From owner-freebsd-security Sun Apr 13 00:35:40 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA22093 for security-outgoing; Sun, 13 Apr 1997 00:35:40 -0700 (PDT)
Received: from mailserv.tversu.ac.ru (root@mailserv.tversu.ac.ru [193.233.128.3]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id AAA22088; Sun, 13 Apr 1997 00:35:35 -0700 (PDT)
Received: (from vadim@localhost) by mailserv.tversu.ac.ru (8.6.12/8.6.12) id LAA05138; Sun, 13 Apr 1997 11:34:47 +0400
Message-ID: <19970413113446.26166@tversu.ac.ru>
Date: Sun, 13 Apr 1997 11:34:46 +0400
From: Vadim Kolontsov
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: ftpd bug (yes, again..)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.64
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

do you remember a bug with "argc > 100" in ftpd_popen(), when users were able to kill your ftpd to produce core dump with shadow password?

Ok, this bug (which was reported when 2.1 was the latest release) is still present in 2.2 & 3.0

Yes, ftpd was patched, but incompletely. It seems that these patches were never tested (although I didn't check a patch against "kill -11" yet)

Here is an additional patch for 3.0's ftpd

============================== cut here ================================
*** popen.c.old Sun Apr 13 11:22:59 1997 --- popen.c Sun Apr 13 11:23:16 1997 *************** *** 95,101 **** /* glob each piece */ gargv[0] = argv[0]; ! for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; --- 95,101 ---- /* glob each piece */ gargv[0] = argv[0]; ! for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1) && argc < MAXUSRARGS; argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
============================== cut here ================================

See the source code to understand why previous patch was incomplete - it's easy...

BTW, wu-ftpd latest beta (13) still can be killed in this way... although wu-ftpd's maintainer was informed by me about 3 months ago.

With best regards, Vadim.

P.S. to test ftpd, do the following:

telnet your.host 21
user ftp (or your userid, if you have no anonymous ftp)
pass ftp@ (or your password)
list x x x x x x x x x x x ... (around 3 lines will be enough ;)

Bugged ftpd will die here - "Connection closed by foreign host".
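Review bot: in the changed loop condition of the popen.c patch above, argv[argc] is still evaluated before the new argc < MAXUSRARGS test, so when argc reaches MAXUSRARGS the element argv[MAXUSRARGS] is read before the limit stops the loop, which is out of bounds if argv holds MAXUSRARGS entries (its declaration is outside the hunk). Put the bound first, as in "argc < MAXUSRARGS && argv[argc] && gargc < (MAXGLOBARGS-1)". The loop also stops silently at the limit, so a command with too many arguments runs with a truncated argument list instead of being refused, and the new line is long enough that it should be wrapped.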
Now look for core dump, extract password, start your Crack :)

--------------------------------------------------------------------------
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab

From owner-freebsd-security Sun Apr 13 09:09:51 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA11992 for security-outgoing; Sun, 13 Apr 1997 09:09:51 -0700 (PDT)
Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA11986 for ; Sun, 13 Apr 1997 09:09:47 -0700 (PDT)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by postoffice.cso.uiuc.edu (8.8.5/8.8.5) with SMTP id LAA256788 for <@mailhost.uiuc.edu:freebsd-security@freebsd.org>; Sun, 13 Apr 1997 11:09:45 -0500
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) for freebsd-security@freebsd.org id LAA28308; Sun, 13 Apr 1997 11:09:15 -0500
Date: Sun, 13 Apr 1997 11:09:15 -0500
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199704131609.LAA28308@alecto.physics.uiuc.edu>
To: freebsd-security@freebsd.org
Subject: About SIGSEGV and SIGBUS
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello!

Some time ago people were asking about SIGSEGV (and probably SIGBUS) occurring while they were compiling kernel, or "making world". Looking through my archives I found the URL of the page devoted to this question. I think it might be helpful to somebody...

http://www.bitwizard.nl/sig11/

Best regards,
IgoR

From owner-freebsd-security Sun Apr 13 09:37:44 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA13090 for security-outgoing; Sun, 13 Apr 1997 09:37:44 -0700 (PDT)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA13078 for ; Sun, 13 Apr 1997 09:37:41 -0700 (PDT)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id GAA04558 for ; Sun, 13 Apr 1997 06:29:16 -0700 (PDT)
Received: (qmail 26307 invoked by uid 110); 13 Apr 1997 13:26:09 -0000
Message-ID: <19970413132609.26306.qmail@suburbia.net>
Subject: ipfilter-proff-final2.shar.gz
To: hackers@freebsd.org, security@freebsd.org
Date: Sun, 13 Apr 1997 23:26:09 +1000 (EST)
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Some of you may recall that I believed the ipfilter state following code was buggy and was leaking mbufs. I've isolated the problem, and without going into details fixed it. The issue was significant enough that I felt a new snapshot was required.

ftp://ftp.freebsd.org/pub/FreeBSD/incoming/ipfilter-proff-final2.shar.gz

Hopefully I can now go back into retirement :)

--
Prof. Julian Assange |If you want to build a ship, don't drum up people
                     |together to collect wood and don't assign them tasks
proff@suburbia.net   |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu |immensity of the sea.
-- Antoine de Saint Exupery

From owner-freebsd-security Sun Apr 13 10:50:57 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA15884 for security-outgoing; Sun, 13 Apr 1997 10:50:57 -0700 (PDT)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA15879 for ; Sun, 13 Apr 1997 10:50:55 -0700 (PDT)
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id KAA08040 for ; Sun, 13 Apr 1997 10:52:55 -0700 (PDT)
Received: (qmail 937 invoked by uid 110); 13 Apr 1997 17:42:48 -0000
MBOX-Line: From owner-bugtraq@NETSPACE.ORG Sun Apr 13 17:37:32 1997 remote from suburbia.net
Delivered-To: proff@SUBURBIA.NET
Received: (qmail 766 invoked from network); 13 Apr 1997 17:37:25 -0000
Received: from brimstone.netspace.org (128.148.157.143) by suburbia.net with SMTP; 13 Apr 1997 17:37:25 -0000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <32898-29443>; Sun, 13 Apr 1997 13:35:17 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 3444988 for BUGTRAQ@NETSPACE.ORG; Sun, 13 Apr 1997 13:20:08 -0400
Received: from brimstone.netspace.org (brimstone [128.148.157.143]) by netspace.org (8.8.5/8.8.2) with ESMTP id NAA17692 for ; Sun, 13 Apr 1997 13:19:40 -0400
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <32770-29445>; Sun, 13 Apr 1997 13:22:09 -0400
Approved-By: aleph1@UNDERGROUND.ORG
Received: from sun1.ideal.ru (fsite.24h.dialup.ru [194.87.18.254]) by netspace.org (8.8.5/8.8.2) with ESMTP id IAA28809 for ; Sun, 13 Apr 1997 08:05:21 -0400
Received: (from solar@localhost) by sun1.ideal.ru (8.8.3/8.7.3) id QAA06271; Sun, 13 Apr 1997 16:06:40 -0300 (GMT)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-ID: <199704131906.QAA06271@sun1.ideal.ru>
Date: Sun, 13 Apr 1997 16:06:38 -0300
Reply-To: solar@SUN1.IDEAL.RU
From: Solar Designer
Subject: 2nd Linux kernel patch to remove stack exec
X-To: linux-kernel@vger.rutgers.edu
To: BUGTRAQ@NETSPACE.ORG
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Hello!

I include an improved version of my patch in this message. The main difference from the old one is that no programs at all should be broken by using it (this includes GCC trampolines). If some programs still get broken, please let me know.

I'd like to thank everyone who replied to my previous message pointing out the problem, I'll now answer the common stuff at once.

About GCC trampolines -- yes, there is a problem, but in reality it turns out to be quite easy to solve; also, nested functions, and especially those whose address gets passed somewhere else, are not common in real world applications -- one of the reasons is that it's a GNU C extension. Since most programs will never use the trampolines, it makes sense to run them with non-executable stack, and enable stack execution permission for those that really need it. This can be done automatically, by modifying the GPF handler to switch back to the huge code segment (which covers the stack) and re-executing the instruction, unless it was a RET. Since most buffer overflows can only be exploited by overwriting the return address, this will still make them unexploitable (RET has to be the instruction to pass the control onto the stack), while C programs will normally only use CALL, and it is extremely unlikely that some code will use RET for that purpose (this can never happen for pure C programs compiled with GCC). Note that such emulation won't make the things run any slower since only one GPF per entire process life may get generated (after that the stack remains executable for this entire process).

About me breaking the entire signal handling -- wrong, I handle this case specially from the very beginning, by temporarily switching to the huge code segment for the time of signal handler execution. This leaves potential buffer overflows in signal handlers exploitable, but there seems to be no other simple way for the kernel to put the necessary return code in user program's address space (remember, signal handlers have to return with a plain RET, but they need to return to the kernel, so some extra code in the user space is required, which would get jumped to by the RET, and jump into the kernel).

About [not] including the patch in Linux kernel release -- the patch was not intended to be included in standard kernel distribution, at least not right now, when it hasn't been tested widely enough. Anyway, it might be reasonable to include it there after some testing is done, as a configurable experimental feature.

A possible new question -- why can't an exploit be made in such a way, so the GPF handler would enable execution permission on the stack? This is due to most buffer overflow vulnerabilities allowing to only overwrite the function return address, and not some other pointer which would get jumped to. No matter if the custom code would contain a CALL, since it has to be put onto the stack, and GPF would happen when attempting to execute the RET, before the control has a chance to get to the CALL. However, I admit there're some rare buffer overflow cases which will remain exploitable -- these are when the vulnerable function uses function pointers, and keeps them on its stack. I only know one such example -- SuperProbe. Also, in some cases the custom code may be put somewhere else in user program's address space, not on the stack, or the program may already have some suitable code in it (I already mentioned that in my previous message). Anyway, I believe my patch makes most buffer overflows (well, at least some of them for sure, which is enough to be worth using) unexploitable.

Another possible new question -- what if the GPF is caused by some bug in a program?
Well, in that case my patched handler will still switch to the huge code segment, and attempt to re-execute the instruction, which will cause the GPF again. This time the handler will do what it used to do earlier -- terminate the program with a SIGSEGV. I actually tested that, seems to work fine (exactly the same as it did without my patch), including the case when running under gdb. As usual, any bug reports are welcome.

Finally, someone might wonder if the patch is still useful, when it got that fallback in the GPF handler. While using libc5, it is unlikely the fallback will ever happen (even if it does, only that single process will be running with the stack being executable), so the patch prevents many overflows from being exploitable (I actually ensured that many overflow exploits stopped working, well, except for my SuperProbe exploit that I mentioned above), so the patch is useful. However, things are likely to change with glibc...

To enable/disable execution permission on the stack in your programs (who would need that, with such a GPF handler?), the following can be used:

    #include [...]

    /* Switch to huge code segment => executable stack */
    asm("ljmp %0,$1f\n1:\n" : : "i" (USER_HUGE_CS));

    /* Switch to truncated code segment => non-executable stack */
    asm("ljmp %0,$1f\n1:\n" : : "i" (USER_CS));

If someone really uses these, it might be reasonable to make such macros in asm/segment.h, so the stuff looks more readable.

And now the patch... (to make it work with 2.1.x, change "cs" to "xcs" for signal.c and traps.c).

diff -u --recursive /extra/linux-2.0.30/arch/i386/kernel/head.S linux/arch/i386/kernel/head.S --- /extra/linux-2.0.30/arch/i386/kernel/head.S Sat Apr 12 10:41:59 1997 +++ linux/arch/i386/kernel/head.S Sat Apr 12 10:44:58 1997
@@ -402,7 +402,7 @@ .quad 0xc0c392000000ffff /* 0x18 kernel 1GB data at 0xC0000000 */ .quad 0x00cbfa000000ffff /* 0x23 user 3GB code at 0x00000000 */ .quad 0x00cbf2000000ffff /* 0x2b user 3GB data at 0x00000000 */ - .quad 0x0000000000000000 /* not used */ + .quad 0x00cafa000000ffff /* 0x33 user 2.75GB code */ .quad 0x0000000000000000 /* not used */ .fill 2*NR_TASKS,8,0 /* space for LDT's and TSS's etc */ #ifdef CONFIG_APM diff -u --recursive /extra/linux-2.0.30/arch/i386/kernel/signal.c linux/arch/i386/kernel/signal.c --- /extra/linux-2.0.30/arch/i386/kernel/signal.c Sat Apr 12 10:41:59 1997 +++ linux/arch/i386/kernel/signal.c Sat Apr 12 10:44:58 1997 @@ -214,7 +214,7 @@ /* Set up registers for signal handler */ regs->esp = (unsigned long) frame; regs->eip = (unsigned long) sa->sa_handler; - regs->cs = USER_CS; regs->ss = USER_DS; + regs->cs = USER_HUGE_CS; regs->ss = USER_DS; regs->ds = USER_DS; regs->es = USER_DS; regs->gs = USER_DS; regs->fs = USER_DS; regs->eflags &= ~TF_MASK; diff -u --recursive /extra/linux-2.0.30/arch/i386/kernel/traps.c linux/arch/i386/kernel/traps.c --- /extra/linux-2.0.30/arch/i386/kernel/traps.c Sat Apr 12 10:41:59 1997 +++ linux/arch/i386/kernel/traps.c Sun Apr 13 07:22:44 1997 @@ -198,6 +198,14 @@ return; } die_if_kernel("general protection",regs,error_code); + if (regs->cs == USER_CS && get_seg_byte(USER_DS, (char *)regs->eip) != 0xC3) { +/* + * Switch to the original huge code segment (and allow code execution on the + * stack for this entire process), unless the faulty instruction is a RET. + */ + regs->cs = USER_HUGE_CS; + return; + } current->tss.error_code = error_code; current->tss.trap_no = 13; force_sig(SIGSEGV, current); diff -u --recursive /extra/linux-2.0.30/include/asm-i386/segment.h linux/include/asm-i386/segment.h --- /extra/linux-2.0.30/include/asm-i386/segment.h Sat Apr 12 10:41:37 1997 +++ linux/include/asm-i386/segment.h Sat Apr 12 10:44:58 1997 
@@ -4,7 +4,8 @@ #define KERNEL_CS 0x10 #define KERNEL_DS 0x18 -#define USER_CS 0x23 +#define USER_HUGE_CS 0x23 +#define USER_CS 0x33 #define USER_DS 0x2B #ifndef __ASSEMBLY__

Signed,
Solar Designer

From owner-freebsd-security Sun Apr 13 11:09:51 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id LAA16781 for security-outgoing; Sun, 13 Apr 1997 11:09:51 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id LAA16753; Sun, 13 Apr 1997 11:09:41 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wGTiL-0005zj-00; Sun, 13 Apr 1997 12:09:21 -0600
To: Vadim Kolontsov
Subject: Re: ftpd bug (yes, again..)
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-reply-to: Your message of "Sun, 13 Apr 1997 11:34:46 +0400." <19970413113446.26166@tversu.ac.ru>
References: <19970413113446.26166@tversu.ac.ru>
Date: Sun, 13 Apr 1997 12:09:21 -0600
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <19970413113446.26166@tversu.ac.ru> Vadim Kolontsov writes:
: Now look for core dump, extract password, start your Crack :)

Fail to find core dump, become bummed :-( The kernel won't produce a
core in these cases.

Warner

From owner-freebsd-security Sun Apr 13 11:52:26 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id LAA18721 for security-outgoing; Sun, 13 Apr 1997 11:52:26 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA18699; Sun, 13 Apr 1997 11:52:15 -0700 (PDT)
Received: (from guido@localhost) by gvr.win.tue.nl (8.8.5/8.8.2) id UAA15689; Sun, 13 Apr 1997 20:51:31 +0200 (MET DST)
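Review bot: the traps.c hunk of Solar Designer's patch above treats only opcode 0xC3 as a return, so a fault raised at any other return form (RET imm16, 0xC2, for one) takes the fallback and leaves the process on USER_HUGE_CS with an executable stack; compare against the full set of return opcodes and give them names instead of a bare 0xC3. The switch is also silent: a log line naming the process when regs->cs is changed would let an administrator see which processes have lost the protection. The added comment starts at column 0 inside the if body and should be indented with the code it describes.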
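Review bot: in the signal.c hunk of the same patch the handler is entered with regs->cs = USER_HUGE_CS, but the line carries no comment saying why. The reason given in the message (the return code the kernel places on the user stack) belongs next to the assignment, together with the consequence that the stack is executable for the whole handler. Nothing in the hunk shows where cs goes back to the truncated segment once the handler returns, so the comment should name that place as well.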
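Review bot: the segment.h hunk of the same patch changes what the existing name USER_CS selects (0x23 becomes 0x33), so every use of USER_CS outside this diff changes behaviour without appearing in it; each of those uses needs checking, as the note about 2.1.x already hints. Both defines should carry a comment stating which descriptor and which segment limit they select, since the names alone do not say that USER_CS is now the truncated segment.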
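The descriptor arithmetic behind Solar Designer's patch, as an added example (not part of his message or of the Linux sources): it decodes the three user descriptors from the head.S hunk and shows that an instruction fetch from a stack address passes the segment limit check under selector 0x23 but not under the new 0x33. The function names and the sample stack address 0xBFFFF000 are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 8-byte i386 GDT code/data segment descriptor. */
struct seg_desc {
    uint32_t base;     /* linear base address */
    uint32_t limit;    /* raw 20-bit limit field */
    int granular;      /* G bit: limit is counted in 4 KiB pages */
    int present;       /* P bit */
    int dpl;           /* descriptor privilege level, 0..3 */
    int code;          /* 1 = code segment, 0 = data segment */
    uint64_t end;      /* first offset past the end of the segment */
};

/* Split a .quad value from head.S into its architectural fields. */
struct seg_desc decode_desc(uint64_t q)
{
    struct seg_desc d;
    uint32_t lo = (uint32_t)q;
    uint32_t hi = (uint32_t)(q >> 32);
    uint32_t access = (hi >> 8) & 0xff;

    d.limit = (lo & 0xffff) | (hi & 0x000f0000);
    d.base = (lo >> 16) | ((hi & 0xff) << 16) | (hi & 0xff000000);
    d.granular = (hi >> 23) & 1;
    d.present = (access >> 7) & 1;
    d.dpl = (access >> 5) & 3;
    d.code = (access >> 3) & 1;
    d.end = (uint64_t)d.limit + 1;
    if (d.granular)
        d.end <<= 12;           /* pages to bytes */
    return d;
}

/* A selector is (GDT index << 3) | table-indicator bit | RPL. */
unsigned selector_index(unsigned sel) { return sel >> 3; }
unsigned selector_rpl(unsigned sel) { return sel & 3; }

/* 1 if an instruction fetch at this offset passes the limit check. */
int fetch_allowed(uint64_t cs_desc, uint32_t offset)
{
    struct seg_desc d = decode_desc(cs_desc);
    return d.present && d.code && (uint64_t)offset < d.end;
}

/* Descriptor values copied from the head.S hunk. */
#define DESC_USER_HUGE_CS 0x00cbfa000000ffffULL  /* selector 0x23 */
#define DESC_USER_DS      0x00cbf2000000ffffULL  /* selector 0x2b */
#define DESC_USER_CS      0x00cafa000000ffffULL  /* selector 0x33, added */

/* Constructed sample: an address in the top 256 MiB of the 3 GB user
 * space, where this example assumes the user stack lives. */
#define SAMPLE_STACK_ADDR 0xBFFFF000u

static void show(const char *name, unsigned sel, uint64_t q)
{
    struct seg_desc d = decode_desc(q);
    printf("%-13s sel=0x%02x gdt[%u] rpl=%u dpl=%d %s end=0x%08llx\n",
           name, sel, selector_index(sel), selector_rpl(sel), d.dpl,
           d.code ? "code" : "data", (unsigned long long)d.end);
}

int main(void)
{
    show("USER_HUGE_CS", 0x23, DESC_USER_HUGE_CS);
    show("USER_DS", 0x2b, DESC_USER_DS);
    show("USER_CS", 0x33, DESC_USER_CS);
    printf("fetch at 0x%08x: huge=%d truncated=%d\n", SAMPLE_STACK_ADDR,
           fetch_allowed(DESC_USER_HUGE_CS, SAMPLE_STACK_ADDR),
           fetch_allowed(DESC_USER_CS, SAMPLE_STACK_ADDR));
    return 0;
}
```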
From: Guido van Rooij
Message-Id: <199704131851.UAA15689@gvr.win.tue.nl>
Subject: Re: ftpd bug (yes, again..)
In-Reply-To: from Warner Losh at "Apr 13, 97 12:09:21 pm"
To: imp@village.org (Warner Losh)
Date: Sun, 13 Apr 1997 20:51:31 +0200 (MET DST)
Cc: vadim@tversu.ac.ru, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Warner Losh wrote:
> In message <19970413113446.26166@tversu.ac.ru> Vadim Kolontsov writes:
> : Now look for core dump, extract password, start your Crack :)
>
> Fail to find core dump, become bummed :-( The kernel won't produce a
> core in these cases.
>

Not on 2.1 I think. On 2.2 ftpd will not coredump (deliberately)

-Guido

From owner-freebsd-security Sun Apr 13 11:55:12 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id LAA18908 for security-outgoing; Sun, 13 Apr 1997 11:55:12 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id LAA18903; Sun, 13 Apr 1997 11:55:06 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wGUQ3-00067B-00; Sun, 13 Apr 1997 12:54:31 -0600
To: Guido van Rooij
Subject: Re: ftpd bug (yes, again..)
Cc: vadim@tversu.ac.ru, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-reply-to: Your message of "Sun, 13 Apr 1997 20:51:31 +0200." <199704131851.UAA15689@gvr.win.tue.nl>
References: <199704131851.UAA15689@gvr.win.tue.nl>
Date: Sun, 13 Apr 1997 12:54:31 -0600
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199704131851.UAA15689@gvr.win.tue.nl> Guido van Rooij writes:
: Warner Losh wrote:
: > In message <19970413113446.26166@tversu.ac.ru> Vadim Kolontsov writes:
: > : Now look for core dump, extract password, start your Crack :)
: >
: > Fail to find core dump, become bummed :-( The kernel won't produce a
: > core in these cases.
: >
:
: Not on 2.1 I think. On 2.2 ftpd will not coredump (deliberately)

I thought the core dump patches had been backported to the 2.1
branch, post 2.1.7. Am I mistaken?

Warner

From owner-freebsd-security Sun Apr 13 12:11:15 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA19397 for security-outgoing; Sun, 13 Apr 1997 12:11:15 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA19376; Sun, 13 Apr 1997 12:11:06 -0700 (PDT)
Received: (from guido@localhost) by gvr.win.tue.nl (8.8.5/8.8.2) id VAA15840; Sun, 13 Apr 1997 21:10:24 +0200 (MET DST)
From: Guido van Rooij
Message-Id: <199704131910.VAA15840@gvr.win.tue.nl>
Subject: Re: ftpd bug (yes, again..)
In-Reply-To: from Warner Losh at "Apr 13, 97 12:54:31 pm"
To: imp@village.org (Warner Losh)
Date: Sun, 13 Apr 1997 21:10:24 +0200 (MET DST)
Cc: vadim@tversu.ac.ru, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Warner Losh wrote:
> In message <199704131851.UAA15689@gvr.win.tue.nl> Guido van Rooij writes:
> : Warner Losh wrote:
> : > In message <19970413113446.26166@tversu.ac.ru> Vadim Kolontsov writes:
> : > : Now look for core dump, extract password, start your Crack :)
> : >
> : > Fail to find core dump, become bummed :-( The kernel won't produce a
> : > core in these cases.
> : >
> :
> : Not on 2.1 I think. On 2.2 ftpd will not coredump (deliberately)
>
> I thought the core dump patches had been backported to the 2.1
> branch, post 2.1.7. Am I mistaken?

RELENG_2_2_1_RELEASE: 1.26.2.1
RELENG_2_2_0_RELEASE: 1.26.2.1
RELENG_2_1_7_RELEASE: 1.11.4.2
RELENG_2_1_6_1_RELEASE: 1.11.4.2
RELENG_2_1_6_RELEASE: 1.11.4.2
RELENG_2_1_5_RELEASE: 1.11.4.1

revision 1.11.4.2
date: 1996/10/19 01:07:38; author: davidg; state: Exp; lines: +3 -4
Brought in change from revs 1.19/1.26: check for P_SUGID before coredumping.

So it's not in 2.1.5, but it is in 2.1.6 and further.

-Guido

From owner-freebsd-security Sun Apr 13 22:48:51 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA17089 for security-outgoing; Sun, 13 Apr 1997 22:48:51 -0700 (PDT)
Received: from mailserv.tversu.ac.ru (root@mailserv.tversu.ac.ru [193.233.128.3]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id WAA17081; Sun, 13 Apr 1997 22:48:46 -0700 (PDT)
Received: (from vadim@localhost) by mailserv.tversu.ac.ru (8.6.12/8.6.12) id JAA14766; Mon, 14 Apr 1997 09:48:10 +0400
Message-ID: <19970414094810.03662@tversu.ac.ru>
Date: Mon, 14 Apr 1997 09:48:10 +0400
From: Vadim Kolontsov
To: Warner Losh
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: ftpd bug (yes, again..)
References: <19970413113446.26166@tversu.ac.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.64
In-Reply-To: ; from Warner Losh on Sun, Apr 13, 1997 at 12:09:21PM -0600
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, Apr 13, 1997 at 12:09:21PM -0600, Warner Losh wrote:
> : Now look for core dump, extract password, start your Crack :)
>
> Fail to find core dump, become bummed :-(

I didn't notice it - I check ftpd's sources on 2.1 :)
But anyway, I think that bug must be fixed. Am I wrong?

Best regards, Vadim.

--------------------------------------------------------------------------
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab

From owner-freebsd-security Sun Apr 13 23:55:51 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA21133 for security-outgoing; Sun, 13 Apr 1997 23:55:51 -0700 (PDT)
Received: from oblivion.esgroup.net (root@oblivion.esgroup.net [204.174.98.210]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA21111; Sun, 13 Apr 1997 23:55:45 -0700 (PDT)
Received: from oblivion.esgroup.net (tbaur@oblivion.esgroup.net [204.174.98.210]) by oblivion.esgroup.net (8.8.5/8.8.5) with SMTP id XAA18538; Sun, 13 Apr 1997 23:55:53 -0700 (PDT)
Date: Sun, 13 Apr 1997 23:55:52 -0700 (PDT)
From: Tim Baur
To: Vadim Kolontsov
cc: Warner Losh , freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: ftpd bug (yes, again..)
In-Reply-To: <19970414094810.03662@tversu.ac.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 14 Apr 1997, Vadim Kolontsov wrote:
> I didn't notice it - I check ftpd's sources on 2.1 :)
> But anyway, I think that bug must be fixed. Am I wrong?

It's fixed.

From owner-freebsd-security Mon Apr 14 00:55:55 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA24770 for security-outgoing; Mon, 14 Apr 1997 00:55:55 -0700 (PDT)
Received: from relaybr.eunet.fr (relaybr.EUnet.fr [193.107.210.133]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id AAA24765 for ; Mon, 14 Apr 1997 00:55:46 -0700 (PDT)
Received: from ericf.EUnet-Bretagne.fr ([193.107.210.161]) by relaybr.eunet.fr (8.6.12/8.6.9) with SMTP id JAA24819; Mon, 14 Apr 1997 09:58:31 +0200
Message-ID: <3351E541.1F0@EUnet-Bretagne.fr>
Date: Mon, 14 Apr 1997 10:05:21 +0200
From: Eric Feillant
Reply-To: Eric.Feillant@EUnet-Bretagne.fr
Organization: EUnet BRETAGNE groupe EUnet
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Darren Reed
CC: proff@suburbia.net, ipfilter@postbox.anu.edu.au, security@freebsd.org
Subject: Re: ipfilter-proff-final.shar.gz
References: <199704120213.MAA23890@plum.cyber.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Darren Reed wrote:
>
> In some mail I received from Eric Feillant, sie wrote
> >
> > proff@suburbia.net wrote:
> > >
> > > ftp://ftp.freebsd.org/pub/FreeBSD/incoming/ipfilter-proff-final.shar.gz (112k)
> > >
> > > I'm done. I've tested this release fairly heavily under both -current
> > > and 2.2.1 and am happy with it. I have heavy time constraints for
> > > the next few weeks/months, and I know avalon is facing similar
> > > difficulties. I'm handing over the torch to another bearer.
> > >
> > > No more troubles for installing this package now...
> >
> > We are still trying to run IPNAT without any good results....
> >
> > our natrules:
> >
> > map ed0 192.168.1.1/32 -> 193.107.210.225/32
> >
> > our external interface is ed0 (193.107.210)
> > our internal interface is ed1 (192.168.1)
>
> If you have multiple hosts inside your network, on the 192.168.1 net,
> then you need to use "192.168.1.0/24".
>
> Darren

We still have a problem:

Here is our config:

localnet (192.168.1.0)---> 192.168.1.1 (Sun/SunOS or FreeBSD2.2)193.107.210.129 --->193.107.210.0

Here's our NATRULES FILE:

map ie1 192.168.1.0/24 -> 193.107.210.225/32

ie1 is our INTERNAL interface (192.168.1.1)

Here's my netstat -rn config output:

Routing tables
Destination      Gateway            Flags  Refcnt  Use    Interface
127.0.0.1        127.0.0.1          UH     4       666    lo0
default          193.107.210.1      UG     0       457    le0
192.168.1.0      192.168.1.1        U      0       21     ie1
193.107.210.0    193.107.210.129    U      4       163    le0

When we try tcpdump on ie1 (internal int.): we are not able to receive reply packets from the outside world.

What's going wrong ?????

Thanx for help,

--
========= ____ ===== Eric Feillant
======== / / / ___ ___ /_ ====== EUnet BRETAGNE
======= /---- / / / / /___/ / ======= 140, bd de Creach Gwen
====== /____ /___/ / / /___ /_ ======== 29000 QUIMPER, France
===== Bretagne ========= Tel:(+33) 298101620 Fax:(+33) 298828788
Eric.Feillant@EUnet.fr http://www.EUnet.fr
Partner of CISCO, CHECKPOINT (FIREWALL), BAY NETWORKS, UB NETWORK, SUN, CITRIX

From owner-freebsd-security Tue Apr 15 10:27:01 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA22954 for security-outgoing; Tue, 15 Apr 1997 10:27:01 -0700 (PDT)
Received: from dira.bris.ac.uk (dira.bris.ac.uk [137.222.10.41]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA22913 for ; Tue, 15 Apr 1997 10:26:42 -0700 (PDT)
Received: from kukini.cs.bris.ac.uk by dira.bris.ac.uk with SMTP (PP); Tue, 15 Apr 1997 18:25:02 +0100
Received: from maxx by kukini.compsci.bristol.ac.uk id aa28834; 15 Apr 97 17:24 GMT
Received: from localhost by maxx.cs.bris.ac.uk (SMI-8.6/SMI-SVR4) id SAA02395; Tue, 15 Apr 1997 18:25:24 +0100
To: freebsd-security@freebsd.org
Subject: xlock problem
X-Address: Computer Science Dept., University of Bristol, Bristol, U.K.
X-Work-Phone: +44 (117) 954 5106
X-Attribution: Dave
Date: Tue, 15 Apr 1997 18:25:24 +0100
Message-ID: <2394.861125124@maxx>
From: David Hedley
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi there,

Just a quick note to say that you should upgrade the version of xlock you are distributing with 2.2.1 and 2.1.7 to xlockmore-4.01 as previous versions have several exploitable buffer overflows which allow root access.

To see if you are vulnerable do the following:

xlock -name xxxxxxxxxxx << insert at least 1000 x's here)

If xlock segmentation faults, then it is vulnerable.

To fix, chmod u-s /usr/X11R6/bin/xlock and download and install version 4.01 (available from ftp.x.org:/contrib)

Cheers,
David

--
David Hedley (hedley@cs.bris.ac.uk)
finger hedley@cs.bris.ac.uk for PGP key
Computer Graphics Group | University of Bristol | UK

From owner-freebsd-security Thu Apr 17 21:02:50 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id VAA00221 for security-outgoing; Thu, 17 Apr 1997 21:02:50 -0700 (PDT)
Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA00215 for ; Thu, 17 Apr 1997 21:02:45 -0700 (PDT)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by postoffice.cso.uiuc.edu (8.8.5/8.8.5) with SMTP id XAA84312 for <@mailhost.uiuc.edu:Freebsd-security@freebsd.org>; Thu, 17 Apr 1997 23:02:43 -0500
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) for Freebsd-security@freebsd.org id XAA11899; Thu, 17 Apr 1997 23:02:07 -0500
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199704180402.XAA11899@alecto.physics.uiuc.edu>
Subject: Buffer overflow in sperl5.003 (fwd) -- Is this relevant to FreeBSD ?
To: Freebsd-security@freebsd.org
Date: Thu, 17 Apr 1997 23:02:07 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello!

Does anybody know if this hole exists on FreeBSD ?

Thanks!

IgoR

Forwarded message:
>From owner-bugtraq@NETSPACE.ORG Thu Apr 17 19:40:09 1997
Approved-By: aleph1@UNDERGROUND.ORG
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-242971389-615984271-861311469=:24662"
Message-ID:
Date: Thu, 17 Apr 1997 14:11:09 -0700
Reply-To: Murphy
Sender: Bugtraq List
From: Murphy
Subject: Buffer overflow in sperl5.003
To: BUGTRAQ@NETSPACE.ORG

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.

---242971389-615984271-861311469=:24662
Content-Type: TEXT/PLAIN; charset=US-ASCII

It came to my attention that there is a buffer overflow bug in sperl5.003 that will allow local users gain root access, if SUID root. The exploit and bug was made and brought to my attention by Willy Tarreau (tarreau@aemiaif.ibp.fr). Attached is the source for the exploit. Since it requires some work to be done to the compiled exploit (Stripping of 5 bytes at the beginning and end of the binary), the precompiled Linux x86 exploit can be found at http://www.ecst.csuchico.edu/~jtmurphy/localusers.html.

PS. Have a nice day.

--
----------------------------------------------------------------------------
Jason T. Murphy | Finger for PGP Public Key | jtmurphy@ecst.csuchico.edu
The Linux Security Home Page -> http://www.ecst.csuchico.edu/~jtmurphy
Security buff, Linux Freak, PC Tech @ Chico State, and all around nice guy.
---242971389-615984271-861311469=:24662
Content-Type: APPLICATION/octet-stream; name="sperlexp.tgz"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:

---242971389-615984271-861311469=:24662--

From owner-freebsd-security Thu Apr 17 23:17:47 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA06392 for security-outgoing; Thu, 17 Apr 1997 23:17:47 -0700 (PDT)
Received: from staff.cs.su.OZ.AU (staff.cs.su.OZ.AU [129.78.8.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id XAA06385 for ; Thu, 17 Apr 1997 23:17:39 -0700 (PDT)
Received: from suede.sw.oz.au by swallow.sw.oz.au with ESMTP id GAA00051; Fri, 18 Apr 1997 06:17:20 GMT (8.6.10/Unixware) (from pjc@sw.oz.au for )
Received: from suede.sw.oz.au by suede.sw.oz.au with SMTP id GAA16445; Fri, 18 Apr 1997 06:17:19 GMT (SMI-8.6/1.34) (from pjc@softway.com.au for )
Message-ID: <335711EF.55A@softway.com.au>
Date: Fri, 18 Apr 1997 16:17:19 +1000
From: Peter Clark Organization: Softway Pty Ltd X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: security@freebsd.org CC: security-notification@freebsd.org Subject: subscription Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

subscribe security@freebsd.org
subscribe security-notification@freebsd.org

From owner-freebsd-security Fri Apr 18 08:45:57 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA12963 for security-outgoing; Fri, 18 Apr 1997 08:45:57 -0700 (PDT) Received: from coven.queeg.com (queeg.com [204.95.70.218]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA12957; Fri, 18 Apr 1997 08:45:49 -0700 (PDT) Received: (from brion@localhost) by coven.queeg.com (8.8.5/8.8.4) id IAA25067; Fri, 18 Apr 1997 08:44:47 -0700 (PDT) Date: Fri, 18 Apr 1997 08:44:47 -0700 (PDT) Message-Id: <199704181544.IAA25067@coven.queeg.com>
From: Brion Moss To: The Hermit Hacker Cc: "Serge A. Babkin" , khetan@iafrica.com, security@freebsd.org, hackers@freebsd.org Subject: Re: SATAN under FreeBSD In-Reply-To: References: <199704111311.TAA06060@hq.icb.chel.su> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Check out "The Admin Guide to Cracking", by the people who brought you Satan. It's at ftp://ftp.win.tue.nl/pub/security/index.html, along with a lot of other good stuff.

AUSCERT has a security checklist that you can go through. There's a better checklist in _Practical_UNIX_And_Internet_Security_, from O'Reilly.

-Brion

The Hermit Hacker writes:
> On Fri, 11 Apr 1997, Serge A. Babkin wrote:
>
> > > > Or just set in the options that the .pl suffix means a HTML file.
> > > > It worked great for me. The only problem is that I found
> > > > absolutely no usefulness in SATAN. The "holes" it reported
> > > > about were so idiotic.
> > > >
> > > Any useful resources that I can look through on how to debug
> > > things? For instance, one of the machines at the office is an old
> > > Altos machine running 'Sendmail 5.59/Altos-2.0 ready'...I'd like to be
> > > able to test that one for any holes.
> >
> > I awaited a like thing from SATAN too. But almost all it did was analysing
> > the NFS exports :-(
>
> Looking at the work on SATAN, and what it was trying to address,
> why isn't there a list compiled of 'how to break into an insecure system'?
> Something that a system administrator could sit down and go through, one by
> one, to test their systems?
>
> One of the 'papers' that I've come across through Yahoo is found
> at:
>
> http://www.geocities.com/SiliconValley/Lakes/6866/admin.html
>
> which details several different methods of cracking into a system,
> but it's by no means complete, and all of them fail even on that old Altos
> machine, so, like SATAN, is practically useless.
>
> Does anyone else know of something similar? Maybe start up a
> 'Improving Security' section off of the FreeBSD web pages with links to
> *good* papers like the above?
>
>
> Marc G. Fournier
> Systems Administrator @ hub.org
> primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
>

From owner-freebsd-security Sat Apr 19 06:48:52 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA17194 for security-outgoing; Sat, 19 Apr 1997 06:48:52 -0700 (PDT) Received: from newonyx.interactive.net (ritz@newonyx.interactive.net [208.192.224.60]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA17189 for ; Sat, 19 Apr 1997 06:48:49 -0700 (PDT) From: ritz@newonyx.interactive.net Received: (from ritz@localhost) by newonyx.interactive.net (8.8.5/8.8.5) id JAA19171 for freebsd-security@freebsd.org; Sat, 19 Apr 1997 09:46:20 -0400 (EDT) Message-Id: <199704191346.JAA19171@newonyx.interactive.net> Subject: subscribe freebsd-security To: freebsd-security@freebsd.org Date: Sat, 19 Apr 1997 09:46:20 -0400 (EDT) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

subscribe freebsd-security

From owner-freebsd-security Sat Apr 19 15:43:14 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA20140 for security-outgoing; Sat, 19 Apr 1997 15:43:14 -0700 (PDT) Received: from sand.sentex.ca (sand.sentex.ca [206.222.77.6]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA20133 for ; Sat, 19 Apr 1997 15:43:10 -0700 (PDT) Received: from gravel (gravel.sentex.ca [205.211.165.210]) by sand.sentex.ca (8.8.5/8.8.3) with SMTP id SAA14033 for ; Sat, 19 Apr 1997 18:48:15 -0400 (EDT) Message-Id: <3.0.1.32.19970419184754.00a5d8f0@sentex.net> X-Sender: mdtancsa@sentex.net X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Sat, 19 Apr 1997 18:47:54 -0400 To: security@freebsd.org
From: Mike Tancsa Subject: Any plans for IPSEC on FreeBSD ? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

While trying to find out info about VPNs and such, I started reading up on IPSEC. Linux, NetBSD, and OpenBSD seem to be trying to provide support for this next standard. I was wondering if there were any plans to port it to FreeBSD... In the meantime, is there any way to get a VPN happening with a FreeBSD 2.2 box? Sun's SKIP seems to only work with 2.1.5 (at least the DOCS say so).

Thanks,

---Mike
**********************************************************************
Mike Tancsa (mike@sentex.net) * To do is to be -- Nietzsche
Sentex Communications Corp, * To be is to do -- Sartre
Cambridge, Ontario * Do be do be do -- Sinatra
(http://www.sentex.net/~mdtancsa) *

From owner-freebsd-security Sat Apr 19 19:56:21 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id TAA29621 for security-outgoing; Sat, 19 Apr 1997 19:56:21 -0700 (PDT) Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA29616 for ; Sat, 19 Apr 1997 19:56:17 -0700 (PDT) Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.5/8.7.3) id MAA02480; Sun, 20 Apr 1997 12:26:09 +0930 (CST)
From: Michael Smith Message-Id: <199704200256.MAA02480@genesis.atrad.adelaide.edu.au> Subject: Re: Any plans for IPSEC on FreeBSD ? In-Reply-To: <3.0.1.32.19970419184754.00a5d8f0@sentex.net> from Mike Tancsa at "Apr 19, 97 06:47:54 pm" To: mike@sentex.net (Mike Tancsa) Date: Sun, 20 Apr 1997 12:26:09 +0930 (CST) Cc: security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Mike Tancsa stands accused of saying:
>
> While trying to find out info about VPNs and such, I started reading up on
> IPSEC. Linux, NetBSD, and OpenBSD seem to be trying to provide support for
> this next standard. I was wondering if there were any plans to port it to
> FreeBSD... In the meantime, is there any way to get a VPN happening with
> a FreeBSD 2.2 box? Sun's SKIP seems to only work with 2.1.5 (at least the
> DOCS say so).

Have a look at Jim B's SMN page; http://www.cs.pdx.edu/research/SMN/index.html

> Thanks,
>
> ---Mike
> **********************************************************************
> Mike Tancsa (mike@sentex.net) * To do is to be -- Nietzsche
> Sentex Communications Corp, * To be is to do -- Sartre
> Cambridge, Ontario * Do be do be do -- Sinatra
> (http://www.sentex.net/~mdtancsa) *
>

--
]] Mike Smith, Software Engineer msmith@gsoft.com.au [[
]] Genesis Software genesis@gsoft.com.au [[
]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[
]] realtime instrument control. (ph) +61-8-8267-3493 [[
]] Unix hardware collector. "Where are your PEZ?" The Tick [[