From owner-freebsd-security Sun Jul 15 03:54:28 2001
Date: Sun, 15 Jul 2001 14:54:11 +0400
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
Organization: IHelp
Message-ID: <84162803008.20010715145411@internethelp.ru>
To: security@freebsd.org
Subject: Safe CGI scripting

Hi, All.

Has anybody heard of a function in the kernel or the standard libraries with an action similar to:

    int isinside(const char *path1, const char *path2)

that returns 1 if the file referenced by path2 is "inside" the directory hierarchy referenced by path1 and 0 in all other cases.

If you don't know of such a function, I will try to write it myself. In that case, can you advise me about the fastest/most secure/most compatible ways I can do this?

Thanks for any help.
;---------------------------------------------
; Nickolay A.Kritsky
; nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 15 04:31:36 2001
Date: Sun, 15 Jul 2001 04:30:59 -0700
From: "Aaron Namba" <aaron@namba1.com>
To: "Nickolay A.Kritsky", security@freebsd.org
Subject: RE: Safe CGI scripting
In-Reply-To: <84162803008.20010715145411@internethelp.ru>

I'd recommend simply using cgiwrap or suexec (part of Apache). suexec is more transparent, but is difficult to troubleshoot. cgiwrap is what it sounds like -- a setuid root wrapper CGI which provides a safe environment in which to execute other CGIs.
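The isinside() check Nickolay asks for, as an added example that is not code from either poster: canonicalise both paths with realpath(3) and then compare on a path-component boundary, so ".." components and symlinks pointing out of the tree are resolved before the comparison. The isinside_selftest() helper and the scratch tree it builds under /tmp are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the file at path2 lives inside the directory at path1,
 * 0 if it does not, and -1 if either path cannot be resolved (missing
 * file, dangling symlink, unreadable component). Both paths are
 * canonicalised with realpath(3) first, so ".." components and symlinks
 * that point outside the tree are resolved before the comparison. */
int isinside(const char *path1, const char *path2)
{
    char dir[PATH_MAX], file[PATH_MAX];
    size_t dlen;

    if (realpath(path1, dir) == NULL || realpath(path2, file) == NULL)
        return -1;
    dlen = strlen(dir);
    if (dlen == 1 && dir[0] == '/')      /* everything is inside "/" */
        return 1;
    if (strncmp(dir, file, dlen) != 0)
        return 0;
    /* The match must end on a path component boundary, otherwise
     * "/var/www" would wrongly contain "/var/www2/secret". */
    return (file[dlen] == '\0' || file[dlen] == '/') ? 1 : 0;
}

static int create_file(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    return 0;
}

/* Builds a constructed scratch tree under a fresh temporary directory and
 * exercises isinside() against the cases a CGI wrapper cares about;
 * returns 1 if every case behaves as expected, 0 otherwise. Layout:
 *   base/docs/index.html                 ordinary file inside docs
 *   base/docs/escape -> ../outside.txt   symlink leaving docs
 *   base/docs2/                          sibling whose name has docs as a prefix
 *   base/outside.txt                     file outside docs */
int isinside_selftest(void)
{
    char base[] = "/tmp/isinsideXXXXXX";
    char docs[PATH_MAX], docs2[PATH_MAX], page[PATH_MAX];
    char outside[PATH_MAX], escape[PATH_MAX], dotdot[PATH_MAX];
    int ok = 1;

    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(docs, sizeof docs, "%s/docs", base);
    snprintf(docs2, sizeof docs2, "%s/docs2", base);
    snprintf(page, sizeof page, "%s/docs/index.html", base);
    snprintf(outside, sizeof outside, "%s/outside.txt", base);
    snprintf(escape, sizeof escape, "%s/docs/escape", base);
    snprintf(dotdot, sizeof dotdot, "%s/docs/../outside.txt", base);

    if (mkdir(docs, 0700) != 0 || mkdir(docs2, 0700) != 0 ||
        create_file(page) != 0 || create_file(outside) != 0 ||
        symlink("../outside.txt", escape) != 0)
        ok = 0;

    ok = ok && isinside(docs, page) == 1;      /* plain file below docs   */
    ok = ok && isinside(docs, docs) == 1;      /* the directory itself    */
    ok = ok && isinside(docs, outside) == 0;   /* sibling file            */
    ok = ok && isinside(docs, dotdot) == 0;    /* ".." climbs out         */
    ok = ok && isinside(docs, escape) == 0;    /* symlink points out      */
    ok = ok && isinside(docs, docs2) == 0;     /* prefix, not a component */
    ok = ok && isinside(docs, "/no/such/file") == -1;

    unlink(escape);
    unlink(page);
    unlink(outside);
    rmdir(docs);
    rmdir(docs2);
    rmdir(base);
    return ok;
}
```

isinside() answers for the paths as they resolve at the moment of the call; a wrapper should still open the file and act on the open descriptor (fstat(2) on it) rather than re-using the path name, since a symlink can be replaced between the check and the open.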
From owner-freebsd-security Sun Jul 15 09:53:37 2001
Date: Sun, 15 Jul 2001 12:52:37 -0400 (EDT)
From: Mikhail Teterin <mi@aldan.algebra.com>
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
To: mark@grondar.za
Cc: admins@freebsd.org, security@freebsd.org
Message-Id: <200107151652.f6FGqcO75324@aldan.algebra.com>
In-Reply-To: <200107150758.f6F7wLq99891@grimreaper.grondar.za>

On 15 Jul, Mark Murray wrote:

> Don't use ORBS. ORBS is DEAD.

Yeah, I figured...

Well, I have not received an announcement regarding this -- and ORBS usage is an option in the stock sendmail.mc.
Does this warrant a "security advisory"? Because ORBS' misbehavior may cause someone who pushes the ORBS knob in sendmail.mc to stop getting some e-mail -- it did cause me...

Thanks!

-mi

>> I stopped getting CVS-commit messages and other FreeBSD stuff
>> and checked the maillog...
>>
>> Jul 15 00:17:21 corbulon sendmail[3955]: f6F4HKW03955: ruleset=check_relay, arg1=mx2.freebsd.org, arg2=216.136.204.119, relay=mx2.freebsd.org [216.136.204.119], reject=550 5.7.1 216.136.204.119 is a spamsource; see http://lookup.orbs.org/verify.php3?address=216.136.204.119
>>
>> Indeed:
>>
>> root@corbulon:/etc/mail (109) nslookup 119.204.136.216.spamsources.orbs.org
>> Server:  localhost.video-collage.com
>> Address:  127.0.0.1
>>
>> Non-authoritative answer:
>> Name:    119.204.136.216.spamsources.orbs.org
>> Address:  127.0.0.2
>>
>> root@corbulon:/etc/mail (110) nslookup 119.204.136.216.spamsource-netblocks.orbs.org
>> Server:  localhost.video-collage.com
>> Address:  127.0.0.1
>>
>> Non-authoritative answer:
>> Name:    119.204.136.216.spamsource-netblocks.orbs.org
>> Address:  127.0.0.2
>>
>> I'm probably not the first to report this, but... What's worse, the
>> ORBS' web-site is down...

--
-mi
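The rejections in Mikhail's maillog came from a list that answered affirmatively for the address being checked, and the forwarded announcement later in this thread describes a server that will answer affirmatively for every name under orbs.org. As an added example (not code from the thread), here is the sanity probe a mail administrator can run against a DNSBL before trusting it: 127.0.0.2 must be listed and 127.0.0.1 must not be, the test-point convention later written down in RFC 5782. The three resolver callbacks are constructed stand-ins for live DNS, and dnsbl.example is a placeholder zone.

```c
#include <stdio.h>
#include <string.h>

/* Resolver callback: look up the A record for `name`, copy the dotted-quad
 * answer into `out` and return 1 if the name exists, 0 if it does not.
 * In production this would wrap the system resolver; the callbacks below
 * are constructed stand-ins so the example runs offline. */
typedef int (*a_lookup_fn)(const char *name, char *out, size_t outsz);

/* Build the DNSBL query name for an IPv4 address: octets reversed and the
 * zone appended, so 216.136.204.119 under spamsources.orbs.org becomes
 * 119.204.136.216.spamsources.orbs.org. Returns 0 on success, -1 if the
 * address is malformed or the buffer is too small. */
int dnsbl_query_name(const char *ip, const char *zone, char *out, size_t outsz)
{
    unsigned a, b, c, d;
    char extra;

    if (sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    if (snprintf(out, outsz, "%u.%u.%u.%u.%s", d, c, b, a, zone) >= (int)outsz)
        return -1;
    return 0;
}

enum dnsbl_state {
    DNSBL_OK = 0,
    DNSBL_LISTS_EVERYTHING = 1,  /* clean test address is listed: rejects all mail */
    DNSBL_LISTS_NOTHING = 2,     /* mandatory test entry missing: zone is gone     */
    DNSBL_ERROR = 3
};

/* Probe a DNSBL zone with the two conventional test points before an MTA
 * trusts it. A zone that lists 127.0.0.1 says "spam source" for everyone
 * (the ORBS failure in this thread) and must be dropped from the MTA
 * configuration; a zone that no longer lists 127.0.0.2 has been retired. */
enum dnsbl_state dnsbl_check(const char *zone, a_lookup_fn lookup)
{
    char name[256], answer[64];

    if (dnsbl_query_name("127.0.0.1", zone, name, sizeof name) != 0)
        return DNSBL_ERROR;
    if (lookup(name, answer, sizeof answer))
        return DNSBL_LISTS_EVERYTHING;
    if (dnsbl_query_name("127.0.0.2", zone, name, sizeof name) != 0)
        return DNSBL_ERROR;
    if (!lookup(name, answer, sizeof answer))
        return DNSBL_LISTS_NOTHING;
    return DNSBL_OK;
}

/* Constructed resolver 1: a healthy list that carries the test entry. */
static int healthy_lookup(const char *name, char *out, size_t outsz)
{
    if (strcmp(name, "2.0.0.127.dnsbl.example") == 0) {
        snprintf(out, outsz, "%s", "127.0.0.2");
        return 1;
    }
    return 0;
}

/* Constructed resolver 2: the post-shutdown orbs.org behaviour described
 * in the forwarded announcement, every name answered with 127.0.0.1. */
static int dead_orbs_lookup(const char *name, char *out, size_t outsz)
{
    (void)name;
    snprintf(out, outsz, "%s", "127.0.0.1");
    return 1;
}

/* Constructed resolver 3: a zone that has simply vanished (NXDOMAIN). */
static int gone_lookup(const char *name, char *out, size_t outsz)
{
    (void)name; (void)out; (void)outsz;
    return 0;
}

/* Wrappers so each scenario can be checked by name. */
enum dnsbl_state check_healthy(void)   { return dnsbl_check("dnsbl.example", healthy_lookup); }
enum dnsbl_state check_dead_orbs(void) { return dnsbl_check("spamsources.orbs.org", dead_orbs_lookup); }
enum dnsbl_state check_gone(void)      { return dnsbl_check("relays.orbs.org", gone_lookup); }
```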
From owner-freebsd-security Sun Jul 15 10:55:09 2001
Date: Sun, 15 Jul 2001 12:54:51 -0500
From: Steve Price <steve@havk.org>
To: Mikhail Teterin
Cc: admins@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
Message-ID: <20010715125451.M700@bsd.havk.org>
In-Reply-To: <200107151652.f6FGqcO75324@aldan.algebra.com>

On Sun, Jul 15, 2001 at 12:52:37PM -0400, Mikhail Teterin wrote:
>
> Well, I have not received an announcement regarding this -- and
> orbs usage is an option in the stock sendmail.mc.

FYI this came across the postfix-users list the other day and might be of some interest to those people still using ORBS.
Date: Thu, 12 Jul 2001 19:07:44 -0400 (EDT)
Reply-To: postfix-users@postfix.org
From: jseymour@LinxNet.com (Jim Seymour)
To: postfix-users@postfix.org
Subject: FW: IMPORTANT!!! ORBS USERS PLEASE TAKE NOTE

Forwarded from a post to news.admin.net-abuse.email...

----- Begin Included Message -----

From: rfg@monkeys.com (Ronald F. Guilmette)
Newsgroups: news.admin.net-abuse.email
Subject: IMPORTANT!!! ORBS USERS PLEASE TAKE NOTE
Date: Thu, 12 Jul 2001 22:30:50 -0000

IMPORTANT!!!

IF YOU ARE CONFIGURED TO MAKE REFERENCES TO ANY ORBS.ORG `LIST' ZONE(S) I STRONGLY SUGGEST THAT YOU DISCONTINUE DOING SO IMMEDIATELY, IF NOT SOONER. FAILURE TO DO SO MAY RESULT IN SERIOUS IMPAIRMENT OF YOUR E-MAIL INFLOW.

This is a public service announcement for those sites that are still configured to perform lookups against any or all of the following former (and now defunct) ORBS zones:

    inputs.orbs.org
    outputs.orbs.org
    relays.orbs.org
    delayed-outputs.orbs.org
    spamsources.orbs.org
    spamsource-netblocks.orbs.org
    manual.orbs.org

As a courtesy to Alan Brown (owner and operator of ORBS.ORG), I agreed last year to allow one of my name servers (E-SCRUB.COM) to become one of 11 name servers for the orbs.org zone. I agreed to this because each of the `list' subdomains noted above was in fact a separate zone of its own, separate and different from the base `orbs.org' zone, which itself contained very few DNS records.

My agreement with Alan was ONLY to act as a secondary name server (one of eleven) for the base orbs.org zone. Because of normal DNS client-side caching, and because of the small number of DNS records involved, I knew for certain at the time that having my name server be one of 11 secondaries for the base orbs.org zone would involve very little expenditure of bandwidth on my part.

The situation changed dramatically however with Alan's disabling of the subzones mentioned above. (This occurred sometime last month.
I'm not exactly sure of the date.) When disabling the `list' subzones, Alan apparently just removed any mention of these subzones/subdomains from the base orbs.org zone file.

Because of the way Alan disabled the former ORBS list zones, my name server is now shouldering (at least) 1/11th of the total world-wide DNS queries that are still being made against both the base orbs.org zone and also against all of the former ORBS `list' subzones. This may not sound like a lot, but in fact it DOES represent a substantial and noticeable drain on the small amount of bandwidth I have. I should note also that when I briefly turned on query logging in my name server recently, I found that over 2,000 sites world wide are still making frequent and repeated references to the former ORBS list subzones, presumably as they attempt to check each e-mail message coming into their mail servers.

I simply do not have the kind of bandwidth necessary to support all of this pointless and utterly wasteful traffic. I've asked Alan multiple times to remove my name server from the list of authoritative name servers for the orbs.org zone, and each time he has made up some new implausible excuse. Alan's dog may indeed have eaten his homework, but his excuses just aren't believable anymore. (He has had plenty of time to take care of this. I first requested him to remove my server on June 7th, 2001, and I have re-requested that he do that several times since. Each time he has either failed to respond or else has presented me with some new implausible excuse.)

I've considered various solutions to this problem, but none of them seem particularly easy for me. I could certainly relocate my name server, called E-SCRUB.COM, to a different IP address, but for all I know, the DNS query traffic might just follow the name, rather than the IP address, so then I'd be right back where I started. It would also be a major pain in the ass for me to get a new IP for other reasons.
I have already tried setting up NS records in _my_ copy of the orbs.org zonefile (on my name server) for all of the subzones mentioned above, and pointing all of those NS records at 127.0.0.1 (local loopback address), but for reasons I don't fully understand, that hasn't stopped the DNS query flood to my name server either.

I'm sure that there are a number of other possible convoluted solutions to this problem, e.g. creating a new `host' record in DNS (and with NSI) and then re-jiggering all of the records for my many other domains so that the primary name servers for those are listed as being the new `host', but this seems like a lot more work than I should have to go to just because Alan refuses to do the decent thing and because so many sites have been so horribly lax in removing references to the now long defunct ORBS list zones.

In light of all this, I've decided to just use a trivial and brute-force approach to stopping all of this DNS query traffic from being sent to my name server. As of 9 PM tonight (Pacific Daylight Time) my name server will be configured to answer ALL `A' record queries regarding ANY name within the orbs.org domain with an affirmative response and with the IP address value `127.0.0.1'. Each such response will carry an extremely long TTL, in order to ensure that further queries regarding the same name will be put off as long as possible into the indefinite future.

An exception will be made, of course, for `A' record queries relating to `www.orbs.org', which my name server will continue to identify as being located at 202.61.250.235.

The implications of my plan for sites still attempting to use the orbs.org zones for e-mail filtering purposes should be evident. From 9 PM PDT tonight all such sites will begin to reject (at least) an estimated 1/11th of their incoming e-mail, at random.
The portion of incoming e-mail given this treatment by these sites may in fact increase, over time, as I also intend to delete all other NS (name server) records from my copy of the orbs.org zone file, leaving only my server listed as being authoritative for this zone. (I'm actually not sure what effects this will have as the root server will still contain a complete list of all 11 currently registered name servers for the zone.)

Complaints, flames, and lawsuit threats resulting from the DNS change that I will make to my name server this evening should be directed to Alan Brown, whose new/current e-mail address seems to be [...], and/or to your own local mail administrator.

Finally, allow me to recommend to all mail administrators reading this that tonight's change will provide you with what I believe will be a more than compelling incentive to select some new and different source of open relays data. At the present time, there are at least four such services available to the general public.

Regards,
Ron Guilmette

P.S. I wish that I could recommend one of the four active open relays listing services above the others, but one of them refuses to accept automated submissions, two of the others don't seem to even answer their e-mail, and the final one has recently blacklisted my own non-open mail server, simply because I made the small mistake of manually replying to one of their own auto-replies that was sent in response to a prior message that I had sent them to nominate some open relays I knew about.

When and if a responsive and intelligently-run public open relays listing service becomes available, I'll certainly be among the first to use it and to recommend it.
----- End Included Message -----

From owner-freebsd-security Sun Jul 15 11:33:57 2001
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Steve Price
Cc: Mikhail Teterin, admins@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
Message-Id: <200107151832.f6FIWKp07648@cwsys.cwsent.com>
In-reply-to: Your message of "Sun, 15 Jul 2001 12:54:51 CDT."
             <20010715125451.M700@bsd.havk.org>
Date: Sun, 15 Jul 2001 11:31:28 -0700

Effective July 31, MAPS, RBL, DUL, and RSS will be by subscription only, see http://www.mail-abuse.org/subscription.html. I would think that anyone using these services without a subscription should stop using them by July 31 or face serious impairment of their mail throughput as well.

I think that the only way to fight SPAM as of July 31 is through litigation or through subscription to the mail-abuse service.

Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <20010715125451.M700@bsd.havk.org>, Steve Price writes:
> On Sun, Jul 15, 2001 at 12:52:37PM -0400, Mikhail Teterin wrote:
> >
> > Well, I have not received an announcement regarding this -- and
> > orbs usage is an option in the stock sendmail.mc.
>
> FYI this came across the postfix-users list the other day and
> might be of some interest to those people still using ORBS.
>
> [...]
From owner-freebsd-security Sun Jul 15 11:40:24 2001
Date: Sun, 15 Jul 2001 12:39:45 -0600
From: Brett Glass <brett@lariat.org>
To: Mikhail Teterin, mark@grondar.za
Cc: admins@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
Message-Id: <4.3.2.7.2.20010715123829.00cbc100@localhost>
In-Reply-To: <200107151652.f6FGqcO75324@aldan.algebra.com>

And as soon as ORBS died, MAPS announced that it would be charging a fee for service. Is there a connection between these two events?

--Brett
From owner-freebsd-security Sun Jul 15 11:42:13 2001
Date: Sun, 15 Jul 2001 13:42:03 -0500
From: Steve Price <steve@havk.org>
To: Cy Schubert - ITSD Open Systems Group
Cc: Mikhail Teterin, admins@freebsd.org, security@freebsd.org
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
Message-ID: <20010715134203.O700@bsd.havk.org>
In-Reply-To: <200107151832.f6FIWKp07648@cwsys.cwsent.com>

On Sun, Jul 15, 2001 at 11:31:28AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> Effective July 31, MAPS, RBL, DUL, and RSS will be by subscription
> only, see http://www.mail-abuse.org/subscription.html. I would think
> that anyone using these services without a subscription should stop
> using them by July 31 or face serious impairment of their mail
> throughput as well.
>
> I think that the only way to fight SPAM as of July 31 is through
> litigation or through subscription to the mail-abuse service.

That's what I thought but people corrected me and gave a couple of suggestions. See the following two threads if you are interested in more information.

http://groups.google.com/groups?hl=en&safe=off&ic=1&th=ba5d16beb30276b5,6
http://groups.google.com/groups?hl=en&safe=off&ic=1&th=d96fd88358bea4d3,1

-steve

From owner-freebsd-security Sun Jul 15 14:52:07 2001
Date: Sun, 15 Jul 2001 17:50:53 -0400 (EDT)
From: Mikhail Teterin <mi@aldan.algebra.com>
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
To: steve@havk.org
Cc: Cy.Schubert@uumail.gov.bc.ca, admins@freebsd.org, security@freebsd.org
Message-Id: <200107152151.f6FLouO95110@aldan.algebra.com>
In-Reply-To: <20010715134203.O700@bsd.havk.org>

On 15 Jul, Steve Price wrote:

>> I think that the only way to fight SPAM as of July 31 is through
>> litigation or through subscription to the mail-abuse service.
>
> That's what I thought but people corrected me and gave a couple of
> suggestions. See the following two threads if you are interested
> in more information.
> > http://groups.google.com/groups?hl=en&safe=off&ic=1&th=ba5d16beb30276b5,6 > http://groups.google.com/groups?hl=en&safe=off&ic=1&th=d96fd88358bea4d3,1 Well, some sort of resume from this findings needs to find its way into the etc/mail/sendmail.mc ASAP. And the advisory on -announce is due, IMHO. -- |\__-----__/| _____/ ::::: :::\_____ '__--( ::::::::..::)--__` -mi If you have a / _- \/ :::::::\/ -_ serious knowledge / / :. .::::\ \ about computers -- | ::::::::::::| Ok, let's say you broke keep it in a secret! _|/ ::::____::\|_ the wall with your head "Rules of dating", / /:::::/:_::\::\:.\ What are you going to 'Playboy', ? 1994 | :| ..:(_/ \::|::|::| do in the next cell? | :|:::::. ::|: |::|.:| Stanislaw J. Lec \ |:: :::_/::/: :|:/ ((___\____\____/___/___)) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 15:35:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id 4E3DD37B403; Sun, 15 Jul 2001 15:35:53 -0700 (PDT) (envelope-from gshapiro@gshapiro.net) Received: from horsey.gshapiro.net (gshapiro@localhost [127.0.0.1]) by horsey.gshapiro.net (8.12.0.Beta14/8.12.0.Beta14) with ESMTP id f6FMZehT018623 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Sun, 15 Jul 2001 15:35:40 -0700 (PDT) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.0.Beta14/8.12.0.Beta14) id f6FMZe7B018620; Sun, 15 Jul 2001 15:35:40 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15186.6844.125519.828305@horsey.gshapiro.net> Date: Sun, 15 Jul 2001 15:35:40 -0700 From: Gregory Neil Shapiro To: Mikhail Teterin Cc: steve@havk.org, Cy.Schubert@uumail.gov.bc.ca, admins@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS In-Reply-To: 
<200107152151.f6FLouO95110@aldan.algebra.com> References: <20010715134203.O700@bsd.havk.org> <200107152151.f6FLouO95110@aldan.algebra.com> X-Mailer: VM 6.92 under 21.5 (beta1) "anise" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >> http://groups.google.com/groups?hl=en&safe=off&ic=1&th=ba5d16beb30276b5,6 >> http://groups.google.com/groups?hl=en&safe=off&ic=1&th=d96fd88358bea4d3,1 mi> Well, some sort of resume from this findings needs to find its way mi> into the etc/mail/sendmail.mc ASAP. src/etc/sendmail/freebsd.mc already has mention of the MAPS change and has had ORBS removed. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 15:37:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 5BF2037B403; Sun, 15 Jul 2001 15:37:23 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA23017; Sun, 15 Jul 2001 16:36:46 -0600 (MDT) Message-Id: <4.3.2.7.2.20010715163504.00bac7d0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 15 Jul 2001 16:36:44 -0600 To: Mikhail Teterin , steve@havk.org From: Brett Glass Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS Cc: Cy.Schubert@uumail.gov.bc.ca, admins@FreeBSD.ORG, security@FreeBSD.ORG In-Reply-To: <200107152151.f6FLouO95110@aldan.algebra.com> References: <20010715134203.O700@bsd.havk.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 
At 03:50 PM 7/15/2001, Mikhail Teterin wrote: >Well, some sort of resume from this findings needs to find its way >into the etc/mail/sendmail.mc ASAP. > >And the advisory on -announce is due, IMHO. Good idea. But not everyone will see it, and sysadmins the world over will be very angry at MAPS when they throw the switch. It'll look like a DoS attack. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 16:15: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (nic-41-c140-174.mn.mediaone.net [66.41.140.174]) by hub.freebsd.org (Postfix) with SMTP id 165BC37B405 for ; Sun, 15 Jul 2001 16:14:58 -0700 (PDT) (envelope-from dtj79@hotmail.com) From: "Daniel" To: Subject: Mime-Version: 1.0 Content-Type: text/html; charset="ISO-8859-1" Date: Sun, 15 Jul 2001 18:15:41 -0500 Content-Transfer-Encoding: 8bit Message-Id: <20010715231458.165BC37B405@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 16:40:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from aldan.algebra.com (aldan.algebra.com [216.254.65.224]) by hub.freebsd.org (Postfix) with ESMTP id E2FA037B403; Sun, 15 Jul 2001 16:40:54 -0700 (PDT) (envelope-from mi@aldan.algebra.com) Received: from aldan.algebra.com (localhost [127.0.0.1]) by aldan.algebra.com (8.11.4/8.11.4) with ESMTP id f6FNdkO95808; Sun, 15 Jul 2001 19:39:47 -0400 (EDT) (envelope-from mi@aldan.algebra.com) Message-Id: <200107152339.f6FNdkO95808@aldan.algebra.com> Date: Sun, 15 Jul 2001 19:39:43 -0400 (EDT) From: Mikhail Teterin Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS To: brett@lariat.org Cc: 
steve@havk.org, Cy.Schubert@uumail.gov.bc.ca, admins@FreeBSD.ORG, security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20010715163504.00bac7d0@localhost> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 15 Jul, Brett Glass wrote: > At 03:50 PM 7/15/2001, Mikhail Teterin wrote: > >>Well, some sort of resume from this findings needs to find its way >>into the etc/mail/sendmail.mc ASAP. >> >>And the advisory on -announce is due, IMHO. > > Good idea. But not everyone will see it, and sysadmins the world over > will be very angry at MAPS when they throw the switch. It'll look like > a DoS attack. Well, /me is already angry -- for not being told, that "ORBS is dead". I stopped getting FreeBSD mail, BTW... -- |\__-----__/| _____/ ::::: :::\_____ '__--( ::::::::..::)--__` -mi If you have a / _- \/ :::::::\/ -_ serious knowledge / / :. .::::\ \ about computers -- | ::::::::::::| Ok, let's say you broke keep it in a secret! _|/ ::::____::\|_ the wall with your head "Rules of dating", / /:::::/:_::\::\:.\ What are you going to 'Playboy', ? 1994 | :| ..:(_/ \::|::|::| do in the next cell? | :|:::::. ::|: |::|.:| Stanislaw J. 
Lec \ |:: :::_/::/: :|:/ ((___\____\____/___/___)) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 16:46:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from rlee.leefam.org (cx250485-a.irvn1.occa.home.com [24.19.255.190]) by hub.freebsd.org (Postfix) with ESMTP id 69B4937B403; Sun, 15 Jul 2001 16:46:19 -0700 (PDT) (envelope-from rel@gulbransen.com) Received: from localhost (rel@localhost [127.0.0.1]) by rlee.leefam.org (8.11.4/8.11.4) with ESMTP id f6FNkH000503; Sun, 15 Jul 2001 16:46:17 -0700 (PDT) (envelope-from rel@gulbransen.com) Date: Sun, 15 Jul 2001 16:46:16 -0700 (PDT) From: "Robert E. Lee" X-X-Sender: To: , Subject: Re: ORBS In-Reply-To: <200107151832.f6FIWKp07648@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Has anyone here successfully used the servers from www.orbz.org? A friend of mine suggested that orbz.org is similar to orbs.org, but will not be charging for a subscription. 
Robert To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 16:50:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id E223E37B401; Sun, 15 Jul 2001 16:50:45 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA23870; Sun, 15 Jul 2001 17:50:09 -0600 (MDT) Message-Id: <4.3.2.7.2.20010715174356.00d1b860@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 15 Jul 2001 17:50:03 -0600 To: Mikhail Teterin From: Brett Glass Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS Cc: steve@havk.org, Cy.Schubert@uumail.gov.bc.ca, admins@FreeBSD.ORG, security@FreeBSD.ORG In-Reply-To: <200107152339.f6FNdkO95808@aldan.algebra.com> References: <4.3.2.7.2.20010715163504.00bac7d0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:39 PM 7/15/2001, Mikhail Teterin wrote: >Well, /me is already angry -- for not being told, that "ORBS is dead". I found out only by accident, when I tried to submit an open relay for testing via ORBS' Web page. I had about a dozen sendmail.cf's to rebuild for multiple machines, so I cancelled an appointment and had at it. If I hadn't reacted immediately, the mail servers would have slowed to a crawl while they waited for DNS. This is one reason why I submitted a PR some months ago that would have modified the Sendmail makefiles to let you rebuild your whole library of cf files at one time. I haven't checked to see if the change is in the tree yet.... I have it in my own makefiles. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 16:51:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 8335937B401; Sun, 15 Jul 2001 16:51:46 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA23895; Sun, 15 Jul 2001 17:51:38 -0600 (MDT) Message-Id: <4.3.2.7.2.20010715175024.00d42d10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 15 Jul 2001 17:51:33 -0600 To: "Robert E. Lee" , , From: Brett Glass Subject: Re: ORBS In-Reply-To: References: <200107151832.f6FIWKp07648@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:46 PM 7/15/2001, Robert E. Lee wrote: >Has anyone here successfully used the servers from www.orbz.org? I'm still waiting to learn more about orbz.org, orbl.org, ordb.org, etc. before I trust any of them. I have heard (anecdotally) that at least one of the blocks localhost... not good. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 15 20:21:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from rtp.tfd.com (rtp.tfd.com [198.79.53.206]) by hub.freebsd.org (Postfix) with ESMTP id D946A37B406 for ; Sun, 15 Jul 2001 20:21:18 -0700 (PDT) (envelope-from kent@tfd.com) Received: (from kent@localhost) by rtp.tfd.com (8.9.3/8.9.3) id XAA15174 for security@freebsd.org; Sun, 15 Jul 2001 23:21:23 -0400 (EDT) Date: Sun, 15 Jul 2001 23:21:23 -0400 (EDT) From: Kent Hauser Message-Id: <200107160321.XAA15174@rtp.tfd.com> To: security@freebsd.org Subject: ipsec pkts dropped: unknown/unsupported protocol Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, When I brought my -current box forward from a May build, my VPN stopped working. From tcpdump & netstat -s I see the pkts come & go correctly, but are dropped because: netstat -s: "ip: xx packets for unknown/unsupported protocol". I have "net.inet.ip.check_interface=0" which was sufficient to get it working again with the May build. Any suggestions? Thanks. Kent BTW: the IPSec traffic is running over a PPPoE DSL IP link. 
From owner-freebsd-security Mon Jul 16 00:51:15 2001
Date: Mon, 16 Jul 2001 09:31:02 +0200
From: Mark Murray
To: Mikhail Teterin
Cc: admins@freebsd.org, security@freebsd.org
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
Message-Id: <200107160731.f6G7V3q44391@grimreaper.grondar.za>
In-Reply-To: <200107151652.f6FGqcO75324@aldan.algebra.com>

> > Don't use ORBS. ORBS is DEAD.
>
> Yeah, I figured...
>
> Well, I have not received an announcement regarding this -- and
> orbs usage is an option in the stock sendmail.mc.

Not any more.

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-security Mon Jul 16 00:51:43 2001
Date: Mon, 16 Jul 2001 09:31:57 +0200
From: Mark Murray
To: Brett Glass
Cc: Mikhail Teterin, admins@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FYI: mx2.FreeBSD.org listed by ORBS
Message-Id: <200107160731.f6G7Vvq44412@grimreaper.grondar.za>
In-Reply-To: <4.3.2.7.2.20010715123829.00cbc100@localhost>

> And as soon as ORBS died, MAPS announced that it would
> be charging a fee for service. Is there a
> connection between these two events?

No.

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-security Mon Jul 16 01:16:17 2001
Date: Mon, 16 Jul 2001 10:25:42 +0200
From: Mistral
To: Giorgos Keramidas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Advisory FreeBSD-SA-01 prblem
Message-Id: <5.1.0.14.0.20010716102430.03490ec0@mail.beybol.pop3.pl>
In-Reply-To: <20010714011342.C7611@hades.hell.gr>

It is the patch downloaded from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch

At 01:13 01-07-14 +0300, Giorgos Keramidas wrote:
>From: Mistral
>Subject: Advisory FreeBSD-SA-01 prblem
>Date: Fri, Jul 13, 2001 at 01:28:07PM +0200
>
> > HELLO
> >
> > I patched my FreeBSD 4.2 box and here is a problem:
> > some of the non-suid programs which execute fork() don't work.
> > for example: bounds, which is part of the ports collection!
> >
> > Can anybody help me?
>
>Show us the patches.
>
>-giorgos

From owner-freebsd-security Mon Jul 16 01:22:18 2001
Date: Mon, 16 Jul 2001 11:22:14 +0300
From: "Shila Ofek"
To: green@freebsd.org
Cc: security@freebsd.org
Subject: Re: OpenSSH UseLogin parameter

When the ssh user authentication is a password authentication, I want
to use PAM. It seems that the OpenSSH daemon does not work with PAM, so
I thought that using the regular login, I will get PAM integration for
free.

So, is it possible to work with the UseLogin to use the regular login
program? What do I have to do to use it properly?

Or, is there a possibility that the OpenSSH daemon will work with PAM
when it's doing password authentication?

Thanks,
Shila Ofek.

>From: "Brian F. Feldman"
>To: "Shila Ofek"
>CC: security@freebsd.org
>Subject: Re: OpenSSH UseLogin parameter
>Date: Thu, 12 Jul 2001 15:59:45 -0400
>
>"Shila Ofek" wrote:
> > Hello,
> > I'm trying to get an openssh daemon to work with the regular login,
> > using the UseLogin parameter in the daemon's configuration file.
> > But, it doesn't work...
> > Does anyone have any experience with this?
> >
> > Thanks,
> > Shila Ofek.
>
>Why exactly would you want to do this? If there are bugs that you know
>about in OpenSSH's login code, they should be reported. OpenSSH is meant
>to work without using login, supporting all the functionality login has.
>Let me know exactly what problems you're having.
>
>--
> Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
> green@FreeBSD.org `------------------------------'

From owner-freebsd-security Mon Jul 16 02:03:55 2001
Date: Mon, 16 Jul 2001 12:08:03 +0300
From: Peter Pentchev
To: Shila Ofek
Cc: green@freebsd.org, security@freebsd.org
Subject: Re: OpenSSH UseLogin parameter
Message-ID: <20010716120803.A1766@ringworld.oblivion.bg>

On Mon, Jul 16, 2001 at 11:22:14AM +0300, Shila Ofek wrote:
> When the ssh user authentication is a password authentication, I want
> to use PAM. It seems that the OpenSSH daemon does not work with PAM,
> so I thought that using the regular login, I will get PAM integration
> for free.
> So, is it possible to work with the UseLogin to use the regular login
> program? What do I have to do to use it properly?
> Or, is there a possibility that the OpenSSH daemon will work with PAM
> when it's doing password authentication?

The OpenSSH daemon does work with PAM. Do you have the proper
configuration lines in your /etc/pam.conf file, though? Post the output
of:

    grep '^sshd' /etc/pam.conf

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been
paradoxical.

> >From: "Brian F. Feldman"
> >To: "Shila Ofek"
> >CC: security@freebsd.org
> >Subject: Re: OpenSSH UseLogin parameter
> >Date: Thu, 12 Jul 2001 15:59:45 -0400
> >
> >"Shila Ofek" wrote:
> > > Hello,
> > > I'm trying to get an openssh daemon to work with the regular login,
> > > using the UseLogin parameter in the daemon's configuration file.
> > > But, it doesn't work...
> > > Does anyone have any experience with this?
> > >
> > > Thanks,
> > > Shila Ofek.
> >
> >Why exactly would you want to do this? If there are bugs that you know
> >about in OpenSSH's login code, they should be reported. OpenSSH is meant
> >to work without using login, supporting all the functionality login has.
> >Let me know exactly what problems you're having.
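An added example, not Peter's code or anything posted in the thread: a POSIX sh script that performs the check he asks for on a scratch copy of pam.conf and goes one step further, listing the facilities (auth, account, password, session) that have no sshd line at all. The pam.conf format assumed is the 4.x-era single file, "service facility control module [arguments]". The four sshd lines in the first sample are modelled on the ones Shila posts later in the thread; the "other" fallback line, the second partial file and all paths are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: emulate "grep '^sshd' /etc/pam.conf"
# on a file given as a parameter and report which of the four PAM facilities
# have no entry for a service.  Assumed pam.conf line format:
#     service  facility  control  module  [arguments]

# Print the sshd lines of a pam.conf, ignoring comments and blank lines.
pam_sshd_entries() {
    awk '$1 == "sshd"' "$1"
}

# Print, space separated, the facilities for which service $2 has no
# entry in pam.conf $1.  Returns 0 when all four are covered, 1 otherwise.
pam_missing_facilities() {
    _file=$1
    _svc=$2
    _missing=""
    for _fac in auth account password session; do
        if ! awk -v s="$_svc" -v f="$_fac" \
                '$1 == s && $2 == f { found = 1 } END { exit !found }' "$_file"
        then
            _missing="${_missing:+$_missing }$_fac"
        fi
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Scratch directory holding two constructed pam.conf files.
PAM_WORK=$(mktemp -d)
trap 'rm -rf "$PAM_WORK"' EXIT

# Modelled on the four lines posted in the thread, plus an "other" fallback.
cat > "$PAM_WORK/pam.conf.full" <<'EOF'
# constructed sample, not a real /etc/pam.conf
sshd    auth        required    pam_radius.so
sshd    account     optional    pam_unix.so
sshd    password    required    pam_permit.so
sshd    session     required    pam_permit.so
other   auth        required    pam_unix.so
EOF

# A partial configuration: no auth or password stack for sshd.
cat > "$PAM_WORK/pam.conf.partial" <<'EOF'
sshd    account     required    pam_unix.so
sshd    session     required    pam_permit.so
EOF

echo "== sshd entries =="
pam_sshd_entries "$PAM_WORK/pam.conf.full"
for f in full partial; do
    if m=$(pam_missing_facilities "$PAM_WORK/pam.conf.$f" sshd); then
        echo "$f: all facilities configured for sshd"
    else
        echo "$f: no sshd entry for: $m"
    fi
done
```

Run it with sh; for the partial file it reports "no sshd entry for: auth password". With a single pam.conf, a service that has no line for a facility falls through to the "other" entries, so an empty sshd result is worth comparing against those lines as well before concluding that PAM is not involved.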
From owner-freebsd-security Mon Jul 16 02:08:25 2001
Date: Mon, 16 Jul 2001 05:08:05 -0400 (EDT)
From: Alex
To: Bart Matthaei
Subject: Re: kern.randompid
In-Reply-To: <20010712171104.A38121@heresy.xs4nobody.nl>

No, it doesn't seem to work on 4.x at all for me.

-Alex

On Thu, 12 Jul 2001, Bart Matthaei wrote:
> Does it work on any other releases ?
>
> Regards,
>
> Bart
>
> On Thu, Jul 12, 2001 at 04:07:44PM +0100, rich@rdrose.org wrote:
> > Hi,
> >
> > Any reason why this happens (consistently) on a 4.3-RELEASE machine?
> >
> > shrek# sysctl -w kern.randompid=1
> > kern.randompid: 0 -> 0
> >
> > Given that I also have kern.randompid=1 in my /etc/sysctl.conf, it should
> > already be 1.. but it isn't...
> >
> > rik
>
> --
> Bart Matthaei | bart@xs4nobody.nl
> | +31 6 24907042
> Cysonet Managed Hosting | bart@cysonet.com
> -------------------------------------------------
> /* It's always funny until someone gets hurt..
> * (and then it's just hilarious) */

From owner-freebsd-security Mon Jul 16 02:20:13 2001
Date: Mon, 16 Jul 2001 12:24:22 +0300
From: Peter Pentchev
To: Alex
Cc: Bart Matthaei, freebsd-security@FreeBSD.ORG
Subject: Re: kern.randompid
Message-ID: <20010716122422.C1766@ringworld.oblivion.bg>

It does work; read my followup in the thread. kern.randompid is not a
boolean on/off switch.

G'luck,
Peter

--
This sentence claims to be an Epimenides paradox, but it is lying.

On Mon, Jul 16, 2001 at 05:08:05AM -0400, Alex wrote:
> No, it doesn't seem to work on 4.x at all for me.
>
> -Alex
>
> On Thu, 12 Jul 2001, Bart Matthaei wrote:
>
> > Does it work on any other releases ?
> >
> > Regards,
> >
> > Bart
> >
> > On Thu, Jul 12, 2001 at 04:07:44PM +0100, rich@rdrose.org wrote:
> > > Hi,
> > >
> > > Any reason why this happens (consistently) on a 4.3-RELEASE machine?
> > >
> > > shrek# sysctl -w kern.randompid=1
> > > kern.randompid: 0 -> 0
> > >
> > > Given that I also have kern.randompid=1 in my /etc/sysctl.conf, it should
> > > already be 1.. but it isn't...
> > >
> > > rik

From owner-freebsd-security Mon Jul 16 02:29:21 2001
Date: Mon, 16 Jul 2001 02:29:19 -0700 (PDT)
From: David Chong
To: freebsd-security@FreeBSD.ORG
Subject: Portsentry and TCP wrappers on 4.x FreeBSD
Message-ID: <20010716092919.59749.qmail@web10001.mail.yahoo.com>

guys,

I am testing out PortSentry 1.0 on FreeBSD 4.x and I have configured it
to log the offending hosts to "hosts.deny", which works. Everything
works fine except that in "hosts.allow", it says that:

    # NOTE: The hosts.deny file is deprecated.
    # Place both 'allow' and 'deny' rules in the hosts.allow file.

So basically the hosts.deny file is not used at all..?! How can I make
TCP wrappers work with Portsentry in this case? Must I periodically cut
and paste the logged entries from "hosts.deny" into "hosts.allow" to
block the offending hosts via TCP wrappers?

Please advise. Thanks

-CTW

From owner-freebsd-security Mon Jul 16 02:39:33 2001
Date: Mon, 16 Jul 2001 11:37:47 +0200
From: Matteo
To: David Chong
Cc: security@freebsd.org
Subject: Re: Portsentry and TCP wrappers on 4.x FreeBSD
Message-ID: <20010716113747.A337@pippo.dada.it>
In-Reply-To: <20010716092919.59749.qmail@web10001.mail.yahoo.com>

On Mon, Jul 16, 2001 at 02:29:19AM -0700, David Chong wrote:
> all..?! How can I make Tcp wrappers work with
> Portsentry in this case?

I've done so:

    cd /etc ; ln -s hosts.allow hosts.deny

and in /usr/local/etc/portsentry.conf, I've selected

    KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

and it works... Bye.
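An added example, not Matteo's or PortSentry's code: a POSIX sh script that writes the rule in the exact form Matteo's KILL_HOSTS_DENY setting produces, "ALL: <ip> : DENY", into a file given as a parameter, after checking that the address is a dotted-quad IPv4 address and that the same rule is not already present. It also checks for the ordering trap behind the symlink trick: tcpd uses the first matching line, so a DENY appended below a catch-all "ALL : ALL : allow" never fires. The scratch hosts.allow, the symlinked hosts.deny and the 192.0.2.x addresses are all constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: maintain "ALL: <ip> : DENY"
# rules in a hosts.allow-format file given as a parameter.  Everything
# happens in a scratch directory, never in the live /etc files.

# Succeed when $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Succeed when file $1 already holds the DENY rule for host $2.
is_denied() {
    grep -qxF "ALL: $2 : DENY" "$1"
}

# Succeed when file $1 carries a catch-all "ALL : ALL : allow" rule.
has_catchall_allow() {
    grep -Eiq '^ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*:[[:space:]]*allow' "$1"
}

# Append a DENY rule for host $2 to file $1 unless one is already there.
# Returns 2 for a malformed address; warns on stderr when a catch-all
# allow rule precedes the new line, because tcpd stops at the first match.
deny_host() {
    _file=$1
    _ip=$2
    if ! valid_ipv4 "$_ip"; then
        echo "deny_host: not an IPv4 address: $_ip" >&2
        return 2
    fi
    if is_denied "$_file" "$_ip"; then
        return 0     # PortSentry can fire repeatedly for one host
    fi
    if has_catchall_allow "$_file"; then
        echo "deny_host: warning: a catch-all allow rule precedes the DENY for $_ip" >&2
    fi
    printf 'ALL: %s : DENY\n' "$_ip" >> "$_file"
}

# Number of DENY rules in file $1.
count_denies() {
    grep -c ' : DENY$' "$1" || true
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed scratch hosts.allow, carrying the comment quoted in the thread.
cat > "$WORK/hosts.allow" <<'EOF'
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
ALL : localhost 127.0.0.1 : allow
EOF

# The symlink from the thread: hosts.deny and hosts.allow become one file,
# so what PortSentry appends to hosts.deny is what tcpd reads from hosts.allow.
ln -s hosts.allow "$WORK/hosts.deny"

deny_host "$WORK/hosts.deny" 192.0.2.10          # constructed sample address
deny_host "$WORK/hosts.deny" 192.0.2.10          # second hit: no duplicate
deny_host "$WORK/hosts.deny" 999.1.1.1 || true   # rejected with status 2
echo "== $WORK/hosts.allow =="
cat "$WORK/hosts.allow"
```

Running it prints the scratch file with exactly one DENY line for 192.0.2.10 and a rejection message for 999.1.1.1. On a real host the PortSentry-written rules land at the end of the file, so any site-wide allow rule placed above them needs to be narrower than "ALL : ALL" for the denies to have any effect.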
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 3:18:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f40.law10.hotmail.com [64.4.15.40]) by hub.freebsd.org (Postfix) with ESMTP id 713C837B401 for ; Mon, 16 Jul 2001 03:18:27 -0700 (PDT) (envelope-from shila_ofek@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 16 Jul 2001 03:18:27 -0700 Received: from 212.25.110.131 by lw10fd.law10.hotmail.msn.com with HTTP; Mon, 16 Jul 2001 10:18:27 GMT X-Originating-IP: [212.25.110.131] From: "Shila Ofek" To: roam@orbitel.bg Cc: security@freebsd.org Subject: Re: OpenSSH UseLogin parameter Date: Mon, 16 Jul 2001 13:18:27 +0300 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 16 Jul 2001 10:18:27.0302 (UTC) FILETIME=[A741B060:01C10DE0] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm working with OpenSSH-2.2.0 on FreeBSD 4.2, and from a look at the code it doesn't work with PAM. The only reminder of PAM in the code is in file auth1.c: #ifdef HAVE_LIBPAM int pam_retval; #endif /* HAVE_LIBPAM */ and that's it... Should I recompile the SSH daemon with some flag or something, or do I have the wrong version? The lines I have in pam.conf are: sshd auth required pam_radius.so sshd account optional pam_unix.so sshd password required pam_permit.so sshd session required pam_permit.so Is this OK? Although I'm quite sure it doesn't get to this part at all. The output I get when I run the daemon with -d is: [Prompt]sshd -d debug: sshd version OpenSSH_2.2.0 error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key Disabling protocol version 2 debug: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. 
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from XXX port XXX
Connection from XXX port XXX
debug: Client protocol version 1.5; client software version OpenSSH_2.2.0
debug: Local version string SSH-1.5-OpenSSH_2.2.0
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
Faking authloop for illegal user radtest from XXX port XXX
Thanks, Shila.
>From: Peter Pentchev
>To: Shila Ofek
>CC: green@freebsd.org, security@freebsd.org
>Subject: Re: OpenSSH UseLogin parameter
>Date: Mon, 16 Jul 2001 12:08:03 +0300
>
>On Mon, Jul 16, 2001 at 11:22:14AM +0300, Shila Ofek wrote:
> > When the ssh user authentication is a password authentication, I want to use
> > PAM. It seems that the OpenSsh daemon does not work with PAM, so I thought
> > that using the regular login, I will get PAM integration for free.
> > So, is it possible to work with the UseLogin to use the regular login
> > program? What do I have to do to use it properly?
> > Or, is there a possibility that the OpenSSH daemon will work with PAM when
> > it's doing password authentication?
>
>The OpenSSH daemon does work with PAM. Do you have the proper configuration
>lines in your /etc/pam.conf file, though? Post the output of:
>
> grep '^sshd' /etc/pam.conf
>
>G'luck,
>Peter
>
>--
>If there were no counterfactuals, this sentence would not have been
>paradoxical.
>
> > >From: "Brian F. Feldman"
> > >To: "Shila Ofek"
> > >CC: security@freebsd.org
> > >Subject: Re: OpenSSH UseLogin parameter
> > >Date: Thu, 12 Jul 2001 15:59:45 -0400
> > >
> > >"Shila Ofek" wrote:
> > > > Hello,
> > > > I'm trying to get an openssh daemon to work with the regular login, using
> > > > the UseLogin parameter in the daemon's configuration file.
> > > > But, it doesn't work...
> > > > Does anyone have any experience with this?
> > > >
> > > > Thanks,
> > > > Shila Ofek.
> > >
> > >Why exactly would you want to do this? If there are bugs that you know
> > >about in OpenSSH's login code, they should be reported. OpenSSH is meant to
> > >work without using login, supporting all the functionality login has. Let
> > >me know exactly what problems you're having.
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 4:32:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 6C8C737B401; Mon, 16 Jul 2001 04:32:28 -0700 (PDT) (envelope-from mike@sentex.net) Received: (from root@localhost) by cage.simianscience.com (8.11.4/8.11.2) id f6GBWRB98275; Mon, 16 Jul 2001 07:32:27 -0400 (EDT) (envelope-from mike@sentex.net) Received: from chimp.sentex.net (fcage [192.168.0.2]) by cage.simianscience.com (8.11.4/8.11.2av) with ESMTP id f6GBWLG98267; Mon, 16 Jul 2001 07:32:22 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010716073031.03c364f8@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Mon, 16 Jul 2001 07:32:20 -0400 To: Peter Pentchev , Shila Ofek From: Mike Tancsa Subject: Re: OpenSSH UseLogin parameter Cc: green@freebsd.org, security@freebsd.org In-Reply-To: <20010716120803.A1766@ringworld.oblivion.bg> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:08 PM
7/16/2001 +0300, Peter Pentchev wrote:
>The OpenSSH daemon does work with PAM. Do you have the proper configuration
>lines in your /etc/pam.conf file, though? Post the output of:
Beware that password expire checks do not work with sshd and PAM.
---Mike
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 5:18:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from c001.snv.cp.net (c001-h000.c001.snv.cp.net [209.228.32.114]) by hub.freebsd.org (Postfix) with SMTP id 3806D37B401 for ; Mon, 16 Jul 2001 05:18:10 -0700 (PDT) (envelope-from ivan@al3ks4ndr0v.net) Received: (cpmta 17115 invoked from network); 16 Jul 2001 05:18:00 -0700 Received: from unknown (HELO 212.111.70.23) (212.111.70.23) by smtp.al3ks4ndr0v.net (209.228.32.114) with SMTP; 16 Jul 2001 05:18:00 -0700 X-Sent: 16 Jul 2001 12:18:00 GMT Date: Mon, 16 Jul 2001 18:17:21 +0600 From: Ivan X-Mailer: The Bat! (v1.49) Personal Reply-To: Ivan Organization: dxxr X-Priority: 3 (Normal) Message-ID: <178309637.20010716181721@al3ks4ndr0v.net> To: security@freebsd.org Subject: log message. Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Socks5 v1.0r11 is listening on port 6667, permitting only 192.168.1.0/24. It is also firewalled.
I receive messages from the log:
Jul 16 13:16:39 bsd ircd[80482]: Connect to *[192.168.3.2] @192.168.3.2
# netstat -na
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.1.3600 192.168.3.2.6667 SYN_SENT
add in ipfw list:
04000 0 0 deny ip from 192.168.3.2 to any
# traceroute 192.168.3.2
traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 40 byte packets
 1 192.168.10.5 (192.168.10.5) 1.237 ms 1.121 ms 1.083 ms
 2 192.168.0.2 (192.168.0.2) 2.805 ms 2.578 ms 2.554 ms
 3 192.168.10.5 (192.168.10.5) 4.819 ms 2.690 ms 3.085 ms
 4 192.168.0.2 (192.168.0.2) 4.039 ms 4.212 ms 4.069 ms
 5 192.168.10.5 (192.168.10.5) 4.077 ms 9.975 ms 4.082 ms
 6 192.168.0.2 (192.168.0.2) 5.594 ms 5.762 ms 5.456 ms
 7 192.168.10.5 (192.168.90.5) 5.590 ms 5.614 ms 11.071 ms
 8 192.168.0.2 (192.168.0.2) 7.042 ms 7.079 ms 6.866 ms
 9 192.168.10.5 (192.168.90.5) 6.934 ms 7.740 ms 6.921 ms
10 192.168.0.2 (192.168.0.2) 13.574 ms 8.517 ms 8.965 ms
11 192.168.10.5 (192.168.90.5) 8.649 ms 8.824 ms 8.886 ms
12 192.168.0.2 (192.168.0.2) 14.828 ms 9.912 ms 9.815 ms
..........
# ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2): 56 data bytes
36 bytes from 192.168.10.5: Time to live exceeded
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 612a 0 0000 01 01 1fe5 192.168.1.1 192.168.3.2
Jul 16 13:26:39 bsd ircd[80482]: Connect to *[192.168.3.2] @192.168.3.2
# netstat -na
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.1.3601 192.168.3.2.6667 SYN_SENT
What is this? Help..
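An added example, not code from the thread, with sample input constructed from the lines quoted above. Two things in that output can be checked mechanically rather than by eye. The netstat entry is in SYN_SENT with a local ephemeral port, which is only ever shown on the side that sent the SYN, so this host is the one opening the connection to 192.168.3.2:6667; the ipfw rule, on the other hand, matches packets whose source is 192.168.3.2, i.e. the reply direction, which is consistent with its zero counters in the listing. Separately, the traceroute alternates between two routers, the usual signature of a routing loop. The helpers below parse a `netstat -na` listing, test an ipfw from/to rule against a packet in a given direction, and detect a repeating hop pattern in traceroute output.

```python
"""Triage helpers for an outbound SYN_SENT, an ipfw rule and a looping traceroute.

Added example, not code from the thread. The sample text is constructed
from the lines quoted in the message above (first six traceroute hops).
"""
import re
from collections import namedtuple

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.1.3600 192.168.3.2.6667 SYN_SENT
"""
IPFW_RULE_SAMPLE = "04000 0 0 deny ip from 192.168.3.2 to any"
TRACEROUTE_SAMPLE = """\
traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 40 byte packets
 1 192.168.10.5 (192.168.10.5) 1.237 ms 1.121 ms 1.083 ms
 2 192.168.0.2 (192.168.0.2) 2.805 ms 2.578 ms 2.554 ms
 3 192.168.10.5 (192.168.10.5) 4.819 ms 2.690 ms 3.085 ms
 4 192.168.0.2 (192.168.0.2) 4.039 ms 4.212 ms 4.069 ms
 5 192.168.10.5 (192.168.10.5) 4.077 ms 9.975 ms 4.082 ms
 6 192.168.0.2 (192.168.0.2) 5.594 ms 5.762 ms 5.456 ms
"""

Conn = namedtuple("Conn", "proto laddr lport faddr fport state")


def parse_netstat(text):
    """Parse BSD `netstat -na` TCP lines (address and port joined by a dot)."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp"):
            laddr, lport = f[3].rsplit(".", 1)
            faddr, fport = f[4].rsplit(".", 1)
            conns.append(Conn(f[0], laddr, int(lport), faddr, int(fport), f[5]))
    return conns


def outbound_attempts(conns):
    """SYN_SENT is only shown on the side that sent the SYN: these connections
    were initiated by this host, not by the foreign address."""
    return [c for c in conns if c.state == "SYN_SENT"]


_RULE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)")


def parse_ipfw_rule(line):
    """(number, packets, action, proto, src, dst) from one `ipfw show` line."""
    m = _RULE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % line)
    num, pkts, _bytes, action, proto, src, dst = m.groups()
    return int(num), int(pkts), action, proto, src, dst


def rule_covers(rule, src_ip, dst_ip):
    """Does the rule's from/to pair match a packet travelling src_ip -> dst_ip?
    Handles 'any' and single addresses, which is all the quoted rule uses."""
    _, _, _, _, src, dst = rule
    return src in ("any", src_ip) and dst in ("any", dst_ip)


def traceroute_loop(text, min_repeats=3):
    """Return the repeating hop pattern if the path cycles, else None.

    A pattern counts as a loop only if it repeats `min_repeats` times at the
    end of the trace, so a single revisited router is not reported.
    """
    hops = re.findall(r"^\s*\d+\s+\S+\s+\(([^)]+)\)", text, re.M)
    for period in range(1, len(hops) // min_repeats + 1):
        tail = hops[-period * min_repeats:]
        chunks = [tail[i:i + period] for i in range(0, len(tail), period)]
        if all(chunk == chunks[0] for chunk in chunks):
            return chunks[0]
    return None


if __name__ == "__main__":
    conn = outbound_attempts(parse_netstat(NETSTAT_SAMPLE))[0]
    rule = parse_ipfw_rule(IPFW_RULE_SAMPLE)
    print("outbound SYN:", conn.laddr, "->", conn.faddr, conn.fport)
    print("rule covers outbound SYN:", rule_covers(rule, conn.laddr, conn.faddr))
    print("rule covers replies     :", rule_covers(rule, conn.faddr, conn.laddr))
    print("routing loop:", traceroute_loop(TRACEROUTE_SAMPLE))
```

Run against the quoted output this reports that the rule covers replies but not the outbound SYN, and that hops repeat with period two (192.168.10.5, 192.168.0.2).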
--
Best regards,
Ivan mailto:ivan@al3ks4ndr0v.net
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 7:56:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 83EC437B401 for ; Mon, 16 Jul 2001 07:56:16 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6GEtTa60010; Mon, 16 Jul 2001 17:55:29 +0300 (EEST) (envelope-from ru) Date: Mon, 16 Jul 2001 17:55:29 +0300 From: Ruslan Ermilov To: Darren Reed Cc: Crist Clark , freebsd-security@FreeBSD.ORG Subject: Re: FW: Small TCP packets == very large overhead == DoS? Message-ID: <20010716175529.A51681@sunbay.com> Mail-Followup-To: Darren Reed , Crist Clark , freebsd-security@FreeBSD.ORG References: <3B4A53D7.287F47AF@globalstar.com> <200107100938.TAA13064@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200107100938.TAA13064@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Tue, Jul 10, 2001 at 07:38:59PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
On Tue, Jul 10, 2001 at 07:38:59PM +1000, Darren Reed wrote:
> In some mail from Crist Clark, sie said:
> >
> > The TCP segment is everything in the IP payload. A SYN segment is a
> > TCP segment, but it carries no data and has a segment length of one (whee!).
> > I can see that clearly in the RFC, and I think we all can agree on that.
> > However, I think that a SYN segment, which is all header, has a size greater
> > than one. It looks more like 24-or-so bytes typically... or maybe it does not.
> > I am looking for where (if anywhere) the specification comes out and says
> > that segment "size" is the same as "length." Why isn't the MSS called the MSL
> > after the RFC has gone to such pains to define "length?"
>
> Why can't a SYN segment be a TCP segment of length 0 ?
> (with one phantom byte)
>
Because it is acknowledged by the other side.
--
Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 8:37:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from tcpns.com (dsl-64-192-239-221.telocity.com [64.192.239.221]) by hub.freebsd.org (Postfix) with ESMTP id 24C5837B407 for ; Mon, 16 Jul 2001 08:37:45 -0700 (PDT) (envelope-from jcborkow@tcpns.com) Received: from localhost (jcborkow@localhost) by tcpns.com (8.11.4/8.11.4) with ESMTP id f6GFbhu09242 for ; Mon, 16 Jul 2001 11:37:44 -0400 (EDT) Date: Mon, 16 Jul 2001 11:37:43 -0400 (EDT) From: Jason Borkowsky To: freebsd-security@freebsd.org Subject: ipfw pipe command Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
I have a question about using pipes in ipfw and hope this is the right forum to ask this question. I have a FreeBSD box connected to a DSL modem at Ethernet 802.3 (10Mb/s) half duplex connection. I am running ipfw on the box, and in terms of filtering, NAT'ing, and port redirection, everything works fine. I decided I wanted to try to use piping to bandwidth limit certain types of traffic.
After reading the man pages and ipfw HOW-TO, I came up with the following simple configuration:
ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes
ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0
So the first line creates a pipe that is limited to 5 Kb/s and has a queue of 4Mbytes, which should limit traffic drops for large transfers. The next line creates a rule saying if the traffic is TCP, and is sourced from my FreeBSD box of IP address x.x.x.x and the source port is in the range of 41000-42000 and is being transmitted out my external interface (fxp0), it should use this pipe.
So now if I list the pipes, I see the following:
#ipfw pipe list
00010: 5.000 Kbit/s 0 ms 4 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
So I have my pipe at 5Kb/s, but it doesn't look like it is being used. I then set up a test connection, use an external sniffer (SnifferPro) and monitor my traffic sessions. However, any tcp traffic in the range of 41000-42000 that is being transmitted from my machine out that interface is not being slowed to 5Kb/s, and is just grabbing all available bandwidth (11,000 to 16,000 KBYTES/s). Can anyone that uses pipes tell me what I did wrong or how to better troubleshoot this? Thanks!
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 8:51:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 40E9037B408 for ; Mon, 16 Jul 2001 08:51:35 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from IBMKA (ibmka.internethelp.ru.
[192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id TAA68252; Mon, 16 Jul 2001 19:50:59 +0400 (MSD) Date: Mon, 16 Jul 2001 19:51:03 +0400 From: "Nickolay A.Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A.Kritsky" Organization: IHelp X-Priority: 3 (Normal) Message-ID: <178267014666.20010716195103@internethelp.ru> To: Jason Borkowsky Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw pipe command In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Jason, Monday, July 16, 2001, 7:37:43 PM, you wrote: JB> I have a question about using pipes in ipfw and hope this is the right JB> forum to ask this question. JB> I have a FreeBSD box connected to a DSL modem at Ethernet 802.3 JB> (10Mb/s) half duplex connection. I am running ipfw on the box, and in JB> terms of filtering, NAT'ing, and port redirection, everything works fine. JB> I decided I wanted to try to use piping to bandwidth limit certain types JB> of traffic. After reading the man pages and ipfw HOW-TO, I came up with JB> the following simple configuration: JB> ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes JB> ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0 JB> So the first line creates a pipe that is limited to 5 Kb/s and has a queue JB> of 4Mbytes, which should limit traffic drops for large transfers. JB> The next line creates a rule saying if the traffic is TCP, and is sourced JB> from my FreeBSD box of IP address x.x.x.x and the source port is in the JB> range of 41000-42000 and is being transmitted out my external interface JB> (fxp0), it should use this pipe. JB> So now if I list the pipes, I see the following: JB> #ipfw pipe list 00010: 5.000 Kbit/s 0 ms 4 sl. 
1 queues (1 buckets) JB> droptail mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000 JB> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes JB> Pkt/Byte Drp JB> So I have my pipe at 5Kb/s, but it doesn't look like it is being used. I JB> then set up a test connection, use an external sniffer (SnifferPro) and JB> monitor my traffic sessions. However, any tcp traffic in the range of JB> 41000-42000 that is being transmitted from my machine out that interface JB> is not being slowed to 5Kb/s, and is just grabbing all available bandwidth JB> (11,000 to 16,000 KBYTES/s). Can anyone that uses pipes tell me what I did JB> wrong or how to better troubleshoot this? Thanks! JB> To Unsubscribe: send mail to majordomo@FreeBSD.org JB> with "unsubscribe freebsd-security" in the body of the message Try `ipfw show' to see if the traffic really does hit the pipe. Check your rc.firewall file to see if you have any rules that apply to such traffic (i.e. ipfw add pass tcp from x.x.x.x 41000-42000 to any out xmit fxp0) _before_ your "pipe" rule. Good luck! 
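An added example, not code from the thread or from ipfw(8), that does the check Nickolay describes mechanically: it parses an `ipfw show` listing and reports any terminating rule (allow, deny, an earlier pipe, and so on) numbered below the pipe rule that already matches the traffic the pipe rule is meant to catch. The listing is constructed; 192.0.2.10 and fxp0 stand in for the poster's x.x.x.x and interface, and rule 00300 is a hypothetical pass rule of the kind rc.firewall installs ahead of user rules. Only the rule syntax used in this thread (protocol, from/to with an optional source port range, in/out, via/xmit/recv) is modelled.

```python
"""Report ipfw rules that shadow a later pipe rule.

Added example, not code from the thread or from ipfw(8). Parses the
`ipfw show` listing (number, packets, bytes, rule body) and matches a
described packet against the small rule subset used in this thread.
The listing is constructed: 192.0.2.10/fxp0 are placeholders and rule
00300 is a hypothetical earlier pass rule.
"""
import ipaddress
import re

SAMPLE_IPFW_SHOW = """\
00100      12      1024 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300     981    640021 allow tcp from 192.0.2.10 to any out xmit fxp0
00400       0         0 pipe 10 tcp from 192.0.2.10 41000-42000 to any out xmit fxp0
65535       4       320 deny ip from any to any
"""

# Actions that end rule processing for a matching packet. With the default
# net.inet.ip.fw.one_pass=1, a pipe or queue rule is terminating as well.
TERMINATING = {"allow", "pass", "accept", "permit", "deny", "drop", "reject",
               "unreach", "reset", "pipe", "queue"}

_LINE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<action>\w+)"
    r"(?:\s+(?P<arg>\d+))?\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"(?:\s+(?P<sports>[\d,-]+))?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dports>[\d,-]+))?(?P<rest>.*)$")


def parse_show(listing):
    """Parse `ipfw show` output into rule dicts, in rule-number order."""
    rules = []
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["num"], r["pkts"], r["bytes"] = int(r["num"]), int(r["pkts"]), int(r["bytes"])
        words = r.pop("rest").split()
        r["dir"] = next((w for w in words if w in ("in", "out")), None)
        r["iface"] = None
        for kw in ("via", "xmit", "recv"):
            if kw in words:
                r["iface"] = (kw, words[words.index(kw) + 1])
        rules.append(r)
    return rules


def _addr_ok(spec, ip):
    if spec == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # 'me', 'not ...', tables: not modelled, treated as no match
        return False


def _port_ok(spec, port):
    if spec is None:
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, pkt):
    """pkt keys: proto, src, sport, dst, dport, dir ('in'/'out'), iface."""
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    if not (_port_ok(rule["sports"], pkt["sport"]) and _port_ok(rule["dports"], pkt["dport"])):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"]:
        kw, name = rule["iface"]
        if name != pkt["iface"]:
            return False
        if (kw == "xmit" and pkt["dir"] != "out") or (kw == "recv" and pkt["dir"] != "in"):
            return False
    return True


def shadowing_rules(listing, pkt, target):
    """Numbers of terminating rules before `target` that already match `pkt`."""
    hits = []
    for r in parse_show(listing):
        if r["num"] >= target:
            break
        if r["action"] in TERMINATING and matches(r, pkt):
            hits.append(r["num"])
    return hits


def packet_counter(listing, num):
    """Packet count `ipfw show` printed for rule `num`, or None if absent."""
    return next((r["pkts"] for r in parse_show(listing) if r["num"] == num), None)


if __name__ == "__main__":
    pkt = dict(proto="tcp", src="192.0.2.10", sport=41500,
               dst="198.51.100.9", dport=80, dir="out", iface="fxp0")
    print("shadowed by:", shadowing_rules(SAMPLE_IPFW_SHOW, pkt, 400))  # [300]
    print("pipe rule packets:", packet_counter(SAMPLE_IPFW_SHOW, 400))  # 0
```

Two counters in the original output are worth reading the same way: `ipfw show` prints a packet count next to each rule, and zero on the pipe rule means nothing is reaching it; and `4 sl.` in the `ipfw pipe list` line reads as a queue of 4 slots, not 4 Mbytes, which is a separate problem from the rule never being hit.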
;------------------------------------------- ; NKritsky ; SysAdmin InternetHelp.Ru ; http://www.internethelp.ru ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 8:56:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from thedarkside.nl (cc31301-a.assen1.dr.nl.home.com [213.51.66.128]) by hub.freebsd.org (Postfix) with ESMTP id B601B37B403 for ; Mon, 16 Jul 2001 08:56:28 -0700 (PDT) (envelope-from serkoon@thedarkside.nl) Received: (from root@localhost) by thedarkside.nl (?/8.9.3) id f6GFuMH64321 for freebsd-security@freebsd.org; Mon, 16 Jul 2001 17:56:22 +0200 (CEST) (envelope-from serkoon@thedarkside.nl) Received: from kilmarnock (kilmarnock [10.0.0.2]) by thedarkside.nl (?/8.9.3av) with SMTP id f6GFuI464313 for ; Mon, 16 Jul 2001 17:56:19 +0200 (CEST) (envelope-from serkoon@thedarkside.nl) Message-ID: <004901c10e10$0a7c52f0$0200000a@kilmarnock> From: "serkoon" To: References: Subject: Re: ipfw pipe command Date: Mon, 16 Jul 2001 17:57:39 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, > ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes > ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0 > ... > Can anyone that uses pipes tell me what I did > wrong or how to better troubleshoot this? Thanks! 
Try swapping the two lines, eg:
ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0
ipfw pipe 10 config bw 5KBit/s queue 4Mbytes
Btw:
1) You should/could use rule-numbers: ipfw add 1000 pipe ...
2) A queue of 4Mbyte is HUGE when limiting at 5kbit, see the man for hints regarding this.
Regards
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 13:46:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cstone.net (mail.cstone.net [209.145.64.80]) by hub.freebsd.org (Postfix) with ESMTP id 743B637B401 for ; Mon, 16 Jul 2001 13:46:24 -0700 (PDT) (envelope-from esproul@ntelos.net) Received: from ntelos.net (thunderbolt.eng.cstone.net [209.145.66.13]) by mail.cstone.net (8.11.1/8.11.1) with ESMTP id f6GKkNm97026 for ; Mon, 16 Jul 2001 16:46:23 -0400 (EDT) Message-ID: <3B53529F.A0DBDC48@ntelos.net> Date: Mon, 16 Jul 2001 16:46:23 -0400 From: Eric Sproul X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.3 i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: stunnel/mysql question Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Hi all,
I'm trying out a setup that was described in the latest Sysadmin issue: setting up Snort to log to a MySQL db over an stunnel-encrypted connection. Anyone else tried this yet?
I'm running the client on 4.3-STABLE, with mysql323-client from the port (3.23.39) and stunnel 3.14, also from the port. The server is my Redhat 7.1 workstation with mysql 3.23.36 from RPM and stunnel 3.14 from source. As far as I can tell, both the mysql server and stunnel are configured correctly. I followed all the setup guidelines and made sure I had the access rights correct.
The client has stunnel listening to localhost:3306 and forwarding to :3307. The server is listening to port 3307 and forwarding to its localhost:3306, where the mysql server is running. But when I try to connect from the client over the stunnel-ed connection, I get
client$ mysql -h 127.0.0.1 -u snortdb -p snortdata
Enter password:
ERROR 1045: Access denied for user: 'snortdb@localhost.localdomain' (Using password: YES)
I can connect the same way right on the server and get in. I've eliminated host ACL's as the cause. On the network level everything is fine. Could stunnel be somehow mangling the login process? I don't have much experience with stunnel or SSL in general so I'm at a loss here.
Thanks in advance!
Eric
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 14: 6:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from maildrop.dub-t3-1.nwcgroup.com (maildrop.dub-t3-1.nwcgroup.com [195.129.80.17]) by hub.freebsd.org (Postfix) with ESMTP id 2A06537B409 for ; Mon, 16 Jul 2001 14:06:38 -0700 (PDT) (envelope-from customerservice@playnetwork.com) Received: from maildrop (localhost [127.0.0.1]) by maildrop.dub-t3-1.nwcgroup.com (Postfix) with ESMTP id DB09B4C5A for ; Mon, 16 Jul 2001 22:06:37 +0100 (IST) Message-ID: <775849209.995317597895.JavaMail.nwdmail@maildrop> Date: Mon, 16 Jul 2001 21:06:37 +0000 (GMT+00:00) From: Reply-To: customerservice@playnetwork.com To: security@FreeBSD.org Subject: Save Up To 70% On Music For Your Business!
Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_39278_699598073.995317597893" X-mailer: NewWorld Direct Java Mail Program X-uri: http://www.newworldcommerce.com X-Complaints: abuse@nwcgroup.com X-Bounce-Info: AIswR1AhZ~KvDPBZ7mn.bYM~xXKb01~MTyuYz+wX+kM+Zy~ut+zg+oGnGw+yPI+K2k6+fkmUAQb9~jk~eQFjM+oYh+NV+CV~JSf3~ccPV+CgL~ayre~f7kr+nMjs Return-Errors-To: customerservice@playnetwork.com X-Errors-To: customerservice@playnetwork.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dear Are you currently playing the radio as your in-store music source? Are you tired of all the deejay chatter and endless advertising? OR, are you using a CD player - and find your customers and employees hear the same music over and over because you're too busy to change CDs or buy new ones? Are you uncertain about paying ASCAP, BMI, or SESAC music licensing fees? Introducing PlayNetwork Online, a monthly subscription service that resolves all your business music issues. http://www.nwd42.com/s.asp?N=Zwm8Yq3701v~HNJBFHJKKOYJCHGDFHJhO Best of all it's available to you at an affordable monthly fee. If you'd like to learn more about this exciting new music service, please click on the link below for information regarding the benefits of professionally programmed music and details on our special introductory offer. Add life to your business with music. PlayNetwork Online. Imagine music your way. http://www.nwd42.com/s.asp?N=Zwm8Yq3701v~HNJBFHJKKOYJCHGDFHJhO Click here to configure your eMail preference: http://www.nwd42.com/s.asp?N=Zwm8Yq3701v~HNJBFHJKKOYJCHGDFHJXb Click here to unsubscribe: http://www.nwd42.com/s.asp?N=Zwm8Yq3701v~HNJBFHJKKOYJCHGDFHJfN The following text is for MIME compliant client programs. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 15:26:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 4171337B403 for ; Mon, 16 Jul 2001 15:26:53 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 714 invoked from network); 16 Jul 2001 22:26:31 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 16 Jul 2001 22:26:31 -0000 Message-ID: <011301c10e46$66da80e0$0d00a8c0@alexus>
From: "alexus" To: Subject: out of entropy Date: Mon, 16 Jul 2001 18:26:47 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
I'm sorry in advance for cross-posting, I just need to resolve this issue a.s.a.p.
I'm using FreeBSD 4.3-RELEASE and the latest version of bind 9
su-2.05# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST box.nexgen.com
dnssec-keygen: failed to generate key box.nexgen.com/157: out of entropy
su-2.05#
Any ideas why? And how do I get around it?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 15:35: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from fangg.lbl.gov (fangg.lbl.gov [128.3.1.103]) by hub.freebsd.org (Postfix) with ESMTP id 6C89F37B401 for ; Mon, 16 Jul 2001 15:35:03 -0700 (PDT) (envelope-from dart@nersc.gov) Received: from usul.nersc.gov (usul [192.168.1.115]) by fangg.lbl.gov (Postfix) with ESMTP id 4AC2B1F5A; Mon, 16 Jul 2001 15:35:03 -0700 (PDT) Received: from usul.nersc.gov (localhost [127.0.0.1]) by usul.nersc.gov (Postfix) with ESMTP id 0FD7B2B; Mon, 16 Jul 2001 15:35:03 -0700 (PDT) X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: "alexus" Cc: freebsd-security@freebsd.org Subject: Re: out of entropy In-Reply-To: Message from "alexus" of "Mon, 16 Jul 2001 18:26:47 EDT." <011301c10e46$66da80e0$0d00a8c0@alexus> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_1427149034P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Mon, 16 Jul 2001 15:35:03 -0700
From: Eli Dart Message-Id: <20010716223503.0FD7B2B@usul.nersc.gov> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --==_Exmh_1427149034P Content-Type: text/plain; charset=us-ascii try adding interrupts to your entropy pool..... man rndcontrol --eli In reply to "alexus" : repl: bad addresses: -- no at-sign after local-part (:) > I'm sorry in advance for a cross posting, I just need to resolve this issue > a.s.a.p. > > I'm using FreeBSD 4.3-RELEASE and latest version of bind 9 > > su-2.05# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST box.nexgen.com > dnssec-keygen: failed to generate key box.nexgen.com/157: out of entropy > > su-2.05# > > any ideas why? and how do i get around it? > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > --==_Exmh_1427149034P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: This is a comment. iD8DBQE7U2wWLTFEeF+CsrMRAom+AJwIGNy5zH/pL5obx6JP0QE61RIhYQCgkvtU l1Szc0OvjVC5ERXo0jlcuU8= =Eaxo -----END PGP SIGNATURE----- --==_Exmh_1427149034P-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 15:56: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 2D26D37B40A for ; Mon, 16 Jul 2001 15:55:59 -0700 (PDT) (envelope-from marka@nominum.com) Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.3/8.11.2) with ESMTP id f6GMtfu59417; Tue, 17 Jul 2001 08:55:43 +1000 (EST) (envelope-from marka@nominum.com) Message-Id: <200107162255.f6GMtfu59417@drugs.dv.isc.org> To: Eli Dart Cc: "alexus" , freebsd-security@freebsd.org 
From: Mark.Andrews@nominum.com Subject: Re: out of entropy In-reply-to: Your message of "Mon, 16 Jul 2001 15:35:03 MST." <20010716223503.0FD7B2B@usul.nersc.gov> Date: Tue, 17 Jul 2001 08:55:41 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
FreeBSD 4.3 RELEASE's /dev/random also has a device driver bug where it returns EOF rather than EWOULDBLOCK when it runs out of entropy in non-blocking mode.
Mark
> --==_Exmh_1427149034P
> Content-Type: text/plain; charset=us-ascii
>
> try adding interrupts to your entropy pool.....
>
> man rndcontrol
>
> --eli
>
>
> In reply to "alexus" :
>
> repl: bad addresses:
> -- no at-sign after local-part (
> :)
>
> > I'm sorry in advance for a cross posting, I just need to resolve this issue
> > a.s.a.p.
> >
> > I'm using FreeBSD 4.3-RELEASE and latest version of bind 9
> >
> > su-2.05# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST box.nexgen.com
> > dnssec-keygen: failed to generate key box.nexgen.com/157: out of entropy
> >
> > su-2.05#
> >
> > any ideas why? and how do i get around it?
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
> --==_Exmh_1427149034P
> Content-Type: application/pgp-signature
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: This is a comment.
>
> iD8DBQE7U2wWLTFEeF+CsrMRAom+AJwIGNy5zH/pL5obx6JP0QE61RIhYQCgkvtU
> l1Szc0OvjVC5ERXo0jlcuU8=
> =Eaxo
> -----END PGP SIGNATURE-----
>
> --==_Exmh_1427149034P--
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 15:56:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 121BF37B408 for ; Mon, 16 Jul 2001 15:56:19 -0700 (PDT) (envelope-from fasty@I-Sphere.COM) Received: (from fasty@localhost) by I-Sphere.COM (8.11.4/8.11.3) id f6GN02w80534; Mon, 16 Jul 2001 16:00:02 -0700 (PDT) (envelope-from fasty) Date: Mon, 16 Jul 2001 16:00:02 -0700 
From: faSty To: Eric Sproul Cc: freebsd-security@FreeBSD.ORG Subject: Re: stunnel/mysql question Message-ID: <20010716160002.A80238@i-sphere.com> References: <3B53529F.A0DBDC48@ntelos.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B53529F.A0DBDC48@ntelos.net>; from esproul@ntelos.net on Mon, Jul 16, 2001 at 04:46:23PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
You need to fix your hostname in the db table of the mysql database, i.e.:
1. mysql mysql
2. INSERT INTO db (Host, User, Db) VALUES ("hostname", "username", "snortdb");
3. FLUSH PRIVILEGES;
It is very important that you find the correct hostname: you must find the exact hostname when you are connecting through the tunnel, and once you have found it, replace "hostname" in the VALUES parameters. I assumed VALUES ("127.0.0.1", "snortdb", "your snort db name here"); It should work for you. Also make sure you have the correct db name, since you didn't give me full information on the database name. -trev
On Mon, Jul 16, 2001 at 04:46:23PM -0400, Eric Sproul wrote: > Hi all, > I'm trying out a setup that was described in the latest Sysadmin issue-- > setting up Snort to log to a MySQL db over an stunnel-encrypted > connection. Anyone else tried this yet? > > I'm running the client on 4.3-STABLE, with mysql323-client from the port > (3.23.39) and stunnel 3.14, also from the port. The server is my Redhat > 7.1 workstation with mysql 3.23.36 from RPM and stunnel 3.14 from > source. As far as I can tell, both the mysql server and stunnel are > configured correctly. I followed all the setup guidelines and made sure > I had the access rights correct. > > The client has stunnel listening to localhost:3306 and forwarding to > :3307.
The server is listening to port 3307 and forwarding to > its localhost:3306, where the mysql server is running. But when I try > to connect from the client over the stunnel-ed connection, I get > > client$ mysql -h 127.0.0.1 -u snortdb -p snortdata > Enter password: > ERROR 1045: Access denied for user: 'snortdb@localhost.localdomain' > (Using password: YES) > > I can connect the same way right on the server and get in. I've > eliminated host ACL's as the cause. On the network level everything is > fine. Could stunnel be somehow mangling the login process? I don't > have much experience with stunnel or SSL in general so I'm at a loss > here. > > Thanks in advance! > Eric > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Acid -- better living through chemistry. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 15:58:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 4E47837B407 for ; Mon, 16 Jul 2001 15:58:44 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 1064 invoked from network); 16 Jul 2001 22:58:21 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 16 Jul 2001 22:58:21 -0000 Message-ID: <01aa01c10e4a$d95f1320$0d00a8c0@alexus> 
From: "alexus" To: "Eli Dart" , Cc: References: <200107162255.f6GMtfu59417@drugs.dv.isc.org> Subject: Re: out of entropy Date: Mon, 16 Jul 2001 18:58:37 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org is there a solution for that? ----- Original Message ----- 
From: To: "Eli Dart" Cc: "alexus" ; Sent: Monday, July 16, 2001 6:55 PM Subject: Re: out of entropy > > FreeBSD 4.3 RELEASE's /dev/random also has a device driver bug > where it returns EOF rather that EWOULDBLOCK when it runs out > entropy in non-blocking mode. > > Mark > > > --==_Exmh_1427149034P > > Content-Type: text/plain; charset=us-ascii > > > > try adding interrupts to your entropy pool..... > > > > man rndcontrol > > > > --eli > > > > > > In reply to "alexus" : > > > > repl: bad addresses: > > -- no at-sign after local-part ( > > :) > > > > > I'm sorry in advance for a cross posting, I just need to resolve this issue > > > a.s.a.p. > > > > > > I'm using FreeBSD 4.3-RELEASE and latest version of bind 9 > > > > > > su-2.05# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST box.nexgen.com > > > dnssec-keygen: failed to generate key box.nexgen.com/157: out of entropy > > > > > > su-2.05# > > > > > > any ideas why? and how do i get around it? > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > --==_Exmh_1427149034P > > Content-Type: application/pgp-signature > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.0.6 (FreeBSD) > > Comment: This is a comment. > > > > iD8DBQE7U2wWLTFEeF+CsrMRAom+AJwIGNy5zH/pL5obx6JP0QE61RIhYQCgkvtU > > l1Szc0OvjVC5ERXo0jlcuU8= > > =Eaxo > > -----END PGP SIGNATURE----- > > > > --==_Exmh_1427149034P-- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > -- > Mark Andrews, Nominum Inc. 
> 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 16: 6:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 3112B37B401 for ; Mon, 16 Jul 2001 16:06:07 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 1128 invoked from network); 16 Jul 2001 23:05:45 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 16 Jul 2001 23:05:45 -0000 Message-ID: <01c601c10e4b$e20d19d0$0d00a8c0@alexus> From: "alexus" To: "Eli Dart" Cc: References: <20010716223503.0FD7B2B@usul.nersc.gov> Subject: Re: out of entropy Date: Mon, 16 Jul 2001 19:06:01 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
I've tried that...
su-2.05# rndcontrol
rndcontrol: interrupts in use: 10 15
su-2.05#
Still the same thing. ----- Original Message -----
From: "Eli Dart" To: "alexus" Cc: Sent: Monday, July 16, 2001 6:35 PM Subject: Re: out of entropy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 16:31:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from scooby.netsville.com (scooby.netsville.com [206.27.96.131]) by hub.freebsd.org (Postfix) with ESMTP id AA9DF37B405 for ; Mon, 16 Jul 2001 16:31:43 -0700 (PDT) (envelope-from brandon@vv.com) Received: from brandon by scooby.netsville.com with local (Exim 3.22 #1 (Debian)) id 15MHq1-0002kq-00; Mon, 16 Jul 2001 19:31:41 -0400 Date: Mon, 16 Jul 2001 19:31:40 -0400 
From: Micah Brandon To: alexus Cc: freebsd-security@freebsd.org Subject: Re: out of entropy Message-ID: <20010716193140.Q6318@vv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <01c601c10e4b$e20d19d0$0d00a8c0@alexus> User-Agent: Mutt/1.3.18i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Here is a work-around I've used in the past. Create a "random" file from the output of various commands like this: $ dd if=/dev/urandom of=my_random_file count=1024 $ date >>my_random_file $ netstat -a >>my_random_file $ df -k >>my_random_file Then, feed the file to dnssec-keygen with the "-r " option. Obviously, this is not the best "randomness", but it will create a key for you. Just keep secret what output you use in your random file :) * alexus (ml@db.nexgen.com) [010716 19:08]: > i've tryed that... > > su-2.05# rndcontrol > rndcontrol: interrupts in use: 10 15 > su-2.05# > > still same thing > -- Micah Brandon brandon@vv.com Netsville, Inc. http://www.netsville.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 18:40:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id CE96C37B418 for ; Mon, 16 Jul 2001 18:37:27 -0700 (PDT) (envelope-from marka@nominum.com) Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.3/8.11.2) with ESMTP id f6H1SPu25824; Tue, 17 Jul 2001 11:28:25 +1000 (EST) (envelope-from marka@nominum.com) Message-Id: <200107170128.f6H1SPu25824@drugs.dv.isc.org> To: "alexus" Cc: "Eli Dart" , Mark.Andrews@nominum.com, freebsd-security@freebsd.org 
From: Mark.Andrews@nominum.com Subject: Re: out of entropy In-reply-to: Your message of "Mon, 16 Jul 2001 18:58:37 -0400." <01aa01c10e4a$d95f1320$0d00a8c0@alexus> Date: Tue, 17 Jul 2001 11:28:25 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yes. sys/i386/i386/mem.c 1.79.2.8. > is there a solution for that? > > ----- Original Message ----- 
> From: > To: "Eli Dart" > Cc: "alexus" ; > Sent: Monday, July 16, 2001 6:55 PM > Subject: Re: out of entropy > > > > > > FreeBSD 4.3 RELEASE's /dev/random also has a device driver bug > > where it returns EOF rather that EWOULDBLOCK when it runs out > > entropy in non-blocking mode. > > > > Mark > > > > > --==_Exmh_1427149034P > > > Content-Type: text/plain; charset=us-ascii > > > > > > try adding interrupts to your entropy pool..... > > > > > > man rndcontrol > > > > > > --eli > > > > > > > > > In reply to "alexus" : > > > > > > repl: bad addresses: > > > -- no at-sign after local-part ( > > > :) > > > > > > > I'm sorry in advance for a cross posting, I just need to resolve this > issue > > > > a.s.a.p. > > > > > > > > I'm using FreeBSD 4.3-RELEASE and latest version of bind 9 > > > > > > > > su-2.05# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST box.nexgen.com > > > > dnssec-keygen: failed to generate key box.nexgen.com/157: out of > entropy > > > > > > > > su-2.05# > > > > > > > > any ideas why? and how do i get around it? > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > > > > --==_Exmh_1427149034P > > > Content-Type: application/pgp-signature > > > > > > -----BEGIN PGP SIGNATURE----- > > > Version: GnuPG v1.0.6 (FreeBSD) > > > Comment: This is a comment. > > > > > > iD8DBQE7U2wWLTFEeF+CsrMRAom+AJwIGNy5zH/pL5obx6JP0QE61RIhYQCgkvtU > > > l1Szc0OvjVC5ERXo0jlcuU8= > > > =Eaxo > > > -----END PGP SIGNATURE----- > > > > > > --==_Exmh_1427149034P-- > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > -- > > Mark Andrews, Nominum Inc. 
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Mark Andrews, Nominum Inc. 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 18:44:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from iatl0x01.coxmail.com (iatl1x01.coxmail.com [206.157.231.23]) by hub.freebsd.org (Postfix) with ESMTP id 1CE3337B421 for ; Mon, 16 Jul 2001 18:41:30 -0700 (PDT) (envelope-from mheffner@novacoxmail.com) Received: from enterprise.muriel.penguinpowered.com ([208.138.198.178]) by iatl0x01.coxmail.com (InterMail vK.4.03.02.00 201-232-124 license 85f4f10023be2bd3bce00b3a38363ea2) with ESMTP id <20010717014107.BMSY1023.iatl0x01@enterprise.muriel.penguinpowered.com>; Mon, 16 Jul 2001 21:41:07 -0400 Message-ID: X-Mailer: XFMail 1.5.0 on FreeBSD X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="_=XFMail.1.5.0.FreeBSD:20010716213950:67204=_"; micalg=pgp-md5; protocol="application/pgp-signature" In-Reply-To: <20010710155350.Y19184@ns1.arch.bellsouth.net> Date: Mon, 16 Jul 2001 21:39:50 -0400 (EDT) Reply-To: Mike Heffner 
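The driver bug Mark Andrews describes in this thread (a zero-length read where EWOULDBLOCK was meant) is what turns a pool that is merely empty for the moment into dnssec-keygen's fatal "out of entropy". The C program below is an added example, not code from the thread, from BIND or from FreeBSD. It classifies each non-blocking read(2) result and treats EOF the same way as EWOULDBLOCK: pause and retry under a bounded budget, so a starved pool comes back as a short read the caller can act on (wait, add interrupt sources with rndcontrol, or fall back to a seed file as in Micah Brandon's -r workaround above) instead of as a permanent failure. The scripted reader that replays the buggy behaviour is constructed for the offline demo; the device path /dev/random, the 10 ms pause and the retry budget are assumptions, not values from the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* What one non-blocking read(2) on an entropy device told us. */
enum rnd_status { RND_DATA, RND_WOULDBLOCK, RND_EOF, RND_ERROR };

/* Classify a read(2) result from its return value and the errno it left.
 * A correct driver reports an empty pool as -1/EWOULDBLOCK; the 4.3-RELEASE
 * driver described in the thread reports it as 0 (EOF) instead. */
enum rnd_status classify_read(ssize_t n, int err)
{
    if (n > 0) return RND_DATA;
    if (n == 0) return RND_EOF;
    if (err == EAGAIN || err == EWOULDBLOCK || err == EINTR) return RND_WOULDBLOCK;
    return RND_ERROR;
}

/* read(2)-shaped callback so one loop can drive a real fd or a scripted fake. */
typedef ssize_t (*reader_fn)(void *ctx, void *buf, size_t len, int *err);

/* Gather `want` bytes through rd(). EOF is handled exactly like EWOULDBLOCK
 * (pool temporarily empty): pause and retry, but give up after max_empty
 * consecutive empty reads. Returns bytes collected (short if the pool stayed
 * dry) or -1 on a hard error such as EBADF. */
ssize_t gather_entropy(reader_fn rd, void *ctx, unsigned char *out,
                       size_t want, int max_empty)
{
    const struct timespec pause = { .tv_sec = 0, .tv_nsec = 10000000L }; /* 10 ms */
    size_t got = 0;
    int empty = 0;

    while (got < want) {
        int err = 0;
        ssize_t n = rd(ctx, out + got, want - got, &err);
        switch (classify_read(n, err)) {
        case RND_DATA:
            got += (size_t)n;
            empty = 0;
            break;
        case RND_EOF:            /* the bug: fall through, treat as would-block */
        case RND_WOULDBLOCK:
            if (++empty > max_empty)
                return (ssize_t)got;   /* caller decides: wait longer or add entropy */
            nanosleep(&pause, NULL);
            break;
        case RND_ERROR:
            return -1;
        }
    }
    return (ssize_t)got;
}

/* Real device: non-blocking read from an open descriptor passed via ctx. */
ssize_t fd_read(void *ctx, void *buf, size_t len, int *err)
{
    ssize_t n = read(*(int *)ctx, buf, len);
    *err = n < 0 ? errno : 0;
    return n;
}

/* Constructed stand-in for the buggy driver (offline demo only): two EOF reads,
 * one EWOULDBLOCK, then the scripted bytes four at a time; with nothing
 * scripted it answers EOF forever, i.e. a pool that never refills. */
struct scripted { int step; const unsigned char *src; size_t srclen; size_t off; };

ssize_t scripted_read(void *ctx, void *buf, size_t len, int *err)
{
    struct scripted *s = ctx;
    int step = s->step++;
    size_t n = s->srclen - s->off;

    *err = 0;
    if (step < 2) return 0;                       /* EOF although the pool is merely empty */
    if (step == 2) { *err = EAGAIN; return -1; }  /* what a correct driver would have said */
    if (n > len) n = len;
    if (n > 4) n = 4;
    if (n == 0) return 0;
    memcpy(buf, s->src + s->off, n);
    s->off += n;
    return (ssize_t)n;
}

int main(void)
{
    unsigned char key[16];
    int fd = open("/dev/random", O_RDONLY | O_NONBLOCK);   /* path assumed */
    ssize_t n;

    if (fd < 0) { perror("open /dev/random"); return 1; }
    n = gather_entropy(fd_read, &fd, key, sizeof key, 50);  /* about 0.5 s of patience */
    close(fd);
    if (n != (ssize_t)sizeof key) {
        fprintf(stderr, "only %zd of %zu bytes: pool starved, not a device error\n", n, sizeof key);
        return 2;
    }
    printf("collected %zd bytes of entropy\n", n);
    return 0;
}
```

The budget matters as much as the EOF handling: on an idle box with no interrupt sources attached to the pool, an unbounded "retry on EOF" loop would spin forever, which is no improvement over the original failure. Reporting a short read keeps the decision (wait, feed a seed file, add interrupts) with the caller, where it belongs.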
From: Mike Heffner To: Christian Kuhtz Subject: RE: buffer overflows Cc: security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format --_=XFMail.1.5.0.FreeBSD:20010716213950:67204=_ Content-Type: text/plain; charset=us-ascii On 10-Jul-2001 Christian Kuhtz wrote: | | Does anyone have a pointer to a FAQ or other document which I can rub into a | developers nose to help him/her find the code prone to buffer overflows and | how to fix them? | | The question keeps coming up more frequently than I have time to answer it | ;-) You could check out the Secure Programming for Linux and Unix HOWTO at: http://www.dwheeler.com/secure-programs/. Mike -- Mike Heffner Fredericksburg, VA --_=XFMail.1.5.0.FreeBSD:20010716213950:67204=_ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7U5dlFokZQs3sv5kRAi5RAJsEKbPRk7WYS/CXaCBr2Vsq/fn2cACaA11y MD/HZVjdePniRCBeJct+XFU= =VeAF -----END PGP SIGNATURE----- --_=XFMail.1.5.0.FreeBSD:20010716213950:67204=_-- End of MIME message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 18:47:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from arnie.systems.sa.gov.au (arnie.systems.sa.gov.au [203.26.120.3]) by hub.freebsd.org (Postfix) with ESMTP id AF00937B41E for ; Mon, 16 Jul 2001 18:44:59 -0700 (PDT) (envelope-from Freeman.Peter@saugov.sa.gov.au) Received: from arnie.systems.sa.gov.au (localhost [127.0.0.1]) by arnie.systems.sa.gov.au OUTGOING (8.9.3/8.9.3) with ESMTP id LAA25620 for ; Tue, 17 Jul 2001 11:14:57 +0930 (CST)' Received: from sagemsbb006.saugov.sa.gov.au (sagemsbb006.saugov.sa.gov.au [143.216.59.14]) by arnie.systems.sa.gov.au INCOMING (8.9.3/8.9.3) 
with ESMTP id LAA25601 for ; Tue, 17 Jul 2001 11:14:56 +0930 (CST)' Received: by sagemsbb006.sagemsmrd01.sa.gov.au with Internet Mail Service (5.5.2653.19) id <3R4C45MC>; Tue, 17 Jul 2001 11:14:57 +0930 Message-ID: <3390FF2B0DE0D21183B30008C70D751A08A7FB21@sagemsg0003.sagemsmrd01.sa.gov.au> From: "Freeman, Peter (ERHS)" To: freebsd-security@freebsd.org Subject: Date: Tue, 17 Jul 2001 11:14:47 +0930 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org unsubscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 19:50:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id BCC3F37B40F for ; Mon, 16 Jul 2001 19:48:07 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 403 invoked by uid 1000); 17 Jul 2001 02:48:01 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Jul 2001 02:48:01 -0000 Date: Mon, 16 Jul 2001 21:48:01 -0500 (CDT) 
From: Mike Silbersack To: Shila Ofek Cc: , Subject: Re: OpenSSH UseLogin parameter In-Reply-To: Message-ID: <20010716214440.G314-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 16 Jul 2001, Shila Ofek wrote: > > I'm working with OpenSSH-2.2.0 on FreeBSD 4.2, and from a look at the code > it doesn't work with PAM. The only reminder of PAM in the code is in file > auth1.c: > #ifdef HAVE_LIBPAM > int pam_retval; > #endif /* HAVE_LIBPAM */ > and that's it... > > Should I recompile the SSH daemon with some flag or something, or do I have > the wrong version? PAM was added along with openssh 2.3.0 in FreeBSD 4.3. But PAM isn't the main reason you should upgrade. You should upgrade because you're running a remotely exploitable version of OpenSSH! Please subscribe to the security advisories. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 23:31:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail13.sdc1.sfba.home.com (femail13.sdc1.sfba.home.com [24.0.95.140]) by hub.freebsd.org (Postfix) with ESMTP id 4F16037B40A for ; Mon, 16 Jul 2001 23:31:34 -0700 (PDT) (envelope-from btdang@home.com) Received: from home.com ([24.248.85.196]) by femail13.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010717063133.ODXD20529.femail13.sdc1.sfba.home.com@home.com> for ; Mon, 16 Jul 2001 23:31:33 -0700 Message-ID: <3B53DCFE.83B37AEF@home.com> Date: Mon, 16 Jul 2001 23:36:46 -0700 
From: Bruce Dang Organization: Boys & Girls Clubs X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 Cc: security@FreeBSD.ORG Subject: Re: buffer overflows References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yea, there are quite a few of those available. You might want to look at www.lsap.org/faq.txt or read "Writing Priviledge Programs" by Benjamin Karas (search packetstorm, I forgot the URL). Bruce Dang www.tbug.org Mike Heffner wrote: > > On 10-Jul-2001 Christian Kuhtz wrote: > | > | Does anyone have a pointer to a FAQ or other document which I can rub into a > | developers nose to help him/her find the code prone to buffer overflows and > | how to fix them? > | > | The question keeps coming up more frequently than I have time to answer it > | ;-) > > You could check out the Secure Programming for Linux and Unix HOWTO at: > http://www.dwheeler.com/secure-programs/. 
> > Mike > > -- > Mike Heffner > Fredericksburg, VA > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 16 23:36:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail13.sdc1.sfba.home.com (femail13.sdc1.sfba.home.com [24.0.95.140]) by hub.freebsd.org (Postfix) with ESMTP id 6E68837B405 for ; Mon, 16 Jul 2001 23:36:07 -0700 (PDT) (envelope-from btdang@home.com) Received: from home.com ([24.248.85.196]) by femail13.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010717063606.OJDF20529.femail13.sdc1.sfba.home.com@home.com> for ; Mon, 16 Jul 2001 23:36:06 -0700 Message-ID: <3B53DE0F.28970950@home.com> Date: Mon, 16 Jul 2001 23:41:19 -0700 
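The question in this sub-thread is how to recognise overflow-prone code and what to replace it with. As an added example (not taken from the HOWTO, the FAQ or any poster), here is the pattern those documents teach you to look for, beside its fix: an unbounded strcpy() into a fixed-size struct member, and a bounded copy with the strlcpy(3) contract that reports truncation so the caller can reject over-long input instead of silently clipping it. The struct, its field names and the 16-byte limit are illustrative; the vulnerable function is shown for reading and is not called.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* illustrative fixed size for a login name */

/* VULNERABLE (shown for reading, not called): the pattern to grep for.
 * strcpy() has no idea that s->name holds 16 bytes, so any input of 16 or
 * more characters writes past it, straight into is_admin and whatever
 * follows. The same applies to strcat(), sprintf(), gets() and scanf("%s"). */
struct session_bad { char name[NAME_LEN]; int is_admin; };

void set_name_bad(struct session_bad *s, const char *input)
{
    strcpy(s->name, input);            /* input length decides how much is written */
}

/* HARDENED: copy at most dst_size-1 bytes, always NUL-terminate, and return
 * strlen(src) so the caller can detect truncation (result >= dst_size). This
 * is the strlcpy(3) contract of FreeBSD libc, written out here so the example
 * also builds on a libc that lacks strlcpy. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    size_t n;

    if (dst_size == 0)
        return src_len;
    n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

struct session { char name[NAME_LEN]; int is_admin; };

/* Reject names that do not fit instead of silently clipping them (a clipped
 * name may collide with another account). Returns 0 on success, -1 if
 * rejected; s->name is then left empty and s->is_admin is never touched. */
int set_name(struct session *s, const char *input)
{
    if (copy_bounded(s->name, sizeof s->name, input) >= sizeof s->name) {
        s->name[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly at the boundary, one hostile. */
    const char *inputs[] = { "alice", "0123456789abcdef",
                             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    struct session s = { "", 0 };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = set_name(&s, inputs[i]);
        printf("%-42s -> %s (is_admin still %d)\n", inputs[i],
               rc == 0 ? "accepted" : "rejected: too long", s.is_admin);
    }
    return 0;
}
```

The boundary case is the one that gets missed in review: a 16-character name is one byte too long for a 16-byte buffer because of the terminator, so `>= sizeof s->name` rather than `>` is the correct truncation test.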
From: Bruce Dang Organization: Boys & Girls Clubs X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: buffer overflows References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yea, there are quite a few of those available. You might want to look at www.lsap.org/faq.txt or read "Writing Priviledge Programs" by Benjamin Karas (search packetstorm, I forgot the URL). Bruce Dang www.tbug.org Mike Heffner wrote: > > On 10-Jul-2001 Christian Kuhtz wrote: > | > | Does anyone have a pointer to a FAQ or other document which I can rub into a > | developers nose to help him/her find the code prone to buffer overflows and > | how to fix them? > | > | The question keeps coming up more frequently than I have time to answer it > | ;-) > > You could check out the Secure Programming for Linux and Unix HOWTO at: > http://www.dwheeler.com/secure-programs/. 
> > Mike > > -- > Mike Heffner > Fredericksburg, VA > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 0: 6:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from orotal.panku.pc.ashlandfiber.net (063-151-110-116.pc.ashlandfiber.net [63.151.110.116]) by hub.freebsd.org (Postfix) with ESMTP id 2842A37B40C for ; Tue, 17 Jul 2001 00:06:18 -0700 (PDT) (envelope-from louisk@bend.com) Received: (from louisk@localhost) by orotal.panku.pc.ashlandfiber.net (8.11.2/8.11.2) id f6H75gD02796; Tue, 17 Jul 2001 00:05:42 -0700 X-Authentication-Warning: orotal.panku.pc.ashlandfiber.net: louisk set sender to louisk@bend.com using -f Subject: From: Louis Kowolowski To: freebsd-security@freebsd.org Content-Type: text/plain X-Mailer: Evolution/0.10 (Preview Release) Date: 17 Jul 2001 00:05:42 -0700 Message-Id: <995353542.2709.1.camel@orotal> Mime-Version: 1.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org subscribe freebsd-security To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 3:35:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from rapid.black.pl (rapid.black.pl [217.113.224.151]) by hub.freebsd.org (Postfix) with ESMTP id 56CD237B409 for ; Tue, 17 Jul 2001 03:35:24 -0700 (PDT) (envelope-from glash@black.pl) Received: by rapid.black.pl (Postfix, from userid 1001) id 5E34B11; Tue, 17 Jul 2001 10:34:22 +0000 (GMT) Date: Tue, 17 Jul 2001 12:34:22 +0200 
From: Artur Meski To: freebsd-security@freebsd.org Subject: Exec logging, FreeBSD Kernel Module. Message-ID: <20010717123422.A97994@rapid.black.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi. I'm looking for a FreeBSD kernel module which will log all commands executed by users. Could somebody help me? -- Artur Meski [glash@freebsd.net.pl] [tel +48606494552] [http://glash.black.pl/] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 4: 5:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from cobweb.example.org (ams-clip-nat-ext1.cisco.com [64.103.37.2]) by hub.freebsd.org (Postfix) with SMTP id C4E3937B403 for ; Tue, 17 Jul 2001 04:05:06 -0700 (PDT) (envelope-from molter@tin.it) Received: (qmail 3253 invoked by uid 1000); 17 Jul 2001 11:06:42 -0000 Date: Tue, 17 Jul 2001 13:06:42 +0200
From: Marco Molteni To: Artur Meski Cc: freebsd-security@freebsd.org Subject: Re: Exec logging, FreeBSD Kernel Module. Message-ID: <20010717130642.A3183@cobweb.example.org> References: <20010717123422.A97994@rapid.black.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010717123422.A97994@rapid.black.pl>; from glash@freebsd.net.pl on Tue, Jul 17, 2001 at 12:34:22PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 2001-07-17, Artur Meski wrote: > Hi. > > I'm looking for FreeBSD Kernel Module, which will log all executed commands > by users. Could somebody help me? Artur, have a look at this. Marco --------- begin forwarded message Date: Wed, 11 Jul 2001 01:40:17 +0200 (CEST) 
From: Andrzej Bialecki To: freebsd-hackers@freebsd.org Subject: [ANNOUNCE] SPY-1.1 - syscall monitoring kernel module Hi, I just uploaded an updated version of SPY, which is a kernel module that allows you to selectively monitor and/or block execution of any syscalls. This version works on relatively current -CURRENT (after the struct proc changes). You can get it from: http://people.freebsd.org/~abial See also the detailed description there. I should also be able to provide a version for 4-STABLE soon, depending on my time and the availability of the machine... Enjoy! -- Andrzej // ---------------------------------------------------------------- // Andrzej Bialecki , Chief System Architect // WebGiro AB, Sweden (http://www.webgiro.com) // ---------------------------------------------------------------- // FreeBSD developer (http://www.freebsd.org) -------------- end forwarded message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 4: 9:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from terminus.dnttm.ro (terminus.dnttm.ro [193.226.98.11]) by hub.freebsd.org (Postfix) with ESMTP id 78AED37B406 for ; Tue, 17 Jul 2001 04:09:25 -0700 (PDT) (envelope-from titus@edc.dnttm.ro) Received: from unix.edc.dnttm.ro (edc.dnttm.ro [193.226.98.104]) by terminus.dnttm.ro (8.9.3/8.9.3) with ESMTP id OAA14322 for ; Tue, 17 Jul 2001 14:09:20 +0300 Received: (from root@localhost) by unix.edc.dnttm.ro (8.11.4/8.11.2) id f6HB9KI18144 for freebsd-security@freebsd.org; Tue, 17 Jul 2001 14:09:20 +0300 (EEST) (envelope-from titus) Received: (from titus@localhost) by unix.edc.dnttm.ro (8.11.4/8.11.2av) id f6HB9IR18136 for freebsd-security@freebsd.org; Tue, 17 Jul 2001 14:09:18 +0300 (EEST) (envelope-from titus) Date: Tue, 17 Jul 2001 14:09:18 +0300
From: titus manea To: freebsd-security@freebsd.org Subject: Re: Exec logging, FreeBSD Kernel Module. Message-ID: <20010717140918.A18009@unix.edc.dnttm.ro> References: <20010717123422.A97994@rapid.black.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010717123422.A97994@rapid.black.pl>; from glash@freebsd.net.pl on Tue, Jul 17, 2001 at 12:34:22PM +0200 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org man lastcomm man accton it may be what you need To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 4:38:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id CA8BF37B401 for ; Tue, 17 Jul 2001 04:38:44 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id PAA85862; Tue, 17 Jul 2001 15:37:23 +0400 (MSD) Date: Tue, 17 Jul 2001 15:37:20 +0400 
From: "Nickolay A.Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A.Kritsky" Organization: IHelp X-Priority: 3 (Normal) Message-ID: <1122461978.20010717153720@internethelp.ru> To: titus manea Cc: freebsd-security@FreeBSD.ORG Subject: Re[2]: Exec logging, FreeBSD Kernel Module. In-reply-To: <20010717140918.A18009@unix.edc.dnttm.ro> References: <20010717123422.A97994@rapid.black.pl> <20010717140918.A18009@unix.edc.dnttm.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello titus, Tuesday, July 17, 2001, 3:09:18 PM, you wrote: tm> man lastcomm tm> man accton tm> it may be what you need I don't think so. If you look in this thread: http://www.freebsd.org/cgi/getmsg.cgi?fetch=299788+0+/usr/local/www/db/text/2001/freebsd-security/20010603.freebsd-security you will see why accounting is no good for security. And I suppose that your main goal is enhancing security, isn't it?
If it is, then you can take a look here: http://www.frasunek.com/sources/security/rexec/ Good Luck tm> To Unsubscribe: send mail to majordomo@FreeBSD.org tm> with "unsubscribe freebsd-security" in the body of the message ;------------------------------------------- ; NKritsky ; SysAdmin InternetHelp.Ru ; http://www.internethelp.ru ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 4:53: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f192.law10.hotmail.com [64.4.15.192]) by hub.freebsd.org (Postfix) with ESMTP id 5963537B401 for ; Tue, 17 Jul 2001 04:52:54 -0700 (PDT) (envelope-from shila_ofek@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 17 Jul 2001 04:52:54 -0700 Received: from 212.25.110.131 by lw10fd.law10.hotmail.msn.com with HTTP; Tue, 17 Jul 2001 11:52:53 GMT X-Originating-IP: [212.25.110.131] 
From: "Shila Ofek" To: security@freebsd.org Subject: SSH with PAM and TACACS+/Radius (was: OpenSSH UseLogin parameter) Date: Tue, 17 Jul 2001 14:52:53 +0300 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 17 Jul 2001 11:52:54.0271 (UTC) FILETIME=[037248F0:01C10EB7] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Thanks for all the answers about my previous question. Well, now I've got the right version - FreeBSD 4.3, but I still can't do what I need. What I need to do is the following: When the SSH user authentication is a password authentication, I want to authenticate through PAM. The reason for that is that I want to authenticate through TACACS+ and Radius servers. Users that authenticate through these servers usually don't have local accounts in the master.passwd files. Instead, a parameter named "template user" is given in the pam.conf file, and the pam_radius and pam_tacplus libraries return this user after authenticating the real user. The template user must have a local account. Now to the actual problem: The code of the OpenSSH daemon first looks for the user in the passwd files. In case the user is a TACACS/Radius user, he is not found there, of course. If the user is not found, the authentication with PAM is not called at all! This is a problem. The code in SSH should work similarly to that in the login program, where after the authentication takes place, the template user is looked up in the master.passwd file. Does anyone know of a patch for this, or any other solution? Thanks, Shila.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 5:56:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from sirius.ccf.auth.gr (sirius.ccf.auth.gr [155.207.112.25]) by hub.freebsd.org (Postfix) with ESMTP id 30B9637B403 for ; Tue, 17 Jul 2001 05:56:49 -0700 (PDT) (envelope-from mixtou@ccf.auth.gr) Received: from ccf.auth.gr (nestor.ccf.auth.gr [155.207.112.11]) by sirius.ccf.auth.gr (8.11.4/8.11.4/8.11.4) with ESMTP id f6HCukn08977 for ; Tue, 17 Jul 2001 15:56:47 +0300 (EET DST) Message-ID: <3B543603.FC2D8F86@ccf.auth.gr> Date: Tue, 17 Jul 2001 15:56:35 +0300 
From: Mihalis Toutoudakis Organization: Aristotle University Of Thessaloniki X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: el,en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: log message. References: <178309637.20010716181721@al3ks4ndr0v.net> Content-Type: multipart/mixed; boundary="------------26CB34FDC3C28B62356C41AB" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org unsubscribe security@FreeBSD.ORG 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 6: 3:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id A56D337B403; Tue, 17 Jul 2001 06:03:23 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA19392; Tue, 17 Jul 2001 06:02:44 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda19390; Tue Jul 17 06:02:32 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f6HD2Qa18991; Tue, 17 Jul 2001 06:02:27 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpde18989; Tue Jul 17 06:01:50 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f6HD1n221653; Tue, 17 Jul 2001 06:01:49 -0700 (PDT) Message-Id: <200107171301.f6HD1n221653@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpde21649; Tue Jul 17 06:01:36 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Brett Glass Cc: "Robert E. Lee" , security@FreeBSD.ORG, admins@FreeBSD.ORG Subject: Re: ORBS In-reply-to: Your message of "Sun, 15 Jul 2001 17:51:33 MDT." <4.3.2.7.2.20010715175024.00d42d10@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 17 Jul 2001 06:01:36 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <4.3.2.7.2.20010715175024.00d42d10@localhost>, Brett Glass writes: > At 05:46 PM 7/15/2001, Robert E. Lee wrote: > > >Has anyone here successfully used the servers from www.orbz.org? > > I'm still waiting to learn more about orbz.org, orbl.org, ordb.org, > etc. before I trust any of them. I have heard (anecdotally) that > at least one of the blocks localhost... not good. To be sure, blocking localhost is bad, however this is not the end of the world. All you need to do is design your sendmail.cf, smtpd_check_rules, or whatever product you use to allow all mail from localhost before checking any other rules. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 6: 6:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.pacta.net (home.pacta.net [212.18.32.50]) by hub.freebsd.org (Postfix) with ESMTP id CA97737B405 for ; Tue, 17 Jul 2001 06:06:25 -0700 (PDT) (envelope-from simon.bozic@pacta.net) Received: from 8-52.ta.cable.kks.net ([213.161.8.52] helo=fire) by mail.pacta.net with smtp (Exim 3.22 #9) id 15MUch-000AkN-00 for freebsd-security@FreeBSD.ORG; Tue, 17 Jul 2001 15:10:47 +0200 Message-ID: <001401c10ec1$1e2765e0$0401a8c0@fire> 
From: "Simon Bozic" To: Subject: named crashes Date: Tue, 17 Jul 2001 15:05:12 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2462.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, from time to time my named crashes; here's the log output: Jul 17 03:32:02 home /kernel: pid 14724 (named), uid 0: exited on signal 11 (core dumped) named version is: named 8.2.3-T6B Can anyone help? 10x To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 6: 9:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id E472737B401 for ; Tue, 17 Jul 2001 06:09:39 -0700 (PDT) (envelope-from cdf.lists@fxp.org) Received: by peitho.fxp.org (Postfix, from userid 1501) id AC2511360E; Tue, 17 Jul 2001 09:09:39 -0400 (EDT) Date: Tue, 17 Jul 2001 09:09:39 -0400 
From: Chris Faulhaber To: Simon Bozic Cc: freebsd-security@FreeBSD.ORG Subject: Re: named crashes Message-ID: <20010717090939.A28649@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , Simon Bozic , freebsd-security@FreeBSD.ORG References: <001401c10ec1$1e2765e0$0401a8c0@fire> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="5mCyUwZo2JvN/JJP" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <001401c10ec1$1e2765e0$0401a8c0@fire>; from Simon.Bozic@pacta.net on Tue, Jul 17, 2001 at 03:05:12PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 17, 2001 at 03:05:12PM +0200, Simon Bozic wrote: > hello > > from time to time my named crashes, here's the log output > Jul 17 03:32:02 home /kernel: pid 14724 (named), uid 0: exited on signal 11 > (core dumped) > > named version is : named 8.2.3-T6B > > anyone can help? > You are running a vulnerable version of Bind that was reported/fixed almost 6 months ago... Chances are someone is trying to exploit it. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc -- Chris D. 
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 6:50:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from tcpns.com (dsl-64-192-239-221.telocity.com [64.192.239.221]) by hub.freebsd.org (Postfix) with ESMTP id 53BDD37B401 for ; Tue, 17 Jul 2001 06:50:43 -0700 (PDT) (envelope-from jcborkow@tcpns.com) Received: from localhost (jcborkow@localhost) by tcpns.com (8.11.4/8.11.4) with ESMTP id f6HDoZ311912; Tue, 17 Jul 2001 09:50:36 -0400 (EDT) Date: Tue, 17 Jul 2001 09:50:35 -0400 (EDT) 
From: Jason Borkowsky To: "Nickolay A.Kritsky" Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw pipe command In-Reply-To: <178267014666.20010716195103@internethelp.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thank you for your response. After playing around with ipfw, I discovered what the problem was: I was trying various combinations of pipes, and it seems if you do not delete your pipe (using ipfw pipe delete) before trying to recreate the pipe, the pipe seems to go unused. So, for example, when I update my firewall rules, I do an ipfw flush, and then dump in the new rules. Now, instead, I have to do an ipfw pipe delete, then an ipfw flush, and then dump in the new rules including the new pipe. > JB> I have a question about using pipes in ipfw and hope this is the right > JB> forum to ask this question. > > JB> I have a FreeBSD box connected to a DSL modem at Ethernet 802.3 > JB> (10Mb/s) half duplex connection. I am running ipfw on the box, and in > JB> terms of filtering, NAT'ing, and port redirection, everything works fine. > > JB> I decided I wanted to try to use piping to bandwidth limit certain types > JB> of traffic. After reading the man pages and ipfw HOW-TO, I came up with > JB> the following simple configuration: > > JB> ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes > JB> ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0 > > JB> So the first line creates a pipe that is limited to 5 Kb/s and has a queue > JB> of 4Mbytes, which should limit traffic drops for large transfers. 
> > JB> The next line creates a rule saying if the traffic is TCP, and is sourced > JB> from my FreeBSD box of IP address x.x.x.x and the source port is in the > JB> range of 41000-42000 and is being transmitted out my external interface > JB> (fxp0), it should use this pipe. > > JB> So now if I list the pipes, I see the following: > > JB> #ipfw pipe list 00010: 5.000 Kbit/s 0 ms 4 sl. 1 queues (1 buckets) > JB> droptail mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000 > JB> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes > JB> Pkt/Byte Drp > > > JB> So I have my pipe at 5Kb/s, but it doesn't look like it is being used. I > JB> then set up a test connection, use an external sniffer (SnifferPro) and > JB> monitor my traffic sessions. However, any tcp traffic in the range of > JB> 41000-42000 that is being transmitted from my machine out that interface > JB> is not being slowed to 5Kb/s, and is just grabbing all available bandwidth > JB> (11,000 to 16,000 KBYTES/s). Can anyone that uses pipes tell me what I did > JB> wrong or how to better troubleshoot this? Thanks! > Try `ipfw show' to see if the traffic really does hit the pipe. Check > your rc.firewall file to see if you have any rules that apply to such > traffic (i.e. ipfw add pass tcp from x.x.x.x 41000-42000 to any out > xmit fxp0) _before_ your "pipe" rule. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 8:12:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 880B237B405 for ; Tue, 17 Jul 2001 08:12:30 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id TAA88911; Tue, 17 Jul 2001 19:12:24 +0400 (MSD) Date: Tue, 17 Jul 2001 19:12:22 +0400 
From: "Nickolay A.Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A.Kritsky" Organization: IHelp X-Priority: 3 (Normal) Message-ID: <14735363670.20010717191222@internethelp.ru> To: Jason Borkowsky Cc: security@FreeBSD.ORG Subject: Re[2]: ipfw pipe command In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Jason, Tuesday, July 17, 2001, 5:50:35 PM, you wrote: JB> Thank you for your response. After playing around with ipfw, I discovered JB> what the problem was: JB> I was trying various combinations of pipes, and it seems if you do not JB> delete your pipe (using ipfw pipe delete) before trying to recreate the JB> pipe, the pipe seems to go unused. Unused? I'm afraid that I don't quite understand you... How does it affect ipfw functionality? JB> So, for example, when I update my firewall rules, I do an ipfw flush, and JB> then dump in the new rules. Now, instead, I have to do an ipfw pipe JB> delete, then an ipfw flush, and then dump in the new rules including the JB> new pipe. You know, I am a real ipfw newbie, but I have been using pipes for about 5 months. I do ipfw flush quite often (I like to play with that tool :)), but never did "ipfw pipe delete", and never noticed anything strange in pipe behavior. Now I am quite confused. Are you sure that doing "ipfw flush" does not delete the pipes? Maybe the FreeBSD guys should add an "ipfw pipe delete" line to the standard /etc/rc.firewall, just before the "ipfw flush"? 
IMHO this will save many newbies from confusion ;) Good luck JB> To Unsubscribe: send mail to majordomo@FreeBSD.org JB> with "unsubscribe freebsd-security" in the body of the message ;------------------------------------------- ; NKritsky ; SysAdmin InternetHelp.Ru ; http://www.internethelp.ru ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 8:35:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cstone.net (mail.cstone.net [209.145.64.80]) by hub.freebsd.org (Postfix) with ESMTP id 59BD437B408 for ; Tue, 17 Jul 2001 08:35:35 -0700 (PDT) (envelope-from esproul@ntelos.net) Received: from ntelos.net (thunderbolt.eng.cstone.net [209.145.66.13]) by mail.cstone.net (8.11.1/8.11.1) with ESMTP id f6HFZYv91336 for ; Tue, 17 Jul 2001 11:35:34 -0400 (EDT) Message-ID: <3B545B3A.40C17B0C@ntelos.net> Date: Tue, 17 Jul 2001 11:35:22 -0400 
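The reload order Jason arrived at above (delete the pipes, then flush the rules, then load the new rules including the pipe), written out as a script. This is an added example, not code from the thread or from /etc/rc.firewall. It assumes FreeBSD 4.x ipfw(8) with dummynet and that "ipfw pipe flush" removes every pipe at once; the interface name fxp0 comes from the thread, while the source address 192.0.2.10 is an assumed stand-in for the thread's x.x.x.x, and rule numbers 1000 and 2000 are arbitrary. DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: reload an ipfw rule set that shapes
# traffic through a dummynet pipe. "ipfw flush" removes rules only; a pipe
# created with "ipfw pipe N config" survives it, so the pipes are flushed
# explicitly first and the pipe is recreated before any rule refers to it.
# Assumes FreeBSD 4.x ipfw(8) with dummynet ("ipfw pipe flush" assumed to
# delete all pipes). DRYRUN=1 prints the commands instead of running them.

DRYRUN="${DRYRUN:-}"
OIF="${OIF:-fxp0}"            # external interface, as in the thread
SRC="${SRC:-192.0.2.10}"      # assumed stand-in for the thread's x.x.x.x

# Run ipfw(8), or print what would run.
run() {
    if [ -n "$DRYRUN" ]; then echo "ipfw $*"; else ipfw "$@"; fi
}

reload_firewall() {
    # 1. pipes first, then rules; -f suppresses the confirmation prompt
    run -f pipe flush
    run -f flush
    # 2. recreate the pipe before anything references it (queue in slots)
    run pipe 10 config bw 5Kbit/s queue 50
    # 3. the pipe rule must come before any pass rule that matches the
    #    same traffic, or the packet is accepted without entering the pipe
    run add 1000 pipe 10 tcp from "$SRC" 41000-42000 to any out xmit "$OIF"
    run add 2000 pass tcp from "$SRC" to any out xmit "$OIF"
}

# After reloading, confirm traffic really reaches the pipe rule: the
# packet and byte counters shown for rule 1000 must grow under load.
pipe_hits() {
    run show 1000
}

case "${1:-}" in
    reload) reload_firewall ;;
    check)  pipe_hits ;;
esac
```

Run it as `DRYRUN=1 sh reload.sh reload` first to see the order of operations, then without DRYRUN from a console session (not over the link you are about to flush). If `ipfw show 1000` stays at zero packets while the test transfer runs, the traffic is matching an earlier rule, which is the other failure mode suggested in the thread.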
From: Eric Sproul X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.3 i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: Re: stunnel/mysql question References: <3B53529F.A0DBDC48@ntelos.net> <20010716160002.A80238@i-sphere.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org faSty wrote: > > you need fix your hostname on MySQL under db table in mysql database. > > I.E. > > 1. mysql mysql > 2. insert into db values(Host,User,Db) > 3. values("hostname","username","snortdb"); > 4. flush privileges; > > very important you find correct hostname, you must find exactly hostname > when you are on tunneled and once you find correct hostname to replace > "hostname" in values's parameters. I assumed > In the user privilege table, which I assume you are referring to, I have got both 127.0.0.1 and "localhost%" as potential access hosts for user snortdb. I figured having both the 127.0.0.1 and the localhost wildcard would take care of everything. Even if they don't, during my testing I did a full "%" wildcard and it *still* didn't work. That's why I suspected stunnel "mangulation" because I believe I have eliminated host access rules as the source of the problem. 
Eric To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 8:43:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mirage.jlschwab.com (cc1035823-c.sandia1.nm.home.com [24.179.146.111]) by hub.freebsd.org (Postfix) with ESMTP id 0B86F37B405 for ; Tue, 17 Jul 2001 08:43:25 -0700 (PDT) (envelope-from jlschwab@jlschwab.com) Received: by mirage.jlschwab.com (Postfix, from userid 1000) id 997143E99; Tue, 17 Jul 2001 09:43:23 -0600 (MDT) Received: from localhost (localhost [127.0.0.1]) by mirage.jlschwab.com (Postfix) with ESMTP id 92FEA7CA8 for ; Tue, 17 Jul 2001 09:43:23 -0600 (MDT) Date: Tue, 17 Jul 2001 09:43:23 -0600 (MDT) 
From: "Jason L. Schwab" To: Subject: login failure question Message-ID: <20010717094033.F3123-100000@mirage.jlschwab.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hiya; I run multiple servers running FreeBSD 4.X-S (most of them 4.3-S). Lately, I have been getting a lot of brute force attempts to log into my machine, not that I care, because they don't have a chance of logging in; also I have been getting a lot of port scans, well, the port scans I took care of via portsentry and ipfw (FreeBSD's firewall). What I am wondering is, is there a way, for like after 10 invalid logins from the same host/IP (mask?), can I have login run an ipfw command and block them for like 24 hours or something? I can do the 24 thing, I just need to know how to have login run whatever script I want it to call. Thanks a million. - Jason L. Schwab --> Unix Systems Administrator && Perl Programmer My PGP Key: finger jlschwab@jlschwab.com - To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 8:43:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 45F8A37B403 for ; Tue, 17 Jul 2001 08:43:48 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.3/8.11.3) with ESMTP id f6HFl0x45230; Tue, 17 Jul 2001 11:47:01 -0400 (EDT) Date: Tue, 17 Jul 2001 11:47:00 -0400 (EDT) 
From: Ralph Huntington To: Simon Bozic Cc: freebsd-security@FreeBSD.ORG Subject: Re: named crashes In-Reply-To: <001401c10ec1$1e2765e0$0401a8c0@fire> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Your named is likely being crashed from the outside. There is a vulnerability in that version (and all earlier versions). You must upgrade either to 8.2.3-REL or 9.1. On Tue, 17 Jul 2001, Simon Bozic wrote: > hello > > from time to time my named crashes, here's the log output > Jul 17 03:32:02 home /kernel: pid 14724 (named), uid 0: exited on signal 11 > (core dumped) > > named version is : named 8.2.3-T6B > > anyone can help? > > 10x > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 9:37:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 99F4737B406 for ; Tue, 17 Jul 2001 09:37:25 -0700 (PDT) (envelope-from jdicioccio@epylon.com) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id <3SVWDTMD>; Tue, 17 Jul 2001 09:37:23 -0700 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFEFCD@goofy.epylon.lan> 
From: Jason DiCioccio To: 'Artur Meski' , freebsd-security@freebsd.org Subject: RE: Exec logging, FreeBSD Kernel Module. Date: Tue, 17 Jul 2001 09:37:22 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Try reading up on process accounting :-) ------- Jason DiCioccio Evil Genius Unix BOFH -----Original Message----- From: Artur Meski [mailto:glash@freebsd.net.pl] Sent: Tuesday, July 17, 2001 3:34 AM To: freebsd-security@freebsd.org Subject: Exec logging, FreeBSD Kernel Module. Hi. I'm looking for a FreeBSD kernel module which will log all commands executed by users. Could somebody help me? -- Artur Meski [glash@freebsd.net.pl] [tel +48606494552] [http://glash.black.pl/] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 9:55:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-62.dsl.lsan03.pacbell.net [63.207.60.62]) by hub.freebsd.org (Postfix) with ESMTP id 2123C37B403 for ; Tue, 17 Jul 2001 09:55:38 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id DDE4567378; Tue, 17 Jul 2001 09:55:36 -0700 (PDT) Date: Tue, 17 Jul 2001 09:55:36 -0700 
From: Kris Kennaway To: Jason DiCioccio Cc: 'Artur Meski' , freebsd-security@FreeBSD.ORG Subject: Re: Exec logging, FreeBSD Kernel Module. Message-ID: <20010717095535.A78558@xor.obsecurity.org> References: <657B20E93E93D4118F9700D0B73CE3EA02FFEFCD@goofy.epylon.lan> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA02FFEFCD@goofy.epylon.lan>; from jdicioccio@epylon.com on Tue, Jul 17, 2001 at 09:37:22AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 17, 2001 at 09:37:22AM -0700, Jason DiCioccio wrote: > > Try reading up on process accounting :-) Process accounting isn't intended as a security audit feature. 
Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 10: 0: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from D00015.dialonly.kemerovo.su (D00015.dialonly.kemerovo.su [213.184.66.105]) by hub.freebsd.org (Postfix) with ESMTP id BC3D137B409 for ; Tue, 17 Jul 2001 09:59:54 -0700 (PDT) (envelope-from eugen@D00015.dialonly.kemerovo.su) Received: (from eugen@localhost) by D00015.dialonly.kemerovo.su (8.11.4/8.11.4) id f6HGsLE01666; Wed, 18 Jul 2001 00:54:21 +0800 (KRAST) (envelope-from eugen) Date: Wed, 18 Jul 2001 00:54:21 +0800 
From: Eugene Grosbein To: "Jason L. Schwab" Cc: freebsd-security@FreeBSD.ORG Subject: Re: login failure question Message-ID: <20010718005421.A1615@grosbein.pp.ru> References: <20010717094033.F3123-100000@mirage.jlschwab.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010717094033.F3123-100000@mirage.jlschwab.com>; from jlschwab@jlschwab.com on Tue, Jul 17, 2001 at 09:43:23AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 17, 2001 at 09:43:23AM -0600, Jason L. Schwab wrote: > What I am wondering is, is there a way, for like after 10 invalid > logins from the same host/ip (mask?) can I have login run an ipfw > command and block them for like 24 hours or something? I can do > the 24 thing, I just need to know how to have login run whatever > script I want it to call. You can use syslogd to implement this. man syslog.conf explains how to run your application for an event. This application should keep statistics and run an ipfw command when needed. Eugene Grosbein To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 10:15:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail11.sdc1.sfba.home.com (femail11.sdc1.sfba.home.com [24.0.95.107]) by hub.freebsd.org (Postfix) with ESMTP id 5808037B401 for ; Tue, 17 Jul 2001 10:15:47 -0700 (PDT) (envelope-from btdang@home.com) Received: from home.com ([24.248.85.196]) by femail11.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010717171545.TQQK18785.femail11.sdc1.sfba.home.com@home.com>; Tue, 17 Jul 2001 10:15:45 -0700 Message-ID: <3B5473FD.7D32070C@home.com> Date: Tue, 17 Jul 2001 10:21:01 -0700 
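The syslogd-driven approach Eugene Grosbein describes above (syslogd pipes the messages to a program, the program keeps the statistics and calls ipfw), as an added example that is not code from the thread. It is a shell script that reads syslog lines on stdin, counts failed logins per source address in awk, and adds an ipfw deny rule the moment a source reaches the threshold. The syslog.conf hook, the rule number 5000, and the two log-line formats it matches are assumptions; the sample lines are constructed, not real log data.

```shell
#!/bin/sh
# Added example, not code from the thread: a syslogd pipe consumer that
# counts failed logins per source address and adds an ipfw deny rule once
# a source reaches THRESHOLD. Assumed hook in /etc/syslog.conf (FreeBSD
# syslogd "|" action, see syslog.conf(5)):
#   auth.info;authpriv.info     |/usr/local/sbin/blockfail.sh run
# The log formats matched below are constructed approximations of sshd and
# login(1) messages; check them against your own /var/log/auth.log first.

THRESHOLD="${THRESHOLD:-10}"
RULE="${RULE:-5000}"        # one ipfw rule number shared by every auto-block
DRYRUN="${DRYRUN:-}"        # non-empty: print the ipfw command instead of running it

# Run ipfw(8), or print what would run.
run() {
    if [ -n "$DRYRUN" ]; then echo "ipfw $*"; else ipfw "$@"; fi
}

# Read syslog lines on stdin as syslogd delivers them. Counts live in awk
# memory, so a block fires the moment the Nth failure arrives rather than
# when the pipe closes, and each source is blocked exactly once.
# Matched formats (assumed):
#   sshd:     "... sshd[123]: Failed password for root from 192.0.2.1 port 1234 ssh2"
#   login(1): "... login: 2 LOGIN FAILURES FROM 192.0.2.1, root"
watch_failures() {
    awk -v t="$THRESHOLD" '
    {
        ip = ""
        if ($0 ~ /sshd\[[0-9]+\]: Failed .* from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ &&
            match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            ip = substr($0, RSTART + 5, RLENGTH - 5)
        else if ($0 ~ /login: [0-9]+ LOGIN FAILURES? FROM [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ &&
            match($0, /FROM [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            ip = substr($0, RSTART + 5, RLENGTH - 5)
        if (ip == "") next
        if (++seen[ip] == t) { print ip; fflush() }
    }' | while read -r ip; do
        run add "$RULE" deny ip from "$ip" to any
    done
}

# Lift the blocks again after the 24-hour window. Every auto-block shares
# RULE, so one delete clears them all; run this once a day from cron(8).
# Use distinct rule numbers instead if per-source expiry matters.
unblock_all() {
    run delete "$RULE"
}

# Constructed sample input for a dry run (not real log data).
SAMPLE_LOG='Jul 17 09:40:31 mirage sshd[3123]: Failed password for root from 192.168.1.5 port 3456 ssh2
Jul 17 09:40:33 mirage sshd[3123]: Failed password for root from 192.168.1.5 port 3456 ssh2
Jul 17 09:40:35 mirage login: 1 LOGIN FAILURE FROM 192.168.1.5, root
Jul 17 09:40:36 mirage sshd[3130]: Failed password for admin from 10.9.8.7 port 1024 ssh2
Jul 17 09:40:40 mirage sshd[3131]: Accepted publickey for jlschwab from 10.9.8.7 port 1025 ssh2'

case "${1:-}" in
    run)  watch_failures ;;
    demo) printf '%s\n' "$SAMPLE_LOG" | THRESHOLD=3 DRYRUN=1 watch_failures ;;
esac
```

`sh blockfail.sh demo` prints the single command the three failures from 192.168.1.5 would trigger. Two caveats a practitioner would add: syslogd restarts the pipe program if it exits, so the counts reset at that point, and a forged source address in a log line is harmless only because the script blocks on what the kernel logged, not on anything the client sends; do not extend the patterns to fields the remote side controls (such as the claimed username) without re-checking that.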
From: Bruce Dang Organization: Boys & Girls Clubs X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: "Jason L. Schwab" Cc: freebsd-security@FreeBSD.ORG Subject: Re: login failure question References: <20010717094033.F3123-100000@mirage.jlschwab.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jason, You might want to look at the login.conf(5) man page. Regarding the scans: in today's Internet, there are 349067239460723986 leeto kids running around scanning for leeto exploits, so getting scanned on a daily basis is NORMAL now ;). So the best you can do is block those IPs. A good way of logging this stuff is setting net.inet.tcp.log_in_vain=1 net.inet.udp.log_in_vain=1 via sysctl(8). Btw, if you are running telnet, I suggest you close that and use ssh instead. Bruce Dang www.tbug.org "Jason L. Schwab" wrote: > > Hiya; > > I run multiple servers running FreeBSD 4.X-S (most of them 4.3-S). > Lately, I have been getting a lot of brute force attempts to log > into my machine, not that I care, because they don't have a chance > of logging in, also I have been getting a lot of port scans, well > the port scans I took care of via portsentry and ipfw (freebsd's > firewall). > > What I am wondering is, is there a way, for like after 10 invalid > logins from the same host/ip (mask?) can I have login run an ipfw > command and block them for like 24 hours or something? I can do > the 24 thing, I just need to know how to have login run whatever > script I want it to call. > > Thanks a million. > > - > > Jason L. 
Schwab --> > Unix Systems Administrator && Perl Programmer > My PGP Key: finger jlschwab@jlschwab.com > > - > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 10:26: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx6.port.ru (mx6.port.ru [194.67.23.42]) by hub.freebsd.org (Postfix) with ESMTP id 01FF037B403 for ; Tue, 17 Jul 2001 10:25:40 -0700 (PDT) (envelope-from mnvhome@mail.ru) Received: from f4.int ([10.0.0.51] helo=f4.mail.ru) by mx6.port.ru with esmtp (Exim 3.14 #1) id 15MYbJ-0009hC-00 for security@freebsd.org; Tue, 17 Jul 2001 21:25:37 +0400 Received: from mail by f4.mail.ru with local (Exim 3.14 #1) id 15MYbJ-000P1q-00 for security@freebsd.org; Tue, 17 Jul 2001 21:25:37 +0400 Received: from [212.35.160.177] by koi.mail.port.ru with HTTP; Tue, 17 Jul 2001 17:25:37 +0000 (GMT) From: "Nick Maschenko" To: security@freebsd.org Subject: Fw: Re: A question about FreeBSD security Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: unknown via proxy [212.35.160.177] Reply-To: "Nick Maschenko" Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: Date: Tue, 17 Jul 2001 21:25:37 +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----Original Message----- 
From: Kris Kennaway To: Nick Maschenko Date: Tue, 17 Jul 2001 09:45:04 -0700 Subject: Re: A question about FreeBSD security > Ask on security@freebsd.org > > On Tue, Jul 17, 2001 at 03:38:16PM +0400, Nick Maschenko wrote: > > Hello Kris. > > Sorry if my question is too stupid. :-) > > If it is possible for you, would you advise me on the following: > > 1) some URLs about packet filtering in FreeBSD (ipfw); > > examples of good ipfw firewalls are preferred. > > 2) does the FreeBSD kernel implement defence against some DoS > > attacks like smurf, broadcast, some types of > > flooding? > > I know and I use the Linux 2.4.x branch with iptables, which can prevent some DoS attacks by using its built-in mechanism. Does FreeBSD do something like this? For example, I saw how "she" :-) rejects > > a burst of RST/ACK packets while NMap scanning (stealth scan). If you do not want to answer in detail, please advise me of some URL(s) where I can read about this myself. > > Best regards. Nick. > > > > --- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 10:43: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from stuart.microshaft.org (ns1.microshaft.org [208.201.249.2]) by hub.freebsd.org (Postfix) with ESMTP id 0C78D37B406 for ; Tue, 17 Jul 2001 10:43:02 -0700 (PDT) (envelope-from jono@stuart.microshaft.org) Received: (from jono@localhost) by stuart.microshaft.org (8.9.3/8.9.3) id KAA46145; Tue, 17 Jul 2001 10:42:27 -0700 (PDT) (envelope-from jono) Date: Tue, 17 Jul 2001 10:42:27 -0700 
From: "Jon O ."
To: Artur Meski
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Exec logging, FreeBSD Kernel Module.
Message-ID: <20010717104227.A46090@networkcommand.com>
Reply-To: jono@networkcommand.com
In-Reply-To: <20010717123422.A97994@rapid.black.pl>

See below:

# man watch
WATCH(8)                FreeBSD System Manager's Manual               WATCH(8)

NAME
     watch - snoop on another tty line

SYNOPSIS
     watch [-ciotnW] [tty]

DESCRIPTION
     Watch allows the superuser to examine all data coming through a specified
     tty. Watch writes to standard output.

# man snp
SNP(4)                 FreeBSD Kernel Interfaces Manual                 SNP(4)

NAME
     snp - tty snoop interface

SYNOPSIS
     #include

On 17-Jul-2001, Artur Meski wrote:
> Hi.
>
> I'm looking for FreeBSD Kernel Module, which will log all executed commands
> by users. Could somebody help me?
>
> --
> Artur Meski [glash@freebsd.net.pl] [tel +48606494552] [http://glash.black.pl/]

From owner-freebsd-security Tue Jul 17 10:49:30 2001
Date: Tue, 17 Jul 2001 10:49:12 -0700 (PDT)
Message-Id: <200107171749.f6HHnCl52513@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:48.tcpdump
Reply-To: security-advisories@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:48                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          tcpdump contains remote buffer overflow

Category:       core
Module:         tcpdump
Announced:      2001-07-17
Credits:        Nick Cleaton
Affects:        All releases of FreeBSD 4.x prior to 4.4,
                FreeBSD 4.3-STABLE prior to the correction date
                FreeBSD 3.x is unaffected.
Corrected:      2001-07-09
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

tcpdump is a tool for monitoring network traffic activity.

II.  Problem Description

An overflowable buffer was found in the version of tcpdump included with
FreeBSD 4.x. Due to incorrect string length handling in the decoding of AFS
RPC packets, a remote user may be able to overflow a buffer causing the
local tcpdump process to crash. In addition, it may be possible to execute
arbitrary code with the privileges of the user running tcpdump, often root.

The effects of this vulnerability are similar to those described in
advisory FreeBSD-SA-00:61.tcpdump.v1.1.

All released versions of FreeBSD prior to the correction date including
4.3-RELEASE are vulnerable to this problem, however it does not affect the
FreeBSD 3.x branch which includes an older version of tcpdump.

III. Impact

Remote users can cause the local tcpdump process to crash, and may be able
to cause arbitrary code to be executed as the user running tcpdump, often
root.

IV.  Workaround

Do not use vulnerable versions of tcpdump in network environments which may
contain packets from untrusted sources.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3
security branch after the respective correction dates.

2) FreeBSD 4.x systems prior to the correction date:

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:48/tcpdump-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:48/tcpdump-4.x.patch.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide
testing and feedback on the binary upgrade process. This package may be
installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on
systems for which source patching is not practical or convenient. If you
use the upgrade package, feedback (positive or negative) is requested to
security-officer@FreeBSD.org so we can improve the process for future
advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be reinstalled
if the package is removed, reverting the system to a pre-patched state.

Two versions of the upgrade package are available, depending on whether or
not the system has openssl installed.
To verify whether your system has openssl installed, perform the following
command:

# ls /usr/bin/openssl

Possible responses:

/usr/bin/openssl                                 # This response indicates
                                                 # you have openssl present

ls: /usr/bin/openssl: No such file or directory  # This response indicates
                                                 # you do not have openssl
                                                 # present

3a) If OpenSSL is not present

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:48/security-patch-tcpdump-nossl-01.48.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:48/security-patch-tcpdump-nossl-01.48.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-tcpdump-nossl-01.48.tgz

3b) If OpenSSL is present

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:48/security-patch-tcpdump-ssl-01.48.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:48/security-patch-tcpdump-ssl-01.48.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-tcpdump-ssl-01.48.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO1R5i1UuHi5z0oilAQFdCQQAhFUzYA7plZN1O0rK/iU/jPaoCqM0KDPP
Vdg+3zP8I5Vovdbxdns1DVefI3PVhZbLwh8E0ZnEz544FB5atiYsRiqQxuoEMZiN
1JSRHUOIYyAChtIUZY1JV9eF8GfemWaAcgNp7mNWYKl7dUn0nYERfTO92YNm+l7M
3nNvOwkhqLU=
=PrXC
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jul 17 10:53:37 2001
Message-ID:
<003801c10ee9$5f897fa0$0201a8c0@unstable.org>
From: "Klik"
To: "Ralph Huntington", "Simon Bozic"
Subject: Re: named crushes
Date: Tue, 17 Jul 2001 13:53:22 -0400

If this is a small nameserver, you're better off upgrading to 9.1.

----- Original Message -----
From: "Ralph Huntington"
To: "Simon Bozic"
Sent: Tuesday, July 17, 2001 11:47 AM
Subject: Re: named crushes

> Your named is likely being crashed from the outside. There is a
> vulnerability in that version (and all earlier versions). You must upgrade
> either to 8.2.3-REL or 9.1
>
> On Tue, 17 Jul 2001, Simon Bozic wrote:
>
> > hello
> >
> > from time to time my named crashes, here's the log output
> > Jul 17 03:32:02 home /kernel: pid 14724 (named), uid 0: exited on signal 11
> > (core dumped)
> >
> > named version is : named 8.2.3-T6B
> >
> > anyone can help?
> >
> > 10x

From owner-freebsd-security Tue Jul 17 10:58:10 2001
Date: Tue, 17 Jul 2001 13:56:26 -0400 (EDT)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: Jason DiCioccio, "'Artur Meski'", freebsd-security@FreeBSD.ORG, robert@watson.org
Subject: Re: Exec logging, FreeBSD Kernel Module.
In-Reply-To: <20010717095535.A78558@xor.obsecurity.org>

I basically got a 0 response to my initial SPY reply, so I will attempt to
mention it here again, and throw Robert's name on it.

AFAIK, at USENIX there was a BoF for those working on kernel related
security features (Trusted patch sets, other) to speak their minds on 1)
what they were doing and 2) to attempt to start to come up with some sort
of cross-OS standard for having "hooks" into kernel code. This would allow
for easy coding of kernel related features that could be cross-OS allowing
for only recoding of possible OS specific pieces (which would be greatly
lessened after this standard interface was in place).

Anyway, what I had been wondering was whether or not there were some useful
conclusions actually made from that BoF... These would be useful in
something like SPY -- or some work that I'm doing -- so that they can
attempt to conform to a standard from the beginning.

Anyone have any thoughts on 1) what happened at the BoF and 2) future of
kernel hook standards in fbsd?

Andrew

On Tue, 17 Jul 2001, Kris Kennaway wrote:

> On Tue, Jul 17, 2001 at 09:37:22AM -0700, Jason DiCioccio wrote:
> >
> > Try reading up on process accounting :-)
>
> Process accounting isn't intended as a security audit feature.
>
> Kris

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N.
Whitehead

From owner-freebsd-security Tue Jul 17 12:07:09 2001
From: nathan@corp.wac.com
To: "jono@networkcommand.com"
Subject: Re: Exec logging, FreeBSD Kernel Module.
Message-ID: <003401c10ef4$4b631bc0$f5c8a8c0@NATHAN>
Date: Tue, 17 Jul 2001 12:11:25 -0700

To reply to your last message.. I've never been able to get watch to work
properly. Has anyone else?

----- Original Message -----
From: "Jon O ."
To: "Artur Meski"
Sent: Tuesday, July 17, 2001 10:42 AM
Subject: Re: Exec logging, FreeBSD Kernel Module.

> See below:
> [...]

From owner-freebsd-security Tue Jul 17 12:09:58 2001
From: "Antoine Beaupre (LMC)"
To: nathan@corp.wac.com
Cc: "jono@networkcommand.com", freebsd-security@FreeBSD.ORG
Message-ID: <3B548D46.2000909@lmc.ericsson.se>
Date: Tue, 17 Jul 2001 15:08:54 -0400
Subject: Re: Exec logging, FreeBSD Kernel Module.

Works fine here.

nathan@corp.wac.com wrote:
> To reply to your last message.. I've never been able to get watch to work
> properly. Has anyone else?
>
> ----- Original Message -----
> From: "Jon O ."
> To: "Artur Meski"
> Sent: Tuesday, July 17, 2001 10:42 AM
> Subject: Re: Exec logging, FreeBSD Kernel Module.
>
>> See below:
>> [...]

--
Antoine Beaupré
Jambala TCM team
Ericsson Canada inc.
mailto:antoine.beaupre@ericsson.ca

From owner-freebsd-security Tue Jul 17 12:11:08 2001
From: "Steven Ames"
To: "jono@networkcommand.com"
Message-ID: <020f01c10ef3$db082370$50038c3f@eservoffice.com>
Subject: Re: Exec logging, FreeBSD Kernel Module.
Date: Tue, 17 Jul 2001 14:08:25 -0500

Sure. However you have to have 'snp' devices configured into the kernel.

    device snp

In 4.X that may read something more like:

    device snp 1

I don't remember.

-Steve

----- Original Message -----
From: nathan@corp.wac.com
To: "jono@networkcommand.com"
Sent: Tuesday, July 17, 2001 2:11 PM
Subject: Re: Exec logging, FreeBSD Kernel Module.

> To reply to your last message.. I've never been able to get watch to work
> properly. Has anyone else?
>
> ----- Original Message -----
> From: "Jon O ."
> To: "Artur Meski"
> Sent: Tuesday, July 17, 2001 10:42 AM
> Subject: Re: Exec logging, FreeBSD Kernel Module.
>
> > See below:
> > [...]

From owner-freebsd-security Tue Jul 17 12:11:21 2001
Message-ID: <004001c10ef4$e1df6e50$f5c8a8c0@NATHAN>
From: nathan@corp.wac.com
To: "Antoine Beaupre (LMC)"
Subject: Re: Exec logging, FreeBSD Kernel Module.
Date: Tue, 17 Jul 2001 12:15:46 -0700

Care to give a little insight? Steps that you've taken, etc.? If you don't
mind, that is. ;)

Thanks,
Nathan.

----- Original Message -----
From: "Antoine Beaupre (LMC)"
To: nathan@corp.wac.com
Cc: "jono@networkcommand.com"
Sent: Tuesday, July 17, 2001 12:08 PM
Subject: Re: Exec logging, FreeBSD Kernel Module.

> Works fine here.
>
> nathan@corp.wac.com wrote:
> > To reply to your last message.. I've never been able to get watch to work
> > properly. Has anyone else?
> >
> > ----- Original Message -----
> > From: "Jon O ."
> > To: "Artur Meski"
> > Sent: Tuesday, July 17, 2001 10:42 AM
> > Subject: Re: Exec logging, FreeBSD Kernel Module.
> >
> >> See below:
> >> [...]
>
> --
> Antoine Beaupré
> Jambala TCM team
> Ericsson Canada inc.
> mailto:antoine.beaupre@ericsson.ca

From owner-freebsd-security Tue Jul 17 12:12:54 2001
From: nathan@corp.wac.com
Message-ID: <004801c10ef5$1d3a9740$f5c8a8c0@NATHAN>
In-Reply-To: <3B548D87.92EBEAD7@centtech.com>
Subject: Re: Exec logging, FreeBSD Kernel Module.
Date: Tue, 17 Jul 2001 12:17:25 -0700

Actually, to reply to those messages.. I did compile the snp p-device into
my kernel. I'm using FreeBSD 4.2-RELEASE #1...

----- Original Message -----
From: "Eric Anderson"
To: nathan@corp.wac.com
Cc: "jono@networkcommand.com"
Sent: Tuesday, July 17, 2001 12:09 PM
Subject: Re: Exec logging, FreeBSD Kernel Module.

> Did you compile the snp pseudo-devices into your kernel, and make the
> devices?
>
> Works great for me..
>
> Eric
>
> nathan@corp.wac.com wrote:
> >
> > To reply to your last message.. I've never been able to get watch to work
> > properly. Has anyone else?
> >
> > ----- Original Message -----
> > From: "Jon O ."
> > To: "Artur Meski"
> > Sent: Tuesday, July 17, 2001 10:42 AM
> > Subject: Re: Exec logging, FreeBSD Kernel Module.
> >
> > > See below:
> > > [...]
>
> --
> -------------------------------------------------------------------------------
> Eric Anderson      anderson@centtech.com      Centaur Technology      (512) 418-5792
> For every complex problem, there is a solution that is simple, neat, and
> wrong.
> -------------------------------------------------------------------------------

From owner-freebsd-security Tue Jul 17 12:33:31 2001
Date: Tue, 17 Jul 2001 14:33:35 -0500 (CDT)
From: Emily Ratliff
To: "Andrew R. Reiter"
Cc: Kris Kennaway, Jason DiCioccio, "'Artur Meski'"
Subject: Re: Exec logging, FreeBSD Kernel Module.

On Tue, 17 Jul 2001, Andrew R. Reiter wrote:
> Anyone have any thoughts on 1) what happened at the BoF and 2) future of
> kernel hook standards in fbsd?

Assuming you are talking about the Kernel Security Extensions BoF see
http://lwn.net/2001/0704/security.php3
for a LWN write-up about it. Linked off of that page is my summary of the
BoF which was posted to the (Linux) Loadable Security Module mailing list
linked off of that page.

After the initial presentations, the discussion focused around the LSM
effort. The homepage for LSM is http://lsm.immunix.org/

Emily

Emily Ratliff
IBM Linux Technology Center, Security

From owner-freebsd-security Tue Jul 17 12:33:35 2001
Date: Tue, 17 Jul 2001 15:31:45 -0400 (EDT)
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Exec logging, FreeBSD Kernel Module.
In-Reply-To: <004801c10ef5$1d3a9740$f5c8a8c0@NATHAN>

> Actually, to reply to those messages.. I did compile the snp p-device
> into my kernel.

You also have to actually make the snp device nodes- /dev/MAKEDEV

If you haven't done that already, it probably will help. This is more fully
documented in the handbook or somewhere else on freebsd.org, but I can't
find the reference just now.

-=Jim=-

From owner-freebsd-security Tue Jul 17 12:46:01 2001
Date: Tue, 17 Jul 2001 15:43:37 -0400 (EDT)
From: "Andrew R. Reiter"
To: Emily Ratliff
Cc: Kris Kennaway, Jason DiCioccio, "'Artur Meski'", freebsd-security@FreeBSD.ORG, robert@watson.org
Subject: Re: Exec logging, FreeBSD Kernel Module.

Yes, this is exactly what I was speaking of... Thanks for the URL.

On Tue, 17 Jul 2001, Emily Ratliff wrote:

> On Tue, 17 Jul 2001, Andrew R. Reiter wrote:
> > Anyone have any thoughts on 1) what happened at the BoF and 2) future of
> > kernel hook standards in fbsd?
> Assuming you are talking about the Kernel Security Extensions BoF see
> http://lwn.net/2001/0704/security.php3
> for a LWN write-up about it. Linked off of that page is my summary of the
> BoF which was posted to the (Linux) Loadable Security Module mailing list
> linked off of that page.
>
> After the initial presentations, the discussion focused around the LSM
> effort. The homepage for LSM is http://lsm.immunix.org/
>
> Emily
>
> Emily Ratliff
> IBM Linux Technology Center, Security

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N.
Whitehead To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 12:49: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.taloncc.com (ns.taloncc.com [208.149.58.8]) by hub.freebsd.org (Postfix) with SMTP id D0F6D37B406 for ; Tue, 17 Jul 2001 12:48:55 -0700 (PDT) (envelope-from nathan@corp.wac.com) Received: (qmail 5437 invoked from network); 17 Jul 2001 19:52:57 -0000 Received: from wall.lodinet.com (HELO NATHAN) (206.151.38.45) by ns.taloncc.com with SMTP; 17 Jul 2001 19:52:57 -0000 Message-ID: <008e01c10efa$29d98a60$f5c8a8c0@NATHAN> From: To: References: <20010717123422.A97994@rapid.black.pl> <20010717104227.A46090@networkcommand.com> <003401c10ef4$4b631bc0$f5c8a8c0@NATHAN> <020f01c10ef3$db082370$50038c3f@eservoffice.com> Subject: Re: Exec logging, FreeBSD Kernel Module. Date: Tue, 17 Jul 2001 12:53:34 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org got everything working with watch, i guess i've been too drunk to notice that i didn't do a damn MAKEDEV.. sorry about that. i figured i did. =\ have a great day. ----- Original Message ----- From: "Steven Ames" To: ; "jono@networkcommand.com" Cc: Sent: Tuesday, July 17, 2001 12:08 PM Subject: Re: Exec logging, FreeBSD Kernel Module. > Sure. However you have to have 'snp' devices configured into the kernel. > > device snp > > In 4.X that may read something more like: > > device snp 1 > > I don't remember. > > -Steve > > ----- Original Message ----- 
> From: > To: "jono@networkcommand.com" > Cc: > Sent: Tuesday, July 17, 2001 2:11 PM > Subject: Re: Exec logging, FreeBSD Kernel Module. > > > > > > to reply to your last message.. i've never been able to get watch to work > > properly. has anyone else? > > > > > > ----- Original Message ----- 
> > From: "Jon O ." > > To: "Artur Meski" > > Cc: > > Sent: Tuesday, July 17, 2001 10:42 AM > > Subject: Re: Exec logging, FreeBSD Kernel Module. > > > > > > > See below: > > > > > > > > > # man watch > > > WATCH(8) FreeBSD System Manager's Manual > > WATCH(8) > > > > > > NAME > > > watch - snoop on another tty line > > > > > > SYNOPSIS > > > watch [-ciotnW] [tty] > > > > > > DESCRIPTION > > > Watch allows the superuser to examine all data coming through a > > specified > > > tty. Watch writes to standard output. > > > > > > > > > > > > # man snp > > > SNP(4) FreeBSD Kernel Interfaces Manual > > SNP(4) > > > > > > NAME > > > snp - tty snoop interface > > > > > > SYNOPSIS > > > #include > > > > > > > > > > > > > > > On 17-Jul-2001, Artur Meski wrote: > > > > Hi. > > > > > > > > I'm looking for FreeBSD Kernel Module, which will log all executed > > commands > > > > by users. Could somebody help me? > > > > > > > > -- > > > > Artur Meski [glash@freebsd.net.pl] [tel +48606494552] > > [http://glash.black.pl/] > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 13: 5:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from stevie.loop.com (stevie.loop.com [207.211.60.71]) by hub.freebsd.org (Postfix) with ESMTP id D27A937B403 for ; Tue, 17 Jul 2001 13:05:17 -0700 (PDT) (envelope-from dwplists@loop.com) Received: from Elektra.loop.com 
(elektra.loop.com [207.211.60.33]) by stevie.loop.com (8.9.3/8.9.3) with SMTP id NAA30535 for ; Tue, 17 Jul 2001 13:05:12 -0700 (PDT) Message-ID: <03a401c10efb$dd2eda60$213cd3cf@loop.com> 
From: "D. W. Piper" To: References: <200105181518.WAA12362@bazooka.cs.ait.ac.th> <046c01c0dfc0$833e7fc0$213cd3cf@loop.com> Subject: Another question on IPFW Rule -1 Date: Tue, 17 Jul 2001 13:05:39 -0700 Organization: The Loop Internet MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Originally I'd asked whether IPFW rule -1 always indicated an attack because for the last few weeks we've been seeing the following entries in the IPFW logs on two of our servers: ipfw: -1 Refuse TCP aaa.bbb.ccc.ddd www.xxx.yyy.zzz in via de0 Fragment = 184 Yesterday for example it happened for about 25 minutes on the primary mail server, then when it stopped happening on that server it happened for about 20 minutes on one of our secondary mail servers. As I said earlier, this has been going on for the last few weeks, always from the same IP address, always to the same two of our servers, and always with "Fragment = 184". Can anyone shed any light on what's going on here? Is it significant that it's always "Fragment = 184"? (Is that the number of the fragment, or if not what does it mean?) 
Thank you, David To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 14:26:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from dros.delnoch.net (dros.delnoch.net [66.22.112.8]) by hub.freebsd.org (Postfix) with ESMTP id 7206337B406 for ; Tue, 17 Jul 2001 14:26:22 -0700 (PDT) (envelope-from jeffi@rcn.com) Received: from localhost (jeff@localhost) by dros.delnoch.net (8.11.4/8.11.4) with SMTP id f6HLP9J59886; Tue, 17 Jul 2001 17:25:10 -0400 (EDT) (envelope-from jeffi@rcn.com) X-Authentication-Warning: dros.delnoch.net: jeff owned process doing -bs Date: Tue, 17 Jul 2001 17:25:09 -0400 (EDT) From: Jeff Ito X-Sender: jeff@dros.delnoch.net To: nathan@corp.wac.com Cc: freebsd-security@freebsd.org Subject: Re: Exec logging, FreeBSD Kernel Module. In-Reply-To: <008e01c10efa$29d98a60$f5c8a8c0@NATHAN> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org if you look at the LINT file this is listed: pseudo-device snp 3 #Snoop device - to look at pty/vty/etc.. --- Jeff > got everything working with watch, i guess i've been to drunk to notice that > i > didn't do a damn MAKEDEV.. sorry about that. i figured i did. =\ > > have a great day. > > > ----- Original Message ----- > From: "Steven Ames" > To: ; "jono@networkcommand.com" > Cc: > Sent: Tuesday, July 17, 2001 12:08 PM > Subject: Re: Exec logging, FreeBSD Kernel Module. > > > > Sure. However you have to have 'snp' devices configured into the kernel. > > > > device snp > > > > In 4.X that may read something more like: > > > > device snp 1 > > > > I don't remember. > > > > -Steve > > > > ----- Original Message ----- 
> > From: > > To: "jono@networkcommand.com" > > Cc: > > Sent: Tuesday, July 17, 2001 2:11 PM > > Subject: Re: Exec logging, FreeBSD Kernel Module. > > > > > > > > > > to reply to your last message.. i've never been able to get watch to > work > > > properly. has anyone else? > > > > > > > > > ----- Original Message ----- 
> > > From: "Jon O ." > > > To: "Artur Meski" > > > Cc: > > > Sent: Tuesday, July 17, 2001 10:42 AM > > > Subject: Re: Exec logging, FreeBSD Kernel Module. > > > > > > > > > > See below: > > > > > > > > > > > > # man watch > > > > WATCH(8) FreeBSD System Manager's Manual > > > WATCH(8) > > > > > > > > NAME > > > > watch - snoop on another tty line > > > > > > > > SYNOPSIS > > > > watch [-ciotnW] [tty] > > > > > > > > DESCRIPTION > > > > Watch allows the superuser to examine all data coming through a > > > specified > > > > tty. Watch writes to standard output. > > > > > > > > > > > > > > > > # man snp > > > > SNP(4) FreeBSD Kernel Interfaces Manual > > > SNP(4) > > > > > > > > NAME > > > > snp - tty snoop interface > > > > > > > > SYNOPSIS > > > > #include > > > > > > > > > > > > > > > > > > > > On 17-Jul-2001, Artur Meski wrote: > > > > > Hi. > > > > > > > > > > I'm looking for FreeBSD Kernel Module, which will log all executed > > > commands > > > > > by users. Could somebody help me? 
> > > > > > > > > > -- > > > > > Artur Meski [glash@freebsd.net.pl] [tel +48606494552] > > > [http://glash.black.pl/] > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 14:41:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id D8A2137B403 for ; Tue, 17 Jul 2001 14:41:37 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 0A6871C4D; Tue, 17 Jul 2001 23:39:52 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id B77B2545D; Tue, 17 Jul 2001 23:39:52 +0200 (CEST) Date: Tue, 17 Jul 2001 23:39:52 +0200 (CEST) 
From: Krzysztof Zaraska To: Ralph Huntington Cc: Simon Bozic , freebsd-security@FreeBSD.ORG Subject: Re: named crushes In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 17 Jul 2001, Ralph Huntington wrote: > Your named is likely being crashed from the outside. There is a > vulnerability in that version (and all earlier versions). You must upgrade > either to 8.2.3-REL or 9.1 Personally I would also recommend doing some kind of integrity checking on the machine. Since these crashes may be exploit attempts, some could be successful, and in that case the machine could have been backdoored. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 18:17:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 401B037B405 for ; Tue, 17 Jul 2001 18:17:08 -0700 (PDT) (envelope-from anderson@centtech.com) Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id OAA05718; Tue, 17 Jul 2001 14:10:24 -0500 (CDT) Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma005640; Tue, 17 Jul 01 14:09:57 -0500 Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id OAA05271; Tue, 17 Jul 2001 14:09:57 -0500 (CDT) Message-ID: <3B548D87.92EBEAD7@centtech.com> Date: Tue, 17 Jul 2001 14:09:59 -0500 
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686) X-Accept-Language: en MIME-Version: 1.0 To: nathan@corp.wac.com Cc: "jono@networkcommand.com" , freebsd-security@freebsd.org Subject: Re: Exec logging, FreeBSD Kernel Module. References: <20010717123422.A97994@rapid.black.pl> <20010717104227.A46090@networkcommand.com> <003401c10ef4$4b631bc0$f5c8a8c0@NATHAN> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Did you compile the snp pseudo-devices into your kernel, and make the devices? Works great for me.. Eric nathan@corp.wac.com wrote: > > to reply to your last message.. i've never been able to get watch to work > properly. has anyone else? > > ----- Original Message ----- 
> From: "Jon O ." > To: "Artur Meski" > Cc: > Sent: Tuesday, July 17, 2001 10:42 AM > Subject: Re: Exec logging, FreeBSD Kernel Module. > > > See below: > > > > > > # man watch > > WATCH(8) FreeBSD System Manager's Manual > WATCH(8) > > > > NAME > > watch - snoop on another tty line > > > > SYNOPSIS > > watch [-ciotnW] [tty] > > > > DESCRIPTION > > Watch allows the superuser to examine all data coming through a > specified > > tty. Watch writes to standard output. > > > > > > > > # man snp > > SNP(4) FreeBSD Kernel Interfaces Manual > SNP(4) > > > > NAME > > snp - tty snoop interface > > > > SYNOPSIS > > #include > > > > > > > > > > On 17-Jul-2001, Artur Meski wrote: > > > Hi. > > > > > > I'm looking for FreeBSD Kernel Module, which will log all executed > commands > > > by users. Could somebody help me? > > > > > > -- > > > Artur Meski [glash@freebsd.net.pl] [tel +48606494552] > [http://glash.black.pl/] > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792 For every complex problem, there is a solution that is simple, neat, and wrong. 
------------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 22:39:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from swan.mail.pas.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id 5D3FC37B401 for ; Tue, 17 Jul 2001 22:39:50 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.244.107.178.Dial1.SanJose1.Level3.net [209.244.107.178]) by swan.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id WAA11568; Tue, 17 Jul 2001 22:39:46 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f6I5dfO01890; Tue, 17 Jul 2001 22:39:41 -0700 (PDT) (envelope-from cjc) Date: Tue, 17 Jul 2001 22:39:40 -0700 
From: "Crist J. Clark" To: "D. W. Piper" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Another question on IPFW Rule -1 Message-ID: <20010717223940.A437@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <200105181518.WAA12362@bazooka.cs.ait.ac.th> <046c01c0dfc0$833e7fc0$213cd3cf@loop.com> <03a401c10efb$dd2eda60$213cd3cf@loop.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <03a401c10efb$dd2eda60$213cd3cf@loop.com>; from dwplists@loop.com on Tue, Jul 17, 2001 at 01:05:39PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 17, 2001 at 01:05:39PM -0700, D. W. Piper wrote: > Originally I'd asked whether IPFW rule -1 always indicated an attack > because for the last few weeks we've been seeing the following entries > in the IPFW logs on two of our servers: > > ipfw: -1 Refuse TCP aaa.bbb.ccc.ddd www.xxx.yyy.zzz in via de0 Fragment > = 184 > > Yesterday for example it happened for about 25 minutes on the primary > mail server, then when it stopped happening on that server it happened > for about 20 minutes on one of our secondary mail servers. > > As I said earlier, this has been going on for the last few weeks, always > from the same IP address, always to the same two of our servers, and > always with "Fragment = 184". > > Can anyone shed any light on what's going on here? > > Is it significant that it's always "Fragment = 184"? (Is that the > number of the fragment, or if not what does it mean?) It's the offset. The data in the fragment should be placed at an offset of 1472 bytes in the reassembled datagram. This is not a "bogus frag" as described in the manpage. I think it's probably a runt packet. -- Crist J. 
Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 17 22:47:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from sbtx.tmn.ru (sbtx.tmn.ru [212.76.160.49]) by hub.freebsd.org (Postfix) with ESMTP id C1FD537B405 for ; Tue, 17 Jul 2001 22:47:40 -0700 (PDT) (envelope-from serg@sbtx.tmn.ru) Received: from sv.tech.sibitex.tmn.ru (sv.tech.sibitex.tmn.ru [212.76.160.59]) by sbtx.tmn.ru (8.11.3/8.11.3) with ESMTP id f6I5lcc81806; Wed, 18 Jul 2001 11:47:38 +0600 (YEKST) (envelope-from serg@sbtx.tmn.ru) Received: (from serg@localhost) by sv.tech.sibitex.tmn.ru (8.11.4/8.11.4) id f6I5lba54089; Wed, 18 Jul 2001 11:47:37 +0600 (YEKST) (envelope-from serg) Date: Wed, 18 Jul 2001 11:47:37 +0600 From: "Sergey N. Voronkov" To: Nick Maschenko Cc: security@FreeBSD.ORG Subject: Re: Fw: Re: A question about FreeBSD security Message-ID: <20010718114737.A53934@sv.tech.sibitex.tmn.ru> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mnvhome@mail.ru on Tue, Jul 17, 2001 at 09:25:37PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 17, 2001 at 09:25:37PM +0400, Nick Maschenko wrote: > > -----Original Message----- 
> From: Kris Kennaway > To: Nick Maschenko > Date: Tue, 17 Jul 2001 09:45:04 -0700 > Subject: Re: A question about FreeBSD security > > > Ask on security@freebsd.org > > > > On Tue, Jul 17, 2001 at 03:38:16PM +0400, Nick Maschenko wrote: > > > Hello Kris. > > > Sorry if my question is too stupid. :-) > > > If it is possible for you, would you like to advise me following: > > > 1) some URLs about packet filtering in FreeBSD (ipfw), > > > examples of good ipfw firewalls are preferred. I prefer to use IPF because of its stateful filtering. man security man 4 ipf man 5 ipf man ipfw more /etc/rc.firewall cd /usr/src/contrib/ipfilter/rules; for arg in *; do more $arg; done; > > > 2) does FreeBSD kernel realize defence against some DoS > > > attacks like smurf, broadcast, some types of > > > flooding? Yes. See above. > > > I know and i use Linux 2.4.x branch with iptables, which can prevent > some DoS attacks by using its built-in mechanism. Does FreeBSD do > something like this? For example, i saw how "she" :-) rejects > > > a burst of RST/ACK packets while NMap scanning (stealth scan). If you > do not want to answer in details, please advise me some URL(s) where i can > read about this myself. > > > Best regards. Nick. http://www.freebsdzine.org/ http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html Bye! Serg N. Voronkov. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 1: 5: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 4D5C237B411 for ; Wed, 18 Jul 2001 01:04:58 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15MmJT-0001RZ-00; Wed, 18 Jul 2001 10:04:07 +0200 
From: Sheldon Hearn To: Artur Meski Cc: freebsd-security@freebsd.org Subject: Re: Exec logging, FreeBSD Kernel Module. In-reply-to: Your message of "Tue, 17 Jul 2001 12:34:22 +0200." <20010717123422.A97994@rapid.black.pl> Date: Wed, 18 Jul 2001 10:04:07 +0200 Message-ID: <5552.995443447@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 17 Jul 2001 12:34:22 +0200, Artur Meski wrote: > I'm looking for FreeBSD Kernel Module, which will log all executed commands > by users. Could somebody help me? You're probably looking for Andrzej Bialecki's spy module: http://people.freebsd.org/~abial/ I haven't looked at it in a while, but it looked good when I wrote the manual page. :-) Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 4:46:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from post-gw.kami.krsk.ru (post-gw.kami.krsk.ru [195.161.20.162]) by hub.freebsd.org (Postfix) with ESMTP id 2464F37B405 for ; Wed, 18 Jul 2001 04:46:45 -0700 (PDT) (envelope-from costa@kami.krsk.ru) Received: from kami-cicuta.kami.krsk.ru (kami-cicuta.kami [192.168.1.4]) by post-gw.kami.krsk.ru (8.11.1/8.11.1) with ESMTP id f6IBki303163 for ; Wed, 18 Jul 2001 19:46:44 +0800 (KRAST) (envelope-from costa@kami.krsk.ru) Subject: I am on vacation 
From: "Konstantin Tselikhin" To: security@FreeBSD.ORG Message-ID: Date: Wed, 18 Jul 2001 19:46:26 +0800 X-MIMETrack: Serialize by Router on kami-cicuta/Kami(Release 5.0.6 |December 14, 2000) at 18.07.2001 19:46:38 MIME-Version: 1.0 Content-type: text/plain; charset=koi8-r Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I will be out of the office starting 07.07.2001 and will not return until 23.07.2001. I will reply to your message after I return from vacation. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 7:36: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from icmp.dhs.org (e-135-33-res1.mts.net [206.45.135.33]) by hub.freebsd.org (Postfix) with ESMTP id 04CCB37B403 for ; Wed, 18 Jul 2001 07:35:57 -0700 (PDT) (envelope-from modulus@icmp.dhs.org) Received: from localhost (modulus@localhost) by icmp.dhs.org (8.11.4/8.11.3) with ESMTP id f6J3cw514861 for ; Wed, 18 Jul 2001 22:38:58 -0500 (CDT) (envelope-from modulus@icmp.dhs.org) Date: Wed, 18 Jul 2001 22:38:57 -0500 (CDT) 
From: modulus To: Subject: named & zone transfers Message-ID: <20010718223718.A14766-100000@icmp.dhs.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I was wondering how i would restrict all zone transfers with the exception of the secondary DNS daemon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 7:37:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 5CE3B37B406 for ; Wed, 18 Jul 2001 07:37:55 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 15826 invoked from network); 18 Jul 2001 14:37:39 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 18 Jul 2001 14:37:39 -0000 Message-ID: <004c01c10f97$3a327c30$0d00a8c0@alexus> From: "alexus" To: "modulus" , References: <20010718223718.A14766-100000@icmp.dhs.org> Subject: Re: named & zone transfers Date: Wed, 18 Jul 2001 10:37:53 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org put allow-transfer option in named.conf better yet read about named.conf or documentation for more info ----- Original Message ----- 
From: "modulus" To: Sent: Wednesday, July 18, 2001 11:38 PM Subject: named & zone transfers > > I was wondering how i would restrict all zone transfers > with the exception of the secondary DNS daemon. > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 7:41:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122]) by hub.freebsd.org (Postfix) with ESMTP id 503A037B401 for ; Wed, 18 Jul 2001 07:41:31 -0700 (PDT) (envelope-from david@catwhisker.org) Received: (from david@localhost) by bunrab.catwhisker.org (8.11.4/8.11.4) id f6IEfFH65804; Wed, 18 Jul 2001 07:41:15 -0700 (PDT) Date: Wed, 18 Jul 2001 07:41:15 -0700 (PDT) From: David Wolfskill Message-Id: <200107181441.f6IEfFH65804@bunrab.catwhisker.org> To: freebsd-security@FreeBSD.ORG, modulus@icmp.dhs.org Subject: Re: named & zone transfers In-Reply-To: <20010718223718.A14766-100000@icmp.dhs.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Date: Wed, 18 Jul 2001 22:38:57 -0500 (CDT) 
>From: modulus >I was wondering how i would restrict all zone transfers >with the exception of the secondary DNS daemon. Although I'd be very hard-pressed to consider this a "security" issue (or a FreeBSD one), the precise syntax will depend on which nameserver software you are using. For example, with BIND 8, the "options" statement may be used to specify a default policy with respect to zone transfers, and the "stanzas" for individual zones may contain clauses that override that default. The O'Reilly _DNS and BIND_ volume covers the material rather thoroughly. Cheers, david -- David H. Wolfskill david@catwhisker.org As a computing professional, I believe it would be unethical for me to advise, recommend, or support the use (save possibly for personal amusement) of any product that is or depends on any Microsoft product. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 7:53: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from mgw1.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id 02B3837B405 for ; Wed, 18 Jul 2001 07:53:01 -0700 (PDT) (envelope-from LConrad@Go2France.com) Received: from mail.Go2France.com (ms1.meiway.com [212.73.210.73]) by mgw1.MEIway.com (Postfix Relay Hub) with ESMTP id F074D16B37 for ; Wed, 18 Jul 2001 16:52:58 +0200 (CEST) Received: from IBM-HIRXKN66F0W.Go2France.com [195.115.185.184] by mail.Go2France.com with ESMTP (SMTPD32-6.06) id A4E52B66043C; Wed, 18 Jul 2001 17:01:57 +0200 Message-Id: <5.1.0.14.0.20010718165108.02e52e48@mail.Go2France.com> X-Sender: LConrad@Go2France.com@mail.Go2France.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 18 Jul 2001 16:53:45 +0200 To: freebsd-security@freebsd.org 
From: Len Conrad Subject: Re: named & zone transfers In-Reply-To: <200107181441.f6IEfFH65804@bunrab.catwhisker.org> References: <20010718223718.A14766-100000@icmp.dhs.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Although I'd be very hard-pressed to consider this a "security" issue >(or a FreeBSD one) Unrestricted zone transfers (with no resource limits) allow malicious resource exhaustion, which I consider a security breach. Len http://MenAndMice.com/DNS-training http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 8:52:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from stevie.loop.com (stevie.loop.com [207.211.60.71]) by hub.freebsd.org (Postfix) with ESMTP id A3DD537B403 for ; Wed, 18 Jul 2001 08:52:56 -0700 (PDT) (envelope-from dwplists@loop.com) Received: from Elektra.loop.com (elektra.loop.com [207.211.60.33]) by stevie.loop.com (8.9.3/8.9.3) with SMTP id IAA69607; Wed, 18 Jul 2001 08:52:25 -0700 (PDT) Message-ID: <039301c10fa1$c1e44b40$213cd3cf@loop.com> 
From: "D. W. Piper" To: Cc: References: <200105181518.WAA12362@bazooka.cs.ait.ac.th> <046c01c0dfc0$833e7fc0$213cd3cf@loop.com> <03a401c10efb$dd2eda60$213cd3cf@loop.com> <20010717223940.A437@blossom.cjclark.org> Subject: Re: Another question on IPFW Rule -1 Date: Wed, 18 Jul 2001 08:53:09 -0700 Organization: The Loop Internet MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Me: > > Is it significant that it's always "Fragment = 184"? (Is that the > > number of the fragment, or if not what does it mean?) From: "Crist J. Clark" > It's the offset. The data in the fragment should be placed at an > offset of 1472 bytes in the reassembled datagram. This is not a "bogus > frag" as described in the manpage. I think it's probably a runt > packet. Thank you for the response. Um... pardon my ignorance, but what do you mean by "runt packet"? Does what I've described suggest some kind of problem somewhere on our network, or on the other end? Or is it something that can be safely ignored? Thanks, David To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 18 9:27:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from osvald.void.ru (osvald.void.ru [195.209.226.151]) by hub.freebsd.org (Postfix) with ESMTP id 710E237B403 for ; Wed, 18 Jul 2001 09:27:51 -0700 (PDT) (envelope-from void@void.ru) Received: from DUKE_NOTER ([195.42.77.50]) by osvald.void.ru (6.6.6 /6.6.6) with ESMTP id f6IGQJO92482 for ; Wed, 18 Jul 2001 20:26:19 +0400 (MSD) Date: Wed, 18 Jul 2001 20:18:25 +0400 
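Crist's answer, that the logged value is the IP fragment offset counted in 8-byte units, is the whole key to reading these entries, so here is a small decoder as an added example (it is not code posted by anyone on this thread). It parses lines in the format David quoted, converts the Fragment field to a byte offset, and classifies the fragment: offset 0 means the transport header is present and port rules can match; TCP at offset 1 (8 bytes) is the overlapping "bogus fragment" that RFC 1858 says to drop and that, as I read it, the ipfw manpage passage Crist mentions describes; anything else is a trailing fragment carrying no transport header, which ipfw cannot match on ports at all. The addresses and log lines are constructed, and implied_first_fragment_total() assumes a full-size first fragment with a 20-byte IP header, an assumption for illustration rather than something the thread states. Under that assumption 184 x 8 = 1472 bytes of data is exactly what a 1492-byte datagram carries, and 1492 is the usual MTU of a PPPoE link, so a host fragmenting at that size would put its second piece at offset 184 every time; the thread itself does not say whether that is the case here.

```python
"""Decode the "Fragment = N" field of FreeBSD ipfw log lines.

Added example for this thread, not code posted by any participant.
The log lines in SAMPLE_LOG are constructed in the format David quoted.
"""
import re

FRAG_UNIT = 8       # RFC 791: the fragment offset field counts 8-octet units
IP_HDR_MIN = 20     # IPv4 header without options (assumption, see below)

# Fields of the log line shape quoted in the thread.  The trailing
# " Fragment = N" is only present when the packet is a non-first fragment.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: Fragment = (?P<frag>\d+))?"
)


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    fields["frag"] = int(fields["frag"]) if fields["frag"] is not None else 0
    return fields


def fragment_byte_offset(frag):
    """Where this fragment's data lands in the reassembled datagram."""
    return frag * FRAG_UNIT


def classify_fragment(proto, frag):
    """Classify a fragment the way RFC 1858 (and ipfw's own check) would."""
    if frag == 0:
        # Transport header present: port-based rules can match this packet.
        return "first-or-unfragmented"
    if frag == 1 and proto.upper() == "TCP":
        # Data placed 8 bytes into the TCP header can overwrite the flags
        # and ports of the first fragment on reassembly.
        return "bogus-tcp-fragment"
    # No transport header in this piece: only fragment rules can match it.
    return "non-first-fragment"


def implied_first_fragment_total(frag):
    """Total length of a first fragment that would end exactly where this
    one begins.  Assumes a 20-byte IP header and no smaller fragments in
    between (an assumption for illustration, not a fact from the thread)."""
    return IP_HDR_MIN + fragment_byte_offset(frag)


# Constructed samples using RFC 5737 addresses, not the poster's traffic.
SAMPLE_LOG = [
    "ipfw: -1 Refuse TCP 192.0.2.10 198.51.100.25 in via de0 Fragment = 184",
    "ipfw: -1 Refuse TCP 192.0.2.10 198.51.100.25 in via de0 Fragment = 1",
    "ipfw: 300 Deny TCP 192.0.2.11:4321 198.51.100.25:25 in via de0",
]


def summarize(lines):
    """(rule, byte offset, classification) for every ipfw line in lines."""
    out = []
    for line in lines:
        f = parse_ipfw_line(line)
        if f is None:
            continue
        out.append((f["rule"],
                    fragment_byte_offset(f["frag"]),
                    classify_fragment(f["proto"], f["frag"])))
    return out


if __name__ == "__main__":
    for rule, off, kind in summarize(SAMPLE_LOG):
        print(f"rule {rule:>4}: data at byte {off:>5}  {kind}")
    print("first fragment implied by offset 184:",
          implied_first_fragment_total(184), "bytes")
```

Run against a real log, a steady stream of one offset from one source toward one server, as David describes, is what a fixed path MTU produces; a spread of small offsets, or offset 1 on TCP, is what an evasion or overlap attack produces. The decoder separates the two; it does not tell you why the first fragment never shows up in the same log, which is the question David's follow-up leaves open.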
From: void@void.ru
To: freebsd-security@FreeBSD.ORG
Subject: host(1)
Message-ID: <18810307145.20010718201825@void.ru>
In-Reply-To: <039301c10fa1$c1e44b40$213cd3cf@loop.com>

Hello All,

what's the principle on which host(1) works ? Recently I've denied the
zone-transfer queries on the primary and secondary NS'es but command

  host -l myzone.dom

from remote system using different nameserver still lists the zone (but
incomplete(!), i.e. some records shown, some not). If it's a problem with
caching, can someone explain how to initiate 'cache purging' on the
nonauthoritative nameservers ?
remotehost# nslookup
Default Server:  ns.remotens.com
Address:  1.1.1.2

> ls -d myzone.dom
[ns.remotens.com]
*** Can't list domain myzone.dom: Unspecified error
>^D
remotehost# host -l myzone.dom
system1.myzone.dom has address 2.2.2.3
system2.myzone.dom has address 2.2.2.4
[skip]
remotehost#

10x,
.d

From owner-freebsd-security Wed Jul 18 13: 0: 2 2001
Date: Wed, 18 Jul 2001 13:59:54 -0600 (MDT)
From: Brett Glass
Message-Id: <200107181959.NAA06459@lariat.org>
To: security@freebsd.org
Subject: Piping and scripts with scp

I need to create a script that deposits the output of a program in a file
on a remote host. I'd like to do this over an encrypted connection, so I'd
like to use scp for this purpose. The script will need to execute via cron
and run unattended, and I'm limited to the SSH-1 protocol for the moment
(though I intend to move to SSH-2 when all the hosts can handle it).

Trouble is, I cannot seem to find options for scp that will allow me to
(a) pipe data into it for placement in the remote file; or (b) supply a
password -- kept only in the script, which cannot be read except by root
-- in advance rather than manually at the console. (Yes, I could generate
and use RSA keys, but since anyone who could view the script will have
broken root, he or she could also get at the private key anyway... so
there's no additional security in this.)

Help from someone experienced with scp and ssh would be appreciated.

--Brett Glass

From owner-freebsd-security Wed Jul 18 13: 4:46 2001
Date: Wed, 18 Jul 2001 22:04:42 +0200
From: Alson van der Meulen
To: security@freebsd.org
Subject: Re: Piping and scripts with scp
Message-ID: <20010718220442.B15065@md2.mediadesign.nl>
In-Reply-To: <200107181959.NAA06459@lariat.org>

On Wed, Jul 18, 2001 at 01:59:54PM -0600, Brett Glass wrote:
> I need to create a script that deposits the output of a program in a file on a
> remote host. I'd like to do this over an encrypted connection, so I'd like to
> use scp for this purpose. The script will need to execute via cron and run
> unattended, and I'm limited to the SSH-1 protocol for the moment (though I
> intend to move to SSH-2 when all the hosts can handle it).
>
> Trouble is, I cannot seem to find options for scp that will allow me
> to (a) pipe data into it for placement in the remote file; or

echo foo | ssh myuser@myhost dd of=bar

> (b) supply a password -- kept only in the script, which cannot be
> read except by root -- in advance rather than manually at the console.
> (Yes, I could generate and use RSA keys, but since anyone who could
> view the script will have broken root, he or she could also get at
> the private key anyway... so there's no additional security in this.)
> Help from someone experienced with scp and ssh would be appreciated.

You really should use RSA keys without passphrase for this, though you
could use something like expect to enter a password in batch, RSA keys
are really the way to go for scripts.
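As an added example (not part of this thread), one way to follow Alson's advice while limiting what a stolen, unpassphrased key can do: a forced-command receiver script for the remote host, so the key can only deposit new files into one directory instead of opening a shell. The authorized_keys entry, the script name, the key path and the drop directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: a receiver script for the remote host,
# installed as the forced command for the cron job's (unpassphrased) key.
# Whoever holds the key can then only deposit new files into one directory,
# not open a shell, which is the limit that a password in a script lacks.
#
# Assumed authorized_keys entry on the remote host (key and path are
# placeholders):
#   command="/usr/local/libexec/recv-report",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER cronjob@origin
#
# Assumed client side, run from cron, no scp involved (the program's output
# is piped straight over the connection, as Alson's dd example does):
#   some_program | ssh -i /root/.ssh/cronjob_key user@remote report-2001-07-18.txt
#
# sshd runs the forced command instead of the client's command and puts the
# client's requested command line, here just the file name, in
# SSH_ORIGINAL_COMMAND.

DROPDIR="${DROPDIR:-/var/spool/reports}"   # assumed destination directory

# Accept only a plain file name: non-empty, no leading dot, no slash, and
# nothing outside [A-Za-z0-9._-], so "../" and "/etc/..." are refused.
valid_name() {
    case "$1" in
        '' | .* | */*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Copy stdin into $DROPDIR/<name>. Existing files and symlinks are never
# overwritten, so a prepared link cannot redirect the write elsewhere.
receive() {
    name="$1"
    if ! valid_name "$name"; then
        echo "recv-report: rejected file name" >&2
        return 2
    fi
    dest="$DROPDIR/$name"
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "recv-report: refusing to overwrite $dest" >&2
        return 3
    fi
    # umask 077 keeps the deposited file private to the receiving account.
    ( umask 077 && cat > "$dest" )
}

# Entry point when sshd invokes the script: SSH_ORIGINAL_COMMAND is the whole
# client command line, and only a bare file name is honoured.
main() {
    receive "${SSH_ORIGINAL_COMMAND:-}"
}

# Run main only when executed under the installed name, so the functions can
# also be sourced for testing.
case "$0" in
    recv-report | */recv-report) main ;;
esac
```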
From owner-freebsd-security Wed Jul 18 14:10:54 2001
Message-ID: <002b01c10fce$18317aa0$0b2d2d0a@battleship>
From: "Joseph Gleason"
Subject: Fw: remote root vulnerability
Date: Wed, 18 Jul 2001 17:10:38 -0400

Anyone know if this is real? I received it from a source I don't have
any strong reason to trust.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> - ------
>
> TESO Security Advisory
> 06/10/2001
>
> Multiple vendor Telnet Daemon vulnerability
>
>
> Summary
> ===================
>
> Within most of the current telnet daemons in use today there exists a buffer
> overflow in the telnet option handling. Under certain circumstances it may
> be possible to exploit it to gain root privileges remotely.
>
>
> Systems Affected
> ===================
>
> System                                  | vulnerable   | exploitable *
> ----------------------------------------+--------------+--------------
> BSDI 4.x default                        | yes          | yes
> FreeBSD [2345].x default                | yes          | yes
> IRIX 6.5                                | yes          | no
> Linux netkit-telnetd < 0.14             | yes          | ?
> Linux netkit-telnetd >= 0.14            | no           |
> NetBSD 1.x default                      | yes          | yes
> OpenBSD 2.x                             | yes          | ?
> OpenBSD current                         | no           |
> Solaris 2.x sparc                       | yes          | ?
>                                         | yes          | ?
> ----------------------------------------+--------------+--------------
>
> * = From our analysis and conclusions, which may not be correct or we may
> have overseen things. Do not rely on this.
>
> Details about the systems can be found below.
>
>
> Impact
> ===================
>
> Through sending a specially formed option string to the remote telnet
> daemon a remote attacker might be able to overwrite sensitive information
> on the static memory pages.
> If done properly this may result in arbitrary
> code getting executed on the remote machine under the privileges the
> telnet daemon runs on, usually root.
>
>
> Explanation
> ===================
>
> Within every BSD derived telnet daemon under UNIX the telnet options are
> processed by the 'telrcv' function. This function parses the options
> according to the telnet protocol and its internal state. During this
> parsing the results which should be sent back to the client are stored
> within the 'netobuf' buffer. This is done without any bounds checking,
> since it is assumed that the reply data is smaller than the buffer size
> (which is BUFSIZ bytes, usually).
>
> However, using a combination of options, especially the 'AYT' Are You There
> option, it is possible to append data to the buffer, usually nine bytes
> long. To trigger this response, two bytes in the input buffer are
> necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the
> output buffer by as much as ((BUFSIZ / 2) * 9) - BUFSIZ bytes. For the
> common case that BUFSIZ is defined to be 1024, this results in a buffer
> overflow by up to 3584 bytes. On systems where BUFSIZ is defined to be
> 4096, this is an even greater value (14336).
>
> Due to the limited set of characters an attacker is able to write outside
> of the buffer it is difficult - if not impossible on some systems - to
> exploit this buffer overflow. Another hurdle for a possible attacker may be
> the lack of interesting information to modify after the buffer.
>
> This buffer overflow should be considered serious nevertheless, since
> experience has shown that even complicated vulnerabilities can be
> exploited by skilled attackers, BIND TSIG and SSH deattack come to mind.
>
> We have constructed a working exploit for any version of BSDI, NetBSD and
> FreeBSD. Exploitation on Solaris sparc may be possible but if it is, it is
> very difficult involving lots of arcane tricks.
> OpenBSD is not as easily
> exploitable as the other BSD's, because they do compile with other
> options by default, changing memory layout.
>
>
> Solution
> ===================
>
> The vendors have been notified of the problem at the same time as the
> general public, vendor patches for your telnet daemon that fix the bug will
> show up soon.
>
> Sometimes a fix might not be trivial and require a lot of changes to the
> source code, due to the insecure nature the 'nfrontp' pointer is handled.
> The best long term solution is to disable the telnet daemon at all, since
> there are good and free replacements.
>
>
> Acknowledgements
> ===================
>
> The bug has been discovered by scut.
>
> The tests and further analysis were done by smiler, lorian, zip and scut.
>
>
> Contact Information
> ===================
>
> The TESO crew can be reached by mailing to teso@team-teso.net
> Our web page is at http://www.team-teso.net/
>
>
> References
> ===================
>
> [1] TESO
>     http://www.team-teso.net/
>
>
> Disclaimer
> ===================
>
> This advisory does not claim to be complete or to be usable for any
> purpose. Especially information on the vulnerable systems may be inaccurate
> or wrong. Possibly supplied exploit code is not to be used for malicious
> purposes, but for educational purposes only.
>
> This advisory is free for open distribution in unmodified form.
> Articles that are based on information from this advisory should include
> link [1].
>
>
> Exploit
> ===================
>
> Not this time. Not here.
>
> - ------
>

From owner-freebsd-security Wed Jul 18 14:49:57 2001
Date: Wed, 18 Jul 2001 22:51:21 +0100
From: Nuno Teixeira
Subject: What FTPd FreeBSD uses?
To: freebsd-security@FreeBSD.ORG
Message-id: <20010718225121.A3116@>
X-Operating-System: FreeBSD 4.3-STABLE

Hello to all,

1. The ftpd FreeBSD distribution is FTP version 6.00 LS. I noted that
ftp.freebsd.org uses an FTP version DG-4.1.73

What are the differences between the two ftpds?

2. (I don't want to start a flame war) Which of these 2 ftpd programs
(FTPd FreeBSD dist. and ProFTPd) is more secure?

Or, what FTPd program should I use to obtain maximum security?

Thanks very much,

--
Nuno Teixeira
Dir. Técnico
pt-quorum.com
--
PGP Public Key: http://www.pt-quorum.com/pgp/nunoteixeira.asc
Key fingerprint: 8C2C B364 D4DC 0C92 56F5 CE6F 8F07 720A 63A0 4FC7
--

From owner-freebsd-security Wed Jul 18 15:17:54 2001
Date: Wed, 18 Jul 2001 18:12:56 -0400
From: Steve Shorter
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What FTPd FreeBSD uses?
Message-ID: <20010718181256.A3915@nomad.lets.net>
In-Reply-To: <20010718225121.A3116@>; from nuno.mailinglists@pt-quorum.com on Wed, Jul 18, 2001 at 10:51:21PM +0100

On Wed, Jul 18, 2001 at 10:51:21PM +0100, Nuno Teixeira wrote:
>
> Or, what FTPd program should I use to obtain maximum security?

Depending on what you need to do, publicfile might be your best choice.

http://cr.yp.to/publicfile.html

-steve

From owner-freebsd-security Wed Jul 18 15:23:23 2001
Message-Id: <4.3.2.7.2.20010718160356.04478100@localhost>
Date: Wed, 18 Jul 2001 16:23:03 -0600
To: Alson van der Meulen , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Piping and scripts with scp
In-Reply-To: <20010718220442.B15065@md2.mediadesign.nl>
References: <200107181959.NAA06459@lariat.org>

At 02:04 PM 7/18/2001, Alson van der Meulen wrote:

>You really should use RSA keys without passphrase for this,

The problem with un-passphrased RSA keys is that they provide no more
security but create logistical problems. Since the script will be run by
cron as root, it means either generating an un-passphrased key pair for
root (not wise!) and/or generating a special key pair for the script,
which is stored... where? In whose directory? There's no convention for
this, so the next admin who comes along will have to figure out what's
what. Second, the RSA keys afford no additional security, since if someone
breaks root and gets the un-passphrased key pair he's home free (just as
if he'd plucked an unencrypted password out of a batch file). So, overall,
we have a bunch more complexity and many more things to go wrong with no
security benefit.

BTW, from what people are telling me, scp doesn't allow data to be piped
into it (as does ftp), which means I have to use ssh and invoke "cat" (or
something similar) on the other side. A bit awkward. (Perhaps using "-" to
mean standard input or output should be allowed in scp, as it is in so
many other utilities. Or maybe the ftp "|" syntax could be used.... The
latter is more complex because scp would have to fork a shell and execute
the command as a data source/sink.)
--Brett

From owner-freebsd-security Wed Jul 18 15:54:11 2001
Date: Thu, 19 Jul 2001 00:54:06 +0200
From: Alson van der Meulen
To: security@FreeBSD.ORG
Subject: Re: Piping and scripts with scp
Message-ID: <20010719005405.E15065@md2.mediadesign.nl>
In-Reply-To: <4.3.2.7.2.20010718160356.04478100@localhost>

On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
>
> >You really should use RSA keys without passphrase for this,
>
> The problem with un-passphrased RSA keys is that they provide
> no more security but create logistical problems. Since
> the script will be run by cron as root, it means either
> generating an un-passphrased key pair for root (not wise!)
> and/or generating a special key pair for the script, which
> is stored... where? In whose directory? There's no convention
> for this, so the next admin who comes along will have to figure
> out what's what. Second, the RSA keys afford no additional
> security, since if someone breaks root and gets the
> un-passphrased key pair he's home free (just as if he'd plucked
> an unencrypted password out of a batch file). So, overall, we
> have a bunch more complexity and many more things to go wrong
> with no security benefit.

ssh keys aren't more complex than passing passwords from a script to ssh,
since ssh isn't designed to read passwords from stdin or some file. you
can just document the location of the keypair in your script, and add it
to the remote root's ./.ssh/authorized_keys, shouldn't be that complex
imho..
>
> BTW, from what people are telling me, scp doesn't allow data
> to be piped into it (as does ftp), which means I have to
> use ssh and invoke "cat" (or something similar) on the other
> side. A bit awkward. (Perhaps using "-" to mean standard input
> or output should be allowed in scp, as it is in so many
> other utilities. Or maybe the ftp "|" syntax could be used....
> The latter is more complex because scp would have to fork a
> shell and execute the command as a data source/sink.)

scp actually does something like

cat foo | ssh bar cat \> fo

From owner-freebsd-security Wed Jul 18 21:19:19 2001
Message-Id: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12>
Date: Thu, 19 Jul 2001 00:19:09 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: FreeBSD remote root exploit ?

Posted to bugtraq is a notice about telnetd being remotely root
exploitable. Does anyone know if it is true ?

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Jul 18 21:30:21 2001
Date: Wed, 18 Jul 2001 21:30:04 -0700
From: Sean Chittenden
To: freebsd-security@freebsd.org
Subject: BUGTRAQ post re: "multiple vendor telnet daemon vulnerability"
Message-ID: <20010718213004.Z77559@rand.tgd.net>
X-PGP-Key: 0x1EDDFAAD
X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD
X-Web-Homepage: http://sean.chittenden.org/

Here's the BUGTRAQ post.  -sc

--
Sean Chittenden

Content-Type: message/rfc822
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Delivered-To: mailing list bugtraq@securityfocus.com
Date: Wed, 18 Jul 2001 22:15:10 +0200
From: Sebastian
To: bugtraq@securityfocus.com
Subject: multiple vendor telnet daemon vulnerability
Message-ID: <20010718221510.A16174@nb.in-berlin.de>

This is a short version of the original advisory. Most details about
exploiting this vulnerability have been removed after thinking about it.
I do not release it because it makes me happy, and I would like you to
please not assume things about the reasons involving this posting. I wish
things would have worked out better for all of us. I do not want to get
that much involved into disclosure policies, but I am sure a lot of
advocates from both sides are going to flame me about this one. Please
save yourself and me the time, I could not care less.

A few days ago some script kiddies have somehow got access to a copy of
an exploit for this vulnerability. I do not know how it happened, but
while I write this dozens of BSD hosts fall victim to clueless attackers.
And please, again, I would like to ask you to not assume and speculate
how this might have happened. The copy of the exploit was quite
script-kiddie safe and requires no fiddling. It works out of the box.

Please patch fast, or better disable telnetd at all. Btw, I do not think
a simple patch will do it anyway, there are so many horrible bugs - also
non security related - in telnetd beside this one. Just send some random
junk at telnetd and see it die if you do not believe me.
ciao,
-scut

------

TESO Security Advisory
07/18/2001

Multiple vendor Telnet Daemon vulnerability


Summary
===================

Within most of the current telnet daemons in use today there exists a buffer
overflow in the telnet option handling. Under certain circumstances it may
be possible to exploit it to gain root privileges remotely.


Systems Affected
===================

System                                  | vulnerable   | exploitable *
----------------------------------------+--------------+--------------
BSDI 4.x default                        | yes          | yes
FreeBSD [2345].x default                | yes          | yes
IRIX 6.5                                | yes          | no
Linux netkit-telnetd < 0.14             | yes          | ?
Linux netkit-telnetd >= 0.14            | no           |
NetBSD 1.x default                      | yes          | yes
OpenBSD 2.x                             | yes          | ?
OpenBSD current                         | no           |
Solaris 2.x sparc                       | yes          | ?
                                        | yes          | ?
----------------------------------------+--------------+--------------

* = From our analysis and conclusions, which may not be correct or we may
have overseen things. Do not rely on this.

Details about the systems can be found below.


Impact
===================

Through sending a specially formed option string to the remote telnet
daemon a remote attacker might be able to overwrite sensitive information
on the static memory pages. If done properly this may result in arbitrary
code getting executed on the remote machine under the privileges the
telnet daemon runs on, usually root.


Explanation
===================

Within every BSD derived telnet daemon under UNIX the telnet options are
processed by the 'telrcv' function. This function parses the options
according to the telnet protocol and its internal state. During this
parsing the results which should be sent back to the client are stored
within the 'netobuf' buffer.
This is done without any bounds checking,
since it is assumed that the reply data is smaller than the buffer size
(which is BUFSIZ bytes, usually).

However, using a combination of options, especially the 'AYT' Are You There
option, it is possible to append data to the buffer, usually nine bytes
long. To trigger this response, two bytes in the input buffer are
necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the
output buffer by as much as ((BUFSIZ / 2) * 9) - BUFSIZ bytes. For the
common case that BUFSIZ is defined to be 1024, this results in a buffer
overflow by up to 3584 bytes. On systems where BUFSIZ is defined to be
4096, this is an even greater value (14336).

Due to the limited set of characters an attacker is able to write outside
of the buffer it is difficult - if not impossible on some systems - to
exploit this buffer overflow. Another hurdle for a possible attacker may be
the lack of interesting information to modify after the buffer.

This buffer overflow should be considered serious nevertheless, since
experience has shown that even complicated vulnerabilities can be
exploited by skilled attackers, BIND TSIG and SSH deattack come to mind.

We have constructed a working exploit for any version of BSDI, NetBSD and
FreeBSD. Exploitation on Solaris sparc may be possible but if it is, it is
very difficult involving lots of arcane tricks. OpenBSD is not as easily
exploitable as the other BSD's, because they do compile with other
options by default, changing memory layout.


Solution
===================

The vendors have been notified of the problem at the same time as the
general public, vendor patches for your telnet daemon that fix the bug will
show up soon.

Sometimes a fix might not be trivial and require a lot of changes to the
source code, due to the insecure nature the 'nfrontp' pointer is handled.
The best long term solution is to disable the telnet daemon at all, since
there are good and free replacements.


Acknowledgements
===================

The bug has been discovered by scut. (It is easy to spot, so I do not
want to rule out discoveries by other persons)

The tests and further analysis were done by smiler, lorian, zip and scut.


Contact Information
===================

The TESO crew can be reached by mailing to teso@team-teso.net
Our web page is at http://www.team-teso.net/


References
===================

[1] TESO
    http://www.team-teso.net/


Disclaimer
===================

This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be inaccurate
or wrong. Possibly supplied exploit code is not to be used for malicious
purposes, but for educational purposes only.

This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link [1].


Exploit
===================

Not this time. Not here.

------

--
-. scut@nb.in-berlin.de -. + http://segfault.net/~scut/ `--------------------.
-' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
`- AFIWC control and information seized. awaiting orders.
hi echelon --------'

From owner-freebsd-security Wed Jul 18 21:39:31 2001
Date: Wed, 18 Jul 2001 21:39:26 -0700
From: Kris Kennaway
To: Mike Tancsa
Cc: security@freebsd.org
Subject: Re: FreeBSD remote root exploit ?
Message-ID: <20010718213926.A19395@xor.obsecurity.org>
In-Reply-To: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12>

I haven't been able to verify it yet; they didn't bother to give us any advance notice before releasing to bugtraq, nor did they give us any additional details.

Kris

On Thu, Jul 19, 2001 at 12:19:09AM -0400, Mike Tancsa wrote:
> 
> Posted to bugtraq is a notice about telnetd being remotely root
> exploitable. Does anyone know if it is true ?
> 
> ---Mike

From owner-freebsd-security Wed Jul 18 22: 9:48 2001
Message-Id: <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12>
Date: Thu, 19 Jul 2001 01:09:35 -0400
To: Kris Kennaway
From: Mike Tancsa
Subject: Re: FreeBSD remote root exploit ?
Cc: security@freebsd.org
In-Reply-To: <20010718213926.A19395@xor.obsecurity.org>

Major drag. Sadly, one of my customers needs telnetd running. Are there any alternative daemons that can be used as a temp measure that are not derived from the BSD tree ?

---Mike

At 09:39 PM 7/18/2001 -0700, Kris Kennaway wrote:
>I haven't been able to verify it yet; they didn't bother to give us
>any advance notice before releasing to bugtraq, nor did they give us
>any additional details.
>
>Kris
>
>On Thu, Jul 19, 2001 at 12:19:09AM -0400, Mike Tancsa wrote:
> >
> > Posted to bugtraq is a notice about telnetd being remotely root
> > exploitable. Does anyone know if it is true ?
> >
> > ---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Jul 18 22:48:49 2001
Message-Id: <200107190547.f6J5lmD66188@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Mike Tancsa
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
In-reply-to: Your message of "Thu, 19 Jul 2001 01:09:35 EDT." <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12>
Date: Wed, 18 Jul 2001 22:47:18 -0700

I wouldn't be surprised that Kerberos IV and V telnetd's are also vulnerable. The krb5 port will need to be patched when we patch the base telnetd.

Also, there are two telnetd's in the base tree. I'm sure everyone knows this, I put my paranoid manager's hat on.

Regards,                        Phone: (250)387-8437
Cy Schubert                     Fax:   (250)387-5766
Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12>, Mike Tancsa writes:
> 
> Major drag. Sadly, one of my customers needs telnetd running. Are there
> any alternative daemons that can be used as a temp measure that are not
> derived from the BSD tree ?
> 
> ---Mike
> 
> At 09:39 PM 7/18/2001 -0700, Kris Kennaway wrote:
> >I haven't been able to verify it yet; they didn't bother to give us
> >any advance notice before releasing to bugtraq, nor did they give us
> >any additional details.
> >
> >Kris
> >
> >On Thu, Jul 19, 2001 at 12:19:09AM -0400, Mike Tancsa wrote:
> > >
> > > Posted to bugtraq is a notice about telnetd being remotely root
> > > exploitable. Does anyone know if it is true ?
> > >
> > > ---Mike
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Network Administration, mike@sentex.net
> Sentex Communications www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Jul 18 23:39: 8 2001
Message-Id: <200107190637.f6J6bnf66559@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Mike Tancsa
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
In-reply-to: Your message of "Thu, 19 Jul 2001 01:09:35 EDT." <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12>
Date: Wed, 18 Jul 2001 23:37:42 -0700

The advisory says that OpenBSD-current is invulnerable. Looking at the OpenBSD source tree, they've replaced BSD telnetd with heimdal telnetd. Building with kerberos5 enabled might be a temp workaround.

Regards,                        Phone: (250)387-8437
Cy Schubert                     Fax:   (250)387-5766
Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12>, Mike Tancsa writes:
> 
> Major drag. Sadly, one of my customers needs telnetd running. Are there
> any alternative daemons that can be used as a temp measure that are not
> derived from the BSD tree ?
> 
> ---Mike
> 
> At 09:39 PM 7/18/2001 -0700, Kris Kennaway wrote:
> >I haven't been able to verify it yet; they didn't bother to give us
> >any advance notice before releasing to bugtraq, nor did they give us
> >any additional details.
> >
> >Kris
> >
> >On Thu, Jul 19, 2001 at 12:19:09AM -0400, Mike Tancsa wrote:
> > >
> > > Posted to bugtraq is a notice about telnetd being remotely root
> > > exploitable. Does anyone know if it is true ?
> > >
> > > ---Mike
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Network Administration, mike@sentex.net
> Sentex Communications www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Thu Jul 19 0:43:57 2001
Date: Thu, 19 Jul 2001 09:43:48 +0200
From: Jeroen Ruigrok/Asmodai
To: Cy Schubert - ITSD Open Systems Group
Cc: Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
Message-ID: <20010719094348.K58092@daemon.ninth-circle.org>
In-Reply-To: <200107190547.f6J5lmD66188@cwsys.cwsent.com>
Organisation: Ninth-Circle Enterprises

-On [20010719 08:00], Cy Schubert - ITSD Open Systems Group (Cy.Schubert@uumail.gov.bc.ca) wrote:
>I wouldn't be surprised that Kerberos IV and V telnetd's are also
>vulnerable. The krb5 port will need to be patched when we patch the
>base telnetd.
>
>Also, there are two telnetd's in the base tree. I'm sure everyone
>knows this, I put my paranoid manager's hat on.

Don't forget I have been doing a lot of synching between the two/three telnet(d)'s in the source repository, including a lot of fix merging [which Kris did a lot of the work in first place for]. Suffice to say we don't have real stock telnet(d)'s present, but quite audited in a lot of places.

Now that I have more time again I need to continue moving the telnet(d)'s into one app again.

-- 
Jeroen Ruigrok van der Werven/Asmodai asmodai@[wxs.nl|freebsd.org|xmach.org]
Documentation nutter/C-rated Coder, finger asmodai@ninth-circle.dnsalias.net
http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/
You shall see wonders...
From owner-freebsd-security Thu Jul 19 0:48: 8 2001
Date: Thu, 19 Jul 2001 00:47:22 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107190747.f6J7lMU71487@earth.backplane.com>
To: Cy Schubert - ITSD Open Systems Group
Cc: Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?

:
:I wouldn't be surprised that Kerberos IV and V telnetd's are also
:vulnerable. The krb5 port will need to be patched when we patch the
:base telnetd.
:
:Also, there are two telnetd's in the base tree. I'm sure everyone
:knows this, I put my paranoid manager's hat on.
:
:
:Regards,                        Phone: (250)387-8437
:Cy Schubert                     Fax:   (250)387-5766

Let's see... There are actually *FOUR* telnetd's in our source tree.

/usr/src/crypto/telnet/telnetd                              VULNERABLE
/usr/src/libexec/telnetd                                    VULNERABLE
/usr/src/crypto/heimdal/appl/telnet/telnetd                 NOT VULNERABLE
/usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c    NOT VULNERABLE

The heimdal and kerberosIV telnetd's call an output_data() function which does not allow the output buffer to overflow. The first two telnetd's just blindly copy the option data into the output buffer.
-Matt

From owner-freebsd-security Thu Jul 19 0:50:38 2001
Date: Thu, 19 Jul 2001 03:50:30 -0400
From: Keith Stevenson
To: Joseph Gleason
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: remote root vulnerability
Message-ID: <20010719035029.A37336@osaka.louisville.edu>
In-Reply-To: <002b01c10fce$18317aa0$0b2d2d0a@battleship>

On Wed, Jul 18, 2001 at 05:10:38PM -0400, Joseph Gleason wrote:
> Anyone know if this is real? I received it from a source I don't have any
> strong reason to trust.

(advisory text trimmed)

It looks like it. The recv_ayt() function in telnetd.c does appear to behave in the manner described in the advisory. Nine bytes are strcpy()'d into nfrontp and then nfrontp itself is incremented by nine. I don't see any check to make sure that nfrontp isn't incremented past the end of the buffer that has been allocated for it.

Quickly glancing through the code, I find several instances of something being copied into the buffer and then the pointer being incremented by the number of bytes copied. This seems to be an idiom in this code. I don't consider myself to be a pointer manipulation wizard (especially at 0347 local time), but I don't see any safety checks on the nfrontp manipulations anywhere in the code.

I examined src/libexec/telnetd/telnetd.c version 1.22.2.5 from FreeBSD-4.3. I didn't see anything in the commitlogs which makes me think that CURRENT is any different.
Regards,
--Keith Stevenson--

-- 
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
keith.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE

From owner-freebsd-security Thu Jul 19 1:45: 0 2001
Date: Thu, 19 Jul 2001 11:49:04 +0300
From: Peter Pentchev
To: Brett Glass
Cc: Alson van der Meulen, security@FreeBSD.ORG
Subject: Re: Piping and scripts with scp
Message-ID: <20010719114904.B7129@ringworld.oblivion.bg>
In-Reply-To: <4.3.2.7.2.20010718160356.04478100@localhost>

On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
> 
> >You really should use RSA keys without passphrase for this,
> 
> The problem with un-passphrased RSA keys is that they provide
> no more security but create logistical problems. Since
> the script will be run by cron as root, it means either
> generating an un-passphrased key pair for root (not wise!)

Wrong. You need to create an un-passphrased key that shall be *used* by root on the cron-running machine, but that shall authenticate a login as the *logging user* on the logging machine. The logging user need not be root (actually, it would be extremely unwise to log as root even using a password). The RSA key only authenticates a login if the key itself is added to the authorized_keys file. It does not need to be added to root's authorized_keys file on the cron-running machine just because root needs to use it.

> and/or generating a special key pair for the script, which
> is stored... where? In whose directory? There's no convention
> for this, so the next admin who comes along will have to figure
> out what's what.
In a directory accessible by the user running the program whose output you want logged - that is, in a directory readable by root on the cron-running machine.

> Second, the RSA keys afford no additional
> security, since if someone breaks root and gets the
> un-passphrased key pair he's home free (just as if he'd plucked
> an unencrypted password out of a batch file).

Actually, there is additional security, if you're using OpenSSH on the logging machine. It is true that somebody breaking root gains access to the logging account in the password-authentication scenario, BUT if you use keys, you can specify on the logging machine that this key may only be used to run this particular command. Thus, even if anyone should break root and gain access to the key, all they would be able to do is append lines to the log.

> So, overall, we
> have a bunch more complexity and many more things to go wrong
> with no security benefit.

No more complexity than an ssh-keygen and adding an ASCII file to a .ssh/authorized_keys file. A great security benefit - see above (appending to a logfile versus getting a local shell on the logging machine).

> BTW, from what people are telling me, scp doesn't allow data
> to be piped into it (as does ftp), which means I have to
> use ssh and invoke "cat" (or something similar) on the other
> side. A bit awkward.

Or as given in the message you replied to, ssh loghost dd of=logfile.

> (Perhaps using "-" to mean standard input
> or output should be allowed in scp, as it is in so many
> other utilities. Or maybe the ftp "|" syntax could be used....
> The latter is more complex because scp would have to fork a
> shell and execute the command as a data source/sink.)
G'luck,
Peter

-- 
The rest of this sentence is written in Thailand, on

From owner-freebsd-security Thu Jul 19 1:48: 1 2001
Date: Thu, 19 Jul 2001 10:47:50 +0200
From: Jeroen Ruigrok/Asmodai
To: Matt Dillon
Cc: Cy Schubert - ITSD Open Systems Group, Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
Message-ID: <20010719104750.L58092@daemon.ninth-circle.org>
In-Reply-To: <200107190747.f6J7lMU71487@earth.backplane.com>
Organisation: Ninth-Circle Enterprises

-On [20010719 10:00], Matt Dillon (dillon@earth.backplane.com) wrote:
> Let's see... There are actually *FOUR* telnetd's in our source tree.
>
> /usr/src/crypto/telnet/telnetd                              VULNERABLE
> /usr/src/libexec/telnetd                                    VULNERABLE

I was busy merging these two and then later getting rid of one after adding compile time code in/exclusion.

> /usr/src/crypto/heimdal/appl/telnet/telnetd                 NOT VULNERABLE
> /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c    NOT VULNERABLE

Not sure if all four can be collapsed.

-- 
Jeroen Ruigrok van der Werven/Asmodai asmodai@[wxs.nl|freebsd.org|xmach.org]
Documentation nutter/C-rated Coder, finger asmodai@ninth-circle.dnsalias.net
http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/
Whoever undertakes to set himself up as judge in the field of truth and knowledge is shipwrecked by the laughter of the Gods.
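The copy-then-advance idiom Keith Stevenson describes for recv_ayt() earlier in this thread, beside a bounded writer of the kind Matt Dillon credits the heimdal and kerberosIV telnetd's with. This is an added example constructed for this page, not code from the FreeBSD tree: the 64-byte buffer, the output_data() signature and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the telnetd output buffer discussed in the thread.
 * The real buffer is far larger; 64 bytes keeps the demonstration short. */
#define NETOBUF_SIZE 64

char netobuf[NETOBUF_SIZE];
char *nfrontp = netobuf;            /* next free byte in netobuf, as in telnetd */

/* The nine-byte AYT reply identified in the thread: "\r\n[Yes]\r\n" */
static const char AYT_REPLY[] = "\r\n[Yes]\r\n";
#define AYT_REPLY_LEN (sizeof(AYT_REPLY) - 1)

/* The defective idiom Keith describes: copy, then advance nfrontp by the
 * length, with no comparison against the end of netobuf. Shown for
 * contrast only; nothing below calls it, because calling it more than
 * NETOBUF_SIZE / AYT_REPLY_LEN times would write past the buffer. */
void recv_ayt_unchecked(void)
{
    strcpy(nfrontp, AYT_REPLY);      /* also stores a NUL one byte further on */
    nfrontp += AYT_REPLY_LEN;
}

/* Bounded writer in the spirit of the output_data() Matt mentions
 * (signature assumed, not heimdal's): returns 1 if the bytes were
 * appended, 0 if they would not fit, in which case nfrontp is unchanged. */
int output_data(const char *data, size_t len)
{
    size_t room = (size_t)((netobuf + NETOBUF_SIZE) - nfrontp);
    if (len > room)
        return 0;
    memcpy(nfrontp, data, len);
    nfrontp += len;
    return 1;
}

/* recv_ayt() built on output_data(): same reply, but it can now refuse. */
int recv_ayt_checked(void)
{
    return output_data(AYT_REPLY, AYT_REPLY_LEN);
}

/* Discard queued output and rewind nfrontp, as a flush would. */
void reset_netobuf(void)
{
    memset(netobuf, 0, sizeof netobuf);
    nfrontp = netobuf;
}

/* Bytes currently queued in netobuf. */
size_t netobuf_used(void)
{
    return (size_t)(nfrontp - netobuf);
}

/* Feed n AYT commands through the checked path on an empty buffer and
 * return how many replies were accepted before it filled. With a 64-byte
 * buffer that is 7 replies (63 bytes); the 8th is refused, not overrun. */
size_t ayt_replies_until_full(size_t n)
{
    size_t accepted = 0;
    reset_netobuf();
    for (size_t i = 0; i < n; i++) {
        if (!recv_ayt_checked())
            break;                   /* buffer full: flush or drop instead */
        accepted++;
    }
    return accepted;
}

int main(void)
{
    size_t n = ayt_replies_until_full(1000);
    printf("accepted %zu AYT replies, %zu of %d bytes used, nfrontp in bounds: %s\n",
           n, netobuf_used(), NETOBUF_SIZE,
           nfrontp <= netobuf + NETOBUF_SIZE ? "yes" : "no");
    return 0;
}
```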
From owner-freebsd-security Thu Jul 19 1:52: 8 2001
Date: Thu, 19 Jul 2001 11:56:13 +0300
From: Peter Pentchev
To: Brett Glass
Cc: Alson van der Meulen, security@FreeBSD.ORG
Subject: Re: Piping and scripts with scp
Message-ID: <20010719115613.D7129@ringworld.oblivion.bg>
In-Reply-To: <20010719114904.B7129@ringworld.oblivion.bg>

On Thu, Jul 19, 2001 at 11:49:04AM +0300, Peter Pentchev wrote:
> On Wed, Jul 18, 2001 at 04:23:03PM -0600, Brett Glass wrote:
> > At 02:04 PM 7/18/2001, Alson van der Meulen wrote:
> > 
> > >You really should use RSA keys without passphrase for this,
> > 
> > The problem with un-passphrased RSA keys is that they provide
> > no more security but create logistical problems. Since
> > the script will be run by cron as root, it means either
> > generating an un-passphrased key pair for root (not wise!)
> 
> Wrong. You need to create an un-passphrased key that shall be *used*
> by root on the cron-running machine, but that shall authenticate
> a login as the *logging user* on the logging machine. The logging user
> need not be root (actually, it would be extremely unwise to log as root
> even using a password). The RSA key only authenticates a login if
> the key itself is added to the authorized_keys file. It does not need
> to be added to root's authorized_keys file on the cron-running machine
> just because root needs to use it.
And before anybody jumps in, actually it is the *public* portion of the key that needs to be added to the logging machine account's authorized_keys file; the private portion needs only reside on the log-generating machine.

G'luck,
Peter

-- 
If this sentence didn't exist, somebody would have invented it.

From owner-freebsd-security Thu Jul 19 2: 7:32 2001
Message-ID: <014d01c11031$bdab5a10$2001a8c0@clitoris>
From: "Przemyslaw Frasunek"
To: "Mike Tancsa"
Subject: Re: FreeBSD remote root exploit ?
Date: Thu, 19 Jul 2001 11:03:53 +0200
Organization: babcia padlina ltd.

> Posted to bugtraq is a notice about telnetd being remotely root
> exploitable. Does anyone know if it is true ?

Yes, telnetd is vulnerable.

lagoon:venglin:~> perl -e '$c=sprintf("%c%c", 255, 246); sleep 10; print $c x0 . "\r\n"' | nc localhost 23

(gdb) att 9024
Attaching to process 9024
0x28230f90 in ?? ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x5d736559 in ?? ()
(gdb) bt
#0  0x5d736559 in ?? ()
#1  0x804e9d9 in ?? ()
#2  0x804d1a1 in ?? ()
#3  0x804d6d1 in ?? ()
#4  0x804d14d in ?? ()
#5  0x8049bd3 in ?? ()

The strange %eip value is:

riget:root:/# perl -e 'printf("%c%c%c%c\n", 0x59, 0x65, 0x73, 0x5d)'
Yes]

"\r\n[Yes]\r\n" is response for IAC AYT command string.
-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Thu Jul 19 2:16:51 2001
To: "Sergey N. Voronkov"
Cc: Nick Maschenko, security@FreeBSD.ORG
Subject: Re: Fw: Re: A question about FreeBSD security
From: Dag-Erling Smorgrav
Date: 19 Jul 2001 11:16:44 +0200
In-Reply-To: <20010718114737.A53934@sv.tech.sibitex.tmn.ru>

"Sergey N. Voronkov" writes:
> I prefer to use IPF 'cause of its stateful filtering.

IPFW can keep state as well.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jul 19 3:52:35 2001
Message-ID: <20010719105232.40147.qmail@web13807.mail.yahoo.com>
Date: Thu, 19 Jul 2001 03:52:32 -0700 (PDT)
From: John Braun
Subject: ipfw for private networks
To: security@FreeBSD.ORG

Hello!

Will my router-proxy server work between two private networks?

Uldis

There is my net:

        |
  Local network
        |
   192.168.1.1
        |(iip)
  ------------------
  FreeBSD 4.3. box
  natd&ipfw&squid
  ------------------
        |(oip) 10.1.53.3
        |
        |
        |10.1.53.254
  -------------------
  router with dialup
  -------------------
        |
     Internet

From owner-freebsd-security Thu Jul 19 5:38:52 2001
Date: Thu, 19 Jul 2001 09:11:54 -0300
From: Fernando Schapachnik
To: John Braun
Cc: security@FreeBSD.ORG
Subject: Re: ipfw for private networks
Message-ID: <20010719091154.E17148@ns1.via-net-works.net.ar>
In-Reply-To: <20010719105232.40147.qmail@web13807.mail.yahoo.com>

In an earlier message, John Braun wrote:
> Hello!
>
> Will my router-proxy server work between
> two private networks?

If you craft your rules appropriately, yes (meaning it will protect/nat
192.168.1.0 from 10.1.53.0). If you want to double nat and get to the
Internet from the local net, that's another thing.

Good luck.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Thu Jul 19 5:49:05 2001
From: "default013 - subscriptions"
Subject: blocking I.P. addresses/ranges
Date: Thu, 19 Jul 2001 07:49:40 -0500

Hello,

I know there is a way to block I.P. addresses/I.P. ranges in Linux by using
something like 'route add 24.198.54.0 deny' etc... I assume that there must
be a similar way to do this in FreeBSD... Is anyone familiar with this? How
would I do it?

Thanks,
Jordan

From owner-freebsd-security Thu Jul 19 5:52:04 2001
Date: Thu, 19 Jul 2001 12:51:53 +0000 (GMT)
From: Domas Mituzas
To: default013 - subscriptions
Subject: Re: blocking I.P. addresses/ranges
Message-ID: <20010719125106.V86410-100000@axis.tdd.lt>

> I know there is a way to block I.P. addresses/I.P. ranges in Linux by using
> something like 'route add 24.198.54.0 deny' etc... I assume that there must
> be a similar way to do this in FreeBSD... Is anyone familiar with this? How
> would I do it?

    route add 1.2.3.4 127.0.0.1

Domas

From owner-freebsd-security Thu Jul 19 5:52:12 2001
Date: Thu, 19 Jul 2001 14:53:35 +0200
From: Walter Hop
To: "default013 - subscriptions"
Cc: freebsd-security@freebsd.org
Subject: Re: blocking I.P. addresses/ranges
Message-ID: <4723040991.20010719145335@binity.com>

[in reply to default013subscriptions@hotmail.com, 19-07-2001]
> I know there is a way to block I.P. addresses/I.P. ranges in Linux by using
> something like 'route add 24.198.54.0 deny' etc... I assume that there must
> be a similar way to do this in FreeBSD...

In FreeBSD, you can do this for instance with the ``ipfw'' tool. You will
need a kernel with firewall support first. Check out the relevant section
of the FreeBSD Handbook for instructions if you need them:

    http://www.nl.freebsd.org/handbook/kernelconfig.html

A quick ``man ipfw'' will give you a lengthy description; the examples are
at the end of the man page ;)

--
Walter Hop | +31 6 24290808 | Finger for public key

From owner-freebsd-security Thu Jul 19 5:58:08 2001
Message-ID: <3B56DA04.41D50B15@euromedia.pl>
Date: Thu, 19 Jul 2001 15:00:52 +0200
From: Rafał Banaszkiewicz
Organization: emedia sp. z o.o.
To: default013 - subscriptions, freebsd-security@FreeBSD.ORG
Subject: Re: blocking I.P. addresses/ranges

default013 - subscriptions wrote:
>
> Hello,
>
> I know there is a way to block I.P. addresses/I.P. ranges in Linux by using
> something like 'route add 24.198.54.0 deny' etc... I assume that there must
> be a similar way to do this in FreeBSD... Is anyone familiar with this? How
> would I do it?
>

I think you should use ipfw or ipfilter to do this, for example:

    # ipfw add deny log all from 192.0.2.0/24 to any via ed0

Connections with source address (any protocol) from subnet 192.0.2.0/24
will be filtered via interface ed0.

Regards,
--
// Rafal Banaszkiewicz, ircnet: RaFau, mailto: rafal[at]rafcio.net
// nic hdl: RB5860-RIPE, 6bone-hdl: RB6-6BONE, ICQ uin: 35053919
// workphone: +48815382348 int. 21, homepage: http://1055491093

From owner-freebsd-security Thu Jul 19 7:08:47 2001
Date: Thu, 19 Jul 2001 16:20:49 +0200
From: "Karsten W. Rohrbach"
To: Nuno Teixeira
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What FTPd FreeBSD uses?
Message-ID: <20010719162049.A39506@mail.webmonster.de>
In-Reply-To: <20010718225121.A3116@>

Nuno Teixeira(nuno.mailinglists@pt-quorum.com)@2001.07.18 22:51:21 +0000:
> Hello to all,
>
> 1.
> The ftpd FreeBSD distribution is FTP version 6.00 LS.

...the standard FreeBSD ftpd

>
> I noted that ftp.freebsd.org uses an FTP version DG-4.1.73

...the dg@root.com "it's-powerful-but-i-won't-give-the-source-away" ftpd
with several nice features -- it's tiny, it uses all sorts of
optimizations towards the os, it satisfies a lot of simultaneous
sessions, you wield the "powered by dg software" sign when you use it ;-)

>
> What are the differences between the two ftpds?

6.00LS comes with your system
dgftpd is commercial software i think

> 2.
> (I don't want to start a flame war)
>
> Which of these 2 ftpd programs (FTPd FreeBSD dist. and ProFTPd) is more
> secure?

i would not consider proftpd to be more secure than the freebsd ftpd.
proftpd is much too fancy, it suffers some feature-o-mania coding
approach, it is complex, thus error-prone. proftpd is not dgftpd.
i personally like lukemftpd, but that's just my preference. it lacks
decent logging to files, just syslog (at least the version i use).

> Or, what FTPd program should I use to obtain maximum security?

none ;-)

no, honestly, i would stick with the freebsd ftpd or lukemftpd in this
case. do you need fancy features? ratio? strange process limiting
abilities that act funky? you should use a KISS designed ftpd to get
improved security and, if possible, just leave it away in case you do not
really need it (scp/rsync over ssh is your friend)

/k
--
> Life is a sexually transmitted disease.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Thu Jul 19 7:10:37 2001
Date: Thu, 19 Jul 2001 16:22:41 +0200
From: "Karsten W. Rohrbach"
To: Steve Shorter
Cc: Nuno Teixeira, freebsd-security@FreeBSD.ORG
Subject: Re: What FTPd FreeBSD uses?
Message-ID: <20010719162241.B39506@mail.webmonster.de>
In-Reply-To: <20010718181256.A3915@nomad.lets.net>

Steve Shorter(steve@nomad.lets.net)@2001.07.18 18:12:56 +0000:
> On Wed, Jul 18, 2001 at 10:51:21PM +0100, Nuno Teixeira wrote:
> >
> > Or, what FTPd program should I use to obtain maximum security?
>
> Depending on what you need to do, publicfile might be
> your best choice.
>
> http://cr.yp.to/publicfile.html

advocating djbware for quite some time now, i must admit that publicfile
is a mess. not from the programmer's standpoint, neither from the view of
a systems administrator. for the user it plainly sucks due to the
somewhat screwed NLST formats and stuff...
besides all that it's a pretty reliable piece of software and _very_
secure.

/k
--
> What do you want to re-install today?
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Thu Jul 19 7:19:07 2001
Date: Thu, 19 Jul 2001 16:30:52 +0200
From: "Karsten W. Rohrbach"
To: Dag-Erling Smorgrav
Cc: "Sergey N. Voronkov", Nick Maschenko, security@FreeBSD.ORG
Subject: Re: Fw: Re: A question about FreeBSD security
Message-ID: <20010719163052.C39506@mail.webmonster.de>
References: <20010718114737.A53934@sv.tech.sibitex.tmn.ru>

Dag-Erling Smorgrav(des@ofug.org)@2001.07.19 11:16:44 +0000:
> "Sergey N. Voronkov" writes:
> > I prefer to use IPF 'cose of its stateful filtering.
>
> IPFW can keep state as well.

seeing the many improvements in ipfw in the last time, selection between
ipf/ipfw for firewalls just became a "peppermint vs. spearmint flavor"
question. i am very happy to see so many improvements in both packages.
i am also very happy about the fact to be able to use both on selected
systems.

/k
--
> Only wimps use tape backups; real men put their software on ftp-servers
> and let the rest of the world mirror it.
>         --Linus Torvalds
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Thu Jul 19 7:23:03 2001
Date: Thu, 19 Jul 2001 16:35:07 +0200
From: "Karsten W. Rohrbach"
To: default013 - subscriptions
Cc: freebsd-security@freebsd.org
Subject: Re: blocking I.P. addresses/ranges
Message-ID: <20010719163507.D39506@mail.webmonster.de>

default013 - subscriptions(default013subscriptions@hotmail.com)@2001.07.19 07:49:40 +0000:
> Hello,
>
> I know there is a way to block I.P. addresses/I.P. ranges in Linux by using
> something like 'route add 24.198.54.0 deny' etc... I assume that there must
> be a similar way to do this in FreeBSD... Is anyone familiar with this? How
> would I do it?

in your kernel config:

    pseudo-device disc    # discard network interface support

    ifconfig ds0 inet netmask
    route add

this is cleaner than routing it onto lo0 127.0.0.1 IMVHO...

/k
--
> "I didn't change a thing and from the moment I didn't change it,
> it didn't work anymore."
>         --Anonymous
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Thu Jul 19 7:29:31 2001
Date: Thu, 19 Jul 2001 16:41:33 +0200
From: "Karsten W. Rohrbach"
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: Piping and scripts with scp
Message-ID: <20010719164133.E39506@mail.webmonster.de>
In-Reply-To: <200107181959.NAA06459@lariat.org>

generate ssh keys with ssh-keygen(1) and limit the remote command to
something that makes sense. generate one key pair for every command you
want to run and name the key files appropriately to reference them in
your ssh(1) invocation.

a command restricted pubkey looks like this (example for self-contained
scp to a defined subdirectory):

    command="scp -t /path/to/data",from="1.2.3.4"

this pubkey will be placed in the corresponding $HOME/.ssh/authorized_keys
file on the target host. if you invoke scp with the corresponding key,
scp's remote invocation is limited to the target directory /path/to/data
and to the source host ip 1.2.3.4.

have fun
/k

Brett Glass(brett@lariat.org)@2001.07.18 13:59:54 +0000:
> I need to create a script that deposits the output of a program in a file on a
> remote host. I'd like to do this over an encrypted connection, so I'd like to
> use scp for this purpose.
> The script will need to execute via cron and run
> unattended, and I'm limited to the SSH-1 protocol for the moment (though I
> intend to move to SSH-2 when all the hosts can handle it).
>
> Trouble is, I cannot seem to find options for scp that will allow me
> to (a) pipe data into it for placement in the remote file; or
> (b) supply a password -- kept only in the script, which cannot be
> read except by root -- in advance rather than manually at the console.
> (Yes, I could generate and use RSA keys, but since anyone who could
> view the script will have broken root, he or she could also get at
> the private key anyway... so there's no additional security in this.)
> Help from someone experienced with scp and ssh would be appreciated.
>
> --Brett Glass

--
> Microsoft isn't the answer. Microsoft is the question, and the answer is no.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
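As an added example (not from the thread and not OpenSSH's own code): a POSIX sh helper that builds the command-restricted authorized_keys entry the reply describes and audits an existing authorized_keys file for keys that carry no such restriction. It goes slightly beyond the reply by adding OpenSSH's no-*-forwarding and no-pty key options; the key material, paths and the 1.2.3.4 source host are constructed placeholders.

```shell
# Added example, not code from the thread.  Builds command-restricted
# authorized_keys entries of the kind the reply describes and audits an
# existing authorized_keys file for keys that lack such a restriction.
# All key material, paths and hosts below are constructed placeholders.

# Emit one authorized_keys line that confines the public key in $1 to
# "scp -t $2" (the remote half of an scp upload into that directory) and
# to connections from $3.  The no-* options are OpenSSH extras beyond the
# reply: they also switch off forwarding and pty allocation for that key.
restricted_key_line() {
    pubkey=$1
    target_dir=$2
    src_host=$3
    printf 'command="scp -t %s",from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$target_dir" "$src_host" "$pubkey"
}

# Succeed only if a single authorized_keys line carries both the command=
# and the from= restriction; one without the other leaves a gap (any
# command from one host, or the fixed command from anywhere).
key_is_locked_down() {
    case $1 in
        *command=\"*from=\"*|*from=\"*command=\"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the number of keys in file $1 that have no command= option at all.
# Such a key hands a full shell to whoever obtains the private half, which
# is exactly the exposure the reply's restriction caps.  Comment and blank
# lines are skipped.  The string 'command="' cannot occur inside base64 key
# data (no '"' in that alphabet), so a plain substring test is enough.
count_unrestricted_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
        grep -vc 'command="' || true
}

# Write a constructed sample authorized_keys file to $1: one key locked
# down as the reply suggests, one wide-open key, a comment and a blank line.
write_sample_authorized_keys() {
    {
        echo '# backup collector key (constructed sample)'
        restricted_key_line 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample== backup@collector' \
            /path/to/data 1.2.3.4
        echo ''
        echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsample== admin@laptop'
    } > "$1"
}

# Demo run: build the sample and report how many of its keys are wide open.
sample=$(mktemp)
write_sample_authorized_keys "$sample"
echo "keys without a command= restriction: $(count_unrestricted_keys "$sample")"
rm -f "$sample"
```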
From owner-freebsd-security Thu Jul 19 7:32:27 2001
Date: Thu, 19 Jul 2001 16:44:35 +0200
From: "Karsten W. Rohrbach"
To: modulus
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: named & zone transfers
Message-ID: <20010719164435.F39506@mail.webmonster.de>
In-Reply-To: <20010718223718.A14766-100000@icmp.dhs.org>

with djbdns' axfrdns you include the to-be-served domain in the tcpserver
allow rule:

    10.0.0.1:allow,AXFR="mydomain.com/otherdomain.org"

which would allow 10.0.0.1 to fetch mydomain.com and otherdomain.org via
tcp/53 axfr.

have fun,
/k

modulus(modulus@icmp.dhs.org)@2001.07.18 22:38:57 +0000:
>
> I was wondering how i would restrict all zone transfers
> with the exception of the secondary DNS daemon.
>

--
> Friends don't let friends use sendmail.
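As an added example (not from the thread and not djbdns code): a POSIX sh model of the rule lookup that reply relies on, with a weak rules file beside a hardened one. It assumes tcpserver's documented IP lookup order (exact address, then each shorter dotted prefix, then the empty default) and axfrdns's slash-separated AXFR list; hostname rules and the cdb compilation step are left out, and all addresses and zones are constructed.

```shell
# Added example, not code from the thread or from djbdns.  A POSIX sh model
# of the rule lookup tcpserver performs for axfrdns and of what the AXFR=
# variable then permits.  Rule files, addresses and zones are constructed.
# Only IP-keyed rules are modelled (no hostname rules, no cdb compilation).

# Find the rule that applies to client $2 in the plain-text rules file $1
# and print its instruction part.  Lookup order mirrors tcpserver's: the
# exact address first, then each shorter dotted prefix (10.0.0.1 -> 10.0.0.
# -> 10.0. -> 10.), finally the empty-address default ("").  Returns 1 when
# nothing matches; a real rules file should end with an explicit ":" rule.
tcprules_lookup() {
    rules=$1
    stem=$2
    key=$2
    while :; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        rule=$(sed -n "s/^$esc:\(.*\)\$/\1/p" "$rules" | head -n 1)
        if [ -n "$rule" ]; then
            printf '%s\n' "$rule"
            return 0
        fi
        if [ -z "$key" ]; then
            return 1
        fi
        case $stem in
            *.*) stem=${stem%.*}; key="$stem." ;;
            *)   key="" ;;
        esac
    done
}

# Decide whether client $2 may AXFR zone $3 under the rules in $1.  axfrdns
# serves every zone when the matching allow rule sets no AXFR variable at
# all; when AXFR is set (even to an empty list) it serves only the zones in
# that slash-separated list.
axfr_permitted() {
    rule=$(tcprules_lookup "$1" "$2") || return 1
    case $rule in
        allow*) ;;
        *) return 1 ;;    # deny, or anything unrecognised
    esac
    if ! printf '%s\n' "$rule" | grep -q 'AXFR="'; then
        return 0
    fi
    zones=$(printf '%s\n' "$rule" | sed -n 's/.*AXFR="\([^"]*\)".*/\1/p')
    case "/$zones/" in
        *"/$3/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Weak rules file: the catch-all allows everyone, so any host that can reach
# tcp/53 can pull every zone axfrdns serves.
write_weak_rules() {
    printf ':allow\n' > "$1"
}

# Hardened rules file: the secondary (10.0.0.1) may transfer both zones, the
# rest of its /24 only the first one, and everyone else is refused.
write_hardened_rules() {
    {
        printf '10.0.0.1:allow,AXFR="mydomain.com/otherdomain.org"\n'
        printf '10.0.0.:allow,AXFR="mydomain.com"\n'
        printf ':deny\n'
    } > "$1"
}
```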
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Thu Jul 19 8:11:41 2001
Date: Thu, 19 Jul 2001 10:11:37 -0500
From: "Jacques A. Vidrine"
To: Jeroen Ruigrok/Asmodai
Cc: Cy Schubert - ITSD Open Systems Group, Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
Message-ID: <20010719101137.K27900@madman.nectar.com>
References: <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12> <200107190547.f6J5lmD66188@cwsys.cwsent.com> <20010719094348.K58092@daemon.ninth-circle.org>
In-Reply-To: <20010719094348.K58092@daemon.ninth-circle.org>

On Thu, Jul 19, 2001 at 09:43:48AM +0200, Jeroen Ruigrok/Asmodai wrote:
> Don't forget I have been doing a lot of synching between the two/three
> telnet(d)'s in the source repository, including a lot of fix merging
> [which Kris did a lot of the work in first place for].
>
> Suffice to say we don't have real stock telnet(d)'s present, but quite
> audited in a lot of places.
>
> Now that I have more time again I need to continue moving the
> telnet(d)'s into one app again.

Please consider merging in Heimdal's telnet/telnetd. It is a close
relative of what we have now (and therefore also vulnerability-compatible
:-). I believe OpenBSD has done this already.
Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Thu Jul 19 8:22:34 2001
Date: Thu, 19 Jul 2001 10:22:30 -0500
From: "Jacques A. Vidrine"
To: Matt Dillon
Cc: Cy Schubert - ITSD Open Systems Group, Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
Message-ID: <20010719102230.L27900@madman.nectar.com>
References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com>
In-Reply-To: <200107190747.f6J7lMU71487@earth.backplane.com>

On Thu, Jul 19, 2001 at 12:47:22AM -0700, Matt Dillon wrote:
> Let's see... There are actually *FOUR* telnetd's in our source tree.
>
> /usr/src/crypto/telnet/telnetd                            VULNERABLE
> /usr/src/libexec/telnetd                                  VULNERABLE
> /usr/src/crypto/heimdal/appl/telnet/telnetd               NOT VULNERABLE
> /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c  NOT VULNERABLE
>
> The heimdal and kerberosIV telnetd's call an output_data()
> function which does not allow the output buffer to overflow. The
> first two telnetd's just blindly copy the option data into the output
> buffer.

Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is
exploitable. Sending it a big fat AYT gets it to crash with `seY[' on
the stack.

    (gdb) bt
    #0  0x7365595b in ?? ()
    #1  0x804dc8e in free ()
    #2  0x804ac0d in free ()
    #3  0x804b1bc in free ()
    #4  0x804aac9 in free ()
    #5  0x804a4c9 in free ()
    (gdb) info reg
    eax            0x7365595b       1936021851
    ecx            0xbfbff764       -1077938332
    edx            0x9              9
    ebx            0xff             255
    esp            0xbfbff7f0       0xbfbff7f0
    ebp            0xbfbff81c       0xbfbff81c
    esi            0xffffffff       -1
    edi            0x805c98a        134597002
    eip            0x7365595b       0x7365595b
    eflags         0x10283          66179
    cs             0x1f             31
    ss             0x2f             47
    ds             0x2f             47
    es             0x2f             47
    fs             0x2f             47
    gs             0x2f             47

Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Thu Jul 19 8:26:08 2001
Date: Thu, 19 Jul 2001 11:29:24 -0400 (EDT)
From: Ralph Huntington To: Dag-Erling Smorgrav Cc: "Sergey N. Voronkov" , Nick Maschenko , security@FreeBSD.ORG Subject: Re: Fw: Re: A question about FreeBSD security In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > I prefer to use IPF 'cause of its stateful filtering. > > IPFW can keep state as well. Ah, but do they keep state in the same way? How is that accomplished? Is one as secure as the other in this regard? My understanding (someone please correct me if I am wrong) is that IPFW relies on the incoming packets' own headers to infer the established state, whereas IPF keeps a table of outgoing packets (when told to keep state) and matches incoming packets to the entries in the table to determine if they are actually in response to an outgoing packet. This seems to indicate that packets could be spoofed to fool IPFW regarding state. Would someone more knowledgeable about these firewalls please comment on this? Thank you very much. -=r=- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 9:13:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id A70D537B408 for ; Thu, 19 Jul 2001 09:13:25 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f6JGDJq08938; Thu, 19 Jul 2001 12:13:19 -0400 (EDT) (envelope-from wollman) Date: Thu, 19 Jul 2001 12:13:19 -0400 (EDT)
From: Garrett Wollman Message-Id: <200107191613.f6JGDJq08938@khavrinen.lcs.mit.edu> To: Walter Hop Cc: "default013 - subscriptions" , freebsd-security@FreeBSD.ORG Subject: Re: blocking I.P. addresses/ranges In-Reply-To: <4723040991.20010719145335@binity.com> References: <4723040991.20010719145335@binity.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > [in reply to default013subscriptions@hotmail.com, 19-07-2001] >> I know there is a way to block I.P. addresses/I.P. ranges in Linux by using >> something like 'route add 24.198.54.0 deny' etc... I assume that there must >> be a similar way to do this in FreeBSD... > In FreeBSD, you can do this for instance with the ``ipfw'' tool. Or, without recourse to the packet-filtering code, using: route add -net aa.bb.cc.dd -netmask (some mask) -interface lo0 -reject However, there is an important caveat to doing this: adding such a route does not prevent the other party from sending packets to you; it only prevents your machine from responding. Thus, it does not help against those attacks which do not require a response. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 9:57:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id D64ED37B406 for ; Thu, 19 Jul 2001 09:57:21 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6JGvG574763; Thu, 19 Jul 2001 09:57:16 -0700 (PDT) (envelope-from dillon) Date: Thu, 19 Jul 2001 09:57:16 -0700 (PDT) 
From: Matt Dillon Message-Id: <200107191657.f6JGvG574763@earth.backplane.com> To: "Jacques A. Vidrine" Cc: Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org : :Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is :exploitable. Sending it a big fat AYT gets it to crash with `seY[' on :the stack. Oh joy. Hmm. Then I don't know... it calls output_data() to generate the AYT answer, I don't see anything particularly wrong with the code unless nfrontp exceeds BUFSIZ. That's fragile, it could be that something else is causing nfrontp to exceed BUFSIZ and breaks the snprintf() 'remaining' calculation in output_data(). -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10: 2:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id 9B85637B406 for ; Thu, 19 Jul 2001 10:02:35 -0700 (PDT) (envelope-from assar@assaris.sics.se) Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id TAA14869; Thu, 19 Jul 2001 19:02:47 +0200 (CEST) (envelope-from assar) To: "Jacques A. Vidrine" Cc: Jeroen Ruigrok/Asmodai , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12> <200107190547.f6J5lmD66188@cwsys.cwsent.com> <20010719094348.K58092@daemon.ninth-circle.org> <20010719101137.K27900@madman.nectar.com> 
From: Assar Westerlund Date: 19 Jul 2001 19:02:45 +0200 In-Reply-To: "Jacques A. Vidrine"'s message of "Thu, 19 Jul 2001 10:11:37 -0500" Message-ID: <5lzoa026oa.fsf@assaris.sics.se> Lines: 8 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Jacques A. Vidrine" writes: > Please consider merging in Heimdal's telnet/telnetd. It is a close > relative of what we have now (and therefore also > vulnerability-compatible :-). I believe OpenBSD has done this already. I cannot but agree with Jacques. :-) /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10: 3:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id 35A8637B401 for ; Thu, 19 Jul 2001 10:03:41 -0700 (PDT) (envelope-from assar@assaris.sics.se) Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id TAA14873; Thu, 19 Jul 2001 19:03:51 +0200 (CEST) (envelope-from assar) To: Matt Dillon Cc: Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> 
From: Assar Westerlund Date: 19 Jul 2001 19:03:50 +0200 In-Reply-To: Matt Dillon's message of "Thu, 19 Jul 2001 00:47:22 -0700 (PDT)" Message-ID: <5lvgko26mh.fsf@assaris.sics.se> Lines: 20 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Matt Dillon writes:
> Let's see... There are actually *FOUR* telnetd's in our source tree.
>
> /usr/src/crypto/telnet/telnetd VULNERABLE
> /usr/src/libexec/telnetd VULNERABLE
> /usr/src/crypto/heimdal/appl/telnet/telnetd NOT VULNERABLE
> /usr/src/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c NOT VULNERABLE

The last two are actually the `same', just from different versions from the same CVS tree.

> The heimdal and kerberosIV telnetd's call an output_data()
> function which does not allow the output buffer to overflow. The
> first two telnetd's just blindly copy the option data into the output
> buffer.

The heimdal/kerberosIV are possibly less bad, but not blame-less, see further down in the thread. /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10: 4:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id E4B9337B403 for ; Thu, 19 Jul 2001 10:04:34 -0700 (PDT) (envelope-from assar@assaris.sics.se) Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id TAA14876; Thu, 19 Jul 2001 19:04:50 +0200 (CEST) (envelope-from assar) To: "Jacques A. Vidrine" Cc: Matt Dillon , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ?
References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> From: Assar Westerlund Date: 19 Jul 2001 19:04:50 +0200 In-Reply-To: "Jacques A. Vidrine"'s message of "Thu, 19 Jul 2001 10:22:30 -0500" Message-ID: <5lpuaw26kt.fsf@assaris.sics.se> Lines: 8 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Jacques A. Vidrine" writes: > Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is > exploitable. I don't know if it's exploitable either. I don't _think_ so, but I've of course fixed the problem anyways. /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10: 5:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id E3D9F37B405 for ; Thu, 19 Jul 2001 10:05:36 -0700 (PDT) (envelope-from assar@assaris.sics.se) Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id TAA14886; Thu, 19 Jul 2001 19:05:51 +0200 (CEST) (envelope-from assar) To: Matt Dillon Cc: "Jacques A. Vidrine" , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <200107191657.f6JGvG574763@earth.backplane.com> 
From: Assar Westerlund Date: 19 Jul 2001 19:05:51 +0200 In-Reply-To: Matt Dillon's message of "Thu, 19 Jul 2001 09:57:16 -0700 (PDT)" Message-ID: <5llmlk26j4.fsf@assaris.sics.se> Lines: 12 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matt Dillon writes: > Oh joy. Hmm. Then I don't know... it calls output_data() to generate > the AYT answer, I don't see anything particularly wrong with the code > unless nfrontp exceeds BUFSIZ. That's fragile, it could be that something > else is causing nfrontp to exceed BUFSIZ and breaks the snprintf() > 'remaining' calculation in output_data(). output_data adds the result from vsnprintf() to nfrontp. If there's not enough room for the formatted string in `remaining', vsnprintf() returns the size that would be required. Bad me, no cookie. /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10: 9:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id 3F8B437B403 for ; Thu, 19 Jul 2001 10:09:42 -0700 (PDT) (envelope-from assar@assaris.sics.se) Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id TAA14932; Thu, 19 Jul 2001 19:09:32 +0200 (CEST) (envelope-from assar) To: Cy Schubert - ITSD Open Systems Group Cc: Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190637.f6J6bnf66559@cwsys.cwsent.com> 
From: Assar Westerlund Date: 19 Jul 2001 19:09:32 +0200 In-Reply-To: Cy Schubert - ITSD Open Systems Group's message of "Wed, 18 Jul 2001 23:37:42 -0700" Message-ID: <5lhew826cz.fsf@assaris.sics.se> Lines: 12 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Cy Schubert - ITSD Open Systems Group writes: > The advisory says that OpenBSD-current is invulnerable. Looking at the > OpenBSD source tree, they've replaced BSD telnetd with heimdal telnetd. Depends on what you mean by OpenBSD-current. itojun just fixed it, see libexec/telnetd/global.c:1.6 > Build with kerberos5 enabled might be a temp workaround. Afraid not. That builds the one in secure. /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:10:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 6214937B405; Thu, 19 Jul 2001 10:10:21 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6JHA9E64003; Thu, 19 Jul 2001 20:10:09 +0300 (EEST) (envelope-from ru) Date: Thu, 19 Jul 2001 20:10:09 +0300
From: Ruslan Ermilov To: Assar Westerlund Cc: "Jacques A. Vidrine" , Matt Dillon , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <20010719201009.A61061@sunbay.com> Mail-Followup-To: Assar Westerlund , "Jacques A. Vidrine" , Matt Dillon , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <5lpuaw26kt.fsf@assaris.sics.se> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5lpuaw26kt.fsf@assaris.sics.se>; from assar@FreeBSD.ORG on Thu, Jul 19, 2001 at 07:04:50PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jul 19, 2001 at 07:04:50PM +0200, Assar Westerlund wrote: > "Jacques A. Vidrine" writes: > > Actually, Heimdal's telnetd _is_ vulnerable, but I don't know if it is > > exploitable. > > I don't know if it's exploitable either. I don't _think_ so, but I've > of course fixed the problem anyways. > You mean, in netflush()? 
-- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:12:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 268F537B401; Thu, 19 Jul 2001 10:12:26 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6JHCPD75088; Thu, 19 Jul 2001 10:12:25 -0700 (PDT) (envelope-from dillon) Date: Thu, 19 Jul 2001 10:12:25 -0700 (PDT) 
From: Matt Dillon Message-Id: <200107191712.f6JHCPD75088@earth.backplane.com> To: Assar Westerlund Cc: "Jacques A. Vidrine" , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <200107191657.f6JGvG574763@earth.backplane.com> <5llmlk26j4.fsf@assaris.sics.se> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org :output_data adds the result from vsnprintf() to nfrontp. If there's :not enough room for the formatted string in `remaining', vsnprintf() :returns the size that would be required. Bad me, no cookie. : :/assar Ach! Of course! I totally missed that even though I read the code half a dozen times. It's even worse... size_t is unsigned, so once you overflow the buffer the 'remaining' amount will be some huge number and you are screwed. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:17: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 1CC8137B401 for ; Thu, 19 Jul 2001 10:16:58 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6JHE7e64280; Thu, 19 Jul 2001 20:14:07 +0300 (EEST) (envelope-from ru) Date: Thu, 19 Jul 2001 20:14:07 +0300
From: Ruslan Ermilov To: Przemyslaw Frasunek Cc: security@FreeBSD.ORG Subject: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <20010719201407.B61061@sunbay.com> Mail-Followup-To: Przemyslaw Frasunek , security@FreeBSD.ORG References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <014d01c11031$bdab5a10$2001a8c0@clitoris>; from venglin@freebsd.lublin.pl on Thu, Jul 19, 2001 at 11:03:53AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > Posted to bugtraq is a notice about telnetd being remotely root > > exploitable. Does anyone know if it is true ? > > Yes, telnetd is vulnerable. > The patch is available at: http://people.FreeBSD.org/~ru/telnetd.patch Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:18:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id 17B4537B403 for ; Thu, 19 Jul 2001 10:18:44 -0700 (PDT) (envelope-from assar@assaris.sics.se) Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id TAA14964; Thu, 19 Jul 2001 19:18:59 +0200 (CEST) (envelope-from assar) To: Matt Dillon Cc: "Jacques A. 
Vidrine" , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <200107191657.f6JGvG574763@earth.backplane.com> <5llmlk26j4.fsf@assaris.sics.se> <200107191712.f6JHCPD75088@earth.backplane.com> From: Assar Westerlund Date: 19 Jul 2001 19:18:58 +0200 In-Reply-To: Matt Dillon's message of "Thu, 19 Jul 2001 10:12:25 -0700 (PDT)" Message-ID: <5ld76w25x9.fsf@assaris.sics.se> Lines: 8 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matt Dillon writes: > It's even worse... size_t is unsigned, so once you overflow the buffer > the 'remaining' amount will be some huge number and you are screwed. Yeah, I know. I changed them to `int' too. But if it wouldn't have overflowed, it wouldn't have mattered... /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:19:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id D99FD37B403; Thu, 19 Jul 2001 10:19:35 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6JHJZb75216; Thu, 19 Jul 2001 10:19:35 -0700 (PDT) (envelope-from dillon) Date: Thu, 19 Jul 2001 10:19:35 -0700 (PDT)
From: Matt Dillon Message-Id: <200107191719.f6JHJZb75216@earth.backplane.com> To: Ruslan Ermilov Cc: Assar Westerlund , "Jacques A. Vidrine" , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <5lpuaw26kt.fsf@assaris.sics.se> <20010719201009.A61061@sunbay.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org :You mean, in netflush()? : :-- :Ruslan Ermilov Oracle Developer/DBA, netflush() isn't used in enough places. It doesn't save the day. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:19:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from assaris.sics.se (assaris.sics.se [193.10.66.234]) by hub.freebsd.org (Postfix) with ESMTP id 23C4237B403; Thu, 19 Jul 2001 10:19:53 -0700 (PDT) (envelope-from assar@assaris.sics.se) Received: (from assar@localhost) by assaris.sics.se (8.9.3/8.9.3) id TAA15011; Thu, 19 Jul 2001 19:20:10 +0200 (CEST) (envelope-from assar) To: Ruslan Ermilov Cc: "Jacques A. Vidrine" , Matt Dillon , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <5lpuaw26kt.fsf@assaris.sics.se> <20010719201009.A61061@sunbay.com> 
From: Assar Westerlund Date: 19 Jul 2001 19:20:10 +0200 In-Reply-To: Ruslan Ermilov's message of "Thu, 19 Jul 2001 20:10:09 +0300" Message-ID: <5l8zhk25v9.fsf@assaris.sics.se> Lines: 9 User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ruslan Ermilov writes: > > I don't know if it's exploitable either. I don't _think_ so, but I've > > of course fixed the problem anyways. > > > You mean, in netflush()? No, in output_data() (in heimdal's telnetd/global.c) /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:24:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id E869D37B405 for ; Thu, 19 Jul 2001 10:24:46 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 35321 invoked from network); 19 Jul 2001 17:24:34 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 19 Jul 2001 17:24:34 -0000 Message-ID: <003701c11077$b3125400$0d00a8c0@alexus> 
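The output_data() defect that Assar and Matt pin down above, worked through as an added example. This is editor's code, not Heimdal's or FreeBSD's telnetd: the 16-byte buffer, the guard region, the two constructed reply strings and the names outbuf, output_data_buggy, output_data_fixed, buggy_run and fixed_run are all assumptions of the demo (the real buffer is BUFSIZ bytes). The buggy shape adds vsnprintf()'s return value, which is the length the whole string would have needed, to the write pointer even when the write was truncated; the next room calculation, BUFSIZ - (nfrontp - netobuf) held in a size_t, then wraps to a huge number and the following write is effectively unbounded. The hardened shape checks the return value against the room that was actually there before moving the pointer. One detail from Jacques's trace, for the record: 0x7365595b is the little-endian encoding of the bytes "[Yes", the start of the "[Yes]" text telnetd answers an AYT with, which is what ended up in eip.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Demo sizes, not telnetd's: a 16-byte logical buffer (BUFSIZ in telnetd) plus
 * a guard region that absorbs the buggy writer's overrun so it can be inspected. */
#define OUTBUF_SIZE 16
#define GUARD_SIZE  64

struct outbuf {
    char storage[OUTBUF_SIZE + GUARD_SIZE]; /* netobuf, then the guard */
    char *front;                            /* nfrontp: next free byte */
};

static void outbuf_init(struct outbuf *ob)
{
    memset(ob->storage, 'G', sizeof ob->storage);
    ob->front = ob->storage;
}

static int guard_intact(const struct outbuf *ob)   /* 1 if nothing overran */
{
    for (size_t i = OUTBUF_SIZE; i < sizeof ob->storage; i++)
        if (ob->storage[i] != 'G') return 0;
    return 1;
}

/* The thread's room calculation, BUFSIZ - (nfrontp - netobuf), in a size_t: once
 * front is past the end the difference is negative and the size_t result is huge. */
static size_t remaining_unsigned(const struct outbuf *ob)
{
    return (size_t)(OUTBUF_SIZE - (ob->front - ob->storage));
}

/* BUGGY shape: vsnprintf() returns the length the whole string would need, not
 * the bytes written, and front is advanced by that value unconditionally. */
static int output_data_buggy(struct outbuf *ob, const char *fmt, ...)
{
    size_t remaining = remaining_unsigned(ob);
    /* Demo scaffolding: the real code passed the wrapped value to vsnprintf() as is.
     * Capping at the bytes physically left keeps the overrun inside the guard. */
    size_t left = (size_t)(ob->storage + sizeof ob->storage - ob->front);
    if (remaining > left) remaining = left;   /* never binds for the strings below */
    va_list ap; va_start(ap, fmt);
    int ret = vsnprintf(ob->front, remaining, fmt, ap); va_end(ap);
    ob->front += ret;   /* the bug: advance by the would-be length */
    return ret;
}

/* FIXED shape: check the return value against the room that was really there
 * before moving front, never past the last writable byte; truncation returns -1. */
static int output_data_fixed(struct outbuf *ob, const char *fmt, ...)
{
    size_t used = (size_t)(ob->front - ob->storage);
    if (used >= OUTBUF_SIZE) return -1;       /* cannot happen, cheap to check */
    size_t remaining = OUTBUF_SIZE - used;
    va_list ap; va_start(ap, fmt);
    int ret = vsnprintf(ob->front, remaining, fmt, ap); va_end(ap);
    if (ret < 0) return -1;
    if ((size_t)ret >= remaining) {   /* truncated: remaining-1 bytes + NUL written */
        ob->front += remaining - 1;   /* telnetd would netflush() here and retry */
        return -1;
    }
    ob->front += ret;
    return ret;
}

/* Constructed replies (not telnetd output): 33 bytes, then a short one. */
static const char *const REPLY1 = "[Yes] AYT reply that does not fit";
static const char *const REPLY2 = "second reply";
/* Buggy path: stores the room the code believes it has after the truncated first
 * write, (size_t)(16 - 33), and returns 1 if the second write then overran. */
static int buggy_run(size_t *believed_room)
{
    struct outbuf ob;
    outbuf_init(&ob);
    output_data_buggy(&ob, "%s", REPLY1);
    *believed_room = remaining_unsigned(&ob);
    output_data_buggy(&ob, "%s", REPLY2);
    return !guard_intact(&ob);
}

/* Fixed path, same writes: 1 if the guard is untouched and front stayed inside. */
static int fixed_run(void)
{
    struct outbuf ob;
    outbuf_init(&ob);
    output_data_fixed(&ob, "%s", REPLY1);
    output_data_fixed(&ob, "%s", REPLY2);
    return guard_intact(&ob) && ob.front < ob.storage + OUTBUF_SIZE;
}

int main(void)
{
    size_t room;
    int clobbered = buggy_run(&room);
    printf("buggy: room %zu, guard clobbered %d; fixed: stayed inside %d\n",
           room, clobbered, fixed_run());
    return 0;
}
```

Changing `remaining` from size_t to int, which the thread also mentions, does not on its own close the hole: a negative int passed as the size argument converts to a large size_t at the vsnprintf() call. Keeping the pointer inside the buffer is what matters, which is Assar's point that without the overrun the type would not have mattered.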
From: "alexus" To: "Ruslan Ermilov" , "Przemyslaw Frasunek" Cc: References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Date: Thu, 19 Jul 2001 13:24:42 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org could you also include some sort of instruction how to apply it? thanks in advance ----- Original Message ----- 
From: "Ruslan Ermilov" To: "Przemyslaw Frasunek" Cc: Sent: Thursday, July 19, 2001 1:14 PM Subject: [PATCH] Re: FreeBSD remote root exploit ? > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > Posted to bugtraq is a notice about telnetd being remotely root > > > exploitable. Does anyone know if it is true ? > > > > Yes, telnetd is vulnerable. > > > The patch is available at: > > http://people.FreeBSD.org/~ru/telnetd.patch > > > Cheers, > -- > Ruslan Ermilov Oracle Developer/DBA, > ru@sunbay.com Sunbay Software AG, > ru@FreeBSD.org FreeBSD committer, > +380.652.512.251 Simferopol, Ukraine > > http://www.FreeBSD.org The Power To Serve > http://www.oracle.com Enabling The Information Age > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:31:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from oksala.org (modemcable048.156-201-24.mtl.mc.videotron.ca [24.201.156.48]) by hub.freebsd.org (Postfix) with ESMTP id 3DEBE37B401 for ; Thu, 19 Jul 2001 10:31:17 -0700 (PDT) (envelope-from silence@oksala.org) Received: from oksala.org (silence@silence [24.201.156.48]) by oksala.org (8.11.4/8.11.1) with ESMTP id f6JHS1J23685 for ; Thu, 19 Jul 2001 13:28:01 -0400 (EDT) (envelope-from silence@oksala.org) Message-ID: <3B5718A0.2B650C9C@oksala.org> Date: Thu, 19 Jul 2001 13:28:00 -0400 
From: Pierre-Luc Lespérance X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org alexus wrote: > > could you also include some sort of instruction how to apply it? > > thanks in advance > > ----- Original Message -----
> From: "Ruslan Ermilov" > To: "Przemyslaw Frasunek" > Cc: > Sent: Thursday, July 19, 2001 1:14 PM > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > exploitable. Does anyone know if it is true ? > > > > > > Yes, telnetd is vulnerable. > > > > > The patch is available at: > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > Cheers, > > -- > > Ruslan Ermilov Oracle Developer/DBA, > > ru@sunbay.com Sunbay Software AG, > > ru@FreeBSD.org FreeBSD committer, > > +380.652.512.251 Simferopol, Ukraine > > > > http://www.FreeBSD.org The Power To Serve > > http://www.oracle.com Enabling The Information Age > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message go to /usr/src/crypto/telnet/telnetd and type shell~# patch -p < /where/is/the/file.patch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:37:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 6E0D337B401 for ; Thu, 19 Jul 2001 10:37:18 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 35428 invoked from network); 19 Jul 2001 17:37:06 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 19 Jul 2001 17:37:06 -0000 Message-ID: <004501c11079$7321d990$0d00a8c0@alexus> 
From: "alexus" To: Pierre-Luc Lespérance , References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Date: Thu, 19 Jul 2001 13:37:14 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org uh. ok:) this part is done.. should i recompile telnetd now somehow? if so then how?:) ----- Original Message ----- From: "Pierre-Luc Lespérance" To: Sent: Thursday, July 19, 2001 1:28 PM Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > alexus wrote: > > > > could you also include some sort of instruction how to apply it? > > > > thanks in advance > > > > ----- Original Message -----
> > From: "Ruslan Ermilov" > > To: "Przemyslaw Frasunek" > > Cc: > > Sent: Thursday, July 19, 2001 1:14 PM > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > The patch is available at: > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > Cheers, > > > -- > > > Ruslan Ermilov Oracle Developer/DBA, > > > ru@sunbay.com Sunbay Software AG, > > > ru@FreeBSD.org FreeBSD committer, > > > +380.652.512.251 Simferopol, Ukraine > > > > > > http://www.FreeBSD.org The Power To Serve > > > http://www.oracle.com Enabling The Information Age > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > go to /usr/src/crypto/telnet/telnetd > and type > shell~# patch -p < /where/is/the/file.patch > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:39:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 55E1637B406 for ; Thu, 19 Jul 2001 10:39:33 -0700 (PDT) (envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.4/8.11.3) with ESMTP id f6JHdiO71518; Thu, 19 Jul 2001 12:39:44 -0500 (CDT) (envelope-from chris@jeah.net) Date: Thu, 19 Jul 2001 12:39:43 -0500 (CDT) 
From: Chris Byrnes To: alexus Cc: Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? In-Reply-To: <004501c11079$7321d990$0d00a8c0@alexus> Message-ID: <20010719123906.D71473-100000@awww.jeah.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd Chris Byrnes, Managing Member JEAH Communications, LLC On Thu, 19 Jul 2001, alexus wrote: > uh. ok:) > > this part is done.. should i recompile telnetd now somehow? if so then > how?:) > > ----- Original Message ----- > From: "Pierre-Luc Lespérance" > To: > Sent: Thursday, July 19, 2001 1:28 PM > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > alexus wrote: > > > > > > could you also include some sort of instruction how to apply it? > > > > > > thanks in advance > > > > > > ----- Original Message ----- 
> > > From: "Ruslan Ermilov" > > > To: "Przemyslaw Frasunek" > > > Cc: > > > Sent: Thursday, July 19, 2001 1:14 PM > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > The patch is available at: > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > Cheers, > > > > -- > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > ru@sunbay.com Sunbay Software AG, > > > > ru@FreeBSD.org FreeBSD committer, > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > go to /usr/src/crypto/telnet/telnetd > > and type > > shell~# patch -p < /where/is/the/file.patch > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:46:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 8700D37B401 for ; Thu, 19 Jul 2001 10:46:20 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 35516 invoked from network); 19 Jul 2001 17:46:09 -0000 Received: 
from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 19 Jul 2001 17:46:09 -0000 Message-ID: <005d01c1107a$b6f57a40$0d00a8c0@alexus> From: "alexus" To: "Chris Byrnes" Cc: References: <20010719123906.D71473-100000@awww.jeah.net> Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Date: Thu, 19 Jul 2001 13:46:17 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org su-2.05# cd /usr/src/libexec/telnetd/ su-2.05# make all install install -c -s -o root -g wheel -m 555 telnetd /usr/libexec install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8 su-2.05# hmm that's it? seems like too short compilation .. is it supposed to be like this? ----- Original Message ----- From: "Chris Byrnes" To: "alexus" Cc: Sent: Thursday, July 19, 2001 1:39 PM Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd Chris Byrnes, Managing Member JEAH Communications, LLC On Thu, 19 Jul 2001, alexus wrote: > uh. ok:) > > this part is done.. should i recompile telnetd now somehow? if so then > how?:) > > ----- Original Message ----- > From: "Pierre-Luc Lespérance" > To: > Sent: Thursday, July 19, 2001 1:28 PM > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > alexus wrote: > > > > > > could you also include some sort of instruction how to apply it? > > > > > > thanks in advance > > > > > > ----- Original Message ----- 
> > > From: "Ruslan Ermilov" > > > To: "Przemyslaw Frasunek" > > > Cc: > > > Sent: Thursday, July 19, 2001 1:14 PM > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > The patch is available at: > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > Cheers, > > > > -- > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > ru@sunbay.com Sunbay Software AG, > > > > ru@FreeBSD.org FreeBSD committer, > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > go to /usr/src/crypto/telnet/telnetd > > and type > > shell~# patch -p < /where/is/the/file.patch > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:46:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id CEF4437B403 for ; Thu, 19 Jul 2001 10:46:44 -0700 (PDT) 
(envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.4/8.11.3) with ESMTP id f6JHkxE72433; Thu, 19 Jul 2001 12:46:59 -0500 (CDT) (envelope-from chris@jeah.net) Date: Thu, 19 Jul 2001 12:46:58 -0500 (CDT) From: Chris Byrnes To: alexus Cc: Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? In-Reply-To: <005d01c1107a$b6f57a40$0d00a8c0@alexus> Message-ID: <20010719124656.S72422-100000@awww.jeah.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org yup Chris Byrnes, Managing Member JEAH Communications, LLC On Thu, 19 Jul 2001, alexus wrote: > su-2.05# cd /usr/src/libexec/telnetd/ > su-2.05# make all install > install -c -s -o root -g wheel -m 555 telnetd /usr/libexec > install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8 > su-2.05# > > hmm that's it? seems like too short compilation .. is it supposed to be like > this? > > ----- Original Message ----- > From: "Chris Byrnes" > To: "alexus" > Cc: > Sent: Thursday, July 19, 2001 1:39 PM > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd > > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > On Thu, 19 Jul 2001, alexus wrote: > > > uh. ok:) > > > > this part is done.. should i recompile telnetd now somehow? if so then > > how?:) > > > > ----- Original Message ----- > > From: "Pierre-Luc Lespérance" > > To: > > Sent: Thursday, July 19, 2001 1:28 PM > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > alexus wrote: > > > > > > > > could you also include some sort of instruction how to apply it? > > > > > > > > thanks in advance > > > > > > > > ----- Original Message ----- 
> > > > From: "Ruslan Ermilov" > > > > To: "Przemyslaw Frasunek" > > > > Cc: > > > > Sent: Thursday, July 19, 2001 1:14 PM > > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > > > The patch is available at: > > > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > > > > Cheers, > > > > > -- > > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > > ru@sunbay.com Sunbay Software AG, > > > > > ru@FreeBSD.org FreeBSD committer, > > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > go to /usr/src/crypto/telnet/telnetd > > > and type > > > shell~# patch -p < /where/is/the/file.patch > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:47:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com 
[66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id AD7E437B403 for ; Thu, 19 Jul 2001 10:47:09 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 35547 invoked from network); 19 Jul 2001 17:46:59 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 19 Jul 2001 17:46:59 -0000 Message-ID: <007101c1107a$d4615e50$0d00a8c0@alexus> From: "alexus" To: "Chris Byrnes" Cc: References: <20010719124656.S72422-100000@awww.jeah.net> Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Date: Thu, 19 Jul 2001 13:47:07 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ok thanks ----- Original Message ----- From: "Chris Byrnes" To: "alexus" Cc: Sent: Thursday, July 19, 2001 1:46 PM Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? yup Chris Byrnes, Managing Member JEAH Communications, LLC On Thu, 19 Jul 2001, alexus wrote: > su-2.05# cd /usr/src/libexec/telnetd/ > su-2.05# make all install > install -c -s -o root -g wheel -m 555 telnetd /usr/libexec > install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8 > su-2.05# > > hmm that's it? seems like too short compilation .. is it supposed to be like > this? > > ----- Original Message ----- 
> From: "Chris Byrnes" > To: "alexus" > Cc: > Sent: Thursday, July 19, 2001 1:39 PM > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd > > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > On Thu, 19 Jul 2001, alexus wrote: > > > uh. ok:) > > > > this part is done.. should i recompile telnetd now somehow? if so then > > how?:) > > > > ----- Original Message ----- > > From: "Pierre-Luc Lespérance" > > To: > > Sent: Thursday, July 19, 2001 1:28 PM > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > alexus wrote: > > > > > > > > could you also include some sort of instruction how to apply it? > > > > > > > > thanks in advance > > > > > > > > ----- Original Message ----- 
> > > > From: "Ruslan Ermilov" > > > > To: "Przemyslaw Frasunek" > > > > Cc: > > > > Sent: Thursday, July 19, 2001 1:14 PM > > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > > > The patch is available at: > > > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > > > > Cheers, > > > > > -- > > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > > ru@sunbay.com Sunbay Software AG, > > > > > ru@FreeBSD.org FreeBSD committer, > > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > go to /usr/src/crypto/telnet/telnetd > > > and type > > > shell~# patch -p < /where/is/the/file.patch > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:50:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua 
[212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id A84C137B401; Thu, 19 Jul 2001 10:50:19 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6JHoGn68059; Thu, 19 Jul 2001 20:50:16 +0300 (EEST) (envelope-from ru) Date: Thu, 19 Jul 2001 20:50:16 +0300 
From: Ruslan Ermilov To: Assar Westerlund Cc: "Jacques A. Vidrine" , Matt Dillon , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <20010719205016.A67829@sunbay.com> Mail-Followup-To: Assar Westerlund , "Jacques A. Vidrine" , Matt Dillon , Cy Schubert - ITSD Open Systems Group , Mike Tancsa , Kris Kennaway , security@FreeBSD.ORG References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <5lpuaw26kt.fsf@assaris.sics.se> <20010719201009.A61061@sunbay.com> <5l8zhk25v9.fsf@assaris.sics.se> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5l8zhk25v9.fsf@assaris.sics.se>; from assar@FreeBSD.ORG on Thu, Jul 19, 2001 at 07:20:10PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jul 19, 2001 at 07:20:10PM +0200, Assar Westerlund wrote: > Ruslan Ermilov writes: > > > I don't know if it's exploitable either. I don't _think_ so, but I've > > > of course fixed the problem anyways. > > > > > You mean, in netflush()? > > No, in output_data() (in heimdal's telnetd/global.c) > Doh, of course I meant output_data(), but itojun done a good job in NetBSD. output_data() attempts netflush() before a failure. See NetBSD's state.c,v 1.16. 
Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:52: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from oksala.org (modemcable048.156-201-24.mtl.mc.videotron.ca [24.201.156.48]) by hub.freebsd.org (Postfix) with ESMTP id ACCE237B405 for ; Thu, 19 Jul 2001 10:51:57 -0700 (PDT) (envelope-from silence@oksala.org) Received: from oksala.org (silence@silence [24.201.156.48]) by oksala.org (8.11.4/8.11.1) with ESMTP id f6JHmbJ25663 for ; Thu, 19 Jul 2001 13:48:37 -0400 (EDT) (envelope-from silence@oksala.org) Message-ID: <3B571D75.A8E8AB58@oksala.org> Date: Thu, 19 Jul 2001 13:48:37 -0400 From: Pierre-Luc =?iso-8859-1?Q?Lesp=E9rance?= X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 Cc: security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? References: <20010719123906.D71473-100000@awww.jeah.net> <005d01c1107a$b6f57a40$0d00a8c0@alexus> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org alexus wrote: > > su-2.05# cd /usr/src/libexec/telnetd/ > su-2.05# make all install > install -c -s -o root -g wheel -m 555 telnetd /usr/libexec > install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8 > su-2.05# > > hmm that's it? seems like too short compilation .. is it supposed to be like > this? > > ----- Original Message ----- 
> From: "Chris Byrnes" > To: "alexus" > Cc: > Sent: Thursday, July 19, 2001 1:39 PM > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > On Thu, 19 Jul 2001, alexus wrote: > > > uh. ok:) > > > > this part is done.. should i recompile telnetd now somehow? if so then > > how?:) > > > > ----- Original Message ----- > > From: "Pierre-Luc Lespérance" > > To: > > Sent: Thursday, July 19, 2001 1:28 PM > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > alexus wrote: > > > > > > > > could you also include some sort of instruction how to apply it? > > > > > > > > thanks in advance > > > > > > > > ----- Original Message ----- 
> > > > From: "Ruslan Ermilov" > > > > To: "Przemyslaw Frasunek" > > > > Cc: > > > > Sent: Thursday, July 19, 2001 1:14 PM > > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > > > The patch is available at: > > > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > > > > Cheers, > > > > > -- > > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > > ru@sunbay.com Sunbay Software AG, > > > > > ru@FreeBSD.org FreeBSD committer, > > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > go to /usr/src/crypto/telnet/telnetd > > > and type > > > shell~# patch -p < /where/is/the/file.patch > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message make clean make depend make make install To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From 
owner-freebsd-security Thu Jul 19 10:53: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id E804A37B401 for ; Thu, 19 Jul 2001 10:52:58 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6JHqer75736; Thu, 19 Jul 2001 10:52:40 -0700 (PDT) (envelope-from dillon) Date: Thu, 19 Jul 2001 10:52:40 -0700 (PDT) 
From: Matt Dillon
Message-Id: <200107191752.f6JHqer75736@earth.backplane.com>
To: Pierre-Luc Lespérance
Cc: security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

:go to /usr/src/crypto/telnet/telnetd
:and type
:shell~# patch -p < /where/is/the/file.patch

It isn't really safe code. If the data being formatted is larger than the format argument you can overflow the buffer, and the 'ret' from vsnprintf() is the amount of data that would have been output if the buffer had been large enough, not the amount of data that was actually output. Also, size_t is unsigned, which means if you overflow the buffer by one byte you are screwed. There appear to be a number of places (mainly the DIAG code, but also the ENCRYPT code) where this is true.

This patch will fix the existing options-based hole, but doesn't close it.

-Matt

From owner-freebsd-security Thu Jul 19 10:53:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 9E27237B405 for ; Thu, 19 Jul 2001 10:53:15 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6JHqAi68176; Thu, 19 Jul 2001 20:52:10 +0300 (EEST) (envelope-from ru)
Date: Thu, 19 Jul 2001 20:52:09 +0300
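Matt Dillon's point about vsnprintf()'s return value and unsigned size_t, shown as an added C illustration. This is not telnetd code and not from any poster on the list; the accumulator, the 16-byte buffer and the names struct outbuf, append_unsafe, append_safe, naive_remaining and net_flush are all constructed for the demo. The unsafe variant advances its byte count by whatever vsnprintf() returns, so one oversized message leaves the count past the end of the buffer and the "remaining space" subtraction wraps to a huge size_t. The safe variant treats a return value of at least the remaining space as "did not fit", flushes what is already buffered and retries once (the flush-before-failing approach Ruslan Ermilov attributes to NetBSD's state.c elsewhere in this thread), and refuses rather than miscount when the message can never fit.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo, not telnetd code: struct outbuf, append_unsafe,
 * append_safe and net_flush are hypothetical stand-ins for a
 * telnetd-style output_data()/netflush() pair. */
#define OUTBUF_SIZE 16

struct outbuf {
    char   data[OUTBUF_SIZE];
    size_t used;     /* bytes stored in data[], excluding the NUL */
    size_t flushed;  /* bytes "sent" by net_flush(), kept for checking */
};

/* Stand-in for netflush(): pretend to send the buffer, then empty it. */
static void net_flush(struct outbuf *b)
{
    b->flushed += b->used;
    b->used = 0;
    b->data[0] = '\0';
}

/* Remaining space as naive code computes it; unsigned, so it wraps. */
static size_t naive_remaining(size_t used)
{
    return OUTBUF_SIZE - used;
}

/* UNSAFE: vsnprintf() returns the length the text WOULD have had, not
 * how much fit, yet 'used' is advanced by it.  One oversized append
 * leaves used > OUTBUF_SIZE; the next call would write past data[]. */
static int append_unsafe(struct outbuf *b, const char *fmt, ...)
{
    va_list ap;
    int ret;
    if (b->used > OUTBUF_SIZE)
        return -2;                         /* demo refuses to overflow */
    va_start(ap, fmt);
    ret = vsnprintf(b->data + b->used, naive_remaining(b->used), fmt, ap);
    va_end(ap);
    if (ret < 0)
        return -1;
    b->used += (size_t)ret;                /* BUG: counts unwritten bytes */
    return ret;
}

/* SAFE: ret >= remaining means "did not fit".  Flush what is buffered
 * and retry once; if it still cannot fit, refuse.  'used' stays below
 * OUTBUF_SIZE, so the terminating NUL always has room. */
static int append_safe(struct outbuf *b, const char *fmt, ...)
{
    va_list ap;
    int ret, attempt;
    for (attempt = 0; attempt < 2; attempt++) {
        size_t remaining = OUTBUF_SIZE - b->used;
        va_start(ap, fmt);
        ret = vsnprintf(b->data + b->used, remaining, fmt, ap);
        va_end(ap);
        if (ret < 0)
            return -1;
        if ((size_t)ret < remaining) {
            b->used += (size_t)ret;        /* fully stored */
            return ret;
        }
        b->data[b->used] = '\0';           /* drop the truncated tail */
        if (b->used == 0)
            break;                         /* empty and still too big */
        net_flush(b);                      /* make room, then retry */
    }
    return -1;
}

/* One oversized append through the unsafe path: returns the bogus count. */
static size_t demo_unsafe_used(void)
{
    struct outbuf b;
    memset(&b, 0, sizeof b);
    append_unsafe(&b, "%s", "12345678901234567890");  /* 20 chars, 16 bytes */
    return b.used;                                    /* 20: past the end */
}

/* Safe path: counters after two appends, and a never-fitting message refused. */
static int demo_safe(size_t *used, size_t *flushed)
{
    struct outbuf b;
    int r1, r2, r3;
    memset(&b, 0, sizeof b);
    r1 = append_safe(&b, "%s", "0123456789");            /* fits: used 10 */
    r2 = append_safe(&b, "%s", "abcdefghijkl");          /* flush, then fits */
    *used = b.used;
    *flushed = b.flushed;
    r3 = append_safe(&b, "%s", "12345678901234567890");  /* can never fit */
    return (r1 == 10 && r2 == 12 && r3 == -1 && b.used == 0) ? 0 : -1;
}
```

Calling demo_unsafe_used() gives 20 for a 16-byte buffer, and naive_remaining(20) is a value far above OUTBUF_SIZE, which is exactly the size a naive next vsnprintf() would be handed; the unsafe function stops before that call only because the demo checks for it. demo_safe() ends with used 12 and flushed 10: the second message did not fit beside the first, so the first was flushed and the second stored whole, and the final 20-byte message is refused with the buffer left empty and consistent.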
From: Ruslan Ermilov
To: alexus
Cc: Chris Byrnes , security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID: <20010719205209.B67829@sunbay.com>
Mail-Followup-To: alexus , Chris Byrnes , security@FreeBSD.ORG
References: <20010719123906.D71473-100000@awww.jeah.net> <005d01c1107a$b6f57a40$0d00a8c0@alexus>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <005d01c1107a$b6f57a40$0d00a8c0@alexus>; from ml@db.nexgen.com on Thu, Jul 19, 2001 at 01:46:17PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Jul 19, 2001 at 01:46:17PM -0400, alexus wrote:
> su-2.05# cd /usr/src/libexec/telnetd/
> su-2.05# make all install
> install -c -s -o root -g wheel -m 555 telnetd /usr/libexec
> install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8
> su-2.05#
>
> hmm that's it? seems like too short compilation .. is it supposed to be like
> this?
>
cd /usr/src/secure/libexec/telnetd/; make depend && make all && make install
            ^^^^^^

Non-secure telnetd will be fixed tomorrow. I must go home now.
:-) Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 10:53:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from woh-65-28-240-79.woh.rr.com (woh-65-28-240-79.woh.rr.com [65.28.240.79]) by hub.freebsd.org (Postfix) with SMTP id 9252937B401 for ; Thu, 19 Jul 2001 10:53:39 -0700 (PDT) (envelope-from changty@muohio.edu) Received: (qmail 21086 invoked by uid 1000); 19 Jul 2001 17:53:33 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Jul 2001 17:53:33 -0000 Date: Thu, 19 Jul 2001 13:53:33 -0400 (EDT) From: Tony Chang X-X-Sender: To: Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? In-Reply-To: <005d01c1107a$b6f57a40$0d00a8c0@alexus> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=iso-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Make sure to delete the old obj files: rm -r /usr/obj/usr/src/libexec/telnetd/ Then it should work. ja~ Tony ---------- Tony Chang http://www.muohio.edu/~changty/ "Nothing is certain or proved beyond all doubt." --Richard Feynman On Thu, 19 Jul 2001, alexus wrote: > Date: Thu, 19 Jul 2001 13:46:17 -0400 
> From: alexus > To: Chris Byrnes > Cc: security@FreeBSD.ORG > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > su-2.05# cd /usr/src/libexec/telnetd/ > su-2.05# make all install > install -c -s -o root -g wheel -m 555 telnetd /usr/libexec > install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8 > su-2.05# > > hmm that's it? seems like too short compilation .. is it supposed to be like > this? > > ----- Original Message ----- > From: "Chris Byrnes" > To: "alexus" > Cc: > Sent: Thursday, July 19, 2001 1:39 PM > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd > > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > On Thu, 19 Jul 2001, alexus wrote: > > > uh. ok:) > > > > this part is done.. should i recompile telnetd now somehow? if so then > > how?:) > > > > ----- Original Message ----- > > From: "Pierre-Luc Lespérance" > > To: > > Sent: Thursday, July 19, 2001 1:28 PM > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > alexus wrote: > > > > > > > > could you also include some sort of instruction how to apply it? > > > > > > > > thanks in advance > > > > > > > > ----- Original Message ----- 
> > > > From: "Ruslan Ermilov" > > > > To: "Przemyslaw Frasunek" > > > > Cc: > > > > Sent: Thursday, July 19, 2001 1:14 PM > > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > > > The patch is available at: > > > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > > > > Cheers, > > > > > -- > > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > > ru@sunbay.com Sunbay Software AG, > > > > > ru@FreeBSD.org FreeBSD committer, > > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > go to /usr/src/crypto/telnet/telnetd > > > and type > > > shell~# patch -p < /where/is/the/file.patch > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu 
Jul 19 10:54:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id AC29537B401 for ; Thu, 19 Jul 2001 10:54:12 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f6JHsB829194 for ; Thu, 19 Jul 2001 13:54:11 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010719134655.0397a720@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 19 Jul 2001 13:47:43 -0400 To: security@FreeBSD.ORG 
From: Mike Tancsa Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? In-Reply-To: <3B571D75.A8E8AB58@oksala.org> References: <20010719123906.D71473-100000@awww.jeah.net> <005d01c1107a$b6f57a40$0d00a8c0@alexus> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 01:48 PM 7/19/01 -0400, Pierre-Luc Lespérance wrote: >alexus wrote: > > > > su-2.05# cd /usr/src/libexec/telnetd/ > > su-2.05# make all install > > install -c -s -o root -g wheel -m 555 telnetd /usr/libexec > > install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8 > > su-2.05# > > > > hmm that's it? seems like too short compilation .. is it supposed to be like > > this? >make clean >make depend >make >make install And, kill -HUP `cat /var/run/inetd.pid` ---Mike From owner-freebsd-security Thu Jul 19 10:57:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 3CB6D37B406 for ; Thu, 19 Jul 2001 10:57:04 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f6JHupL14475; Thu, 19 Jul 2001 13:56:51 -0400 (EDT) (envelope-from str) Date: Thu, 19 Jul 2001 13:56:51 -0400 (EDT)
From: Igor Roshchin Message-Id: <200107191756.f6JHupL14475@giganda.komkon.org> To: chris@jeah.net, ml@db.nexgen.com Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Cc: security@FreeBSD.ORG In-Reply-To: <20010719123906.D71473-100000@awww.jeah.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org It is /usr/src/crypto/telnet/telnetd that is patched by the patch in question. /usr/src/libexec/telnetd is not touched. So, does not seem to be incorrect. The correct directory would be /usr/src/secure/libexec/telnetd So, cd /usr/src/secure/libexec/telnetd make all make install ... However, in my case (4.3-RELEASE) the compile failed, (the patch seemed to apply cleanly). Below is make's output. Igor ...secure/libexec/telnetd#make Warning: Object directory not changed from original /usr/src/secure/libexec/telnetd cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/global.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/slc.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/sys_term.c cc -O -pipe -DLINEMODE 
-DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/termstat.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/utility.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/authenc.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o termstat.o utility.o authenc.o -lutil -ltermcap -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto -lcrypt -lmp /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init': kerberos.o(.text+0x114): undefined reference to `krb_get_default_keyfile' /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send': kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost' kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost' kerberos.o(.text+0x21a): undefined reference to `krb_mk_req' kerberos.o(.text+0x22b): undefined reference to `krb_err_txt' kerberos.o(.text+0x24d): undefined reference to `krb_get_cred' kerberos.o(.text+0x25e): undefined reference to `krb_err_txt' /usr/lib/libtelnet.a(kerberos.o): In function 
`kerberos4_is': kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm' kerberos.o(.text+0x53c): undefined reference to `krb_rd_req' kerberos.o(.text+0x56c): undefined reference to `krb_err_txt' kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln' kerberos.o(.text+0x5c1): undefined reference to `kuserok' /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status': kerberos.o(.text+0x89e): undefined reference to `kuserok' *** Error code 1 Stop in /usr/src/secure/libexec/telnetd. > Date: Thu, 19 Jul 2001 12:39:43 -0500 (CDT) > From: Chris Byrnes > To: alexus > Cc: > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd > > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > On Thu, 19 Jul 2001, alexus wrote: > > > uh. ok:) > > > > this part is done.. should i recompile telnetd now somehow? if so then > > how?:) > > > > ----- Original Message ----- > > From: "Pierre-Luc Lespérance" > > To: > > Sent: Thursday, July 19, 2001 1:28 PM > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > alexus wrote: > > > > > > > > could you also include some sort of instruction how to apply it? > > > > > > > > thanks in advance > > > > > > > > ----- Original Message ----- 
> > > > From: "Ruslan Ermilov" > > > > To: "Przemyslaw Frasunek" > > > > Cc: > > > > Sent: Thursday, July 19, 2001 1:14 PM > > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > > > The patch is available at: > > > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > > > > Cheers, > > > > > -- > > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > > ru@sunbay.com Sunbay Software AG, > > > > > ru@FreeBSD.org FreeBSD committer, > > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > go to /usr/src/crypto/telnet/telnetd > > > and type > > > shell~# patch -p < /where/is/the/file.patch > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 11: 0:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 10AAD37B405 for ; Thu, 19 Jul 2001 11:00:02 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6JHxmC68903; Thu, 19 Jul 2001 20:59:48 +0300 (EEST) (envelope-from ru) Date: Thu, 19 Jul 2001 20:59:48 +0300 
From: Ruslan Ermilov To: Matt Dillon Cc: security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <20010719205948.D67829@sunbay.com> Mail-Followup-To: Matt Dillon , security@FreeBSD.ORG References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200107191752.f6JHqer75736@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 10:52:40AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jul 19, 2001 at 10:52:40AM -0700, Matt Dillon wrote: > > :go to /usr/src/crypto/telnet/telnetd > :and type > :shell~# patch -p < /where/is/the/file.patch > > It isn't really safe code. If the data being formatted is large > r then the format argument you can overflow the buffer, and the > 'ret' from vsnprintf() is the amount of data that would have been > output if the buffer had been large enough, not the amount of data > that was actually output. Also, size_t is unsigned, which means > if you overflow the buffer by one byte you are screwed. > > There appear to be a number of places (mainly the DIAG code, but also > the ENCRYPT code) where this is true. This patch will fix the existing > options-based hole, but doesn't close it. > Doesn't this handle this? int output_data(const char *format, ...) 
{
    va_list args;
    size_t remaining, ret;

    va_start(args, format);
    remaining = BUFSIZ - (nfrontp - netobuf);
    /* try a netflush() if the room is too low */
    if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
        netflush();
        remaining = BUFSIZ - (nfrontp - netobuf);
    }
    ret = vsnprintf(nfrontp, remaining, format, args);
    nfrontp += ret;
    va_end(args);
    return ret;
}

-- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age
From owner-freebsd-security Thu Jul 19 11: 3:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 6730F37B40C for ; Thu, 19 Jul 2001 11:03:39 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f6JI3cT14814; Thu, 19 Jul 2001 14:03:38 -0400 (EDT) (envelope-from str) Date: Thu, 19 Jul 2001 14:03:38 -0400 (EDT) From: Igor Roshchin Message-Id: <200107191803.f6JI3cT14814@giganda.komkon.org> To: chris@jeah.net Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Cc: security@FreeBSD.ORG In-Reply-To: <200107191756.f6JHupL14475@giganda.komkon.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org PS. make depend does not help either, because make still attempts to link against the /usr/lib/libtelnet.a which causes the problem. > From str Thu Jul 19 13:57:04 2001 > Date: Thu, 19 Jul 2001 13:56:51 -0400 (EDT)
> From: Igor Roshchin > To: chris@jeah.net, ml@db.nexgen.com > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > Cc: security@FreeBSD.ORG > > > It is /usr/src/crypto/telnet/telnetd that is patched by the patch in question. > /usr/src/libexec/telnetd is not touched. > > So, does not seem to be incorrect. > > The correct directory would be > /usr/src/secure/libexec/telnetd > > So, > cd /usr/src/secure/libexec/telnetd > make all > make install > ... > > However, in my case (4.3-RELEASE) the compile failed, > (the patch seemed to apply cleanly). > Below is make's output. > > Igor > > ...secure/libexec/telnetd#make > Warning: Object directory not changed from original /usr/src/secure/libexec/telnetd > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/global.c > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/slc.c > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/sys_term.c > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c > cc 
-O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/termstat.c > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/utility.c > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/authenc.c > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o termstat.o utility.o authenc.o -lutil -ltermcap -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto -lcrypt -lmp > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init': > kerberos.o(.text+0x114): undefined reference to `krb_get_default_keyfile' > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send': > kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost' > kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost' > kerberos.o(.text+0x21a): undefined reference to `krb_mk_req' > kerberos.o(.text+0x22b): undefined reference to `krb_err_txt' > kerberos.o(.text+0x24d): undefined reference to `krb_get_cred' > kerberos.o(.text+0x25e): undefined reference to `krb_err_txt' > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is': > kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm' > kerberos.o(.text+0x53c): undefined reference to `krb_rd_req' > kerberos.o(.text+0x56c): undefined reference to `krb_err_txt' > 
kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln' > kerberos.o(.text+0x5c1): undefined reference to `kuserok' > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status': > kerberos.o(.text+0x89e): undefined reference to `kuserok' > *** Error code 1 > > Stop in /usr/src/secure/libexec/telnetd. > > > > > > > > > > Date: Thu, 19 Jul 2001 12:39:43 -0500 (CDT) > > From: Chris Byrnes > > To: alexus > > Cc: > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd > > > > > > Chris Byrnes, Managing Member > > JEAH Communications, LLC > > > > On Thu, 19 Jul 2001, alexus wrote: > > > > > uh. ok:) > > > > > > this part is done.. should i recompile telnetd now somehow? if so then > > > how?:) > > > > > > ----- Original Message ----- > > > From: "Pierre-Luc Lespérance" > > > To: > > > Sent: Thursday, July 19, 2001 1:28 PM > > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > > > > alexus wrote: > > > > > > > > > > could you also include some sort of instruction how to apply it? > > > > > > > > > > thanks in advance > > > > > > > > > > ----- Original Message ----- 
> > > > > From: "Ruslan Ermilov" > > > > > To: "Przemyslaw Frasunek" > > > > > Cc: > > > > > Sent: Thursday, July 19, 2001 1:14 PM > > > > > Subject: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote: > > > > > > > > Posted to bugtraq is a notice about telnetd being remotely root > > > > > > > > exploitable. Does anyone know if it is true ? > > > > > > > > > > > > > > Yes, telnetd is vulnerable. > > > > > > > > > > > > > The patch is available at: > > > > > > > > > > > > http://people.FreeBSD.org/~ru/telnetd.patch > > > > > > > > > > > > > > > > > > Cheers, > > > > > > -- > > > > > > Ruslan Ermilov Oracle Developer/DBA, > > > > > > ru@sunbay.com Sunbay Software AG, > > > > > > ru@FreeBSD.org FreeBSD committer, > > > > > > +380.652.512.251 Simferopol, Ukraine > > > > > > > > > > > > http://www.FreeBSD.org The Power To Serve > > > > > > http://www.oracle.com Enabling The Information Age > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > > with "unsubscribe freebsd-security" in the body of the message > > > > go to /usr/src/crypto/telnet/telnetd > > > > and type > > > > shell~# patch -p < /where/is/the/file.patch > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 19 11:17:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id F0C5A37B405; Thu, 19 Jul 2001 11:17:28 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6JIHSJ76262; Thu, 19 Jul 2001 11:17:28 -0700 (PDT) (envelope-from dillon) Date: Thu, 
19 Jul 2001 11:17:28 -0700 (PDT) 
From: Matt Dillon Message-Id: <200107191817.f6JIHSJ76262@earth.backplane.com> To: Ruslan Ermilov Cc: security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
:> the ENCRYPT code) where this is true. This patch will fix the existing
:> options-based hole, but doesn't close it.
:>
:Doesn't this handle this?
:
:int
:output_data(const char *format, ...)
:{
:    va_list args;
:    size_t remaining, ret;
:    va_start(args, format);
:    remaining = BUFSIZ - (nfrontp - netobuf);
:    /* try a netflush() if the room is too low */
:    if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
:        ^^^^^^^^^^^^^^^^^^^^^^^^^^

    Nope. What if the format is "%d" and the number is "123"? Or that format is "%s" and the argument is "abcdefghijklmnopqrstuvwxyz"? Then strlen(format) could be < remaining but the result of the vsnprintf() could still be > remaining.

    The output_data() calls for the various options are safe, strlen(format) will always be larger than the actual formatted result. But the debugging and crypto calls to output_data() are not safe.

-Matt

:        netflush();
:        remaining = BUFSIZ - (nfrontp - netobuf);
:    }
:    ret = vsnprintf(nfrontp, remaining, format, args);

From owner-freebsd-security Thu Jul 19 11:21:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from amsmta06-svc.chello.nl (mail-out.chello.nl [213.46.240.7]) by hub.freebsd.org (Postfix) with ESMTP id 6E5D637B405; Thu, 19 Jul 2001 11:21:55 -0700 (PDT) (envelope-from asmodai@wxs.nl) Received: from daemon.chronias.ninth-circle.org ([62.163.96.180]) by amsmta06-svc.chello.nl (InterMail vK.4.03.02.00 201-232-124 license dd4a379df8e387594186908c65258374) with ESMTP id <20010719182201.KMQM13241.amsmta06-svc@daemon.chronias.ninth-circle.org>; Thu, 19 Jul 2001 20:22:01 +0200 Received: (from asmodai@localhost) by daemon.chronias.ninth-circle.org (8.11.3/8.11.3) id f6JILoK83645; Thu, 19 Jul 2001 20:21:50 +0200 (CEST) (envelope-from asmodai) Date: Thu, 19 Jul 2001 20:21:50 +0200
From: Jeroen Ruigrok/Asmodai To: Assar Westerlund Cc: "Jacques A. Vidrine" , security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <20010719202149.E79615@daemon.ninth-circle.org> References: <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12> <200107190547.f6J5lmD66188@cwsys.cwsent.com> <20010719094348.K58092@daemon.ninth-circle.org> <20010719101137.K27900@madman.nectar.com> <5lzoa026oa.fsf@assaris.sics.se> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5lzoa026oa.fsf@assaris.sics.se> User-Agent: Mutt/1.3.19i Organisation: Ninth-Circle Enterprises Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Tjosin Assar, -On [20010719 19:37], Assar Westerlund (assar@FreeBSD.ORG) wrote: >"Jacques A. Vidrine" writes: >> Please consider merging in Heimdal's telnet/telnetd. It is a close >> relative of what we have now (and therefore also >> vulnerability-compatible :-). I believe OpenBSD has done this already. > >I cannot but agree with Jacques. :-) I'll have a look at that in the next couple of days. -- Jeroen Ruigrok van der Werven/Asmodai asmodai@[wxs.nl|freebsd.org|xmach.org] Documentation nutter/C-rated Coder, finger asmodai@ninth-circle.dnsalias.net http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/ Once upon a midnight dreary, while I pondered, weak and weary... 
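[Editor's addition to this archive page; it is not a message from the thread.] Matt Dillon's objection to the output_data() check, a few messages up, is easy to verify in a small program, so here is one. It keeps the names from the thread (netobuf, netflush(), output_data(), and nfrontp, kept here as an offset called nfront instead of a pointer so the overflowed state can be inspected without ever forming an out-of-range pointer). The stub netflush(), the run_of() helper, the demo function and the hardened output_data_checked() are assumptions made for this illustration only; they are not telnetd's code and not the patch's. The program shows that strlen(format) cannot bound what "%s" or "%d" expands to, that vsnprintf() returns the length the output would have had rather than what it wrote, so advancing nfrontp by it leaves the pointer past the end of netobuf, and what a version that compares the real formatted length against the room actually available looks like.

```c
/* Model of telnetd's output path as discussed in the thread. netobuf,
 * netflush() and output_data() are the thread's names; nfront stands in
 * for nfrontp - netobuf. Stub, helpers and the checked variant are
 * assumptions for this example, not telnetd's code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char   netobuf[BUFSIZ];  /* outgoing network buffer */
static size_t nfront;           /* next free byte: the thread's nfrontp - netobuf */
static size_t sent;             /* bytes the stub netflush() has "put on the wire" */

/* Stand-in for netflush(): pretend the pending bytes were written out. */
static void netflush(void)
{
    sent += nfront;
    nfront = 0;
}

static void net_reset(void)
{
    memset(netobuf, 0, sizeof netobuf);
    nfront = 0;
    sent = 0;
}

static size_t net_pending(void) { return nfront; }
static size_t net_sent(void)    { return sent; }

/* Constructed input: n copies of c (capped at 2*BUFSIZ), NUL-terminated. */
static const char *run_of(char c, size_t n)
{
    static char buf[2 * BUFSIZ + 1];
    n = n > 2 * BUFSIZ ? 2 * BUFSIZ : n;
    memset(buf, c, n);
    buf[n] = '\0';
    return buf;
}

/* The check under discussion: strlen(format) as a proxy for the formatted
 * length, and nfront advanced by vsnprintf()'s return value, which is the
 * length the output WOULD have had, not the number of bytes written. */
static int output_data_patched(const char *format, ...)
{
    va_list args;
    size_t remaining, ret;

    va_start(args, format);
    remaining = BUFSIZ - nfront;
    if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
        netflush();
        remaining = BUFSIZ - nfront;
    }
    ret = vsnprintf(netobuf + nfront, remaining, format, args);
    nfront += ret;   /* BUG: ret may exceed remaining; nfront now lies past netobuf */
    va_end(args);
    return (int)ret;
}

/* Hardened variant (added here): compare the real formatted length with the
 * room available, flush and retry once if it did not fit, and refuse anything
 * larger than the whole buffer instead of advancing past the end. */
static int output_data_checked(const char *format, ...)
{
    va_list args, retry;
    size_t remaining;
    int ret;

    va_start(args, format);
    va_copy(retry, args);
    remaining = BUFSIZ - nfront;   /* nfront <= BUFSIZ always holds here */
    ret = vsnprintf(netobuf + nfront, remaining, format, args);
    va_end(args);
    if (ret >= 0 && (size_t)ret >= remaining) {
        /* Truncated: the partial bytes are never counted; flush, then retry. */
        netflush();
        remaining = BUFSIZ;
        ret = vsnprintf(netobuf, remaining, format, retry);
    }
    va_end(retry);
    if (ret < 0 || (size_t)ret >= remaining)
        return -1;                 /* vsnprintf error, or too big even for an empty buffer */
    nfront += (size_t)ret;
    return ret;
}

/* Reproduces the failure: one "%s" whose argument is longer than the whole
 * buffer leaves nfront past the end. A second call would then compute
 * BUFSIZ - nfront as a huge size_t and write out of bounds, so none is made. */
static int demo_patched_overflows(void)
{
    net_reset();
    (void)output_data_patched("%s", run_of('A', 2 * BUFSIZ));
    return nfront > BUFSIZ;
}

int main(void)
{
    printf("patched output_data() leaves nfront past netobuf: %s\n",
           demo_patched_overflows() ? "yes" : "no");
    net_reset();
    printf("checked output_data() on oversize input returns %d, pending %zu\n",
           output_data_checked("%s", run_of('A', 2 * BUFSIZ)), net_pending());
    return 0;
}
```

Build with cc -std=c99 -Wall and run it. The hardened version never advances by more than the room it had: when the formatted result does not fit it flushes and formats once more into the empty buffer, and when it does not fit even then it returns -1 without advancing. That is the property the debugging and encryption callers need, since their arguments are not fixed option strings whose length the format already bounds.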
From owner-freebsd-security Thu Jul 19 11:47: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp3.jarna.com (mail.jarna.com [63.236.58.109]) by hub.freebsd.org (Postfix) with SMTP id 7638137B403 for ; Thu, 19 Jul 2001 11:46:55 -0700 (PDT) (envelope-from nevin@jarna.com) Received: (qmail 85286 invoked by uid 0); 19 Jul 2001 18:46:54 -0000 Received: from unknown (HELO njk) (66.7.227.67) by smtp.jarna.com with SMTP; 19 Jul 2001 18:46:54 -0000
From: "Nevin Kapoor" To: Subject: RE: [PATCH] Re: FreeBSD remote root exploit ? Date: Thu, 19 Jul 2001 11:55:38 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <200107191756.f6JHupL14475@giganda.komkon.org> X-Mimeole: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Folks, I think you folks have done an outstanding job at keeping everyone informed and up to date on this issue and I wanted to express my thanks for that. One quick note though.... I have been receiving email from people confused as to where exactly this patch should be applied, as well as whose steps are the proper steps to follow in the patching process. In reading back through the string of emails, and there are many as we all know, I can see how it could be confusing for people to know what exactly to patch... and what the proper steps are. I don't know that I am 100% positive myself anymore ;-) I was wondering if someone who is proactively working on this issue could post an email with "cookbook" style instructions detailing where the patch is to be applied, and what the correct steps are to apply the patch. I think this may relieve some of the confusion. Thanks again. /nk -----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Igor Roshchin Sent: Thursday, July 19, 2001 10:57 AM To: chris@jeah.net; ml@db.nexgen.com Cc: security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? It is /usr/src/crypto/telnet/telnetd that is patched by the patch in question. /usr/src/libexec/telnetd is not touched. So, does not seem to be incorrect. The correct directory would be /usr/src/secure/libexec/telnetd So, cd /usr/src/secure/libexec/telnetd make all make install ... However, in my case (4.3-RELEASE) the compile failed, (the patch seemed to apply cleanly). Below is make's output. Igor ...secure/libexec/telnetd#make Warning: Object directory not changed from original /usr/src/secure/libexec/telnetd cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/global.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/slc.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/sys_term.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c
/usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/termstat.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/utility.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -c /usr/src/secure/libexec/telnetd/../../../crypto/telnet/telnetd/authenc.c cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o termstat.o utility.o authenc.o -lutil -ltermcap -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto -lcrypt -lmp /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init': kerberos.o(.text+0x114): undefined reference to `krb_get_default_keyfile' /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send': kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost' kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost' kerberos.o(.text+0x21a): undefined reference to `krb_mk_req' kerberos.o(.text+0x22b): undefined reference to `krb_err_txt' kerberos.o(.text+0x24d): undefined reference to `krb_get_cred' kerberos.o(.text+0x25e): undefined reference to `krb_err_txt' /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is': kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm' kerberos.o(.text+0x53c): undefined reference to `krb_rd_req'
kerberos.o(.text+0x56c): undefined reference to `krb_err_txt' kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln' kerberos.o(.text+0x5c1): undefined reference to `kuserok' /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status': kerberos.o(.text+0x89e): undefined reference to `kuserok' *** Error code 1 Stop in /usr/src/secure/libexec/telnetd. > Date: Thu, 19 Jul 2001 12:39:43 -0500 (CDT) > From: Chris Byrnes > To: alexus > Cc: > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd > > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > On Thu, 19 Jul 2001, alexus wrote: > > > uh. ok:) > > > > this part is done.. should i recompile telnetd now somehow? if so then > > how?:) > > > > ----- Original Message ----- > > From: "Pierre-Luc Lespérance" > > To: > > Sent: Thursday, July 19, 2001 1:28 PM > > Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? > > > > > > > alexus wrote: > > > > > > > > could you also include some sort of instruction how to apply it? > > > > > > > > thanks in advance > > > > > > > > ----- Original Message ----- 
> > > > From: "Ruslan Ermilov"
> > > > To: "Przemyslaw Frasunek"
> > > > Sent: Thursday, July 19, 2001 1:14 PM
> > > > Subject: [PATCH] Re: FreeBSD remote root exploit ?
> > > >
> > > >
> > > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote:
> > > > > > > Posted to bugtraq is a notice about telnetd being remotely root
> > > > > > > exploitable. Does anyone know if it is true ?
> > > > > >
> > > > > > Yes, telnetd is vulnerable.
> > > > > >
> > > > > The patch is available at:
> > > > >
> > > > > http://people.FreeBSD.org/~ru/telnetd.patch
> > > > >
> > > > >
> > > > > Cheers,
> > > > > --
> > > > > Ruslan Ermilov          Oracle Developer/DBA,
> > > > > ru@sunbay.com           Sunbay Software AG,
> > > > > ru@FreeBSD.org          FreeBSD committer,
> > > > > +380.652.512.251        Simferopol, Ukraine
> > > > >
> > > > > http://www.FreeBSD.org  The Power To Serve
> > > > > http://www.oracle.com   Enabling The Information Age
> > > > >
> > >
> > > go to /usr/src/crypto/telnet/telnetd
> > > and type
> > > shell~# patch -p < /where/is/the/file.patch
> > >

From owner-freebsd-security Thu Jul 19 12: 0:20 2001
Date: Thu, 19 Jul 2001 21:59:57 +0300
From: Ruslan Ermilov
To: Matt Dillon
Cc: Assar Westerlund, security@FreeBSD.org
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID: <20010719215957.A74024@sunbay.com>
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com>
In-Reply-To: <200107191817.f6JIHSJ76262@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 11:17:28AM -0700

On Thu, Jul 19, 2001 at 11:17:28AM -0700, Matt Dillon wrote:
>
> :> the ENCRYPT code) where this is true. This patch will fix the existing
> :> options-based hole, but doesn't close it.
> :>
> :Doesn't this handle this?
> :
> :int
> :output_data(const char *format, ...)
> :{
> :    va_list args;
> :    size_t remaining, ret;
> :
> :    va_start(args, format);
> :    remaining = BUFSIZ - (nfrontp - netobuf);
> :    /* try a netflush() if the room is too low */
> :    if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
> :        ^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>     Nope.  What if the format is "%d" and the number is "123"?  Or
>     that format is "%s" and the argument is "abcdefghijklmnopqrstuvwxyz"?
>     Then strlen(format) could be < remaining but the result of the vsnprintf()
>     could still be > remaining.
>
>     The output_data() calls for the various options are safe, strlen(format)
>     will always be larger than the actual formatted result.  But the
>     debugging and crypto calls to output_data() are not safe.
>
>                     -Matt
>
> :    netflush();
> :    remaining = BUFSIZ - (nfrontp - netobuf);
> :    }
> :    ret = vsnprintf(nfrontp, remaining, format, args);
>
Should be fixed in state.c,v 1.7.  Thanks, Assar!


Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Thu Jul 19 12: 5:45 2001
Date: Thu, 19 Jul 2001 12:05:38 -0700
From: Kris Kennaway
To: alexus
Cc: Chris Byrnes, security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID: <20010719120538.E43977@xor.obsecurity.org>
References: <20010719123906.D71473-100000@awww.jeah.net> <005d01c1107a$b6f57a40$0d00a8c0@alexus>
In-Reply-To: <005d01c1107a$b6f57a40$0d00a8c0@alexus>; from ml@db.nexgen.com on Thu, Jul 19, 2001 at 01:46:17PM -0400

On Thu, Jul 19, 2001 at 01:46:17PM -0400, alexus wrote:
> su-2.05# cd /usr/src/libexec/telnetd/ secure/libexec/telnetd
> su-2.05# make all install
> install -c -s -o root -g wheel -m 555 telnetd /usr/libexec
> install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8
> su-2.05#
>
> hmm that's it? seems like too short compilation .. is it supposed to be like
> this?

You rebuilt the wrong copy.
Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7Vy+BWry0BWjoQKURAmROAKDKB3Z2m9ppPikyvCHf+6PcUlg7lQCdEdh0
rrOG2C00qr9IUg3DPBhNvJg=
=rifT
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jul 19 12:15:30 2001
Date: Thu, 19 Jul 2001 12:15:24 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107191915.f6JJFOM77379@earth.backplane.com>
To: Ruslan Ermilov
Cc: Assar Westerlund, security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com> <20010719215957.A74024@sunbay.com>

:...
:> that format is "%s" and the argument is "abcdefghijklmnopqrstuvwxyz"?
:> Then strlen(format) could be < remaining but the result of the vsnprintf()
:> could still be > remaining.
:>
:> The output_data() calls for the various options are safe, strlen(format)
:> will always be larger than the actual formatted result.  But the
:> debugging and crypto calls to output_data() are not safe.
:>
:> -Matt
:>
:> :    netflush();
:> :    remaining = BUFSIZ - (nfrontp - netobuf);
:> :    }
:> :    ret = vsnprintf(nfrontp, remaining, format, args);
:>
:Should be fixed in state.c,v 1.7.  Thanks, Assar!
:
:Cheers,
:--
:Ruslan Ermilov          Oracle Developer/DBA,

    I think an immediate MFC is acceptable for this situation!
                    -Matt

From owner-freebsd-security Thu Jul 19 12:18: 3 2001
Date: Thu, 19 Jul 2001 12:17:58 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107191917.f6JJHwV77405@earth.backplane.com>
To: Ruslan Ermilov
Cc: Assar Westerlund, security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com> <20010719215957.A74024@sunbay.com>

:>
:> The output_data() calls for the various options are safe, strlen(format)
:> will always be larger than the actual formatted result.  But the
:> debugging and crypto calls to output_data() are not safe.
:>
:> -Matt
:>
:> :    netflush();
:> :    remaining = BUFSIZ - (nfrontp - netobuf);
:> :    }
:> :    ret = vsnprintf(nfrontp, remaining, format, args);
:>
:Should be fixed in state.c,v 1.7.  Thanks, Assar!
:
:
:Cheers,
:--
:Ruslan Ermilov          Oracle Developer/DBA,
:ru@sunbay.com           Sunbay Software AG,

    heh heh.  Sorry guys, state.c still isn't quite right.

        nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);

    What happens if remaining is 0 ?
                    -Matt

From owner-freebsd-security Thu Jul 19 13:28:26 2001
Date: Thu, 19 Jul 2001 15:28:20 -0500 (EST)
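The two defects Matt points out in the quoted output_data() (a strlen(format) bound that says nothing about what "%s" or "%d" will expand to, and a size_t `remaining - 1` that wraps around when remaining is 0) are easy to make concrete with a small stand-alone buffer. The following is an added example written for this page, not telnetd's code or the state.c fix under discussion: `struct netbuf`, NETBUF_SIZE and the function names are assumptions chosen for the example, and it uses a 64-byte buffer in place of BUFSIZ so the edge cases are reachable in a few calls. The hardened variant measures the formatted length first with vsnprintf(NULL, 0, ...), flushes only when the result would not fit, and rejects a message larger than the whole buffer instead of truncating or overrunning it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for telnetd's netobuf/nfrontp pair (constructed for this example).
 * 64 bytes instead of BUFSIZ keeps the edge cases within reach. */
#define NETBUF_SIZE 64

struct netbuf {
    char   buf[NETBUF_SIZE];
    size_t used;     /* what nfrontp - netobuf is in telnetd */
    size_t flushed;  /* bytes "sent" by netbuf_flush(); counted, not transmitted */
};

static void netbuf_flush(struct netbuf *nb)
{
    nb->flushed += nb->used;
    nb->used = 0;
}

/* Length a format would produce, without writing anything (vsnprintf with size 0). */
size_t formatted_length(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(NULL, 0, format, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* The heuristic quoted in the thread: flush when strlen(format) exceeds the room.
 * Returns 1 if it would flush first, 0 if it lets the write through unchecked. */
int old_check_would_flush(const char *format, size_t remaining)
{
    return strlen(format) > remaining || NETBUF_SIZE / 4 > remaining;
}

/* The pointer advance quoted from state.c,v 1.7.  With size_t arithmetic,
 * remaining == 0 makes remaining - 1 wrap to SIZE_MAX, so the clamp never
 * applies and the caller advances nfrontp past the end of the buffer. */
size_t old_advance(size_t ret, size_t remaining)
{
    return (ret < remaining - 1) ? ret : remaining - 1;
}

/* Hardened variant: measure first, flush only if the text will not fit, and
 * refuse anything larger than the buffer.  Returns bytes appended or -1. */
int output_data_safe(struct netbuf *nb, const char *format, ...)
{
    va_list ap, ap_copy;
    va_start(ap, format);
    va_copy(ap_copy, ap);
    int n = vsnprintf(NULL, 0, format, ap);   /* length without the NUL */
    va_end(ap);
    if (n < 0 || (size_t)n > NETBUF_SIZE - 1) {
        va_end(ap_copy);
        return -1;                            /* can never fit: reject, buffer untouched */
    }
    size_t needed = (size_t)n;
    size_t remaining = NETBUF_SIZE - nb->used;
    if (needed + 1 > remaining) {             /* +1: vsnprintf also writes a NUL */
        netbuf_flush(nb);
        remaining = NETBUF_SIZE;
    }
    /* remaining >= needed + 1 here, so there is no truncation and no underflow */
    int ret = vsnprintf(nb->buf + nb->used, remaining, format, ap_copy);
    va_end(ap_copy);
    if (ret < 0 || (size_t)ret >= remaining)
        return -1;                            /* unreachable after the measurement; kept explicit */
    nb->used += (size_t)ret;
    return ret;
}

/* Walks the hardened version through the cases the thread raises.
 * Returns 1 when every expectation holds, 0 otherwise. */
int scenario_ok(void)
{
    struct netbuf nb = { {0}, 0, 0 };
    const char *alpha = "abcdefghijklmnopqrstuvwxyz";
    if (output_data_safe(&nb, "%s", alpha) != 26 || nb.used != 26) return 0;
    if (output_data_safe(&nb, "%s", alpha) != 26 || nb.used != 52) return 0;
    /* 12 bytes left: the third copy forces a flush before it is written */
    if (output_data_safe(&nb, "%s", alpha) != 26 || nb.used != 26 || nb.flushed != 52) return 0;
    /* fill to the last payload byte; only the NUL slot remains */
    if (output_data_safe(&nb, "%37s", "x") != 37 || nb.used != 63) return 0;
    /* larger than the whole buffer: rejected, nothing written */
    if (output_data_safe(&nb, "%70s", "y") != -1 || nb.used != 63) return 0;
    /* one byte of room: a 3-byte message flushes first instead of overrunning */
    if (output_data_safe(&nb, "%d", 123) != 3 || nb.used != 3 || nb.flushed != 115) return 0;
    return 1;
}

int main(void)
{
    printf("strlen(\"%%s\") check with 20 bytes left flushes? %d, but the text is %zu bytes\n",
           old_check_would_flush("%s", 20), formatted_length("%s", "abcdefghijklmnopqrstuvwxyz"));
    printf("old advance with remaining == 0 and ret == 5: %zu (should be 0)\n", old_advance(5, 0));
    printf("hardened scenario ok: %d\n", scenario_ok());
    return 0;
}
```

The measuring call is what makes the strlen(format) heuristic unnecessary: the decision to flush is taken on the real length of the formatted text, and because the code never lets `used` reach NETBUF_SIZE, `remaining` can never be 0 when the subtraction is done.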
From: Richard Lucas
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
In-Reply-To: <20010719120538.E43977@xor.obsecurity.org>
Message-ID: <20010719152558.G24980-100000@mx2.threeh.com>

Ok in the emails I've read so far there has been 3 different paths listed
on where to apply this patch. Can someone say for sure where it goes?

/usr/src/crypo/telnet/telnetd/
/usr/src/libexec/telnetd/
/usr/src/secure/libexec/telnetd/

I have nothing in the last one except a Makefile so obviously that isn't
going to work.

-Richard

From owner-freebsd-security Thu Jul 19 14: 0:15 2001
X-URL: http://www.ofug.org/~des/
To: Ralph Huntington
Cc: "Sergey N. Voronkov", Nick Maschenko, security@FreeBSD.ORG
Subject: Re: Fw: Re: A question about FreeBSD security
From: Dag-Erling Smorgrav
Date: 19 Jul 2001 23:00:06 +0200

Ralph Huntington writes:
> My understanding (someone please correct me if I am wrong) is that IPFW
> relies on the incoming packets' own headers to infer the established
> state, whereas IPF keeps a table of outgoing packets (when told to keep
> state) and matches incoming packets to the entries in the table to
> determine if they are actually in response to an outgoing packet.

Both.  It all depends on how you set up your rule set - you can do

# ipfw add pass tcp from any to me 22 in setup
# ipfw add pass tcp from me 22 to any out tcpflags syn,ack keep-state

instead of

# ipfw add pass tcp from any to me 22 in setup keep-state

The first variant will only store state for incoming connections to
which you actually respond, while the second will store state for all
incoming connections.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jul 19 14: 5:26 2001
Message-Id: <200107192104.f6JL4GX00992@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Richard Lucas
Cc: security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
In-reply-to: Your message of "Thu, 19 Jul 2001 15:28:20 CDT." <20010719152558.G24980-100000@mx2.threeh.com>
Date: Thu, 19 Jul 2001 14:04:09 -0700

In message <20010719152558.G24980-100000@mx2.threeh.com>, Richard Lucas
writes:
> Ok in the emails I've read so far there has been 3 different paths listed
> on where to apply this patch. Can someone say for sure where it goes?
>
> /usr/src/crypo/telnet/telnetd/
> /usr/src/libexec/telnetd/
> /usr/src/secure/libexec/telnetd/
>
> I have nothing in the last one except a Makefile so obviously that isn't
> going to work.

The patch should be applied to /usr/src/crypto/telnet/telnetd.  As I
understand it, the other telnetd's will have patches applied/issued
shortly and subsequently a merging of telnetd's will take place.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Thu Jul 19 14:20:45 2001
Date: Thu, 19 Jul 2001 14:20:37 -0700
From: Sean Chittenden
To: security@FreeBSD.ORG
Subject: Possible limitations of ipfw dynamic rules/state (was: Re: Fw: Re: A question about FreeBSD security)
Message-ID: <20010719142036.K92387@rand.tgd.net>
In-Reply-To: ; from "des@ofug.org" on Thu, Jul 19, 2001 at 11:00:06PM
X-PGP-Key: 0x1EDDFAAD
X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD
X-Web-Homepage: http://sean.chittenden.org/

> Both.  It all depends on how you set up your rule set - you can do
>
> # ipfw add pass tcp from any to me 22 in setup
> # ipfw add pass tcp from me 22 to any out tcpflags syn,ack keep-state
>
> instead of
>
> # ipfw add pass tcp from any to me 22 in setup keep-state

Two quick points:

1) ipf does clean up its state table on a FIN packet from a TCP stream.
From the following excerpt from the man page, I'm not sure if ipfw has
this functionality at the moment.  Does it decrease the lifetime, or
does it expire the rule?

Taken from ipfw(8):

     net.inet.ip.fw.dyn_short_lifetime: 30
             These variables control the lifetime, in seconds, of dynamic
             rules.  Upon the initial SYN exchange the lifetime is kept short,
             then increased after both SYN have been seen, then decreased
             again during the final FIN exchange or when a RST

2) Last I heard there were performance concerns regarding a large number
of connections because each rule is checked for every packet... which
means, unless there have been some optimizations that I'm not aware of
(entirely possible), that every IP gets tested against possibly several
thousand rules before it either gets processed (denied or accepted).

Taken from ipfw(8):

     A check-state rule should be usually placed near the beginning of the
     ruleset to minimize the amount of work scanning the ruleset.  Your
     mileage may vary.

     BEWARE: stateful rules can be subject to denial-of-service attacks by a
     SYN-flood which opens a huge number of dynamic rules.  The effects of
     such attacks can be partially limited by acting on a set of sysctl(8)
     variables which control the operation of the firewall.

     [snip]

     net.inet.ip.fw.dyn_max: 1000
             Maximum number of dynamic rules.  When you hit this limit, no
             more dynamic rules can be installed until old ones expire.

If I'm operating with old knowledge I'd love to know and I'll move all
of my systems back to ipfw (from ipf), but I don't think I'm far from
the truth (if at all).  -sc

--
Sean Chittenden

-----BEGIN PGP SIGNATURE-----
Comment: Sean Chittenden

iEYEARECAAYFAjtXTyQACgkQn09c7x7d+q2xPwCgmRULqV1UMWqNyoQv9lm3iIsJ
qB8AoKFKDte0D4hW+sFf/RQCe3qTxu7i
=clua
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jul 19 15:11:19 2001
Message-ID: <20010719220652.936.qmail@angryfist.fasttrackmonkey.com>
From: "Mr. Sporkman"
To: freebsd-security@freebsd.org
Subject: telnetd patch and 2.2.x
Date: Thu, 19 Jul 2001 22:06:52 GMT

Hi,

I've been trying all sorts of things to get a safe telnetd running on a
2.2.7 box.  I tried a bit of backporting of the patch, and that was no
good.  I tried bringing over the sources to the newer telnetd, and that's
not good either.  It seems many things have changed since then, like the
addition of "printflike", netdb.h, more stuff in libutil.h, etc.

Is there anyone who is more skilled at this looking at getting a patch
backported?  While the obvious answer is to upgrade this box or turn off
telnetd, neither is possible for at least a few more months (shell
server)...

Thanks,

CS

From owner-freebsd-security Thu Jul 19 15:45:57 2001
From: "Shevland, Joseph (AU - Hobart)"
To: "'Karsten W. Rohrbach'"
Cc: "'security@FreeBSD.ORG'"
Subject: RE: Piping and scripts with scp
Date: Fri, 20 Jul 2001 08:45:48 +1000

Hi Karsten,

I wasn't aware you could command restrict the key-pair, sounds like quite a
cool feature and one I could use in an application I'm dealing with at the
moment. Couldn't find any doco on the format to use in the man page though,
or on OpenSSH (quicky search admittedly), do you have a pointer to some more
information on this setup?

Cheers,

Joe

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Karsten W.
> Rohrbach
> Sent: Friday, 20 July 2001 12:42 AM
> To: Brett Glass
> Cc: security@FreeBSD.ORG
> Subject: Re: Piping and scripts with scp
>
>
> generate ssh keys with ssh-keygen(1) and limit the remote command to
> something that makes sense.
> generate one key pair for every command you want to run and
> name the key
> files appropriately to reference them in your ssh(1) invocation.
>
> a command restricted pubkey looks like this (example for
> self-contained
> scp to a defined subdirectory):
> command="scp -t /path/to/data",from="1.2.3.4"
> [snip]

apologies about the whopping big sig that's going to get appended
From owner-freebsd-security Thu Jul 19 15:51:52 2001
Date: Thu, 19 Jul 2001 15:51:39 -0700
From: Brooks Davis
To: "Shevland, Joseph (AU - Hobart)"
Cc: "'Karsten W. Rohrbach'", "'security@FreeBSD.ORG'"
Subject: Re: Piping and scripts with scp
Message-ID: <20010719155139.A15286@Odin.AC.HMC.Edu>
In-Reply-To: ; from jshevland@deloitte.com.au on Fri, Jul 20, 2001 at 08:45:48AM +1000

On Fri, Jul 20, 2001 at 08:45:48AM +1000, Shevland, Joseph (AU - Hobart) wrote:
> I wasn't aware you could command restrict the key-pair, sounds like quite a
> cool feature and one I could use in an application I'm dealing with at the
> moment. Couldn't find any doco on the format to use in the man page though,
> or on OpenSSH (quicky search admittedly), do you have a pointer to some more
> information on this setup?

It's hiding in sshd(8) under AUTHORIZED_KEYS FILE FORMAT.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7V2R6XY6L6fI4GtQRAlBtAKC2l95irFPWvolzyLVZqee2NyOV1QCePLM3
jWN4c29UmNQPbodHTvOj8k0=
=QvKi
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jul 19 22: 9:21 2001
Date: Thu, 19 Jul 2001 23:35:01 -0500 (CDT)
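The option syntax Karsten quotes (`command="scp -t /path/to/data",from="1.2.3.4"`) is the one sshd(8) documents under AUTHORIZED_KEYS FILE FORMAT, and the thing an administrator usually wants to know is which keys in a file lack such a restriction. As an added example for this page, not OpenSSH code, here is a small audit routine that parses the options field of an authorized_keys line, handles quoted values that contain commas or `\"` escapes, and reports which keys carry `command=` and `from=` restrictions. The function names, the KEY_HAS_* bits and the sample lines are constructed for the example; the key material in them is a placeholder, not a real key.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bits returned by audit_authorized_key(). */
#define KEY_HAS_COMMAND 1
#define KEY_HAS_FROM    2

/* Constructed sample lines in sshd(8) AUTHORIZED_KEYS FILE FORMAT.
 * "AAAAB3PLACEHOLDER=" stands in for real key material. */
const char *const SAMPLE_KEYS[] = {
    "command=\"scp -t /path/to/data\",from=\"1.2.3.4\" ssh-rsa AAAAB3PLACEHOLDER= backup@host",
    "ssh-rsa AAAAB3PLACEHOLDER= unrestricted@host",
    "no-pty,command=\"echo \\\"hi, there\\\"\" ssh-dss AAAAB3PLACEHOLDER= quoted@host",
    "from=\"*.example.org,10.0.0.0/8\" ssh-ed25519 AAAAC3PLACEHOLDER= hosts-only@host",
};
#define SAMPLE_KEY_COUNT (sizeof SAMPLE_KEYS / sizeof SAMPLE_KEYS[0])

/* A line without an options field starts directly with the key: an SSH-2 key
 * type ("ssh-", "ecdsa-", "sk-") or, in the SSH-1 format, the bit count. */
static int starts_with_key(const char *p)
{
    return strncmp(p, "ssh-", 4) == 0 || strncmp(p, "ecdsa-", 6) == 0 ||
           strncmp(p, "sk-", 3) == 0 || isdigit((unsigned char)*p);
}

/* Copies at most cap-1 bytes of src into dst and NUL-terminates; no-op without a buffer. */
static void copy_value(char *dst, size_t cap, const char *src, size_t len)
{
    if (!dst || cap == 0) return;
    if (len >= cap) len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parses the options field of one authorized_keys line.  Options are comma
 * separated; a double-quoted value may contain commas and \" escapes.
 * Returns KEY_HAS_COMMAND | KEY_HAS_FROM for the restrictions present (0 for
 * an unrestricted key, a blank line or a comment) or -1 for an unterminated
 * quote.  The command= and from= values are copied out when buffers are given. */
int audit_authorized_key(const char *line, char *cmd, size_t cmdsz, char *from, size_t fromsz)
{
    int flags = 0;
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '#' || starts_with_key(p))
        return 0;

    while (*p && *p != ' ' && *p != '\t') {      /* the options field ends at the first blank */
        const char *name = p;
        while (*p && *p != '=' && *p != ',' && *p != ' ' && *p != '\t') p++;
        size_t nlen = (size_t)(p - name);
        char val[256];
        size_t vlen = 0;
        if (*p == '=') {
            p++;
            if (*p == '"') {                     /* quoted: runs to the next unescaped quote */
                p++;
                while (*p && *p != '"') {
                    if (*p == '\\' && p[1] == '"') p++;
                    if (vlen + 1 < sizeof val) val[vlen++] = *p;
                    p++;
                }
                if (*p != '"') return -1;        /* malformed line */
                p++;
            } else {                             /* bare: runs to the next comma or blank */
                while (*p && *p != ',' && *p != ' ' && *p != '\t') {
                    if (vlen + 1 < sizeof val) val[vlen++] = *p;
                    p++;
                }
            }
        }
        if (nlen == 7 && strncmp(name, "command", 7) == 0) {
            flags |= KEY_HAS_COMMAND;
            copy_value(cmd, cmdsz, val, vlen);
        } else if (nlen == 4 && strncmp(name, "from", 4) == 0) {
            flags |= KEY_HAS_FROM;
            copy_value(from, fromsz, val, vlen);
        }
        if (*p == ',') p++;
    }
    return flags;
}

/* Number of keys that lack a command= restriction (malformed lines are counted too). */
size_t count_unrestricted(const char *const *lines, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        int f = audit_authorized_key(lines[i], NULL, 0, NULL, 0);
        if (f < 0 || !(f & KEY_HAS_COMMAND)) count++;
    }
    return count;
}

/* The command= value of one sample line, for callers that only want that. */
const char *sample_command(size_t i)
{
    static char cmd[128];
    cmd[0] = '\0';
    audit_authorized_key(SAMPLE_KEYS[i], cmd, sizeof cmd, NULL, 0);
    return cmd;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_KEY_COUNT; i++)
        printf("key %zu: flags=%d command=[%s]\n", i,
               audit_authorized_key(SAMPLE_KEYS[i], NULL, 0, NULL, 0), sample_command(i));
    printf("%zu of %zu keys have no command restriction\n",
           count_unrestricted(SAMPLE_KEYS, SAMPLE_KEY_COUNT), SAMPLE_KEY_COUNT);
    return 0;
}
```

Note that a `from=` restriction on its own only narrows where the key may be used from; it is the `command=` option that limits what the key holder can run, which is why the count reports keys missing that option.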
From: Chris Byrnes
To: Cy Schubert - ITSD Open Systems Group
Cc: Richard Lucas ,
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
In-Reply-To: <200107192104.f6JL4GX00992@cwsys.cwsent.com>
Message-ID: <20010719233443.T50064-100000@awww.jeah.net>

I think this patching and merging needs to take place ASAP, and very
publicly, because it appears everyone, including me, is very confused.


Chris Byrnes, Managing Member
JEAH Communications, LLC

On Thu, 19 Jul 2001, Cy Schubert - ITSD Open Systems Group wrote:

> In message <20010719152558.G24980-100000@mx2.threeh.com>, Richard Lucas
> writes:
> > Ok in the emails I've read so far there has been 3 different paths listed
> > on where to apply this patch. Can someone say for sure where it goes?
> >
> > /usr/src/crypo/telnet/telnetd/
> > /usr/src/libexec/telnetd/
> > /usr/src/secure/libexec/telnetd/
> >
> > I have nothing in the last one except a Makefile so obviously that isn't
> > going to work.
>
> The patch should be applied to /usr/src/crypto/telnet/telnetd.  As I
> understand it, the other telnetd's will have patches applied/issued
> shortly and subsequently a merging of telnetd's will take place.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>

From owner-freebsd-security Thu Jul 19 22:47:57 2001
Date: Fri, 20 Jul 2001 01:48:51 -0400
From: Anthony Schneider
To: Chris Byrnes
Cc: Cy Schubert - ITSD Open Systems Group, Richard Lucas, security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID: <20010720014851.A85841@mail.slc.edu>
In-Reply-To: <20010719233443.T50064-100000@awww.jeah.net>; from chris@jeah.net on Thu, Jul 19, 2001 at 11:35:01PM -0500

cd /usr/src/crypto/telnet/telnetd
patch -p < /path/to/patch
cd /usr/src/secure/libexec/telnetd
make
mv /usr/libexec/telnetd /usr/libexec/telnetd.hole
cp telnetd /usr/libexec/telnetd
kill -HUP `cat /var/run/inetd.pid`

That should work just fine.
-Anthony.

On Thu, Jul 19, 2001 at 11:35:01PM -0500, Chris Byrnes wrote:
> I think this patching and merging needs to take place ASAP, and very
> publicly, because it appears everyone, including me, is very confused.
>
>
> Chris Byrnes, Managing Member
> JEAH Communications, LLC
>
> On Thu, 19 Jul 2001, Cy Schubert - ITSD Open Systems Group wrote:
>
> > In message <20010719152558.G24980-100000@mx2.threeh.com>, Richard Lucas
> > writes:
> > > Ok in the emails I've read so far there has been 3 different paths listed
> > > on where to apply this patch. Can someone say for sure where it goes?
> > >
> > > /usr/src/crypo/telnet/telnetd/
> > > /usr/src/libexec/telnetd/
> > > /usr/src/secure/libexec/telnetd/
> > >
> > > I have nothing in the last one except a Makefile so obviously that isn't
> > > going to work.
> >
> > The patch should be applied to /usr/src/crypto/telnet/telnetd.  As I
> > understand it, the other telnetd's will have patches applied/issued
> > shortly and subsequently a merging of telnetd's will take place.
> >
> >
> > Regards,                       Phone:  (250)387-8437
> > Cy Schubert                      Fax:  (250)387-5766
> > Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> > Open Systems Group, ITSD, ISTA
> > Province of BC
> >

From owner-freebsd-security Thu Jul 19 23: 0:26 2001
Date: Thu, 19 Jul 2001 23:00:22 -0700
From: Kris Kennaway To: Chris Byrnes Cc: Cy Schubert - ITSD Open Systems Group , Richard Lucas , security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <20010719230021.A80204@xor.obsecurity.org> References: <200107192104.f6JL4GX00992@cwsys.cwsent.com> <20010719233443.T50064-100000@awww.jeah.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="2oS5YaxWCcQjTEyO" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010719233443.T50064-100000@awww.jeah.net>; from chris@jeah.net on Thu, Jul 19, 2001 at 11:35:01PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --2oS5YaxWCcQjTEyO Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Jul 19, 2001 at 11:35:01PM -0500, Chris Byrnes wrote: > I think this patching and merging needs to take place ASAP, and very > publially, because it appears everyone, including me, is very confused. Yes, we're working on it. 
If you're too confused, just disable telnetd for now :-)

Kris

From owner-freebsd-security Thu Jul 19 23:19:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail2.sdc1.sfba.home.com (femail2.sdc1.sfba.home.com [24.0.95.82]) by hub.freebsd.org (Postfix) with ESMTP id C41BB37B40C for ; Thu, 19 Jul 2001 23:19:15 -0700 (PDT) (envelope-from bmah@employees.org) Received: from intruder.bmah.org ([24.176.204.87]) by femail2.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010720061915.NDY2362.femail2.sdc1.sfba.home.com@intruder.bmah.org>; Thu, 19 Jul 2001 23:19:15 -0700 Received: (from bmah@localhost) by intruder.bmah.org (8.11.4/8.11.3) id f6K6JFB04833; Thu, 19 Jul 2001 23:19:15 -0700 (PDT) (envelope-from bmah) Message-Id: <200107200619.f6K6JFB04833@intruder.bmah.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: Chris Byrnes Cc: security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? In-Reply-To: <20010719233443.T50064-100000@awww.jeah.net> References: <20010719233443.T50064-100000@awww.jeah.net> Comments: In-reply-to Chris Byrnes message dated "Thu, 19 Jul 2001 23:35:01 -0500."
From: "Bruce A. Mah" Reply-To: bmah@FreeBSD.ORG X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_968808325P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Thu, 19 Jul 2001 23:19:15 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

If memory serves me right, Chris Byrnes wrote:
> I think this patching and merging needs to take place ASAP, and very
> publicly, because it appears everyone, including me, is very confused.

It'd be a lot more confusing if the security-officer team (of which I
am *not* a member) was forced into doing a hasty job that needed to be
fixed again later.  Please give them the time to do things right,
rather than just do them quickly.

Bruce.
From owner-freebsd-security Fri Jul 20 0: 1:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id B6DED37B401; Fri, 20 Jul 2001 00:01:06 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6K70T232105; Fri, 20 Jul 2001 10:00:29 +0300 (EEST) (envelope-from ru) Date: Fri, 20 Jul 2001 10:00:29 +0300
From: Ruslan Ermilov To: Matt Dillon Cc: Assar Westerlund , security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <20010720100029.A30828@sunbay.com> Mail-Followup-To: Matt Dillon , Assar Westerlund , security@FreeBSD.ORG References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com> <20010719215957.A74024@sunbay.com> <200107191917.f6JJHwV77405@earth.backplane.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="Dxnq1zWXvFF0Q93v" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200107191917.f6JJHwV77405@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 12:17:58PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Jul 19, 2001 at 12:17:58PM -0700, Matt Dillon wrote:
>
> :>
> :> The output_data() calls for the various options are safe, strlen(format)
> :> will always be larger than the actual formatted result.  But the
> :> debugging and crypto calls to output_data() are not safe.
> :>
> :> -Matt
> :>
> :> :		netflush();
> :> :		remaining = BUFSIZ - (nfrontp - netobuf);
> :> :	}
> :> :	ret = vsnprintf(nfrontp, remaining, format, args);
> :>
> :Should be fixed in state.c,v 1.7.  Thanks, Assar!
> :
> :
> :Cheers,
> :--
> :Ruslan Ermilov		Oracle Developer/DBA,
> :ru@sunbay.com		Sunbay Software AG,
>
> heh heh.  Sorry guys, state.c still isn't quite right.
>
> 	nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
>
> What happens if remaining is 0 ?
>

Umm, let's count.

0.
Let netobuf be 0.
1. nfrontp = BUFSIZ - 3
2. remaining = 3 and we try to write 10 bytes.
3. ret = 10
4. (10 < 3 - 1) ? 10 : 3 - 1 = 2
5. nfrontp += 2 = BUFSIZ - 1

[next 10 bytes write]

6. remaining = BUFSIZ - (BUFSIZ - 1) = 1
7. ret = 10
8. (10 < 1 - 1) ? 10 : 1 - 1 = 0
9. nfrontp += 0 = BUFSIZ - 1

remaining = BUFSIZ - (nfrontp - netobuf) = BUFSIZ - ((BUFSIZ - 1) - 0) = 1

So, the minimum possible value for `remaining' is 1.

OTOH, we have another routine that advances nfrontp():

: int
: output_datalen(const char *buf, size_t len)
: {
: 	size_t remaining;
:
: 	remaining = BUFSIZ - (nfrontp - netobuf);
: 	if (remaining < len) {
: 		netflush();
: 		remaining = BUFSIZ - (nfrontp - netobuf);
: 	}
: 	if (remaining < len)
: 		return -1;
: 	memmove(nfrontp, buf, len);
: 	nfrontp += len;
: 	return (len);
: }

1. nfrontp = BUFSIZ - 3
2. remaining = 3 and we write len = 3 bytes.
3. nfrontp += 3 = BUFSIZ

Then, on the next call to output_data()

4. remaining = 0
and, assuming that netflush() did nothing(!)
5. ret = 10 (10 bytes write attempt)
6. (10 < 0 - 1) ? 10 : 0 - 1 = -1
7. nfrontp += -1 = nfrontp - 1

So, the worst we can have `nfrontp' decremented by one.
Not overflowable, but not right.

OK, how about the following?

It should be OK if `nfrontp' points beyond one byte of
`netobuf'.  See netflush() for details.

Please review.

Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p
Index: ext.h =================================================================== RCS file: /home/ncvs/src/crypto/telnet/telnetd/ext.h,v retrieving revision 1.5 diff -u -p -r1.5 ext.h --- ext.h 2001/07/19 17:48:57 1.5 +++ ext.h 2001/07/20 06:50:28
@@ -74,7 +74,7 @@ extern char ptyobuf[BUFSIZ+NETSLOP], *pf extern char netibuf[BUFSIZ], *netip; -extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp; +extern char netobuf[BUFSIZ], *nfrontp, *nbackp; extern char *neturg; /* one past last bye of urgent data */ extern int pcc, ncc; Index: state.c =================================================================== RCS file: /home/ncvs/src/crypto/telnet/telnetd/state.c,v retrieving revision 1.7 diff -u -p -r1.7 state.c --- state.c 2001/07/19 18:58:31 1.7 +++ state.c 2001/07/20 06:51:13 @@ -1631,7 +1631,7 @@ output_data(const char *format, ...) remaining = BUFSIZ - (nfrontp - netobuf); } ret = vsnprintf(nfrontp, remaining, format, args); - nfrontp += ((ret < remaining - 1) ? ret : remaining - 1); + nfrontp += (ret < remaining) ? ret : remaining; va_end(args); return ret; }

From owner-freebsd-security Fri Jul 20 1:42:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id BC6D137B401 for ; Fri, 20 Jul 2001 01:42:29 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 57172 invoked by uid 1000); 20 Jul 2001 08:46:28 -0000 Date: Fri, 20 Jul 2001 11:46:27 +0300
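Review bot: the ext.h hunk changes only the extern declaration, `-extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;` to `+extern char netobuf[BUFSIZ], *nfrontp, *nbackp;`, and the array's definition is not in this diff. If the definition keeps BUFSIZ+NETSLOP, declaration and definition disagree across translation units and no compiler will say so; if it is shrunk as well, anything that still counted on the NETSLOP bytes past BUFSIZ now writes out of bounds. Change the definition in the same patch and audit the other writers of netobuf; the state.c hunk shows output_data() bounding itself by `remaining = BUFSIZ - (nfrontp - netobuf);`, so that caller never needed the slack.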
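Review bot: the new line `+ nfrontp += (ret < remaining) ? ret : remaining;` removes the size_t wrap of `remaining - 1` when remaining is 0, but two cases in the same hunk are still unhandled. vsnprintf() writes at most remaining - 1 characters plus a terminating NUL, so when ret >= remaining the advance of `remaining` counts that NUL as queued output and the truncated text is accepted silently while `return ret;` still reports the full length; and ret is an int that vsnprintf() may return negative on error, which the comparison converts to a huge size_t, so the pointer again advances by `remaining` with nothing useful written. Suggest `if (ret < 0 || (size_t)ret >= remaining) return -1;` before the advance, mirroring output_datalen() which returns -1 when the data does not fit, followed by `nfrontp += ret;`.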
From: Peter Pentchev To: Richard Lucas Cc: security@freebsd.org Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <20010720114627.A25689@ringworld.oblivion.bg> Mail-Followup-To: Richard Lucas , security@freebsd.org References: <20010719120538.E43977@xor.obsecurity.org> <20010719152558.G24980-100000@mx2.threeh.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010719152558.G24980-100000@mx2.threeh.com>; from rlucas@solidcomputing.com on Thu, Jul 19, 2001 at 03:28:20PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Jul 19, 2001 at 03:28:20PM -0500, Richard Lucas wrote:
> Ok in the emails I've read so far there have been 3 different paths listed
> on where to apply this patch.  Can someone say for sure where it goes?
>
> /usr/src/crypto/telnet/telnetd/
> /usr/src/libexec/telnetd/
> /usr/src/secure/libexec/telnetd/
>
> I have nothing in the last one except a Makefile so obviously that isn't
> going to work.

Actually, as people have already stated, it is exactly the last one
which is the correct one to *rebuild*.  Having just a Makefile does
not mean that this particular Makefile does not reference sources
in other directories; this is the case with pretty much everything
in src/secure - most of it references sources in src/crypto.

So, patch in src/crypto, rebuild in src/secure... and never ignore
'just a Makefile' again :P

G'luck,
Peter

--
I had to translate this sentence into English because I could not read the original Sanskrit.
From owner-freebsd-security Fri Jul 20 2:10:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id A223E37B405 for ; Fri, 20 Jul 2001 02:10:25 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6K99nE57183; Fri, 20 Jul 2001 12:09:49 +0300 (EEST) (envelope-from ru) Date: Fri, 20 Jul 2001 12:09:49 +0300
From: Ruslan Ermilov To: "Mr. Sporkman" Cc: freebsd-security@FreeBSD.ORG Subject: Re: telnetd patch and 2.2.x Message-ID: <20010720120949.G30828@sunbay.com> Mail-Followup-To: "Mr. Sporkman" , freebsd-security@FreeBSD.ORG References: <20010719220652.936.qmail@angryfist.fasttrackmonkey.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010719220652.936.qmail@angryfist.fasttrackmonkey.com>; from spork@fasttrackmonkey.com on Thu, Jul 19, 2001 at 10:06:52PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Jul 19, 2001 at 10:06:52PM +0000, Mr. Sporkman wrote:
> Hi,
>
> I've been trying all sorts of things to get a safe telnetd
> running on a 2.2.7 box.  I tried a bit of backporting of the
> patch, and that was no good.  I tried bringing over the sources
> to the newer telnetd, and that's not good either.
>
> It seems many things have changed since then, like the addition
> of "printflike", netdb.h, more stuff in libutil.h, etc.
>
> Is there anyone who is more skilled at this looking at getting
> a patch backported?  While the obvious answer is to upgrade this
> box or turn off telnetd, neither is possible for at least a few
> more months (shell server)...
>

I was going to prepare the patches for the 2.2.LATEST and 3.LATEST series.
I will let you know when it's done.
Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-security Fri Jul 20 2:33: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 5685F37B407; Fri, 20 Jul 2001 02:32:43 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6K9WgZ88552; Fri, 20 Jul 2001 02:32:42 -0700 (PDT) (envelope-from dillon) Date: Fri, 20 Jul 2001 02:32:42 -0700 (PDT)
From: Matt Dillon Message-Id: <200107200932.f6K9WgZ88552@earth.backplane.com> To: Ruslan Ermilov Cc: Assar Westerlund , security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com> <20010719215957.A74024@sunbay.com> <200107191917.f6JJHwV77405@earth.backplane.com> <20010720100029.A30828@sunbay.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

:..
:
:1. nfrontp = BUFSIZ - 3
:2. remaining = 3 and we write len = 3 bytes.
:3. nfrontp += 3 = BUFSIZ
:
:Then, on the next call to output_data()
:
:4. remaining = 0
:and, assuming that netflush() did nothing(!)
:5. ret = 10 (10 bytes write attempt)
:6. (10 < 0 - 1) ? 10 : 0 - 1 = -1
:7. nfrontp += -1 = nfrontp - 1
:
:So, the worst we can have `nfrontp' decremented by one.
:Not overflowable, but not right.

Except on the NEXT call remaining will be negative, but
since remaining is unsigned it will appear to be a very
large number and the routine will believe that *any* length
is legal.  Now, of course, the attempt to netflush() will
probably hide this potential problem but it is still a good
idea to write bullet proof code that does not rely on
caller assumptions.

:OK, how about the following?
:
:It should be OK if `nfrontp' points beyond one byte of
:`netobuf'.  See netflush() for details.
:
:Please review.
:Cheers,
:--
:Ruslan Ermilov		Oracle Developer/DBA,

The below fix seems reasonable.
Strictly speaking it isn't really
pointing beyond the end of netobuf, the pointer will simply be such
that the length calculation will wind up being exactly the size of
netobuf which is what you want.

I would go further and just use 'int' instead of size_t in this
routine, and to doubly guarantee that no miscalculation will occur
you would assert() that remaining is >= 0 (in addition to the changes
you make below).  It pays to write safe code.

-Matt

: extern int pcc, ncc; :Index: state.c :=================================================================== :RCS file: /home/ncvs/src/crypto/telnet/telnetd/state.c,v :retrieving revision 1.7 :diff -u -p -r1.7 state.c :--- state.c 2001/07/19 18:58:31 1.7 :+++ state.c 2001/07/20 06:51:13 :@@ -1631,7 +1631,7 @@ output_data(const char *format, ...) : remaining = BUFSIZ - (nfrontp - netobuf); : } : ret = vsnprintf(nfrontp, remaining, format, args); :- nfrontp += ((ret < remaining - 1) ? ret : remaining - 1); :+ nfrontp += (ret < remaining) ? ret : remaining; : va_end(args); : return ret; : } : :--Dxnq1zWXvFF0Q93v-- :

From owner-freebsd-security Fri Jul 20 4:38:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 129EB37B407; Fri, 20 Jul 2001 04:38:23 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6KBbgX80391; Fri, 20 Jul 2001 14:37:42 +0300 (EEST) (envelope-from ru) Date: Fri, 20 Jul 2001 14:37:42 +0300
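An added example, not code from telnetd or from anyone in this thread: a scaled-down model of the netobuf/nfrontp queue that puts the advance expression Ruslan traced, the one in his diff, and a stricter variant side by side, so the size_t wrap Matt describes and the truncation behaviour of the patched line can be checked with real vsnprintf() calls. MODEL_BUFSIZ, the model_ names, an offset in place of the pointer and the no-op flush are this example's assumptions.

```c
/*
 * Added example, not telnetd's code and not any poster's: a scaled-down
 * model of the netobuf/nfrontp output queue discussed in the thread.
 * The real telnetd keeps nfrontp as a pointer; the model keeps the offset
 * model_nfront so an out-of-range value can be inspected without forming
 * a pointer past the array.  netflush() is modelled as doing nothing, the
 * case the thread worries about.  MODEL_BUFSIZ and the model_ names are
 * this example's assumptions, not the real code's.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MODEL_BUFSIZ 16          /* constructed: tiny so the edge cases are visible */

char   model_netobuf[MODEL_BUFSIZ];
size_t model_nfront;             /* stands in for nfrontp - netobuf */

/* Start over with `used' bytes already queued. */
void model_reset(size_t used)
{
    memset(model_netobuf, 'x', sizeof model_netobuf);
    model_nfront = used;
}

/* Same expression as the real code.  Once model_nfront exceeds MODEL_BUFSIZ
 * this wraps to a huge value: Matt's "any length is legal" condition. */
size_t model_remaining(void)
{
    return MODEL_BUFSIZ - model_nfront;
}

/* 1. The advance expression from state.c,v 1.7 as quoted in the thread.
 *    The casts only make C's implicit int -> size_t conversion visible. */
int model_output_old(const char *format, ...)
{
    va_list args;
    size_t remaining = model_remaining();
    int ret;

    va_start(args, format);
    ret = vsnprintf(model_netobuf + model_nfront, remaining, format, args);
    va_end(args);
    /* With remaining == 0, `remaining - 1' is SIZE_MAX, the comparison is
     * true, and nfront advances by ret although vsnprintf() wrote nothing. */
    model_nfront += ((size_t)ret < remaining - 1) ? (size_t)ret : remaining - 1;
    return ret;
}

/* 2. The expression from Ruslan's diff.  No wrap any more, but on
 *    truncation it advances by `remaining', which counts the terminating
 *    NUL that vsnprintf() wrote as queued output. */
int model_output_patched(const char *format, ...)
{
    va_list args;
    size_t remaining = model_remaining();
    int ret;

    va_start(args, format);
    ret = vsnprintf(model_netobuf + model_nfront, remaining, format, args);
    va_end(args);
    model_nfront += ((size_t)ret < remaining) ? (size_t)ret : remaining;
    return ret;
}

/* 3. A stricter variant (this example's, not a posted patch): check the
 *    queue invariant Matt proposed asserting, reject vsnprintf() errors,
 *    and refuse truncated output the way output_datalen() refuses a short
 *    buffer, so nothing is queued unless all of it fits. */
int model_output_safe(const char *format, ...)
{
    va_list args;
    size_t remaining;
    int ret;

    if (model_nfront > MODEL_BUFSIZ)        /* queue pointer already corrupt */
        return -1;
    remaining = model_remaining();
    va_start(args, format);
    ret = vsnprintf(model_netobuf + model_nfront, remaining, format, args);
    va_end(args);
    if (ret < 0)                            /* format or encoding error */
        return -1;
    if ((size_t)ret >= remaining)           /* does not fit; covers remaining == 0. */
        return -1;                          /* Bytes past nfront are scratch, not queued. */
    model_nfront += (size_t)ret;
    return ret;
}

/* Drive one of the three routines: start with `used' bytes queued, write
 * the same string `calls' times, return the last call's result. */
int model_drive(int (*fn)(const char *, ...), size_t used, const char *s, int calls)
{
    int ret = 0;

    model_reset(used);
    while (calls-- > 0)
        ret = fn("%s", s);
    return ret;
}
```

Driving model_output_old with the queue full (remaining 0) and Ruslan's 10-byte write moves model_nfront to MODEL_BUFSIZ + 10 and makes model_remaining() wrap, while the same write through model_output_patched leaves the offset alone; with 3 bytes free the patched line advances to MODEL_BUFSIZ with a NUL as the last queued byte, and model_output_safe returns -1 and queues nothing.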
From: Ruslan Ermilov To: Matt Dillon Cc: Assar Westerlund , security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <20010720143742.E65677@sunbay.com> Mail-Followup-To: Matt Dillon , Assar Westerlund , security@FreeBSD.ORG References: <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com> <20010719215957.A74024@sunbay.com> <200107191917.f6JJHwV77405@earth.backplane.com> <20010720100029.A30828@sunbay.com> <200107200932.f6K9WgZ88552@earth.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200107200932.f6K9WgZ88552@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Jul 20, 2001 at 02:32:42AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, Jul 20, 2001 at 02:32:42AM -0700, Matt Dillon wrote:
>
> :..
> :
> :1. nfrontp = BUFSIZ - 3
> :2. remaining = 3 and we write len = 3 bytes.
> :3. nfrontp += 3 = BUFSIZ
> :
> :Then, on the next call to output_data()
> :
> :4. remaining = 0
> :and, assuming that netflush() did nothing(!)
> :5. ret = 10 (10 bytes write attempt)
> :6. (10 < 0 - 1) ? 10 : 0 - 1 = -1
> :7. nfrontp += -1 = nfrontp - 1
> :
> :So, the worst we can have `nfrontp' decremented by one.
> :Not overflowable, but not right.
>
> Except on the NEXT call remaining will be negative, but
> since remaining is unsigned it will appear to be a very
> large number and the routine will believe that *any* length
> is legal.  Now, of course, the attempt to netflush() will
> probably hide this potential problem but it is still a good
> idea to write bullet proof code that does not rely on
> caller assumptions.
>

Not taking into account the signedness of `remaining', how could it
be negative?

	remaining = BUFSIZ - (nfrontp - netobuf);

For `remaining' to be negative, the following must be true:

	nfrontp > netobuf + BUFSIZ

But that's not possible.

> :OK, how about the following?
> :
> :It should be OK if `nfrontp' points beyond one byte of
> :`netobuf'.  See netflush() for details.
> :
> :Please review.
> :Cheers,
> :--
> :Ruslan Ermilov		Oracle Developer/DBA,
>
> The below fix seems reasonable.  Strictly speaking it isn't really
> pointing beyond the end of netobuf, the pointer will simply be such
> that the length calculation will wind up being exactly the size of
> netobuf which is what you want.
>

Yes, just a simple "write" pointer of the FIFO queue.

> I would go further and just use 'int' instead of size_t in this
> routine, and to doubly guarantee that no miscalculation will occur
> you would assert() that remaining is >= 0 (in addition to the changes
> you make below).  It pays to write safe code.
>

I don't think this is now required as all `nfrontp' modifications have
been folded into output_data(), output_datalen(), netflush(), and netclear(),
and they appear to be safe.

I have found yet one unsafe place, writenet(), which I have replaced
with output_datalen().
Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-security Fri Jul 20 7:30:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.london-1.starlabs.net (mail.london-1.starlabs.net [212.125.75.12]) by hub.freebsd.org (Postfix) with SMTP id C77A437B406 for ; Fri, 20 Jul 2001 07:30:00 -0700 (PDT) (envelope-from CarrE@logica.com) X-VirusChecked: Checked Received: (qmail 20305 invoked from network); 20 Jul 2001 14:26:51 -0000 Received: from pag.logica.co.uk (193.123.204.67) by server-2.tower-4.starlabs.net with SMTP; 20 Jul 2001 14:26:51 -0000 Received: from mauchly.logica.co.uk (mauchly.logica.co.uk [158.234.71.80]) by pag.logica.co.uk (8.9.1/8.9.1) with ESMTP id PAA01893; Fri, 20 Jul 2001 15:29:54 +0100 Received: by mauchly.logica.co.uk with Internet Mail Service (5.5.2448.0) id <3KLXTRKT>; Fri, 20 Jul 2001 15:29:53 +0100 Message-ID: <9BF54A52E1DFD311BC1000D0B73EADFE043BFE6F@bell.logica.co.uk>
From: "Carr, Ewan" To: "'FreeBSD-Questions@FreeBSD.Org'" , "'FreeBSD-Security@FreeBSD.Org'" Subject: Racoon Date: Fri, 20 Jul 2001 15:29:45 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C11128.7097AEFC" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

hi,

I have a few questions on racoon - any help appreciated.  I don't subscribe to the list so I would be grateful if you cc any replies to carre@logica.com too...cheers !

1) According to the FreeBSD handbook racoon runs in user-space..does the SAD exist in user-space too or is it in the kernel?  In whatever situation is there an API which I can get at which accesses the SAD...I am interested because I am looking at a user-space implementation of an IPSec-like security protocol...so yeh..any info on SAD structure/APIs would be great..

2) Is there any useful documentation out there on racoon (configuration, etc?).  Failing that any useful pointers would be good...ta !

3) Can anyone provide any info on the mechanism by which IKE communicates with IPSec when, say, an SA doesn't exist and one has to be set up on-the-fly so to speak..

Cheers and TIA
Ewan
From owner-freebsd-security Fri Jul 20 7:54:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id 92ADE37B403 for ; Fri, 20 Jul 2001 07:54:21 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 5388 invoked by uid 1000); 20 Jul 2001 14:58:26 -0000 Date: Fri, 20 Jul 2001 17:58:26 +0300 From: Peter Pentchev To: "Carr, Ewan" Cc: "'FreeBSD-Questions@FreeBSD.Org'" Subject: Re: Racoon Message-ID: <20010720175826.A5207@ringworld.oblivion.bg> Mail-Followup-To: "Carr, Ewan" , "'FreeBSD-Questions@FreeBSD.Org'" References: <9BF54A52E1DFD311BC1000D0B73EADFE043BFE6F@bell.logica.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <9BF54A52E1DFD311BC1000D0B73EADFE043BFE6F@bell.logica.co.uk>; from CarrE@logica.com on Fri, Jul 20, 2001 at 03:29:45PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, Jul 20, 2001 at 03:29:45PM +0100, Carr, Ewan wrote:
> hi,
> I have a few questions on racoon - any help
> appreciated.  I don't subscribe to the list so I would be grateful if you
> cc any replies to carre@logica.com too...cheers !
>
> 1) According to the FreeBSD handbook racoon runs in user-space..does the SAD
> exist in user-space too or is it in the kernel?  In whatever situation is
> there an API which
> I can get at which accesses the SAD...I am interested because I am looking
> at a
> user-space implementation of an IPSec-like security protocol...so yeh..any
> info on SAD structure/APIs would be great..
The SAD itself is in the kernel, as documented by the ipsec(4) and
setkey(8) FreeBSD manual pages.  The most portable way to access it
would be the setkey(8) utility, though if you really do need an API,
you might want to take a look at the ipsec(4) manpage and the setkey(8)
source, which resides in the src/usr.sbin/setkey directory.

> 2) Is there any useful documentation out there on racoon (configuration,
> etc?).  Failing
> that any useful pointers would be good...ta !

Check the mailing list archives, racoon is often discussed on this list.

> 3) Can anyone provide any info on the mechanism by which IKE communicates
> with
> IPSec when, say, an SA doesn't exist and one has to be set up on-the-fly so
> to speak..

I think you'll find most of what you need in the setkey(8) source.

Hope that helps!

G'luck,
Peter

PS.  Oh, and btw, why have you addressed this message to a list with a name
of "FreeBSD Questions" and an address of freebsd-security? :)

--
This sentence was in the past tense.

From owner-freebsd-security Fri Jul 20 9:42: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx2.threeh.com (ct515603-b.lafayt1.in.home.com [24.22.253.67]) by hub.freebsd.org (Postfix) with ESMTP id 10A2237B403 for ; Fri, 20 Jul 2001 09:41:56 -0700 (PDT) (envelope-from rlucas@solidcomputing.com) Received: from localhost (rlucas@localhost) by mx2.threeh.com (8.11.3/8.11.3) with ESMTP id f6KGfpH30152; Fri, 20 Jul 2001 11:41:51 -0500 (EST) (envelope-from rlucas@solidcomputing.com) Date: Fri, 20 Jul 2001 11:41:51 -0500 (EST) From: Richard Lucas X-X-Sender: To: Peter Pentchev Cc: Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
In-Reply-To: <20010720114627.A25689@ringworld.oblivion.bg> Message-ID: <20010720113810.Y30070-100000@mx2.threeh.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 20 Jul 2001, Peter Pentchev wrote:
> Actually, as people have already stated, it is exactly the last one
> which is the correct one to *rebuild*.  Having just a Makefile does
> not mean that this particular Makefile does not reference sources
> in other directories; this is the case with pretty much everything
> in src/secure - most of it references sources in src/crypto.
>
> So, patch in src/crypto, rebuild in src/secure... and never ignore
> 'just a Makefile' again :P
>

Ok let me rephrase then.  I tried to patch in that directory and it asked
me what file I wanted to patch.  Since I had no idea I just killed it.  So
as I said before, it didn't work in that directory.  Since telnet really
isn't needed on the machine I just shut it off for now.  I'll just wait
till it's fixed in src since I need to upgrade the machine anyway.
-Richard

From owner-freebsd-security Fri Jul 20 10:17:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 3162537B405; Fri, 20 Jul 2001 10:17:16 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6KHHGa91142; Fri, 20 Jul 2001 10:17:16 -0700 (PDT) (envelope-from dillon) Date: Fri, 20 Jul 2001 10:17:16 -0700 (PDT) From: Matt Dillon Message-Id: <200107201717.f6KHHGa91142@earth.backplane.com> To: Ruslan Ermilov Cc: Assar Westerlund , security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? References: <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com> <20010719215957.A74024@sunbay.com> <200107191917.f6JJHwV77405@earth.backplane.com> <20010720100029.A30828@sunbay.com> <200107200932.f6K9WgZ88552@earth.backplane.com> <20010720143742.E65677@sunbay.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

:...
:> :4. remaining = 0
:> :and, assuming that netflush() did nothing(!)
:> :5. ret = 10 (10 bytes write attempt)
:> :6. (10 < 0 - 1) ? 10 : 0 - 1 = -1
:> :7. nfrontp += -1 = nfrontp - 1
:> :
:> :So, the worst we can have `nfrontp' decremented by one.
:> :Not overflowable, but not right.
:>
:> Except on the NEXT call remaining will be negative, but
:> since remaining is unsigned it will appear to be a very
:> large number and the routine will believe that *any* length
:> is legal.
:> Now, of course, the attempt to netflush() will
:> probably hide this potential problem but it is still a good
:> idea to write bullet proof code that does not rely on
:> caller assumptions.
:>
:Not taking into account the signedness of `remaining', how could it
:be negative?
:
:	remaining = BUFSIZ - (nfrontp - netobuf);
:
:For `remaining' to be negative, the following must be true:
:
:	nfrontp > netobuf + BUFSIZ
:
:But that's not possible.

I'm losing track of which code piece we are talking about, but
this is wrong:

:> :6. (10 < 0 - 1) ? 10 : 0 - 1 = -1

This is what really happens, because remaining is unsigned.

:> :6. (10 < 0 - 1) ? 10 : 0xFFFFFFFF = 0xFFFFFFFF

Which allows the buffer to overflow (before you removed the -1).
With the -1 removed the buffer can't overflow, but I would still
recommend putting an assert() in to guarantee the fact.  e.g.

	assert((int)remaining >= 0);

:> The below fix seems reasonable.  Strictly speaking it isn't really
:> pointing beyond the end of netobuf, the pointer will simply be such
:> that the length calculation will wind up being exactly the size of
:> netobuf which is what you want.
:>
:Yes, just a simple "write" pointer of the FIFO queue.
:
:> I would go further and just use 'int' instead of size_t in this
:> routine, and to doubly guarantee that no miscalculation will occur
:> you would assert() that remaining is >= 0 (in addition to the changes
:> you make below).  It pays to write safe code.
:>
:I don't think this is now required as all `nfrontp' modifications have
:been folded into output_data(), output_datalen(), netflush(), and netclear(),
:and they appear to be safe.
:
:I have found yet one unsafe place, writenet(), which I have replaced
:with output_datalen().
:
:Cheers,
:--
:Ruslan Ermilov		Oracle Developer/DBA,

I would do it anyway.  Remember, you aren't just writing a routine
that is correct for the codebase, you are writing a routine that
needs to be robust ('bullet proof') in the face of future work.
I often put in assertions for things that I don't think can happen. I have
515 assertions in the database core I wrote for Backplane. About half (250)
of those assertions I didn't think could happen, but if they did I wanted
to catch the condition before it got obscured. Around 10 of that half
actually *HAVE* happened in the last year. Assertions pay off. By spending
a small amount of time adding self checks to the code I save literally
several man months of debugging work later on when the code gets complex.

We have 2321 assertions in our product code as a whole, and over its
life-time those assertions have caught 90% of the bugs before they could
obscure themselves behind layers of procedure calls.

-Matt

From owner-freebsd-security Fri Jul 20 11:59:49 2001
From: "reza jamshid"
To: freebsd-security@freebsd.org
Date: Sat, 21 Jul 2001 04:29:46 +0930
Subject: ssh fatal: Timeout before authentication for 192.168.1.2

Hi,

Recently when I've tried to ssh to my FreeBSD gateway box from my win2k
box, I get this error pop up on the gateway:

sshd[1847]: fatal: Timeout before authentication for 192.168.1.2

I've tried a number of different ssh clients but neither of them can make
the connection. Putty just seems to hang after it asks me for the password.

Any ideas?

Thanks

From owner-freebsd-security Fri Jul 20 12:11:37 2001
From: "tjk@tksoft.com"
To: rezaj_@hotmail.com (reza jamshid)
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 20 Jul 2001 10:37:47 -0700 (PDT)
Subject: Re: ssh fatal: Timeout before authentication for 192.168.1.2

sshd might be tcp wrapped.
If so, see /etc/hosts.allow

You need an entry:

	sshd : 192.168.1.2 : allow

or

	ALL : 192.168.1.2 : allow

Troy

> Hi,
>
> Recently when I've tried to ssh to my FreeBSD gateway box from my win2k box,
> I get this error pop up on the gateway:
>
> sshd[1847]: fatal: Timeout before authentication for 192.168.1.2
>
> I've tried a number of different ssh clients but neither of them can make the
> connection. Putty just seems to hang after it asks me for the
> password.
>
> Any ideas?
>
> Thanks

From owner-freebsd-security Fri Jul 20 12:58:13 2001
From: "Richard A. Steenbergen"
To: freebsd-security@freebsd.org
Date: Fri, 20 Jul 2001 15:58:09 -0400 (EDT)
Subject: telnetd suckage

Speaking of telnetd sucking, did anyone ever get around to fixing

http://www.freebsd.org/cgi/query-pr.cgi?pr=22595

Doesn't look like it.
--
Richard A Steenbergen       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)

From owner-freebsd-security Fri Jul 20 16:18:25 2001
From: Greg Prosser
To: alexus
Cc: Chris Byrnes, security@FreeBSD.ORG
Date: Fri, 20 Jul 2001 19:18:20 -0400 (EDT)
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?

Er. No. try

	make clean all install

in the place where you did make all install. It seems to have not realized
the src was patched and didn't recompile the binaries, just re-installed
them.

/gnp

on Thu, 19 Jul 2001, alexus babbled ..

;; ok
;;
;; thanks
;;
;; ----- Original Message -----
;; From: "Chris Byrnes"
;; To: "alexus"
;; Cc:
;; Sent: Thursday, July 19, 2001 1:46 PM
;; Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
;;
;;
;; yup
;;
;;
;; Chris Byrnes, Managing Member
;; JEAH Communications, LLC
;;
;; On Thu, 19 Jul 2001, alexus wrote:
;;
;; > su-2.05# cd /usr/src/libexec/telnetd/
;; > su-2.05# make all install
;; > install -c -s -o root -g wheel -m 555 telnetd /usr/libexec
;; > install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8
;; > su-2.05#
;; >
;; > hmm that's it? seems like too short compilation .. is it supposed to be
;; like
;; > this?

From owner-freebsd-security Fri Jul 20 17:31:16 2001
From: "Washington Promotions International"
Date: Fri, 20 Jul 2001 20:30:16 -0400
Subject: Official America's Cup Jubilee Announcement

WASHINGTON PROMOTIONS INTERNATIONAL HONORED BY THE AMERICA'S CUP JUBILEE 2001

The America's Cup Jubilee Governing Committee in Cowes, United Kingdom
has selected Washington Promotions International as the official U.S.A.
merchandise licensee for the 150th Anniversary of the America's Cup.
Please visit this web site to see the array of clothing, compasses,
barometers and other commemorative items.
http://wpi2001.com/index2.html

Individuals, yacht and sailing clubs, and corporations everywhere, currently
have the opportunity to acquire special items with ACJ2001 logo.
Additionally, you may also choose to add your own logo to these fine items.
This is a once in a lifetime opportunity to celebrate an event of this
caliber and prestige.

Please post to your newsletter or bulletin board.
If you have any questions contact:
Vassil C. Yanco
(281)292-9810 Office
(281)292-9331 Fax
E-mail: info@wpi2001.com
Web Site: http://wpi2001.com

From owner-freebsd-security Fri Jul 20 18:18:06 2001
From: David Powers
To: freebsd-security@freebsd.org
Date: Fri, 20 Jul 2001 20:17:59 -0500
Subject: Recent probes

I have been getting a rash of probes to TCP/80 recently, is there a recent
issue that they might be trying to
exploit? Below is the data on the probes origination.

/kernel: ipfw: 65435 Deny TCP 203.126.35.77:2543 64.218.90.203:80 in via tun0

From owner-freebsd-security Fri Jul 20 18:18:54 2001
From: faSty
To: Washington Promotions International
Cc: freebsd-security@freebsd.org
Date: Fri, 20 Jul 2001 18:23:18 -0700
Subject: Re: Official America's Cup Jubilee Announcement'

wtf this is spam! get out of here.

-trev

On Fri, Jul 20, 2001 at 08:30:16PM -0400, Washington Promotions International wrote:
> WASHINGTON PROMOTIONS INTERNATIONAL HONORED BY
> THE
> AMERICA'S CUP JUBILEE 2001
>
> The America's Cup Jubilee Governing Committee in Cowes, United Kingdom
> has selected Washington Promotions International as the official U.S.A.
> merchandise licensee for the 150th Anniversary of the America's Cup.
> Please visit this web site to see the array of clothing, compasses, barometers
> and other commemorative items.
> http://wpi2001.com/index2.html
> Individuals, yacht and sailing clubs, and corporations everywhere, currently
> have the opportunity to acquire special items with ACJ2001 logo.
> Additionally,
> you may also choose to add your own logo to these fine items.
> This is a once in a lifetime opportunity to celebrate an event of this caliber
> and prestige.
>
> Please post to your newsletter or bulletin board.
> If you have any questions contact:
> Vassil C. Yanco
> (281)292-9810 Office
> (281)292-9331 Fax
> E-mail: info@wpi2001.com
> Web Site: http://wpi2001.com

--
Xerox never comes up with anything original.

From owner-freebsd-security Fri Jul 20 18:25:33 2001
From: Chris Faulhaber
To: David Powers
Cc: freebsd-security@freebsd.org
Date: Fri, 20 Jul 2001 21:25:28 -0400
Subject: Re: Recent probes

On Fri, Jul 20, 2001 at 08:17:59PM -0500, David Powers wrote:
> I have been getting a rash of probes to TCP/80 recently, is there a recent
> issue that they might be trying to exploit? Below is the data on the probes
> origination.
>

Don't worry, it's only hundreds of thousands of compromised IIS servers
trying to assimilate you...

http://www.net-security.org/text/articles/coverage/code-red/

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve  -  http://www.FreeBSD.org

From owner-freebsd-security Fri Jul 20 20:21:23 2001
From: Richard Lucas
To: David Powers
Date: Fri, 20 Jul 2001 22:21:18 -0500 (EST)
Subject: Re: Recent probes

On Fri, 20 Jul 2001, David Powers wrote:

> I have been getting a rash of probes to TCP/80 recently, is there a recent
> issue that they might be trying to exploit? Below is the data on the probes
> origination.
>
> /kernel: ipfw: 65435 Deny TCP 203.126.35.77:2543 64.218.90.203:80 in via
> tun0
>

Quite a few people have. There's a worm that infects IIS servers and then
tries random ip's to try to infect other computers that was hitting quite
a bit yesterday. Here's some more info:

http://www.net-security.org/text/articles/coverage/code-red/

-Richard

From owner-freebsd-security Sat Jul 21 0:46:41 2001
From: Josef Pojsl
To: "Carr, Ewan"
Cc: freebsd-security@freebsd.org
Date: Sat, 21 Jul 2001 09:46:33 +0200
Subject: Re: Racoon

Ewan,

you may want to check the KAME project homepage (www.kame.net) as both
racoon and IPsec in FreeBSD are instances of their IPv6/IPsec stack.
Also, there is a very helpful mailing list, snap-users@kame.net
(www.kame.net/snap-users/).

On Fri, Jul 20, 2001 at 03:29:45PM +0100, Carr, Ewan wrote:
> hi,
> I have a few questions on racoon - any help
> appreciated.
> I don't subscribe to the list so I would be grateful if you
> cc any replies to carre@logica.com too...cheers !
>
> 1) According to the FreeBSD handbook racoon runs in user-space..does the SAD
> exist in user-space too or is it in the kernel. In whatever situation is
> there an API which
> I can get at which accesses the SAD...I am interested because I am looking
> at a
> user-space implementation of a IPSec-like security protocol...so yeh..any
> info on SAD structure/APIs would be great..

SADs are in kernel, they can be manipulated with setkey(8), racoon or any
other application by means of libipsec.

> 2) Is there any useful documentation out there on racoon (configuration,
> etc?). Failing
> that any useful pointers would be good...ta !

Try http://www.kame.net/newsletter/20001119/

> 3) Can anyone provide any info on the mechanism by which IKE communicates
> with
> IPSec when, say, an SA doesn't exist and one has to be set up on-the-fly so
> to speak..

There is a man page for SPD manipulation in ipsec_set_policy(3) but AFAIK
none for SAD manipulation. I would suggest looking at setkey source codes...
Regards,
Josef

From owner-freebsd-security Sat Jul 21 0:56:37 2001
From: Will Andrews
To: freebsd-security@FreeBSD.ORG
Date: Sat, 21 Jul 2001 02:56:35 -0500
Subject: Re: Official America's Cup Jubilee Announcement'

On Fri, Jul 20, 2001 at 06:23:18PM -0700, faSty (fasty@i-sphere.com) wrote:
> wtf this is spam! get out of here.

By responding to the original sender, you have confirmed that your email
address (and freebsd-security@FreeBSD.org) has live humans reading it.
Congratulations.
--
wca

From owner-freebsd-security Sat Jul 21 6:07:07 2001
From: Peter Pentchev
To: "Richard A. Steenbergen"
Cc: freebsd-security@freebsd.org
Date: Sat, 21 Jul 2001 16:11:08 +0300
Subject: Re: telnetd suckage

On Fri, Jul 20, 2001 at 03:58:09PM -0400, Richard A. Steenbergen wrote:
> Speaking of telnetd sucking, did anyone ever get around to fixing
> http://www.freebsd.org/cgi/query-pr.cgi?pr=22595
>
> Doesn't look like it.

Do you have any actual suggestions on how to 'make realhostname*()
not suck', as you have so helpfully suggested as a fix?

G'luck,
Peter

--
This sentence is false.
From owner-freebsd-security Sat Jul 21 6:37:43 2001
From: Brian Somers
To: "Richard A. Steenbergen"
Cc: Peter Pentchev, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Date: Sat, 21 Jul 2001 14:37:36 +0100
Subject: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage)

> On Fri, Jul 20, 2001 at 03:58:09PM -0400, Richard A. Steenbergen wrote:
> > Speaking of telnetd sucking, did anyone ever get around to fixing
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=22595
> >
> > Doesn't look like it.
>
> Do you have any actual suggestions on how to 'make realhostname*()
> not suck', as you have so helpfully suggested as a fix?

I don't understand this PR. What's the problem ?
realhostname*() takes the connecting IP, turns it into a name and resolves
that name. If the *original* IP isn't in the list (or if a name couldn't be
found from the IP), it puts the *original* ip in utmp/wtmp. If the
*original* IP is in the list, it uses the name that the IP was turned into.

The difference between ``w'' and ``w -n'' is whether ``w'' will look up IP
numbers found in utmp. The fact that you're seeing different answers means
that realhostname_sa() stored the IP number in utmp. The example in the PR
means that someone connected from 199.95.76.12.

There's nothing wrong with realhostname_sa() here. Can the originator
please follow up with a better description of what the perceived problem
is please ?

> G'luck,
> Peter
>
> --
> This sentence is false.

--
Brian                                        http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Sat Jul 21 7:06:25 2001
From: Mike Squires
To: David Powers
Cc: freebsd-security@freebsd.org
Date: Sat, 21 Jul 2001 09:06:10 -0500 (EST)
Subject: Re: Recent probes
> I have been getting a rash of probes to TCP/80 recently, is there a recent
> issue that they might be trying to exploit? Below is the data on the probes
> origination.

Check out www.dshield.org; they show a majority of probes in the past 5 days
to have been on port 80.

MLS

From owner-freebsd-security Sat Jul 21 7:12:37 2001
From: Poul-Henning Kamp
To: Mike Squires
Cc: David Powers, freebsd-security@FreeBSD.ORG
Date: Sat, 21 Jul 2001 16:12:12 +0200
Subject: Re: Recent probes

In message <200107211406.f6LE6Am32960@ct980320-b.blmngtn1.in.home.com>, Mike Squires writes:
>> I have been getting a rash of probes to TCP/80 recently, is there a recent
>> issue that they might be trying to exploit? Below is the data on the probes
>> origination.
>
>Check out www.dshield.org; they show a majority of probes in the past 5 days
>to have been on port 80.

Haven't any of you heard about the "CodeRed" worm ?
http://www.theregister.co.uk/content/4/20546.html
http://www.theregister.co.uk/content/56/20545.html

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Sat Jul 21 7:31:15 2001
From: Holtor
To: security@freebsd.org
Date: Sat, 21 Jul 2001 07:31:13 -0700 (PDT)
Subject: telnetd root exploit

Has the telnetd root vulnerability been "officially" fixed in RELENG_4 ?

Thanks.
Messenger http://phonecard.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 9:31:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from purgatory.unfix.org (purgatory.xs4all.nl [194.109.237.229]) by hub.freebsd.org (Postfix) with ESMTP id 551D537B405; Sat, 21 Jul 2001 09:31:18 -0700 (PDT) (envelope-from jeroen@unfix.org) Received: from HELL (hell.unfix.org [::ffff:10.100.13.66]) by purgatory.unfix.org (Postfix) with ESMTP id DA70A31E7; Sat, 21 Jul 2001 18:31:09 +0200 (CEST) From: "Jeroen Massar" To: "'Brian Somers'" , "'Richard A. Steenbergen'" Cc: "'Peter Pentchev'" , , Subject: RE: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage) Date: Sat, 21 Jul 2001 18:27:11 +0200 Organization: Unfix Message-ID: <000f01c11201$ffefafd0$420d640a@HELL> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 In-Reply-To: <200107211337.f6LDbag72093@hak.lan.Awfulhak.org> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brian Somers wrote: > > On Fri, Jul 20, 2001 at 03:58:09PM -0400, Richard A. > Steenbergen wrote: > > > Speaking of telnetd sucking, did anyone ever get around to fixing > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=22595 > > > > > > Doesn't look like it. > > > > Do you have any actual suggestions on how to 'make realhostname*() > > not suck', as you have so helpfully suggested as a fix? > > I don't understand this PR. What's the problem ? realhostname*() > takes the connecting IP, turns it into a name and resolves that name. 
> If the *original* IP isn't in the list (or if a name couldn't be > found from the IP), it puts the *original* ip in utmp/wtmp. If the > *original* IP is in the list, it uses the name that the IP was turned > into.
$ host -t ptr 10.0.0.1
1.0.0.10.IN-ADDR.ARPA domain name pointer www.fbi.gov
$ host -t a www.fbi.gov
www.fbi.gov has address 32.96.111.130
And then your average dumb admin does a 'who' and oooooh... That dude is leet he/she/it logs in from www.fbi.gov It's also great for your logs... "My box got hacked from www.fbi.gov, the feds are on to me" nice quotes :) IRCd and many more (even PuTTY (www.chiark.greenend.org.uk/~sgtatham/putty/) :) do a:
- Resolve IP -> hostname
- resolve hostname -> IP2
- if IP1 != IP2 then hostname = IP1
That's the problem reported in the 22595 PR... But it gets even worse (evil grin :), this is a nice trick you can do to fool your ssh which IMHO should be a nice PR on its own:
8<-----------
jeroen@purgatory:~$ w
 6:08PM up 93 days, 9:58, 1 user, load averages: 0.19, 0.13, 0.14
USER TTY FROM LOGIN@ IDLE WHAT
jeroen p1 hell.unfix.org 10:16AM - w
jeroen@purgatory:~$ w -n
 6:08PM up 93 days, 9:58, 1 user, load averages: 0.16, 0.12, 0.13
USER TTY FROM LOGIN@ IDLE WHAT
jeroen p1 10.100.13.66 10:16AM - w -n
------------>8
And guess what:
8<-----------
jeroen@purgatory:~$ netstat -an | grep \.22 | less
tcp6 0 0 3ffe:8114:2000:2.22 3ffe:8114:2000:2.1628 ESTABLISHED
tcp4 0 0 *.22 *.* LISTEN
tcp46 0 0 *.22 *.* LISTEN
------------>8
Now I wonder... why the peep doesn't the wtmp log an IP (either IPv4 or IPv6) alongside a hostname... As you see ... Hell.unfix.org resolves nicely to 10.100.13.66 (an IPv4 address) even when I am connected over IPv6... If that isn't one kind of security risk.... Simply change your reverse to something nice and wh0ppa... No-one will even notice that you're coming from a remote network far far away... With this nice IPv4/IPv6 trick you could even set a forward IPv4 lookup to make a local IPv4 IP.
So that it looks like you logged in from a local system. If that isn't enough 'proof' that the whole utmp/wtmp concept is wrong.... -> YES, I accuse utmp/wtmp not telnetd as you might notice ssh has the same problem :) Telnetd simply does what it _can_ do ... log the hostname to utmp/wtmp, 'w' and friends simply use that info to show it to us... So we basically have the following list of problems:
- wtmp/utmp should have hostname and IPv4 or IPv6 or ... one could choose IPv4 mapped IPs.. eg: ::ffff:10.100.13.66 (but this could become a prob in the future again... IMHO adding an extra field containing the ascii representation of the IP/address whatever should do... Which also would be able to log the IPX addy or whatever :) And the hostname field should contain either nothing (empty) or should contain the ascii representation of the address, that's what forward&reverse resolve is for...
- utmp/wtmp-"client"-programs (readers) show the wrong info when 'showing network numbered' because they don't have the full/correct info because they don't have it.
_if/when_ these get fixed even "dumb admins/users" won't go around telling that they got hacked by the FBI or the CIA simply because some kiddy with reverse access, which currently is quite easy to obtain with all those IPv6 tunnelbrokers around who don't give anything about (possible) abuse from their clients. And the same goes for IPv4 of course.... Simply insert a PTR record... and tada... you're now coming from a NASA host... how 1337 or whatever spelling those people/things/... prefer... And like Richard says: THAT REALLY SUCKS.
Greets, Jeroen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 11:38:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id B7B6737B406; Sat, 21 Jul 2001 11:38:27 -0700 (PDT) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6LIcPL11270; Sat, 21 Jul 2001 19:38:25 +0100 (BST) (envelope-from brian@lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6LIcNg76517; Sat, 21 Jul 2001 19:38:23 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200107211838.f6LIcNg76517@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: "Jeroen Massar" Cc: "'Brian Somers'" , "'Richard A. Steenbergen'" , "'Peter Pentchev'" , freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org, brian@Awfulhak.org Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage) In-Reply-To: Message from "Jeroen Massar" of "Sat, 21 Jul 2001 18:27:11 +0200." <000f01c11201$ffefafd0$420d640a@HELL> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 21 Jul 2001 19:38:23 +0100 From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Brian Somers wrote: > > > > On Fri, Jul 20, 2001 at 03:58:09PM -0400, Richard A. > > Steenbergen wrote: > > > > Speaking of telnetd sucking, did anyone ever get around to fixing > > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=22595 > > > > > > > > Doesn't look like it. 
> > > > > > Do you have any actual suggestions on how to 'make realhostname*() > > > not suck', as you have so helpfully suggested as a fix? > > > > I don't understand this PR. What's the problem ? realhostname*() > > takes the connecting IP, turns it into a name and resolves that name. > > If the *original* IP isn't in the list (or if a name couldn't be > > found from the IP), it puts the *original* ip in utmp/wtmp. If the > > *original* IP is in the list, it uses the name that the IP was turned > > into. > > $ host -t ptr 10.0.0.1 > 1.0.0.10.IN-ADDR.ARPA domain name pointer www.fbi.gov > > $ host -t a www.fbi.gov > www.fbi.gov has address 32.96.111.130 > > And then your average dumb admin does a 'who' and oooooh... That dude is > leet he/she/it logs in from www.fbi.gov > It's also great for your logs... "My box got hacked from www.fbi.gov, > the feds are on to me" nice quotes :) If you log in from 10.0.0.1 and the above resolutions are in effect, realhostname_sa() will put 10.0.0.1 in utmp. Why are you assuming it doesn't ? > IRCd and many more (even PuTTY > (www.chiark.greenend.org.uk/~sgtatham/putty/) :) do a: > - Resolve IP -> hostname > - resolve hostname -> IP2 > - if IP1 != IP2 then hostname = IP1 Which is exactly what realhostname() and realhostname_sa() do. > That's the problem reported in the 22595 PR... What is ? 
> But it get's even worse (evil grin :), this is a nice trick you can do > to fool your ssh which IMHO should be a nice PR on it's own: > > 8<----------- > jeroen@purgatory:~$ w > 6:08PM up 93 days, 9:58, 1 user, load averages: 0.19, 0.13, 0.14 > USER TTY FROM LOGIN@ IDLE WHAT > jeroen p1 hell.unfix.org 10:16AM - w > jeroen@purgatory:~$ w -n > 6:08PM up 93 days, 9:58, 1 user, load averages: 0.16, 0.12, 0.13 > USER TTY FROM LOGIN@ IDLE WHAT > jeroen p1 10.100.13.66 10:16AM - w -n > ------------>8 > > And guess what: > 8<----------- > jeroen@purgatory:~$ netstat -an | grep \.22 | less > tcp6 0 0 3ffe:8114:2000:2.22 3ffe:8114:2000:2.1628 > ESTABLISHED > tcp4 0 0 *.22 *.* > LISTEN > tcp46 0 0 *.22 *.* > LISTEN > ------------>8 > > Now I wonder... why the peep doesn't the wtmp log an IP (either IPv4 or > IPv6) alongside a hostname... > As you see ... Hell.unfix.org resolves nicely to 10.100.13.66 (an IPv4 > address) even when I am connected over IPv6... > If that isn't one kind of security risk.... Simply change your reverse > to something nice and wh0ppa... > No-one will even notice thaty you're coming from a remote network far > far away... > With this nice IPv4/IPv6 trick you could even set a forward IPv4 lookup > to make a local IPv4 IP. So that it looks like you logged in from a > local system. But this doesn't happen either. On my machine, 3ffe:8114:2000:2 is recorded. In fact, I've just fixed realhostname_sa() so that it records the hostname if it fits in the utmp field and the forward/ reverse lookup ends up with the same ipv6 number, but even before the fix, the IPv6 number was what's recorded. Ah, wait, I see what the problem is. It's ``w'' that's getting it wrong. It's assuming that it knows the address family of the name in utmp -- and mucks about with name resolutions whether you say -n or not. ``who'' gives the right answer. > If that isn't enough 'proof' that the whole utmp/wtmp concept is > wrong.... 
-> YES, I accuse utmp/wtmp not telnetd as you might notice ssh > has the same problem :) > Telnetd simply does what it _can_ do ... log the hostname to utmp/wtmp, > 'w' and friends simply use that info to show it to us... All daemon programs that log you in and are part of the base system will display this behaviour, but I don't agree that there's any problem with realhostname*(). w(1) is flawed. > So we basically have the following list of problems: > - wtmp/utmp should have hostname and IPv4 or IPv6 or ... > one could choose IPv4 mapped IP's.. eg: ::ffff:10.100.13.66 (but this > could become a prob in the future again... > IMHO adding an extra field containing the ascii representation of the > IP/address whatever should do... Which also would be able to log the IPX > addy or whatever :) > And the hostname field should contain either nothing (empty) or > should contain the ascii representation of the address, that's what > forward&reverse resolve is for... The extra field should hold the address family. > - utmp/wtmp-"client"-programs (readers) show the wrong info when > 'showing network numbered' because they don't have the full/correct info > because they don't have it. Agreed. > _if/when_ these get fixed even "dumb admins/users" won't go around > telling that they got hacked by the FBI or the CIA simply because some > kiddy with reverse access, > which currently is quite easy to obtain with all those IPv6 > tunnelbrokers around who don't give anything about (possible) abuse from > their clients. > And the same goes for IPv4 ofcourse.... Simply insert a PTR record... > and tada... you're now coming from a NASA host... how 1337 or whatever > spelling those people/things/... prefer... I don't agree. A dumb admin/user will do dumb things no matter what the operating system that they're working with does. If realhostname*() doesn't see the PTR record pointing at a name that resolves back to the IP, it records the IP. > And like Richard says: THAT REALLY SUCKS. 
Which is a pretty useless statement. > Greets, > Jeroen I'll have a look at fixing ``w'' -- probably by tearing the -n option out as it's evil. I won't add the extra field to utmp however. This has been discussed before and it would break too much. Programs should simply not attempt to muck about with things when they don't have enough information. -- Brian http://www.freebsd-services.com/ Don't _EVER_ lose your sense of humour ! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 12: 0:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 75A7137B403 for ; Sat, 21 Jul 2001 12:00:53 -0700 (PDT) (envelope-from veldy@veldy.net) Received: from cascade (cascade.veldy.net [192.168.1.1]) by veldy.net (Postfix) with SMTP id B9D78BAA8; Sat, 21 Jul 2001 14:00:52 -0500 (CDT) Message-ID: <004601c11217$7e416fd0$0101a8c0@cascade> From: "Thomas T. Veldhouse" To: "David Powers" , References: <00b401c11182$fb2f8260$0401a8c0@swbell.net> Subject: Re: Recent probes Date: Sat, 21 Jul 2001 14:01:05 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yeah -- there is an IIS exploit that they seem to try on ALL servers. It will incidentally drop a Cisco 67x DSL router if it hasn't been updated to the latest CBOS and the web management interface is enabled.
Tom Veldhouse veldy@veldy.net ----- Original Message ----- From: "David Powers" To: Sent: Friday, July 20, 2001 8:17 PM Subject: Recent probes > I have been getting a rash of probes to TCP/80 recently, is there a recent > issue that they might be trying to exploit? Below is the data on the probes > origination. > > /kernel: ipfw: 65435 Deny TCP 203.126.35.77:2543 64.218.90.203:80 in via > tun0 > > ; <<>> DiG 8.3 <<>> -x > ;; res options: init recurs defnam dnsrch > ;; got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > ;; QUERY SECTION: > ;; 77.35.126.203.in-addr.arpa, type = ANY, class = IN > > ;; AUTHORITY SECTION: > 35.126.203.in-addr.arpa. 1D IN SOA dnspri.singnet.com.sg. > hostmaster.singnet.com.sg. ( > 2000101700 ; serial > 30M ; refresh > 15M ; retry > 1W ; expiry > 1D ) ; minimum > > inetnum: 203.126.35.64 - 203.126.35.95 > netname: SUNRIGHT-SG > descr: SunRight Limited > descr: 1093 Lower Delta Road > descr: #02-01/08 > descr: Singapore 169204 > country: SG > admin-c: SAT1-AP > tech-c: SH9-AP > rev-srv: dnssec1.singnet.com.sg > rev-srv: dnssec2.singnet.com.sg > rev-srv: dnssec3.singnet.com.sg > notify: hostmaster@singnet.com.sg > mnt-by: MAINT-SG-SINGNET > changed: hostmaster@singnet.com.sg 20001016 > source: APNIC > > person: Sim Ah Tee > address: SunRight Limited > address: 1093 Lower Delta Road > address: #02-01/08 > address: Singapore 169204 > phone: +65 3749553 > fax-no: +65 2768426 > e-mail: srmis@pacific.net.sg > nic-hdl: SAT1-AP > notify: hostmaster@singnet.com.sg > mnt-by: MAINT-SG-SINGNET > changed: hostmaster@singnet.com.sg 20001016 > source: APNIC > > person: SingNet Hostmaster > address: SingNet Engineering & Operations > address: 2 Stirling Road > address: #03-00 Queenstown Exchange > address: Singapore 148943 > phone: +65 7845922 > fax-no: +65 4753273 > e-mail: hostmaster@singnet.com.sg > nic-hdl: SH9-AP > notify: hostmaster@singnet.com.sg > mnt-by: 
MAINT-SG-SINGNET > changed: hostmaster@singnet.com.sg 20000921 > source: APNIC > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 12:14:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from overlord.e-gerbil.net (e-gerbil.net [207.91.110.247]) by hub.freebsd.org (Postfix) with ESMTP id 84F3537B405; Sat, 21 Jul 2001 12:14:42 -0700 (PDT) (envelope-from ras@e-gerbil.net) Received: by overlord.e-gerbil.net (Postfix, from userid 1001) id D2670E5004; Sat, 21 Jul 2001 15:14:40 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by overlord.e-gerbil.net (Postfix) with ESMTP id A3171E4CFC; Sat, 21 Jul 2001 15:14:40 -0400 (EDT) Date: Sat, 21 Jul 2001 15:14:40 -0400 (EDT) From: "Richard A. Steenbergen" To: Brian Somers Cc: Jeroen Massar , 'Peter Pentchev' , freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage) In-Reply-To: <200107211838.f6LIcNg76517@hak.lan.Awfulhak.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 21 Jul 2001, Brian Somers wrote: > > Brian Somers wrote: > > > > $ host -t ptr 10.0.0.1 > > 1.0.0.10.IN-ADDR.ARPA domain name pointer www.fbi.gov > > > > $ host -t a www.fbi.gov > > www.fbi.gov has address 32.96.111.130 > > > > And then your average dumb admin does a 'who' and oooooh... That dude is > > leet he/she/it logs in from www.fbi.gov > > It's also great for your logs...
"My box got hacked from www.fbi.gov, > > the feds are on to me" nice quotes :) > > If you log in from 10.0.0.1 and the above resolutions are in effect, > realhostname_sa() will put 10.0.0.1 in utmp. I think the problem would be obvious from a security perspective. You'll note that not only does the bad dns get passed to the system from telnetd, but the bad IP, an arbitrary IP. Not only is it a perfect spoof but it's easy to control from the attacker's side, they just need control over a domain forward. Did you ever hear of a little thing called trusted hosts? In fact, won't this be the IP that is passed to tcp wrappers and other security checks? > If realhostname*() doesn't see the PTR record pointing at a name that > resolves back to the IP, it records the IP. > > > And like Richard says: THAT REALLY SUCKS. > > Which is a pretty useless statement. Well there are two solutions, stop using realhostname*() or make those functions actually work. Anything which does reverse, forward, then reverse again and takes the forward and reverse IPs is so broken that calling it real anything is laughable at best. I figured that would be blatantly obvious, sorry for the false assumption.
-- Richard A Steenbergen http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 12:21:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from overlord.e-gerbil.net (e-gerbil.net [207.91.110.247]) by hub.freebsd.org (Postfix) with ESMTP id 12C6237B401; Sat, 21 Jul 2001 12:21:37 -0700 (PDT) (envelope-from ras@e-gerbil.net) Received: by overlord.e-gerbil.net (Postfix, from userid 1001) id 21A90E5004; Sat, 21 Jul 2001 15:21:35 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by overlord.e-gerbil.net (Postfix) with ESMTP id EDF7EE4CFC; Sat, 21 Jul 2001 15:21:34 -0400 (EDT) Date: Sat, 21 Jul 2001 15:21:34 -0400 (EDT) From: "Richard A. Steenbergen" To: Brian Somers Cc: Peter Pentchev , freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage) In-Reply-To: <200107211337.f6LDbag72093@hak.lan.Awfulhak.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 21 Jul 2001, Brian Somers wrote: > The example in the PR means that someone connected from 199.95.76.12. Sorry, at the time of the PR writing, that was the correct IP for www.senate.gov. traceroute to 199.95.76.12 (199.95.76.12), 64 hops max, 40 byte packets ... 10 senate-gw3.customer.alter.net (157.130.33.182) 14.671 ms 14.310 ms 14.885 ms It's very simple: You are 1.2.3.4, your reverse dns is your.domain.com. You control domain.com, so you setup multiple CNAMES for "your", one pointing to 1.2.3.4 and one pointing to the IP you wish to spoof (we'll call it 9.8.7.6). 
When you connect to telnet, it reverses 1.2.3.4 to your.domain.com, forwards your.domain.com to 9.8.7.6, reverses 9.8.7.6 to www.senate.gov, and passes on 9.8.7.6 to the rest of the system. Spoofing at its finest... -- Richard A Steenbergen http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 13:35:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 2562437B405 for ; Sat, 21 Jul 2001 13:35:42 -0700 (PDT) (envelope-from fasty@I-Sphere.COM) Received: (from fasty@localhost) by I-Sphere.COM (8.11.4/8.11.3) id f6LKeGV60361; Sat, 21 Jul 2001 13:40:16 -0700 (PDT) (envelope-from fasty) Date: Sat, 21 Jul 2001 13:40:15 -0700 From: faSty To: Holtor Cc: freebsd-security@freebsd.org Subject: Re: telnetd root exploit Message-ID: <20010721134015.A60332@i-sphere.com> References: <20010721143113.46212.qmail@web11603.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010721143113.46212.qmail@web11603.mail.yahoo.com>; from holtor@yahoo.com on Sat, Jul 21, 2001 at 07:31:13AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yes, I saw the cvsup update the telnetd :) -trev On Sat, Jul 21, 2001 at 07:31:13AM -0700, Holtor wrote: > Has the telnetd root vulnerability been > "officially" fixed in RELENG_4 ? > > Thanks. > > __________________________________________________ > Do You Yahoo!? > Make international calls for as low as $.04/minute with Yahoo! 
Messenger > http://phonecard.yahoo.com/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- "No, `Eureka' is Greek for `This bath is too hot.'" -- Dr. Who To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:12:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from salvation.unixgeeks.com (cc784475-b.scrmnt1.ca.home.com [65.5.73.160]) by hub.freebsd.org (Postfix) with SMTP id 6FD2437B403 for ; Sat, 21 Jul 2001 14:12:29 -0700 (PDT) (envelope-from nathan@salvation.unixgeeks.com) Received: (qmail 12011 invoked by uid 1001); 21 Jul 2001 20:49:42 -0000 Date: 21 Jul 2001 20:49:42 -0000 Message-ID: <20010721204942.12010.qmail@salvation.unixgeeks.com> From: nathan@salvation.unixgeeks.com To: freebsd-security@freebsd.org Subject: possible? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org okay, today i checked my apache logs this is what i got: 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 this same exact get request came from several different address as well. such as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. thanks in advance, nathan. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:16:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from cassie.foobarbaz.net (195.mudb.snfc.snfccafj.dsl.att.net [12.99.91.195]) by hub.freebsd.org (Postfix) with SMTP id 52BD937B405 for ; Sat, 21 Jul 2001 14:16:52 -0700 (PDT) (envelope-from enkhyl@foobarbaz.net) Received: (qmail 15432 invoked by uid 1000); 21 Jul 2001 21:04:47 -0000 Date: Sat, 21 Jul 2001 14:04:47 -0700 From: Enkhyl To: nathan@salvation.unixgeeks.com Cc: freebsd-security@freebsd.org Subject: Re: possible? Message-ID: <20010721140447.X89481@cassie.foobarbaz.net> Reply-To: enkhyl@pobox.com Mail-Followup-To: nathan@salvation.unixgeeks.com, freebsd-security@freebsd.org References: <20010721204942.12010.qmail@salvation.unixgeeks.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com>; from nathan@salvation.unixgeeks.com on Sat, Jul 21, 2001 at 08:49:42PM -0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jul 21, 2001 at 08:49:42PM -0000, nathan@salvation.unixgeeks.com wrote: [snip] > this same exact get request came from several different address as well. such > as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any > remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. This is from the Code Red worm. Take a look at the threads on Bugtraq and/or Nanog lists. -- Christopher Nielsen - Metal-wielding pyro techie cnielsen@pobox.com "Any technology indistinguishable from magic is insufficiently advanced." 
--unknown To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:17:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id D2ABA37B403 for ; Sat, 21 Jul 2001 14:17:27 -0700 (PDT) (envelope-from fasty@I-Sphere.COM) Received: (from fasty@localhost) by I-Sphere.COM (8.11.4/8.11.4) id f6LLLv161066; Sat, 21 Jul 2001 14:21:57 -0700 (PDT) (envelope-from fasty) Date: Sat, 21 Jul 2001 14:21:53 -0700 From: faSty To: nathan@salvation.unixgeeks.com Cc: freebsd-security@freebsd.org Subject: Re: possible? Message-ID: <20010721142152.A61045@i-sphere.com> References: <20010721204942.12010.qmail@salvation.unixgeeks.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com>; from nathan@salvation.unixgeeks.com on Sat, Jul 21, 2001 at 08:49:42PM -0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I got that same one like 10 times so far. Nothing to do with an Apache exploit. It's just basically for the IIS exploit called the Red worm virus. You might want to check www.cnn.com or any security website talking about the red worm alert.
-trev On Sat, Jul 21, 2001 at 08:49:42PM -0000, nathan@salvation.unixgeeks.com wrote: > > okay, today i checked my apache logs this is what i got: > > 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u > 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 > 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 > > this same exact get request came from several different address as well. such > as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any > remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. > > thanks in advance, > nathan. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- "Reality is that which, when you stop believing in it, doesn't go away". -- Philip K. Dick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:17:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp8.xs4all.nl (smtp8.xs4all.nl [194.109.127.134]) by hub.freebsd.org (Postfix) with ESMTP id 8A04437B408 for ; Sat, 21 Jul 2001 14:17:31 -0700 (PDT) (envelope-from wkb@freebie.xs4all.nl) Received: from freebie.xs4all.nl (freebie.xs4all.nl [213.84.32.253]) by smtp8.xs4all.nl (8.9.3/8.9.3) with ESMTP id XAA17911; Sat, 21 Jul 2001 23:17:28 +0200 (CEST) Received: (from wkb@localhost) by freebie.xs4all.nl (8.11.4/8.11.4) id f6LLHRo20420; Sat, 21 Jul 2001 23:17:27 +0200 (CEST) (envelope-from wkb) Date: Sat, 21 Jul 2001 23:17:27 +0200 From: Wilko Bulte To: nathan@salvation.unixgeeks.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: possible? 
Message-ID: <20010721231727.A20401@freebie.xs4all.nl> References: <20010721204942.12010.qmail@salvation.unixgeeks.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com>; from nathan@salvation.unixgeeks.com on Sat, Jul 21, 2001 at 08:49:42PM -0000 X-OS: FreeBSD 4.3-STABLE X-PGP: finger wilko@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jul 21, 2001 at 08:49:42PM -0000, nathan@salvation.unixgeeks.com wrote: **SIGH** This is an attack destined for M$'s IIS, not for Apache. Please see the Internet, half of the traffic it carries is (about) this bloody attack. Wilko > okay, today i checked my apache logs this is what i got: > > 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u > 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 > 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 > > this same exact get request came from several different address as well. such > as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any > remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. > > thanks in advance, > nathan. 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message ---end of quoted text--- -- | / o / / _ Arnhem, The Netherlands email: wilko@FreeBSD.org |/|/ / / /( (_) Bulte "Youth is not a time in life, it is a state of mind" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:18:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (pogo.caustic.org [208.44.193.69]) by hub.freebsd.org (Postfix) with ESMTP id 39D2C37B406 for ; Sat, 21 Jul 2001 14:18:25 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.0/ignatz) with ESMTP id f6LLIO044724; Sat, 21 Jul 2001 14:18:24 -0700 (PDT) Date: Sat, 21 Jul 2001 14:18:24 -0700 (PDT) From: "f.johan.beisser" To: nathan@salvation.unixgeeks.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: possible? In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com> Message-ID: X-Ignore: This statement isn't supposed to be read by you MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 21 Jul 2001 nathan@salvation.unixgeeks.com wrote: > > okay, today i checked my apache logs this is what i got: > > 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u > 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 > 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 > > this same exact get request came from 
several different address as well. such > as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any > remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. that right there is the "Code Red" exploit for IIS. the worm has been making the rounds for the last couple weeks, and is not an exploit against apache. you're pretty much safe. -- jan -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "if my thought-dreams could be seen.. "they'd probably put my head in a gillotine" -- Bob Dylan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:19:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from unix-shells.com (handi4-145-253-158-092.arcor-ip.net [145.253.158.92]) by hub.freebsd.org (Postfix) with ESMTP id C0D9F37B406 for ; Sat, 21 Jul 2001 14:19:29 -0700 (PDT) (envelope-from bjoern@loenneker.com) Received: from mobile (root@localhost [127.0.0.1]) (authenticated) by unix-shells.com (8.11.4/8.11.4) with ESMTP id f6LLJNV60416; Sat, 21 Jul 2001 23:19:24 +0200 (CEST) (envelope-from bjoern@loenneker.com) From: =?iso-8859-1?Q?Bj=F6rn_L=F6nneker?= To: , Subject: RE: possible? Date: Sat, 21 Jul 2001 23:19:20 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Nathan, an IIS server compromised by "Code Red Worm" tried to attack you. 
You are quite safe because only IIS servers are vulnerable to this attack. -- bjoern -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of nathan@salvation.unixgeeks.com Sent: Saturday, July 21, 2001 10:50 PM To: freebsd-security@FreeBSD.ORG Subject: possible? okay, today i checked my apache logs this is what i got: 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u90 90%u 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00 %u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 this same exact get request came from several different address as well. such as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. thanks in advance, nathan. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:29:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from post.kis.ru (post.kis.ru [195.98.32.206]) by hub.freebsd.org (Postfix) with ESMTP id 91FC537B408 for ; Sat, 21 Jul 2001 14:29:46 -0700 (PDT) (envelope-from dv@dv.ru) Received: from xkis.kis.ru ([195.98.32.200] verified) by post.kis.ru (CommuniGate Pro SMTP 3.4.8) with SMTP id 90341; Sun, 22 Jul 2001 01:28:03 +0400 Date: Sun, 22 Jul 2001 01:29:44 +0400 (MSD) From: Dmitry Valdov X-Sender: dv@xkis.kis.ru To: faSty Cc: Holtor , freebsd-security@FreeBSD.ORG Subject: Re: telnetd root exploit In-Reply-To: <20010721134015.A60332@i-sphere.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! How about 3.x and 2.x? Dmitry. On Sat, 21 Jul 2001, faSty wrote: > Date: Sat, 21 Jul 2001 13:40:15 -0700 > From: faSty > To: Holtor > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: telnetd root exploit > > Yes, I saw the cvsup update the telnetd :) > > -trev > > On Sat, Jul 21, 2001 at 07:31:13AM -0700, Holtor wrote: > > Has the telnetd root vulnerability been > > "officially" fixed in RELENG_4 ? > > > > Thanks. > > > > __________________________________________________ > > Do You Yahoo!? > > Make international calls for as low as $.04/minute with Yahoo! Messenger > > http://phonecard.yahoo.com/ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > "No, `Eureka' is Greek for `This bath is too hot.'" > -- Dr. 
Who > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:31:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 6501137B401 for ; Sat, 21 Jul 2001 14:31:10 -0700 (PDT) (envelope-from smithi@nimnet.asn.au) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id HAA02111; Sun, 22 Jul 2001 07:30:59 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sun, 22 Jul 2001 07:30:59 +1000 (EST) From: Ian Smith To: nathan@salvation.unixgeeks.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: possible? In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 21 Jul 2001 nathan@salvation.unixgeeks.com wrote: > okay, today i checked my apache logs this is what i got: > > 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u > 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 > 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 > > this same exact get request came from several different address as well. such > as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any > remote exploits in apache i've missed? 
i'm running Apache/1.3.19 Server.. Unless you happen to be running Microsoft IIS as your webserver, it's just an ugly blob in the log .. we got a whole pile of them here too, from all over the planet. Don't bother chasing the IPs, they're more likely victims than villains. Ian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:43:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-215.dsl.lsan03.pacbell.net [63.207.60.215]) by hub.freebsd.org (Postfix) with ESMTP id E1E0037B401 for ; Sat, 21 Jul 2001 14:43:39 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8397F66D78; Sat, 21 Jul 2001 14:43:38 -0700 (PDT) Date: Sat, 21 Jul 2001 14:43:38 -0700 From: Kris Kennaway To: Dmitry Valdov Cc: faSty , Holtor , freebsd-security@FreeBSD.ORG Subject: Re: telnetd root exploit Message-ID: <20010721144337.B90359@xor.obsecurity.org> References: <20010721134015.A60332@i-sphere.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="SkvwRMAIpAhPCcCJ" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from dv@dv.ru on Sun, Jul 22, 2001 at 01:29:44AM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --SkvwRMAIpAhPCcCJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Jul 22, 2001 at 01:29:44AM +0400, Dmitry Valdov wrote: > Hi! >=20 > How about 3.x and 2.x? 3.x has not been patched yet, but will be. 2.x may or may not be patched (that branch is not supported) -- it's up to a committer to do it if they want to. 
Kris --SkvwRMAIpAhPCcCJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7WfeJWry0BWjoQKURApk5AJ9+Le516peRwkhkOGAn8T5IurzzJwCgzFa6 07DoSrFqp/1znrmm5a/S1zA= =JOeU -----END PGP SIGNATURE----- --SkvwRMAIpAhPCcCJ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:50:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from web11606.mail.yahoo.com (web11606.mail.yahoo.com [216.136.172.58]) by hub.freebsd.org (Postfix) with SMTP id DEAC737B401 for ; Sat, 21 Jul 2001 14:50:05 -0700 (PDT) (envelope-from holtor@yahoo.com) Message-ID: <20010721215005.70250.qmail@web11606.mail.yahoo.com> Received: from [64.23.0.234] by web11606.mail.yahoo.com via HTTP; Sat, 21 Jul 2001 14:50:05 PDT Date: Sat, 21 Jul 2001 14:50:05 -0700 (PDT) From: Holtor Subject: Re: telnetd root exploit To: Kris Kennaway , security@freebsd.org In-Reply-To: <20010721144337.B90359@xor.obsecurity.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --- Kris Kennaway wrote: > On Sun, Jul 22, 2001 at 01:29:44AM +0400, Dmitry > Valdov wrote: > > Hi! > > > > How about 3.x and 2.x? > > 3.x has not been patched yet, but will be. 2.x may > or may not be > patched (that branch is not supported) -- it's up to > a committer to do > it if they want to. > > Kris > > ATTACHMENT part 2 application/pgp-signature Kris, Any idea when the official advisory will be sent? I don't want to think i'm patched and restart telnetd only to be rooted by some lame script kiddie. Thanks much. Holt. __________________________________________________ Do You Yahoo!? 
Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:54: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-215.dsl.lsan03.pacbell.net [63.207.60.215]) by hub.freebsd.org (Postfix) with ESMTP id 64DA537B403 for ; Sat, 21 Jul 2001 14:53:57 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 2B08A66CC1; Sat, 21 Jul 2001 14:53:55 -0700 (PDT) Date: Sat, 21 Jul 2001 14:53:55 -0700 From: Kris Kennaway To: Holtor Cc: Kris Kennaway , security@freebsd.org Subject: Re: telnetd root exploit Message-ID: <20010721145355.A4238@xor.obsecurity.org> References: <20010721144337.B90359@xor.obsecurity.org> <20010721215005.70250.qmail@web11606.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cWoXeonUoKmBZSoM" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010721215005.70250.qmail@web11606.mail.yahoo.com>; from holtor@yahoo.com on Sat, Jul 21, 2001 at 02:50:05PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jul 21, 2001 at 02:50:05PM -0700, Holtor wrote: > --- Kris Kennaway wrote: > > On Sun, Jul 22, 2001 at 01:29:44AM +0400, Dmitry > > Valdov wrote: > > > Hi! > > >=20 > > > How about 3.x and 2.x? > >=20 > > 3.x has not been patched yet, but will be. 2.x may > > or may not be > > patched (that branch is not supported) -- it's up to > > a committer to do > > it if they want to. 
> >=20 > > Kris > >=20 >=20 > > ATTACHMENT part 2 application/pgp-signature=20 >=20 >=20 > Kris, >=20 > Any idea when the official advisory will be sent? > I don't want to think i'm patched and restart telnetd > only to be rooted by some lame script kiddie. Thanks > much. Probably Monday. Kris --cWoXeonUoKmBZSoM Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7WfnyWry0BWjoQKURAvHBAJ9VozeYaA97l386WSsGVPFzFvhY3ACfczBk VoKezlsGhhQCO2wBX2FOqYQ= =94AV -----END PGP SIGNATURE----- --cWoXeonUoKmBZSoM-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 14:54:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from stuart.microshaft.org (ns1.microshaft.org [208.201.249.2]) by hub.freebsd.org (Postfix) with ESMTP id 8E2C537B405 for ; Sat, 21 Jul 2001 14:54:22 -0700 (PDT) (envelope-from jono@stuart.microshaft.org) Received: (from jono@localhost) by stuart.microshaft.org (8.9.3/8.9.3) id OAA87022; Sat, 21 Jul 2001 14:54:17 -0700 (PDT) (envelope-from jono) Date: Sat, 21 Jul 2001 14:54:17 -0700 From: "Jon O ." To: nathan@salvation.unixgeeks.com Cc: freebsd-security@FreeBSD.ORG Subject: Reinfection phase Re: possible? 
Message-ID: <20010721145417.A86996@networkcommand.com> Reply-To: "jono@networkcommand.com" References: <20010721204942.12010.qmail@salvation.unixgeeks.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com>; from nathan@salvation.unixgeeks.com on Sat, Jul 21, 2001 at 08:49:42PM -0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I justed wanted to make sure everyone was aware that Code Red is supposed to restart its infection phase on 8.01.01. www.eeye.com has a good write up on this and the rest of the worm. Watch out for their scanner tool though, it's a windows binary and there is no source... On 21-Jul-2001, nathan@salvation.unixgeeks.com wrote: > > okay, today i checked my apache logs this is what i got: > > 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u > 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 > 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 > > this same exact get request came from several different address as well. such > as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any > remote exploits in apache i've missed? i'm running Apache/1.3.19 Server.. > > thanks in advance, > nathan. 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 15:35: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id B77CC37B40A; Sat, 21 Jul 2001 15:34:34 -0700 (PDT) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6LMYVL12752; Sat, 21 Jul 2001 23:34:32 +0100 (BST) (envelope-from brian@lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6LMYUg79964; Sat, 21 Jul 2001 23:34:30 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200107212234.f6LMYUg79964@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 To: "Richard A. Steenbergen" Cc: Brian Somers , Peter Pentchev , freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org, brian@Awfulhak.org Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage) In-Reply-To: Message from "Richard A. Steenbergen" of "Sat, 21 Jul 2001 15:21:34 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 21 Jul 2001 23:34:30 +0100 From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Sat, 21 Jul 2001, Brian Somers wrote: > > > The example in the PR means that someone connected from 199.95.76.12. > > Sorry, at the time of the PR writing, that was the correct IP for > www.senate.gov. > > traceroute to 199.95.76.12 (199.95.76.12), 64 hops max, 40 byte packets > ... 
> 10 senate-gw3.customer.alter.net (157.130.33.182) 14.671 ms 14.310 ms 14.885 ms > > It's very simple: > > You are 1.2.3.4, your reverse dns is your.domain.com. You control > domain.com, so you setup multiple CNAMES for "your", one pointing to > 1.2.3.4 and one pointing to the IP you wish to spoof (we'll call it > 9.8.7.6). When you connect to telnet, it reverses 1.2.3.4 to > your.domain.com, forwards your.domain.com to 9.8.7.6, reverses 9.8.7.6 to > www.senate.gov, and passes on 9.8.7.6 to the rest of the system. > > Spoofing at its finest... I must be getting something wrong. I wrote this stuff, and wrote it so that 1.2.3.4 is looked up giving your.domain.com, your.domain.com is looked up to give 1.2.3.4 and 9.8.7.6. As 1.2.3.4 is correct, your.domain.com is recorded in utmp (not 9.8.7.6). Yes, there is a problem where we've basically trusted a DNS that we don't own -- and that is a risk. But I can't see why 9.8.7.6 is relevant, *except* that ``w -n'' may be mentioning it. Am I misinterpreting things or is the real problem that a forward and reverse DNS can both conspire against you ? Or is the real problem just ``w''s -n flag ? > -- > Richard A Steenbergen http://www.e-gerbil.net/ras > PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6) -- Brian http://www.freebsd-services.com/ Don't _EVER_ lose your sense of humour ! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 15:35:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-215.dsl.lsan03.pacbell.net [63.207.60.215]) by hub.freebsd.org (Postfix) with ESMTP id BCA6C37B406 for ; Sat, 21 Jul 2001 15:35:52 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D71B966CC1; Sat, 21 Jul 2001 15:35:51 -0700 (PDT) Date: Sat, 21 Jul 2001 15:35:51 -0700 From: Kris Kennaway To: "Jon O ." 
Cc: nathan@salvation.unixgeeks.com, freebsd-security@FreeBSD.ORG Subject: Re: Reinfection phase Re: possible? Message-ID: <20010721153551.A11181@xor.obsecurity.org> References: <20010721204942.12010.qmail@salvation.unixgeeks.com> <20010721145417.A86996@networkcommand.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="fdj2RfSjLxBAspz7" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010721145417.A86996@networkcommand.com>; from jono@microshaft.org on Sat, Jul 21, 2001 at 02:54:17PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --fdj2RfSjLxBAspz7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jul 21, 2001 at 02:54:17PM -0700, Jon O . wrote: > > I just wanted to make sure everyone was aware that Code Red is supposed > to restart its infection phase on 8.01.01. > > www.eeye.com has a good write up on this and the rest of the worm. > > Watch out for their scanner tool though, it's a windows binary and there > is no source... This is off-topic for freebsd-security, thanks.
Kris --fdj2RfSjLxBAspz7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7WgPGWry0BWjoQKURAgD3AKCeZQotOdaAy1D9r5QzKJSHQZXY+gCg7DK9 pxpZADqaKSpi+cQtyT1nWjI= =bjIy -----END PGP SIGNATURE----- --fdj2RfSjLxBAspz7-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 17:40:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from earthquake.mweb.co.za (earthquake.mweb.co.za [196.2.53.139]) by hub.freebsd.org (Postfix) with ESMTP id 4132537B406 for ; Sat, 21 Jul 2001 17:40:20 -0700 (PDT) (envelope-from psyv@root.org.za) Received: from pta-dial-196-31-187-73.mweb.co.za ([196.31.187.73]) by earthquake.mweb.co.za (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with ESMTP id <0GGU0010YN6UY8@earthquake.mweb.co.za> for freebsd-security@FreeBSD.ORG; Sun, 22 Jul 2001 02:40:08 +0200 (SAT) Date: Sun, 22 Jul 2001 02:41:53 +0200 (SAST) From: The Psychotic Viper Subject: Re: Reinfection phase Re: possible? In-reply-to: <20010721145417.A86996@networkcommand.com> X-Sender: psyv@lucifer.fuzion.za.org To: "Jon O ." Cc: nathan@salvation.unixgeeks.com, freebsd-security@FreeBSD.ORG Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, On Sat, 21 Jul 2001, Jon O . wrote: > I justed wanted to make sure everyone was aware that Code Red is supposed > to restart its infection phase on 8.01.01. sorry have to ask, but what format is that date in? Because if its d/mm/yr then 8th January 2001 is over:) (maybe 8/10/01?) > Watch out for their scanner tool though, it's a windows binary and there > is no source... 
Eeye are the good guys I think...:) PsyV To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 17:47: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from stuart.microshaft.org (ns1.microshaft.org [208.201.249.2]) by hub.freebsd.org (Postfix) with ESMTP id 4DA0537B401 for ; Sat, 21 Jul 2001 17:47:01 -0700 (PDT) (envelope-from jono@stuart.microshaft.org) Received: (from jono@localhost) by stuart.microshaft.org (8.9.3/8.9.3) id RAA87870; Sat, 21 Jul 2001 17:46:51 -0700 (PDT) (envelope-from jono) Date: Sat, 21 Jul 2001 17:46:51 -0700 From: "Jon O ." To: The Psychotic Viper Cc: "Jon O ." , nathan@salvation.unixgeeks.com, freebsd-security@FreeBSD.ORG Subject: Re: Reinfection phase Re: possible? Message-ID: <20010721174651.H86996@networkcommand.com> Reply-To: "jono@networkcommand.com" References: <20010721145417.A86996@networkcommand.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from psyv@root.org.za on Sun, Jul 22, 2001 at 02:41:53AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 22-Jul-2001, The Psychotic Viper wrote: > Hi, > On Sat, 21 Jul 2001, Jon O . wrote: > > > I justed wanted to make sure everyone was aware that Code Red is supposed > > to restart its infection phase on 8.01.01. > sorry have to ask, but what format is that date in? Because if its d/mm/yr > then 8th January 2001 is over:) (maybe 8/10/01?) 08.01.01 August 1, 2001. Sorry if it's US centric. I'm really tired so I would check the eeye.com site for the true date, but I'm pretty sure it's the Aug. 1. Eeye did the disassemble, they know best... > > > Watch out for their scanner tool though, it's a windows binary and there > > is no source... 
> Eeye are the good guys I think...:) I agree, but I also can't understand why they don't give the source. I mean even MS is releasing source. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 19:44:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.tgd.net (rand.tgd.net [64.81.67.117]) by hub.freebsd.org (Postfix) with SMTP id AD13137B405 for ; Sat, 21 Jul 2001 19:44:23 -0700 (PDT) (envelope-from sean@mailhost.tgd.net) Received: (qmail 17561 invoked by uid 1001); 21 Jul 2001 21:17:36 -0000 Date: Sat, 21 Jul 2001 14:17:36 -0700 From: Sean Chittenden To: nathan@salvation.unixgeeks.com Cc: freebsd-security@freebsd.org Subject: Re: possible? Message-ID: <20010721141736.V5160@rand.tgd.net> References: <20010721204942.12010.qmail@salvation.unixgeeks.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="pqmPt9oPL4cuP/b5" Content-Disposition: inline In-Reply-To: <20010721204942.12010.qmail@salvation.unixgeeks.com>; from "nathan@salvation.unixgeeks.com" on Sat, Jul 21, 2001 at = 08:49:42PM X-PGP-Key: 0x1EDDFAAD X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD X-Web-Homepage: http://sean.chittenden.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --pqmPt9oPL4cuP/b5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable > 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNN= NNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN= NNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN= NNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%= u9090%u > 
6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 > 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332 This is the "Code Red" worm that's been infecting MS IIS boxes. Check out securityfocus.com for more information regarding this. If you're using apache then this is a non-issue and is merely a fun pastime. "Oooh! An infected host... and another, and another... ad infinitum (or 219,000 at last count)." You can also get more information from the bugtraq and incidents security mailing lists which are hosted by securityfocus.com. -sc -- Sean Chittenden --pqmPt9oPL4cuP/b5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: Sean Chittenden iEYEARECAAYFAjtZ8W8ACgkQn09c7x7d+q1msgCgsvwrf5RZmlUoEHqzZmvWSdbc eccAoMRT7svtZfFa/e/kGty7a07xiEDM =N4rv -----END PGP SIGNATURE----- --pqmPt9oPL4cuP/b5-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 21 19:55:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.tgd.net (rand.tgd.net [64.81.67.117]) by hub.freebsd.org (Postfix) with SMTP id 146E537B401 for ; Sat, 21 Jul 2001 19:55:49 -0700 (PDT) (envelope-from sean@mailhost.tgd.net) Received: (qmail 18983 invoked by uid 1001); 22 Jul 2001 02:55:43 -0000 Date: Sat, 21 Jul 2001 19:55:42 -0700 From: Sean Chittenden To: freebsd-security@freebsd.org Subject: Re: possible?
Message-ID: <20010721195542.A18767@rand.tgd.net> References: <20010721204942.12010.qmail@salvation.unixgeeks.com> <20010721141736.V5160@rand.tgd.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Dxnq1zWXvFF0Q93v" Content-Disposition: inline In-Reply-To: <20010721141736.V5160@rand.tgd.net>; from "sean-freebsd-security@chittenden.org" on Sat, Jul 21, 2001 at 02:17:36PM X-PGP-Key: 0x1EDDFAAD X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD X-Web-Homepage: http://sean.chittenden.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Dxnq1zWXvFF0Q93v Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jul 21, 2001 at 02:17:36PM -0700, Sean Chittenden wrote: > Delivered-To: freebsd-security@freebsd.org > Date: Sat, 21 Jul 2001 14:17:36 -0700 Well don't I feel like Forrest Gump... sorry about being late to the party folks, my ISP's reverse DNS hit the shiznits earlier today and all of its outbound email to hubs (or any mail server that did reverse lookups) was a tad slow to be accepted. This is pretty OT at this point, but I'd like to question the value of reverse DNS lookups for mail hosts. SPAM prevention? Hardly any benefit these days...
-sc

--
Sean Chittenden

From owner-freebsd-security Sat Jul 21 21:24:49 2001
Date: Sun, 22 Jul 2001 00:25:00 -0400 (EDT)
From: Jim Durham
Subject: rpc.statd attacks

About 2 or 3 times a week I see an error message saying invalid host name to rpc.statd and a string of ^P_Ms. I believe this is a Linux exploit that fails on FreeBSD. However, since I have port 111 blocked in the firewall, how in the world is even an error message being generated? I have even portscanned and 111 is not open to the outside.
-Jim Durham

From owner-freebsd-security Sat Jul 21 21:42:51 2001
Date: Sat, 21 Jul 2001 21:15:29 -0700 (PDT)
From: nathan barrick
Subject: everyone

everyone on the list, i wanna thank you guys for the responses.. a little after i sent off the email to the list i was searching for "GET /default.ida?NNN" and i ended up finding a lot of info about this red alert worm. but thanks a lot for the responses -- again. good to have people who are willing to help. 'till next time, nathan.

From owner-freebsd-security Sat Jul 21 23:02:26 2001
Date: Sat, 21 Jul 2001 23:02:19 -0700
From: "Jon O ."
To: nathan barrick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: everyone
Message-ID: <20010721230219.N86996@networkcommand.com>
Reply-To: "jono@networkcommand.com"
In-Reply-To: ; from nathan@salvation.unixgeeks.com on Sat, Jul 21, 2001 at 09:15:29PM -0700

You know I have logs showing about 60K attempts for that file. You might want to take a look at some of the web servers that attacked you. You might find some interesting things...

On 21-Jul-2001, nathan barrick wrote:
>
> everyone on the list,
>
> i wanna thank you guys for the responses.. a little after i sent
> off the email to the list i was searching for "GET /default.ida?NNN"
> and i ended up finding a lot of info about this red alert worm. but
> thanks a lot for the responses -- again.
>
> good to have people who are willing to help.
> 'till next time,
>
> nathan.
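Several posts in this thread (the "Code Red" identification, nathan's search for "GET /default.ida?NNN", and Jon's count of about 60K attempts) boil down to the same defender's task: pulling the worm's probe requests out of an Apache access log and counting them per source host. The following is an added example written for this page, not code from any of the posters. It parses common-log-format lines with a regex, recognises the probe by its `/default.ida?` prefix followed by a long run of `N` (or `X`, the later variant), and tallies hits per host and per variant; the sample log lines are constructed and the host addresses are documentation ranges, not real infected machines.

```python
"""Count Code Red probe requests per source host in Apache access logs.

Added example for the freebsd-security thread above; not the posters' code.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Apache common-log-format prefix: host ident user [time] "request" status size.
# The combined format appends referer and user-agent; the regex ignores them.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probe shape: GET /default.ida? followed by a long run of N (first
# variant) or X (later variant), then %u-encoded bytes. Only the prefix and
# the padding run are inspected; the payload after it is irrelevant here.
CODERED_RE = re.compile(r'^GET /default\.ida\?(?P<pad>[NX]{32,})%u')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its CLF fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def codered_variant(request: str) -> Optional[str]:
    """Return 'N' or 'X' for the Code Red variant a request matches, else None."""
    m = CODERED_RE.match(request)
    return m.group("pad")[0] if m else None


def codered_report(lines: Iterable[str]) -> Dict[str, object]:
    """Tally Code Red probes per source host and per variant.

    Returns a dict with 'by_host' and 'by_variant' Counters, plus the number
    of ordinary requests ('other') and unparseable lines ('malformed').
    """
    by_host: Counter = Counter()
    by_variant: Counter = Counter()
    other = malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        variant = codered_variant(rec["request"])
        if variant is None:
            other += 1
            continue
        by_host[rec["host"]] += 1
        by_variant[variant] += 1
    return {"by_host": by_host, "by_variant": by_variant,
            "other": other, "malformed": malformed}


# Constructed sample log lines (assumption: not taken from the thread). The
# padding run is shortened to 40 characters; the real worm sends far more.
_N = "N" * 40
_X = "X" * 40
SAMPLE_LOG = [
    f'192.0.2.10 - - [21/Jul/2001:14:03:11 -0700] "GET /default.ida?{_N}%u9090%u6858%ucbd3 HTTP/1.0" 400 332',
    '198.51.100.7 - - [21/Jul/2001:14:05:42 -0700] "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.10 - - [21/Jul/2001:14:09:58 -0700] "GET /default.ida?{_N}%u9090%u6858%ucbd3 HTTP/1.0" 400 332',
    f'203.0.113.44 - - [21/Jul/2001:14:11:03 -0700] "GET /default.ida?{_X}%u9090%u6858 HTTP/1.0" 400 332',
    'this line is not an access-log record',
]


if __name__ == "__main__":
    report = codered_report(SAMPLE_LOG)
    for host, hits in report["by_host"].most_common():
        print(f"{host:16} {hits} probe(s)")
    print("variants:", dict(report["by_variant"]))
    print("other requests:", report["other"], "malformed lines:", report["malformed"])
```

On an Apache host the probe is harmless, as Sean's post says, so the value of the tally is inventory rather than defence: the per-host counts show which remote machines are infected and how persistently they retry, and a status other than 400 or 404 on a probe would be the thing worth a closer look. Reading a real log is `codered_report(open("/var/log/httpd-access.log"))`.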