)
Cc: freebsd-security@freebsd.org (FreeBSD Security)
Date: Thu, 20 Mar 1997 13:26:25 -0500 (EST)
Subject: Re: rdist exploitation
Message-Id: <199703201826.NAA06646@roundtable.cif.rochester.edu>
In-Reply-To: <199703192223.RAA13287@vic.cioe.com> from "Steve Ames" at Mar 19, 97 05:23:21 pm

> Someone I know just sent me a snippet of C code to exploit rdist under
> FreeBSD... he used it to obtain the master.passwd file.
>
> Is this a known security hole and what's the plug?
>
> -Steve

As far as I know, rdist is still broken.  Your best bet is to
remove the world executable permissions on the program and only allow
root/bin to run it.  That may cause a problem if you are trying to run
the program from afar in an attempt to install something on your local
machine.

JP
--
System Security Administrator
Computer Interest Floor
University of Rochester
Rochester, NY 14627
sadmin@roundtable.cif.rochester.edu

From owner-freebsd-security Thu Mar 20 14:31:41 1997
From: Ollivier Robert
To: FreeBSD Security
Date: Thu, 20 Mar 1997 22:02:01 +0100
Subject: Re: rdist exploitation
Message-ID: <19970320220201.29725@keltia.freenix.fr>
References: <199703192223.RAA13287@vic.cioe.com> <199703201826.NAA06646@roundtable.cif.rochester.edu>

According to Security Administrator:
> As far as I know, rdist is still broken.  Your best bet is to
> remove the world executable permissions on the program and only allow
> root/bin to run it.

It has been plugged in 2.2/3.0 a long time ago:

revision 1.3
date: 1996/08/10 07:54:11;  author: peter;  state: Exp;  lines: +8 -4
Remove the need for rdist(1) to run setuid, thus completely closing any
possibility of a security hole.  It now does what rdist-6 does, and
calls /usr/bin/rsh if not running as root.

There are NO protocol changes, this is 100% compatible with the old
rdist, except that it does not need setuid root privs.

However, there are some minor differences to the base rdist-6 code in
that if it is being run by root, it will call rcmd(3) directly rather
than piping everything through rsh(1).  This is a little more efficient
as it doesn't involve context switching on pipe reads/writes.

Also, the -P option was added from rdist-6.1.2, which allows an
alternative rsh program to be specified, such as ssh.  Note that it
requires the fixes to the ssh port to disable the unconditional
USE_PIPES option that was recently added.  The rcmd(3) optimisation is
disabled if a non-rsh program is specified.

--
Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #39: Sun Feb  2 22:12:44 CET 1997

From owner-freebsd-security Fri Mar 21 21:32:33 1997
From: Ricardo Núñez
To: FreeBSD Security
Date: Fri, 21 Mar 1997 21:55:40 -0400
Subject: 'One Direction' Routed
Message-ID: <19970321213136.AAA9659@telcel.telcel.net.ve>

Dear Gentlemen,

I'd just like to know if the following project would be possible with a
FreeBSD computer:

If we could use a FreeBSD PC as a router between an Ethernet LAN and the
Internet, but in one direction. I mean: a LAN host could access the
Internet, but an outside Internet host SHOULDN'T access an inside host,
just that 'router'. An outside host could see the FreeBSD Web Browser and
anything else on the FreeBSD machine only.

Thank you in advance,

Ricardo Nunez

From owner-freebsd-security Fri Mar 21 21:32:37 1997
From: Ricardo Núñez
To: FreeBSD Security, FreeBSD Current Version, FreeBSD
Date: Sat, 22 Mar 1997 00:23:45 -0400
Subject: FreeBSD as a SNMP RMON
Message-ID: <19970321213136.AAC9659@telcel.telcel.net.ve>

Dear Gentlemen,

Could a FreeBSD PC be used as an SNMP RMON agent monitoring computer, so
that a remote SNMP manager could ask it for network statistics?

Thank you in advance,

Ricardo Nunez

From owner-freebsd-security Fri Mar 21 21:52:24 1997
From: "Alejandro Vázquez C."
Organization: SUI - ITESM Campus Guadalajara
To: Ricardo Núñez
Cc: FreeBSD Security
Date: Fri, 21 Mar 1997 23:52:22 -0600
Subject: Re: 'One Direction' Routed
Message-ID: <33337396.1EFE@sui.gda.itesm.mx>
References: <19970321213136.AAA9659@telcel.telcel.net.ve>

Ricardo Núñez wrote:

It is possible. Read about Security & Firewalls in the FreeBSD Handbook.

> If we could use a FreeBSD PC as a router between an Ethernet LAN and the
> Internet, but in one direction. I mean: a LAN host could access the
> Internet, but an outside Internet host SHOULDN'T access an inside host,
> just that 'router'. An outside host could see the FreeBSD Web Browser and
> anything else on the FreeBSD machine only.
>
> Thank you in advance,
>
> Ricardo Nunez

From owner-freebsd-security Sat Mar 22 08:05:14 1997
From: Cy Schubert
Reply-to: cschuber@uumail.gov.bc.ca
To: Ricardo Núñez
Cc: FreeBSD Security
Date: Sat, 22 Mar 1997 07:57:16 -0800
Subject: Re: 'One Direction' Routed
Message-Id: <199703221557.HAA01697@cwsys.cwent.com>
In-reply-to: Your message of "Fri, 21 Mar 1997 21:55:40 -0400." <19970321213136.AAA9659@telcel.telcel.net.ve>

> Dear Gentlemen,
>
> I'd just like to know if the following project would be possible with a
> FreeBSD computer:
>
> If we could use a FreeBSD PC as a router between an Ethernet LAN and the
> Internet, but in one direction. I mean: a LAN host could access the
> Internet, but an outside Internet host SHOULDN'T access an inside host,
> just that 'router'. An outside host could see the FreeBSD Web Browser and
> anything else on the FreeBSD machine only.

This is possible using the kernel packet filter.

Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
UNIX Support                    OV/VM:    BCSC02(CSCHUBER)
ITSD                            BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC                Internet: cschuber@uumail.gov.bc.ca
                                          cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."