From owner-freebsd-security Sun Mar 30 03:26:07 1997
Date: Sun, 30 Mar 1997 03:31:46 -0800 (PST)
From: Dmitry Kohmanyuk
Message-Id: <199703301131.DAA24526@dog.farm.org>
To: ache@nagual.ru (Andrey Chernov)
Cc: freebsd-security@freebsd.org
Subject: Re: ATTENTION: Initial state of random pool
Organization: FARM Computing Association
Reply-To: dk+@ua.net

In article you wrote:
> 4a) We need to remove rndcontrol from rc.i386 (leaving it as a user-land
> utility) and add all interrupts to the kernel config file, i.e.
> something like:
>     option RAND_INTS "5 7 10 11"
> or something more suitable.

I think it's much better to have them specified per-device. Having PCI cards in the system (for network and disk, which are both good sources of entropy) means that I have to maintain the driver-to-IRQ mapping in sync by carefully looking at dmesg output ;-) And it can change even if I swap slots for the cards.

Hmm, how would it work in the presence of PCI IRQ sharing?
From owner-freebsd-security Tue Apr 1 06:22:20 1997
Message-Id: <199704011422.GAA03481@freefall.freebsd.org>
From: Darren Reed
Subject: root logins on secure tty's ?
To: hackers@freebsd.org
Cc: security@freebsd.org
Date: Wed, 2 Apr 1997 00:17:28 +1000 (EST)
Priority: urgent

For some reason, in 2.2.1 source, /bin/login root logins appear to be broken on secure tty's.

Line 271 of login.c (or thereabouts):

        } else if (pwd->pw_passwd[0] == '\0') {
                if (rootlogin && !rootok) {
                        /* pretend password okay */
                        rval = 0;
                        goto ttycheck;
                }
        }

In my ttys, I enable ttyv1 as secure, rootok == 1 and I get prompted for a password. Were the tty insecure, I suspect this would work (I have a null password for root). BTW, I only noticed this because it used to work on 2.1.6 and didn't after the upgrade...

Is this (perhaps) a leftover from the breakin earlier in the year ?
Darren

From owner-freebsd-security Tue Apr 1 07:17:09 1997
Message-Id: <199704011516.HAA06197@freefall.freebsd.org>
From: Darren Reed
Subject: Re: root logins on secure tty's ?
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Wed, 2 Apr 1997 01:11:26 +1000 (EST)
Cc: hackers@freebsd.org, security@freebsd.org
In-Reply-To: <199704011422.GAA03481@freefall.freebsd.org> from "Darren Reed" at Apr 2, 97 00:17:28 am

Ignore this. Someone broke root logins, that's all.

In some mail from Darren Reed, sie said:
>
> for some reason, in 2.2.1 source, /bin/login root logins appear
> to be broken on secure tty's.
>
> line 271 of login.c (or thereabouts):
>         } else if (pwd->pw_passwd[0] == '\0') {
>                 if (rootlogin && !rootok) {
>                         /* pretend password okay */
>                         rval = 0;
>                         goto ttycheck;
>                 }
>         }
>
> in my ttys, I enable ttyv1 as secure, rootok == 1 and I get prompted
> for a password. Were the tty insecure, I suspect this would work (I
> have a null password for root). btw, I only noticed this because it
> used to work on 2.1.6 and didn't after the upgrade...
>
> Is this (perhaps) a leftover from the breakin earlier in the year ?
From owner-freebsd-security Wed Apr 2 05:25:43 1997
From: Darren Reed
Message-Id: <199704021314.XAA13307@plum.cyber.com.au>
Subject: IP Filter 3.2alpha4
To: ipfilter@postbox.anu.edu.au
Date: Wed, 2 Apr 1997 23:14:33 +1000 (EST)

3.2alpha4 is primarily concerned with one thing: port to FreeBSD-2.2

I've successfully compiled this revision for FreeBSD-2.2.1 and loaded the kernel module.

The changes I made have been heavily based on those sent to me by others, although it's not yet in an ideal state: I haven't tested kernel install (nor how to do that). If you're running FreeBSD 2.2 and have the time, please try this out.

*** Make sure you read "INST.FreeBSD-2.2" if you are going to try it! ***

Can others using IP Filter on FreeBSD-2.1.*/NetBSD please check that this still compiles ok ?

This hasn't been ported to use DEVFS, although there is some code at the bottom of mln_ipl.c which I believe to be related to that :)

You can grab this alpha from (and patches from 3.2alpha3):

ftp://coombs.anu.edu.au/pub/net/firewall/ip-filter/ip_fil3.2a4.tar.gz
ftp://coombs.anu.edu.au/pub/net/firewall/ip-filter/patch-3.2a4.gz

Cheers,
Darren

3.2alpha4 2/4/97 - Released
        Some compiler warnings cleaned up.
        FreeBSD-2.2 patches for LKM completed.

3.2alpha3 31/3/97 - Released

From owner-freebsd-security Wed Apr 2 19:20:43 1997
Message-ID: <33434C57.7DB6@DATABLAST.com>
Date: Wed, 02 Apr 1997 22:22:42 -0800
From: "Disaster Recovery Yellow Pages(tm)"
Reply-To: DRYP@DATABLAST.com
Organization: The Systems Audit Group, Inc., Newton, Mass.
To: FREEBSD-SECURITY@FREEBSD.ORG
Subject: 1997 DISASTER RECOVERY SOURCEBOOK

FOR IMMEDIATE RELEASE - 1997 DISASTER RECOVERY RESOURCE GUIDE
April 4, 1997
Contact: Steven Lewis
DRYP@DATABLAST.com
TEL: 617 - 332-3496
FAX: 617 - 332-4358

SIXTH EDITION OF THE DISASTER RECOVERY YELLOW PAGES(tm) BEGINS SHIPMENTS - - - UPDATED FOR 1997 (coincides with yet another disastrous season)

Newton, MA -- The 6th edition of the Disaster Recovery Yellow Pages(tm), by The Systems Audit Group, Inc. has begun shipping, just as people are digging out of last Winter's snows, and getting ready to cope with Spring's flooding!

Based on nearly two decades of disaster planning experience, the Disaster Recovery Yellow Pages(tm) is a 320-page, comprehensive sourcebook designed to help users locate scores of crucial but hard-to-find recovery services throughout the United States and Canada. It contains over 3000 vendors and covers hundreds of categories such as drying & dehumidification of paper & microfilm records, smoke odor counteracting services, trauma counselors, emergency rental of POS and other computer equipment, planning software, etc.

The volume is an essential reference for risk managers, computer operations managers, emergency personnel, facility managers, security managers, librarians, record managers, systems executives, and business recovery coordinators, as well as claims adjusters, insurance agents, and any others responsible for putting organizations "back to normal" after a crisis.

This reference contains five comprehensive sections, covering restoration services, mobile buildings, computer and emergency equipment, planning and data recovery software, as well as training publications, videos, associations, etc.

In addition, The Disaster Recovery Yellow Pages(tm) also includes an alphabetical listing of companies for ease in locating a vendor without knowing an address. The Disaster Recovery Yellow Pages(tm) also includes a tutorial on areas which are frequently overlooked - even by experienced users - when preparing their disaster recovery plans, as well as hints on "getting started" and preparing a disaster plan.

The Systems Audit Group, Inc., has worked for years with leaders in the Disaster Recovery field to develop this comprehensive sourcebook, as well as using the experiences gained in working with over 100 organizations and institutions to prepare comprehensive recovery plans for the resumption of their operations following a disaster. These organizations have ranged from Banks and Colleges, to Insurance companies, Manufacturers, Retailers, and other organizations.

The Disaster Recovery Yellow Pages(tm) comes in a three-ring binder, for ease in adding sources which individual users have gathered that are unique to their own circumstances. The price is $98. per copy, plus $3 for shipping and handling. Regular updates are available.

To obtain a free brochure, or to order The Disaster Recovery Yellow Pages(tm), contact The Systems Audit Group, Inc., 25 Ellison Road, Newton, Mass. 02159, Telephone 617-332-3496, FAX: 617-332-4358, E-Mail: DRYP@DATABLAST.com

KEYWORDS: disaster, recovery, planning, facilities, physical plant, computer
REPLY TO: DRYP@DATABLAST.com

From owner-freebsd-security Thu Apr 3 14:11:19 1997
To: freebsd-isp@freebsd.org
cc: freebsd-security@freebsd.org
From: "Gary Palmer"
Subject: Another INND security hole.
Date: Thu, 03 Apr 1997 17:10:49 -0500
Message-ID: <13819.860105449@orion.webspan.net>

Hope I'm not out of line forwarding this before the CERT advisory... It's probably all over bugtraq already tho.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info

------- Forwarded Message

From: owner-inn-announce@vix.com
Message-Id: <199704032026.MAA17781@gw.home.vix.com>
Sender: owner-inn-announce@vix.com
Precedence: bulk

You heard it here first (CERT will be making an announcement shortly). There's another problem in INN. This time all versions. It's actually more of a problem with UCB Mail, and if you don't use UCB Mail as the _PATH_MAILCMD definition in your config.data, then you're not affected, but I suggest doing the fix anyway....
There's a new patch (to the same script as the previous security announcement) in

ftp://ftp.isc.org/isc/inn/patches/security-patch.04

NOTE. If you are running a version older than 1.5.1, then you *must* first apply the appropriate patch mentioned previously here and in the CERT announcement of about 6 weeks ago (i.e. one of security-patch.01, security-patch.02 or security-patch.03)

The web page http://www.isc.org has a section on the new security issue, and part on how to install the patch, if you don't know what to do.

James
- --
James Brister                                    brister@vix.com
Internet Software Consortium                     http://www.isc.org
inn@isc.org

------- End of Forwarded Message

From owner-freebsd-security Fri Apr 4 04:09:37 1997
Date: Fri, 4 Apr 1997 07:08:56 -0500 (EST)
From: James FitzGibbon
To: Gary Palmer
cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Another INND security hole.
In-Reply-To: <13819.860105449@orion.webspan.net>

On Thu, 3 Apr 1997, Gary Palmer wrote:

> Hope I'm not out of line forwarding this before the CERT
> advisory... It's probably all over bugtraq already tho.

Two issues about this patch and its necessity on FreeBSD. Not understanding INN myself, I noted that you're not exposed unless you run 'ucbmail'. Does that include FreeBSD ? There's no such binary on the system. Is ucbmail the SVR4 version of our /usr/bin/mail, and if so, is our one prone to the same faults ?

The other issue is that when you visit www.isc.org and try to get the patch, it doesn't exist.

--
j.

From owner-freebsd-security Fri Apr 4 21:35:09 1997
To: James FitzGibbon
cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
From: "Gary Palmer"
Subject: Re: Another INND security hole.
In-reply-to: Your message of "Fri, 04 Apr 1997 07:08:56 EST."
Date: Sat, 05 Apr 1997 00:34:16 -0500
Message-ID: <10330.860218456@orion.webspan.net>

James FitzGibbon wrote in message ID :

> On Thu, 3 Apr 1997, Gary Palmer wrote:
> > Hope I'm not out of line forwarding this before the CERT
> > advisory... It's probably all over bugtraq already tho.

> Two issues about this patch and its necessity on FreeBSD. Not
> understanding INN myself, I noted that you're not exposed unless you
> run 'ucbmail'. Does that include FreeBSD ? There's no such binary on the
> system. Is ucbmail the SVR4 version of our /usr/bin/mail, and if so, is
> our one prone to the same faults ?

No idea to be honest. However, the patch is recommended for all installations. The other thing is that it does NOT say `ucbmail', rather UCB mail, i.e. the UCB mailer distributed by UCB. (At least the WWW page says that.
I don't have the advisory in front of me right now)

> The other issue is that when you visit www.isc.org and try to get the
> patch, it doesn't exist.

Try again. It seems to have been regenerated. From the WWW page:

    A new security issue has come up that affects anyone using UCB Mail as the mailer defined in the config.data variable _PATH_MAILCMD. A patch has been created that is for all versions of INN and is available here. Note: The patch was originally released as security-patch.04, but has been regenerated as security-patch.05. You should apply this even if you don't use UCB mail. It is a patch to the same file (samples/parsecontrol) as the patches discussed below. If you are running a version of INN older than 1.5.1, then you must apply one of the patches discussed in Security Notice 1 before you can apply this patch.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Sat Apr 5 10:39:01 1997
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199704051838.MAA28007@alecto.physics.uiuc.edu>
Subject: Is it an attempt to use some wu-ftpd exploit ?
To: gpalmer@freebsd.org (Gary Palmer)
Date: Sat, 5 Apr 1997 12:38:40 -0600 (CST)
Cc: james@nexis.net, freebsd-isp@freebsd.org, freebsd-security@freebsd.org
In-Reply-To: <10330.860218456@orion.webspan.net> from "Gary Palmer" at Apr 5, 97 00:34:16 am

Hello!

I am not sure, I might have missed some message about such an exploit, but recently I've noticed in the syslog that people are trying to "scan" ports using ftp. I am running Version wu-2.4.2-academ[BETA-12](2) (I compiled it on Feb 2, 1997)

The message I see in the syslog is of the following type:

    ftpd[3313]: refused PORT 0,3451 from tba-40.tba.com.br

And the port number can be a different number, I believe in the range 1xxx-4xxx or even 5xxx.

Any idea ? Thanks!

I did not have time to look into the source code yet, but maybe somebody can advise me what are the possible situations when such a message is generated.

IgoR
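The "refused PORT" lines Igor quotes are the server's own record that a client asked it to open a data connection somewhere it would not allow, so they are the natural thing to monitor. The script below is an added example, not code from any message in this thread: it parses constructed syslog lines in the shape quoted above, groups the refused requests per client and flags clients whose requests spread over many distinct ports. It assumes that the two numbers after PORT are the requested data-connection address (printed numerically) and the port; the host names, timestamps and extra ports in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (hypothetical hosts and timestamps) in the
# "refused PORT <addr>,<port> from <client>" shape quoted in the thread.
SAMPLE_LOG = """\
Apr  5 11:02:13 ftphost ftpd[3313]: refused PORT 0,3451 from tba-40.tba.com.br
Apr  5 11:02:14 ftphost ftpd[3313]: refused PORT 0,3452 from tba-40.tba.com.br
Apr  5 11:02:15 ftphost ftpd[3313]: refused PORT 0,3453 from tba-40.tba.com.br
Apr  5 11:02:16 ftphost ftpd[3313]: refused PORT 0,3454 from tba-40.tba.com.br
Apr  5 11:02:17 ftphost ftpd[3313]: refused PORT 0,5105 from tba-40.tba.com.br
Apr  5 11:05:40 ftphost ftpd[3390]: refused PORT 0,1021 from client.example.net
Apr  5 11:06:01 ftphost ftpd[3391]: FTP session closed
"""

# Assumption: the field after PORT is "<requested address>,<requested port>".
REFUSED_RE = re.compile(
    r"ftpd\[(?P<pid>\d+)\]: refused PORT (?P<addr>\S+),(?P<port>\d+) from (?P<client>\S+)$"
)


def parse_refused(lines):
    """Yield (client, addr, port) for each refused-PORT line; skip everything else."""
    for line in lines:
        m = REFUSED_RE.search(line.rstrip("\n"))
        if m:
            yield m.group("client"), m.group("addr"), int(m.group("port"))


def summarize(lines):
    """Group refused PORT requests by client: which addresses and ports it named."""
    per_client = defaultdict(lambda: {"addrs": set(), "ports": set(), "count": 0})
    for client, addr, port in parse_refused(lines):
        entry = per_client[client]
        entry["addrs"].add(addr)
        entry["ports"].add(port)
        entry["count"] += 1
    return dict(per_client)


def port_span(entry):
    """(lowest, highest) port one client asked for; compare with the '1xxx-5xxx' remark."""
    return (min(entry["ports"]), max(entry["ports"]))


def flag_scanners(summary, min_ports=3):
    """Clients whose refused requests cover at least min_ports distinct ports.
    A single refusal may be a misconfigured client; a run of them is a probe."""
    return sorted(c for c, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for client in flag_scanners(s):
        lo, hi = port_span(s[client])
        print(f"{client}: {s[client]['count']} refused PORT requests, "
              f"ports {lo}-{hi}, addresses {sorted(s[client]['addrs'])}")
```

On a live system feed `parse_refused` the ftpd lines from the syslog file instead of `SAMPLE_LOG`; the threshold in `flag_scanners` is a starting point to tune against normal traffic.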
From owner-freebsd-security Sat Apr 5 21:23:42 1997
Message-ID: <334732C4.4F60@weblogic.com>
Date: Sat, 05 Apr 1997 22:21:08 -0700
From: Gary Aitken
Reply-To: garya@weblogic.com
Organization: WebLogic
To: security@freebsd.org
Subject: KLaPrair@nrginfo.com

Does the login KLaPrair#nrginfo.com mean anything to anyone? We had some unexplained traffic through here addressed to KLaPrair, and inquiries to postmaster@nrginfo.com are returned undelivered.

--
Gary Aitken
garya@weblogic.com    http://www.weblogic.com/    (business)
garya@dreamchaser.org                             (personal)