From owner-freebsd-security Sun Jun 1 23:20:21 1997
Date: Mon, 2 Jun 1997 08:19:32 +0200 (MET DST)
Message-Id: <199706020619.IAA18628@bitbox.follo.net>
From: Eivind Eklund
To: rich@rich.isdn.bcm.tmc.edu
CC: perhaps@yes.no, security@FreeBSD.ORG
In-reply-to: Rich Murphey's message of Fri, 30 May 1997 18:41:27 -0500 (CDT)
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <199705302341.SAA08966@rich.isdn.bcm.tmc.edu>

> > |Hopefully XFree will provide replacement libraries soon; if not, I'll
> > |try to do it, but I'm not presently equipped to compile new libraries
> > |for all FreeBSD versions. (The XFree liaison is Cc:'ed - can you
> > |comment on this, Rich?)
> >
> > I guess I've missed other discussions about the bug.
> > We can include the patch for freebsd until XFree86
> > picks it up if that's the consensus.

I don't know how quickly we feel we need to react - if XFree 3.3 comes
in two weeks (as the rumors say), then we can depend on that and
still have as quick a response as most commercial vendors. However, Red
Hat has already provided a binary patch for _their_ systems.

Depends on how people feel; I'm not quite certain how we should
react to bugs in bundled software.

> Have you talked to anyone else with XFree86 about it?

No. However, it is all over bugtraq, so I guess they should know.

Eivind.
From owner-freebsd-security Sun Jun 1 23:29:05 1997
Date: Mon, 2 Jun 1997 08:28:01 +0200 (MET DST)
Message-Id: <199706020628.IAA18656@bitbox.follo.net>
From: Eivind Eklund
To: David Dawes
CC: perhaps@yes.no, security@FreeBSD.ORG, rich@FreeBSD.ORG
In-reply-to: David Dawes's message of Sat, 31 May 1997 11:33:02 +1000
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <19970531113302.04820@rf900.physics.usyd.edu.au>

> On Fri, May 30, 1997 at 05:38:02PM +0200, Eivind Eklund wrote:
>
> >There is presently at least one hole in the X11 libraries (a buffer
> >overflow) being passed around in hacker circles. This buffer overrun
> >makes it possible to exploit any setuid program for X11 (e.g. xterm)
> >user set to; xterm (and others) give root.
>
> >Hopefully XFree will provide replacement libraries soon; if not, I'll
> >try to do it, but I'm not presently equipped to compile new libraries
> >for all FreeBSD versions. (The XFree liaison is Cc:'ed - can you
> >comment on this, Rich?)
>
> XFree86 is aware of two Xlib buffer overflows which are present in
> the base X11R6.3 code. One is related to the -xrm command line flag,
> and the other is related to the locale-related environment variables.
> Xterm built from XFree86 3.1.2 and later source happens to be immune
> from the first problem because it runs the vulnerable code with the
> euid == ruid.

How this helps against a buffer overflow is unclear to me. You'd just
need to do setuid(0) as a syscall in the shellcode to bypass it,
wouldn't you?

> We have fixes for both of these problems, and they will be included in
> our 3.3 release, which should be available some time in the next week.
> We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
> 3.0-CURRENT (using the 970520-SNAP).
>
> If you know of any other Xlib (or other) vulnerabilities, please let me
> know *now* (send details to XFree86@XFree86.org) so that we can attempt
> to have them fixed in 3.3. We close off 3.3 completely in a day or two.

I know of no more. One question, though: Will it be possible to get a
secure 3.2(a) by replacing just the relevant libraries with the ones
from 3.3? (Doing a full new X install is somewhat more of an
operation than just surgically replacing libraries. Would be nice if
people could do that - increase user confidence etc)

Eivind.

From owner-freebsd-security Sun Jun 1 23:50:26 1997
Message-ID: <19970602164945.36050@rf900.physics.usyd.edu.au>
Date: Mon, 2 Jun 1997 16:49:45 +1000
From: David Dawes
To: Eivind Eklund
Cc: security@FreeBSD.ORG, rich@FreeBSD.ORG
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <19970531113302.04820@rf900.physics.usyd.edu.au> <199706020628.IAA18656@bitbox.follo.net>
In-Reply-To: <199706020628.IAA18656@bitbox.follo.net>; from Eivind Eklund on Mon, Jun 02, 1997 at 08:28:01AM +0200

On Mon, Jun 02, 1997 at 08:28:01AM +0200, Eivind Eklund wrote:
>> XFree86 is aware of two Xlib buffer overflows which are present in
>> the base X11R6.3 code. One is related to the -xrm command line flag,
>> and the other is related to the locale-related environment variables.
>> Xterm built from XFree86 3.1.2 and later source happens to be immune
>> from the first problem because it runs the vulnerable code with the
>> euid == ruid.
>
>How this helps against a buffer overflow is unclear to me. You'd just
>need to do setuid(0) as a syscall in the shellcode to bypass it,
>wouldn't you?

That's right. I suppose what I should have said is the standard exploit
scripts don't result in a root shell. With a little more effort, it is
still vulnerable.

>> We have fixes for both of these problems, and they will be included in
>> our 3.3 release, which should be available some time in the next week.
>> We'll be providing binary distributions for FreeBSD 2.1.7, 2.2.x, and
>> 3.0-CURRENT (using the 970520-SNAP).
>>
>> If you know of any other Xlib (or other) vulnerabilities, please let me
>> know *now* (send details to XFree86@XFree86.org) so that we can attempt
>> to have them fixed in 3.3. We close off 3.3 completely in a day or two.
>
>I know of no more. One question, though: Will it be possible to get a
>secure 3.2(a) by replacing just the relevant libraries with the ones
>from 3.3? (Doing a full new X install is somewhat more of an
>operation than just surgically replacing libraries. Would be nice if
>people could do that - increase user confidence etc)

Yes, that is possible. The minor version number of some libraries
changed between 3.2 and 3.2A because of the change from R6.1 to R6.3,
but that shouldn't be a problem.
David

From owner-freebsd-security Sun Jun 1 23:58:10 1997
Message-ID: <19970602165734.49045@rf900.physics.usyd.edu.au>
Date: Mon, 2 Jun 1997 16:57:34 +1000
From: David Dawes
To: Eivind Eklund
Cc: rich@rich.isdn.bcm.tmc.edu, security@FreeBSD.ORG
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <199705302341.SAA08966@rich.isdn.bcm.tmc.edu> <199706020619.IAA18628@bitbox.follo.net>
In-Reply-To: <199706020619.IAA18628@bitbox.follo.net>; from Eivind Eklund on Mon, Jun 02, 1997 at 08:19:32AM +0200

On Mon, Jun 02, 1997 at 08:19:32AM +0200, Eivind Eklund wrote:
>> |Hopefully XFree will provide replacement libraries soon; if not, I'll
>> |try to do it, but I'm not presently equipped to compile new libraries
>> |for all FreeBSD versions. (The XFree liaison is Cc:'ed - can you
>> |comment on this, Rich?)
>>
>> I guess I've missed other discussions about the bug.
>> We can include the patch for freebsd until XFree86
>> picks it up if that's the consensus.
>
>I don't know how quickly we feel we need to react - if XFree 3.3 comes
>in two weeks (as the rumors say), then we can depend on that and
>still have as quick a response as most commercial vendors. However, Red
>Hat has already provided a binary patch for _their_ systems.

XFree86 3.3 was just finalised, and will be released this week.

>Depends on how people feel; I'm not quite certain how we should
>react to bugs in bundled software.
>
>> Have you talked to anyone else with XFree86 about it?
>
>No. However, it is all over bugtraq, so I guess they should know.

You shouldn't make such assumptions. As it turns out we did know about
it. But, if everyone had assumed that we wouldn't have known about it
in time to do anything about it for this release.

David

From owner-freebsd-security Mon Jun 2 03:15:18 1997
From: Darren Reed
Message-Id: <199706021015.UAA26583@plum.cyber.com.au>
Subject: TCP RST Handling in 2.2
To: security@freebsd.org
Date: Mon, 2 Jun 1997 20:15:08 +1000 (EST)

Can someone cross check with the RFC (I will later), but there are no
ack/seq numbers checked for an RST packet. Is this deliberate ?

Look at the code paths which lead to ~line 1121 of tcp_input.c, which I
see as:

	if (tiflags&TH_RST) switch (tp->t_state) {

Consider the case of an RST-only packet as well as an RST+ACK packet.

Darren

From owner-freebsd-security Mon Jun 2 03:21:11 1997
Date: Mon, 2 Jun 1997 12:20:26 +0200 (MET DST)
Message-Id: <199706021020.MAA19289@bitbox.follo.net>
From: Eivind Eklund
To: David Dawes
CC: perhaps@yes.no, rich@rich.isdn.bcm.tmc.edu, security@FreeBSD.ORG
In-reply-to: David Dawes's message of Mon, 2 Jun 1997 16:57:34 +1000
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <199705302341.SAA08966@rich.isdn.bcm.tmc.edu> <199706020619.IAA18628@bitbox.follo.net> <19970602165734.49045@rf900.physics.usyd.edu.au>

> >Depends on how people feel; I'm not quite certain how we should
> >react to bugs in bundled software.
> >
> >> Have you talked to anyone else with XFree86 about it?
> >
> >No. However, it is all over bugtraq, so I guess they should know.
>
> You shouldn't make such assumptions. As it turns out we did know about
> it. But, if everyone had assumed that we wouldn't have known about it
> in time to do anything about it for this release.

You know, I'm literally getting shivers down my spine when you say
that. BugTraq has 10k subscribers. When it has been posted there, it
should (IMHO) be more visible to a developer than if it had been on
the front page of all newspapers every day the last week.

Sure, I can forward (which I more or less did, by Cc:'ing Rich) - but
it absolutely, positively shouldn't be necessary.

Eivind.

(Sorry for the strong wording, but I'm actually quite upset by this.
I don't like doing this to people who are giving me of their time for
free. :-(

From owner-freebsd-security Mon Jun 2 04:05:56 1997
Message-ID: <19970602210520.43280@rf900.physics.usyd.edu.au>
Date: Mon, 2 Jun 1997 21:05:20 +1000
From: David Dawes
To: Eivind Eklund
Cc: rich@rich.isdn.bcm.tmc.edu, security@FreeBSD.ORG
Subject: Re: X libraries
References: <199705301538.RAA08714@bitbox.follo.net> <199705302341.SAA08966@rich.isdn.bcm.tmc.edu> <199706020619.IAA18628@bitbox.follo.net> <19970602165734.49045@rf900.physics.usyd.edu.au> <199706021020.MAA19289@bitbox.follo.net>
In-Reply-To: <199706021020.MAA19289@bitbox.follo.net>; from Eivind Eklund on Mon, Jun 02, 1997 at 12:20:26PM +0200

On Mon, Jun 02, 1997 at 12:20:26PM +0200, Eivind Eklund wrote:
>> >Depends on how people feel; I'm not quite certain how we should
>> >react to bugs in bundled software.
>> >
>> >> Have you talked to anyone else with XFree86 about it?
>> >
>> >No. However, it is all over bugtraq, so I guess they should know.
>>
>> You shouldn't make such assumptions. As it turns out we did know about
>> it. But, if everyone had assumed that we wouldn't have known about it
>> in time to do anything about it for this release.
>
>You know, I'm literally getting shivers down my spine when you say
>that. BugTraq has 10k subscribers. When it has been posted there, it
>should (IMHO) be more visible to a developer than if it had been on
>the front page of all newspapers every day the last week.
>
>Sure, I can forward (which I more or less did, by Cc:'ing Rich) - but
>it absolutely, positively shouldn't be necessary.

Well, I've asked for someone on our large beta team to step forward and
be our "security officer", but nobody seemed to be interested. There is
a limit to what I can do personally, and I don't believe that I am
qualified enough in regard to security issues to deal with this properly
anyway. If anyone here wants to volunteer, please do.

>(Sorry for the strong wording, but I'm actually quite upset by this.
>I don't like doing this to people who are giving me of their time for
>free. :-(

Maybe you should direct your complaints to the source of the code, i.e.,
The Open Group (formerly OSF) since the X Consortium ceased. They didn't
appear to be aware of the problems before we were.

David

From owner-freebsd-security Mon Jun 2 12:28:48 1997
Date: Mon, 2 Jun 1997 14:26:51 -0500 (EST)
From: Steve Ames
Message-Id: <199706021926.OAA23172@ns1.cioe.com>
To: freebsd-security@freebsd.org
Subject: master.passwd

Every now and again a file called /etc/master.passwd.crash##### will
appear. This file is world readable. Anyone want to fix it so that
whatever piece of software creates that file sets the permissions
correctly?

-Steve

From owner-freebsd-security Mon Jun 2 15:38:36 1997
From: Darren Reed
Message-Id: <199706022238.IAA29632@plum.cyber.com.au>
Subject: Re: TCP RST Handling in 2.2 (fwd)
To: security@freebsd.org
Date: Tue, 3 Jun 1997 08:38:23 +1000 (EST)

Bakul Shah forwarded to me the relevant part of the RFC. I think there
is some missing code.

[...]
> Reset Processing
>
> All reset (RST) segments are validated by checking their SEQ-fields.
> A reset is valid if its sequence number is in the window. In the case
> of a RST received in response to an initial SYN any sequence number is
> acceptable if the ACK field acknowledges the SYN.
>
> The receiver of a RST first validates it, then changes state. If the
> receiver was in the LISTEN state, it ignores it. If the receiver was
> in SYN-RECEIVED state and had previously been in the LISTEN state,
> then the receiver returns to the LISTEN state, otherwise the receiver
> aborts the connection and goes to the CLOSED state. If the receiver
> was in any other state, it aborts the connection and advises the user
> and goes to the CLOSED state.
[...]

Currently, not even the SEQ number is verified (for an RST packet) - i.e.
that the ACK does acknowledge the SYN.

I think there is room for improvement in the code. Comments ?

Darren

p.s. I've brought this up because of people's experience with IP Filter
which currently won't allow any TCP packets through if they are
outside either window (when "keep state" is used). A case has been
presented where the RST being sent back has a 0 ACK field but a
non-zero SEQ field.

From owner-freebsd-security Mon Jun 2 16:30:21 1997
Date: Mon, 2 Jun 1997 19:24:55 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199706022324.TAA25329@khavrinen.lcs.mit.edu>
To: Darren Reed
Cc: security@FreeBSD.ORG
Subject: Re: TCP RST Handling in 2.2 (fwd)
In-Reply-To: <199706022238.IAA29632@plum.cyber.com.au>
References: <199706022238.IAA29632@plum.cyber.com.au>

< said:

> Currently, not even the SEQ number is verified (for an RST packet) - i.e.
> that the ACK does acknowledge the SYN.

> I think there is room for improvement in the code. Comments ?

Certainly. It might also be worth implementing the three-way RST
handshake which has been proposed by some to fill some theoretical
gaps in TCP's handling of resets which could (very rarely) result in
innocent connections getting reset.

I don't propose to do either myself, however, although I'm happy to
look at anyone else's attempt to do so.

-GAWollman

--
Garrett A.
Wollman | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon Jun 2 17:39:00 1997
From: Michael Smith
Message-Id: <199706030038.KAA27794@genesis.atrad.adelaide.edu.au>
Subject: Re: TCP RST Handling in 2.2 (fwd)
In-Reply-To: <199706022238.IAA29632@plum.cyber.com.au> from Darren Reed at "Jun 3, 97 08:38:23 am"
To: darrenr@cyber.com.au (Darren Reed)
Date: Tue, 3 Jun 1997 10:08:48 +0930 (CST)
Cc: security@FreeBSD.ORG

Darren Reed stands accused of saying:
>
> Darren
>
> p.s. I've brought this up because of people's experience with IP Filter
> which currently won't allow any TCP packets through if they are
> outside either window (when "keep state" is used). A case has been
> presented where the RST being sent back has a 0 ACK field but a
> non-zero SEQ field.

Speaking of ipfilter, I was trying to help someone build it on a 2.2
box last night. Have you tested it there recently? Where do you define
ACTUALLY_LKM_NOT_KERNEL in your LKM source before including ?

(TBH, we both wanted to use ipfilter because they have a mix of
NetBSD/FreeBSD/Solaris systems and your code runs on all of them, but,
well, there's this little problem 8)

--
]] Mike Smith, Software Engineer                  msmith@gsoft.com.au [[
]] Genesis Software                              genesis@gsoft.com.au [[
]] High-speed data acquisition and         (GSM mobile) 0411-222-496 [[
]] realtime instrument control.                (ph) +61-8-8267-3493 [[
]] Unix hardware collector.           "Where are your PEZ?" The Tick [[

From owner-freebsd-security Mon Jun 2 20:27:45 1997
From: Adam Shostack
Message-Id: <199706030324.XAA20211@homeport.org>
Subject: Re: TCP RST Handling in 2.2 (fwd)
In-Reply-To: <199706022324.TAA25329@khavrinen.lcs.mit.edu> from Garrett Wollman at "Jun 2, 97 07:24:55 pm"
To: wollman@khavrinen.lcs.mit.edu (Garrett Wollman)
Date: Mon, 2 Jun 1997 23:24:15 -0400 (EDT)
Cc: darrenr@cyber.com.au, security@FreeBSD.ORG

Garrett Wollman wrote:
| < said:
|
| > Currently, not even the SEQ number is verified (for an RST packet) - i.e.
| > that the ACK does acknowledge the SYN.
|
| > I think there is room for improvement in the code. Comments ?
|
| Certainly. It might also be worth implementing the three-way RST
| handshake which has been proposed by some to fill some theoretical
| gaps in TCP's handling of resets which could (very rarely) result in
| innocent connections getting reset.

	I'd strongly recommend against implementing a non-standard
TCP mod as anything but an option for those who want to play with it.
Please don't put it in the base code.

--
"It is seldom that liberty of any kind is lost all at once."
						-Hume

From owner-freebsd-security Mon Jun 2 22:29:43 1997
From: John Hay
Message-Id: <199706030523.HAA03199@zibbi.mikom.csir.co.za>
Subject: Re: TCP RST Handling in 2.2 (fwd)
In-Reply-To: <199706030324.XAA20211@homeport.org> from Adam Shostack at "Jun 2, 97 11:24:15 pm"
To: adam@homeport.org (Adam Shostack)
Date: Tue, 3 Jun 1997 07:23:20 +0200 (SAT)
Cc: wollman@khavrinen.lcs.mit.edu, darrenr@cyber.com.au, security@FreeBSD.ORG

>
> Garrett Wollman wrote:
> | < said:
> |
> | > Currently, not even the SEQ number is verified (for an RST packet) - i.e.
> | > that the ACK does acknowledge the SYN.
> |
> | > I think there is room for improvement in the code. Comments ?
> |
> | Certainly. It might also be worth implementing the three-way RST
> | handshake which has been proposed by some to fill some theoretical
> | gaps in TCP's handling of resets which could (very rarely) result in
> | innocent connections getting reset.
>
> I'd strongly recommend against implementing a non-standard
> TCP mod as anything but an option for those who want to play with it.
> Please don't put it in the base code.
>

But if we can get something better than we have now, I would feel a lot
better. Last week we had the case here where tcp connections between
machines would just die at random with a "connection reset by peer"
message. It turned out that there was an old Windows 3.1 box with
Trumpet Winsock v1.0b which sent Reset messages "at random" for
connections that had nothing to do with it, except that it was on the
same piece of ethernet coax.

John
--
John Hay -- John.Hay@mikom.csir.co.za

From owner-freebsd-security Tue Jun 3 00:11:59 1997
From: Darren Reed
Message-Id: <199706030711.RAA01953@plum.cyber.com.au>
Subject: Re: TCP RST Handling in 2.2 (fwd)
To: adam@homeport.org (Adam Shostack)
Date: Tue, 3 Jun 1997 17:11:24 +1000 (EST)
Cc: wollman@khavrinen.lcs.mit.edu, darrenr@cyber.com.au, security@FreeBSD.ORG
In-Reply-To: <199706030324.XAA20211@homeport.org> from "Adam Shostack" at Jun 2, 97 11:24:15 pm

In some mail I received from Adam Shostack, sie wrote
> Garrett Wollman wrote:
> | < said:
> |
> | > Currently, not even the SEQ number is verified (for an RST packet) - i.e.
> | > that the ACK does acknowledge the SYN.
> |
> | > I think there is room for improvement in the code. Comments ?
> |
> | Certainly. It might also be worth implementing the three-way RST
> | handshake which has been proposed by some to fill some theoretical
> | gaps in TCP's handling of resets which could (very rarely) result in
> | innocent connections getting reset.
>
> I'd strongly recommend against implementing a non-standard
> TCP mod as anything but an option for those who want to play with it.
> Please don't put it in the base code.

Ahem. This isn't a "play" thing. It's a bug which needs fixing.

Darren

From owner-freebsd-security Tue Jun 3 03:25:33 1997
From: "Brad Bates"
To: "Michael Haro"
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
Date: Tue, 3 Jun 1997 06:23:03 -0400

Michael,

First, you may want to check in with the security mail group and keep
this out of the question group. See the freebsd-security information on
the Support page at the fbsd site nearest you.

Also, most folks would prefer that any security hole, whether real or
suspected, not be generally announced until it is dealt with -- if you
identify a problem to the right folks they will fix it, and then
announce the fix. This helps people with less resources keep their
systems secure until the fixes are available, and keeps the less mature
of those on the Internet (bad boys & girls) from finding out about
something they may have overlooked. The security folks will let you know
how to report it, and may want some very specific details.

As for "holes" (bugs) in existing code, well, that's part of life. No
system is 100% secure. If you get a chance, take a read of Practical
UNIX & Internet Security by Garfinkel & Spafford, or some comparable
book to learn more about that.

Thanks for the information, and good luck cleaning up your system.

bab

----------
> From: Michael Haro
> To: freebsd-questions@FreeBSD.ORG
> Cc: perl@netmug.org
> Subject: Security problem with FreeBSD 2.2.1 default installation
> Date: Monday, June 02, 1997 11:20 PM
>
> Hi, yesterday one of my users gained root access to my system.
> They did it by exploiting a bug in /usr/bin/sperl4*
> Why does FreeBSD ship with a security hole? Is this a new one that you didn't
> know about? How can I remedy the problem? Right now, I deleted the file from
> the server. I am new to FreeBSD and would like to know how to fix it.
> > Thanks, > Michael perl@netmug.org From owner-freebsd-security Tue Jun 3 03:40:33 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA21297 for security-outgoing; Tue, 3 Jun 1997 03:40:33 -0700 (PDT) Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id DAA21234 for ; Tue, 3 Jun 1997 03:39:58 -0700 (PDT) Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id UAA02820 for security@freebsd.org; Tue, 3 Jun 1997 20:39:11 +1000 From: Darren Reed Message-Id: <199706031039.UAA02820@plum.cyber.com.au> Subject: Re: TCP RST Handling in 2.2 (fwd) To: security@freebsd.org Date: Tue, 3 Jun 1997 20:39:11 +1000 (EST) In-Reply-To: <199706030324.XAA20211@homeport.org> from "Adam Shostack" at Jun 2, 97 11:24:15 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I've hacked on tcp_input() a bit and changed the handling of an RST. I'd like it if a few others also tested this patch, seems to work ok for me. Cheers, Darren *** /sys/netinet/tcp_input.c.orig Tue Jun 3 20:26:02 1997 --- /sys/netinet/tcp_input.c Tue Jun 3 20:27:35 1997 *************** *** 1118,1145 **** * CLOSING, LAST_ACK, TIME_WAIT STATES * Close the tcb. */ ! if (tiflags&TH_RST) switch (tp->t_state) { ! case TCPS_SYN_RECEIVED: ! so->so_error = ECONNREFUSED; ! goto close; ! case TCPS_ESTABLISHED: ! case TCPS_FIN_WAIT_1: ! case TCPS_FIN_WAIT_2: ! case TCPS_CLOSE_WAIT: ! so->so_error = ECONNRESET; ! close: ! tp->t_state = TCPS_CLOSED; ! tcpstat.tcps_drops++; ! tp = tcp_close(tp); ! goto drop; ! case TCPS_CLOSING: ! case TCPS_LAST_ACK: ! case TCPS_TIME_WAIT: ! tp = tcp_close(tp); ! goto drop; } /* --- 1118,1153 ---- * CLOSING, LAST_ACK, TIME_WAIT STATES * Close the tcb. */ ! if (tiflags&TH_RST) { ! if ((ti->ti_seq != tp->rcv_nxt) || ! (ti->ti_ack && ((SEQ_LEQ(ti->ti_ack, tp->iss) || ! SEQ_GT(ti->ti_ack, tp->snd_max))))) ! 
goto drop; ! switch (tp->t_state) { ! ! case TCPS_SYN_RECEIVED: ! so->so_error = ECONNREFUSED; ! goto close; ! case TCPS_ESTABLISHED: ! case TCPS_FIN_WAIT_1: ! case TCPS_FIN_WAIT_2: ! case TCPS_CLOSE_WAIT: ! so->so_error = ECONNRESET; ! close: ! tp->t_state = TCPS_CLOSED; ! tcpstat.tcps_drops++; ! tp = tcp_close(tp); ! goto drop; ! ! case TCPS_CLOSING: ! case TCPS_LAST_ACK: ! case TCPS_TIME_WAIT: ! tp = tcp_close(tp); ! goto drop; ! } } /* From owner-freebsd-security Tue Jun 3 04:19:03 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA22865 for security-outgoing; Tue, 3 Jun 1997 04:19:03 -0700 (PDT) Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA22860 for ; Tue, 3 Jun 1997 04:19:01 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with SMTP id EAA06181; Tue, 3 Jun 1997 04:20:16 -0700 (PDT) Message-Id: <199706031120.EAA06181@implode.root.com> X-Authentication-Warning: implode.root.com: localhost [127.0.0.1] didn't use HELO protocol To: Darren Reed cc: security@FreeBSD.ORG Subject: Re: TCP RST Handling in 2.2 (fwd) In-reply-to: Your message of "Tue, 03 Jun 1997 20:39:11 +1000." <199706031039.UAA02820@plum.cyber.com.au> From: David Greenman Reply-To: dg@root.com Date: Tue, 03 Jun 1997 04:20:16 -0700 Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >! if (tiflags&TH_RST) { > >! if ((ti->ti_seq != tp->rcv_nxt) || >! (ti->ti_ack && ((SEQ_LEQ(ti->ti_ack, tp->iss) || >! SEQ_GT(ti->ti_ack, tp->snd_max))))) >! goto drop; This looks highly bogus to me. What happens if the server crashes and comes back up? The code as written above appears to drop all attempts by the server to issue an RST...right? 
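Review bot: the new validity test at the top of the `if (tiflags&TH_RST)` block has two problems. First, `ti->ti_ack &&` uses the value of the ACK field as a stand-in for the ACK flag; an acknowledgement number of 0 is legal, and a segment without TH_ACK may carry anything in that field, so the condition should be on `(tiflags & TH_ACK)`. Second, `ti->ti_seq != tp->rcv_nxt` is stricter than RFC 793, which treats an RST as valid when its sequence number falls anywhere in the receive window: a peer that aborts after sending data we have not yet received puts its snd_nxt in the RST, which is inside our window but not equal to rcv_nxt, and this patch would silently ignore it and leave the connection hanging until it times out. A window test such as `SEQ_GEQ(ti->ti_seq, tp->rcv_nxt) && SEQ_LT(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd)` keeps the protection against stray RSTs without that regression. Also, `SEQ_LEQ(ti->ti_ack, tp->iss)` accepts any ACK above our ISS; for ESTABLISHED and later states `tp->snd_una` is the meaningful lower bound. A short comment above the test saying which RSTs it is meant to reject would help the next reader.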
-DG David Greenman Core-team/Principal Architect, The FreeBSD Project From owner-freebsd-security Tue Jun 3 04:24:50 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA23222 for security-outgoing; Tue, 3 Jun 1997 04:24:50 -0700 (PDT) Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id EAA23208 for ; Tue, 3 Jun 1997 04:24:32 -0700 (PDT) Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id VAA03044; Tue, 3 Jun 1997 21:23:50 +1000 From: Darren Reed Message-Id: <199706031123.VAA03044@plum.cyber.com.au> Subject: Re: TCP RST Handling in 2.2 (fwd) To: dg@root.com Date: Tue, 3 Jun 1997 21:23:49 +1000 (EST) Cc: security@freebsd.org In-Reply-To: <199706031120.EAA06181@implode.root.com> from "David Greenman" at Jun 3, 97 04:20:16 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In some mail I received from David Greenman, sie wrote > > >! if (tiflags&TH_RST) { > > > >! if ((ti->ti_seq != tp->rcv_nxt) || > >! (ti->ti_ack && ((SEQ_LEQ(ti->ti_ack, tp->iss) || > >! SEQ_GT(ti->ti_ack, tp->snd_max))))) > >! goto drop; > > This looks highly bogus to me. What happens if the server crashes and comes > back up? The code as written above appears to drop all attempts by the server > to issue an RST...right? No. An RST must be issued for a packet that it has received. These usually come out of tcp_respond() which uses the original packet (with the SEQ & ACK numbers). Or is there a situation which I'm missing here ? 
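The trade-off David and Darren are arguing about, as an added example that is neither the patch nor FreeBSD code: two acceptance rules for an incoming RST, the patch's exact match on rcv_nxt and RFC 793's in-window test, run over constructed segments covering a stray RST from a third party, a rebooted peer answering our data, and a peer abort that is ahead of data we have not received. The connection state and the segments are made up for the demonstration; the ACK check is done on the ACK flag and against snd_una, which is this example's choice rather than the patch's.

```c
/*
 * rst_policy.c: which incoming RSTs should be honoured?
 *
 * Added example for this thread; not FreeBSD code. It models two policies:
 *   rst_ok_exact  - the posted patch's rule: seq must equal rcv_nxt exactly
 *                   (ACK range check kept, but tested on the ACK flag and
 *                   against snd_una, this example's choice, not the patch's).
 *   rst_ok_window - RFC 793 section 3.4: accept if seq is anywhere in the
 *                   receive window.
 * The control block and segments below are constructed for the demonstration.
 */
#include <stdint.h>
#include <stdio.h>

#define TH_RST 0x04
#define TH_ACK 0x10

/* Modular sequence-space comparisons, as in netinet/tcp_seq.h. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* The parts of the receiver's control block that RST validation needs. */
struct tcb {
    uint32_t rcv_nxt; /* next sequence number expected from the peer */
    uint32_t rcv_wnd; /* receive window we currently advertise */
    uint32_t snd_una; /* oldest byte we sent that is still unacknowledged */
    uint32_t snd_max; /* one past the highest byte we have sent */
};

/* The fields of an incoming segment that matter here. */
struct seg {
    uint32_t seq;
    uint32_t ack;
    int flags;
};

/* Patch-style rule. Returns 1 to honour the RST, 0 to drop it. */
int rst_ok_exact(const struct tcb *tp, const struct seg *s)
{
    if (!(s->flags & TH_RST))
        return 0;
    if (s->seq != tp->rcv_nxt)
        return 0;
    if ((s->flags & TH_ACK) &&
        (SEQ_LT(s->ack, tp->snd_una) || SEQ_GT(s->ack, tp->snd_max)))
        return 0;
    return 1;
}

/* RFC 793 rule: accept if rcv_nxt <= seq < rcv_nxt + rcv_wnd. */
int rst_ok_window(const struct tcb *tp, const struct seg *s)
{
    if (!(s->flags & TH_RST))
        return 0;
    if (tp->rcv_wnd == 0)          /* zero window: only the exact edge */
        return s->seq == tp->rcv_nxt;
    return SEQ_GEQ(s->seq, tp->rcv_nxt) &&
           SEQ_LT(s->seq, tp->rcv_nxt + tp->rcv_wnd);
}

int main(void)
{
    /* Constructed state: we expect byte 1000 next, advertise 16 KiB, and
     * have bytes 5000..5999 outstanding. */
    const struct tcb tp = { 1000, 16384, 5000, 6000 };
    const struct {
        const char *what;
        struct seg s;
    } cases[] = {
        /* A third party on the wire (the Trumpet case) guessing a number. */
        { "stray RST, seq far outside window", { 777777, 0, TH_RST } },
        /* Peer lost all state (reboot) and answers our data segment via
         * tcp_respond(): seq = the ack we sent = rcv_nxt, no ACK flag. */
        { "rebooted peer answering our data", { 1000, 0, TH_RST } },
        /* Peer's application aborted after sending 500 bytes we never
         * received: seq = its snd_nxt, inside our window but past rcv_nxt. */
        { "peer abort after unreceived data", { 1500, 0, TH_RST } },
        /* RST carrying an ACK number we never sent. */
        { "RST acking beyond snd_max", { 1000, 9000, TH_RST | TH_ACK } },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s exact=%d window=%d\n", cases[i].what,
               rst_ok_exact(&tp, &cases[i].s), rst_ok_window(&tp, &cases[i].s));
    return 0;
}
```

Compile with cc rst_policy.c and run it; the third case is the one where the two rules part ways, and it is the one David's question is really about.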
Darren From owner-freebsd-security Tue Jun 3 05:09:17 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA24628 for security-outgoing; Tue, 3 Jun 1997 05:09:17 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA24623 for ; Tue, 3 Jun 1997 05:09:08 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id IAA21853; Tue, 3 Jun 1997 08:04:54 -0400 (EDT) From: Adam Shostack Message-Id: <199706031204.IAA21853@homeport.org> Subject: Re: TCP RST Handling in 2.2 (fwd) In-Reply-To: <199706030523.HAA03199@zibbi.mikom.csir.co.za> from John Hay at "Jun 3, 97 07:23:20 am" To: jhay@zibbi.mikom.csir.co.za (John Hay) Date: Tue, 3 Jun 1997 08:04:54 -0400 (EDT) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk That's a bug in trumpet, which should be fixed there. Is there an RFC which details this mod you're suggesting? I'd hate to see my OpenBSD boxes react even more negatively to freebsd. Arbitrary extra rst packets arriving worry me. (Right now, they refuse to talk NFS to a freebsd server with virtual interfaces, since the kernel doesn't send packets back with the right IP address. OpenBSD assumes that a spoof is taking place.) Adam PS To Darren: This is the change I was referring to, not fixing the bug you were pointing out. John Hay wrote: | > | Certainly. It might also be worth implementing the three-way RST | > | handshake which has been proposed by some to fill some theoretical | > | gaps in TCP's handling of resets which could (very rarely) result in | > | innocent connections getting reset. | > | > I'd strongly recommend against implementing a non standard | > TCP mod as anything but an option for those who want to play with it. 
| > Please don't put it in the base code. | > | | But if we can get something better than we have now, I would feel a lot | better. Last week we had the case here where tcp connections between | machines would just die at random with a "connection reset by peer" | message. It turned out that there was an old Windows 3.1 box with | Trumpet Winsock v1.0b which sends Reset messages "at random" for connections | that had nothing to do with it, except that it was on the same piece | of ethernet coax. | | John | -- | John Hay -- John.Hay@mikom.csir.co.za | -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-freebsd-security Tue Jun 3 06:04:16 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA27265 for security-outgoing; Tue, 3 Jun 1997 06:04:16 -0700 (PDT) Received: from agora.rdrop.com (root@agora.rdrop.com [199.2.210.241]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA27260 for ; Tue, 3 Jun 1997 06:04:14 -0700 (PDT) Received: from zibbi.mikom.csir.co.za (zibbi.mikom.csir.co.za [146.64.24.58]) by agora.rdrop.com (8.8.5/8.8.5) with ESMTP id GAA25527 for ; Tue, 3 Jun 1997 06:03:46 -0700 (PDT) Received: (from jhay@localhost) by zibbi.mikom.csir.co.za (8.8.5/8.8.5) id PAA09997; Tue, 3 Jun 1997 15:01:18 +0200 (SAT) From: John Hay Message-Id: <199706031301.PAA09997@zibbi.mikom.csir.co.za> Subject: Re: TCP RST Handling in 2.2 (fwd) In-Reply-To: <199706031204.IAA21853@homeport.org> from Adam Shostack at "Jun 3, 97 08:04:54 am" To: adam@homeport.org (Adam Shostack) Date: Tue, 3 Jun 1997 15:01:18 +0200 (SAT) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL31 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > That's a bug in trumpet, which should be fixed there. Is there an RFC > which details this mod you're suggesting? 
I'd hate to see my OpenBSD > boxes react even more negatively to freebsd. Arbitrary extra rst > packets arriving worry me. I agree that it is a bug in trumpet, but I still don't think another machine should be able to just kill my connections like it is now. > > (Right now, they refuse to talk NFS to a freebsd server with virtual > interfaces, since the kernel doesn't send packets back with the right > IP address. OpenBSD assumes that a spoof is taking place.) > > Adam > > PS To Darren: This is the change I was referring to, not fixing the > bug you were pointing out. > > John Hay wrote: > > | > | Certainly. It might also be worth implementing the three-way RST > | > | handshake which has been proposed by some to fill some theoretical > | > | gaps in TCP's handling of resets which could (very rarely) result in > | > | innocent connections getting reset. > | > > | > I'd strongly recommend against implementing a non standard > | > TCP mod as anything but an option for those who want to play with it. > | > Please don't put it in the base code. > | > > | > > | But if we can get something better than we have now, I would feel a lot > | better. Last week we had the case here where tcp connections between > | machines would just die at random with a "connection reset by peer" > | message. It turned out that there was an old Windows 3.1 box with > | Trumpet Winsock v1.0b which sends Reset messages "at random" for connections > | that had nothing to do with it, except that it was on the same piece > | of ethernet coax. 
> | John -- John Hay -- John.Hay@mikom.csir.co.za From owner-freebsd-security Tue Jun 3 08:30:37 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA04219 for security-outgoing; Tue, 3 Jun 1997 08:30:37 -0700 (PDT) Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA04135 for ; Tue, 3 Jun 1997 08:30:01 -0700 (PDT) Received: from sunfire.cs.iastate.edu (sunfire.cs.iastate.edu [129.186.3.46]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id KAA15013; Tue, 3 Jun 1997 10:29:18 -0500 (CDT) Received: from localhost (ghelmer@localhost) by sunfire.cs.iastate.edu (8.8.5/8.7.1) with SMTP id KAA16577; Tue, 3 Jun 1997 10:29:18 -0500 (CDT) X-Authentication-Warning: sunfire.cs.iastate.edu: ghelmer owned process doing -bs Date: Tue, 3 Jun 1997 10:29:16 -0500 (CDT) From: Guy Helmer To: Michael Haro cc: freebsd-security@freebsd.org Subject: Re: Security problem with FreeBSD 2.2.1 default installation In-Reply-To: <199706030320.UAA14616@netmug.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 2 Jun 1997, Michael Haro wrote: > Hi, yesterday one of my users gained root access to my system. > They did it by exploiting a bug in /usr/bin/sperl4* > Why does FreeBSD ship with a security hole? Is this a new one that you didn't > know about? How can I remedy the problem? Right now, I deleted the file from > the server. I am new to FreeBSD and would like to know how to fix it. See the CERT Advisory CA-97.17 (sperl) for this problem at ftp://info.cert.org/pub/cert_advisories/CA-97.17.sperl dated May 29, 1997. It would not have been known at the time FreeBSD 2.2.1 (or 2.2.2, for that matter) was released. The simplest way to overcome this vulnerability is to remove /usr/bin/sperl4.036 and /usr/bin/suidperl, but setuid Perl scripts will no longer work. 
(If you have installed the Perl5 package and it was Perl version 5.003 or earlier, you will also need to track down its sperl5.xxx & suidperl and remove them.) FWIW, it's a fair bet that any UNIX release has security holes. That's why it's important to watch CERT, CIAC, and bugtraq, as well as your vendor's mail list (e.g., freebsd-security@freebsd.org), for security notices. Guy Helmer Guy Helmer, Computer Science Grad Student, Iowa State - ghelmer@cs.iastate.edu http://www.cs.iastate.edu/~ghelmer From owner-freebsd-security Tue Jun 3 08:44:43 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA05025 for security-outgoing; Tue, 3 Jun 1997 08:44:43 -0700 (PDT) Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA05017 for ; Tue, 3 Jun 1997 08:44:38 -0700 (PDT) Received: from sunfire.cs.iastate.edu (sunfire.cs.iastate.edu [129.186.3.46]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id KAA16598 for ; Tue, 3 Jun 1997 10:44:34 -0500 (CDT) Received: from localhost (ghelmer@localhost) by sunfire.cs.iastate.edu (8.8.5/8.7.1) with SMTP id KAA16599 for ; Tue, 3 Jun 1997 10:44:34 -0500 (CDT) X-Authentication-Warning: sunfire.cs.iastate.edu: ghelmer owned process doing -bs Date: Tue, 3 Jun 1997 10:44:33 -0500 (CDT) From: Guy Helmer To: freebsd-security@freebsd.org Subject: Re: Security problem with FreeBSD 2.2.1 default installation In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > On Mon, 2 Jun 1997, Michael Haro wrote: > > [... report of suidperl exploit ...] > [my response] I just checked the bugtraq archives and found an exploit for sperl4.036 and sperl 5.00x on FreeBSD was posted April 21! I guess no one watches bugtraq?!? 
Guy Helmer, Computer Science Grad Student, Iowa State - ghelmer@cs.iastate.edu http://www.cs.iastate.edu/~ghelmer From owner-freebsd-security Tue Jun 3 09:52:17 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA09015 for security-outgoing; Tue, 3 Jun 1997 09:52:17 -0700 (PDT) Received: from wrzx07.rz.uni-wuerzburg.de (wrzx07.rz.uni-wuerzburg.de [132.187.1.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA09010 for ; Tue, 3 Jun 1997 09:52:13 -0700 (PDT) Received: from wicx50.informatik.uni-wuerzburg.de (mail@wicx50.informatik.uni-wuerzburg.de [132.187.9.50]) by wrzx07.rz.uni-wuerzburg.de (8.8.5/8.8.5) with SMTP id SAA19264; Tue, 3 Jun 1997 18:51:58 +0200 (MET DST) Received: by wicx50.informatik.uni-wuerzburg.de (8.6.12/uniwue-C-3.1a (CIP Gate)) id SAA08997; Tue, 3 Jun 1997 18:51:57 +0200 Received: from tahiti(132.187.9.20) by cipgate via smap (V1.3) id sma008991; Tue Jun 3 18:51:42 1997 Received: by wicx20.informatik.uni-wuerzburg.de (8.8.5/uniwue-C-3.1 (C)) id SAA24768; Tue, 3 Jun 1997 18:51:42 +0200 From: Matthias Buelow Message-Id: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> Subject: Re: Security problem with FreeBSD 2.2.1 default installation To: ghelmer@cs.iastate.edu (Guy Helmer) Date: Tue, 3 Jun 1997 18:51:42 +0200 (MET DST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: from "Guy Helmer" at Jun 3, 97 10:44:33 am Content-Type: text Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > I just checked the bugtraq archives and found an exploit for sperl4.036 > and sperl 5.00x on FreeBSD was posted April 21! > > I guess no one watches bugtraq?!? I was already wondering when I freshly installed 2.1.5 half a year ago that sperl 4.x was still setuid (I remember that Perl's unsafety was already known at least when I was still running 2.1.0 and I also remember some old CERT advisories mentioning freebsd ages ago). Since then it has become routine for me to chmod 0 sperl/setuidperl etc. 
and I'm really wondering how there could be people left who don't know of that ancient hole? I mean, even some of my clueless Linux friends know about the sperl vulnerability. ;) From owner-freebsd-security Tue Jun 3 10:32:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA10733 for security-outgoing; Tue, 3 Jun 1997 10:32:25 -0700 (PDT) Received: from phobos.frii.com (phobos.frii.com [204.144.241.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA10723 for ; Tue, 3 Jun 1997 10:32:20 -0700 (PDT) From: gnat@frii.com Received: from elara.frii.com (elara.frii.com [204.144.241.9]) by phobos.frii.com (8.8.5/8.8.4) with ESMTP id LAA05207; Tue, 3 Jun 1997 11:31:31 -0600 (MDT) Received: (from gnat@localhost) by elara.frii.com (8.8.5/8.6.9) id LAA02257; Tue, 3 Jun 1997 11:31:31 -0600 (MDT) Date: Tue, 3 Jun 1997 11:31:31 -0600 (MDT) Message-Id: <199706031731.LAA02257@elara.frii.com> To: Matthias Buelow Cc: ghelmer@cs.iastate.edu (Guy Helmer), freebsd-security@FreeBSD.ORG Subject: Re: Security problem with FreeBSD 2.2.1 default installation In-Reply-To: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> References: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> Mime-Version: 1.0 (generated by tm-edit 7.103) Content-Type: text/plain; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Matthias Buelow writes: > routine for me to chmod 0 sperl/setuidperl etc. 
My standard installation process is now to: - build and install perl5.004 with a suidperl into /usr/local - make sure /usr/bin and /usr/local have perl and perl5 hard-linked to /usr/local/bin/perl5.004 - make sure /usr/bin/ and /usr/local/bin/ have perl4 being the perl4 that came with the system - make sure 5.004 suidperl is hardlinked between /usr/local/bin and /usr/bin - delete any *perl* crap that came with the system (curseperl and taintperl and sperl and any other oddities I stumble across in /usr/bin/) I have a question: because 2.2 and 2.1 seem to have /dev/fd/n where n is a file descriptor number, does this mean that FreeBSD doesn't need a suidperl because setuid scripts are now safe in the kernel? Nat From owner-freebsd-security Tue Jun 3 11:08:17 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA13084 for security-outgoing; Tue, 3 Jun 1997 11:08:17 -0700 (PDT) Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA13079 for ; Tue, 3 Jun 1997 11:08:14 -0700 (PDT) Received: from popeye.cs.iastate.edu (popeye.cs.iastate.edu [129.186.3.4]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id NAA26375; Tue, 3 Jun 1997 13:07:34 -0500 (CDT) Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.8.5/8.7.1) with SMTP id NAA10317; Tue, 3 Jun 1997 13:07:35 -0500 (CDT) X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs Date: Tue, 3 Jun 1997 13:07:33 -0500 (CDT) From: Guy Helmer To: Matthias Buelow cc: freebsd-security@FreeBSD.ORG Subject: Re: Security problem with FreeBSD 2.2.1 default installation In-Reply-To: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Tue, 3 Jun 1997, Matthias Buelow wrote: > > I just checked the bugtraq archives and found an exploit for sperl4.036 > > 
and sperl 5.00x on FreeBSD was posted April 21! > > I was already wondering when I freshly installed 2.1.5 half a year ago that > sperl 4.x was still setuid (I remember that Perl's unsafety was already > known at least when I was still running 2.1.0 and I also remember some old > CERT advisories mentioning freebsd ages ago). Since then it has become > routine for me to chmod 0 sperl/setuidperl etc. and I'm really wondering > how there could be people left who don't know of that ancient hole? I mean, > even some of my clueless Linux friends know about the sperl vulnerability. ;) In fairness, I think there were patches in FreeBSD's perl for the earlier sperl vulnerability having to do with seteuid/setegid (see FreeBSD SA-96:12 from June 1996 at ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96%3A12.perl.asc). The newly-fixed problems have to do with buffer overflows. Guy Helmer, Computer Science Grad Student, Iowa State - ghelmer@cs.iastate.edu http://www.cs.iastate.edu/~ghelmer From owner-freebsd-security Tue Jun 3 11:17:54 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA13720 for security-outgoing; Tue, 3 Jun 1997 11:17:54 -0700 (PDT) Received: from wrzx07.rz.uni-wuerzburg.de (wrzx07.rz.uni-wuerzburg.de [132.187.1.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA13715 for ; Tue, 3 Jun 1997 11:17:51 -0700 (PDT) Received: from wicx50.informatik.uni-wuerzburg.de (mail@wicx50.informatik.uni-wuerzburg.de [132.187.9.50]) by wrzx07.rz.uni-wuerzburg.de (8.8.5/8.8.5) with SMTP id UAA20476; Tue, 3 Jun 1997 20:17:40 +0200 (MET DST) Received: by wicx50.informatik.uni-wuerzburg.de (8.6.12/uniwue-C-3.1a (CIP Gate)) id UAA09361; Tue, 3 Jun 1997 20:17:40 +0200 Received: from tahiti(132.187.9.20) by cipgate via smap (V1.3) id sma009359; Tue Jun 3 20:17:11 1997 Received: by wicx20.informatik.uni-wuerzburg.de (8.8.5/uniwue-C-3.1 (C)) id UAA25322; Tue, 3 Jun 1997 20:17:10 +0200 From: Matthias Buelow Message-Id: 
<199706031817.UAA25322@wicx20.informatik.uni-wuerzburg.de> Subject: Re: Security problem with FreeBSD 2.2.1 default installation To: ghelmer@cs.iastate.edu (Guy Helmer) Date: Tue, 3 Jun 1997 20:17:10 +0200 (MET DST) Cc: freebsd-security@freebsd.org In-Reply-To: from "Guy Helmer" at Jun 3, 97 01:07:33 pm Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > In fairness, I think there were patches in FreeBSD's perl for the earlier > sperl vulnerability having to do with seteuid/setegid (see FreeBSD > SA-96:12 from June 1996 at > ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96%3A12.perl.asc). > > The newly-fixed problems have to do with buffer overflows. Well, I generally find it questionable to have such a huge program as the Perl interpreter installed as setuid/gid. You really can't control what's going on in those many 10KLOC; I dare say that there are a lot of other security problems waiting for discovery in it. I'd rather NOT have an s-bit on this thingy by default. 
From owner-freebsd-security Tue Jun 3 12:53:18 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA19136 for security-outgoing; Tue, 3 Jun 1997 12:53:18 -0700 (PDT) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA19119 for ; Tue, 3 Jun 1997 12:53:10 -0700 (PDT) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.8.4/8.8.4) with ESMTP id VAA02919 for ; Tue, 3 Jun 1997 21:52:56 +0200 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.8.4/8.6.12) with UUCP id VAA06924 for freebsd-security@FreeBSD.ORG; Tue, 3 Jun 1997 21:52:53 +0200 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.5/keltia-uucp-2.9) id VAA28470; Tue, 3 Jun 1997 21:46:56 +0200 (CEST) Message-ID: <19970603214656.38422@keltia.freenix.fr> Date: Tue, 3 Jun 1997 21:46:56 +0200 From: Ollivier Robert To: freebsd-security@FreeBSD.ORG Subject: Re: Security problem with FreeBSD 2.2.1 default installation References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: ; from Guy Helmer on Tue, Jun 03, 1997 at 10:44:33AM -0500 X-Operating-System: FreeBSD 3.0-CURRENT ctm#3332 AMD-K6 MMX @ 208 MHz Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk According to Guy Helmer: > I just checked the bugtraq archives and found an exploit for sperl4.036 > and sperl 5.00x on FreeBSD was posted April 21! > > I guess no one watches bugtraq?!? Some of us do -- including myself -- but 1. it took some time to make the Perl4 fix because it is not supported anymore, 2. the Perl5 fix was available later too. The Perl5 porters fixed the bug just after the Bugtraq announce but it took some time to get 5.004 out. 
-- Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #17: Sat May 31 18:55:45 CEST 1997 From owner-freebsd-security Tue Jun 3 15:01:30 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA25785 for security-outgoing; Tue, 3 Jun 1997 15:01:30 -0700 (PDT) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA25766 for ; Tue, 3 Jun 1997 15:01:15 -0700 (PDT) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.8.4/8.8.4) with ESMTP id AAA03572 for ; Wed, 4 Jun 1997 00:00:57 +0200 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.8.4/8.6.12) with UUCP id AAA08233 for freebsd-security@FreeBSD.ORG; Wed, 4 Jun 1997 00:00:55 +0200 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.5/keltia-uucp-2.9) id WAA28752; Tue, 3 Jun 1997 22:03:29 +0200 (CEST) Message-ID: <19970603220329.48559@keltia.freenix.fr> Date: Tue, 3 Jun 1997 22:03:29 +0200 From: Ollivier Robert To: freebsd-security@FreeBSD.ORG Subject: Re: Security problem with FreeBSD 2.2.1 default installation References: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> <199706031731.LAA02257@elara.frii.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67 In-Reply-To: <199706031731.LAA02257@elara.frii.com>; from gnat@frii.com on Tue, Jun 03, 1997 at 11:31:31AM -0600 X-Operating-System: FreeBSD 3.0-CURRENT ctm#3332 AMD-K6 MMX @ 208 MHz Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk According to gnat@frii.com: > I have a question: because 2.2 and 2.1 seem to have /dev/fd/n where n > is a file descriptor number, does this mean that FreeBSD doesn't need > a suidperl because setuid scripts are now safe in the kernel? 
Support for setuid scripts is still disabled in the kernel even though we could have it securely... We just need someone to implement it correctly. -- Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #17: Sat May 31 18:55:45 CEST 1997 From owner-freebsd-security Tue Jun 3 20:28:03 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA15905 for security-outgoing; Tue, 3 Jun 1997 20:28:03 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA15869 for ; Tue, 3 Jun 1997 20:27:56 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id XAA27060; Tue, 3 Jun 1997 23:22:34 -0400 (EDT) From: Adam Shostack Message-Id: <199706040322.XAA27060@homeport.org> Subject: Re: Security problem with FreeBSD 2.2.1 default installation In-Reply-To: <199706031731.LAA02257@elara.frii.com> from "gnat@frii.com" at "Jun 3, 97 11:31:31 am" To: gnat@frii.com Date: Tue, 3 Jun 1997 23:22:34 -0400 (EDT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk gnat@frii.com wrote: | My standard installation process is now to: | | - build and install perl5.004 with a suidperl into /usr/local Why install setuid perl by default? (My personal feeling is that perl, while wonderful, is too big to be trustworthy. Use a C wrapper to strip the environment, and call the perl script with a "checked against the ok" list of arguments.) Adam -- "It is seldom that liberty of any kind is lost all at once." 
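One way to build the wrapper Adam describes, as an added example rather than anything posted in the thread: a setuid C program that validates its arguments against a fixed list and a strict pattern, discards the inherited environment, tidies its file descriptors and execs a non-setuid perl on a fixed script in taint mode. The PERL and SCRIPT paths, the subcommand list and the user-name pattern are assumptions made for the illustration.

```c
/*
 * suidwrap.c: a small setuid wrapper in place of a setuid Perl interpreter.
 *
 * Added example; not code from the thread or from FreeBSD. The wrapper
 * binary carries the setuid bit; the script and the interpreter do not.
 * It (1) accepts only arguments that pass an allowlist or a strict pattern,
 * (2) throws away the inherited environment, (3) closes stray descriptors,
 * and (4) execs a fixed interpreter on a fixed script in taint mode.
 * PERL and SCRIPT are assumed paths.
 */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PERL   "/usr/local/bin/perl"          /* assumption: non-setuid perl5 */
#define SCRIPT "/usr/local/libexec/report.pl" /* assumption: root-owned, 0555 */

/* Argument 1 must be one of these subcommands; nothing else gets through. */
static const char *const subcommands[] = { "daily", "weekly", "status", NULL };

/* Returns 1 if arg is exactly one of the allowed subcommands, else 0. */
int subcommand_allowed(const char *arg)
{
    for (const char *const *p = subcommands; *p != NULL; p++)
        if (strcmp(arg, *p) == 0)
            return 1;
    return 0;
}

/* Argument 2 is a user name: 1-16 chars of [a-z0-9], not starting with a
 * digit. The pattern rejects option-looking strings ("-e"), paths and shell
 * metacharacters before Perl ever sees them. Returns 1 if it passes. */
int username_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 16 || isdigit((unsigned char)s[0]))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!islower((unsigned char)s[i]) && !isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Fills env[] (capacity cap, NULL-terminated) with a fixed environment and
 * returns the entry count, or -1 if cap is too small. Nothing inherited
 * survives: no PERL5LIB, PERLLIB, IFS, LD_*, or locale settings. */
int build_clean_env(char *env[], int cap)
{
    static char *const fixed[] = { "PATH=/bin:/usr/bin", "IFS= \t\n" };
    int n = (int)(sizeof fixed / sizeof fixed[0]);
    if (cap < n + 1)
        return -1;
    for (int i = 0; i < n; i++)
        env[i] = fixed[i];
    env[n] = NULL;
    return n;
}

/* Ensure 0, 1, 2 are open (on /dev/null if need be), so the script cannot be
 * tricked into opening a file onto a closed standard descriptor, then close
 * every descriptor above 2 that the caller passed in. */
static void sanitize_fds(void)
{
    for (int fd = 0; fd <= 2; fd++)
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF)
            if (open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd)
                _exit(1);
    long maxfd = sysconf(_SC_OPEN_MAX);
    for (int fd = 3; fd < (maxfd > 0 ? maxfd : 1024); fd++)
        close(fd);
}

int main(int argc, char *argv[])
{
    char *env[4];

    if (argc != 3 || !subcommand_allowed(argv[1]) || !username_ok(argv[2])) {
        fprintf(stderr, "usage: suidwrap {daily|weekly|status} user\n");
        return 2;
    }
    sanitize_fds();
    if (build_clean_env(env, 4) < 0)
        return 1;
    /* Make real, effective and saved uid the same, so the script runs under
     * one identity and cannot later swap back to the caller's. */
    if (setuid(geteuid()) == -1) {
        perror("setuid");
        return 1;
    }
    char *const nargv[] = { PERL, "-T", SCRIPT, argv[1], argv[2], NULL };
    execve(PERL, nargv, env);
    perror("execve");
    return 1;
}
```

Install it as root:wheel mode 4511 and keep the script itself non-writable by anyone but root; the only things the script ever receives from the caller are the two validated strings.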
-Hume From owner-freebsd-security Thu Jun 5 06:26:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA13093 for security-outgoing; Thu, 5 Jun 1997 06:26:38 -0700 (PDT) Received: from cmu1.acs.cmu.edu (CMU1.ACS.CMU.EDU [128.2.35.186]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA13088 for ; Thu, 5 Jun 1997 06:26:35 -0700 (PDT) Received: from apriori.cc.cmu.edu (APRIORI.CC.CMU.EDU [128.2.72.117]) by cmu1.acs.cmu.edu (8.8.2/8.7.3) with SMTP id JAA02644 for ; Thu, 5 Jun 1997 09:26:32 -0400 Date: Thu, 5 Jun 1997 09:26:31 -0400 (EDT) From: Robert N Watson X-Sender: rnw@apriori.cc.cmu.edu To: security@freebsd.org Subject: sequence predictability (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Having seen this post on the ntbugtraq mailing list, I was wondering how predictable sequence numbers in FreeBSD TCP connections were.. And is this an accurate measurement? Thanks ---- Robert Watson ---------- Forwarded message ---------- Date: Fri, 30 May 1997 13:20:49 -0400 From: David LeBlanc Reply-To: Windows NT BugTraq Mailing List , David LeBlanc To: NTBUGTRAQ@RC.ON.CA Subject: sequence predictability I had previously stated that NT was TCP sequence predictable. In response to a question, I did a bit of research on our network and found the following: This is largely fixed in SP3. Instead of being from 15-85% predictable, it is now from 5% to ~20% predictable. This is fairly reasonable. For comparison, IRIX, HP-UX, SunOS, and AIX are all _extremely_ predictable - 50% or better on a consistent basis. BSD is typically very predictable. However, Linux and Solaris are best at this, and are consistently 5% predictable or less. I would like to see NT join this group, but SP3 shows a substantial improvement. 
----------------------------------------------------------- David LeBlanc | Voice: (770)395-0150 x138 Internet Security Systems, Inc. | Fax: (404)395-1972 41 Perimeter Center East | E-Mail: dleblanc@iss.net Suite 660 | www: http://www.iss.net/ Atlanta, GA 30328 | From owner-freebsd-security Thu Jun 5 22:15:45 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA28011 for security-outgoing; Thu, 5 Jun 1997 22:15:45 -0700 (PDT) Received: from mailserv.tversu.ac.ru (vadim@mailserv.tversu.ac.ru [193.233.128.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA28000 for ; Thu, 5 Jun 1997 22:15:34 -0700 (PDT) Received: (from vadim@localhost) by mailserv.tversu.ac.ru (8.8.5/8.8.5) id JAA02523; Fri, 6 Jun 1997 09:15:37 +0400 (MSD) Message-ID: <19970606091536.08429@tversu.ac.ru> Date: Fri, 6 Jun 1997 09:15:36 +0400 From: Vadim Kolontsov To: security@FreeBSD.ORG Subject: Re: sequence predictability (fwd) References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.74 In-Reply-To: ; from Robert N Watson on Thu, Jun 05, 1997 at 09:26:31AM -0400 Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Thu, Jun 05, 1997 at 09:26:31AM -0400, Robert N Watson wrote: > > Having seen this post on the ntbugtraq mailing list, I was wondering how > predictable sequence numbers in FreeBSD TCP connections were.. And is > this an accurate measurement? > > Thanks > How about implementing random choosing of start TCP sequence number? Of course, it needs a cryptographically strong random number generator.. I think it will help a lot against TCP seq.numbers predictability attacks.. 
Best regards sb -------------------------------------------------------------------------- Vadim Kolontsov SysAdm/Programmer Tver Regional Center of New Information Technologies Networks Lab From owner-freebsd-security Fri Jun 6 05:01:35 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA16140 for security-outgoing; Fri, 6 Jun 1997 05:01:35 -0700 (PDT) Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA16135 for ; Fri, 6 Jun 1997 05:01:29 -0700 (PDT) Received: (from eivind@localhost) by bitbox.follo.net (8.8.5/8.7.3) id OAA08973; Fri, 6 Jun 1997 14:01:10 +0200 (MET DST) Date: Fri, 6 Jun 1997 14:01:10 +0200 (MET DST) Message-Id: <199706061201.OAA08973@bitbox.follo.net> From: Eivind Eklund To: Robert N Watson CC: security@FreeBSD.ORG In-reply-to: Robert N Watson's message of Thu, 5 Jun 1997 09:26:31 -0400 (EDT) Subject: Re: sequence predictability (fwd) References: Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > > Having seen this post on the ntbugtraq mailing list, I was wondering how > predictable sequence numbers in FreeBSD TCP connections were.. And is > this an accurate measurement? I believe this is for BSDi. I saw it too, and have sent a mail to David LeBlanc, asking what his numbers were supposed to mean (they're not well enough specified to be meaningful; I _guess_ that they refer to linear prediction, but I'm not certain), which BSDs he had measured on, and to please do a clarification on the NTBugTraq list. I really wouldn't want people to believe FreeBSD is that vulnerable if it isn't true; and I suspect it no longer is. Eivind. 
From owner-freebsd-security Fri Jun 6 12:09:34 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA05377 for security-outgoing; Fri, 6 Jun 1997 12:09:34 -0700 (PDT) Received: from sendero-ppp.i-connect.net (sendero-ppp.i-Connect.Net [206.190.143.100]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id MAA05372 for ; Fri, 6 Jun 1997 12:09:31 -0700 (PDT) Received: (qmail 746 invoked by uid 1000); 6 Jun 1997 19:09:35 -0000 Message-ID: X-Mailer: XFMail 1.2-alpha [p0] on FreeBSD Content-Type: text/plain; charset=iso-8859-8 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <19970606091536.08429@tversu.ac.ru> Date: Fri, 06 Jun 1997 12:09:35 -0700 (PDT) Organization: Atlas Telecom From: Simon Shapiro To: Vadim Kolontsov Subject: Re: sequence predictability (fwd) Cc: security@FreeBSD.ORG Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Hi Vadim Kolontsov; On 06-Jun-97 you wrote: > On Thu, Jun 05, 1997 at 09:26:31AM -0400, Robert N Watson wrote: > > > > Having seen this post on the ntbugtraq mailing list, I was wondering > how > > predictable sequence numbers in FreeBSD TCP connections were.. And is > > this an accurate measurement? > > > > Thanks > > > > How about implementing random choosing of start TCP sequence number? > Of course, it needs a cryptographically strong random number generator.. > I think it will help a lot against TCP seq.numbers predictability > attack. Good Idea. /dev/rand, setup properly produces very good results. 
Simon

From owner-freebsd-security Fri Jun 6 14:15:13 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA12537 for security-outgoing; Fri, 6 Jun 1997 14:15:13 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA12525 for ; Fri, 6 Jun 1997 14:15:10 -0700 (PDT)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.5/8.8.5) id RAA12756; Fri, 6 Jun 1997 17:15:05 -0400 (EDT)
Date: Fri, 6 Jun 1997 17:15:05 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199706062115.RAA12756@khavrinen.lcs.mit.edu>
To: Simon Shapiro
Cc: security@FreeBSD.ORG
Subject: Re: sequence predictability (fwd)
In-Reply-To:
References: <19970606091536.08429@tversu.ac.ru>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

< said:
> Good idea. /dev/rand, set up properly, produces very good results.

It's also far too slow. If I had a working kernel debugger at the moment (it's sick from version skew at the moment) or BPF (it's in use by something else) I could document precisely how the ISS changes. In the current design, it is incremented by a random amount which averages to approximately the old rate.

-GAWollman

--
Garrett A. Wollman        | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu       | O Siem / The fires of freedom
Opinions not those of     | Dance in the burning flame
MIT, LCS, CRS, or NSA     |     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Jun 6 15:32:40 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA16180 for security-outgoing; Fri, 6 Jun 1997 15:32:40 -0700 (PDT)
Received: from kirk.edmweb.com (kirk.edmweb.com [204.244.190.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA16175 for ; Fri, 6 Jun 1997 15:32:37 -0700 (PDT)
Received: from bluesmoke.edmweb.com (bluesmoke.edmweb.com [204.244.190.8]) by kirk.edmweb.com (8.8.5/8.7.3) with ESMTP id PAA11640; Fri, 6 Jun 1997 15:32:03 -0700 (PDT)
Message-Id: <199706062232.PAA11640@kirk.edmweb.com>
To: Simon Shapiro
cc: Vadim Kolontsov , security@FreeBSD.ORG
Subject: Re: sequence predictability (fwd)
In-reply-to: Your message of "Fri, 06 Jun 1997 12:09:35 PDT."
Date: Fri, 06 Jun 1997 15:32:04 -0700
From: Steve
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>> How about implementing random choosing of the start TCP sequence number?
>> Of course, it needs a cryptographically strong random number generator..
>> I think it will help a lot against the TCP seq. number predictability
>> attack.
>
> Good idea. /dev/rand, set up properly, produces very good results.

Sequence numbers should not be chosen at random. Read RFC 1948.
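Garrett's description of the current scheme (a clock-driven ISS bumped by a random amount) and Steve's pointer to RFC 1948 are both about how the initial sequence number is derived. What follows is an added example, not code from this thread or from FreeBSD: a Python model of the RFC 1948 construction ISN = M + F(localhost, localport, remotehost, remoteport, secret), where M is the 4-microsecond ISN clock of RFC 793 and F is a keyed one-way hash over the connection 4-tuple and a boot-time secret. The addresses, ports, timestamps and secrets below are constructed for the demonstration, and SHA-256 stands in for the MD5 the RFC suggests. The point it makes is the one behind Steve's remark: the clock term keeps the per-4-tuple monotonic advance that protects against old duplicate segments (two ISNs for the same 4-tuple 4 ms apart differ by exactly 1000 ticks), while the distance between two different 4-tuples is fixed by the secret and so cannot be read off one observed connection, unlike a bare clock where that distance is zero.

```python
"""RFC 1948-style ISN selection, modelled in Python (added example, not FreeBSD code).

    ISN = M + F(localhost, localport, remotehost, remoteport, secret)   (mod 2^32)

M is the RFC 793 ISN clock (one tick per 4 us); F is a keyed hash; the secret is
generated at boot and never leaves the kernel.  SHA-256 is used here in place of
the MD5 that RFC 1948 suggests.
"""
import hashlib
import os
import struct

ISN_TICK_US = 4          # the ISN clock advances once every 4 microseconds
ISN_MODULUS = 1 << 32    # sequence numbers are 32-bit; all arithmetic is mod 2^32


class Rfc1948Isn:
    """ISN generator; the caller supplies the time so that results are reproducible."""

    def __init__(self, secret=None):
        # Assumed: a 16-byte boot-time secret drawn from the kernel RNG.
        # The demo passes a fixed constructed secret instead of os.urandom().
        self.secret = secret if secret is not None else os.urandom(16)

    @staticmethod
    def clock(now_us):
        """M: number of 4 us ticks since an arbitrary epoch, mod 2^32."""
        return (now_us // ISN_TICK_US) % ISN_MODULUS

    def offset(self, laddr, lport, raddr, rport):
        """F: a per-4-tuple offset, constant for the lifetime of the secret."""
        material = (
            laddr.encode("ascii") + struct.pack("!H", lport)
            + raddr.encode("ascii") + struct.pack("!H", rport)
            + self.secret
        )
        digest = hashlib.sha256(material).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, laddr, lport, raddr, rport, now_us):
        """M + F, reduced to 32 bits."""
        return (self.clock(now_us) + self.offset(laddr, lport, raddr, rport)) % ISN_MODULUS


def plain_clock_isn(now_us):
    """The bare RFC 793 clock, for contrast: every 4-tuple gets the same ISN at a given instant."""
    return Rfc1948Isn.clock(now_us)


def isn_delta(a, b):
    """Distance from ISN a to ISN b, mod 2^32 (what an observer holding both can compute)."""
    return (b - a) % ISN_MODULUS


def demo():
    """Exercise the generator on constructed connections and return the measured distances."""
    gen = Rfc1948Isn(secret=b"constructed-secret")
    t0 = 1_000_000                 # constructed timestamps, microseconds
    t1 = t0 + 4_000                # 4 ms later = 1000 ISN clock ticks
    conn_a = ("10.0.0.1", 1234, "10.0.0.2", 80)   # constructed 4-tuple
    conn_b = ("10.0.0.1", 1235, "10.0.0.2", 80)   # differs only in the local port

    same_tuple = isn_delta(gen.isn(*conn_a, t0), gen.isn(*conn_a, t1))
    cross_t0 = isn_delta(gen.isn(*conn_a, t0), gen.isn(*conn_b, t0))
    cross_t1 = isn_delta(gen.isn(*conn_a, t1), gen.isn(*conn_b, t1))

    other = Rfc1948Isn(secret=b"another-constructed-secret")
    cross_other = isn_delta(other.isn(*conn_a, t0), other.isn(*conn_b, t0))

    # With a bare clock the two 4-tuples are indistinguishable at the same instant.
    cross_clock_only = isn_delta(plain_clock_isn(t0), plain_clock_isn(t0))

    return {
        "same_tuple_delta": same_tuple,                   # 1000: the clock guarantee survives
        "cross_tuple_delta_t0": cross_t0,                 # fixed by (secret, tuples) ...
        "cross_tuple_delta_t1": cross_t1,                 # ... so identical at any time
        "cross_tuple_delta_other_secret": cross_other,    # but different under another secret
        "cross_tuple_delta_clock_only": cross_clock_only, # 0: fully predictable
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-4-tuple offset is what an observer of their own connection cannot carry over to someone else's; the clock term is what keeps a reused 4-tuple from landing inside an earlier incarnation's window, which is the guarantee a purely random ISN gives up.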
